
#######IPFW

CONFIGURAÇÕES DE KERNEL
options IPFIREWALL # Suporte ao IPFIREWALL
options IPFIREWALL_VERBOSE # Suporte a LOG
options IPFIREWALL_VERBOSE_LIMIT=100 # limite padrao de registro por regra
options IPFIREWALL_DEFAULT_TO_ACCEPT # Padrao de firewall aberto
options IPFIREWALL_FORWARD # Adiciona a ação fwd disponivel no ipfw (encaminha pacote sem reescreve-lo, ou seja, sem nat)
options IPFIREWALL_NAT # in-kernel NAT
options LIBALIAS # Dependencia do IPFIREWALL_nat
options DUMMYNET # verificar
options IPDIVERT # VERIFICAR

options IPFW_NTABLE=<VALOR> ---> AUMENTAR QTD DE TABLES

####### CARREGAR VIA MODULO (verificar - possui perda de performance)
/usr/src/sys/modules/ipfw ---> posso editar o MakeFile de kernel e
carregar com as opçoes tal qual como em kernel. (só usar se for de
maneira rápida, se nao tiver compilado o modulo… depois é só dar
um make para compilar o módulo e depois é só dar um kldload ipfw
tem disponivel o modulo para ipfw_nat)

####### SCRIPT DE INICIALIZAÇAO


/etc/rc.d/ipfw (start) --> lê o rc.conf e procura as linhas
firewall_enable="YES"
firewall_script="/etc/rc.firewall" -----> firewall_type="CLIENT |
SIMPLE | CLOSE | OPEN | /arquivo"

CLIENT -> protege a si mesmo


SIMPLE ->
CLOSE ->
OPEN ->

####### COMANDOS IPFW


ipfw list -> lista regras carregadas no esquema first match wins!
ipfw show -> mostra também o número de pacotes e na coluna 3 a
quant. de bytes
ipfw -t show -> mostra a ultima vez que a regra deu match (formato epoch: segundos desde 1970)
ipfw zero -> zera contadores de pacotes do ipfw
ipfw resetlog -> zera os contadores de log
interessante zerar log a cada 8 horas via crontab (campo de minuto = 0; com "*" a regra rodaria a cada minuto da hora)
0 */8 * * * root /sbin/ipfw resetlog

#SINTAXE
ipfw <comando> <acao> <protocolo> from <origem> [porta] to <destino> [porta]
ver no diretorio treina, arquivo ipfw.txt
log do ipfw - /var/log/security

keep-state - fullstate dinamico


established - fullstate convencional
ipfw -d show -> exibe regras dinamicas
ipfw -de show -> dinamicas e expiradas

#SCRIPT DE FIREWALL

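#!/bin/sh
# IPFW ruleset, stateless variant: every packet is matched on its own,
# first match wins. The kernel is built with IPFIREWALL_DEFAULT_TO_ACCEPT,
# so anything not denied below is accepted; uncomment the last rule for a
# closed policy.
fw="/sbin/ipfw"
$fw -f flush                  # -f: flush without asking for confirmation
ifi="rl1"                     # internal interface (not referenced below)
ife="rl0"                     # external interface
redelocal="10.2.0.0/24"       # was ''10.2.0.0/24" -- unbalanced quotes broke the script
client_ssh1="10.10.2.64"
client_ssh2="10.10.2.65"
slave_dns=""                  # placeholder: IP of the secondary DNS allowed to pull zones
#clientes_SSH="{ 10.10.2.0/22{30,31} or 192.168.4.1 }" # --> menor processamento
clientes_SSH="table(1)"       # hosts allowed to reach sshd; table 1 is loaded right below
$fw table 1 flush
$fw table 1 add 10.10.2.30
$fw table 1 add 10.10.2.31
$fw table 1 add 192.168.4.1

# . /etc/rc.table1 #-> posso carregar em um arquivo externo

# Loopback: allow lo0, drop 127/8 seen on any other interface
$fw add allow all from any to any via lo0
$fw add deny log all from 127.0.0.0/8 to any
$fw add deny log all from any to 127.0.0.0/8

# Fragments (not needed when keep-state is used)
$fw add deny tcp from any to any frag

# Anti-spoof (open policy): the source must be routable back through the
# interface the packet arrived on
$fw add deny log all from any to any not verrevpath

# Malformed TCP flag combinations (not needed when keep-state is used)
$fw add deny tcp from any to any tcpflags syn,fin
$fw add deny tcp from any to any tcpflags fin,!ack

# ICMP: echo reply/request, unreachable, time exceeded, parameter problem,
# with a bounded IP length; everything else is logged and dropped
$fw add allow icmp from any to any icmptypes 0,8,3,11,12 iplen 20-276
$fw add deny log icmp from any to any

# DNS: public UDP queries; TCP (zone transfer) only from the configured slave.
# The original had a literal "<ip do slave dns>" here, which the shell parsed
# as a redirection; the rule is skipped until slave_dns is filled in.
$fw add allow udp from any to any 53 in via $ife
if [ -n "$slave_dns" ]; then
  $fw add allow tcp from "$slave_dns" to any 53 in via $ife
fi
$fw add deny log { udp or tcp } from any to any 53 in

# WEB: local network only
$fw add allow tcp from $redelocal to me 80,443 in via $ife
$fw add deny log tcp from any to me 80,443 in

# Database: application network only
$fw add allow tcp from $redelocal to me 5432 in via $ife
$fw add deny log logamount 10 tcp from any to me 5432 in

# SSH: trusted hosts only (table 1). In the original both allow rules were
# commented out and clientes_SSH was never assigned, so the deny expanded to
# "from not  to me" (an ipfw syntax error) and no host could reach sshd.
#$fw add allow tcp from { $client_ssh1 or $client_ssh2 } to me 22 in via $ife
$fw add allow tcp from $clientes_SSH to me 22 in via $ife
$fw add deny log tcp from not $clientes_SSH to me 22 in via $ife
$fw add deny log logamount 20000 tcp from any to me 22 in

# politica: fechada
#$fw add 65534 deny log all from any to any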
#SCRIPT DE FIREWALL STATEFULL

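#!/bin/sh
# IPFW ruleset, stateful variant. The original block was a verbatim copy of
# the stateless script despite its title; here the allow rules create
# dynamic entries (keep-state / setup keep-state) and check-state matches
# return traffic before the static rules are consulted. Kernel default
# policy is accept (IPFIREWALL_DEFAULT_TO_ACCEPT); uncomment the last rule
# for a closed policy.
fw="/sbin/ipfw"
$fw -f flush                  # -f: flush without asking for confirmation
ifi="rl1"                     # internal interface (not referenced below)
ife="rl0"                     # external interface
redelocal="10.2.0.0/24"       # was ''10.2.0.0/24" -- unbalanced quotes broke the script
client_ssh1="10.10.2.64"
client_ssh2="10.10.2.65"
slave_dns=""                  # placeholder: IP of the secondary DNS allowed to pull zones
#clientes_SSH="{ 10.10.2.0/22{30,31} or 192.168.4.1 }" # --> menor processamento
clientes_SSH="table(1)"       # hosts allowed to reach sshd; table 1 is loaded right below
$fw table 1 flush
$fw table 1 add 10.10.2.30
$fw table 1 add 10.10.2.31
$fw table 1 add 192.168.4.1

# . /etc/rc.table1 #-> posso carregar em um arquivo externo

# Loopback: allow lo0, drop 127/8 seen on any other interface
$fw add allow all from any to any via lo0
$fw add deny log all from 127.0.0.0/8 to any
$fw add deny log all from any to 127.0.0.0/8

# Anti-spoof and malformed TCP are evaluated BEFORE check-state so a forged
# packet cannot ride an existing dynamic entry. The frag/tcpflags rules are
# largely redundant with keep-state but cost little and keep the intent
# explicit.
$fw add deny log all from any to any not verrevpath
$fw add deny tcp from any to any frag
$fw add deny tcp from any to any tcpflags syn,fin
$fw add deny tcp from any to any tcpflags fin,!ack

# Packets belonging to a flow accepted by a keep-state rule match here
$fw add check-state

# ICMP: echo reply/request, unreachable, time exceeded, parameter problem,
# with a bounded IP length; everything else is logged and dropped
$fw add allow icmp from any to any icmptypes 0,8,3,11,12 iplen 20-276
$fw add deny log icmp from any to any

# DNS: public UDP queries (state entry lets the reply out); TCP zone transfer
# only from the configured slave. The original had a literal
# "<ip do slave dns>" here, which the shell parsed as a redirection; the rule
# is skipped until slave_dns is filled in.
$fw add allow udp from any to any 53 in via $ife keep-state
if [ -n "$slave_dns" ]; then
  $fw add allow tcp from "$slave_dns" to any 53 in via $ife setup keep-state
fi
$fw add deny log { udp or tcp } from any to any 53 in

# WEB: local network only; only the SYN has to pass the static rule
$fw add allow tcp from $redelocal to me 80,443 in via $ife setup keep-state
$fw add deny log tcp from any to me 80,443 in

# Database: application network only
$fw add allow tcp from $redelocal to me 5432 in via $ife setup keep-state
$fw add deny log logamount 10 tcp from any to me 5432 in

# SSH: trusted hosts only (table 1). In the original both allow rules were
# commented out and clientes_SSH was never assigned, so the deny expanded to
# "from not  to me" (an ipfw syntax error) and no host could reach sshd.
#$fw add allow tcp from { $client_ssh1 or $client_ssh2 } to me 22 in via $ife
$fw add allow tcp from $clientes_SSH to me 22 in via $ife setup keep-state
$fw add deny log tcp from not $clientes_SSH to me 22 in via $ife
$fw add deny log logamount 20000 tcp from any to me 22 in

# politica: fechada
#$fw add 65534 deny log all from any to any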

port link-mode bridge


description Port_trk-bkpmidia05
port link-type trunk
port trunk permit vlan all
stp edged-port enable
port link-aggregation group 3
10.41.4.100 - 0040a71f4545
10.41.4.200 - 0c54a5bdaa6f
10.41.4.169 - e0d55ef264ba
10.41.4.135 - e0d55ef264a3
10.41.4.143 - 202564918563 x
10.41.4.147 - 0c54a5bda486
10.41.4.140 - e0d55ef2675d
10.41.4.126 - 0c54a5bda180
10.41.4.40
10.41.4.111

root 8236 0.1 0.4 227848 15968 ?


S 10:39 0:05 bpbkar32 -r 604800 -dt 0 -to 0
-bpstart_time 1566999842 -clnt
audiencias.tjap.local -class Backup_BD_Audiencias
-sched Semanal_Full_BD_Audiencias -st FULL -
bpstart_to 300 -bpend_to 300 -read_to 300 -ru root
-stream_count 4 -stream_number 1 -jobgrpid 139066
-blks_per_buffer 512 -use_otm -fso -throttle -
throttle_kbytes 256 -b
audiencias.tjap.local_1566999542 -kl 28 -fscp -S
srv-bkpmaster01.tjap.local -storagesvr bkp-
midia02.tjap.local -bidlist
bid@Backup_BD_Audiencias_audiencias.tjap.local_156
6999542 -use_ofb

/audiencias/html/_lib/file/doc/115 (2018-07-12
14'05'04 - 2018-07-12 14'06'15).avi
/audiencias/html/_lib/file/doc/145 (2017 07 08
17'07'34 2017 07 08 17'12'02).mp4
/audiencias/html/_lib/file/doc/185 (2018-07-26
20'45'32 - 2018-07-26 21'03'32).avi
/audiencias/html/_lib/file/doc/39 (2017 07 08
17'16'15 2017 07 08 17'16'42).mp4
/audiencias/html/_lib/file/doc/5 (2019-04-12
04'00'00 - 2019-04-12 05'00'00).avi
/audiencias/html/_lib/file/doc/5 (2019-04-12
04'00'00 - 2019-04-12 05'00'00).mp4
/audiencias/html/_lib/file/doc/9 (2018-12-04
15'17'00 - 2018-12-04 15'18'00).asf
/audiencias/html/_lib/file/doc/video 1- 'Não Tenho
Mágoa de Ninguém' Diz Jovem Que Foi Preso
Injustamente .mp4
/audiencias/html/_lib/file/doc/video (2019-04-12
04'00'00 - 2019-04-12 05'00'00).avi
/audiencias/html/_lib/file/doc/Comarca de
Santana's VMR 100137.mp4
/audiencias/html/_lib/file/doc/Comarca de
Santana's VMR 122402.mp4
/audiencias/html/_lib/file/doc/D'ALMEIDA Produções
e Eventos (@sigaadalmeida) ?~@? Fotos e vídeos do
Instagram_4.mp4
/audiencias/html/_lib/file/doc/Dentro de casa n°
processo 000136-69.2019.8.03.0002.mp4

postgres 794 0.0 0.3 275100 12564 ?


S Jul03 1:42 /opt/pg952/bin/postmaster -p
5444 -D /home/postgres/data952-2/
postgres 795 0.0 0.3 275100 11840 ?
S Jul03 1:44 /opt/pg952/bin/postmaster -p
5433 -D /home/postgres/data952/
postgres 2148 0.0 1.3 1228696 51712 ?
S Jul03 0:31 /opt/pg/bin/postmaster -D
/home/postgres/data

opt/pg9311/bin/postgres "-D" "/home/postgres/data"
