[TuTFirewall Freebsd Na Połączeniu Modemowym

[vckat]

Firewall dla serwera dedykowanego na połączeniu modemowym DSL VDSL NEOSTRADA

Interfejsy pokazane w n/w firewallu tun0 to wyjście na świat w moim przypadku vdsl, interfejs nfe0 to karta sieciowa wpięta w w sieć wewnętrzną gdyż serwer pełni rolę serwera proxy, smb i ftp w wewnętrznej sieci. (opcje które nie będą Wam potrzebne zachaszczowałem)

 

Firewall oparty jest o filtr pakietów z systeu OpenBSD, chcąc go używać musimy samodzielnie kompilować jądro freebsd

 

Konfiguracja i kompilacja kernela:

 

cd /usr/src/sys/i386/conf

cp GENERIC VIRTUALMT2

 

ee VIRTUALMT2

i dodjemy opcje pozwalające używać pf na freebsd

 

device pf

device pflog

device pfsync

options ALTQ

options ALTQ_CBQ

options ALTQ_RED

options ALTQ_RIO

options ALTQ_HFSC

options ALTQ_PRIQ

options ALTQ_NOPCC

 

zapisujemy i wychodzimy z edytora

 

config VIRTUALMT2

cd ../../compile/VIRTUALMT2

make depend && make install && make all

 

teraz czekamy zależnie od mocy maszyny jaka posiadamy, jeśli wszytko przebiegnie prawidłowo dajemy komendę reboot i cieszymy się własnym kernelem.

 

Po uruchomieniu się systemu z nowym kernelem, edytujemy /etc/rc.conf

i dodajemy tam:

 

pf_enable="YES"

pf_rules="/etc/pf.conf"

pflog_enable="YES"

pflog_logfile="/var/log/pflog"

 

zamykamy edytor i tworzymy plik w katalogu etc o nazwie pf.conf z zawartością

 

 

### options, normalization, queueing, translation, filtering

 

### new pf.conf virtualmt2

###

 

#### define macros

 

tcp_services = "{ 22, 80, 52000, 3306, 15001, 11002, 12001, 13000, \

13001, 13002, 13003, 13004, 13061, 13099, 14000, 14001,\

14002, 14003, 14004, 14061, 14099, 15000, 15001, 15002,\

15003, 15004, 15061, 15099 16000, 16001, 16002,\

16003, 16004, 16061, 16099, 17000, 17001, 17002, 17003,\

17004, 17061, 17099, 18000, 18001, 18002, 18003, 18004, \

18061, 18099, 19001, 19002, 19003, 19004, 19061, 19099}"

 

udp_services = "{ 3306, 52000, 15001, 11002, 12001, 13000, 13001, 13002, \

13003, 13004, 13061, 13099, 14000, 14001, 14002, 14003, \

14004, 14061, 14099, 15000, 15001, 15002 15003, 15004, \

15061, 15099 ,16000, 16001, 16002, 16003, 16004, \

16061, 16099, 17000, 17001, 17002, 17003, 17004, 17061, \

17099, 18000, 18001, 18002, 18003, 18004,\

18061, 18099, 19001, 19002, 19003, 19004, 19061, 19099 }" #

 

int_if = "nfe0"

ext_if = "tun0"

localnet = $int_if:network

icmp_types = "{ echoreq, unreach }"

 

table <blockedip> persist file "/etc/pf.block.ip.conf"

 

################ Options ##################################

# Timeout Options

 

set optimization aggressive

set timeout { frag 10, tcp.established 3600 }

set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }

set timeout { udp.first 30, udp.single 30, udp.multiple 30 }

set timeout { other.first 30, other.single 30, other.multiple 30 }

set timeout { adaptive.start 5000, adaptive.end 10000 }

 

# normalizacja datagramw.

scrub in all

#scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

 

# nat/rdr

nat on $ext_if from $int_if:network to any -> ($ext_if)

nat-anchor "ftp-proxy/*"

rdr-anchor "ftp-proxy/*"

 

#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

#pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state

 

 

 

 

#### translation: nat

#### NOTE: FreeBSD's firewall virtualmt2

####

#

#

# nat on $ext_if from $localnet to any -> ($ext_if)

# default: block all traffic

 

block all # block all traffic by default

 

 

#### antispoof and block non-routables

 

#antispoof quick for $ext_if # antispoof on external interface

#antispoof for $int_if # antispoof on internal interface - can't be quick b/c of bridge

#block drop in quick on $ext_if from $martians to any # block inbound traffic from non-routables

#block drop out quick on $ext_if from any to $martians # block outbound traffic destined to non-routables

 

#### filtering rules

 

pass out all # assume localhost is trusted, pass OUT all traffic

pass inet from { lo0, $localnet } to any # fwd traffic from localnets to anywhere

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services

pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services

pass out on $ext_if inet proto udp from any to ($ext_if) port $udp_services

pass in on $ext_if inet proto icmp all icmp-type $icmp_types

 

pass in on $ext_if proto tcp from any to ($ext_if) port ssh \

flags S/SA keep state \

(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

 

 

 

# block the ssh bruteforce bastards

#block drop in quick on $ext_if from <ssh-bruteforce>

block in log quick on $ext_if from <ssh-bruteforce> to any

block out log quick on $ext_if from any to <ssh-bruteforce>

 

 

block out quick on tun0 from any to x.x.x.xx

block in quick on tun0 from x.x.x.x to any

 

 

Zamykamy edytor i restartujemy maszynę komendą reboot.