[FUG-BR] pf and ipfw together.
Rodrigo Mosconi
freebsd em mosconi.mat.br
Sunday, July 17, 18:41:11 BRT 2011
What are the ipfw rules?
> set optimization normal
> set ruleset-optimization basic
> set timeout interval 10
> set timeout frag 30
> set skip on lo0
> set debug none
> set limit frags 4096
> set state-policy floating
> set require-order yes
>
> if = "en1"
> scrub in all
>
> # Breaks malformed packets
> scrub all reassemble tcp
> scrub out all no-df max-mss 1492 random-id
> antispoof for $if inet
>
> #icmp_types="echoreq"
>
> block in
> pass out
>
> # loopback is good
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> antispoof quick for $if inet
>
> # allow icmp
> #pass in inet proto icmp all icmp-type $icmp_types
>
> block in on $if inet proto icmp from ! 192.168.1.5 to any icmp-type 8 code 0
>
> # allow dns queries
> pass out on $if proto udp from any to any port 53
>
> # pass http traffic
> pass out on $if proto tcp from $if to any port 80 flags S/SA
>
> # pass ftp traffic
> pass out on $if proto tcp from $if to any port { 21 , 20 } flags S/SA
>
> pass in quick inet proto { tcp, udp } from any to any port = 16000
> pass out quick inet proto { tcp, udp } from any to any port = 16000
> pass in quick inet proto { tcp, udp } from any to any port = 16003
> pass out quick inet proto { tcp, udp } from any to any port = 16003
> pass in quick inet proto { tcp, udp } from any to any port = 51413
> pass out quick inet proto { tcp, udp } from any to any port = 51413
> pass in quick inet proto { tcp, udp } from any to any port = 38772
> pass out quick inet proto { tcp, udp } from any to any port = 38772
>
> pass in quick inet proto udp from any to any port = 123
> pass out quick inet proto udp from any to any port = 123
> pass in quick inet proto udp from any to any port = 192
> pass out quick inet proto udp from any to any port = 192
> pass in quick inet proto tcp from any to any port = 443
> pass out quick inet proto tcp from any to any port = 443
> pass in quick inet proto tcp from any to any port = 548
> pass out quick inet proto tcp from any to any port = 548
> pass in quick inet proto udp from any to any port = 5353
> pass out quick inet proto udp from any to any port = 5353
>
> # Enables anti-spoofing protection for all interfaces
> block in quick from urpf-failed
>
> # block nmap scans
> block in quick proto tcp flags FUP/WEUAPRSF
> block in quick proto tcp flags WEUAPRSF/WEUAPRSF
> block in quick proto tcp flags SRAFU/WEUAPRSF
> block in quick proto tcp flags /WEUAPRSF
> block in quick proto tcp flags SR/SR
> block in quick proto tcp flags SF/SF
> block drop in quick on $if from any os { NMAP }
>
> pass on lo0 all
>
> -----
> Cabral Bandeira
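One thing worth checking in the quoted pf.conf is rule order: pf's last-match-wins evaluation stops at the first matching `quick` rule, so the `pass in quick` port rules placed above `block in quick from urpf-failed` and the flag-based scan blocks short-circuit those blocks for any inbound packet to the listed ports. The script below is an added example, not code from the thread or from pf; it runs a purely order-based check (it does not model ports, flags or interfaces) over a constructed excerpt of the quoted ruleset and reports each `block ... quick` rule that an earlier same-direction `pass ... quick` rule can bypass.

```python
"""Rule-order check for a pf.conf filter section.

pf evaluates filter rules top to bottom and the last match wins, unless a
matching rule carries "quick", which ends evaluation immediately.  A
"pass in quick" above a "block in quick" therefore bypasses the block for
every packet the pass rule matches.  Mitigation: move quick blocks first.
"""
import re

# Constructed excerpt of the ruleset quoted in the thread ($if kept as a macro).
RULESET = """\
block in
pass out
antispoof quick for $if inet
pass in quick inet proto { tcp, udp } from any to any port = 16000
pass in quick inet proto tcp from any to any port = 443
block in quick from urpf-failed
block in quick proto tcp flags SF/SF
block drop in quick on $if from any os { NMAP }
pass on lo0 all
"""

# action, optional drop/return, optional direction; \b stops "in" eating "inet"
RULE_RE = re.compile(r"^(pass|block)(?:\s+(?:drop|return))?(?:\s+(in|out))?\b(.*)$")


def parse_rules(text):
    """Return (lineno, action, direction, quick, text) for each pass/block rule;
    set/scrub/antispoof lines and comments are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        action, direction, rest = m.group(1), m.group(2) or "any", m.group(3)
        quick = bool(re.search(r"\bquick\b", rest))
        rules.append((n, action, direction, quick, line))
    return rules


def shadowed_blocks(text):
    """Map each 'block ... quick' line number to the earlier 'pass ... quick'
    line numbers in the same (or unspecified) direction that precede it."""
    findings = {}
    rules = parse_rules(text)
    for i, (n, action, direction, quick, _) in enumerate(rules):
        if action != "block" or not quick:
            continue
        earlier = [r[0] for r in rules[:i]
                   if r[1] == "pass" and r[3]
                   and (r[2] == direction or "any" in (r[2], direction))]
        if earlier:
            findings[n] = earlier
    return findings


if __name__ == "__main__":
    for blk, passes in shadowed_blocks(RULESET).items():
        print(f"line {blk}: quick block reached only after quick pass lines {passes}")
```

A hit means the block rule never sees packets that the earlier pass rules accept; the usual fix is to place `block ... quick` rules (uRPF, scan flags, OS fingerprint) before any `pass ... quick` rule, then confirm with `pfctl -nf /etc/pf.conf`.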