[FUG-BR] Help with PF, opening ports and improving rules.
Bandeira
gnu.groups at gmail.com
Fri Jun 12 15:23:48 BRT 2015
Hello everyone, can anyone help me with my pf.conf? I use it on OS X, but
I can't get the ports to open. Thanks in advance.
set block-policy drop
set optimization aggressive
set ruleset-optimization basic
set timeout { interval 5, tcp.opening 20 }
set timeout { frag 15, tcp.established 150 }
set timeout { tcp.first 30, tcp.closing 15, tcp.closed 15, tcp.finwait 15 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }
set skip on lo0
set debug none
set limit frags 5000
set state-policy if-bound
set require-order yes
set fingerprints "/usr/local/sbin/pf.os"
tcp_out = "{ ssh, smtp, domain, www, https, 67, 80, 443, 554, 1900, 4662, \
548, 587, 993, 1863, 2158, 3689, ntp, ftp, ftp-data }"
udp_out = "{ domain, ntp, 68, 123, 192, 554, 5353, 1900, 4672 }"
tcp_in = "{ 80, 443, 548, 554, 3689, 1900, 4662 }"
udp_in = "{ 123, 192, 554, 1900, 5353, 4672 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
scrub in all no-df random-id max-mss 1440 min-ttl 15
#match in all scrub (no-df max-mss 1440) #OpenBSD 4.6
if = "en0"
#icmp_types="echoreq"
block in
pass out
antispoof for $if inet
# allow icmp
#pass in inet proto icmp all icmp-type $icmp_types
#block in on $if inet proto icmp from ! en0 to any icmp-type 8 code 0
# Enable anti-spoofing protection for all interfaces
block in quick from urpf-failed
# allow out (macro/proto pairs were swapped: tcp rules use $tcp_out, udp rules $udp_out;
# note that "pass out" above already allows all outbound traffic, so these are redundant)
#pass out on $if proto tcp from any to any port $tcp_out
#pass out on $if proto udp from any to any port $udp_out
# allow in (these rules are commented out, so with "block in" above no inbound port is opened)
#pass in on $if proto tcp from any to any port $tcp_in
#pass in on $if proto udp from any to any port $udp_in
# allow out (alternative form without an interface, same macro fix)
#pass out quick inet proto tcp from any to any port $tcp_out
#pass out quick inet proto udp from any to any port $udp_out
# allow in (alternative form)
#pass in quick inet proto tcp from any to any port $tcp_in
#pass in quick inet proto udp from any to any port $udp_in
# block nmap scans
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
block drop in quick on $if from any os { NMAP }
pass on lo0 all
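The ruleset above never opens a port because every "pass in" line is commented out, and two outbound rules pair proto udp with $tcp_out (and vice versa). As an added example, not code from the original post, this small Python linter expands the pf macros and reports which inbound ports a ruleset actually passes, how many "pass in" rules are disabled, and rules whose proto does not match the macro they reference. It assumes single-line macros and uses a constructed, trimmed copy of the ruleset as input.

```python
import re

# Constructed sample (not the full file from the post): a trimmed copy of the
# ruleset above with the "pass in" lines still commented out, macros on one line.
RULESET = """\
tcp_in = "{ 80, 443, 548 }"
udp_in = "{ 123, 5353 }"
tcp_out = "{ ssh, www, 443 }"
udp_out = "{ domain, 123 }"
if = "en0"
block in
pass out
#pass in on $if proto tcp from any to any port $tcp_in
#pass in on $if proto udp from any to any port $udp_in
#pass out on $if proto udp from any to any port $tcp_out
"""

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?\s*\{?([^}"]*)\}?\s*"?\s*$')
RULE_RE = re.compile(
    r'^\s*(#?)\s*(pass|block)\s+(in|out)\b.*?\bproto\s+(tcp|udp)\b.*?\bport\s+\$(\w+)',
    re.I)

def parse_macros(text):
    """Collect single-line pf macros: name -> list of port/host tokens."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = [t.strip() for t in m.group(2).split(",") if t.strip()]
    return macros

def audit(text):
    """Report inbound ports actually passed, commented-out 'pass in' rules,
    and rules whose proto contradicts the macro name (proto udp with $tcp_out)."""
    macros = parse_macros(text)
    report = {"open_in": {"tcp": [], "udp": []},
              "commented_pass_in": 0, "macro_mismatch": []}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        commented, action, direction, proto, macro = m.groups()
        action, direction, proto = action.lower(), direction.lower(), proto.lower()
        name = macro.lower()
        if name.startswith(("tcp", "udp")) and not name.startswith(proto):
            report["macro_mismatch"].append(line.strip())
        if action == "pass" and direction == "in":
            if commented:
                report["commented_pass_in"] += 1
            else:
                report["open_in"][proto].extend(macros.get(macro, []))
    return report

if __name__ == "__main__":
    print(audit(RULESET))                                  # nothing open, 2 disabled
    print(audit(RULESET.replace("#pass in", "pass in")))   # tcp 80/443/548, udp 123/5353
```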
More information about the freebsd mailing list