I have a machine that serves as my NAT / ADSL gateway / firewall.
I configured ipfw as follows (I know nothing about firewalls; I found these rules on a website).
My question is: do the keep-state rules (needed so my brother can play CS) make me very vulnerable?
# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"
# Force a flushing of the current rules before we reload.
$fwcmd -f flush
# Hand every packet crossing the ADSL (tun0) interface, in either direction,
# to natd for address translation before any other rule sees it.
$fwcmd add divert natd all from any to any via tun0
# Allow all traffic on loopback and on the LAN cards (ed0 and ed1 here;
# the original script used fxp0). Change these names to match your
# network cards before you reboot.
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via ed0
$fwcmd add allow ip from any to any via ed1
# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup
# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established
# Keep-state rules, added for online games. The two "out" rules record
# state for outgoing TCP connections and UDP datagrams so that their
# replies are let back in. The two "in" rules do more than that: they
# accept any NEW inbound TCP connection or UDP datagram from any source
# to destination ports 1024-65000 on tun0, not only replies to the state
# created above.
$fwcmd add allow tcp from any to any via tun0 out keep-state
$fwcmd add allow udp from any to any via tun0 out keep-state
$fwcmd add allow tcp from any to any 1024-65000 via tun0 in keep-state
$fwcmd add allow udp from any to any 1024-65000 via tun0 in keep-state
# Everyone on the internet is allowed to connect to the following
# services on the machine. Only ssh (port 22) is opened here; add a
# similar rule for port 80 if you run apache.
$fwcmd add allow tcp from any to any 22 setup
# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv tun0
# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 193.252.19.3 53 out xmit tun0
$fwcmd add allow udp from any to 193.252.19.4 53 out xmit tun0
# Allow them back in with the answers...
$fwcmd add allow udp from 193.252.19.3 53 to any in recv tun0
$fwcmd add allow udp from 193.252.19.4 53 to any in recv tun0
# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add allow icmp from any to any
# Deny all the rest.
$fwcmd add deny log ip from any to any
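An alternative stateful ruleset for the same setup, added here as an example; it is neither the poster's script nor Marc Silver's. The point it demonstrates: the posted script diverts to natd before any keep-state rule, so for a LAN host the outbound state is recorded with the translated public address, while the replies are un-NATed back to the private address before they reach the dynamic rules and therefore never match them. That is why the script needs the inbound 1024-65000 rules to make the game work, and those rules admit any new connection to that port range from anywhere. Diverting inbound packets first, running check-state, and using skipto to reach the outbound divert (the arrangement the FreeBSD Handbook uses for stateful NAT rulesets) lets the outbound state match the replies, so the game client works with no inbound port range open. The interface names, the resolver addresses and the rule numbers are assumptions taken from the post or chosen here; adjust them to the machine.

```shell
#!/bin/sh
# Hypothetical stateful NAT ruleset for the setup in the post: ADSL on
# tun0, LAN on ed0 and ed1. Added example, not the poster's script.
# load_rules        loads the rules with /sbin/ipfw
# load_rules echo   prints the rules instead of loading them (dry run)
load_rules() {
    fwcmd="${1:-/sbin/ipfw}"
    oif="tun0"                      # ADSL / PPP interface (assumed, as in the post)

    $fwcmd -f flush

    # Trusted interfaces: loopback and the LAN cards.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 allow ip from any to any via ed0
    $fwcmd add 120 allow ip from any to any via ed1

    # Un-NAT inbound packets FIRST, so that dynamic rules are matched
    # against the private LAN addresses they were created with.
    $fwcmd add 200 divert natd ip from any to any in via $oif
    $fwcmd add 210 check-state

    # Outbound: create state on the still-untranslated packet, then jump
    # past the inbound section to the outbound NAT rule (1000). Replies
    # come back through check-state above, so the game client needs no
    # inbound port range opened.
    $fwcmd add 300 skipto 1000 tcp from any to any out via $oif setup keep-state
    $fwcmd add 310 skipto 1000 udp from any to any out via $oif keep-state
    $fwcmd add 320 skipto 1000 icmp from any to any out via $oif keep-state

    # Inbound: only services deliberately published on the firewall itself.
    $fwcmd add 400 allow tcp from any to any 22 in via $oif setup
    # Refuse ident immediately instead of letting the peer time out.
    $fwcmd add 410 reset tcp from any to any 113 in via $oif
    # Everything else, unsolicited inbound or outbound protocols not
    # listed above, is dropped and logged.
    $fwcmd add 999 deny log ip from any to any

    # Outbound NAT, reached only via skipto from the stateful rules.
    $fwcmd add 1000 divert natd ip from any to any out via $oif
    $fwcmd add 1010 allow ip from any to any
}
```

Run `load_rules echo` first and read the output; then load it and, while the game is connected, run `ipfw -d show` to see the dynamic entries for the LAN host's UDP flow. A connection attempt from outside to a high port on the public address now ends up in the log as a deny from rule 999 instead of being accepted.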