Monday, March 22, 2010

IPF and IPnat - OpenSolaris Firewall

Setting up a FW/Router with OpenSolaris

Based on Franklin Ronald's blog, I decided to write this little guide to help people out. Enjoy the read.

Pre-configuration:

Disabling nwam:
# svcadm disable svc:/network/physical:nwam

Enabling manual mode:
# svcadm enable svc:/network/physical:default

Configuring manual mode

Using GNOME, go to:
System->Administration->Network

Configure your interface and restart the service:

# svcadm restart milestone/network
Once that is done, just reboot and assign your IPs.

Configuring the ipf.conf file

###/etc/ipf/ipf.conf###
pass in quick on lo0 all
pass out quick on lo0 all

pass in quick proto tcp from 192.168.10.2/32 to any port = 25 keep state
pass in quick proto tcp from 192.168.10.2/32 to any port = 110 keep state
pass in quick proto tcp from 192.168.10.2/32 to any port = 143 keep state
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 8080 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 13 keep state
pass in quick proto tcp from any to any port = 222 keep state
pass in quick proto tcp from any to any port = 3389 keep state

pass out quick from any to any keep state
# Allow the FTP-DATA port
pass in quick on rge0 proto tcp/udp from any to any port = 20 keep state
# Allow the FTP port
pass in quick on rge0 proto tcp/udp from any to any port = 21 keep state
# Allow the FTP passive ports
pass in quick on rge0 proto tcp/udp from any to any port 32768 ><

Enabling ipf:
# svcadm refresh ipfilter && ipf -E && ipf -Fa -f /etc/ipf/ipf.conf

Check your rules with:
# ipfstat -nih

Port forwarding configuration -- ipnat

####/etc/ipf/ipnat.conf####
rdr rtls0 0/0 port 3389 -> 192.168.10.204 port 3389
rdr rtls0 0/0 port 53 -> 192.168.10.245 port 53 udp
# email
rdr rtls0 0/0 port 25 -> 192.168.10.2 port 25
rdr rtls0 0/0 port 110 -> 192.168.10.2 port 110
rdr rtls0 0/0 port 143 -> 192.168.10.2 port 143
rdr rtls0 0/0 port 80 -> 192.168.10.2 port 80

map rtls0 192.168.10.0/24 -> 0/32
#### EOF ####

Enabling ipnat:
# ipnat -CF -f /etc/ipf/ipnat.conf

Check your rules with:
# ipnat -l

TIP: Whenever there is NAT, the port must also be opened in the firewall (yes, on BSD that is not needed), but in ipf it is required. Note also that you have to say "tcp", "udp" or "tcp/udp"; it seems silly, but it tripped me up.


Working with ipf is really enjoyable; it is strict, but it is very good. Good luck...


Manpages:
http://docs.sun.com/app/docs/doc/816-5166/6mbb1kq4r?a=view
http://docs.sun.com/app/docs/doc/816-5175/ipfilter-5?a=view

route
http://slashzeroconf.wordpress.com/2008/03/05/enabling-and-disabling-ip-forwarding-in-solaris-10/

ftp
http://tecnolovers.skhizos.com/?q=taxonomy/term/16

nwam
http://joaocep.blogspot.com/2009/07/opensolaris-desabilitando-nwam-e-usando.html