27 junho, 2008

Você está seguro?

Keywords: osx, mac, ipfw, firewall, waterroof

Sabe aquela falsa sensação de segurança. É isso que sinto ao utilizar o firewall padrão do Leopard, no Tiger a história era outra, eu tinha total controle sobre as regras, quais portas estavam abertas, quais estavam fechadas e por ae vai. Com a atualização para o Leopard veio a bomba... o tal do AppFirewall (apple-firewall, application-firewall, vai saber?) ...

Brincando um pouco no shell notei que o bom e velho ipfw tava lá ainda. Fazia um tempo que eu não brincava com ele, mas nunca é tarde para aprender (novamente). E lá vou eu ... fazer as regras para o danado até que foram tranquilas o complicado estava ser colocar as mesmas para iniciar junto com a máquina.

Depois de várias tentativas achei um tal de WaterRoof, que nada mais é que uma interface gráfica para o ipfw e o melhor de tudo, vem com algumas regras prontas (bloquear varredura de portas, bloquear pacotes estranhos, bloquear pings, etc.)... Beleza mas e a inicialização??? Calma que ele tem também! Basta salvar as regras atuais para o "Startup Script" e depois instalar o mesmo.

Prontooo! Após o reboot tava lá o ipfw no ar, bloqueando alguns pacotes já ... maravilha!!
Hoje estou rodando apenas o ipfw e sinto-me muito mais seguro do que antes.

Mas tem aquela né, eu faço parte daqueles 0,002% dos usuários de Mac que curtem "sujar as mãos" ... então acho que esse post não vai servir para muita coisa. :P

Bom, só de lambuja vai a config do meu firewall atual ...

00100 allow ip from any to any via lo*
00200 deny log ip from 127.0.0.0/8 to any in
00300 deny log ip from any to 127.0.0.0/8 in
00400 deny log ip from 224.0.0.0/3 to any in
00500 deny log tcp from any to 224.0.0.0/3 in
00600 allow tcp from any to any out keep-state
00700 allow tcp from any to any established keep-state
00800 deny ip from any to any ipoptions rr
00900 deny ip from any to any ipoptions ts
01000 deny ip from any to any ipoptions lsrr
01100 deny ip from any to any ipoptions ssrr
01200 deny log tcp from any to any tcpflags syn,fin
01210 deny log tcp from any to any tcpflags syn,rst
01220 deny log tcp from any 0 to any
01230 deny log tcp from any to any dst-port 0
01240 deny log udp from any 0 to any
01250 deny log udp from any to any dst-port 0
01270 deny log ip from 0.0.0.0/8 to any
65533 deny log icmp from any to me in icmptypes 8
65534 deny log tcp from any to any
65535 allow ip from any to any

7 comentários:

  1. Meu firewall é 1000 vezes mais eficiente que o seu, ai está a linha de configuracão que prova isso:

    [ 927.782764] eth0: link down.

    Uahuahuah

    abracos...

    ResponderExcluir
  2. Realmente via rede ninguém entra neste seu server.
    Se bem que ver "eth0" me deixa levemente triste. Mas fazer o que, malditas licenças que não deixam agente rodar o que quer aonde quer.

    hunf!!

    :)

    ResponderExcluir
  3. Otimo post.
    Vou testar mais tarde.

    Abraços.

    ResponderExcluir
  4. Salve salve humanos...

    E ai como vão vcs??? Grande Matheus... pode deixar que vamos precisar trocar figurinhas sim... to ligado que vc tava mexendo com administracao de servidores Windows tb. Eu ainda nao estou usando o MSN por aqui, so o Gtalk, mas logo logo estarei presente no msn, e ai qlqr coisa a gente coloca as informacoes em dia... abracao pra vc meu velho!...

    ResponderExcluir
  5. vo anotar aqui as config
    hehehehe

    blza

    ResponderExcluir
  6. Uso junto com o throttled pro, tem em cli segue meu script.
    root at bitnew dot net

    Sou dos 0,002%, qualquer melhoria posta ae.

    []'s

    #!/bin/sh

    # this is the main configuration file for throttled.
    # if you used a previous release, the syntax has changed in 0.5.0
    # you have been warned. make sure to specify weights for your divert sockets.
    # set your network interface
    # you can get a full list by doing "ifconfig -a"
    # these examples are osx specific
    # ethernet - "INTERFACE=en0"
    # airport - "INTERFACE=en1"
    # pppoe - "INTERFACE=ppp0"
    INTERFACE=ppp0

    # set your maximum speed in bytes...
    # this should be set to your maximum upstream speed.
    # recommended common adsl/cable speeds:
    # 384k upload - "MAXSPEED=49152"
    # 256k upload - "MAXSPEED=32768"
    # 128k upload - "MAXSPEED=16384"
    MAXSPEED=32768

    # DON'T CHANGE ANYTHING BELOW UNLESS YOU KNOW WHAT YOUR DOING.
    # most users should not edit anything below. you have been warned.

