PF (pf.conf)
PF firewall configuration for OpenBSD
Category: Security
Software: PF
By: Braulio Gomes Rodrigues
This is the configuration of a very good firewall script using PF on OpenBSD, with NAT, bandwidth control and filtering.
# Macros
#-----------------------------
int_int="rl0"
int_ext="rl1"
# internal network (the original had "192.168.10.0" with no mask, which pf
# reads as a single host address, so the NAT rule below matched only that one)
rede="192.168.10.0/24"
PING = "echoreq"
TCP_IN = "{ ssh, ftp, 20, 21, 443 }"
#UDP_IN = "{ }"
TCP_OUT = "{ ssh, 20, 21, ftp, 443, http, ntp, 8080, 5999 }"
UDP_OUT = "{ domain, ntp }"

# Link
down="2.5Mb"
uplo="2.5Mb"
server2="192.168.10.10"
server1="127.0.0.1"
#----------------------------------------------------------------------------

# tables of internal IPs
table <baixa> { 192.168.10.1, 192.168.10.5, 192.168.10.12, 192.168.10.17, \
    192.168.10.21, 192.168.10.23, 192.168.10.30, 192.168.10.38, 192.168.10.42 }
table <bmedia> { }
table <media> { }
table <alta> { 192.168.10.10, 192.168.10.27, 192.168.10.11 }
table <center> { 192.168.254.0/24 }

# packet normalization, timeouts and limits
#----------------------------------------
set timeout { tcp.first 60 tcp.opening 15 tcp.established 86400 \
    tcp.closing 300 tcp.finwait 15 tcp.closed 15 }
set timeout { udp.first 30 udp.single 15 udp.multiple 30 }
set timeout { icmp.first 10 icmp.error 5 }
set timeout { other.first 30 other.single 15 other.multiple 30 }
set timeout { frag 30 interval 10 }
set limit { states 50000 frags 25000 }
set optimization aggressive
# only one loginterface is active at a time; the original set it three
# times and the last value ($int_ext) won
set loginterface $int_ext
set block-policy return
set require-order yes
scrub all fragment reassemble random-id no-df

# Enable queueing
#------------------------------------------------
# Upload: queues on the external interface
altq on $int_ext cbq bandwidth $uplo queue { baixa bmedia media alta center }
queue baixa bandwidth 128Kb cbq(default)
queue bmedia bandwidth 128Kb priority 1
queue media bandwidth 200Kb priority 2
queue alta bandwidth 350Kb priority 3
queue center bandwidth 512Kb priority 4

# Download: queues on the internal interface, where traffic bound for the LAN
# leaves the firewall. The original declared this second altq on $int_ext as
# well; an interface can carry only one altq definition (and one default queue).
altq on $int_int cbq bandwidth $down queue { baixa_in bmedia_in media_in alta_in center_in }
queue baixa_in bandwidth 200Kb cbq(default)
queue bmedia_in bandwidth 200Kb priority 1
queue media_in bandwidth 300Kb priority 2
queue alta_in bandwidth 512Kb priority 3
queue center_in bandwidth 768Kb priority 4

# NAT
nat on $int_ext from $rede to any -> $int_ext
nat on $int_ext from <baixa> to any -> $int_ext
nat on $int_ext from <bmedia> to any -> $int_ext
nat on $int_ext from <media> to any -> $int_ext
nat on $int_ext from <alta> to any -> $int_ext
nat on $int_ext from <center> to any -> $int_int

# Redirection
#--------------------------------
# FTP clients on the LAN go through the local ftp-proxy on 127.0.0.1:8021
# (the original used the undefined macro $lo here)
rdr on $int_int proto tcp from any to any port 21 -> $server1 port 8021
# ports forwarded unchanged to $server2 (the original had one rdr per port)
rdr on $int_ext proto tcp from any to any port { 8080, 6667, 6891, 6893, 6900, 5900 } -> $server2
rdr on $int_ext proto { tcp, udp } from any to any port { 1213, 1214, 1832, 3094, 3622 } -> $server2
#rdr on $int_int proto tcp from any to any port 80 -> $server1 port 3128
#rdr on $int_int proto udp from any to any port 80 -> $server1 port 3128

# ... filtering section
# block everything by default
block in log on $int_ext from any to any
# block spoofing
antispoof for { $int_ext } inet
# block scanners (OS fingerprinting only applies to TCP SYN packets)
block drop in quick on $int_ext proto tcp from any os { NMAP }
# block IPv6 traffic
block log quick inet6
# allow loopback
pass quick on lo0 all
# allow ping/traceroute
pass out log on $int_ext inet proto icmp all icmp-type 8 code 0 keep state
pass in log on $int_ext inet proto icmp all icmp-type 8 code 0 keep state

# Open ports
#INCOMING
#TCP
pass in quick on $int_ext inet proto tcp from any to $int_ext port $TCP_IN flags S/SA keep state
#UDP
#pass in quick on $int_ext inet proto udp from any to $int_ext port $UDP_IN keep state
#PING
pass in quick on $int_ext inet proto icmp from any to $int_ext icmp-type $PING keep state
# the original listed these as one rule per port; a port list expands to the same rules
pass in on $int_ext inet proto { tcp udp } from any to any port { 22 21 20 25 53 80 443 110 \
    8080 6667 6891 6893 6900 1213 1214 1832 3094 3622 2216 }
# active-mode FTP data connections for the ftp-proxy (runs as user proxy)
pass in on $int_ext inet proto tcp from port 20 to ($int_ext) user proxy flags S/SA keep state

#OUTGOING
#EXTERNAL INTERFACE
#TCP
pass out quick on $int_ext inet proto tcp from $int_ext to any port $TCP_OUT flags S/SA keep state
#UDP
pass out quick on $int_ext inet proto udp from $int_ext to any port $UDP_OUT keep state
#ICMP
pass out quick on $int_ext inet proto icmp from $int_ext to any icmp-type $PING keep state

# Allow LAN access, one queue per class. Hosts in these tables enter on the
# internal interface, so the original rules (written "on $int_ext") never
# matched; keep state puts the return (download) traffic into the *_in queue
# when it leaves $int_int.
pass in log on $int_int from <baixa> to any queue baixa_in keep state
pass in log on $int_int from <bmedia> to any queue bmedia_in keep state
pass in log on $int_int from <media> to any queue media_in keep state
pass in log on $int_int from <alta> to any queue alta_in keep state
pass in log on $int_int from <center> to any queue center_in keep state
# The original ended with the same five rules written as $baixa, $bmedia,
# $media, $alta and $center; those are tables, not macros, so pfctl rejects
# the file. They also duplicated the rules above and were dropped.
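A pre-flight check added here (not part of the posted script): a small Python linter for the three kinds of error the original file contained, an undefined macro ($lo), a table referenced with macro syntax ($baixa) and altq declared twice on one interface. The pf.conf fragment is constructed for the example; on a real file this runs before `pfctl -nf`, which stays the authoritative check.

```python
import re

# Constructed pf.conf fragment reproducing the mistakes of the posted script:
# undefined macro $lo, table used as macro ($baixa), altq twice on $int_ext.
SAMPLE_PF_CONF = """\
int_int="rl0"
int_ext="rl1"
server1="127.0.0.1"
table <baixa> { 192.168.10.1, 192.168.10.5 }
altq on $int_ext cbq bandwidth 2.5Mb queue { baixa alta }
altq on $int_ext cbq bandwidth 2.5Mb queue { baixa_in alta_in }
rdr on $int_int proto tcp from any to any port 21 -> $lo port 8021
pass in on $int_int from <baixa> to any queue baixa_in
pass in on $int_int from $baixa to any
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"')   # name = "value"
TABLE_DEF = re.compile(r'^\s*table\s+<([^>]+)>')        # table <name> ...
MACRO_REF = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')       # $name or ${name}
TABLE_REF = re.compile(r'<([^>]+)>')                    # <name>
ALTQ_DEF = re.compile(r'^\s*altq\s+on\s+(\S+)')         # altq on iface ...


def lint_pf_conf(text):
    """Return [(line_no, message), ...]; definitions must precede use, as in pfctl."""
    macros, tables, altq_ifaces, problems = set(), set(), set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0]          # drop trailing comments
        if not line.strip():
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros.add(m.group(1))
        t = TABLE_DEF.match(line)
        if t:
            tables.add(t.group(1))
        for ref in MACRO_REF.findall(line):
            if ref not in macros:
                hint = f" (it is a table; write <{ref}>)" if ref in tables else ""
                problems.append((no, f"undefined macro ${ref}{hint}"))
        for ref in TABLE_REF.findall(line):
            if ref not in tables:
                problems.append((no, f"undefined table <{ref}>"))
        a = ALTQ_DEF.match(line)
        if a:
            if a.group(1) in altq_ifaces:
                problems.append((no, f"altq already defined on {a.group(1)}"))
            altq_ifaces.add(a.group(1))
    return problems
```

Run `lint_pf_conf(open("/etc/pf.conf").read())` on the real file; the sample reports lines 6, 7 and 9.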