## Check State
# Stateful section. check-state looks the packet up in the dynamic rule table
# that the keep-state rules below populate; a packet that matches a dynamic
# entry is accepted right here and never reaches the later rules.
${fwcmd} add check-state
# Outbound TCP originated from the link address: "setup" matches only the
# connection-opening SYN, and keep-state records the flow so its replies are
# admitted by check-state.
# NOTE(mail wrap): in the quoted copy "keep-state" had wrapped onto a line of
# its own, where the shell would try to run it as a command; rejoined here.
${fwcmd} add allow tcp from ${linkip} to any out via ${linkint} setup keep-state
# Outbound anything, from any source, through the interface holding
# ${linkip} ("via" selects by address here, by name in the rule above).
# NOTE(review): "from any" is broader than the rule above - it also covers
# traffic this host forwards, not only what it originates. The author's own
# note on this line was "try removing this one and test".
${fwcmd} add allow all from any to any out via ${linkip} keep-state
# Disabled in the original: a stateless deny of inbound TCP to the link
# address carrying the ACK/RST ("established") flags.
####${fwcmd} add deny tcp from any to ${linkip} established
############## SSH
# Inbound SSH on fxp0, accepted only from ${fastlane}. This rule has neither
# "setup" nor keep-state, so it matches mid-connection segments too; the reply
# path is the outbound "allow all ... out" rule above (or the "established"
# rule that follows this snippet).
${fwcmd} add allow tcp from ${fastlane} to ${linkip} 22 in via fxp0
## Allow any packet of an already-established TCP connection ####
# NOTE(review): "established" is a stateless match on the ACK/RST flag bits,
# not a lookup in the dynamic table, so any inbound TCP segment carrying those
# flags passes regardless of whether a flow was ever recorded. With
# check-state/keep-state in place it mostly widens what is admitted; the
# commented-out deny above and this allow are the two rules the reply below
# calls contradictory.
${fwcmd} add allow tcp from any to any established

Você tem 2 regras que se contradizem: uma que nega as conexões já pré-estabelecidas e outra que libera; não vejo o porquê disto.
Um exemplo que eu uso em um cliente:
