[FUG-BR] Regras IPFW bloqueia o portupgrade

Mon, 20 Jul 2009 10:47:11 -0700 

Pessoal,

Alguem sabe o que esta acontecendo com essas regras que esta bloqueando
somente ALGUMAS atualizações do portupgrade já liberei as portas 20 e 21, 80
e só atualiza quando eu limpo a regras "ipfw -f flush".

#!/bin/sh

fwcmd="/sbin/ipfw -q"

oif="fxp0"
onet="189.XX.XX.XX"
omask="255.255.255.192"
oip="189.XX.XX.XX"
CAIS="200.144.121.33"

${fwcmd} -f flush

${fwcmd} add check-state

# Libera acesso via SSH porta 3456
${fwcmd} add pass tcp from any to ${oip} 3456 setup

# Libera ping
${fwcmd} add allow icmp from any to any via ${oif}
${fwcmd} add allow icmp from any to any

#Bloqueia IPs
${fwcmd} add deny ip from 89.149.221.182 to any
${fwcmd} add deny ip from any to 89.149.221.182


#Bloqueio de FingerPrint
${fwcmd} add deny tcp from any to any tcpflags fin,urg,psh in recv $oif
${fwcmd} add deny tcp from any to any tcpflags
!fin,!syn,!ack,!urg,!psh,!rst in recv $oif
${fwcmd} add deny tcp from any to any tcpflags syn,fin,rst,ack in recv $oif
${fwcmd} add deny tcp from any to any tcpflags fin,!syn,!rst,!ack in recv $oif
${fwcmd} add deny tcp from any to any tcpflags syn,fin,!rst,!ack in recv $oif
${fwcmd} add deny tcp from any to any tcpflags urg,!syn,!fin,!rst,!ack
in recv $oif

# Libera consulta DNS
${fwcmd} add allow udp from me 1024-65535 to any 53 out keep-state uid bind
${fwcmd} add pass tcp from any to any 53 setup
${fwcmd} add pass udp from any to any 53
${fwcmd} add pass udp from any 53 to any
${fwcmd} add pass tcp from any 53 to any
${fwcmd} add pass udp from any to any 53 keep-state
${fwcmd} add pass tcp from any to any 53 keep-state


#Libera porta 80 e 21 para o ports
${fwcmd} add pass tcp from any to any 80 keep-state
${fwcmd} add pass tcp from any to any 20 keep-state
${fwcmd} add pass tcp from any to any 21 keep-state

#Libera porta NTP
${fwcmd} add pass udp from ${onet}:${omask} to ${CAIS} 123 keep-state
${fwcmd} add pass udp from ${CAIS} 123 to ${onet}:${omask} keep-state

# Bloqueia IP spoofing
${fwcmd} add deny all from ${onet}:${omask} to any in via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
${fwcmd} add pass all from any to any frag

# Bloqueia pacotes com opcoes de Source Routing e Record
#Route do Cabecalho IP ativadas.
${fwcmd} add deny tcp from any to any ipoptions ssrr,lsrr,rr

#${fwcmd} add allow icmp from any to any in via ${oif} icmptype 0
#${fwcmd} add deny log icmp from any to any in via ${oif}
#${fwcmd} add allow icmp from any to any out via ${oif} icmptype 8
#${fwcmd} add deny log icmp from any to any out via ${oif}

#bloquear 5% dos pacotes de entrada, como se houvesse perda de pacotes
${fwcmd} add prob 0.05 deny in

#Qualquer outro trafego sera bloqueado e logado no arquivo de log
${fwcmd} add deny src-ip ${oip} via ${oif} keep-state

#Bloqueia Tudo
${fwcmd} add 65530 deny ip from any to any


Obrigada..
-------------------------
Histórico: http://www.fug.com.br/historico/html/freebsd/
Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd

Responder a