Here is a bit of advertising for pf,
a generic config for fairly robust firewalling:
Code:
# File /etc/pf.conf
# RuleSet made by spybsd
# Updated 08-09-2004
# Please send me your comment : spybsd@free.Fr
# macros
int_if = "xl1"
ext_if = "xl0"
dmz_if = "xl2"
lan_net = "something"
dmz_net = "something"
taf_net = "something"

tcp_services = "{ 22 }"
icmp_types = "echoreq"
dmz_services = "{ 25, 53 , 80 }"

# table containing all IP addresses assigned to the firewall
table <firewall> const { self }
table <trusted> { 10.0.10.0/24, 192.168.1.100 }
table <NoRoute> { 127.0.0.1/8, 172.16.0.0/12, 192.168.0.0/16, !$lan_net, !$dmz_net, 10.0.0.0/8, 255.255.255.255/32 }


# options
#set block-policy return
set loginterface $ext_if
set optimization aggressive

# scrub
scrub in all

############
# nat/rdr###
############
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $ext_if from $dmz_net to any -> ($ext_if)

#Rules for ftp proxy and dmz services
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any port $dmz_services -> $dmz_net
#rdr on $ext_if proto udp from any port 53 -> $dmz_net
#rdr on $ext_if proto tcp from any port 53 -> $dmz_net

###############
# filter rules#
###############

#default deny
block in all
block out all

#Loopback rule
pass quick on lo0 all

#antispoof rule
antispoof quick for $int_if inet
antispoof quick for $dmz_if inet
block in log quick on $ext_if inet from <NoRoute> to any
block in log quick on $ext_if inet from any to <NoRoute>

#block IPv6
block quick inet6

#block from and to trusted network
block drop in quick on $ext_if from $lan_net to any
block drop out quick on $ext_if from any to $lan_net
block drop in quick on $ext_if from $dmz_net to any
block drop out quick on $ext_if from any to $dmz_net

#Anti NMAP Rule
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
# the "os" keyword belongs to the source host spec and needs proto tcp
block in log quick on $ext_if proto tcp from any os "NMAP"

#ssh rule for accessing the gateway
pass in on $ext_if inet proto tcp from $taf_net to ($ext_if) port $tcp_services flags S/SA keep state

#Fingerprint requested rule -> use only for testing purpose
#pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

#dmz rule
pass in on $ext_if inet proto tcp from any to $dmz_net port $dmz_services
pass in on $ext_if inet proto udp from any to $dmz_net port $dmz_services

#Allow ICMP -> use only for debug purpose
#pass in inet proto icmp all icmp-type $icmp_types keep state

#Outgoing rule

pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net
pass in on $dmz_if from $dmz_net to any
pass out on $dmz_if from any to $dmz_net

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

pass out on $ext_if from $lan_net to any keep state
These filtering rules are fairly basic but terribly effective.
Moreover, they let you fake the responses to OS fingerprinting if you enable the set block-policy return option. You also need to enable 2 options in sysctl.conf:
net.inet.tcp.rfc1323 = 0
net.inet.tcp.recvspace = 30720
net.inet.tcp.sendspace = 30720
# The last 2 parameters change the TCP window size
Nothing then stops you from enabling the authpf module.
Message edited by spy on 19-05-2005 at 20:58:10
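As an added example that is not part of the original post: a small Python model of pf's `flags check/mask` test, run against the "Anti NMAP" block rules above, shows which flag combinations they catch (Xmas, null, SYN+FIN, SYN+RST) and which fall through to the default `block in all` without being logged (a lone ACK), along with the `S/SA` check used by the pass rules. The flag-to-bit table is standard TCP; the function names are my own.

```python
# Added example (not from the original post). Models the pf(4) rule
# "flags check/mask": of the flags listed in mask, exactly those listed
# in check must be set; flags outside the mask are ignored.

# TCP flag letters as pf spells them, mapped to their header bits.
PF_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}

# The six flag-based block rules from the ruleset above, in rule order.
ANTI_SCAN_SPECS = [
    "FUP/WEUAPRSF",       # FIN+URG+PSH only ("Xmas" probe)
    "WEUAPRSF/WEUAPRSF",  # every flag set
    "SRAFU/WEUAPRSF",     # SYN+RST+ACK+FIN+URG, nothing else
    "/WEUAPRSF",          # no flags at all ("null" probe)
    "SR/SR",              # SYN and RST together
    "SF/SF",              # SYN and FIN together
]

def flags_to_bits(letters: str) -> int:
    """Convert a pf flag string such as 'SA' to a TCP flags byte."""
    bits = 0
    for letter in letters:
        bits |= PF_FLAG_BITS[letter]
    return bits

def pf_flags_match(tcp_flags: int, spec: str) -> bool:
    """True if a packet's TCP flags byte satisfies a pf 'check/mask' spec."""
    check, mask = spec.split("/")
    return (tcp_flags & flags_to_bits(mask)) == flags_to_bits(check)

def first_blocking_rule(tcp_flags: int):
    """Return the first anti-scan spec that blocks the packet, or None."""
    for spec in ANTI_SCAN_SPECS:
        if pf_flags_match(tcp_flags, spec):
            return spec
    return None

if __name__ == "__main__":
    # Constructed sample flag bytes: SYN, SYN+ACK, Xmas, null, SYN+FIN, ACK-only.
    for name, flags in [("SYN", 0x02), ("SYN+ACK", 0x12), ("Xmas", 0x29),
                        ("null", 0x00), ("SYN+FIN", 0x03), ("ACK", 0x10)]:
        print(f"{name:8s} blocked by: {first_blocking_rule(flags)}  "
              f"passes S/SA: {pf_flags_match(flags, 'S/SA')}")
```

A bare ACK or a SYN+ACK probe matches none of the logged rules, so it is dropped silently by the default deny rather than appearing in pflog.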