5.3 Ρυθμίσεις στο FreeBSD για να δουλεύει σαν Firewall
5.3.5 Λίστα αρχείων που χρησιμοποιούμε
5.3.5.1 Αρχείο firewall.conf
#include "/etc/firewall.setup"
Count traffic: count global traffic for stats.
 * ******************************************************************
*/
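/* 1x0 rules only count; "count" never terminates the search, so every packet
 * still goes through the rest of the ruleset. */
#ifdef GATEWAY
add 110 count ip from any to any via EXTERNAL_NIC in
add 120 count ip from any to any via EXTERNAL_NIC out
add 130 count ip from any to any via INTERNAL_NIC out
add 140 count ip from any to any via INTERNAL_NIC in
#else /* GATEWAY */
add 110 count ip from any to any via INTERNAL_NIC in
add 120 count ip from any to any via INTERNAL_NIC out
#endif /* GATEWAY */
/* Loopback is trusted unconditionally; nothing below applies to lo0. */
add 150 allow ip from any to any via lo0 out
add 160 allow ip from any to any via lo0 in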
/* ******************************************************************
*
Allow STATEFUL: check packets against the dynamic firewall rules.
If one matches, this usually means the IP packet is allowed through. In this case it is also added to a user counter for stats.
 * ******************************************************************
*/
/* check-state runs before the anti-spoofing (2000) and blocklist (2300)
 * checks below: a packet matching a dynamic rule created by a keep-state
 * rule (e.g. 4690) is handed straight to that rule's action (skipto 59000)
 * without revisiting them. */
add 190 check-state /* 1000 early allow
* 2000 early deny / reject
* 3000 natd + traffic shaper
* 4000 selecting for skipto 50xxx
*/
/* ******************************************************************
★
Allow local traffic: all local traffic is allowed and doesn't need to go through the rest of the firewall rules.
* ******************************************************************
*/
#ifdef GATEWAY add 1000 skipto INTERNAL_NIC
1100 ip add 1000 skipto
INTERNAL NIC
1100 ip
add 1020 allow EXTERNAL_NIC
iP add 1030 allow.
1080
ip add 1030 allow 1080
ip
#endif /* GATEWAY */
add 1010 allow INTERNAL NIC
iP
from fiXTERNAL_NET to EXTERNAL_NET via
from EXTERNAL_IP to any via EXTERNAL_NIC uid from any to EXTERNAL IP via EXTERNAL_NIC uid
from INTERNAL_NET to INTERNAL_NET via
/* Allow local services and deny alternatives. */
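#ifdef GATEWAY
/* Local DNS: resolver traffic of EXTERNAL_IP goes to the 59000 selection,
 * any other outbound DNS on the external interface is rejected.
 * NOTE(review): the second rule ("from any domain to EXTERNAL_IP") matches
 * on source port only, so any inbound UDP with source port 53 reaches the
 * selection regardless of destination port; a keep-state on the outbound
 * query would be the narrower check. */
add 1310 skipto 59000 udp from EXTERNAL_IP to any domain via EXTERNAL_NIC out
add 1310 skipto 59000 udp from any domain to EXTERNAL_IP via EXTERNAL_NIC in
add 1310 skipto 59000 udp from any to EXTERNAL_IP domain via EXTERNAL_NIC in
add 1310 skipto 59000 udp from EXTERNAL_IP domain to any via EXTERNAL_NIC out
add 1310 reject udp from any to any domain via EXTERNAL_NIC out
/* Local NTP: same pattern, but both source and destination port are pinned. */
add 1320 skipto 59000 udp from EXTERNAL_IP ntp to any ntp via EXTERNAL_NIC out
add 1320 skipto 59000 udp from any ntp to EXTERNAL_IP ntp via EXTERNAL_NIC in
add 1320 reject udp from any to any ntp via EXTERNAL_NIC out
#endif /* GATEWAY */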
via
add 1330 reject
♦ Λ**************************’*************
udp from any bootpc to any bootps
jit ******** *****************
*
Deny spoofing: filter out packets with a private IP address, excluding those of our own.
* ******************************************************************
*/
#ifdef GATEWAY
add 2000 skipto 2100 ip add 2000 skipto 2100 ip out
add 2000 skipto 2100 ip add 2000 skipto 2100 ip in
add 2000 skipto 2100 ip out
#else /* GATEWAY */
add 2000 skipto 2100 ip in
add 2000 skipto 2100 ip out
fendif
add 2010 deny ip add 2010 deny ip add 2010 deny ip add 2010 deny ip add 2010 deny ip add 2020 reject ip add 2020 reject ip add 2020 reject ip add 2020 reject ip add 2020 reject ip /* Portsentry */
from any to any via INTERNALNIC
from INTERNAL_NET to any via EXTERNAL_NIC from any to INTERNAL_NET via EXTERNAL_NIC from EXTERNAL NET to any via EXTERNALNIC from any to EXTERNA1_NET via EXTERNAL_NIC from INTERNAL NET to any via INTERNAL_NIC from any to INTERNAL_NET via INTERNAL_NIC from 10.0.0.0/8 to any in
from 127.0.0.0/8 to any in from 172.0.0.0/12 to any in from 192.0.2.0/24 to any in from 192.168.0.0/16 to any in from any to i o.o.o.0/8 out from a n y to 127.0.0 .0/8
from any to 172.0.0 .0/12 out
out from any to 192.0.2.0/24 out from any to 192.168.0.0/16 out
add 2100 skipto 2200 add 2100 skipto 2200
tfifdef GATEWAY
add 2100 skipto 2200
#endif /* GATEWAY * /
ip from any to any via INTERNAL NIC
ip from INTERNALNET to any via EXTERNAL_NIC ip from EXTERNALNET to any via EXTERNAL NIC /* ***************** ***********************************************ΛΑ
*
Blocklist: filter out packets whose IP address exists on a blacklist produced by an external blocklist program.
* ******************************************************************
*/
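/* reserve 2200 for the whitelist */
/* Traffic that bypasses the blocklist: LAN-to-LAN on the inside interface
 * and the 192.168.31.128/25 range in both directions. */
add 2290 skipto 2500 ip from INTERNAL_NET to INTERNAL_NET via INTERNAL_NIC
add 2291 skipto 2500 ip from 192.168.31.128/25 to any
add 2292 skipto 2500 ip from any to 192.168.31.128/25
/* blocklist */
/* NOTE(review): 2300/2400 are only the entry points; presumably the external
 * blocklist program inserts its deny rules in between - confirm the numbers
 * it uses land before 2500, otherwise the skiptos above do not exempt them. */
add 2300 skipto 2400 ip from any to any out
add 2400 skipto 2500 ip from any to any in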
/* Temporary Pay Block */
#ifdef TEMP_BLOCK tifdef GATEWAY add 2900 reject log add 2900 deny log
#else /* GATEWAY */
add 2900 skipto 59000 state
add 2900 reject log add 2900 deny log
#endif f * GATEWAY */
♦endif /* TEMP BLOCK */
/* socks via skip */
ip from ip from ip from ip from ip from
from me to any via INTERNAL_NIC out keep-
/* Selecting traffic shaping and natd traffic */
lifdef GATEWAY
add 3000 skipto 3400 add 3000 skipto 3400 EXTERNALNIC
add 3000 skipto 3400
#endif /* GATEWAY */
ip from any to any via INTERNALNIC ip from EXTERNAL_NET to EXTERNAL NET via ip from PUBLIC_IP to any via EXTERNAL_NIC /* Traffic shaping up */
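#ifdef TRAFFIC_SHAPER
/* Upstream shaper: one pipe at BANDWIDTH_UP, shared per source IP.
 * queue 1 (weight 1) carries bulk traffic, queue 2 (weight 100) interactive. */
pipe 1 config queue QUEUE_UP bw BANDWIDTH_UP
queue 1 config queue QUEUE_UP pipe 1 mask src-ip 0xffffffff weight 1 mask all
queue 2 config queue QUEUE_UP pipe 1 mask src-ip 0xffffffff weight 100
/* Only traffic leaving on EXTERNAL_NIC is shaped; everything else continues at 3200. */
add 3100 skipto 3110 ip from any to any out via EXTERNAL_NIC
add 3100 skipto 3200 ip from any to any
/* Interactive class: small ACKs, RST/URG and small packets on 22,80,1080. */
add 3110 skipto 3120 tcp from any to any tcpflags ack iplen 0-80
add 3110 skipto 3120 tcp from any to any tcpflags rst
add 3110 skipto 3120 tcp from any to any tcpflags urg
add 3110 skipto 3120 tcp from any to any 22,80,1080 iplen 0-1024
add 3110 skipto 3120 tcp from any 22,80,1080 to any iplen 0-1024
add 3110 queue 1 ip from any to any
/* The skipto after each queue only matters when net.inet.ip.fw.one_pass is 0
 * and the packet re-enters the ruleset after the queue. */
add 3110 skipto 3190 ip from any to any
add 3120 queue 2 ip from any to any
add 3120 skipto 3190 ip from any to any
#endif /* TRAFFIC_SHAPER */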
/* Passing through natd */
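#ifdef GATEWAY
/* Everything not sourced from our own address, and everything not destined
 * to PUBLIC_IP, is diverted to natd; only traffic between the two skips NAT. */
add 3200 skipto 3210 ip from not EXTERNAL_IP to any
add 3200 skipto 3210 ip from any to not PUBLIC_IP
add 3200 skipto 3290 ip from any to any
add 3210 divert natd ip from any to any
/* Translated traffic addressed to PUBLIC_IP joins the non-natd path at 3400. */
add 3220 skipto 3400 ip from any to PUBLIC_IP
#endif /* GATEWAY */
/* Traffic shaping down (for natd traffic) */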
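#ifdef TRAFFIC_SHAPER
/* Downstream shaper for natd traffic: one pipe at BANDWIDTH_DOWN, shared per
 * destination IP. queue 3 (weight 1) is bulk, queue 4 (weight 100) interactive. */
pipe 2 config queue QUEUE_DOWN bw BANDWIDTH_DOWN
queue 3 config queue QUEUE_DOWN pipe 2 mask dst-ip 0xffffffff weight 1 mask all
queue 4 config queue QUEUE_DOWN pipe 2 mask dst-ip 0xffffffff weight 100
/* Only traffic arriving on EXTERNAL_NIC is shaped; everything else continues at 3390. */
add 3300 skipto 3310 ip from any to any in via EXTERNAL_NIC
add 3300 skipto 3390 ip from any to any
/* Interactive class: small ACKs, RST/URG and small packets on 80,22,1080. */
add 3310 skipto 3320 tcp from any to any tcpflags ack iplen 0-80
add 3310 skipto 3320 tcp from any to any tcpflags rst
add 3310 skipto 3320 tcp from any to any tcpflags urg
add 3310 skipto 3320 tcp from any to any 80,22,1080 iplen 0-1024
add 3310 skipto 3320 tcp from any 80,22,1080 to any iplen 0-1024
add 3310 queue 3 ip from any to any
add 3310 skipto 3390 ip from any to any
add 3320 queue 4 ip from any to any
add 3320 skipto 3390 ip from any to any
#endif /* TRAFFIC_SHAPER */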
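/* Allow traffic going through natd */
#ifdef GATEWAY
/* NOTE(review): anything natd hands back that is not addressed to PUBLIC_IP
 * is accepted here and never reaches the 4xxx stateful rules; the NAT table
 * is the only state check on that path, so this relies on natd not passing
 * unsolicited inbound packets (e.g. its deny_incoming option) - confirm the
 * natd configuration. */
add 3390 allow ip from any to any
#endif /* GATEWAY */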
/* Traffic shaping down (for non-natd traffic) */
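#ifdef TRAFFIC_SHAPER
/* Same classification as 33xx, reusing queues 3 and 4, for inbound traffic
 * that did not go through natd. */
add 3400 skipto 3410 ip from any to any in via EXTERNAL_NIC
add 3400 skipto 3450 ip from any to any
add 3410 skipto 3420 tcp from any to any tcpflags ack iplen 0-80
add 3410 skipto 3420 tcp from any to any tcpflags rst
add 3410 skipto 3420 tcp from any to any tcpflags urg
add 3410 skipto 3420 tcp from any to any 80,22,1080 iplen 0-1024
add 3410 skipto 3420 tcp from any 80,22,1080 to any iplen 0-1024
add 3410 queue 3 ip from any to any
add 3410 skipto 3490 ip from any to any
add 3420 queue 4 ip from any to any
add 3420 skipto 3490 ip from any to any
#endif /* TRAFFIC_SHAPER */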
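/* IP Rules */
/* On a gateway, traffic on the external interface skips the 40xx range;
 * presumably 4001-4099 and 4101-4199 are filled by the included user files. */
#ifdef GATEWAY
add 4000 skipto 4100 ip from any to any via EXTERNAL_NIC
#endif /* GATEWAY */
/* User Rules */
#ifdef GATEWAY
add 4100 skipto 4200 ip from any to any via INTERNAL_NIC
#endif /* GATEWAY */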
/* STATEFUL Firewall */
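/* SYN and FIN set together is never a valid segment; drop it silently. */
add 4600 deny tcp from any to any in tcpflags syn,fin
#ifdef GATEWAY
/* NOTE(review): 4610 targets 1900, a number below the current rule. ipfw
 * skipto continues with the first *subsequent* rule numbered >= target, so
 * this may simply fall through to 4620 instead of jumping - confirm intent. */
add 4610 skipto 1900 ip from any to any via INTERNAL_NIC
#endif /* GATEWAY */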
#ifdef OWN DOMAIN add 4620 skipto 59100 add 4620 skipto 59600
#endif /* OWNDO M A I N *
#ifdef OWN_NTP
add 4630 skipto 59000 add 4630 skipto 59000 add 4630 skipto 59000 tendif /* OWN NTP */
frifdef ENABLE_SSH add 4640 skipto 59100 add 4640 skipto 59600
#endif /* ENABLE SSH *
#ifdef ENABLE_HTTP add 4650 skipto 59100 add 4650 skipto 59600
#endi f /* ENABLE_HTTP
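/* Deny ICMP type 3 outgoing */
/* NOTE(review): this also drops "fragmentation needed" (type 3 code 4), which
 * path MTU discovery depends on; consider allowing icmptypes 3 with that code
 * or restricting the reject to the unreachable codes you actually want hidden. */
add 4660 reject icmp from any to any out icmptypes 3
/* Allow pings */
add 4670 skipto 59000 icmp from PUBLIC_IP to any out icmptypes 8
add 4670 skipto 59000 icmp from any to PUBLIC_IP in icmptypes 0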
/*
udp from udp f rom
udp from u dp from udp f rom
tcp from tcp f rom
tcp f rom tcp
7
from
add
*/
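/* Allow traceroutes: outbound ICMP from PUBLIC_IP goes to the selection,
 * TTL-exceeded and unreachable replies come back via 59500.
 * NOTE(review): "log" on the first 4680 rule covers every outbound ICMP from
 * PUBLIC_IP, not only traceroute probes - expect noise in the log. */
add 4680 skipto 59000 icmp log from PUBLIC_IP to any out
add 4680 skipto 59500 icmp from any to PUBLIC_IP in icmptypes 11
add 4680 skipto 59500 icmp from any to PUBLIC_IP in icmptypes 3
/* Allow traffic out and back in again */
/* Outbound connections from PUBLIC_IP create dynamic rules; the replies are
 * then matched by check-state (190) and get this same skipto 59000 action. */
add 4690 skipto 59000 tcp from PUBLIC_IP to any out setup keep-state
add 4690 skipto 59000 udp from PUBLIC_IP to any out keep-state
add 4690 skipto 59000 icmp from PUBLIC_IP to any out keep-state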
/* selecting */
a d d d 4 9 0 0 L s k i p t o _ 5 9 0 0 0 t c p f r o m a n y t o P U B L I C _ I P A L L O W _ I N _ T C P i n k e e p - s t a t e
♦ e n d i f / * A L L O W _ I N _ U D P * /
l d d d 4 9 0 0 L s k i 5 t o _ 5 9 0 0 0 u d p f r o m a n y t o P U B L I C _ I P A L L O W _ I N _ U D P i n k e e p - s t a t e
♦ e n d i f t * A L L O W _ I N _ U D P * /
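/* Deny everything else */
/* Inside and our own outbound traffic get an ICMP unreachable back (reject),
 * everything that is left - in particular unsolicited inbound on the
 * external interface - is dropped silently (deny). */
#ifdef GATEWAY
add 4997 reject ip from any to any in via INTERNAL_NIC
add 4998 reject ip from any to any out via EXTERNAL_NIC
#else /* GATEWAY */
add 4998 reject ip from any to any out via INTERNAL_NIC
#endif /* GATEWAY */
add 4999 deny ip from any to any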
/* ******************************************************************
 *
* Pay Traffic: Local Counter
*********************************************************************
*/
#ifndef BANDWIDTH_UP_LIMITED
tdefine BANDWIDTH_UP_LIMITED BANDWIDTHJJP 4 0ncii f
nine 3 config queue QUEUE UP bw BANDWIDTH UP_LIMITED
qieue 5 conf?g^ueue QUEuI_UP pipe 3 mask src-ip OxfCfffCff «eught 1
#ifndef BANDWIDTH_DOWN_LIMITED
#define BANDW1DTH_D0WN_LIMITED BANDWIDTH_DOWN Hpnrlif
pipe 4 config queue QUEUE J50WN bw BANDWIDTH_DOWN LIMITED
queue 6 config queue QUEUE_DOWN pipe 4 mask dst-ip Oxffffffff weight 1
59499 idefine IPAJJSERIP PUBLIC_IP
♦define IPFW_SELECT 59000
#define IPFW_DOWN 59100 tdefine IPFW_DOWN_ALLOW tdefine IPFW_UP 59600 tdefine IPFW UP ALLOW 59999 finclude "/etc/firewall.user”
#include "/etc/firewall.users_config"
/* tinclude "/etc/firewall.whitelist" */