Archive for May, 2014

Come to me ..

Posted: May 10, 2014 in My live

The old story is behind us
Only you and I are left
Claiming the love that was promised

Come to me
Take my heart
Upon you, love, I pour it all

Water that flows
I cannot hold back
As long as you doubt me
The one who loves you
Understand, darling

I alone am yours
Do not doubt
Your light, love, is in my hands

I will build
A palace and a city for us
Witnessed by the waving night
I will prove it to you
A sign of greatness

Your sacrifice, love
I will never waste
I will prove it

 

The bed of roses I dream of…

Posted: May 10, 2014 in My live

Ranjang mawar – Mael Wings

Because of her I weep
I shed what is left of my sanity
Willing to let go of the helm in my hands
When the storm rages
And comes to torment the sea

Because of her I weep
I put out style and feeling
Willing to cut every tie
To anyone but the one I long for

I drown in longing
Without floor or shore
I am stranded in sorrow
Without full stop or letter

I am sacrificed in love
Without reason from any page
One more that promises nothing
The bed of roses I dream of

I dream what I dream

 

 

I let your hair
Fall, drop and lie stranded
Upon the blood of a wounded love
The lament of a dream crushed
Beneath a wind falling silent
I keep on longing for you
Lifted into swirling clouds
A night that burns ever hotter
Yet its letter flutters
In every corner of my heart
The night you sleep through
My dream, hushed and estranged
Becomes a single delirium
A beggar for love
Like a wanderer
At the end of the road
No season left for loving again
Gloom without beginning or end
If there is no ending to it
I will go and never return

The night you sleep through
My dream, hushed and estranged
Becomes a single delirium
A beggar for love
Like a wanderer
At the end of the road

No season left for loving again
Gloom without beginning or end
If there is no ending to it
I will go and never return

When will the waves subside

Posted: May 10, 2014 in My live

Zamree – Tugu Cinta

I borrow an illusion from the silent sea
The lovely dusk grows ever dimmer
Hiding behind the darkness
I carve a name
With trembling fingers
The heart longs to dedicate a monument to love

Drops of tears, how this heart grieves
The crash of waves breaks and roars
An image of love is destroyed, replaced by tears
I step on with weary feet
Tracing the foam as it vanishes
And in my heart I ask
When will the waves subside

Transparent Terminal Mac

Posted: May 10, 2014 in Mac OSX

Transparent Terminal in Mac

Open Terminal, run the command below, then restart Terminal:

defaults write com.apple.terminal TerminalOpaqueness '0.85'


Freebsd pf.conf

Posted: May 10, 2014 in Freebsd

Firewall ruleset, taken from this page:

http://alpha.telemedellin.tv/public/pf.conf

Reference only, not for production use.

If you use it, think it through for your own network first.

###########################################

# Firewall on FreeBSD with PF: The OpenBSD Packet Filter
#
# How-tos: 
# FreeBSD http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook
# PF: The OpenBSD Packet Filter	http://www.openbsd.org/faq/pf/index.html
#
# Warning: When browsing the PF FAQ, please keep in mind that different versions of
# FreeBSD can contain different versions of PF. Currently, FreeBSD 8.X and prior is
# using the same version of PF as OpenBSD 4.1. FreeBSD 9.X and later is using the
# same version of PF as OpenBSD 4.5.

# Working with PF
#
# Use pfctl(8) to control PF. Below are some useful commands (be sure to review the pfctl(8) man page for all available options):
#   Command                          Purpose
# # pfctl -e                         Enable PF
# # pfctl -d                         Disable PF
# # pfctl -F all -f /etc/pf.conf     Flush all rules (nat, filter, state, table, etc.) and reload from the file /etc/pf.conf
# # pfctl -s [ rules | nat | state ] Report on the filter rules, nat rules, or state table
# # pfctl -vnf /etc/pf.conf          Check /etc/pf.conf for errors, but do not load ruleset

