Tuesday, September 14, 2021

Firewall IPFW FreeBSD

 https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-ipfw

IPFW: protecting a FreeBSD workstation while still allowing remote access over SSH.

IPFW is a stateful firewall written for FreeBSD that supports both IPv4 and IPv6. It is made up of several components: the kernel's filter rule processor with its built-in packet accounting, the logging facility, NAT, the dummynet(4) traffic shaper, a forward facility, a bridge facility, and an ipstealth facility.

Enable IPFW at boot, point it at the rules script, and turn on logging (the sysctl is written to /etc/sysctl.conf so it survives reboots and also set live, so that it applies to the running kernel; verbose_limit caps how many log messages a rule may generate):

# sysrc firewall_enable="YES"
# sysrc firewall_script="/etc/ipfw.rules"
# sysrc firewall_logging="YES"
# echo "net.inet.ip.fw.verbose_limit=5" >> /etc/sysctl.conf
# sysrc firewall_logif="YES"
# service ipfw start
# sysctl net.inet.ip.fw.verbose_limit=5
% cat /etc/ipfw.rules
###################################
#!/bin/sh
# Start from an empty ruleset, so re-running the script does not append duplicates
ipfw -q -f flush

LAN="192.168.88.0/24"      # trusted local network that may reach SSH
cmd="/sbin/ipfw -q add"
pif="re0"                  # external (public) interface

# Loopback: allow everything on lo0, refuse loopback addresses on any other interface
$cmd 00100 allow ip from any to any via lo0
$cmd 00200 deny ip from any to 127.0.0.0/8
$cmd 00300 deny ip from 127.0.0.0/8 to any
$cmd 00400 deny ip from any to ::1
$cmd 00500 deny ip from ::1 to any

# IPv6 link-local traffic and neighbour/router discovery, needed for IPv6 to work at all
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136

# Stateful section: consult existing dynamic rules first, then let this host open
# outbound connections, creating state so that the replies are accepted
$cmd 01100 check-state :default
$cmd 01200 allow tcp from me to any established
$cmd 01300 allow tcp from me to any setup keep-state :default
$cmd 01400 allow udp from me to any keep-state :default
$cmd 01500 allow icmp from me to any keep-state :default
$cmd 01600 allow ipv6-icmp from me to any keep-state :default

# DHCP (IPv4) and DHCPv6 client traffic
$cmd 01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
$cmd 01800 allow udp from any 67 to me 68 in
$cmd 01900 allow udp from any 67 to 255.255.255.255 68 in
$cmd 02000 allow udp from fe80::/10 to me 546 in

# ICMP: echo request/reply plus the error types needed for unreachable, path MTU and TTL handling
$cmd 02100 allow icmp from any to any icmptypes 8
$cmd 02200 allow ipv6-icmp from any to any icmp6types 128,129
$cmd 02300 allow icmp from any to any icmptypes 3,4,11
$cmd 02400 allow ipv6-icmp from any to any icmp6types 3

# Inbound SSH only from the LAN, at most 2 simultaneous connections per source address
$cmd 02500 allow tcp from $LAN to me 22 in via $pif setup limit src-addr 2

# Catch-all: count whatever falls through, drop common noise explicitly, then deny the rest.
# Rules that share number 65500 are evaluated in the order they were added.
$cmd 65000 count ip from any to any
$cmd 65100 deny { tcp or udp } from any to any 135-139,445 in
$cmd 65200 deny { tcp or udp } from any to any 1026,1027 in
$cmd 65300 deny { tcp or udp } from any to any 1433,1434 in
$cmd 65400 deny ip from any to 255.255.255.255
$cmd 65500 deny ip from any to 224.0.0.0/24 in
$cmd 65500 deny udp from any to any 520 in
$cmd 65500 deny tcp from any 80,443 to any 1024-65535 in
$cmd 65500 deny ip from any to any
# 65535 is the number of the kernel's own default rule
$cmd 65535 deny ip from any to any
###################################

FreeBSD is great!
