

Hello.

Following my call for help about setting up a firewall under FreeBSD, I am
attaching my procedure along with the rules that were used.

All comments are welcome, especially about the ipf.rules file. My approach
was as follows:
 - I block everything and put it in a queue
 - in the queue I eliminate the malicious protocols
 - then I let the good traffic through
 - if nothing matches the packet, reject it and sound the alarm

Procedure for setting up a firewall under FreeBSD 5.2

Do a minimal install, configured as a gateway:
http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html

Put the following in the files:

-> firewall# vi /boot/loader.conf
ipl_load="YES"

-> firewall# vi /etc/rc.conf
icmp_drop_redirects="YES"
defaultrouter="10.0.0.138"
gateway_enable="YES"
hostname="firewall.lookali.com"
ifconfig_rl0="inet 10.0.0.1  netmask 255.255.255.0"  # WAN interface
ifconfig_fxp0="inet 192.168.0.1 netmask 255.255.255.0" # LAN interface
ifconfig_lo0="inet 127.0.0.1"
keymap="fr.iso.acc"
linux_enable="YES"
moused_enable="YES"
saver="daemon"
sshd_enable="YES"
usbd_enable="YES"

ipfilter_enable="YES"
ipfilter_flags=""
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipfilter_rules="/etc/ipf.rules"
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
ipnat_enable="YES"

-> firewall# vi /etc/sysctl.conf
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

-> firewall# vi /etc/ipnat.rules
# Allow the LAN out to the Internet
map rl0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto

-> firewall# vi /etc/ipf.rules
# Allow traffic on the loopback
#
pass in quick on lo0
pass out quick on lo0

# Block incoming traffic - decide afterwards
#
block in log on rl0 proto tcp from any to any
block in on rl0 proto udp from any to any
block in on rl0 proto icmp from any to any

# Also block outgoing traffic
# from the firewall
block out on rl0 from any to any

#----------------------------------------------------#
# WAN protection
# Anti-spoofing rules
#
block in log quick on rl0 from 192.168.0.30/32 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any
block in log quick on rl0 from 127.0.0.0/8 to any

# now we are blocking packets that are too short to
# contain a complete header, or with source routing
# options (most likely set to bypass our firewall)
#----------------------------------------------------------------
block in quick on rl0 from any to any with frags
block in log quick from any to any with short
block in log quick on rl0 from any to any with opt lsrr
block in log quick on rl0 from any to any with opt ssrr
#----------------------------------------------------------------
# drop any IP packets with options set
# ipopts include lsrr and ssrr (source routed frags)
#----------------------------------------------------------------
block in log quick on rl0 from any to any with ipopts
#----------------------------------------------------------------
# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log quick on rl0 proto tcp from any to any flags FUP

block in log quick on rl0 proto tcp from any to 192.168.0.30/32 port = 113

# Allow an ssh connection to the server
#
pass in quick on rl0 proto tcp from any to 192.168.0.30/32 port = 22 keep state
pass out quick on rl0 proto tcp from any to 192.168.0.30/32 port = 22 keep state

# Allow the LAN out
#
pass in log on fxp0 proto tcp/udp from any to any keep state
pass in log on fxp0 proto icmp from any to any keep state
pass out log on fxp0 proto tcp/udp from any to any keep state
pass out log on fxp0 proto icmp from any to any keep state

# If no rule matched, reject the packet/connection
block in log level local0.alert quick on rl0 from any to any
block out log level local0.alert quick on rl0 from any to any
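The "block everything, then let the good traffic through" approach above depends on how IPFilter walks a rule file: rules are evaluated top to bottom, the last matching rule wins, and a matching rule marked "quick" stops evaluation immediately. The following small simulator is an added example (not code from the mail or from IPFilter itself) that parses a constructed subset of the ipf.rules above, with the addresses from the rc.conf, and reports which rule decides the fate of a few constructed packets. It models only stateless rule matching: "keep state" entries, "with ..." options, TCP flags and NAT are ignored, so forwarded LAN traffic, which in practice is let out on rl0 by the state entries created on fxp0, shows up here as blocked. It also shows that, because the WAN side is 10.0.0.0/24, the 10.0.0.0/8 anti-spoofing rule matches packets sourced by the upstream router 10.0.0.138.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subset of the ipf.rules from the mail (assumption: same addresses,
# "with ...", "flags ..." and "keep state" clauses left out or ignored).
RULES_TEXT = """
pass in quick on lo0
pass out quick on lo0
block in log on rl0 proto tcp from any to any
block in on rl0 proto udp from any to any
block in on rl0 proto icmp from any to any
block out on rl0 from any to any
block in quick on rl0 from 10.0.0.0/8 to any
block in log quick on rl0 from 127.0.0.0/8 to any
pass in quick on rl0 proto tcp from any to 192.168.0.30/32 port = 22 keep state
pass in log on fxp0 proto tcp/udp from any to any keep state
pass in log on fxp0 proto icmp from any to any keep state
pass out log on fxp0 proto tcp/udp from any to any keep state
block in log level local0.alert quick on rl0 from any to any
block out log level local0.alert quick on rl0 from any to any
"""


@dataclass
class Packet:
    direction: str      # "in" or "out"
    iface: str          # interface the packet is seen on
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # destination port (0 for icmp)


def parse_rule(line):
    """Parse the subset of ipf syntax used above into a dict.
    Tokens after 'keep', 'with' or 'flags' are not modelled and end parsing."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": False, "iface": None,
         "proto": None, "src": None, "dst": None, "dport": None, "text": line}
    i = 2
    while i < len(t):
        tok = t[i]
        if tok == "log":                       # "log" or "log level facility.prio"
            i += 1
            if i < len(t) and t[i] == "level":
                i += 2
        elif tok == "quick":
            r["quick"] = True
            i += 1
        elif tok == "on":
            r["iface"] = t[i + 1]
            i += 2
        elif tok == "proto":                   # "tcp/udp" means either protocol
            r["proto"] = set(t[i + 1].split("/"))
            i += 2
        elif tok == "from":
            r["src"] = t[i + 1]
            i += 2
        elif tok == "to":
            r["dst"] = t[i + 1]
            i += 2
        elif tok == "port":                    # "port = N"
            r["dport"] = int(t[i + 2])
            i += 3
        else:                                  # keep state / with / flags: ignored
            break
    return r


def _addr_match(spec, addr):
    if spec is None or spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    if rule["dir"] != pkt.direction:
        return False
    if rule["iface"] and rule["iface"] != pkt.iface:
        return False
    if rule["proto"] and pkt.proto not in rule["proto"]:
        return False
    if not _addr_match(rule["src"], pkt.src) or not _addr_match(rule["dst"], pkt.dst):
        return False
    if rule["dport"] is not None and pkt.dport != rule["dport"]:
        return False
    return True


def evaluate(rules, pkt):
    """IPFilter semantics: walk the list top to bottom, the last matching rule
    wins, except that a matching 'quick' rule ends evaluation at once.
    Returns (action, text of the deciding rule); no match at all means pass."""
    verdict = ("pass", "<default: no rule matched>")
    for r in rules:
        if matches(r, pkt):
            verdict = (r["action"], r["text"])
            if r["quick"]:
                break
    return verdict


RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines() if l.strip()]

if __name__ == "__main__":
    # Constructed packets; 203.0.113.5 is a documentation address standing in for an Internet host.
    samples = [
        Packet("in", "rl0", "tcp", "203.0.113.5", "192.168.0.30", 22),   # ssh, allowed by the quick pass
        Packet("in", "rl0", "tcp", "203.0.113.5", "10.0.0.1", 80),       # http, falls to the final block
        Packet("in", "rl0", "icmp", "10.0.0.138", "10.0.0.1"),           # upstream router hits the 10/8 rule
        Packet("out", "fxp0", "tcp", "203.0.113.5", "192.168.0.20", 443), # reply towards the LAN
        Packet("out", "rl0", "tcp", "10.0.0.1", "203.0.113.5", 443),     # LAN traffic after NAT, no state modelled
    ]
    for p in samples:
        action, why = evaluate(RULES, p)
        print(f"{p.direction:3} {p.iface:4} {p.proto:4} {p.src}->{p.dst}:{p.dport}  {action:5}  by: {why}")
```

Reordering the rules in RULES_TEXT and re-running shows why the final two "quick" blocks matter: without them, the earlier non-quick "block in on rl0" rules would be overridden by any later pass rule that happens to match, because the last match wins.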


--------------------------------------------------------------------
The occult mailing lists: <URL:http://www.CULTe.org/listes/>