[FUG-BR] pf e ipfw juntos.
Cabral Bandeira
ibandeira em me.com
Domingo Julho 17 16:51:09 BRT 2011
Olá, eu estou usando o pf como firewall padrão e o ipfw para controle de banda ACK, acontece que não navega com os 2 ativados, somente o ping funciona. Se eu faço pfctl -F all o internet funciona normal. Como resolver?
Meu uso é como desktop, com o MacBook e OS X Lion. Não tem Suporte a ALTQ.
No ipfw uso o http://intrarts.com/throttled.html
Aprendi pf em uma hora :) Acho que aprendi creio eu.
Mas gostaria de saber se preciso melhorar algo. Se abaixo.
set block-policy drop
set optimization normal
set ruleset-optimization basic
set timeout interval 10
set timeout frag 30
set skip on lo0
set debug none
set limit frags 4096
set state-policy floating
set require-order yes
if = "en1"
scrub in all
# Quebra pacotes mal formados
scrub all reassemble tcp
scrub out all no-df max-mss 1492 random-id
antispoof for $if inet
#icmp_types="echoreq"
block in
pass out
# loopback is good
pass in quick on lo0 all
pass out quick on lo0 all
antispoof quick for $if inet
# allow icmp
#pass in inet proto icmp all icmp-type $icmp_types
block in on $if inet proto icmp from ! 192.168.1.5 to any icmp-type 8 code 0
# allow dns queries
pass out on $if proto udp from any to any port 53
# pass http traffic
pass out on $if proto tcp from $if to any port 80 flags S/SA
# pass ftp traffic
pass out on $if proto tcp from $if to any port { 21 , 20 } flags S/SA
pass in quick inet proto { tcp, udp } from any to any port = 16000
pass out quick inet proto { tcp, udp } from any to any port = 16000
pass in quick inet proto { tcp, udp } from any to any port = 16003
pass out quick inet proto { tcp, udp } from any to any port = 16003
pass in quick inet proto { tcp, udp } from any to any port = 51413
pass out quick inet proto { tcp, udp } from any to any port = 51413
pass in quick inet proto { tcp, udp } from any to any port = 38772
pass out quick inet proto { tcp, udp } from any to any port = 38772
pass in quick inet proto udp from any to any port = 123
pass out quick inet proto udp from any to any port = 123
pass in quick inet proto udp from any to any port = 192
pass out quick inet proto udp from any to any port = 192
pass in quick inet proto tcp from any to any port = 443
pass out quick inet proto tcp from any to any port = 443
pass in quick inet proto tcp from any to any port = 548
pass out quick inet proto tcp from any to any port = 548
pass in quick inet proto udp from any to any port = 5353
pass out quick inet proto udp from any to any port = 5353
# Ativa a proteção contra falsificações para todas as interfaces
block in quick from urpf-failed
# block scans com nmap
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
block drop in quick on $if from any os { NMAP }
pass on lo0 all
-----
Cabral Bandeira
Mais detalhes sobre a lista de discussão freebsd