Keywords: osx, mac, ipfw, firewall, waterroof
You know that false sense of security? That is what I feel when I use Leopard's default firewall. On Tiger it was a different story: I had full control over the rules, which ports were open, which were closed, and so on. Then the upgrade to Leopard dropped the bomb... the so-called AppFirewall (apple-firewall, application-firewall, who knows?)...
Playing around a bit in the shell, I noticed that good old ipfw was still there. It had been a while since I had played with it, but it is never too late to learn (again). So off I went... writing the rules for the thing turned out to be easy enough; the complicated part was getting them to load when the machine boots.
After several attempts I found something called WaterRoof, which is nothing more than a graphical front-end for ipfw and, best of all, comes with some ready-made rules (block port scans, block odd packets, block pings, etc.)... Great, but what about startup??? Relax, it has that too! Just save the current rules to the "Startup Script" and then install it.
Done! After the reboot ipfw was up and already blocking some packets... wonderful!!
Today I am running only ipfw and I feel much safer than before.
But there is a catch: I am one of those 0.002% of Mac users who like to "get their hands dirty"... so I guess this post won't be much use to anyone. :P
Well, as a bonus, here is my current firewall config...
00100 allow ip from any to any via lo*
00200 deny log ip from 127.0.0.0/8 to any in
00300 deny log ip from any to 127.0.0.0/8 in
00400 deny log ip from 224.0.0.0/3 to any in
00500 deny log tcp from any to 224.0.0.0/3 in
00600 allow tcp from any to any out keep-state
00700 allow tcp from any to any established keep-state
00800 deny ip from any to any ipoptions rr
00900 deny ip from any to any ipoptions ts
01000 deny ip from any to any ipoptions lsrr
01100 deny ip from any to any ipoptions ssrr
01200 deny log tcp from any to any tcpflags syn,fin
01210 deny log tcp from any to any tcpflags syn,rst
01220 deny log tcp from any 0 to any
01230 deny log tcp from any to any dst-port 0
01240 deny log udp from any 0 to any
01250 deny log udp from any to any dst-port 0
01270 deny log ip from 0.0.0.0/8 to any
65533 deny log icmp from any to me in icmptypes 8
65534 deny log tcp from any to any
65535 allow ip from any to any
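Added example (my code, not the post's or WaterRoof's): a small first-match evaluator for a subset of the ruleset above, to make the effect of the rule order visible. ipfw stops at the first allow/deny that matches, so with 65535 left as allow only TCP (65534) and ICMP echo (65533) are blocked inbound while unsolicited inbound UDP is admitted, and rule 00700's established keyword accepts any inbound TCP segment with ACK set regardless of dynamic state; changing 65534 to deny ip, as the script in the comments does, closes the UDP gap. Assumptions: 192.168.1.6 stands in for the address me resolves to, 203.0.113.9 is a constructed peer, and keep-state tracking and the "from any 0" address form are not modelled.

```python
import fnmatch
import ipaddress

# Subset of the post's ruleset (the ipoptions/port-0 sanity rules are omitted for brevity).
RULES = """\
00100 allow ip from any to any via lo*
00200 deny log ip from 127.0.0.0/8 to any in
00600 allow tcp from any to any out keep-state
00700 allow tcp from any to any established keep-state
01200 deny log tcp from any to any tcpflags syn,fin
65533 deny log icmp from any to me in icmptypes 8
65534 deny log tcp from any to any
65535 allow ip from any to any"""
ME = ipaddress.ip_address("192.168.1.6")  # constructed: the address 'me' resolves to

def parse(line):
    """Grammar used by the post: <num> <action> [log] <proto> from <src> to <dst> <options...>"""
    t = line.split()
    i = 3 if t[2] == "log" else 2          # 'log' only adds logging, it is never a condition
    return {"num": int(t[0]), "action": t[1], "proto": t[i], "src": t[i + 2], "dst": t[i + 4],
            "opts": t[i + 5:]}             # the 'from any 0' port-after-address form is not handled

def _host(spec, ip):
    return spec == "any" or (ip == ME if spec == "me" else ip in ipaddress.ip_network(spec))

def match(r, p):
    """True if rule r matches packet p. keep-state (dynamic rules) is deliberately not modelled."""
    if r["proto"] not in ("ip", p["proto"]):
        return False
    if not (_host(r["src"], p["src"]) and _host(r["dst"], p["dst"])):
        return False
    o = iter(r["opts"])                    # flat token list; next(o) consumes a keyword's argument
    for k in o:
        if k in ("in", "out") and p["dir"] != k: return False
        if k == "via" and not fnmatch.fnmatch(p["iface"], next(o)): return False
        if k == "dst-port" and p["dport"] != int(next(o)): return False
        if k == "icmptypes" and p["icmptype"] not in [int(x) for x in next(o).split(",")]: return False
        if k == "tcpflags" and not set(next(o).split(",")) <= p["flags"]: return False
        if k == "established" and not p["flags"] & {"ack", "rst"}: return False
    return True

def first_match(p, rules=RULES):
    """(rule number, action) of the first matching rule: ipfw stops at the first allow/deny."""
    return next((r["num"], r["action"]) for r in map(parse, rules.splitlines()) if match(r, p))

def pkt(proto, dir, dport=None, flags=(), icmptype=None, iface="en0", src="203.0.113.9", dst=str(ME)):
    """Constructed packet summary; 203.0.113.9 is a documentation-range address."""
    return {"proto": proto, "dir": dir, "dport": dport, "flags": set(flags), "icmptype": icmptype,
            "iface": iface, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}
```

`first_match` takes any ruleset string in the same grammar, so the same evaluator can be run against the commenter's ruleset further down to compare the two default policies.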
My firewall is 1000 times more efficient than yours; here is the configuration line that proves it:
[ 927.782764] eth0: link down.
Hahaha
cheers...
Nobody is getting into that server of yours over the network, that's for sure.
Although seeing "eth0" makes me slightly sad. But what can you do, damned licences that won't let us run what we want where we want.
humph!!
:)
Great post.
I'll test it later.
Cheers.
Greetings, humans...
So how are you all doing??? Hey Matheus... sure, we will definitely need to swap notes... I know you were messing with Windows server administration too. I am not on MSN here yet, only Gtalk, but I'll be on MSN soon, and then we can catch up... big hug, old friend!...
I'll jot down the config here
hehehehe
cool
I use it together with Throttled Pro, which has a CLI; here is my script.
root at bitnew dot net
I'm one of the 0.002%; post any improvements here.
Cheers
#!/bin/sh
# this is the main configuration file for throttled.
# if you used a previous release, the syntax has changed in 0.5.0
# you have been warned. make sure to specify weights for your divert sockets.
# set your network interface
# you can get a full list by doing "ifconfig -a"
# these examples are osx specific
# ethernet - "INTERFACE=en0"
# airport - "INTERFACE=en1"
# pppoe - "INTERFACE=ppp0"
INTERFACE=ppp0
# set your maximum speed in bytes...
# this should be set to your maximum upstream speed.
# recommended common adsl/cable speeds:
# 384k upload - "MAXSPEED=49152"
# 256k upload - "MAXSPEED=32768"
# 128k upload - "MAXSPEED=16384"
MAXSPEED=32768
# DON'T CHANGE ANYTHING BELOW UNLESS YOU KNOW WHAT YOU'RE DOING.
# most users should not edit anything below. you have been warned.
# ipfw rule number (1-65535)
# Rule 00070 allows throttled to coexist with the apple firewall
# and internet connection sharing.
# You may have to change this if you use certain firewall products.
RULENUM=00070
# usage: throttled [-ATLh] -s speed -r rule [-i increment] [-d port] [-p priority]
# -s speed Max speed in bytes/second (required)
# -r rule IPFW rule number to remove when quit (required)
# -i increment Amount to change the throttle in bytes/sec (USR1 - Decrease | USR2 - Increase)
# -T Enable iTunes TTL fix
# -h This help screen
# -v Version information
# -d port Divert port (optional, may specify more than one)
# -w weight Weight for the divert port specified prior to this option.
# launch throttled with a maxspeed of $MAXSPEED
# this throttled instance has 3 weights, this allows us to prioritize low
# bandwidth flows, normal flows, and very fast flows (for ACK priority)..
# You will understand this more when you look how the rules are setup below.
/usr/local/sbin/throttled -s $MAXSPEED -r $RULENUM -d 17779 -w 50 -d 17778 -w 10 -d 17777 -w 1 -T || exit
# all rules below are for ipfw, there are many ways you can set this up.
# we have simplified this for new users by removing ip specific ipfw rules.
# this fixes issues for dynamic ip users, but if you want rules bound to
# a single ip you can use either of the examples below.
#
# the line below finds your ip automatically
# IP=$(/sbin/ifconfig $INTERFACE inet | /usr/bin/sed -n 's/^.*inet\ \(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*/\1/p' | tail -n 1)
#
# you can also specify the ip address by doing
# IP=192.168.1.6
IP=any
/sbin/ipfw -f flush
# skip your internal network, this example is for 192.168.1.x
# /sbin/ipfw add $RULENUM skipto `expr $RULENUM + 1` ip from $IP to 192.168.1.0/24 out xmit $INTERFACE
# prioritize empty acks and setup
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any out xmit $INTERFACE tcpflags ack iplen 0-70
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any setup out xmit $INTERFACE
# prioritize icmp
/sbin/ipfw add $RULENUM divert 17779 icmp from any to any out xmit $INTERFACE
# these rules allow http/https/ssh/telnet/pop/irc/sirc
# to be prioritized by the throttle.
#
# Setting up the configuration this way catches more file transfer types
# and minimizes lag in response driven services.
# prioritize nameserver lookups
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 53 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17779 udp from $IP to any 53 out xmit $INTERFACE
# prioritize http/https
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 80 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 443 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 3130 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 8080 out xmit $INTERFACE
# prioritize proxy
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 8118 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 9001 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 9030 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 9050 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 9051 out xmit $INTERFACE
# prioritize ssh
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 22 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 2222 out xmit $INTERFACE
# prioritize imap
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 143 out xmit $INTERFACE
# prioritize ftp directory listings
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 21 out xmit $INTERFACE
# prioritize msn
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 1863 out xmit $INTERFACE
# prioritize irc and sirc
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 6667 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 6668 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 9999 out xmit $INTERFACE
# prioritize Skype
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 16732 out xmit $INTERFACE
# bind to throttle low priority services.
/sbin/ipfw add $RULENUM divert 17777 ip from $IP to any out xmit $INTERFACE
# static filter rules; the divert rules above (all numbered $RULENUM) run first.
# note that 65534 denies every protocol, so nothing falls through to the default allow.
ipfw add 00100 allow ip from any to any via lo0
ipfw add 00200 check-state
ipfw add 00700 allow tcp from any to any out keep-state
ipfw add 00710 allow udp from any to any out keep-state
ipfw add 00720 allow icmp from any to any out keep-state
ipfw add 00800 allow tcp from any to any established keep-state
ipfw add 03000 allow udp from any to any dst-port 53,16000,32000,32003,32715
ipfw add 03001 allow tcp from any to any dst-port 53,16000,32000,32003,32715
ipfw add 03002 allow udp from any to any src-port 53,16000,32000,32003,32715
ipfw add 03003 allow tcp from any to any src-port 53,16000,32000,32003,32715
ipfw add 03004 allow tcp from any to any dst-port 51413
ipfw add 03010 allow icmp from any to any icmptypes 0,3,4,11
ipfw add 03011 allow icmp from any to any icmptypes 8 out
ipfw add 03012 deny icmp from any to any
ipfw add 04000 deny all from any to any in frag
ipfw add 04001 deny all from 127.0.0.0/8 to any in
ipfw add 04101 deny all from any to 127.0.0.0/8 in
ipfw add 04201 deny all from 224.0.0.0/3 to any in
ipfw add 04301 deny tcp from any to 224.0.0.0/3 in
ipfw add 04801 deny all from any to any ipoptions rr
ipfw add 04901 deny all from any to any ipoptions ts
ipfw add 05001 deny all from any to any ipoptions lsrr
ipfw add 05101 deny all from any to any ipoptions ssrr
ipfw add 05301 deny tcp from any to any tcpflags syn,fin
ipfw add 05311 deny tcp from any to any tcpflags syn,rst
ipfw add 05321 deny tcp from any 0 to any
ipfw add 05331 deny tcp from any to any dst-port 0
ipfw add 05341 deny udp from any 0 to any
ipfw add 05351 deny udp from any to any dst-port 0
ipfw add 05371 deny ip from 0.0.0.0/8 to any
ipfw add 65534 deny ip from any to any
ipfw add 65535 allow ip from any to any
# interface and kernel tuning (tcp/udp blackhole, redirects, buffer sizes, keepalives)
ifconfig lo0 mtu 1500
sysctl -w net.inet.ip.fw.debug=1
sysctl -w net.inet.ip.fw.verbose=1
sysctl -w net.inet.ip.fw.verbose_limit=200
sysctl -w net.inet.ip.fw.dyn_max=3000
sysctl -w net.inet.ip.fw.dyn_fin_lifetime=2
sysctl -w net.inet.ip.fw.dyn_rst_lifetime=2
sysctl -w net.inet.ip.fw.one_pass=1
sysctl -w net.inet.ip.intr_queue_maxlen=100
sysctl -w net.inet.tcp.strict_rfc1948=1
sysctl -w kern.sysv.shmmax=167772160
sysctl -w kern.sysv.shmmin=1
sysctl -w kern.sysv.shmmni=64
sysctl -w kern.sysv.shmseg=16
sysctl -w kern.sysv.shmall=32768
sysctl -w net.inet.icmp.icmplim=200
sysctl -w net.local.stream.recvspace=8388608
sysctl -w net.local.stream.sendspace=8388608
sysctl -w net.inet.udp.maxdgram=32768
sysctl -w net.inet.tcp.delayed_ack=0
sysctl -w net.inet.tcp.newreno=1
sysctl -w kern.ipc.somaxconn=512
sysctl -w kern.ipc.maxsockbuf=16777216
sysctl -w net.inet.tcp.sendspace=8388608
sysctl -w net.inet.tcp.recvspace=8388608
sysctl -w net.inet.tcp.slowstart_flightsize=4
sysctl -w net.inet.udp.recvspace=32768
sysctl -w net.inet.raw.recvspace=32768
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet.icmp.drop_redirect=1
sysctl -w net.inet.tcp.keepintvl=3000
sysctl -w net.inet.tcp.keepidle=24000
sysctl -w net.inet.tcp.keepinit=70000
sysctl -w kern.maxvnodes=65840
sysctl -w net.inet.ip.ttl=128
sysctl -w net.inet.icmp.bmcastecho=0
sysctl -w net.inet.tcp.mssdflt=1440
sysctl -w net.inet.tcp.always_keepalive=1
sysctl -w net.inet.tcp.rfc1644=1
sysctl -w net.inet.tcp.icmp_may_rst=0
sysctl -w net.inet.ip.rtmaxcache=256
sysctl -w net.inet.ip.rtminexpire=2
sysctl -w net.inet.ip.rtexpire=2
sysctl -w net.inet.ip.dummynet.hash_size=256
sysctl -w net.inet.tcp.blackhole=2
sysctl -w net.inet.udp.blackhole=1
sysctl -w net.inet.icmp.icmplim=150   # overrides the 200 set above; the later value wins
Wow, after migrating to OS X one of the first things I looked for was a good free firewall; after all, for Windows there are several. I tried the one mentioned in the post, but what I really wanted was to control the connections of the installed programs, as you can easily do in Comodo or ZoneAlarm. When a program tries to access the Internet the user is warned and chooses to allow or block, and can make that rule the default so the same program never bothers them again. Leopard has a setting in the Firewall for adding programs, but I see that besides not really working (I marked Parallels as blocked and it still accesses the network) I have to block the program preemptively. What I wanted is everything blocked, so that I would know exactly who accesses the Internet (maybe I'm paranoid...)