
Monday, 14 May 2012

IPFW Firewall Rules for FreeBSD

If you are not familiar with how a firewall works, start with: Understanding how a firewall works
IPFW is FreeBSD's native firewall (the base system also ships PF and IPFILTER). It evaluates rules in order of rule number, lowest first, and stops at the first allow or deny that matches the packet; rule 65535 is the built-in default rule.
Viewing ipfw rules
To list the rules the firewall is currently using, use the show parameter. Each line prints the rule number, the packet counter, the byte counter and then the rule itself:
Ex.: ipfw show
65000 27503703 16411153839 allow ip from any to any
65535 0 0 allow ip from any to any
This is the "open" ruleset: a catch-all allow at 65000, followed by the default rule 65535. The default rule reads "allow" here only because this kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT; on a stock kernel rule 65535 is a deny, so a flushed ruleset blocks everything, including the SSH session you are administering from.
Adding rules
To block all traffic to a given host, add a deny rule. The number you give decides where the rule sits in the evaluation order, so it must be lower than any allow rule that would otherwise match the same traffic:
ipfw add RULE_NUMBER deny all from any to USER_IP
Removing rules
To remove a rule, delete it by number (every rule carrying that number is removed):
ipfw delete RULE_NUMBER
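As an added example (not from the original post), the three operations above wrapped in small shell helpers. They validate the address before touching the firewall, pick a free rule number inside an assumed range for per-host blocks (BLOCK_BASE, 1000-1999, a hypothetical convention), and recover the rule numbers to delete by parsing `ipfw show` output, so unblocking a host does not depend on remembering the number. IPFW is a hypothetical override variable: setting IPFW=echo lets the helpers be exercised without root.

```shell
#!/bin/sh
# Added example: helpers around "ipfw show", "ipfw add ... deny" and
# "ipfw delete". Not from the original post.
# IPFW (override with IPFW=echo for a dry run) and BLOCK_BASE are assumptions.
IPFW=${IPFW:-ipfw}
BLOCK_BASE=${BLOCK_BASE:-1000}   # per-host deny rules live in BLOCK_BASE..BLOCK_BASE+999

# Accept only a dotted-quad IPv4 address with every octet in 0-255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# stdin: "ipfw show" output (number, packets, bytes, rule).
# Prints the number of every deny rule whose source or destination is $1.
# ipfw prints "all" back as "ip", so a line reads: N pkts bytes deny ip from A to B
deny_rules_for() {
    awk -v ip="$1" '$4 == "deny" && ($7 == ip || $9 == ip) { print $1 + 0 }'
}

# stdin: "ipfw show" output. Prints the first number above the highest
# rule already in the block range (BLOCK_BASE itself if the range is empty).
next_block_rule() {
    awk -v base="$BLOCK_BASE" '
        $1 ~ /^[0-9]+$/ && $1 >= base && $1 < base + 1000 && $1 + 1 > max { max = $1 + 1 }
        END { print (max ? max : base) }'
}

block_host() {    # usage: block_host 192.168.1.50
    valid_ipv4 "$1" || { echo "block_host: invalid IPv4 address: $1" >&2; return 1; }
    num=$("$IPFW" show | next_block_rule)
    "$IPFW" add "$num" deny all from any to "$1"
}

unblock_host() {  # usage: unblock_host 192.168.1.50
    valid_ipv4 "$1" || { echo "unblock_host: invalid IPv4 address: $1" >&2; return 1; }
    for n in $("$IPFW" show | deny_rules_for "$1"); do
        "$IPFW" delete "$n"
    done
}
```

Run `block_host 192.168.1.50` as root to add the rule and `ipfw show | deny_rules_for 192.168.1.50` to confirm which number it got; `unblock_host` removes every deny rule naming that address, not just the one in the block range.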
For more details see the FreeBSD Documentation
and the FreeBSD Handbook chapter on the IPFW firewall
Configuring the interfaces and the path of the firewall script
# ee /etc/rc.conf
natd_enable="YES"
natd_interface="em0"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
Note the variable name: the one that points at a shell script of ipfw commands is firewall_script, not firewall_type. firewall_type either names one of the built-in rulesets of /etc/rc.firewall (open, client, simple, closed, workstation) or a file of bare rules that rc.firewall feeds straight to ipfw(8), and neither form can run the script below. /etc/rc.firewall itself is the system's own script and the default value of firewall_script; keep your rules in a separate file rather than pointing at or overwriting it (the path /etc/ipfw.rules above is only an example, any path works). natd_enable starts natd(8) listening on divert port 8668 and natd_interface tells it which address to translate to, but the divert rule that hands packets to natd still has to be in the script. IP forwarding (gateway_enable="YES") and DHCP are covered in the linked post.
For the script below to work correctly you also need: Configuring a Gateway and DHCP service on FreeBSD

IPFW Firewall Script - FreeBSD
#!/bin/sh
# em0 faces the WAN, em1 the LAN; run by rc(8) through firewall_script.
# (sh, not csh: csh does not accept NAME="value" assignments.)
# VARIABLES
IFWAN="em0"
IFLAN="em1"
LAN="192.168.1.0/24"
# Let a packet continue through the ruleset after a dummynet pipe. With the
# default one_pass=1 a packet leaves the firewall at the pipe rule, so the
# pipes below could only be placed after the deny rules, where nothing
# bound for the LAN ever reaches them.
sysctl net.inet.ip.fw.one_pass=0
# RESET THE FIREWALL
sleep 60   # pause before loading; when run from rc this delays boot by a minute
ipfw -f flush
# LOOPBACK
ipfw add 100 allow all from any to any via lo0
ipfw add 110 deny all from 127.0.0.0/8 to any
ipfw add 120 deny all from any to 127.0.0.0/8
# FINGERPRINTING / PORT SCANS: flag combinations no legitimate connection uses
# FIN+URG+PSH (Xmas scan)
ipfw add 130 deny tcp from any to any tcpflags fin,urg,psh in recv $IFLAN
ipfw add 140 deny tcp from any to any tcpflags fin,urg,psh in recv $IFWAN
# no flags at all (NULL scan)
ipfw add 150 deny tcp from any to any tcpflags !fin,!syn,!ack,!urg,!psh,!rst in recv $IFLAN
ipfw add 160 deny tcp from any to any tcpflags !fin,!syn,!ack,!urg,!psh,!rst in recv $IFWAN
# SYN+FIN+RST+ACK together
ipfw add 170 deny tcp from any to any tcpflags syn,fin,rst,ack in recv $IFLAN
ipfw add 180 deny tcp from any to any tcpflags syn,fin,rst,ack in recv $IFWAN
# FIN alone (FIN scan)
ipfw add 190 deny tcp from any to any tcpflags fin,!syn,!rst,!ack in recv $IFLAN
ipfw add 200 deny tcp from any to any tcpflags fin,!syn,!rst,!ack in recv $IFWAN
# SYN+FIN without ACK
ipfw add 210 deny tcp from any to any tcpflags syn,fin,!rst,!ack in recv $IFLAN
ipfw add 220 deny tcp from any to any tcpflags syn,fin,!rst,!ack in recv $IFWAN
# URG alone
ipfw add 230 deny tcp from any to any tcpflags urg,!syn,!fin,!rst,!ack in recv $IFLAN
ipfw add 240 deny tcp from any to any tcpflags urg,!syn,!fin,!rst,!ack in recv $IFWAN
# P2P PORTS (eDonkey, BitTorrent, Kazaa, Gnutella and similar)
# ipfw add 250 deny tcp from any 4661-4672,6881-6889,1214,1455,5662,6346,6347,6699,6257,2234,2235,5555,4242,2323 to any in
ipfw add 260 deny udp from any 4661-4672,6881-6889,1214,1455,5662,6346,6347,6699,6257,2234,2235,5555,4242,2323 to any in
ipfw add 270 deny tcp from any to any 4661-4672,6881-6889,1214,1455,5662,6346,6347,6699,6257,2234,2235,5555,4242,2323 in
ipfw add 280 deny udp from any to any 4661-4672,6881-6889,1214,1455,5662,6346,6347,6699,6257,2234,2235,5555,4242,2323 in
# streaming by source port (SHOUTcast 8000-8050, MMS 1755, RTSP 554)
ipfw add 290 deny tcp from any 8000-8050,1755,554 to any
# VIRUS & WORM PORTS
ipfw add 300 deny tcp from any to any 135-139,445,593,1024-1030,1080,1363,27665,31335,34555 in via any
ipfw add 310 deny tcp from any to any 1364,1368,1377,1433,1434,2745,2283,2535,35555,27444 in via any
ipfw add 320 deny tcp from any to any 2745,3127,3128,3410,4444,5554,27374,666,4000,6000,6006 in via any
ipfw add 330 deny tcp from any to any 8866,9898,10000,10080,12345,17300,65506,16660 in via any
ipfw add 340 deny udp from any to any 135-139,445,4444 in via any
# NAT FOR THE INTERNAL NETWORK
# natd_enable in rc.conf only starts natd on divert port 8668; this rule is
# what hands packets crossing the WAN interface to it and cannot be left out.
ipfw add 350 divert 8668 all from any to any via $IFWAN
# BANDWIDTH CONTROL: right after NAT, so "to $LAN" sees the translated
# destination, and before the deny rules. Needs one_pass=0 (set above) so
# the packet carries on to check-state and the deny rules after the pipe.
ipfw pipe 600 config bw 160kbit/s
ipfw add 351 pipe 600 all from any to $LAN in via $IFWAN
ipfw add 352 pipe 600 tcp from any to me in via $IFLAN
# Check the dynamic rules. This must come after the divert: a reply arriving
# from the WAN only matches the state created by the keep-state rules below
# once natd has rewritten its destination back to the LAN address. As rule 1,
# ahead of NAT, it would see the untranslated packet and never match.
ipfw add 353 check-state
# CONECTIVIDADE SOCIAL: direct HTTP to these hosts, bypassing Squid.
# keep-state is needed so their replies get past rules 380/381.
ipfw add 355 allow tcp from $LAN 1024-65535 to 200.198.194.27 80 keep-state
ipfw add 356 allow tcp from $LAN 1024-65535 to 200.198.194.19 80 keep-state
ipfw add 357 allow tcp from $LAN 1024-65535 to 200.201.174.0/24 80 keep-state
# REDIRECT TO SQUID (transparent proxy on the gateway, port 3128)
ipfw add 360 fwd 127.0.0.1,3128 tcp from $LAN to any 80 via $IFLAN keep-state
# Block everything coming in from the WAN towards the LAN that no dynamic
# state has already accepted
ipfw add 380 deny tcp from any to $LAN in via $IFWAN
ipfw add 381 deny udp from any to $LAN in via $IFWAN
# Outbound access from the LAN on specific ports. Each keep-state rule here
# creates the state that lets its replies through 380/381, so every outbound
# service the LAN needs must get a rule of this form.
# SSH
ipfw add 390 allow tcp from $LAN to any 22 in via $IFLAN keep-state
# Everything not matched above is allowed: the same catch-all the ipfw show
# output earlier in this post lists as rule 65000. This allow has to be the
# LAST rule; as rule 20 at the top of the script it makes every rule after
# it unreachable, since ipfw stops at the first allow or deny that matches.
ipfw add 65000 allow ip from any to any
Done!
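ipfw orders rules by number, not by their position in the file, so an unconditional allow with a low number silently disables everything after it; the script as originally published, with `ipfw add 20 allow ip from any to any` ahead of every other rule, is the textbook case. As an added example, not part of the original post, here is a small checker that reads a script of `ipfw add` lines, orders them the way the kernel will, and reports every rule sitting behind an earlier catch-all allow or deny of everything, which can never match. It assumes the script uses a literal `ipfw add NUMBER` prefix; the ruleset in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find rules that can never match
# because a lower-numbered rule already accepts or drops every packet.

# stdin: a shell script containing "ipfw add NUMBER ACTION BODY" lines.
# stdout: the unreachable rules, in kernel evaluation order, as "NUMBER ACTION BODY".
shadowed_rules() {
    awk '
    # keep only explicit "ipfw add N action ..." lines; comments, variable
    # assignments and "ipfw pipe ... config" lines are ignored
    /^[ \t]*ipfw[ \t]+add[ \t]+[0-9]+[ \t]/ {
        c++
        num[c] = $3 + 0
        act[c] = $4
        body = ""
        for (i = 5; i <= NF; i++) body = body (i > 5 ? " " : "") $i
        rest[c] = body
        seq[c] = c
    }
    END {
        # the kernel walks rules by number and keeps insertion order for equal
        # numbers, so a stable insertion sort on (number, position) reproduces it
        for (i = 2; i <= c; i++)
            for (j = i; j > 1 && num[seq[j-1]] > num[seq[j]]; j--) {
                t = seq[j]; seq[j] = seq[j-1]; seq[j-1] = t
            }
        blocked = 0
        for (k = 1; k <= c; k++) {
            r = seq[k]
            if (blocked)
                print num[r], act[r], rest[r]
            # an allow/deny of "ip" or "all" from any to any with no further
            # qualifier ends the search for every packet that reaches it
            else if ((act[r] == "allow" || act[r] == "pass" || act[r] == "accept" ||
                      act[r] == "deny" || act[r] == "drop") &&
                     (rest[r] == "ip from any to any" || rest[r] == "all from any to any"))
                blocked = 1
        }
    }'
}
```

Usage: `shadowed_rules < /etc/ipfw.rules` prints nothing when the catch-all is the last rule by number; any output is a rule that will never see a packet. The check is syntactic and does not understand interface qualifiers, so a catch-all restricted with `via` is correctly not treated as terminal.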