# Single-host connection (Conexion Monopuesto):
# Here the router is used simply as a modem: FreeBSD itself sends the username
# and password to the ISP to request the connection (this creates the tun0
# interface; PPPoE is configured on FreeBSD).
# In this case ext_if = "tun0"
#
# The network is setup like this:
#
# ISP---ADSL---(ext_if)-[FreeBSD]-(int_if)---Switch---LAN
#                           |    \
#                       (vpn_if)  '-(dmz_if)
#
# Multi-host connection (Conexion Multipuesto):
# Here the router sends the username and password to the ISP, and the machines
# behind the router use it as their gateway to reach the Internet.
# In this case ext_if = "bge0"
#
# The network is setup like this:
#
# ISP---ADSL---(ext_if)-[FreeBSD]-(int_if)---Switch---LAN
#                           |    \
#                       (vpn_if)  '-(dmz_if)
#
# Fibre optic:
# A patch cord comes straight into the server and the public IP is assigned to
# the server's network card.
#
# The network is setup like this:
#
# ISP----------(ext_if)-[FreeBSD]-(int_if)---Switch---LAN
#                           |    \
#                       (vpn_if)  '-(dmz_if)
#
# Change history:
#
# * 2010-01-13	This section added
# * 2010-09-12	Adapted for FreeBSD 8.2 and general cleanup
# * 2011-11-25	General cleanup
# * 2012-02-15  TCP port 554 (RTSP) opened for Livestream mobile
# * 2012-06-12	General cleanup
# * 2012-08-10	Proxy exceptions for Charlie (RobotOfima) and Streaming (Procaster)

#-------------------------------------------------------------------------------
# PF: List and Macros
#-------------------------------------------------------------------------------

logopt = "log"

# Interfaces
ext_if = "bge0"		# Internet Interface (bge0 or tun0)
int_if = "bge1"		# Network Interface  LAN
#dmz_if = "bge2"	# Network Interface  DMZ
vpn_if = "tap0"		# OpenVPN Interface

# External services
serv_tcp = "{ 5432, 667, 8000 }"
serv_udp = "{ 1194 }"

# Internal services
lanserv_tcp = "{ 21, 8021, 22, 37, 53, 80, 82, 84, 443, 110, 143, 995, 993, 25, 465, 518, \
	587, 1626, 1723, 2082, 2095, 8080, 8083, 4080, 8090,  8091, 8092, 7777, \
	5432, 5999, 9339, 1935, 3128, 3129, 6667, 8030, 8443, 993, 587, \
	3306, 7780, 7778, 81, 8001, 8099, 5900, 2628, 7781, 3493, 3551, 8443, \
	1025, 8060, 2083, 9091, 6969, 667, 8082, 11371, 8087, 5050, 2096, 4443, \
	8190, 9001, 5222, 5223, 5228, 9090, 48080, 18080, 22300, 8030, 554, \
	38080, 48780, 3389, 2880, 18091, 7003, 1688, 18087, 5001:5011, 5242, \
	4244, 1935, 8888, 8009, 8080, 3680, 8181, 10040, 7005, 1621, 2086, \
	4643, 2086, 2087, 8191, 8086, 8089, 8150, 8348, 8127, 8000 }"
lanserv_udp = "{ 53, 67, 68, 69, 123, 1194, 5060, 1770, 5243, 9785, 3690, 500, \
	4500, 10000, 4000, 4040, 8000, 8050 }"

# Samba service
# If you are setting up a firewall, you need to know what TCP and UDP ports to
# allow and block. Samba uses the following:
# Port 135/TCP - used by smbd loc-srv
# Port 137/UDP - used by nmbd netbios-ns
# Port 138/UDP - used by nmbd netbios-dgm
# Port 139/TCP - used by smbd netbios-ssn
# Port 445/TCP - used by smbd microsoft-ds # not required and produces log errors
# Port 901/TCP - used by swat
smb_tcp = "{ loc-srv, netbios-ssn, swat, microsoft-ds }"
smb_udp = "{ netbios-ns, netbios-dgm }"