    # ipfw rule number (1-65535)
    # Rule 00070 allows throttled to coexist with the apple firewall
    # and internet connection sharing.
    # You may have to change this if you use certain firewall products.
    RULENUM=00070

    # usage: throttled [-ATLh] -s speed -r rule [-i increment] [-d port] [-p priority]
    # -s speed Max speed in bytes/second (required)
    # -r rule IPFW rule number to remove when quit (required)
    # -i increment Amount to change the throttle in bytes/sec (USR1 - Decrease | USR2 - Increase)
    # -T Enable iTunes TTL fix
    # -h This help screen
    # -v Version information
    # -d port Divert port (optional, may specify more than one)
    # -w weight Weight for the divert port specified prior to this option.

    # launch throttled with a maxspeed of $MAXSPEED
    # this throttled instance has 3 weights, this allows us to prioritize low
    # bandwidth flows, normal flows, and very fast flows (for ACK priority)..
    # You will understand this more when you look how the rules are setup below.
    /usr/local/sbin/throttled -s $MAXSPEED -r $RULENUM -d 17779 -w 50 -d 17778 -w 10 -d 17777 -w 1 -T || exit

    # all rules below are for ipfw, there is many ways you can set this up.
    # we have simplified this for new users by removing ip specific ipfw rules.
    # this fixes isses for dynamic ip users, but if you want rules bound to
    # a single ip you can use either of the examples below.
    #
    # the line below finds your ip automatically
    # IP=$(/sbin/ifconfig $INTERFACE inet | /usr/bin/sed -n 's/^.*inet\ \(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*/\1/p' | tail -n 1)
    #
    # you can also specify the ip address by doing
    # IP=192.168.1.6
    IP=any

    /sbin/ipfw -f flush

    # skip your internal network, this example is for 192.168.1.x
    # /sbin/ipfw add $RULENUM skipto `expr $RULENUM + 1` ip from $IP to 192.168.1.0/24 out xmit $INTERFACE

    # prioritize empty acks and setup
    /sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any out xmit $INTERFACE tcpflags ack iplen 0-70
    /sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any setup out xmit $INTERFACE

    # prioritize icmp
    /sbin/ipfw add $RULENUM divert 17779 icmp from any to any out xmit $INTERFACE

    # these rules allow http/https/ssh/telnet/pop/irc/sirc
    # to be prioritized by the throttle.
    #
    # Setting up the configuration this way catches more file transfer types
    # and minimizes lag in response driven services.

    # prioritize nameserver lookups
    /sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 53 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17779 udp from $IP to any 53 out xmit $INTERFACE

    # prioritize http/https
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 80 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 443 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 3130 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 8080 out xmit $INTERFACE

    # prioritize proxy
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 8118 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 9001 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 9030 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 9050 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 9051 out xmit $INTERFACE

    # prioritize ssh
    /sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 22 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 2222 out xmit $INTERFACE

    # prioritize imap
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 143 out xmit $INTERFACE

    # prioritize ftp directory listings
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 21 out xmit $INTERFACE

    # prioritize msn
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 1863 out xmit $INTERFACE

    # prioritize irc and sirc
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 6667 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 6668 out xmit $INTERFACE
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 9999 out xmit $INTERFACE

    # prioritize Skype
    /sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 16732 out xmit $INTERFACE

    # bind to throttle low priority services.
    /sbin/ipfw add $RULENUM divert 17777 ip from $IP to any out xmit $INTERFACE

    ipfw add 00100 allow ip from any to any via lo0

    ipfw add 00200 check-state

    ipfw add 00700 allow tcp from any to any out keep-state
    ipfw add 00710 allow udp from any to any out keep-state
    ipfw add 00720 allow icmp from any to any out keep-state

    ipfw add 00800 allow tcp from any to any established keep-state

    ipfw add 03000 allow udp from any to any dst-port 53,16000,32000,32003,32715
    ipfw add 03001 allow tcp from any to any dst-port 53,16000,32000,32003,32715
    ipfw add 03002 allow udp from any to any src-port 53,16000,32000,32003,32715
    ipfw add 03003 allow tcp from any to any src-port 53,16000,32000,32003,32715

    ipfw add 03004 allow tcp from any to any dst-port 51413

    ipfw add 03010 allow icmp from any to any icmptypes 0,3,4,11
    ipfw add 03011 allow icmp from any to any icmptypes 8 out
    ipfw add 03012 deny icmp from any to any

