Gentlemen, I have never worked with IPFW and I am looking for some material on the net, but I wanted to share with those who are "intimate" with this firewall the best practices and how they work in full for 1 LAN and two WANs. Here is how my ruleset is shaping up, in case anyone wants to share:
Reminder: it is not in production yet.

#####################################################################
#                             FIREWALL                              #
#####################################################################
ipfw -q -f flush                # Delete all rules

#####################################################################
#                      ENVIRONMENT VARIABLES                        #
#####################################################################
wan_gvt="re2"                   # out interface (WAN 1)
wan_ebt="re0"                   # out interface (WAN 2)
lan_vva="re1"                   # in interface (LAN)
cmd="ipfw -q add "              # build rule prefix
ks="keep-state"                 # just too lazy to key this each time

#####################################################################
#                                                                   #
#####################################################################
# Note: these three rules match every packet on every interface, so
# no rule numbered after them is ever evaluated.
$cmd 00100 allow log ip from any to any via $lan_vva
$cmd 00101 allow log ip from any to any via $wan_gvt
$cmd 00102 allow log ip from any to any via $wan_ebt

#####################################################################
#   CHECK FOR PACKETS ON THE EXTERNAL NETWORK FROM RESERVED RANGES  #
#####################################################################
$cmd 00301 deny all from 172.16.0.0/12 to any in via $wan_ebt    # RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $wan_ebt       # RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $wan_ebt      # loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $wan_ebt        # "this network" (RFC 1122)
$cmd 00305 deny all from 169.254.0.0/16 to any in via $wan_ebt   # DHCP auto-config (link-local)
$cmd 00306 deny all from 192.0.2.0/24 to any in via $wan_ebt     # reserved for documentation
$cmd 00307 deny all from 204.152.64.0/23 to any in via $wan_ebt  # Sun cluster
$cmd 00308 deny all from 224.0.0.0/3 to any in via $wan_ebt      # Class D multicast and Class E reserved

#####################################################################
#                BLOCK PING ON THE EXTERNAL INTERFACE               #
#####################################################################
# ipfw address fields take IP addresses, networks or the keyword "me"
# (any address of this host); the original used the interface name
# $wan_ebt here, which is not a valid address specification.
$cmd 01000 deny icmp from any to me in via $wan_ebt icmptypes 8
$cmd 01010 check-state
$cmd 01020 allow icmp from me to any out via $wan_ebt icmptypes 8 $ks
$cmd 01030 deny icmp from any to any

--
-------------------------------
Bruno Torres Viana
We are all ignorant, only on different subjects. Don't be ignorant by choice!
-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
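A reordered and hardened version of the posted ruleset, written as an added example and not the author's script: the stateful check and the anti-spoofing filter come before any broad allow, the reserved-range list is applied to both WAN interfaces and gains 192.168.0.0/16, the router's own address is written as `me`, and only inbound echo-request is blocked so ICMP errors and PMTUD keep working. Interface names are taken from the post; `IPFW` defaults to `echo ipfw` so the script can be dry-run on any host, and NAT or policy routing for the two WANs is assumed to be handled elsewhere.

```sh
#!/bin/sh
# Hardened rewrite of the posted ruleset (added example, not the author's).
# IPFW defaults to "echo ipfw" for a dry run; use IPFW=ipfw as root on FreeBSD.
IPFW="${IPFW:-echo ipfw}"

wan_gvt="re2"     # WAN 1 (interface names as in the post)
wan_ebt="re0"     # WAN 2
lan_vva="re1"     # LAN
ks="keep-state"

rule() { $IPFW -q add "$@"; }

bogon_filter() {
    # Drop packets arriving on a WAN interface ($1) whose source address can
    # never legitimately come from the Internet. Rule numbers start at $2.
    n=$2
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 \
               0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/3; do
        rule "$n" deny ip from "$net" to any in via "$1"
        n=$((n + 1))
    done
}

load_ruleset() {
    $IPFW -q -f flush
    # 1. Stateful check first, so replies to allowed flows bypass the filters.
    rule 00100 check-state
    rule 00110 allow ip from any to any via lo0
    # 2. Anti-spoofing on BOTH WANs, before any broad allow (the post only
    #    covered one WAN and placed allow-all rules ahead of these).
    bogon_filter "$wan_ebt" 300
    bogon_filter "$wan_gvt" 320
    # 3. Refuse inbound echo-request on the WANs, but keep error/PMTUD ICMP
    #    (types 3, 4, 11) instead of the post's unconditional "deny icmp".
    rule 00400 deny icmp from any to me in via "$wan_ebt" icmptypes 8
    rule 00401 deny icmp from any to me in via "$wan_gvt" icmptypes 8
    rule 00410 allow icmp from any to any icmptypes 0,3,4,11
    # 4. LAN-originated and router-originated traffic creates state.
    rule 00500 allow ip from any to any in via "$lan_vva" $ks
    rule 00510 allow ip from me to any out $ks
    # 5. Everything else is logged and dropped.
    rule 65000 deny log ip from any to any
}

# Dry-run helper: line number at which a rule text first appears.
rule_number() { load_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1; }
```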