# P2P (firewall and p2p in same computer)
#
# Transmission Port: /usr/ports/net-p2p/transmission-daemon
# Transmission (tcp 51413 default, or the range 49152:65535)
rpc_port_tcp = "9091"                   # Control web http://<ipserver>:9091
peer_port_tcp = "51413"
peer_port_range_tcp = "{ 49152:65535 }"

# Externally permitted inbound icmp types
icmp_types = "echoreq"

# OS X Recovery (does not pass through the proxy properly)
# http://support.apple.com/kb/HT5286
# $ host osrecovery.apple.com
# $ host oscdn.apple.com
osxrecovery = "{ 17.164.1.12, 200.31.210.11, 200.31.210.12 }"

#-------------------------------------------------------------------------------
# PF: Tables
#-------------------------------------------------------------------------------

# RFC 1918 addresses that just shouldn't be floating around the Internet, and
# when they are, are usually trying to cause trouble
table <priv_nets> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# Tables filled by the overload clauses in the filter section. "persist"
# keeps a table (and its entries) even when no rule references it, so its
# contents survive "pfctl -F all" and can always be inspected with
# "pfctl -t <name> -T show".
table <web-ddns> persist
table <ssh-bruteforce> persist

#-------------------------------------------------------------------------------
# PF: Options
#-------------------------------------------------------------------------------

set block-policy return
# Note: "return" answers blocked packets with a TCP RST or ICMP unreachable,
# which tells a scanner that a host is there. "set block-policy drop" is the
# more usual choice on an Internet-facing interface; "return" is friendlier
# for LAN clients, which fail fast instead of waiting for timeouts.
set loginterface $ext_if
set optimization aggressive

# Every Unix system has a "loopback" interface. It's a virtual network interface that
# is used by applications to talk to each other inside the system. On OpenBSD, the 
# loopback interface is lo(4). It is considered best practice to disable all 
# filtering on loopback interfaces. Using set skip will accomplish this.
set skip on lo

#-------------------------------------------------------------------------------
# PF: Scrub (Packet Normalization)
#-------------------------------------------------------------------------------

#scrub all reassemble tcp no-df random-id	# Enabling this causes problems on 8.2
#scrub all random-id fragment reassemble	# Under test on 8.2

#-------------------------------------------------------------------------------
# PF: Packet Queueing and Prioritization
#-------------------------------------------------------------------------------

# http://www.openbsd.org/faq/pf/queueing.html#example2
# http://www.openbsd.org/faq/pf/es/queueing.html#example2

#-------------------------------------------------------------------------------
# PF: Network Address Translation (NAT) and Packet Redirection
#-------------------------------------------------------------------------------

# Network address translation exception
#no nat on $ext_if from 192.168.16.8

# Network address translation
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# OpenVPN
# NAT the VPN connections (for access to the remote secure networks)
nat on $vpn_if from !($ext_if) -> ($vpn_if:0)

# FTP-Proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect ftp traffic to proxy (ftp-proxy)
#
# Install port: /usr/ports/ftp/ftp-proxy/
# Add to /etc/rc.conf the line:
# ftpproxy_enable="YES"
# Start the service with:
# # /etc/rc.d/ftp-proxy start
#
rdr pass on $int_if proto tcp from any to port ftp \
	-> 127.0.0.1 port ftp-proxy

# Other sites (Noticias RPTV, Comision TV)
rdr pass on $int_if proto tcp from any to port { 24, 18124 } \
	-> 127.0.0.1 port ftp-proxy

# Exceptions: do not redirect these hosts to squid
no rdr on $int_if proto tcp from 192.168.31.35 to !$int_if port www	# Other
no rdr on $int_if proto tcp from 192.168.16.7 to !$int_if port www	# Charlie
no rdr on $int_if proto tcp from 192.168.20.59 to !$int_if port www	# Procaster
#no rdr on $int_if proto tcp from 192.168.20.50 to !$int_if port www	# Nexio2
no rdr on $int_if proto tcp from 192.168.16.12 to !$int_if port www	# Core1 (Clima)
no rdr on $int_if proto tcp from 192.168.16.13 to !$int_if port www	# Core2 (Clima)