    ipfw add 04000 deny all from any to any in frag

    ipfw add 04001 deny all from 127.0.0.0/8 to any in
    ipfw add 04101 deny all from any to 127.0.0.0/8 in
    ipfw add 04201 deny all from 224.0.0.0/3 to any in
    ipfw add 04301 deny tcp from any to 224.0.0.0/3 in

    ipfw add 04801 deny all from any to any ipoptions rr
    ipfw add 04901 deny all from any to any ipoptions ts
    ipfw add 05001 deny all from any to any ipoptions lsrr
    ipfw add 05101 deny all from any to any ipoptions ssrr
    ipfw add 05301 deny tcp from any to any tcpflags syn,fin
    ipfw add 05311 deny tcp from any to any tcpflags syn,rst
    ipfw add 05321 deny tcp from any 0 to any
    ipfw add 05331 deny tcp from any to any dst-port 0
    ipfw add 05341 deny udp from any 0 to any
    ipfw add 05351 deny udp from any to any dst-port 0
    ipfw add 05371 deny ip from 0.0.0.0/8 to any

    ipfw add 65534 deny ip from any to any
    ipfw add 65535 allow ip from any to any

    ifconfig lo0 mtu 1500

    sysctl -w net.inet.ip.fw.debug=1
    sysctl -w net.inet.ip.fw.verbose=1
    sysctl -w net.inet.ip.fw.verbose_limit=200
    sysctl -w net.inet.ip.fw.dyn_max=3000
    sysctl -w net.inet.ip.fw.dyn_fin_lifetime=2
    sysctl -w net.inet.ip.fw.dyn_rst_lifetime=2
    sysctl -w net.inet.ip.fw.one_pass=1

    sysctl -w net.inet.ip.intr_queue_maxlen=100

    sysctl -w net.inet.tcp.strict_rfc1948=1

    sysctl -w kern.sysv.shmmax=167772160
    sysctl -w kern.sysv.shmmin=1
    sysctl -w kern.sysv.shmmni=64
    sysctl -w kern.sysv.shmseg=16
    sysctl -w kern.sysv.shmall=32768

    sysctl -w net.inet.icmp.icmplim=200

    sysctl -w net.local.stream.recvspace=8388608
    sysctl -w net.local.stream.sendspace=8388608

    sysctl -w net.inet.udp.maxdgram=32768
    sysctl -w net.inet.tcp.delayed_ack=0

    sysctl -w net.inet.tcp.newreno=1

    sysctl -w kern.ipc.somaxconn=512
    sysctl -w kern.ipc.maxsockbuf=16777216
    sysctl -w net.inet.tcp.sendspace=8388608
    sysctl -w net.inet.tcp.recvspace=8388608

    sysctl -w net.inet.tcp.slowstart_flightsize=4

    sysctl -w net.inet.udp.recvspace=32768
    sysctl -w net.inet.raw.recvspace=32768

    sysctl -w net.inet.ip.redirect=0
    sysctl -w net.inet.icmp.drop_redirect=1

    sysctl -w net.inet.tcp.keepintvl=3000
    sysctl -w net.inet.tcp.keepidle=24000
    sysctl -w net.inet.tcp.keepinit=70000

    sysctl -w kern.maxvnodes=65840

    sysctl -w net.inet.ip.ttl=128
    sysctl -w net.inet.icmp.bmcastecho=0
    sysctl -w net.inet.tcp.mssdflt=1440
    sysctl -w net.inet.tcp.always_keepalive=1
    sysctl -w net.inet.tcp.rfc1644=1

    sysctl -w net.inet.tcp.icmp_may_rst=0
    sysctl -w net.inet.ip.rtmaxcache=256
    sysctl -w net.inet.ip.rtminexpire=2
    sysctl -w net.inet.ip.rtexpire=2
    sysctl -w net.inet.ip.dummynet.hash_size=256

    sysctl -w net.inet.tcp.blackhole=2
    sysctl -w net.inet.udp.blackhole=1
    sysctl -w net.inet.icmp.icmplim=150

    ResponderExcluir
  7. Puxa, depois de ter migrado para o OS X uma das primeiras coisas que procurei foi um bom firewall grátis, afinal, para Windows existem vários. Experimentei esse citado no post mas o que eu realmente queria era controlar a conxão dos programas instalados como se faz facilmente no Comodo ou ZoneAlarm. Quando um programa tenta acessar a Internet o usuário é avisado e opta por autorizar ou bloquear e pode definir essa regra como padrão para que não seja incomodado novamente pelo mesmo programa. No Leopard tem uma configuração no Firewall para adicionar programas, mas vejo que além de não funcionar de verdade (marquei o Paralles como bloueado e mesmo assim ele acessa a rede) eu preciso bloquear o programa preventivamente. O que eu queria é tudo bloqueado, para que eu soubesse exatamente quem acessa a Internet (talvez eu seja paranóico...)

    ResponderExcluir