An Easy Way to Build a Simple OpenBSD Firewall

Saturday, 16 October 2010

Before building this firewall, it is best to read
ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.pdf (the complete download) first,
and in particular
http://www.openbsd.org/faq/pf/example1.html

This firewall is simple: it only closes the ports that are open by default (leave them open and the box catches a cold) so that it is not easy to break into.

[root@luckyy_man]# vi /etc/pf_firewall.conf

# macros
ext_if = "rl0" # ---> external Ethernet card (towards the ISP)
int_if = "rl1" # ---> internal Ethernet card (towards the LAN)

tcp_services = "{ 22, 53, 113 }" # TCP ports the firewall itself accepts from outside
icmp_types = "echoreq"

priv_nets = "{ 192.168.1.0/24, 192.168.0.0/24 }" # --> depends on your private IPs
ip_isp = "{202.xxx.xxx.xxx, 202.xxx.xxx.xxx }" #--> not Triple X, mind you

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
# transparent proxy: web traffic from the LAN is redirected to the proxy at 192.168.1.1:3128
rdr on $int_if proto tcp from any to any port 80 -> 192.168.1.1 port 3128

# filter rules
block all # Close all ports

pass quick on lo0 all

# anti-spoofing: private addresses must never appear on the external interface
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# allow the following incoming traffic to the firewall
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state

# so the ISP can read your SNMP
pass in quick on $ext_if proto udp from $ip_isp to port { 161, 162 }

pass in inet proto icmp all icmp-type $icmp_types keep state

# provide unrestricted Internet access to internal computers
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass in on $int_if from 192.168.0.0/24 to any keep state
pass out on $int_if from any to 192.168.0.0/24 keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Save & exit

[root@luckyy_man]# pfctl -f /etc/pf_firewall.conf

To check whether it is working, use nmap, but run nmap from a public IP, not from localhost:
from localhost the ports will still look open, because that traffic goes over lo0 and is let through by `pass quick on lo0 all` :D
Nmap result from Bos JALI (TCP)
(The 1647 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
69/tcp filtered tftp
113/tcp open auth
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
707/tcp filtered unknown
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
5050/tcp filtered mmcc

Nmap result from Bos Jali (UDP)
(The 1429 ports scanned but not shown below are in state: open|filtered)
PORT STATE SERVICE
37/udp closed time
59/udp closed priv-file
84/udp closed ctf
102/udp closed iso-tsap
108/udp closed snagas
121/udp closed erpc
187/udp closed aci
249/udp closed unknown
261/udp closed nsiiops
266/udp closed unknown
280/udp closed http-mgmt
299/udp closed unknown
320/udp closed unknown
352/udp closed dtag-ste-sb
423/udp closed opc-job-start
462/udp closed datasurfsrvsec
520/udp closed route
556/udp closed remotefs
573/udp closed banyan-vip
599/udp closed acp
608/udp closed sift-uft
660/udp closed mac-srvr-admin
675/udp closed unknown
687/udp closed unknown
700/udp closed unknown
714/udp closed unknown
773/udp closed notify
837/udp closed unknown
845/udp closed unknown
872/udp closed unknown
896/udp closed unknown
954/udp closed unknown
962/udp closed unknown
974/udp closed unknown
1083/udp closed ansoft-lm-1
1389/udp closed iclpv-dm
1435/udp closed ibm-cics
1438/udp closed eicon-server
1454/udp closed interhdl_elmd
1460/udp closed proshare2
1495/udp closed cvc
1499/udp closed fhc
1524/udp closed ingreslock
1541/udp closed rds2
2041/udp closed interbase
6146/udp closed lonewolf-lm
7004/udp closed afs3-kaserver
7006/udp closed afs3-errors
32779/udp closed sometimes-rpc22
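A small cross-check of the scan against the ruleset, as an added example that is not part of the original post: it reads the `tcp_services` macro out of the pf config, parses the `port/proto state service` lines of the nmap result, and reports TCP ports that are open but not in the macro (or in the macro but not answering). The config fragment and scan excerpt below are constructed from the post's own values.

```python
import re

# Constructed sample input: the tcp_services macro as written in the post's
# pf_firewall.conf, and an excerpt of the TCP scan result shown above.
PF_CONF = '''
tcp_services = "{ 22, 53, 113 }"
icmp_types = "echoreq"
'''

NMAP_TCP = '''
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
69/tcp filtered tftp
113/tcp open auth
135/tcp filtered msrpc
'''


def allowed_tcp_ports(pf_conf):
    """Return the port set from the tcp_services macro, a pf list like "{ 22, 53 }"."""
    m = re.search(r'^\s*tcp_services\s*=\s*"\{([^}]*)\}"', pf_conf, re.M)
    if not m:
        return set()
    return {int(p) for p in m.group(1).split(",") if p.strip()}


def scanned_ports(nmap_text, proto="tcp"):
    """Map port -> state for every '<port>/<proto> <state> <service>' line."""
    ports = {}
    for line in nmap_text.splitlines():
        m = re.match(r'^(\d+)/(\w+)\s+(\S+)', line)
        if m and m.group(2) == proto:
            ports[int(m.group(1))] = m.group(3)
    return ports


def check_ruleset_vs_scan(pf_conf, nmap_text):
    """Compare what the ruleset intends to pass with what the outside scan saw."""
    allowed = allowed_tcp_ports(pf_conf)
    open_ports = {p for p, s in scanned_ports(nmap_text).items() if s == "open"}
    return {
        "unexpected_open": sorted(open_ports - allowed),   # reachable, but not in the macro
        "allowed_not_open": sorted(allowed - open_ports),  # in the macro, but nothing answered
    }


if __name__ == "__main__":
    print(check_ruleset_vs_scan(PF_CONF, NMAP_TCP))
```

Because the ruleset sets `block-policy return`, ports that PF blocks answer with a RST and show up as `closed`; a port the scan reports as `filtered` was dropped somewhere other than by this ruleset.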

This is a simple firewall; it closes every port, including port 80. At the moment I don't know how to open the HTTP port :D (since I don't run a web server). Maybe some friends can help?

Copyright © aljufri