# OS X Recovery (does not pass through the proxy properly)
no rdr on $int_if proto tcp from any to $osxrecovery

# Redirect outgoing WWW requests from the LAN to squid (but not requests
# aimed at this server itself). Old Squid on port 3128:
#rdr pass on $int_if proto tcp from any to !$int_if port www \
#	-> 127.0.0.1 port 3128

# Same redirection for Squid 3.2, listening on port 3129
rdr pass on $int_if proto tcp from any to !$int_if port www \
	-> 127.0.0.1 port 3129

# Redirect and allow remote SIP to the Panasonic (the PBX does not support
# it; the SIP endpoints do not connect)
#rdr pass on $ext_if proto udp from any to port 5062 -> 192.168.20.31 \
#	port 5062

# Redirect and allow remote administration with SSH
# Echo (ssh user@alpha.telemedellin.tv -p 2222)
rdr pass on $ext_if proto tcp from any to port 2222 -> 192.168.16.9 \
	port 22
# Delta (ssh user@alpha.telemedellin.tv -p 2223)
rdr pass on $ext_if proto tcp from any to port 2223 -> 192.168.16.8 \
	port 22
# smb-testdomain.com (ssh user@alpha.telemedellin.tv -p 2224)
rdr pass on $ext_if proto tcp from any to port 2224 -> 192.168.20.48 \
	port 22

# Redirect and allow remote administration with RealVNC
# Streaming
rdr pass on $ext_if proto tcp from any to port 5900 -> 192.168.20.40 \
	port 5900
# Charlie
rdr pass on $ext_if proto tcp from any to port 5901 -> 192.168.16.7 \
	port 5900
# Delta
#rdr pass on $ext_if proto tcp from any to port 5903 -> 192.168.16.8 \
#	port 5900
# Echo
#rdr pass on $ext_if proto tcp from any to port 5904 -> 192.168.16.9 \
#	port 5901

# HP Workstation xw8200 S/N: 2UA6321CL4
rdr pass on $ext_if proto tcp from any to port 5905 -> 192.168.20.66 \
	port 5900

# Some machine, temporarily (tcp and udp)
#rdr pass on $ext_if proto {tcp, udp} from any to port 58021 -> 192.168.16.96 \
#	port 58021

# Redirect and allow remote administration with a web browser

# UPS Alphasys (port 80)
rdr pass on $ext_if proto tcp from any to port 81 -> 192.168.20.2 port 80

# UPS MinuteMan (port 82)
#rdr pass on $ext_if proto tcp from any to port 82 -> 192.168.16.251 port 82

# Control Encoder (port 80)
# Note: the original wrote this host as 192.168.20.06; an octet with a
# leading zero is rejected or read as octal depending on the parser, so it
# is spelled without the zero here.
rdr pass on $ext_if proto tcp from any to port 83 -> 192.168.20.6 port 80

# Control Modulator (port 80; host written as 192.168.20.05 in the original,
# see the leading-zero note above)
rdr pass on $ext_if proto tcp from any to port 84 -> 192.168.20.5 port 80

# Control TANDBERG Encoder 8040 (same host as port 83; written as
# 192.168.20.06 in the original, see the leading-zero note above)
rdr pass on $ext_if proto tcp from any to port 85 -> 192.168.20.6 port 80

# Control TANDBERG 8092
rdr pass on $ext_if proto tcp from any to port 86 -> 192.168.16.193 port 80

#  TANDERG RX8200
rdr pass on $ext_if proto tcp from any to port 87 -> 192.168.16.191 port 80

# UPS APC SURT10000XLT-1TF10K
rdr pass on $ext_if proto tcp from any to port 88 -> 192.168.20.1 port 80

# Dell PowerEdge R610 iDRAC6
#rdr pass on $ext_if proto tcp from any to port 89 -> 192.168.16.179 port 80

# Dell PowerConnect 5424
rdr pass on $ext_if proto tcp from any to port 90 -> 192.168.18.10 port 80

# CCTV cameras
#rdr pass on $ext_if proto tcp from any to port 91 -> 192.168.20.24 port 80

# TANDBERG Receiver
rdr pass on $ext_if proto tcp from any to port 92 -> 192.168.1.193 port 80

# Miranda Kaleido Model: X16-D S/N:086999-r45263010
rdr pass on $ext_if proto tcp from any to port 93 -> 192.168.1.170 port 80

