FreeBSD

Detalhes

Escrito por Helio Loureiro

Categoria: FreeBSD

Publicado: 29 Outubro 2005

Acessos: 5203

Script utilizado para realizar o controle de banda no sistema wi-fi da Futurecom2005. O primeiro problema encontrado foi que o sistema utilizava VLANs para dividir o tráfego enquanto que o controle de banda é somente possível em interfaces físicas. Felizmente funcionou a contento.

AP_NET="172.20.0.0/22" 
MAN_NET="192.168.48.0/0" 
VLAN100="201.25.199.254" 
VLAN200="201.34.160.254" 
VLAN300="201.34.161.254" 
VLAN400="172.20.3.254" 
VLAN500="192.168.48.254" 
VLAN100_INTF="vlan1" 
VLAN200_INTF="vlan2" 
VLAN300_INTF="vlan3" 
VLAN400_INTF="vlan4" 
VLAN500_INTF="vlan5" 

ME="{ 192.168.48.254, 201.25.199.254, 201.34.160.254, \
   201.34.161.254, 172.20.3.254}" 
SSH="{ 192.168.48.254, 201.25.199.254 }" 
EXT="em0" 

set timeout { interval 10, frag 30 } 
set timeout { tcp.first 120, tcp.opening 30, \
   tcp.established 86400 } 
set timeout { tcp.closing 900, tcp.finwait 45, \
   tcp.closed 90 } 
set timeout { udp.first 60, udp.single 30, \
   udp.multiple 60 } 
set timeout { icmp.first 20, icmp.error 10 } 
set timeout { other.first 60, other.single 30, \
   other.multiple 60 } 
set timeout { adaptive.start 0, adaptive.end 0 } 
set limit { states 10000, frags 5000 } 

##set loginterface none 
set optimization normal 
#set block-policy drop 
set require-order yes 
set fingerprints "/etc/pf.os" 

scrub in all 

### bandwidth 
altq on $EXT 
cbq bandwidth 15Mb 
queue { ots, ssh, voip, web, dhcp } 
queue ots bandwidth 10% priority 0 cbq(default ecn) 
queue ssh bandwidth 100Kb priority 7 cbq(borrow) 
queue voip bandwidth 30% priority 5 cbq(borrow) 
queue web bandwidth 60% priority 3 { http, mail, msn, dns } 
queue http bandwidth 60% cbq(borrow red) 
queue mail bandwidth 30% cbq(borrow red) 
queue msn bandwidth 10% cbq(borrow red) 
queue dns bandwidth 10% cbq(borrow red) 
queue dhcp bandwidth 10% priority 5 cbq(borrow) 
nat on $VLAN100_INTF from $AP_NET to any -> ($VLAN100_INTF) 

block in log all 
block return in on $EXT inet all queue ots 

pass out all 
#pass in all 

pass out inet proto tcp from any to any port 80 keep state queue http 
pass out on $EXT inet proto tcp from any to any port { 80, 443 } \
   keep state queue http 
pass out on $EXT inet proto tcp from any to any port { 25, 110, 143, \
   465, 993, 995 } keep state queue mail 
pass in on $EXT inet proto tcp from any to any port 1863 keep state \
   queue msn 
pass out on $EXT inet proto tcp from any to any port 1863 keep state \
   queue msn 
pass in on $EXT inet proto tcp from any to any port 22 keep state queue \
   ssh 
pass out on $EXT inet proto tcp from any to any port 22 keep state queue \
   ssh 
pass in on $EXT inet proto udp from any to any port 5060 keep state \
   queue voip 
pass out on $EXT inet proto udp from any to any port 5060 keep state \
   queue voip 
pass in on $EXT inet proto udp from any to any port 10000:20000 keep \
   state queue voip 
pass out on $EXT inet proto udp from any to any port 10000:20000 keep \
   state queue voip 
pass in on $EXT inet proto udp from any to any port 67:68 keep state \
   queue dhcp 
pass out on $EXT inet proto udp from any to any port 67:68 keep state \
   queue dhcp 
pass in on $EXT inet proto udp from any to any port 53 keep state queue \
   dns 
pass out on $EXT inet proto udp from any to any port 53 keep state queue \
   dns 
#pass in quick proto tcp from any to $SSH port 22 keep state 
#block in proto tcp from any to any port 80 
pass in quick proto tcp from any to $ME port 80 
pass in quick proto udp from any to any port 53 keep state 
pass in quick proto udp from any port 53 to any keep state 
pass in quick proto { tcp, udp } from any to $ME port { 67, 68 } keep state 
pass in quick proto { tcp, udp } from $AP_NET to $VLAN400 port { 67, 68 } \
   keep state 
pass in quick proto { tcp, udp } from any to $ME port { 67, 68 } keep state 
#pass in proto { tcp, udp, icmp } from any to any 
block in quick log proto { tcp, udp } from any to any port { 135, 136, 137, \
   138, 139, 445, 1433, 1434 } 
pass in quick proto udp from any to $ME port 161 keep 
state pass in quick proto udp from any port 161 to $ME keep state 

