nastaveni firewallu

[Jaroslav Votruba]

prosim o pomoc se sestavenim firewallu pro branu. Neco jsem spachal s 
pomoci webu a trochy svojich zkusennosti.
BSD funguje jako brana pro vnitrni sit, bezi na nem posta ,samba a web a 
vse musi byt dostupne jak zevnitr , tak i zvenci.
Jde mi spise o to, jestli jsem neprehodil nejake pravidlo, pripadne 
jestli neco nejde napsat jednoduseji.
Dan bude urcite propagovat prednastavene reseni, ja bych si to stejne 
radsi sesmolil sam


#vycisteni pravidel
#ipfw -f flush

#znovunacteni pravidel
#sh  /etc/rc.firewall.rules

#bezpecny zavedeni IPFW
#ipfw -f flush && ipfw add 61000 allow all from any to any



fwcmd="ipfw -q add"

#zde nastavte venkovni rozhrani a masku .   
oif="xl0"    #sitovka
omask="255.255.255.252"    #maska
oip="89.31.47.158"    #ip adresa sitovky


#zde nastavte vnitrni rozhrani a masku .   
iif="re0"    #sitovka
inet="192.168.0.0"    #sit
imask="255.255.255.0"    #maska
iip="192.168.0.1"    #ip adresa sitovky


#zde nastavte VPN rozhrani a masku .   
vif="tap0"    #sitovka
vnet="10.0.1.0"    #sit
vmask="255.255.255.0"    #maska
vip="10.0.1.1"    #ip adresa sitovky



# Stop spoofing.
${fwcmd} 10 deny all from ${inet}:${imask} to any in via ${oif}
 

# Stop RFC1918 nets on the outside interface.
${fwcmd} 30 deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} 40 deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} 50 deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface.
${fwcmd} 60 deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} 70 deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} 80 deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} 90 deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} 100 deny all from any to 240.0.0.0/4 via ${oif}

#povoleni NATu (maskarady)
${fwcmd} 110 divert natd ip from any to any via xl0

# Povoleni ftp a ssh
${fwcmd} 200 allow tcp from any to any 21  # ftp
${fwcmd} 210 allow tcp from any to any 22  # ssh

#nastaveni emailu

#povoleni odesilani mailu na danou IP
${fwcmd} 300 allow tcp from 192.168.0.200 to mail.keytec.cz 25 out via 
${oif} 
#zablokovani odesilani mailu na cizi smtp - pri zavirovani stanice hrozi 
umistneni na 
blacklisty                                                         
${fwcmd} 310 deny  tcp from ${inet}:${imask} not to me 25
# smtp
${fwcmd} 320 allow tcp from any to any 25 in
# imap
${fwcmd} 330 allow tcp from any to any 143  
# imaps
${fwcmd} 340 allow tcp from any to any 993
# pop3
${fwcmd} 350 allow tcp from any to any 110 
# pop3s
${fwcmd} 360 allow tcp from any to any 995

#povolení dotazu na dns
${fwcmd} 400 allow  from any to any 53
#povolení dotazu na casove servery
${fwcmd} 410 allow udp from any to any 123


#povoleni webu
# http
${fwcmd} 500 allow tcp from any to any 80
# https
${fwcmd} 510 allow tcp from any to any 443


#pro openvpn
${fwcmd} 600 allow all from any to any 1194 via ${vif}


# Allow TCP through if setup succeeded.
${fwcmd} 700 allow tcp from any to any established
# Allow IP fragments to pass through.
${fwcmd} 710 allow all from any to any frag


#pro sambu
#NETBIOS Name Service :137/udp, NETBIOS Datagram Service :138/udp
#NETBIOS Session Service:139/tcp, Microsoft-DS:445/tcp

${fwcmd} 800 allow udp from any to any 137 via ${iif}
${fwcmd} 810 allow udp from any to any 138 via ${iif}
${fwcmd} 820 allow tcp from any to any 139 via ${iif}
${fwcmd} 830 allow udp from any to any 445 via ${iif}


# zahazuj prichozi auth, netbios, ldap, a Microsoft's DB protocol bez 
logovani
${fwcmd} 840 reset tcp from any to ${oip} 113 setup in via ${oif}
${fwcmd} 850 reset tcp from any to ${oip} 139 setup in via ${oif}
${fwcmd} 860 reset tcp from any to ${oip} 389 setup in via ${oif}
${fwcmd} 870 reset tcp from any to ${oip} 445 setup in via ${oif}

# blokuj podvodne UDP broadcast protocols bez logovani
${fwcmd} 900 deny udp from any 137 to any in via ${oif}
${fwcmd} 910 deny udp from any to any 137 in via ${oif}
${fwcmd} 920 deny udp from any 138 to any in via ${oif}
${fwcmd} 930 deny udp from any 513 to any in via ${oif}
${fwcmd} 940 deny udp from any 525 to any in via ${oif}



# Allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
${fwcmd} 950 allow icmp from any to any in via ${oif} icmptypes 0,3,4,8,11


# priklad nastaveni slusnych lidi-
#goodguys="{ 192.168.0.0/24{20,35,66,18} or 10.2.3.0/28{6,3,11} }"
#${fwcmd} 10000 allow all from ${goodguys} to any in via ${oif}

#hajzlici
#badguys="{ 192.168.0.0/24{11,105,111,113,114,119,121,125,144,203,222 } }"




#otevri vse ostatni a loguj
#pri problemech zkus odkomentovat nasledujici radek, pripadne jej 
nakopiruj dopredu s cislem pravidla 1
#${fwcmd} 60000 alow log all from any to any

# vse ostatni je blokovane a logovane
${fwcmd} 60001 deny log all from any to any




#DUMMYNET
# Pajpy zakladani rour
#pipe 10 config bw 128Kbps queue 32Kbytes
#pipe 11 config bw 256Kbps queue 64Kbytes
#pipe 12 config bw 512Kbps queue 128Kbytes
#pipe 13 config bw 768Kbps queue 192Kbytes

#nasmerovani provozu do half duplex roury
#add 1000 set 10 pipe 10 ip from any to 192.168.6.0/24
#add 1001 set 10 pipe 10 ip from 192.168.6.0/24 to any

# Vysoka priority fronta - pouze zalozeni
#queue 1 config pipe 10 weight 90

# Nizka priorita fronta (procentech) -pouze zalozeni
#queue 2 config pipe 10 weight 10

# nasmerovani paketu do fronty cislo 1
#add 1000 queue 1 ip from 192.168.100.50 to any
#add 1010 queue 1 ip from any to 192.168.100.50