# Dynamic-rule lookup first: packets that belong to a flow recorded by a
# keep-state rule are accepted here and skip everything below.
$IPFW add check-state
#ICMP
# NOTE(review): the mailing-list copy ran these commands onto the comment
# lines; they are split back to one command per line here.
# Only destination-unreachable (3), source-quench (4), echo-request (8) and
# time-exceeded (11) are allowed; every other ICMP type is dropped by the
# next rule. keep-state on a deny appears to create dynamic entries for the
# blocked flow as well - probably unintended, verify.
$IPFW add allow icmp from any to any icmptypes 3,4,8,11 keep-state
$IPFW add deny icmp from any to any keep-state
# NTP
# NOTE(review): this rule and the DNS rules key on the *source* port
# (123 / 53), which the sending host chooses; they are bounded only by the
# fixed source address, so any UDP from that address using that source port
# matches, whatever the destination.
$IPFW add allow udp from 200.144.121.33 123 to any 123 keep-state
# DNS
$IPFW add allow udp from 192.168.1.97 53 to any keep-state
$IPFW add allow udp from 200.203.191.8 53 to any keep-state
$IPFW add allow udp from 200.193.136.60 53 to any keep-state
################################################################
#
# external network protections
# Inbound on ed1 (external): only SSH (22) and HTTP (80) connection setups
# to 192.168.200.1 are accepted; any other TCP to a privileged port is
# dropped and logged.
# NOTE(review): SSH is reachable from any source address here; limiting the
# source would cut exposure. keep-state on the deny rules appears to create
# dynamic entries for blocked flows as well - probably unintended, verify.
$IPFW add allow tcp from any to 192.168.200.1 22,80 in via ed1 setup keep-state
$IPFW add deny log tcp from any to 192.168.200.1 0-1023 in via ed1 keep-state
# UDP: DNS (53) and NTP (123) to the host are allowed; other privileged
# ports are dropped and logged.
$IPFW add allow udp from any to 192.168.200.1 53,123 in via ed1 keep-state
$IPFW add deny log udp from any to 192.168.200.1 0-1023 in via ed1 keep-state
# Port range 48000-55000 opened for both TCP and UDP - presumably for a
# service with a fixed passive/data port range; confirm what listens there.
# Unlike the 22,80 rule, the TCP rule has no "setup", so it also matches
# segments that are not connection openings.
$IPFW add allow tcp from any to 192.168.200.1 48000-55000 in via ed1 keep-state
$IPFW add allow udp from any to 192.168.200.1 48000-55000 in via ed1 keep-state
# Everything leaving via ed1 is allowed and tracked so replies pass
# check-state.
$IPFW add allow ip from any to any out via ed1 keep-state
#
#############################################################
############################################################
#
# internal network
# deny direct access from the external network to the internal network
# Anything arriving on ed0 (the inside interface, per the rules further
# down) whose source address is outside 192.168.1.96/27 is dropped and
# logged - in effect an anti-spoofing check on the inside interface.
# NOTE(review): the author's comment talks about external-to-internal
# access, but what this rule keys on is the source address seen on ed0;
# confirm that is the intended reading.
$IPFW add deny log ip from not 192.168.1.96/27 to any in via ed0 keep-state
############################################
# Full-duplex host: 192.168.1.100 gets its own 100 Mbit/s pipe in each
# direction, with a count rule in front of each pipe for accounting.
# NOTE(review): the mailing-list copy ran several commands onto one line;
# split back to one command per line here.
# NOTE(review): a packet handed to a pipe is, with the default
# net.inet.ip.fw.one_pass=1, not re-evaluated by the rules that follow it.
# If that sysctl is at its default here, these pipe rules are also the
# effective "allow" for this host and for 192.168.1.96/27 below, and the
# allow/deny rules further down never see that traffic - confirm on the box.
$IPFW add count all from any to 192.168.1.100/32
$IPFW add pipe 7 all from any to 192.168.1.100/32
$IPFW add count all from 192.168.1.100/32 to any
$IPFW add pipe 8 all from 192.168.1.100/32 to any
$IPFW pipe 7 config bw 100Mbit/s
$IPFW pipe 8 config bw 100Mbit/s
##########################################
# Traffic shaper for network 192.168.1.96/27
# mask ... 0x000000ff: one dynamic queue per distinct last address byte,
# each limited to 10 Mbit/s with an 8 Kbyte queue.
# NOTE(review): pipe 13 carries traffic *from* the LAN but is masked on
# dst-ip, and pipe 14 (traffic *to* the LAN) on src-ip, so the queues are
# keyed on the remote end's address byte, not on the LAN host. If the intent
# is a per-LAN-host limit the two masks look swapped; verify.
$IPFW add count all from 192.168.1.96/27 to any
$IPFW add pipe 13 all from 192.168.1.96/27 to any
$IPFW add count all from any to 192.168.1.96/27
$IPFW add pipe 14 all from any to 192.168.1.96/27
$IPFW pipe 13 config mask dst-ip 0x000000ff bw 10Mbit/s queue 8Kbytes
$IPFW pipe 14 config mask src-ip 0x000000ff bw 10Mbit/s queue 8Kbytes
# LAN hosts (192.168.1.96/27) may open TCP connections and send UDP in on
# ed0; state is kept so the replies pass check-state.
# NOTE(review): the mailing-list copy ran several commands onto one line;
# split back to one command per line here.
$IPFW add allow tcp from 192.168.1.96/27 to any in via ed0 setup keep-state
$IPFW add allow udp from 192.168.1.96/27 to any in via ed0 keep-state
# LAN-sourced traffic leaving *through* ed0. That covers what the firewall
# itself sends to the LAN if its ed0 address lies in that /27 (192.168.1.97
# in the DNS rule above looks like a candidate) - confirm this is what was
# intended.
$IPFW add allow all from 192.168.1.96/27 to any out via ed0 keep-state
# Disabled in the original:
#$IPFW add allow all from any to 192.168.1.96/27 out via ed0 keep-state
#$IPFW add allow all from 192.168.1.96/27 to any in via ed0 keep-state
#
############################################################
############################################################
# deny everything
# Explicit, logged default-deny at fixed rule numbers just below the
# built-in 65535 default rule; the allow-all alternative at 65435 is kept
# commented out. keep-state on these denies appears to create dynamic
# entries for every blocked flow - probably unintended, verify.
#$IPFW add 65435 allow all from any to any keep-state
$IPFW add 65433 deny log tcp from any to any keep-state
$IPFW add 65434 deny log udp from any to any keep-state
$IPFW add 65435 deny log all from any to any keep-state
# Reset the packet/byte counters of the default rule.
$IPFW zero 65535
-- -=-=-=-=-=-=-=-=-=-
William David Armstrong .Administrator Bio Systems Security.
http://biohazard.kicks-ass.org:8080/ bio (at) bsd-unix.com.br bio_wolf (at) yahoo.com ICQ 102537476 ICQ 27550645
