[FUG-BR] pf e ipfw juntos.
Cabral Bandeira
ibandeira em me.com
Domingo Julho 17 18:49:40 BRT 2011
Li na lista o Patrick comentando sobre o pf. http://www.fug.com.br/historico/html/freebsd/2006-04/msg00588.html "Nao pude filtrar lsrr, rr,
etc de IP."
Seria bom usar essas 3 regras no ipfw?
ipfw add deny log tcp from any to any ipoptions ssrr,lsrr,rr
ipfw add deny log tcp from any to any tcpflags syn,fin
ipfw add deny log tcp from any to any tcpflags syn,rst
Regras que uso abaixo.
/sbin/ipfw zero
/sbin/ipfw -f flush
INTERFACE=en1
MAXSPEED=51200
RULENUM=00100
/usr/local/sbin/throttled -s $MAXSPEED -r $RULENUM -d 17779 -w 100 -d 17778 -w 25 -d 17777 -w 1 -T || exit
IP=any
# skip your internal network, these rules are for 192.168.x.x
/sbin/ipfw add $RULENUM skipto `expr $RULENUM + 1` ip from $IP to 192.168.0.0/16 out xmit $INTERFACE
#prioritize empty acks and setup
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any out xmit $INTERFACE tcpflags ack iplen 0-70
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any setup out xmit $INTERFACE
#prioritize icmp
/sbin/ipfw add $RULENUM divert 17779 icmp from any to any out xmit $INTERFACE
# these rules allow http/https/ssh/telnet/pop/irc/sirc
# to be prioritized by the throttle.
#
# Setting up the configuration this way catches more file transfer types
# and minimizes lag in response driven services.
#prioritize nameserver lookups
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 53 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17779 udp from $IP to any 53 out xmit $INTERFACE
#prioritize iTunes
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP 3689 to any out xmit $INTERFACE
# prioritize Skype
/sbin/ipfw add $RULENUM divert 17778 udp from $IP 16000 to any out xmit $INTERFACE
#prioritize imap
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 587 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 993 out xmit $INTERFACE
#prioritize Apple
/sbin/ipfw add $RULENUM divert 17778 udp from $IP to any 192 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 udp from $IP to any 5353 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 548 out xmit $INTERFACE
#prioritize http/https
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 80 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 443 out xmit $INTERFACE
#prioritize msn
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 1863 out xmit $INTERFACE
#prioritize irc
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 6667 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 6668 out xmit $INTERFACE
#prioritize torrent
/sbin/ipfw add $RULENUM divert 17777 tcp from $IP to any 51413 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17777 udp from $IP to any 51413 out xmit $INTERFACE
#bind to throttle low priority services.
/sbin/ipfw add $RULENUM divert 17777 ip from $IP to any out xmit $INTERFACE
-----
Cabral Bandeira
Em 17/07/2011, às 18:41, Rodrigo Mosconi escreveu:
> quais as regras do ipfw?
>
>> set optimization normal
>> set ruleset-optimization basic
>> set timeout interval 10
>> set timeout frag 30
>> set skip on lo0
>> set debug none
>> set limit frags 4096
>> set state-policy floating
>> set require-order yes
>>
>> if = "en1"
>> scrub in all
>>
>> # Quebra pacotes mal formados
>> scrub all reassemble tcp
>> scrub out all no-df max-mss 1492 random-id
>> antispoof for $if inet
>>
>> #icmp_types="echoreq"
>>
>> block in
>> pass out
>>
>> # loopback is good
>> pass in quick on lo0 all
>> pass out quick on lo0 all
>>
>> antispoof quick for $if inet
>>
>> # allow icmp
>> #pass in inet proto icmp all icmp-type $icmp_types
>>
>> block in on $if inet proto icmp from ! 192.168.1.5 to any icmp-type 8 code 0
>>
>> # allow dns queries
>> pass out on $if proto udp from any to any port 53
>>
>> # pass http traffic
>> pass out on $if proto tcp from $if to any port 80 flags S/SA
>>
>> # pass ftp traffic
>> pass out on $if proto tcp from $if to any port { 21 , 20 } flags S/SA
>>
>> pass in quick inet proto { tcp, udp } from any to any port = 16000
>> pass out quick inet proto { tcp, udp } from any to any port = 16000
>> pass in quick inet proto { tcp, udp } from any to any port = 16003
>> pass out quick inet proto { tcp, udp } from any to any port = 16003
>> pass in quick inet proto { tcp, udp } from any to any port = 51413
>> pass out quick inet proto { tcp, udp } from any to any port = 51413
>> pass in quick inet proto { tcp, udp } from any to any port = 38772
>> pass out quick inet proto { tcp, udp } from any to any port = 38772
>>
>> pass in quick inet proto udp from any to any port = 123
>> pass out quick inet proto udp from any to any port = 123
>> pass in quick inet proto udp from any to any port = 192
>> pass out quick inet proto udp from any to any port = 192
>> pass in quick inet proto tcp from any to any port = 443
>> pass out quick inet proto tcp from any to any port = 443
>> pass in quick inet proto tcp from any to any port = 548
>> pass out quick inet proto tcp from any to any port = 548
>> pass in quick inet proto udp from any to any port = 5353
>> pass out quick inet proto udp from any to any port = 5353
>>
>> # Ativa a proteção contra falsificações para todas as interfaces
>> block in quick from urpf-failed
>>
>> # block scans com nmap
>> block in quick proto tcp flags FUP/WEUAPRSF
>> block in quick proto tcp flags WEUAPRSF/WEUAPRSF
>> block in quick proto tcp flags SRAFU/WEUAPRSF
>> block in quick proto tcp flags /WEUAPRSF
>> block in quick proto tcp flags SR/SR
>> block in quick proto tcp flags SF/SF
>> block drop in quick on $if from any os { NMAP }
>>
>> pass on lo0 all
>>
>> -----
>> Cabral Bandeira
>>
>>
>>
>>
>> -------------------------
>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
Mais detalhes sobre a lista de discussão freebsd