Minggu, 20 Mei 2012

StateFul Firewall dan limiter di FreeBSD

Edit Kernel :

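#ALTQ -- queueing support required by the hfsc queues in /etc/pf.conf below
options ALTQ
options ALTQ_CBQ        # Class Based Queuing
options ALTQ_RED        # Random Early Detection (used by the "red" queue option)
options ALTQ_RIO        # RED In/Out
options ALTQ_HFSC       # Hierarchical Fair Service Curve -- the scheduler this ruleset uses
options ALTQ_CDNR       # traffic conditioner
options ALTQ_PRIQ       # Priority Queuing
options ALTQ_NOPCC      # required when building an SMP kernel

#pf
device pf               # the packet filter itself
device pflog            # pflog0 interface that receives packets matched by "log" rules
device pfsync           # state-table synchronisation interface; not referenced by the pf.conf below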

#options -> normalization -> queueing -> translation -> filtering

#input ke /etc/pf.conf

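# /etc/pf.conf -- stateful firewall on tun0, NAT for the VPN subnet and
# per-host HFSC download limiting on the LAN interface.
# Section order matters (options, normalization, queueing, translation,
# filtering); "set require-order yes" below makes pfctl enforce it.

# Interface and network macros.
int_if="bge0"
vpn_if="tun1"
vpn_network="10.254.0.0/24"
internal_network="192.168.2.0/24"
ext_if="tun0"

#######OPTIONS############
# Explicit state timeouts. adaptive.start/adaptive.end are both 0, so
# adaptive timeout scaling is off and the state table is only bounded by
# "set limit states" below.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
# "aggressive" also selects a timeout preset; after loading, check which
# values are actually in effect with: pfctl -s timeouts
set optimization aggressive
# Blocked packets are silently dropped (no TCP RST / ICMP unreachable).
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
############################

# Destinations that the "block out" rules in FILTERING cut off for selected
# LAN hosts. A table name is written in angle brackets, both here and where
# it is referenced. Hostnames are resolved once, when the ruleset is loaded,
# so these entries go stale when the remote addresses change; reload the
# ruleset periodically or manage the table with pfctl -t.
table <blok> {scs.msg.yahoo.com,scsa.msg.yahoo.com,scsb.msg.yahoo.com,scsc.msg.yahoo.com,webcam.yahoo.com}


#####Normalization##########
# Reassemble fragments and sanitise inbound packets on every interface.
scrub in all

ssh_ports = "{ 22 }"
#im_ports = "{ 5050 5222 6667 }"
# Used for both the "pass out" and the "pass in" rules on $ext_if, so every
# port listed here is also reachable on the firewall's external address
# from the Internet (see the FILTERING section).
tcp_services = "{ 8291 8080 21 25 53 80 113 110 143 443 2082 5050 5222 6667 1723 1701 5999 }"
# 1194 was listed twice; the duplicate is dropped. 1723 (PPTP control) is a
# TCP port -- presumably kept here for symmetry; verify it is needed.
udp_services = "{ 8291 1194 1723 1701 }"
#icmp_types = "echoreq"
############################
####queue################
#altq on $ext_if bandwidth 40Kb hfsc queue { uploadlimit, andri, free }
#queue uploadlimit bandwidth 1Kb hfsc ( default upperlimit 1Kb )
#queue andri bandwidth 8Kb hfsc ( red realtime 8Kb upperlimit 8Kb )
#queue free bandwidth 31Kb hfsc ( red realtime 31Kb upperlimit 31Kb )

# Download shaping: queues live on $int_if, so they act on traffic leaving
# the firewall towards the LAN. "downloadlimit" is the default queue: any
# LAN host that has no explicit queue assignment in the Limiter section is
# capped at 1Kb.
altq on $int_if bandwidth 1Mb hfsc queue { downloadlimit, bebas, sukur, sukurdech }
queue downloadlimit bandwidth 1Kb hfsc( default upperlimit 1Kb )
queue bebas bandwidth 600Kb hfsc ( red realtime 600Kb upperlimit 600Kb )
queue sukur bandwidth 30Kb hfsc ( red realtime 30Kb upperlimit 30Kb )
# "priority" is a CBQ/PRIQ parameter; confirm in pf.conf(5) whether hfsc
# honours it before relying on it. The three child queues share 60Kb and
# may each burst up to the parent's 60Kb upperlimit.
queue sukurdech bandwidth 60Kb priority 3 hfsc ( red realtime 60Kb upperlimit 60Kb ) { acc, credit, ao }
queue acc bandwidth 20Kb hfsc ( realtime 20Kb linkshare 20Kb upperlimit 60Kb )
queue credit bandwidth 20Kb hfsc ( realtime 20Kb linkshare 20Kb upperlimit 60Kb )
queue ao bandwidth 20Kb hfsc ( realtime 20Kb linkshare 20Kb upperlimit 60Kb )


#########################

#####Translation###########
# The source of this commented-out rule was lost when the page was rendered
# (probably a <table> reference); restore it before uncommenting.
#nat on $ext_if from to any -> ($ext_if)
# Only the VPN subnet is NATed. $internal_network is defined above but not
# used by any rule -- either a leftover or the LAN is translated elsewhere.
nat on $ext_if from $vpn_network to any -> ($ext_if)
#rdr on $int_if proto tcp from any to any port 80 -> 125.162.125.190 port 8080
#rdr on rl1 proto tcp from 192.168.1.0/24 to any port www -> 192.168.1.100 port 3128
############################

#########FILTERING############
set skip on lo0
# Default deny applies to inbound traffic on $ext_if only; there is no block
# rule for $int_if or for outbound traffic, so those pass unless a later
# rule blocks them. Last matching rule wins unless marked "quick".
block in log on $ext_if all
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_services flags S/SA keep state
# Opens every $tcp_services port on the external address to the Internet.
# Entries such as 5050, 5222, 6667 and 2082 are ports clients connect *to*
# and only need the "pass out" rule above; trim this list to services that
# are actually hosted on this machine.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
# Echo reply (0) and echo request (8), both directions.
pass on $ext_if inet proto icmp from any to any icmp-type 0 keep state
pass on $ext_if inet proto icmp from any to any icmp-type 8 keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_services keep state
# Note the "to any" here, unlike the TCP rule's "to ($ext_if)": this also
# admits packets routed through the firewall to those ports.
pass in on $ext_if inet proto udp from any to any port $udp_services keep state
# Outbound DNS to two fixed resolvers, plus a generic "port domain" rule below.
pass out on $ext_if inet proto udp from any to 202.134.0.155 port 53 keep state
pass out on $ext_if inet proto udp from any to 203.130.206.250 port 53 keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports flags S/SA keep state
# SSH is reachable from any source address. Consider restricting the source,
# and/or rate-limiting new connections per source, e.g.
#   ... flags S/SA keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
# with a matching "table <bruteforce> persist" and a block rule for it.
pass in on $ext_if inet proto tcp from any to any port $ssh_ports flags S/SA keep state
#pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports flags S/SA keep state
# Per-host blocks towards the <blok> table. These come after the "pass out"
# rules and are not "quick", so they only take effect because none of the
# earlier pass rules match traffic sourced from these LAN addresses.
block out on $ext_if from 192.168.2.99 to <blok>
block out on $ext_if from 192.168.2.56 to <blok>
block out on $ext_if from 192.168.2.155 to <blok>
block out on $ext_if from 192.168.2.21 to <blok>
block out on $ext_if from 192.168.2.250 to <blok>
block out on $ext_if from 192.168.2.75 to <blok>
block out on $ext_if from 192.168.2.50 to <blok>
block out on $ext_if from 192.168.2.47 to <blok>
block out on $ext_if from 192.168.2.45 to <blok>
block out on $ext_if from 192.168.2.61 to <blok>
# Everything on the VPN tunnel interface is trusted and passed unfiltered.
pass quick on $vpn_if

###########Limiter################################################

# One rule per LAN host selects its queue. The rule matches the host's
# packets entering $int_if; the state it creates tags the reply traffic, so
# the queue is applied when that traffic leaves $int_if (i.e. to downloads).
# Hosts without a rule here end up in the default "downloadlimit" queue.
pass in on $int_if from 192.168.2.99 to any keep state queue sukur
pass in on $int_if from 192.168.2.144 to any keep state queue bebas
pass in on $int_if from 192.168.2.146 to any keep state queue bebas
pass in on $int_if from 192.168.2.155 to any keep state queue bebas
pass in on $int_if from 192.168.2.56 to any keep state queue bebas
pass in on $int_if from 192.168.2.21 to any keep state queue bebas
pass in on $int_if from 192.168.2.75 to any keep state queue acc
pass in on $int_if from 192.168.2.61 to any keep state queue bebas
pass in on $int_if from 192.168.2.45 to any keep state queue bebas
pass in on $int_if from 192.168.2.250 to any keep state queue credit
pass in on $int_if from 192.168.2.253 to any keep state queue bebas
pass in on $int_if from 192.168.2.50 to any keep state queue bebas
pass in on $int_if from 192.168.2.47 to any keep state queue ao
####################################################################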