# ECHO
rdr pass on $ext_if proto tcp from any to port 94 -> 192.168.1.180 port 80
# DarkStat
#rdr pass on $ext_if proto tcp from any to port 668 -> 192.168.1.180 port 667

# DELTA, web site
rdr pass on $ext_if proto tcp from any to port 95 -> 192.168.1.6 port 80

# Redirect and allow remote administration with other tools

# Control HPA (port 2000)
rdr pass on $ext_if proto tcp from any to port 2000 -> 192.168.20.7 port 2000

# Old cameras (ports 554:557)
#rdr pass on $ext_if proto tcp from any to port 554:557 -> 192.168.1.243 port 554:*

# Temporary redirection for some machine
#rdr pass on $ext_if proto udp from any to port 1770 -> 192.168.1.165 port 1770

# Windows Remote Desktop redirection (Margarita Monsalve)
rdr pass on $ext_if proto tcp from any to port 3389 -> 192.168.20.62 port 3389

# examples
# Redirect range to one port... port 2000:2999 -> 4000
#rdr pass on $ext_if proto tcp from any to port 2000:2999 -> $host port 4000
# Redirect range to another range... port 2000 to 4000, 2001 to 4001,.. 2999 to 4999
#rdr pass on $ext_if proto tcp from any to port 2000:2999 -> $host port 4000:*

#-------------------------------------------------------------------------------
# PF: Packet Filtering
#-------------------------------------------------------------------------------

# Restrictive default rules
block all

# Block packets and reply with a TCP RST or ICMP Unreachable response
block return

# FTP-Proxy
# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"

# Blocking spoofed packets
antispoof quick for { lo0 $int_if }

#-------------------------------------------------------------------------------
# Filter rules for $ext_if inbound

# Drop TCP flag combinations that only appear in scans (nmap OS detection)
block in $logopt quick proto tcp flags FUP/WEUAPRSF
block in $logopt quick proto tcp flags WEUAPRSF/WEUAPRSF
block in $logopt quick proto tcp flags SRAFU/WEUAPRSF
block in $logopt quick proto tcp flags /WEUAPRSF
block in $logopt quick proto tcp flags SR/SR
block in $logopt quick proto tcp flags SF/SF

# RFC 1918 addresses that just shouldn't be floating around the Internet, and
# when they are, are usually trying to cause trouble.
# Note: in the multi-host layout above, $ext_if itself sits on a private
# network, so this rule also matches the ISP router's own address; check
# pflog for what it blocks before relying on it in that layout.
block drop in on $ext_if from <priv_nets> to any

# Blocking some ip address in table
#block in quick on $ext_if from <blockedips>

# Allow permitted icmp (ping)
#pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# PF "Self-Protecting" an FTP Server (passive)
# Note: "to any port > 49151" admits every new inbound TCP connection to
# any port above 49151, with or without an FTP session, not just passive
# data channels; trim it to the FTP daemon's configured passive range.
pass in on $ext_if proto tcp from any to any port { ftp, > 49151 } \
	keep state

# Special rule for http, https
pass in on $ext_if proto tcp from any to ($ext_if) port { http, https } \
	flags S/SA keep state \
	(max-src-conn-rate 100/30, overload <web-ddns> flush global)
# block the web-ddns bastards
block drop in quick on $ext_if from <web-ddns>

# Manipulating with pfctl
# pfctl -t web-ddns -T show
# pfctl -t web-ddns -T add 218.70.0.0/16
# pfctl -t web-ddns -T delete 218.70.0.0/16

