Thursday, 29 October 2009

FreeBSD firewall

Firewall definition:
A firewall is a system or device that lets network traffic it considers safe pass through and stops network traffic that is not safe. A firewall is usually deployed on a dedicated machine running at the gateway between a local network and other networks. Firewalls are also commonly used to control which outside parties have access to a private network. Today the term firewall has become the usual name for a system that regulates communication between two different networks. Since many companies now have Internet access, and of course corporate networks behind it, protecting the company's digital assets from hackers, spies and other data thieves has become essential.



Firewall syntax
IPFW:
Examples:
ipfw show : list the rules currently loaded in the firewall, with their packet counters
ipfw add 90 deny ip from 192.168.66.20 to any : block the address 192.168.66.20 (as rule number 90)
ipfw delete 90 : delete the rule at number 90

Drop all www traffic from a network:
ipfw add deny tcp from 12.12.12.0/24 to www.ubc.ca 80

Drop all telnet traffic from a bad host:
ipfw add deny tcp from bad.host.com to my.host.com 23

Throw away RFC 1918 networks:
ipfw add deny all from 10.0.0.0/8 to any in via fxp0
ipfw add deny all from 172.16.0.0/12 to any in via fxp0
ipfw add deny all from 192.168.0.0/16 to any in via fxp0

Allow ssh:
ipfw add allow tcp from any to any 22 in via fxp0 setup keep-state

Limit WWW traffic to 100Mbps:
ipfw pipe 1 config bw 100Mbit/s
ipfw add pipe 1 ip from any to any dst-port 80

Prefer ssh to telnet traffic:
ipfw pipe 2 config bw 256kbit/s
ipfw queue 1 config pipe 2 weight 7
ipfw queue 2 config pipe 2 weight 3
ipfw add queue 1 ip from any to any dst-port 22
ipfw add queue 2 ip from any to any dst-port 23
Security:
1. Ports (allow/deny). Example allow: http (80), ftp (21), ssh (22), telnet (23). Deny: netbios (ports 135-139)
2. ARP
arp -an : show the ARP table (numeric addresses)
arp -da : delete all ARP entries
arp -f /home/atrih/arp-test : load static ARP entries from a file, for example:
192.168.71.254 00:1b:b9:b2:07:e9
192.168.71.72 00:1c:25:5f:ab:b2
3. Monitoring: traffic volume (iftop, ifstat), packet types (tcpdump)
4. Subnetting (IP calculator)
255.255.240.0   /20
255.255.248.0   /21
255.255.252.0   /22
255.255.254.0   /23
255.255.255.0   /24
255.255.255.128 /25
255.255.255.192 /26
255.255.255.224 /27
255.255.255.240 /28
255.255.255.248 /29
255.255.255.252 /30
5. Ping (-n, -t, -l)
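As an added example (my own code, not part of the original post), here is a small IP calculator for the subnetting item above: it converts between dotted masks and prefix lengths, rejects non-contiguous masks, and computes the network and broadcast of an address, which is what you need to know when deciding which hosts an ipfw or pf rule written as 192.168.0.0/16 actually covers. The addresses in the self-check are the ones from the ARP list above.

```python
# Added example: a hand-written "ip calculator" for the subnetting table above.
# A netmask is valid only if its 32 bits are a run of 1s followed by a run of 0s.
def _to_int(dotted):
    """'255.255.240.0' -> 0xFFFFF000, validating four octets in 0..255."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad address %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def _to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def _mask_bits(prefix):
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask):
    """'255.255.240.0' -> 20; rejects non-contiguous masks such as 255.0.255.0."""
    bits = _to_int(mask)
    prefix = bin(bits).count("1")
    if bits != _mask_bits(prefix):          # the 1s must all be on the left
        raise ValueError("non-contiguous mask %r" % mask)
    return prefix

def prefix_to_mask(prefix):
    """20 -> '255.255.240.0'"""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return _to_dotted(_mask_bits(prefix))

def usable_hosts(prefix):
    """Hosts excluding network and broadcast; /31 (RFC 3021) and /32 are special."""
    if prefix >= 31:
        return 2 if prefix == 31 else 1
    return 2 ** (32 - prefix) - 2

def subnet_of(addr, prefix):
    """(network, broadcast) for addr/prefix, e.g. the ARP hosts above on a /26."""
    m = _mask_bits(prefix)
    net = _to_int(addr) & m
    return _to_dotted(net), _to_dotted(net | (~m & 0xFFFFFFFF))

# The post's table, replayed as a self-check when run directly.
TABLE = {"255.255.240.0": 20, "255.255.248.0": 21, "255.255.252.0": 22,
         "255.255.254.0": 23, "255.255.255.0": 24, "255.255.255.128": 25,
         "255.255.255.192": 26, "255.255.255.224": 27, "255.255.255.240": 28,
         "255.255.255.248": 29, "255.255.255.252": 30}

if __name__ == "__main__":
    for mask, prefix in TABLE.items():
        assert mask_to_prefix(mask) == prefix and prefix_to_mask(prefix) == mask
        print("%-16s /%-3d %5d usable hosts" % (mask, prefix, usable_hosts(prefix)))
```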









First, configure your kernel so that it supports pf:


# Packet Filter options
device pf
device pflog
device pfsync

# Enabling ALTQ
options ALTQ
options ALTQ_CBQ   # Class Based Queueing (CBQ)
options ALTQ_RED   # Random Early Detection (RED)
options ALTQ_RIO   # RED In/Out
options ALTQ_HFSC  # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ  # Priority Queueing (PRIQ)
options ALTQ_NOPCC # Required for SMP build

Below is the configuration I implemented on my FreeBSD box. Network admins running a FreeBSD box are welcome to copy and paste it, but adjust it to the situation of your own box.



### macros

# internal and external interfaces (run 'ifconfig' to see your interfaces)
int_if = "vr0"
ext_if = "rl0"

# Ports that may be reached from outside the box; adjust as needed
tcp_services = "{ 80, 110, 25, 53, 113, 21 }"
udp_services = "{ 53, 1194 }"

# ping requests
icmp_types = "echoreq"

# Private networks whose traffic is to be blocked
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### options
set block-policy return
set loginterface $ext_if
set skip on lo0

### scrub
scrub in all

### nat/rdr

# NAT traffic from internal to external
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Port redirection for transparent proxy and transparent FTP
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

### filter rules
block all

# Block traffic from outside that uses private IP addresses
block drop in quick on $ext_if from $priv_nets to any

# Block traffic leaving the external interface toward private addresses
block drop out quick on $ext_if from any to $priv_nets

# Allow access to selected TCP ports
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# Allow access to selected UDP ports
pass in on $ext_if proto udp to any port $udp_services keep state

# Allow FTP access (via the FTP proxy on port 8021)
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
    user proxy flags S/SA keep state

# Ping reply OK
pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow traffic from the internal network through the internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Allow outgoing traffic through the external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
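To see why rule order and the quick keyword matter in the ruleset above, here is an added example (my own code, not part of the original post) that models pf's evaluation: the last matching rule wins, unless a matching rule is marked quick, which ends evaluation at once. It assumes made-up addresses (ext_if rl0 at 203.0.113.10, int_if vr0 serving 192.168.1.0/24) and leaves the FTP-proxy rule out of the model.

```python
# Added example: a simplified model of pf rule evaluation for the ruleset above.
# pf semantics: the LAST matching rule decides, unless a matching rule carries
# "quick". Addresses are constructed: ext_if=rl0 at 203.0.113.10, int_if=vr0.
import ipaddress as ip

ANY = [ip.ip_network("0.0.0.0/0")]
PRIV = [ip.ip_network(n) for n in
        ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
EXT_ADDR = [ip.ip_network("203.0.113.10/32")]   # ($ext_if)
INT_NET = [ip.ip_network("192.168.1.0/24")]     # $int_if:network
TCP_SERVICES = {80, 110, 25, 53, 113, 21}
UDP_SERVICES = {53, 1194}

def rule(action, dirn=None, on=None, proto=None, src=ANY, dst=ANY,
         dport=None, quick=False):
    return dict(action=action, dirn=dirn, on=on, proto=proto, src=src,
                dst=dst, dport=dport, quick=quick)

# The post's filter rules in file order (FTP proxy rule omitted from the model).
RULES = [
    rule("block"),                                              # block all
    rule("block", "in", "rl0", src=PRIV, quick=True),           # spoofed private src
    rule("block", "out", "rl0", dst=PRIV, quick=True),          # private dst outbound
    rule("pass", "in", "rl0", {"tcp"}, dst=EXT_ADDR, dport=TCP_SERVICES),
    rule("pass", "in", "rl0", {"udp"}, dport=UDP_SERVICES),     # "to any" as written
    rule("pass", "in", None, {"icmp"}),                         # echoreq, any iface
    rule("pass", "in", "vr0", src=INT_NET),
    rule("pass", "out", "vr0", dst=INT_NET),
    rule("pass", "out", "rl0", {"tcp"}),
    rule("pass", "out", "rl0", {"udp", "icmp"}),
]

def matches(r, pkt):
    src, dst = ip.ip_address(pkt["src"]), ip.ip_address(pkt["dst"])
    return ((r["dirn"] is None or r["dirn"] == pkt["dirn"])
            and (r["on"] is None or r["on"] == pkt["on"])
            and (r["proto"] is None or pkt["proto"] in r["proto"])
            and any(src in n for n in r["src"])
            and any(dst in n for n in r["dst"])
            and (r["dport"] is None or pkt.get("dport") in r["dport"]))

def decide(pkt, rules=RULES):
    """Verdict ('pass' or 'block') for a packet dict under last-match semantics."""
    verdict = "pass"           # pf's default when nothing matches; "block all" overrides
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:     # quick: stop here, later rules cannot override
                break
    return verdict
```

The model is only for reasoning about rule order; the real pre-flight check is pfctl -nf /etc/pf.conf, which parses the file without loading it.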



To check your NAT rules and configuration, use the following commands:

# pfctl -Fn -Nf /etc/pf.conf
(flushes the NAT rules, then reloads only the NAT rules from the file)

# pfctl -f /etc/pf.conf
(loads the whole ruleset)

And to restart pf, use:

# pfctl -NORf /etc/pf.conf
(reloads the NAT rules, options and filter rules from the file)

To have pf start automatically, put the following in your rc.conf:



pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
gateway_enable="YES" # Enable as LAN gateway



Wednesday, 07 October 2009

Install MySQL Server

First you need to login as root or run su in order to get the required permissions.
Then navigate to the ports folder for MySQL:

cd /usr/ports/databases/mysql50-server

Now run:

make install clean

in order to download and install MySQL.
Once the install is finished we install the databases by running:

mysql_install_db --user=mysql

If you get an error, run rehash in order to update FreeBSD's path environment variables.
Once this is done we want to grant permissions to the mysql user in /var/db/mysql.

chown -R mysql /var/db/mysql/
chgrp -R mysql /var/db/mysql/

Now we can start MySQL by running:

/usr/local/bin/mysqld_safe --user=mysql &

Since we probably want MySQL to start after a reboot we will drop a line to /etc/rc.conf

echo 'mysql_enable="YES"' >> /etc/rc.conf

By default MySQL's root account has no password, so we need to change it (if we want our system to be somewhat secure). To change the password for root, enter the following command:

mysqladmin -u root password newpassword

...where newpassword is the password of our choice.

Now we can start making use of our new database server.

If you want to tweak your machine there are different configuration files you can use with your MySQL Server depending on load and what it will be used for. They are located in /usr/local/share/mysql and are called:

my-huge.cnf
my-innodb-heavy-4G.cnf
my-large.cnf
my-medium.cnf
my-small.cnf

We make an example with my-medium.cnf and copy it to /var/db/mysql as my.cnf.

cp /usr/local/share/mysql/my-medium.cnf /var/db/mysql/my.cnf