scrub in all fragment reassemble
block drop in log all
block drop out log all
block drop in on ! tun0 inet from 212.194.141.130 to any
block drop in inet from 212.194.141.130 to any
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! lo0 inet6 from ::1 to any
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on em0 all
pass out quick on em0 all
block drop in log quick on tun0 inet proto tcp all flags FPU/FPU
block drop in log quick on tun0 inet proto tcp all flags FS/FSRA
block drop in log quick on tun0 inet proto tcp all flags /FSRA
block drop in log quick on tun0 inet from 127.0.0.0/8 to any
block drop in log quick on tun0 inet from 192.168.0.0/16 to any
block drop in log quick on tun0 inet from 172.16.0.0/12 to any
block drop in log quick on tun0 inet from 10.0.0.0/8 to any
block drop in log quick on tun0 inet from 255.255.255.255 to any
block drop out log quick on tun0 inet from any to 127.0.0.0/8
block drop out log quick on tun0 inet from any to 192.168.0.0/16
block drop out log quick on tun0 inet from any to 172.16.0.0/12
block drop out log quick on tun0 inet from any to 10.0.0.0/8
block drop out log quick on tun0 inet from any to 255.255.255.255
block drop in quick on tun0 inet proto tcp from any to any port = epmap
block drop in quick on tun0 inet proto udp from any to any port 135 >< 139
pass in quick on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
pass in quick on tun0 inet proto icmp all icmp-type timex keep state
block drop in log quick on tun0 proto icmp all
pass out quick on tun0 inet proto tcp all flags S/SA keep state
pass out quick on tun0 inet proto udp all keep state
pass out quick on tun0 inet proto icmp all keep state
Aren't these rules weird? :heink:
block drop in on ! tun0 inet from 212.194.141.130 to any
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! lo0 inet6 from ::1 to any
And then when I run 'tcpdump -n -e -ttt /var/log/pflog'
it gives me: tcpdump: syntax error
I don't really get it..
up
I'm posting my script:
tell me what you think of it
# Macros (not in the posted excerpt: the interface names and the
# non-routable list are taken from the pfctl -sr listing above;
# the value of $Int_Net is an assumption).
Net_iface = "tun0"
Int_iface = "em0"
Loop = "lo0"
Int_Net = "192.168.0.0/24"
No_route = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255 }"
# We want to be able to gather statistics
# on the tun0 interface.
set loginterface tun0
# Limit the number of entries in the state table
# and in the fragment (normalisation) table.
set limit { states 10000, frags 5000 }
# "aggressive" expires idle states early: it saves memory but
# can drop long-lived idle connections.
set optimization aggressive
set block-policy drop
#--- NORMALISATION -----------------------------------------
scrub in all
#--- ADDRESS TRANSLATION RULES -----------------------------
# Write ($Net_iface) instead of $Net_iface as the translation
# address if tun0 gets a new address at each connection, so that
# pf follows the change.
nat on $Net_iface from $Int_Net to any -> $Net_iface
#--- FILTERING RULES ---------------------------------------
# Default policy.
block in log all
block out log all
antispoof for $Net_iface
# Loopback rules
antispoof for $Loop
pass in quick on $Loop all
pass out quick on $Loop all
# LAN
pass in quick on $Int_iface all
pass out quick on $Int_iface all
# Block nmap scans and TCP/IP
# stack fingerprinting attempts.
block in log quick on $Net_iface inet proto tcp from any to any flags FUP/FUP
block in log quick on $Net_iface inet proto tcp from any to any flags SF/SFRA
block in log quick on $Net_iface inet proto tcp from any to any flags /SFRA
# Block non-routable addresses.
block in log quick on $Net_iface from $No_route to any
block out log quick on $Net_iface from any to $No_route
# Web server:
#pass in quick on $Net_iface proto tcp from any to any port = 80 flags S/SA keep state
# SSH server:
#pass in quick on $Net_iface proto tcp from any to any port = 22 flags S/SA keep state
# ICMP:
pass in quick on $Net_iface inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $Net_iface inet proto icmp all icmp-type 11 keep state
block in log quick on $Net_iface proto icmp from any to any
pass out quick on $Net_iface inet proto tcp flags S/SA keep state
pass out quick on $Net_iface inet proto udp all keep state
pass out quick on $Net_iface inet proto icmp keep state
If you see anything fishy, let me know; on my side NAT works, I don't see any problems.
There's just one thing I wanted to know, e.g. in the rules for the scans:
is it necessary to add "from any to any"? I don't think so, but I'm waiting for confirmation.
Another thing: for DCC support under IRC, how do I do that?
Anyway, if you have any advice to give me, it could also be useful to other people, don't hesitate :D thanks :hello:
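As an added example (written for this page, not code from the post above nor from pf or tcpdump), here is a small POSIX shell/awk tool that summarises what the `log` rules in the script record. pf writes logged packets to /var/log/pflog in pcap format, so tcpdump needs its -r option to read the file; -e makes it print the pf header ("rule N/(match) block in on tun0:") that the function keys on, and N is the rule's position in the loaded ruleset, the @N that `pfctl -vvsr` prints in front of each rule. The sample records are constructed in that shape; the addresses, traffic and rule numbers are made up, not captured from the poster's firewall.

```shell
#!/bin/sh
# Added example, not taken from the post above or from pf/tcpdump: summarise
# the records that pf's "log" rules write to /var/log/pflog.
#
# The file is pcap, so it is read with tcpdump's -r option (without -r the
# path is parsed as a filter expression); -e prints the pf header that the
# function keys on, and -ttt prints inter-record time deltas:
#
#     tcpdump -n -e -ttt -r /var/log/pflog | pflog_summary
#
# The N in "rule N/(match)" is the rule's index in the loaded ruleset, the
# same @N that "pfctl -vvsr" prints in front of each rule.

# Read tcpdump text on stdin; print one line per distinct
# (action, direction, interface, rule, src, dst) with a hit count,
# most frequent first. Ports are dropped, so a port scan from one host
# collapses into a single line with a large count.
pflog_summary() {
    awk '
    # "a.b.c.d.port" -> "a.b.c.d"; a bare "a.b.c.d" (ICMP) is left alone.
    function strip_port(h) {
        if (h ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) sub(/\.[0-9]+$/, "", h)
        return h
    }
    /rule [0-9]+\// {
        # Drop the timestamp (its format depends on the -t options) and
        # re-split the record from "rule" onwards:
        #   0/(match) block in on tun0: SRC > DST: ...
        sub(/^.*rule /, "")
        split($1, r, "/")
        rule  = r[1]
        act   = $2
        dir   = $3
        iface = $5; sub(/:$/, "", iface)
        src   = strip_port($6)
        dst   = $8; sub(/:$/, "", dst); dst = strip_port(dst)
        count[act " " dir " on " iface " rule " rule " " src " > " dst]++
    }
    END {
        for (k in count) printf "%6d  %s\n", count[k], k
    }' | sort -rn
}

# Constructed sample (made-up addresses, traffic and rule numbers, not a
# real capture), in the shape of "tcpdump -n -e -ttt -r /var/log/pflog" output.
PFLOG_SAMPLE='00:00:00.000000 rule 0/(match) block in on tun0: 198.51.100.7.40001 > 212.194.141.130.22: S 10:10(0) win 1024
00:00:00.003120 rule 0/(match) block in on tun0: 198.51.100.7.40002 > 212.194.141.130.80: S 11:11(0) win 1024
00:00:00.002870 rule 0/(match) block in on tun0: 198.51.100.7.40003 > 212.194.141.130.443: S 12:12(0) win 1024
00:00:01.500000 rule 0/(match) block in on tun0: 203.0.113.9.5353 > 212.194.141.130.5353: udp 46
00:00:00.250000 rule 0/(match) block in on tun0: 203.0.113.9.5353 > 212.194.141.130.5353: udp 46
00:00:03.000000 rule 27/(match) block in on tun0: 203.0.113.9 > 212.194.141.130: icmp: time stamp query id 1 seq 0'

printf '%s\n' "$PFLOG_SAMPLE" | pflog_summary
```

On the sample the three SYNs from 198.51.100.7 to different ports come out as a single line with count 3, which is what a scan looks like in this view, while the ICMP timestamp query keeps its own line under its own rule number. Because the summary is keyed on the rule index, rerun `pfctl -vvsr` after every ruleset change; inserting one rule shifts every number after it.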