# Allow remote administration with SSH (better: use the rate-limited rule below)
#pass in on $ext_if proto tcp from any to port ssh flags S/SA keep state

# Special rule for ssh http://johan.fredin.info/openbsd/block_ssh_bruteforce.html
# Rate-limit new ssh connections per source; offenders land in <ssh-bruteforce>
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
	flags S/SA keep state \
	(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

# For security reasons always allow one administration address, even if it
# ever ends up in <ssh-bruteforce>. "quick" plus placement before the table
# block makes this rule win; written after a "block quick" without "quick",
# the block would apply to it as well.
pass in quick on $ext_if proto tcp from 190.0.38.166 to port ssh \
	flags S/SA keep state

# block the ssh bruteforce bastards
block drop in quick on $ext_if from <ssh-bruteforce>

# Manipulating with pfctl
# pfctl -t ssh-bruteforce -T show
# pfctl -t ssh-bruteforce -T add 218.70.0.0/16
# pfctl -t ssh-bruteforce -T delete 218.70.0.0/16

# serv_tcp
pass in on $ext_if proto tcp from any to any port $serv_tcp \
	flags S/SA keep state
# serv_udp
#pass in on $ext_if proto udp from any to any port $serv_udp

# P2P
#
# Transmission (tcp 51413 default, or the range 49152:65535)
pass in on $ext_if proto tcp from any to ($ext_if) port $rpc_port_tcp \
	flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port $peer_port_tcp \
	flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port $peer_port_range_tcp \
	flags S/SA keep state

# VPN connections inbound
pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if

#-------------------------------------------------------------------------------
# Filter rules for $ext_if outbound

pass out on $ext_if keep state

block drop out on $ext_if from any to { <priv_nets>, <ssh-bruteforce> }

#-------------------------------------------------------------------------------
# Filter rules for $int_if inbound

# For testing purposes, temporarily allow connections to all ports from the LAN
#pass in on $int_if keep state

# Block a particular IP address, e.g. one causing problems for squid
#block in quick on $int_if from 192.168.1.85

# Block a particular IP address, e.g. one causing problems for DNS
#block in quick on $int_if from 192.168.1.172

# Temporarily allow connections to all TCP and UDP ports above 1024 from one address
#pass in on $int_if proto { tcp, udp } from 192.168.20.58 to any port > 1024 \
#	keep state
# Temporarily allow connections to all TCP and UDP ports above 80 from one address (M24)
pass in on $int_if proto { tcp, udp } from 192.168.29.122 to any port > 80 \
	keep state

# Core1 and Core2 (TCP: 80, 443, 1270, 53  UDP: 1270, 53) (Clima)
pass in on $int_if proto { tcp, udp } from { 192.168.16.12, 192.168.16.13 } to any port > 80 \
	keep state

# Allow permitted icmp (ping); traceroute/tracert needs it!
pass in on $int_if inet proto icmp all icmp-type $icmp_types keep state

# Allow ports needed by Traceroute/Tracert test
pass in on $int_if proto udp from any to any port 33433:33626

# Network time protocol
pass in on $int_if proto udp from any to any port ntp

# Icecast2 from lan
pass in on $int_if proto tcp from !($ext_if) to 192.168.16.1 port 8000 \
	keep state

# NTOP from lan
pass in on $int_if proto tcp from !($ext_if) to 192.168.16.1 port 3000 \
	keep state

# lanserv_tcp
pass in on $int_if proto tcp from !($ext_if) to any port $lanserv_tcp \
	keep state
# lanserv_udp
pass in on $int_if proto udp from !($ext_if) to any port $lanserv_udp

# Allow ports needed by Samba from LAN
pass in on $int_if proto tcp from !($ext_if) to any port $smb_tcp \
	keep state
pass in on $int_if proto udp from !($ext_if) to any port $smb_udp

