A slightly oddball ipfw firewall script.. :D
weew…
It's been a while since I updated this page.. understandable, with the crazy workload from my final project and the like.. hehe..
So the story is, yesterday the department gateway died because of unstable power.. on New Year's Eve, no less… -_-
I almost spent New Year's at campus… but luckily there was a spare machine that was already pretty much dedicated as a server, so I cannibalised that machine for now to build a temporary router.. hehehe..
Long story short, this router runs FreeBSD 7.0 Stable Release, with quagga for route advertisement.
How to install quagga on FreeBSD has probably been covered in plenty of other places already, but I'll write it up here too when I get the chance..
Straight to it.. here's the script…
#!/bin/sh
# This script is for the general rule setup on the * gateway firewall.
# All changes should be notified/mailed to admins@*.itb.ac.id
# First created 02 Jan 2009
# copyleft Zeki Fithra MS, e-mail : fithra@*.itb.ac.id

# Set command prefix
fwcmd="/sbin/ipfw -q"

# Uplink interface.
oif="bge0"

# Downlink interface.
iif="bge1"

# Network address/mask.
inet="xxx.xxx.xxx.0/24"

# Ports forbidden from the outside into $inet
forb="1-1024"

# Ports used by well-known worms/viruses
vrsports="445,5554,9996,4444"

# ITB DNS servers.
dns1="xxx.xxx.xxx.xxx/32"
dns2="xxx.xxx.xxx.xxx/32"

# Firewall-exempt hosts --> put the IPs reserved for the NOC here; usually these are the low IPs, so just subnet them to keep it simple
servers="xxx.xxx.xxx.0/28"   # NOC IPs (xxx.xxx.xxx.1/32 - xxx.xxx.xxx.15/32)
noc1="xxx.xxx.xxx.0/32"
noc2="xxx.xxx.xxx.0/32"
servers1="xxx.xxx.xxx.0/32"  # --> servers only, not NOC; cannot be ssh'd into from outside, only the default ports for webclient, email, etc. are open

# Loopback interface and network address.
loif="lo0"
lonet="127.0.0.0/8"

# First, flush all rules
$fwcmd -f flush

# Short circuits.
$fwcmd add pass all from any to any via $iif
$fwcmd add pass all from any to any via $loif

# Don't let anything from the "outside" talk to localhost
$fwcmd add deny all from any to $lonet

# Don't let the computer talk to other computers as localhost
$fwcmd add deny log ip from 127.0.0.0/8 to any

#********** block viruses *******************************************
$fwcmd add deny tcp from ${inet} to any ${vrsports}
$fwcmd add deny tcp from any to ${inet} ${vrsports}

# Allow packets from outside destined to the NOC and vice versa
for noc in $servers $noc1 $noc2 ; do
    $fwcmd add pass ip from any to ${noc} via $oif
    $fwcmd add pass ip from ${noc} to any via $oif
done

for dns in $dns1 $dns2; do
    $fwcmd add pass tcp from any to $dns 53 via $oif
    $fwcmd add pass udp from $dns to any 53 via $oif
done

#-------------- Allow ICMP from any to this network -------------------#
# Allow path-mtu in both directions
$fwcmd add allow icmp from any to any icmptypes 3
# Allow source quench in and out
$fwcmd add allow icmp from any to any icmptypes 4
# Allow outbound traceroutes
$fwcmd add allow icmp from any to any icmptypes 11 in
# Allow outbound pings and incoming ping responses
$fwcmd add allow icmp from any to any icmptypes 8 out
$fwcmd add allow icmp from any to any icmptypes 0 in

#===================== Additional rules =======================#
# Only the standard server ports are opened for "servers1", not NOC
$fwcmd add pass ip from any to ${servers1} 21,25,80,443,110 via $oif
$fwcmd add pass ip from ${servers1} to any 21,22,25,80,443,110 via $oif

# Bandwidth shaping so "servers1" above only gets 1.25 MByte/s
$fwcmd pipe 1 config bw 10Mbit/s
$fwcmd pipe 2 config bw 10Mbit/s
$fwcmd queue 100 config pipe 1 weight 90
$fwcmd queue 101 config pipe 1 weight 60
$fwcmd add queue 101 tcp from any to ${servers1} in
$fwcmd add pipe 2 all from ${servers1} to any out
$fwcmd add pipe 1 all from any to ${servers1} via $oif

# Put additional rules below, in the space between the # markers (this is for when naughty users try to abuse things... just block their MAC address).
# Note: ipfw's "mac" option takes dst-mac then src-mac, and layer-2 rules only match when net.link.ether.ipfw=1 is set.
####################################################################
$fwcmd add deny mac 00:0F:EA:BD:26:67 any
$fwcmd add deny mac 00:16:D3:F9:1E:2A any
$fwcmd add deny mac 00:11:85:DA:68:1C any
$fwcmd add deny mac 00:1A:4D:8D:43:62 any

# Block connections from outside the local network to http services
$fwcmd add deny ip from 81.199.149.21 to xxx.xxx.xxx.xxx 80
$fwcmd add deny ip from 81.199.149.25 to xxx.xxx.xxx.xxx 80
$fwcmd add deny ip from 196.29.122.4 to xxx.xxx.xxx.xxx 80
$fwcmd add deny mac 00:16:17:6e:9c:1e any
####################################################################

# DEFAULT POLICY !!!! :
# Block the default root ports and the default NOC ports from outside to inside
$fwcmd add deny all from any to $inet $forb in via $oif

# Open every port other than those denied above
$fwcmd add allow all from any to any via $oif
#-------------- End all rules ---------------------#
This configuration alone should be enough….
It's already strict enough.. :D
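As an added example (not the author's script), here is a small Python model of the inbound rule order above, with constructed placeholder addresses standing in for the xxx values, that reports which rule first matches a packet arriving on the uplink. It makes the first-match logic visible: only the explicit passes placed before the 1-1024 deny open ports inbound, and an inbound UDP query to the DNS server on port 53 falls through to that deny because only the TCP variant is passed.

```python
import ipaddress

# Constructed stand-ins for the script's xxx.xxx.xxx values (not real addresses).
INET = ipaddress.ip_network("203.0.113.0/24")        # $inet
NOC = ipaddress.ip_network("203.0.113.0/28")         # $servers (NOC range)
DNS1 = ipaddress.ip_network("203.0.113.53/32")       # $dns1
SERVERS1 = ipaddress.ip_network("203.0.113.80/32")   # $servers1
VRSPORTS = {445, 5554, 9996, 4444}                   # $vrsports
FORB = set(range(1, 1025))                           # $forb = 1-1024

# Inbound rules on $oif in the script's order: (action, proto, dst_net, dst_ports, label).
# proto None or "ip" matches any protocol; ports/net None matches anything.
RULES = [
    ("deny", "tcp", INET,     VRSPORTS,               "virus ports"),
    ("pass", "ip",  NOC,      None,                   "NOC"),
    ("pass", "tcp", DNS1,     {53},                   "dns tcp"),
    ("pass", "ip",  SERVERS1, {21, 25, 80, 443, 110}, "servers1"),
    ("deny", None,  INET,     FORB,                   "forb"),
    ("pass", None,  None,     None,                   "default allow"),
]


def first_match(proto, dst, dport):
    """Return (action, label) of the first rule matching an inbound packet,
    mirroring ipfw's first-match semantics."""
    dst = ipaddress.ip_address(dst)
    for action, rproto, net, ports, label in RULES:
        if rproto not in (None, "ip") and rproto != proto:
            continue
        if net is not None and dst not in net:
            continue
        if ports is not None and dport not in ports:
            continue
        return action, label
    return "deny", "implicit"   # ipfw's final rule when nothing matched


if __name__ == "__main__":
    for pkt in [("tcp", "203.0.113.80", 80), ("tcp", "203.0.113.80", 22),
                ("tcp", "203.0.113.53", 53), ("udp", "203.0.113.53", 53)]:
        print(pkt, "->", first_match(*pkt))
```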