#block in log from any to $MAN_NET 
#block out log from $MAN_NET to any pass out from $ME to any 
#block in quick log from any to $MAN_NET 
#block in quick log from $MAN_NET to any 

pass in quick proto icmp from any to $ME keep state 
pass out quick proto icmp from $ME to any keep state 
pass out quick proto tcp from $ME to 192.168.48.0/24 keep state 
pass in quick proto udp from 192.168.48.0/24 to $ME port 161 keep state 
pass in from any to any 
block in log from any to $ME 

Detalhes

Escrito por Helio Loureiro

Categoria: FreeBSD

Publicado: 08 Maio 2005

Acessos: 7953

Aqui segue a receita de bolo para configurar um servidor pppoe em um FreeBSD. O uso aqui foi para testes de equipamentos VoIP. O usuários são aqueles configurados no /etc/passwd do sistema, com suas respectivas senhas.

[root@hloureiro ~]# cat /etc/ppp/ppp.conf 
 default: 
     set log All Phase tun command Chat Radius 
     set ifaddr 10.0.0.1/24 10.0.0.100-10.0.0.199 
     enable pap chap passwdauth 
 
 pppoe:
  set device PPPoE:sis0:dlink
  enable lqr
  set cd 5
  set dial
  set login
  set redial 0 0 
 
 dlink:
  allow mode direct 
  enable lqr proxy   
  enable chap pap passwdauth 
  set ifaddr 10.0.0.1/24 10.0.0.100-10.0.0.199 
  accept dns 
 
 [root@hloureiro ~]# /usr/libexec/pppoed -p dlink -F -d sis0
 Sending NGM_LISTHOOKS to sis0:
 Got reply from id [1]: Type ether with 1 hooks
   Got [1]:orphans -> [3]:ethernet
 Sending PPPOE_LISTEN to .:pppoe-5538, provider dlink
 pppoed[5538]: Listening as provider dlink
 
 

Detalhes

Escrito por Helio Loureiro

Categoria: FreeBSD

Publicado: 04 Maio 2005

Acessos: 6622

  Nos tempos atuais, segurança deixou de ser um item reservados às grandes redes e servidores para tornar-se um companheiro mais próximo no nosso dia-à-dia.  Nesse contexto, o uso de um firewall faz-se mais que necessário.
    Esse é o script de inicialização de firewall que usava em meu laptop, baseado em FreeBSD.  É bem simples e permite um bom nível de segurança.

    Para utilizar, basta copiar o conteúdo abaixo para o arquivo /etc/rc.firewall e adicionar a seguinte entrada em /etc/rc.conf:

firewall_enable="YES"
    Para baixar as regras do firewall e permitir a passagem de todos os pacotes, basta rodar "sh /etc/rc.firewall stop".

#! /bin/sh

fwcmd="/sbin/ipfw"
LOOPB="127.0.0.1/8"

${fwcmd} -f flush
#${fwcmd} add divert natd ip from any to any via ep0
${fwcmd} add allow all from any to any via lo0
${fwcmd} add deny log all from any to ${LOOPB}
${fwcmd} add deny log all from ${LOOPB} to any

${fwcmd} add allow tcp from any to any established
${fwcmd} add allow tcp from me to any keep-state
${fwcmd} add allow udp from me to any keep-state
${fwcmd} add allow udp from me to any 53 keep-state
${fwcmd} add allow icmp from me to any keep-state

${fwcmd} add allow tcp from any to me 21 keep-state
${fwcmd} add allow tcp from any to me 22 keep-state
${fwcmd} add allow tcp from any to me 23 setup
${fwcmd} add allow tcp from any to me 69 setup
${fwcmd} add allow udp from any to me 69 keep-state
${fwcmd} add allow tcp from any to me 80 setup
${fwcmd} add allow tcp from any to me 33434 setup
${fwcmd} add allow udp from any to me 33434 setup
#${fwcmd} add allow tcp from any to me 6000 setup

#${fwcmd} add allow icmp from any to me icmptype 11
${fwcmd} add allow icmp from any to me

${fwcmd} add deny tcp from any to me 135-139
${fwcmd} add deny udp from any to me 135-139
${fwcmd} add deny log all from any to me
${fwcmd} add allow all from any to any

case $1 in
         clean|clear|stop) ${fwcmd} -f flush
                           ${fwcmd} add divert natd ip from any to any via ep0
                           ${fwcmd} add allow all from any to any
         ;;
esac