Rodolfo, see if this script helps you... I wrote it a while ago; it is just an example that separates the flows. If something goes wrong or does not work, check the logs.
[]´s JP

#!/bin/sh
# Firewall rules (ipfw - IP firewall and traffic shaper control program)
# Written by Joao Paulo Marques Mattos ([EMAIL PROTECTED])
# Date: 27/12/2002
#
#
# For this script to work, its location must be given in "/etc/rc.conf":
# look for:                    firewall_enable="YES"
# and insert on the next line: firewall_script="/etc/firewall/fwrules"

# Define the firewall command (same as /etc/rc.firewall) to simplify
# references. Makes the rules easier to read.
fwcmd="/sbin/ipfw"

# Define the external interface and its IP
exteth="rl1"
extIP="200.0.0.139/32"

# Define the internal interface
inteth="rl0"

# Force removal of the current rules before loading
$fwcmd -f flush

# dummynet: set up the pipes and their bandwidth
#$fwcmd pipe 10 config mask src-ip 0x000000ff bw 64kbit/s queue 6Kbytes
#$fwcmd pipe 11 config mask dst-ip 0x000000ff bw 64kbit/s queue 6Kbytes

# Check all incoming traffic on the external interface...
# if it is incoming there, jump to rule 50000
##################################################################################
$fwcmd add skipto 50000 all from any to me in recv $exteth
##################################################################################
# Filter and check all outgoing traffic and (through dynamic rules)
# all incoming traffic
##################################################################################
# allowed through NAT
$fwcmd add skipto 40000 tcp from 192.168.1.10 to any keep-state out xmit $exteth

# ICMP in general
$fwcmd add skipto 40000 icmp from any to any icmptypes 0,3,8,11
##################################################################################
# allow all trusted connections - internal interface
##################################################################################
# localhost
$fwcmd add allow ip from any to any via lo0

# dummynet for squid
#$fwcmd add pipe 10 log all from 192.168.1.10 to me 3128 out via $exteth
#$fwcmd add pipe 11 log all from me 3128 to 192.168.1.10 in via $exteth

# allowed only for the internal interface
$fwcmd add allow tcp from any to any out xmit $exteth setup
$fwcmd add allow udp from any to any out xmit $exteth

# once a connection has been established, allow it to stay open
$fwcmd add allow tcp from any to any via $exteth established

# Allow and log the rest of the internal interface traffic
$fwcmd add allow log ip from any to any via $inteth
$fwcmd add allow udp from any 53 to any in via $exteth

# To make sure nothing that is not allowed gets through
$fwcmd add deny log ip from any to any
##################################################################################
# Only two kinds of packets reach these rules:
# 1) Any outgoing packet that got the keep-state flag
# 2) Any incoming packet that matches a dynamic rule
##################################################################################
# NAT
$fwcmd add 40000 divert natd all from any to any out xmit $exteth

# dummynet (disabled: it requires the "pipe 11 config" line above to be
# uncommented; a packet sent to a pipe that is not configured is dropped)
#$fwcmd add pipe 11 log all from any 80 to 192.168.1.10 in via $exteth

# Internal interface
$fwcmd add allow ip from any to any via $inteth

# connections started by the server
$fwcmd add allow tcp from any to any out xmit $exteth setup
$fwcmd add allow udp from any to any out xmit $exteth

# once a connection has been established, allow it to stay open
$fwcmd add allow tcp from any to any via $exteth established

# ICMP (so that ping and traceroute work)
$fwcmd add allow icmp from any to any

# DNS
$fwcmd add allow udp from any 53 to any 1024-65535 in via $exteth

# Allow everything else, with logging for debugging
$fwcmd add allow log all from any to any

# To make sure nothing that is not allowed gets through
$fwcmd add deny log all from any to any
##################################################################################
# Only incoming traffic reaches these rules. We need to define
# what we want to accept or not. The check-state rule will
# fire the dynamic rule and jump to 40000
##################################################################################
$fwcmd add 50000 divert natd all from any to any in recv $exteth
$fwcmd add check-state

# connections started by the server
$fwcmd add allow tcp from any to any out xmit $exteth setup
$fwcmd add allow udp from any to any out xmit $exteth

# once a connection has been established, allow it to stay open
$fwcmd add allow tcp from any to any via $exteth established

# UDP - DNS
$fwcmd add allow udp from any 53 to any in
$fwcmd add allow udp from any to any 53 in

# ICMP (so that ping and traceroute work)
$fwcmd add allow icmp from any to any

# reject the rest
$fwcmd add deny log all from any to any

-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
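The script above depends on three things to keep its flow sound: every `skipto` jumps to a rule number that actually exists, a `check-state` rule is present so the `keep-state` dynamic rules are consulted for incoming packets, and the last rule is an explicit deny. The following sanity checker is an added example, not code from the original post; it reads the `$fwcmd add ...` lines of such a script and verifies those three points before the rules are loaded, so it needs no ipfw binary. The function names (`missing_skipto_targets`, `has_check_state`, `ends_with_deny`, `check_ruleset`) and the two embedded rule sets are constructed for this example; the second rule set deliberately omits the `add 50000` block to show how a dangling jump is reported.

```shell
#!/bin/sh
# Added example, not part of the original post: a static sanity check for an
# ipfw script built on skipto/check-state flow, run before the script is loaded.
# It needs no ipfw binary; it only reads the "$fwcmd add ..." lines.

# Constructed sample: a trimmed copy of the flow used in the post (rl1 external).
SAMPLE_RULES='
$fwcmd add skipto 50000 all from any to me in recv rl1
$fwcmd add skipto 40000 tcp from 192.168.1.10 to any keep-state out xmit rl1
$fwcmd add allow ip from any to any via lo0
$fwcmd add deny log ip from any to any
$fwcmd add 40000 divert natd all from any to any out xmit rl1
$fwcmd add allow log all from any to any
$fwcmd add deny log all from any to any
$fwcmd add 50000 divert natd all from any to any in recv rl1
$fwcmd add check-state
$fwcmd add deny log all from any to any
'

# Constructed broken sample: the "add 50000" block is missing, so incoming
# traffic on rl1 jumps to a rule number that no rule carries, there is no
# check-state rule, and the script ends with an allow instead of a deny.
BROKEN_RULES='
$fwcmd add skipto 50000 all from any to me in recv rl1
$fwcmd add skipto 40000 tcp from 192.168.1.10 to any keep-state out xmit rl1
$fwcmd add deny log ip from any to any
$fwcmd add 40000 divert natd all from any to any out xmit rl1
$fwcmd add allow log all from any to any
'

# Print every skipto target that has no explicitly numbered "add N" rule.
# Empty output means every jump lands on a rule that exists.
missing_skipto_targets() {
    printf '%s\n' "$1" | awk '
        $2 == "add" && $3 == "skipto"   { want[$4] = 1 }
        $2 == "add" && $3 ~ /^[0-9]+$/  { have[$3] = 1 }
        END { for (n in want) if (!(n in have)) print n }'
}

# Succeed if at least one check-state rule is present; without it the
# keep-state dynamic rules are never consulted for incoming packets.
has_check_state() {
    printf '%s\n' "$1" | grep -q '^\$fwcmd add check-state'
}

# Succeed if the last rule in the script is an explicit deny, so that
# anything not matched earlier is dropped (and logged) rather than passed.
ends_with_deny() {
    printf '%s\n' "$1" | grep '^\$fwcmd add ' | tail -n 1 | grep -q '^\$fwcmd add deny'
}

# Run all three checks; print the findings and return 0 only if all pass.
check_ruleset() {
    rc=0
    missing=$(missing_skipto_targets "$1")
    if [ -n "$missing" ]; then
        echo "skipto targets with no numbered rule: $missing"
        rc=1
    fi
    has_check_state "$1" || { echo "no check-state rule found"; rc=1; }
    ends_with_deny "$1"  || { echo "last rule is not a deny"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ruleset flow looks consistent"
    return "$rc"
}

echo "--- sample ruleset"
check_ruleset "$SAMPLE_RULES"
echo "--- broken ruleset"
check_ruleset "$BROKEN_RULES" || true
```

To check a real script, replace the embedded strings with `check_ruleset "$(cat /etc/firewall/fwrules)"`; the checker only looks at lines that begin with `$fwcmd add`, so commented-out rules (such as the dummynet lines) are ignored just as ipfw would ignore them.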