jajajaja i think the same. grrr

2009/5/4 Marco Peereboom <sl...@peereboom.us>:
> MY EYES!!! make it stop bleeding!!!
>
> On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
>> Hi,
>>
>> I have a firewall running on Fedora Core 4 (Stentz) with iptables. The
>> guy who installed it left our company some months ago.
>> I spent some years away from iptables, and now I have to migrate this firewall
>> to PF.
>> There are some 'special' features on this firewall; I need some documentation
>> or help on implementing these features on the new firewall (PF).
>>
>> These are the iptables scripts:
>>
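>> #!/bin/bash
>> # Main firewall script: sets the tool paths, then sources the helper files
>> # under /etc/rc.d/init.d/prodata/ in order - kernel modules, variables,
>> # optional kernel hardening, optional logging policy.
>> FW=/sbin/iptables
>> LOAD=/sbin/modprobe
>>
>> #__________________________________________________________________________
>>
>> # Load the iptables kernel modules (the file uses $LOAD from above)
>> . /etc/rc.d/init.d/prodata/fw_modulos
>>
>> # Load the variables ($KERNEL, $LOGS, $IPSEC are presumably set here)
>> . /etc/rc.d/init.d/prodata/fw_variaveis
>>
>> # Quoted: with an unset or empty $KERNEL the unquoted test used to be a
>> # syntax error, and since nothing sets -e the script simply carried on
>> # without the kernel hardening. Now an empty value just reads as "not sim".
>> if [ "$KERNEL" = "sim" ]
>>    then . /etc/rc.d/init.d/prodata/fw_kernel
>> fi
>>
>>
>> #___________________________________________________________________________
>> # Create the LOG policies (same quoting rationale as above)
>> #___________________________________________________________________________
>>
>> if [ "$LOGS" = "sim" ]
>>    then . /etc/rc.d/init.d/prodata/fw_politicas
>> fi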
>>
>> Normal rules here
>> #################################################################### EOF
>>
>>
>>
>> /etc/rc.d/init.d/prodata/fw_modulos
>> # fw_modulos: probe the netfilter kernel modules with $LOAD (set by the
>> # caller). Modules are loaded one at a time in the order listed; the names
>> # mentioned as "disabled" were commented out in the original and are not
>> # loaded.
>>
>> # Connection tracking (nfnetlink and the pptp/netlink/tftp helpers disabled)
>> for mod in ip_conntrack ip_conntrack_ftp; do
>>    $LOAD $mod
>> done
>>
>> # NAT helper, GRE, userspace queue and the core table module
>> # (ip_nat itself and the pptp/tftp NAT helpers disabled)
>> for mod in ip_nat_ftp ip_gre ip_queue ip_tables; do
>>    $LOAD $mod
>> done
>>
>> # Tables
>> for mod in iptable_filter iptable_nat iptable_mangle; do
>>    $LOAD $mod
>> done
>>
>> # Match and target extensions (ipt_layer7 and ipt_string disabled)
>> for mod in ipt_helper ipt_LOG ipt_limit ipt_state ipt_MASQUERADE ipt_multiport ipt_tcpmss ipt_TCPMSS; do
>>    $LOAD $mod
>> done
>> ######################################################### EOF
>>
>>
>> /etc/rc.d/init.d/prodata/fw_kernel
>>
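>> #___________________________________________________________________________
>> # KERNEL protection - sysctl hardening written directly to /proc
>> #___________________________________________________________________________
>> #Enable forwarding in kernel
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> #Disabling IP Spoofing attacks.
>> # Reverse-path filtering is turned off when IPsec is in use (presumably
>> # because tunnelled traffic fails the source check) and enabled otherwise.
>> # "$IPSEC" and "$f" are quoted so an unset variable falls through to the
>> # hardening branch instead of producing a test error.
>> # NOTE(review): the value 2 ("loose" mode) is only distinct from 1 on
>> # kernels that know the tri-state setting; older kernels treat any non-zero
>> # value as strict - confirm on the target kernel.
>> if [ "$IPSEC" = "sim" ]
>>    then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"
>>    done
>> else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > "$f"
>>    done
>> fi
>>
>> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
>> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>>
>> #Block source routing
>> # Fixed: the original wrote 1 here, which *accepts* source-routed packets;
>> # 0 is the value that actually matches the comment above.
>> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>>
>> #Kill timestamps
>> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
>>
>> #Enable SYN Cookies
>> # NOTE(review): the line below is commented out, so SYN cookies are NOT
>> # enabled by this file despite the heading - confirm whether that is intended.
>> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>>
>> #Kill redirects
>> # Fixed: the original wrote 1 here, which *accepts* ICMP redirects;
>> # 0 is the value that actually matches the comment above.
>> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>>
>> #Enable bad error message protection
>> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>>
>> #Log martians (packets with impossible addresses)
>> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>>
>> #Set our local port range
>> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
>>
>> #Reduce DoS'ing ability by reducing timeouts
>> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
>> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
>> # NOTE(review): turning off window scaling and SACK is a throughput
>> # trade-off rather than a DoS mitigation - confirm it is still wanted.
>> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>> echo 0 > /proc/sys/net/ipv4/tcp_sack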
>> ################################################################### EOF
>>
>>
>>
>> /etc/rc.d/init.d/prodata/fw_politicas
>>
#___________________________________________________________________________
>> # LOG - Politica de Negacao de frames
>>
#___________________________________________________________________________
>>
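>> # Rate limits shared by the LOG rules below (iptables "limit" match syntax)
>> LOGLIMIT="2/s"
>> LOGLIMITBURST="10"
>> # Overall Limit for TCP-SYN-Flood detection
>> TCPSYNLIMIT="5/s"
>> # Burst Limit for TCP-SYN-Flood detection
>> TCPSYNLIMITBURST="10"
>> # Overall Limit for Ping-Flood-Detection
>> PINGLIMIT="5/s"
>> # Burst Limit for Ping-Flood-Detection
>> PINGLIMITBURST="1"
>>
>> # LOG_DROP: log the frame (rate-limited, one prefix per protocol) and drop it.
>> $FW -N LOG_DROP
>> $FW -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
>> $FW -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
>> $FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
>> # protocol 47 is GRE (used by the VPN)
>> $FW -A LOG_DROP -p 47 -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=VPN:4 a=DROP "
>> $FW -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:5 a=DROP "
>> # Fixed: this LOG rule had no limit match, so a burst of NEW-but-not-SYN
>> # segments could flood the log; it now shares the budget of the rules above.
>> $FW -A LOG_DROP -p tcp ! --syn -m state --state NEW -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=NEW nao SYN: "
>> $FW -A LOG_DROP -j DROP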
>>
>>
#___________________________________________________________________________
>> # LOG - Politica de Liberacao de frames
>>
#___________________________________________________________________________
>>
>> $FW -N LOG_OK
>> $FW -A LOG_OK  -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j
LOG
>> --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT "
>> $FW -A LOG_OK -j ACCEPT
>>
>>
#___________________________________________________________________________
>> # LOG - Politica de Negacao TCP-SYN-Flood
>>
#___________________________________________________________________________
>>
>> $FW -N LSYNFLOOD
>> $FW -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST
-j
>> LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
>> $FW -A LSYNFLOOD -j DROP
>>
>>
#___________________________________________________________________________
>> # TCP - Politica para Aceitar conexoes TCP verificando SYN-Floods
>>
#___________________________________________________________________________
>>
>> $FW -N TCPACCEPT
>> $FW -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst
>> $TCPSYNLIMITBURST -j ACCEPT
>> $FW -A TCPACCEPT -p tcp -m state --state ESTABLISHED,RELATED --syn -m
limit
>> --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
>> $FW -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
>> $FW -A TCPACCEPT -p tcp ! --syn -j ACCEPT
>>
>>
#___________________________________________________________________________
>> # SMB - Rejeita frames SMB (Netbios)
>>
#___________________________________________________________________________
>>
>> # SMB: drop NetBIOS/SMB traffic (tcp and udp, ports 137-139 and 445), matched
>> # first by destination port and then by source port. The loop order
>> # reproduces the original rule order exactly: tcp dports, udp dports,
>> # tcp sports, udp sports.
>> $FW --new-chain SMB
>> for dir in dport sport; do
>>    for proto in tcp udp; do
>>       for port in 137 138 139 445; do
>>          $FW --append SMB --protocol $proto --$dir $port --jump DROP
>>       done
>>    done
>> done
>>
>>
>>
#___________________________________________________________________________
>> # ICMP/TRACEROUTE (IN)
>>
#___________________________________________________________________________
>>
>> #Logging of possible Ping-Floods
>>
>> $FW -N LPINGFLOOD
>> $FW -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST
-j
>> LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
>> $FW -A LPINGFLOOD -j DROP
>>
>>
#___________________________________________________________________________
>>
>> # ICMPINBOUND: rate-limit echo-requests, log-and-drop the ICMP types that
>> # are abused for redirection or fingerprinting, accept everything else.
>> $FW --new-chain ICMPINBOUND
>>
>> #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
>> $FW --append ICMPINBOUND --protocol icmp --icmp-type echo-request --match limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST --jump ACCEPT
>> $FW --append ICMPINBOUND --protocol icmp --icmp-type echo-request --jump LPINGFLOOD
>>
>> # Logged and dropped, in this order: redirects and timestamp queries (should
>> # already be covered by the sysctl settings when those are enabled) and
>> # address-mask queries (can help prevent OS fingerprinting).
>> for t in redirect timestamp-request timestamp-reply address-mask-request address-mask-reply; do
>>    $FW --append ICMPINBOUND --protocol icmp --icmp-type $t --jump LOG_DROP
>> done
>>
>> #Allow all other ICMP in
>> $FW --append ICMPINBOUND --protocol icmp --jump ACCEPT
>>
>>
>>
#___________________________________________________________________________
>> # ICMP/TRACEROUTE (OUT)
>>
#___________________________________________________________________________
>>
>>
>> # ICMPOUTBOUND: log-and-drop outgoing ICMP types that leak information or
>> # are abused (redirects, TTL-expired - also what MS tracert relies on, since
>> # it uses ICMP instead of UDP -, parameter-problem, timestamp and
>> # address-mask queries), then accept all other outgoing ICMP.
>> $FW --new-chain ICMPOUTBOUND
>>
>> # Same order as the original rule list
>> for t in redirect ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem timestamp-request timestamp-reply address-mask-request address-mask-reply; do
>>    $FW --append ICMPOUTBOUND --protocol icmp --icmp-type $t --jump LOG_DROP
>> done
>>
>> ##Accept all other ICMP going out
>> $FW --append ICMPOUTBOUND --protocol icmp --jump ACCEPT
>>
>>
>>
#___________________________________________________________________________
>> # PING Server - Libera ICMP
>>
#___________________________________________________________________________
>>
>> $FW -N icmp_packets
>> $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
>> $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>>
>>
#___________________________________________________________________________
>> # PING Client - Libera ICMP
>>
#___________________________________________________________________________
>>
>> $FW -N icmp_ping
>> $FW -A icmp_ping -p ICMP --icmp-type 8 -j ACCEPT
>> $FW -A icmp_ping -p ICMP --icmp-type 11 -j ACCEPT
