PF (pf.conf)
Configuração do firewall PF para OpenBSD
Categoria: Segurança
Software: PF
[ Hits: 14.967 ]
Por: Braulio Gomes Rodrigues
Esta é a configuração de um ótimo script de firewall usando o PF para OpenBSD, com opções de NAT's, controle de banda e filtros.
# Variaveis #----------------------------- int_int="rl0" int_ext="rl1" rede="192.168.10.0" PING = "echoreq" TCP_IN = "{ ssh, ftp, 20, 21, 443 }" #UDP_IN = "{ }" TCP_OUT = "{ ssh, 20, 21, ftp, 443, http, ntp, 8080, 5999 }" UDP_OUT = "{ domain, ntp }" # Link down="2.5Mb" uplo="2.5Mb" server2="192.168.10.10" server1="127.0.0.1" #---------------------------------------------------------------------------- # tabela de Ips internos table <baixa> { 192.168.10.1, 192.168.10.5, 192.168.10.12, 192.168.10.17, 192.168.10.21, 192.168.10.23, 192.168.10.30 192.168.10.38 192.168.10.42 } table <bmedia> { } table <media> { } table <alta> { 192.168.10.10, 192.168.10.27, 192.168.10.11 } table <center> { 192.168.254.0/24 } # normalizando os pacotes #---------------------------------------- set timeout { tcp.first 60 tcp.opening 15 tcp.established 86400 \ tcp.closing 300 tcp.finwait 15 tcp.closed 15 } set timeout { udp.first 30 udp.single 15 udp.multiple 30 } set timeout { icmp.first 10 icmp.error 5 } set timeout { other.first 30 other.single 15 other.multiple 30 } set timeout { frag 30 interval 10 } set limit { states 50000 frags 25000 } set optimization aggressive set loginterface $int_ext set loginterface $int_int set loginterface $int_ext set block-policy return set require-order yes scrub all fragment reassemble random-id no-df # Habilita enfileiramento #------------------------------------------------ # Upload altq on $int_ext cbq bandwidth $uplo queue { baixa bmedia media alta center } queue baixa bandwidth 128Kb cbq(default) queue bmedia bandwidth 128Kb priority 1 queue media bandwidth 200Kb priority 2 queue alta bandwidth 350Kb priority 3 queue center bandwidth 512Kb priority 4 # Download # define os parametros para as subfilas. altq on $int_ext cbq bandwidth $down queue { baixa_in bmedia_in media_in alta_in center_in } queue baixa_in bandwidth 200Kb cbq(default) queue bmedia_in bandwidth 200Kb priority 1 queue media_in bandwidth 300Kb priority 2 queue alta_in bandwidth 512Kb priority 3 queue center_in bandwidth 768Kb priority 4 # Fazendo o NAT nat on $int_ext from $rede to any -> $int_ext nat on $int_ext from <baixa> to any -> $int_ext nat on $int_ext from <bmedia> to any -> $int_ext nat on $int_ext from <media> to any -> $int_ext nat on $int_ext from <alta> to any -> $int_ext nat on $int_ext from <center> to any -> $int_int # Redicrecionamento #-------------------------------- rdr on $int_ext proto tcp from any to any port 8080 -> $server2 port 8080 rdr on $int_int proto tcp from any to any port 21 -> $lo port 8021 rdr on $int_ext proto tcp from any to any port 6667 -> $server2 port 6667 rdr on $int_ext proto tcp from any to any port 6891 -> $server2 port 6891 rdr on $int_ext proto tcp from any to any port 6893 -> $server2 port 6893 rdr on $int_ext proto tcp from any to any port 6900 -> $server2 port 6900 rdr on $int_ext proto tcp from any to any port 5900 -> $server2 port 5900 rdr on $int_ext proto tcp from any to any port 1213 -> $server2 port 1213 rdr on $int_ext proto tcp from any to any port 1214 -> $server2 port 1214 rdr on $int_ext proto tcp from any to any port 1832 -> $server2 port 1832 rdr on $int_ext proto tcp from any to any port 3094 -> $server2 port 3094 rdr on $int_ext proto tcp from any to any port 3622 -> $server2 port 3622 rdr on $int_ext proto udp from any to any port 1213 -> $server2 port 1213 rdr on $int_ext proto udp from any to any port 1214 -> $server2 port 1214 rdr on $int_ext proto udp from any to any port 1832 -> $server2 port 1832 rdr on $int_ext proto udp from any to any port 3094 -> $server2 port 3094 