firewall conversion

1. firewall conversion

Gilcimar Erthal
gil

(uses Debian)

Sent on 04/11/2010 - 09:01h

Hi everyone, how are you? I need your help: since I know very little about firewalls, I need to convert my firewall, which today runs on pf, to iptables. As I work more with Linux, I prefer a platform I know better. Here is my pf firewall:

###########################
# Variables/Macros/Tables #
###########################

## External network interface
ext_if="{ fxp0 }"

## Internal network interface
int_if="{ fxp1 }"

## QM VPN interface
vpn_matriz="{ tun0 }"

## Headquarters IP
ip_matriz="{ xxx.xxx.xxx.xx/29 }"

## Headquarters internal network
lan_matriz="{ 192.168.1.64/24 }"

## QM branch internal network
lan_qm="{ 192.168.2.0/24 }"

## headquarters admins
admin_matriz="{ 192.168.1.76, 192.168.1.77, 192.168.1.8 }"

## Denied addresses RFC 1918
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/26, 172.16.0.0/12 }

## INET abuse addresses
table <abuso_inet>

## DNS server
dmz_dns1="{ 192.168.1.69 }"
int_dns1="{ 192.168.2.1 }"

## SMTP server
dmz_smtp1="{ 192.168.0.34 }"

## POP server
dmz_pop1="{ 192.168.0.34 }"

## HTTP server
dmz_http1="{ 192.168.0.34 }"
int_http1="{ 192.168.1.69 }"

## FTP server
dmz_ftp1="{ 192.168.0.34 }"

## External firewall server
ext_fw1="{ xxx.xxx.xxx.xx }"
int_fw1="{ 192.168.2.1 }"

## Internal proxy server
int_prxhttp1="{ 192.168.2.1 }"

## Jabber server
int_jabber1="{ 192.168.1.7 }"

## Internal DHCP server
int_dhcp1="{ 192.168.2.1 }"

## VPN server
ext_vpn1="{ xxx.xxx.xxx.xx }"

## WTS server
int_wts1="{ 192.168.1.8 }"
matriz_wts1="{ 192.168.1.8 }"
spweb="{ 192.168.1.8, 192.168.1.69 }"

## QM firewall server
qmsvfw_int="{ 192.168.2.1 }"

## Serial converter
lan_cv01="{ 192.168.2.16, 192.168.2.17 }"

## Nota Fiscal Digital (electronic invoice)
qmpcfa="{ 192.168.2.62, 192.168.2.21 }"

###########
# Options #
###########

set block-policy drop
#set debug none
set fingerprints "/etc/pf.os"
set limit frags 7000
set limit src-nodes 15000
set limit states 15000
set loginterface none
set optimization normal
#set state-policy if-bound
set timeout interval 10
set timeout frag 30
set timeout src.track 0
set skip on lo0
set reassemble yes

#################
# Normalization #
#################

match in log all scrub (random-id min-ttl 254 max-mss 1452 reassemble tcp)

##################################
# Priority and bandwidth control #
##################################

altq on $ext_if cbq bandwidth 1480Kb queue { vpn_ext, internet_ext }
queue vpn_ext bandwidth 1280Kb priority 7 cbq(default)
queue internet_ext bandwidth 200Kb priority 0

altq on $int_if cbq bandwidth 1480Kb queue { vpn, internet_int }
queue vpn bandwidth 1000Kb { sis_int, voip_int, outros_int }
queue sis_int bandwidth 800Kb priority 6 cbq(red borrow)
queue outros_int bandwidth 200Kb priority 6 cbq(red)
queue internet_int bandwidth 200Kb priority 0 cbq(default borrow)

##########
# Anchor #
##########
anchor "ftp-proxy/*"

###########################
# INBOUND filters $ext_if #
###########################

## Default policy
block log all

## Antispoof
antispoof log for $ext_if inet
antispoof log for $int_if inet

## Block RFC1918
block in quick on $ext_if from <rfc1918> to any

## INET abuse
block in log quick from <abuso_inet> to any

## ssh - xx tcp
pass in log on $ext_if proto tcp from $ip_matriz to $ext_fw1 port xx flags S/SA keep state queue vpn_ext

###########################
# OUTBOUND filter $ext_if #
###########################

## Allow LAN traffic
pass out log on $ext_if tagged LAN_INET flags S/SA keep state queue internet_ext nat-to $ext_fw1

## ftp - xx tcp (ftp-proxy traffic)
pass out log on $ext_if proto tcp from $ext_fw1 to any port xx user proxy flags S/SA keep state queue internet_ext nat-to $ext_fw1

## dns - xx udp
pass out log on $ext_if proto udp from $ext_fw1 to any port xx user named keep state queue internet_ext nat-to $ext_fw1

## http - xxx tcp
pass out log on $ext_if proto tcp from $ext_fw1 to any port xxx user _squid keep state queue internet_ext nat-to $ext_fw1

## https - xx tcp
pass out log on $ext_if proto tcp from $ext_fw1 to any port xx user _squid keep state queue internet_ext nat-to $ext_fw1

## vpn - xxx udp
pass out log on $ext_if proto udp from $ext_fw1 to $ext_vpn1 port xxx user _openvpn keep state queue vpn_ext nat-to $ext_fw1

##########################
# INBOUND filter $int_if #
##########################

## ftp proxy - xx tcp
pass in log on $int_if proto tcp from $lan_qm to $int_fw1 port xx flags S/SA keep state rdr-to 127.0.0.1 port xxxx

## ssh - xx tcp
pass in log quick on $int_if proto tcp from $admin_matriz to $qmsvfw_int port xx flags S/SA keep state queue sis_int

## smtp - xx tcp
pass in log on $int_if proto tcp from $lan_qm to $dmz_smtp1 port xx tag LAN_VPN_QM flags S/SA keep state queue outros_int

## dns - xx tcp/udp
pass in log on $int_if proto udp from $lan_qm to $int_dns1 port xx keep state queue outros_int

## http - xx tcp
pass in log quick on $int_if proto tcp from $lan_qm to $dmz_http1 port xx tag LAN_VPN_QM flags S/SA keep state queue outros_int
pass in log quick on $int_if proto tcp from $lan_qm to $int_http1 port xx tag LAN_VPN_QM flags S/SA keep state queue outros_int
pass in log on $int_if proto tcp from $int_prxhttp1 to any port xx tag LAN_INET flags S/SA keep state queue internet_int

## squid proxy - xxx tcp
pass in log on $int_if proto tcp from $lan_qm to $int_prxhttp1 port xxx tag LAN_INET flags S/SA keep state queue internet_int

## pop3 - xx tcp
pass in log on $int_if proto tcp from $lan_qm to $dmz_pop1 port xx tag LAN_VPN_QM flags S/SA keep state queue outros_int

## https - xxxx tcp
pass in log on $int_if proto tcp from $int_prxhttp1 to any port xxxx tag LAN_INET flags S/SA keep state queue internet_int

## netbios/smb - xx xxx tcp
pass in log on $int_if proto tcp from $lan_qm to $lan_matriz port { xx, xxx } tag LAN_VPN_QM flags S/SA keep state queue outros_int

## rdesktop - xxx tcp
pass in log on $int_if proto tcp from $lan_qm to $int_wts1 port xxx tag LAN_VPN_QM flags S/SA keep state queue sis_int

## jabber - xxx tcp
pass in log on $int_if proto tcp from $lan_qm to $int_jabber1 port xxx tag LAN_VPN_QM flags S/SA keep state queue outros_int

## Finance printer - xxxx tcp
pass in log on $int_if proto tcp from $lan_qm to 192.168.1.227 port xxxx tag LAN_VPN_QM flags S/SA keep state queue outros_int
pass in log on $int_if proto udp from $lan_qm to 192.168.1.227 port xxx tag LAN_VPN_QM keep state queue outros_int

###########################
# OUTBOUND filter $int_if #
###########################

## Allow INET to LAN
pass out log on $int_if tagged INET_LAN keep state

## Allow VPN_QM_LAN
pass out log on $int_if tagged VPN_QM_LAN keep state

##########################
# INBOUND filter $vpn_qm #
##########################

## ssh - x tcp
pass in log on $vpn_matriz proto tcp from $admin_matriz to $lan_qm port x tag VPN_QM_LAN flags S/SA keep state queue sis_int

## netbios/smb - xx xxx tcp
pass in log on $vpn_matriz proto tcp from $lan_matriz to $lan_qm port { xx, xxx } tag VPN_QM_LAN flags S/SA keep state queue outros_int

## rdesktop - xxx tcp
pass in log on $vpn_matriz proto tcp from $admin_matriz to $lan_qm port xxx tag VPN_QM_LAN flags S/SA keep state queue sis_int

## dns slave - xx udp/tcp
pass in log on $vpn_matriz proto { tcp, udp } from $dmz_dns1 to $int_dns1 port xx flags S/SA keep state queue outros_int

## Serial converter - xx udp/tcp
pass in log on $vpn_matriz proto { tcp } from $lan_matriz to $lan_cv01 port xx tag VPN_QM_LAN flags S/SA keep state queue outros_int
pass in log on $vpn_matriz proto icmp from $lan_matriz to $lan_cv01 tag VPN_QM_LAN queue outros_int

## NFE - xxx/xxx tcp
pass in log on $vpn_matriz proto tcp from $matriz_wts1 to $qmpcfa port xxx tag VPN_QM_LAN flags S/SA keep state queue outros_int
pass in log on $vpn_matriz proto tcp from $matriz_wts1 to $qmpcfa port xxx tag VPN_QM_LAN flags S/SA keep state queue outros_int

###########################
# OUTBOUND filter $vpn_qm #
###########################

## dns slave - xx udp/tcp
pass out log on $vpn_matriz proto { tcp, udp } from $int_dns1 to $dmz_dns1 port xx flags S/SA keep state

## LAN_VPN_QM
pass out log on $vpn_matriz tagged LAN_VPN_QM keep state

## www int - xxx tcp
pass out log quick on $vpn_matriz proto tcp from $int_prxhttp1 to $dmz_http1 port xxx tag LAN_VPN_QM flags S/SA keep state
pass out log quick on $vpn_matriz proto tcp from $int_prxhttp1 to $spweb port xxx tag LAN_VPN_QM flags S/SA keep state
##################################################

If anyone can help me, I'd appreciate it

Gil
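As an added illustration (this is not part of gil's post or his pf.conf), the shell script below shows how a representative subset of the ruleset above maps onto iptables: the default-drop policy, "keep state" via conntrack, the <rfc1918> table as one drop per entry on the external interface, the admin ssh rule with "flags S/SA", and the tag/tagged plus nat-to pair as a fwmark plus SNAT. The interface names (eth0/eth1), the ssh port (22) and the 203.0.113.x addresses are placeholders for the values the post shows as fxp0/fxp1, xx and xxx.xxx.xxx.xx. IPT defaults to "echo iptables", so running the script only prints the commands; set IPT=iptables and run it as root to load them. The ALTQ queues, the ftp-proxy anchor, scrub and the per-user rules have no one-to-one equivalent and are deliberately not translated here.

```shell
#!/bin/sh
# Added example, not from the thread: iptables counterparts for a subset of the
# pf ruleset in post 1. Dry-run by default (prints commands); IPT=iptables loads them.
: "${IPT:=echo iptables}"

# Placeholders for the values the post redacts (fxp0/fxp1, xxx.xxx.xxx.xx, port xx).
ext_if="eth0"               # pf: $ext_if = fxp0
int_if="eth1"               # pf: $int_if = fxp1
ext_fw1="203.0.113.10"      # pf: $ext_fw1 (public address, redacted in the post)
ip_matriz="203.0.113.0/29"  # pf: $ip_matriz (the /29 the post redacts)
lan_qm="192.168.2.0/24"     # pf: $lan_qm
ssh_port="22"               # assumption: the post writes the port as "xx"

# pf: "set block-policy drop" + "block log all" -> DROP policies; "set skip on lo0"
default_drop() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

# pf adds "keep state" to each pass rule; iptables needs one conntrack rule per
# chain, placed before the NEW-state rules so that replies are accepted.
allow_established() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
}

# pf: block in quick on $ext_if from <rfc1918> to any
# Same entries as the post's <rfc1918> table, one rule each (an ipset would do
# the same in one rule). iptables is first-match, so these must precede any
# ACCEPT on the external interface, just as "quick" does in pf.
block_rfc1918_on_ext() {
    for net in 127.0.0.0/8 192.168.0.0/26 172.16.0.0/12; do
        $IPT -A INPUT   -i "$ext_if" -s "$net" -j DROP
        $IPT -A FORWARD -i "$ext_if" -s "$net" -j DROP
    done
}

# pf: pass in on $ext_if proto tcp from $ip_matriz to $ext_fw1 port xx flags S/SA keep state
# "flags S/SA" (only a SYN may open a state) becomes --syn on the NEW rule.
allow_admin_ssh_from_hq() {
    $IPT -A INPUT -i "$ext_if" -p tcp --syn -s "$ip_matriz" -d "$ext_fw1" \
        --dport "$ssh_port" -m conntrack --ctstate NEW -j ACCEPT
}

# pf: "tag LAN_INET" on the inbound $int_if rules and
#     "pass out on $ext_if tagged LAN_INET ... nat-to $ext_fw1" on the way out.
# iptables has no tags; a fwmark set in mangle/PREROUTING plays the same role,
# and nat-to becomes SNAT in nat/POSTROUTING.
allow_lan_inet_with_nat() {
    $IPT -t mangle -A PREROUTING -i "$int_if" -s "$lan_qm" -j MARK --set-mark 1
    $IPT -A FORWARD -o "$ext_if" -m mark --mark 1 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$lan_qm" -j SNAT --to-source "$ext_fw1"
}

# Order matters: policies, conntrack, bogon drops, then the explicit accepts.
apply_all() {
    default_drop
    allow_established
    block_rfc1918_on_ext
    allow_admin_ssh_from_hq
    allow_lan_inet_with_nat
}

apply_all
```

The one habit that does not carry over is pf's last-match semantics: in pf a later rule wins unless an earlier one says "quick", whereas iptables stops at the first match in a chain. When translating the rest of the file, rules the pf version marks "quick" (the RFC1918 and abuse blocks, the admin ssh rule) belong near the top of their chain, and everything else has to be checked for what it would now shadow.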

2. Re: firewall conversion

Guilherme Domingues de Oliveira
korvoman

(uses Debian)

Sent on 04/11/2010 - 09:10h

Good morning,
I've had a similar "dirty" task before. In my case it was iptables to mikrotik.
I used sed to replace the syntax, since there were many rules.
[]'s



3. Re: firewall conversion

Gilcimar Erthal
gil

(uses Debian)

Sent on 04/11/2010 - 10:36h

Hey... all good? Well, could you by any chance help me with sed? Honestly I don't even know where to start; as I said, my firewall knowledge is limited... it can be learned, sure, but the time for that is short, which is why I'd like to count on the community's help..

Gil


4. Re: firewall conversion

Guilherme Domingues de Oliveira
korvoman

(uses Debian)

Sent on 04/11/2010 - 21:44h

Look at how the pf firewall syntax works and convert part of it to iptables.

http://www.zago.eti.br/script/sed.html or Notepad =).
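Following korvoman's suggestion, here is an added example (not from the thread or from either poster) of what a first sed pass over the pf.conf can do mechanically: rewrite the macro lines into shell variables that an iptables script can source, and list every line that uses a pf feature (altq/queue, tag/tagged, user, anchor, scrub, antispoof, table, nat-to/rdr-to) with no direct iptables equivalent, so those get translated by hand instead of blindly substituted. The sample input is a constructed handful of lines copied from gil's config, with the ports still redacted as "xx" exactly as in the post.

```shell
#!/bin/sh
# Added example, not from the thread: a first mechanical sed pass over a pf.conf,
# as korvoman suggests, before translating the rules themselves by hand.

# Constructed sample: a few lines copied from gil's config (ports redacted as in the post).
sample_pf_conf() {
    cat <<'EOF'
ext_if="{ fxp0 }"
int_if="{ fxp1 }"
admin_matriz="{ 192.168.1.76, 192.168.1.77, 192.168.1.8 }"
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/26, 172.16.0.0/12 }
set block-policy drop
match in log all scrub (random-id min-ttl 254 max-mss 1452 reassemble tcp)
block log all
antispoof log for $ext_if inet
pass in log quick on $int_if proto tcp from $admin_matriz to $qmsvfw_int port xx flags S/SA keep state queue sis_int
pass out log on $ext_if tagged LAN_INET flags S/SA keep state queue internet_ext nat-to $ext_fw1
EOF
}

# 1) pf macros -> shell variables.  ext_if="{ fxp0 }" becomes ext_if="fxp0";
#    comma-separated lists become space-separated so a shell "for" can loop
#    over them. Reads pf.conf on stdin, prints only the rewritten macro lines.
pf_macros_to_sh() {
    sed -n -E \
        -e '/^[A-Za-z_][A-Za-z0-9_]*="\{.*\}"$/{' \
        -e 's/="\{ *(.*[^ ]) *\}"$/="\1"/' \
        -e 's/, */ /g' \
        -e 'p' \
        -e '}'
}

# 2) Lines that cannot be converted by substitution alone: ALTQ queues, tags,
#    per-user rules, anchors, scrub, antispoof, tables and the inline NAT/RDR
#    options. Prints them with their line numbers for manual review.
pf_manual_review() {
    grep -n -E '(^|[[:space:]])(altq|queue|tag|tagged|user|anchor|scrub|antispoof|table|nat-to|rdr-to)([[:space:]]|$)'
}

echo "# shell variables generated from pf macros"
sample_pf_conf | pf_macros_to_sh
echo
echo "# lines needing manual translation"
sample_pf_conf | pf_manual_review
```

Run against the real file with "pf_macros_to_sh < /etc/pf.conf" and "pf_manual_review < /etc/pf.conf". The review list is the useful part: in gil's config almost every pass rule carries a queue or a tag, so the bulk of the work is deciding which of those to drop (ALTQ has no iptables counterpart; tc handles shaping) and which to keep as fwmarks.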



5. hopefully..

irado furioso com tudo
irado

(uses XUbuntu)

Sent on 04/11/2010 - 21:59h

that you get totally screwed - lol - that is, if your boss agrees with this atrocity of moving from *BSDs/PF to that "thing".

When I had a "problem" like that I did the opposite: I learned one more tool. But of course, to each their own.

flames > /dev/null


6. Re: firewall conversion

Gilcimar Erthal
gil

(uses Debian)

Sent on 05/11/2010 - 08:18h

Thanks for replying korvoman, I'll study that. And irado, as I said, my knowledge is more in Linux (not that BSD is very different), but I'll look for a better way to maybe keep my firewall and learn BSD (the hard way).

Thanks!!