rdr on $int_ext proto udp from any to any port 3622 -> $server2 port 3622 #rdr on $int_int proto tcp from any to any port 80 -> $server1 port 3128 #rdr on $int_int proto udp from any to any port 80 -> $server1 port 3128 # ... sessão de filtragem # blockeando tudo por default block in log on $int_ext from any to any # bloqueando spoof antispoof for { $int_ext } inet # bloqueando scanners block drop in quick on { $int_ext } from any os { NMAP } # bloqueando trafego ipv6 block log quick inet6 #Liberando loopback pass quick on lo0 all # liberando ping/traceroute pass out log on $int_ext inet proto icmp all icmp-type 8 code 0 keep state pass in log on $int_ext inet proto icmp all icmp-type 8 code 0 keep state # Liberando portas #INCOMING #TCP pass in quick on $int_ext inet proto tcp from any to $int_ext port $TCP_IN flags S/SA keep state #UDP #pass in quick on $int_ext inet proto udp from any to $int_ext port $UDP_IN keep state #PING pass in quick on $int_ext inet proto icmp from any to $int_ext icmp-type $PING keep state pass in on $int_ext inet proto { tcp udp } from any to any port 22 pass in on $int_ext inet proto { tcp udp } from any to any port 21 pass in on $int_ext inet proto { tcp udp } from any to any port 20 pass in on $int_ext inet proto { tcp udp } from any to any port 25 pass in on $int_ext inet proto { tcp udp } from any to any port 53 pass in on $int_ext inet proto { tcp udp } from any to any port 80 pass in on $int_ext inet proto { tcp udp } from any to any port 443 pass in on $int_ext inet proto { tcp udp } from any to any port 110 pass in on $int_ext inet proto { tcp udp } from any to any port 8080 pass in on $int_ext inet proto { tcp udp } from any to any port 6667 pass in on $int_ext inet proto { tcp udp } from any to any port 6891 pass in on $int_ext inet proto { tcp udp } from any to any port 6893 pass in on $int_ext inet proto { tcp udp } from any to any port 6900 pass in on $int_ext inet proto { tcp udp } from any to any port 1213 pass in on $int_ext inet proto { tcp udp } from any to any port 1214 pass in on $int_ext inet proto { tcp udp } from any to any port 1832 pass in on $int_ext inet proto { tcp udp } from any to any port 3094 pass in on $int_ext inet proto { tcp udp } from any to any port 3622 pass in on $int_ext inet proto { tcp udp } from any to any port 2216 pass in on $int_ext inet proto tcp from port 20 to ($int_ext) user proxy flags S/SA keep state #OUTGOING #EXTERNAL INTERFACE #TCP pass out quick on $int_ext inet proto tcp from $int_ext to any port $TCP_OUT flags S/SA keep state #UDP pass out quick on $int_ext inet proto udp from $int_ext to any port $UDP_OUT keep state #ICMP pass out quick on $int_ext inet proto icmp from $int_ext to any icmp-type $PING keep state # Liberando acesso pass in log on $int_ext from <baixa> to any queue baixa_in pass in log on $int_ext from <bmedia> to any queue bmedia_in pass in log on $int_ext from <media> to any queue media_in pass in log on $int_ext from <alta> to any queue alta_in pass in log on $int_ext from <center> to any queue center_in pass in log on $int_ext from $baixa to any pass in log on $int_ext from $bmedia to any pass in log on $int_ext from $media to any pass in log on $int_ext from $alta to any pass in log on $int_ext from $center to any
Enviar mensagem ao usuário trabalhando com as opções do php.ini
Meu Fork do Plugin de Integração do CVS para o KDevelop
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Compartilhamento de Rede com samba em modo Público/Anônimo de forma simples, rápido e fácil
Cups: Mapear/listar todas as impressoras de outro Servidor CUPS de forma rápida e fácil
Criando uma VPC na AWS via CLI
Tem como instalar o gerenciador AMD Adrenalin no Ubuntu 24.04? (15)
Tenho dois Link's ( IP VÁLIDOS ), estou tentando fazer o failover... (0)
Pendrive não formata de jeito nenhum (4)