# Allow ports needed by a passive FTP server from the LAN
# Careful with this rule: if enabled, every machine on the LAN could connect
# to any port above 49151 on $int_if, because the filter applies on $int_if;
# no solution yet!
#pass in on $int_if proto tcp from !($ext_if) to $int_if port { ftp, > 49151 \
#	} keep state

# FTPS UdeA (ftps = 990, ftps-data = 989 and > 1024)
pass in on $int_if proto tcp from any to 200.24.23.206 port { ftps, ftps-data, > 1024 } \
	keep state

# Allow the Aviwest ports from the LAN
pass in on $int_if proto tcp from !($ext_if) to any port 8888 \
	keep state
pass in on $int_if proto udp from !($ext_if) to any port 7900:7904

#-------------------------------------------------------------------------------
# Filter rules for $int_if outbound

pass out on $int_if keep state

#-------------------------------------------------------------------------------
# Filter rules for $dmz_if inbound

#-------------------------------------------------------------------------------
# Filter rules for $dmz_if outbound

#-------------------------------------------------------------------------------
# Filter rules for $vpn_if inbound
pass in on $vpn_if keep state

#-------------------------------------------------------------------------------
# Filter rules for $vpn_if outbound
pass out on $vpn_if keep state


# NOTES:
#
# * The FreeBSD firewall blocks all inbound traffic by default.
# * FreeBSD may reach anything outbound, except the addresses listed in
#   <priv_nets> and <ssh-bruteforce>.
# * FTP requests are handled by the ftp-proxy proxy.
# * WWW requests are handled by the Squid-cache proxy.
# * Control of the LAN is done on $int_if
#
# Network UPS Tools requires TCP port 3493

# Nmap + PF http://forums.freebsd.org/showthread.php?t=3420
# Firewalls usually modify packets, hence nmap will not function properly. 
# Nmap relies on odd/strange packets. Firewalls don't like that. Turn the firewall 
# off when scanning.
# Nmap Changelog: http://nmap.org/changelog.html

# HOW-TOs:
#
# FTP-Proxy
# How-to: http://www.cyberciti.biz/faq/freebsd-opebsd-pf-firewall-ftp-configuration/
#
# Step # 1: Turn on ftp-proxy under FreeBSD
#
# Turn on ftp-proxy under FreeBSD
# Open /etc/rc.conf file under FreeBSD
# # vi /etc/rc.conf
# Append following line:
# ftpproxy_enable="YES"
#
# Step # 2: Configure pf and ftp-proxy
#
# Open your /etc/pf.conf file and add the following to its NAT section:
# nat-anchor "ftp-proxy/*"
# rdr-anchor "ftp-proxy/*"
# rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port ftp-proxy
#
#   20 = ftp-data
#   21 = ftp
# 8021 = ftp-proxy
#
# All three rules are required, even if your setup does not use NAT. Find your filtering
# rule and append the following rules:
# anchor "ftp-proxy/*"
# Save and close the file.
#
# Step # 3: Restart PF firewall
#
# Type the following command under FreeBSD:
# # /etc/rc.d/pf restart
#
# Step # 4: Start ftp-proxy
#
# Type the following command to start ftp-proxy under FreeBSD:
# # /etc/rc.d/ftp-proxy start
#
# To view the connections, type the following command under FreeBSD:
# # sockstat -4 |grep ftp-proxy
# proxy    ftp-proxy  79457 3  tcp4   127.0.0.1:8021        *:*
#
# FTP SERVER PASV
# http://slacksite.com/other/ftp.html#passive
#
# Livestream Mobile
#
# TCP 554: RTSP
#
# Subversion (SVN) 3690 TCP/UDP
#
# List of TCP and UDP port numbers
# http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
#
# About FTPS
#
# http://www.ipv4security.com/packet_flow/ftp_over_ssl.html
# http://www.cyberciti.biz/tips/configure-vsfptd-secure-connections-via-ssl-tls.html
#
#  989 = ftps-data
#  990 = ftps

 

Freebsd Squid3

Posted: May 10, 2014 in Freebsd, squid
squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
# Forward-proxy listener. The pf.conf post above sends the LAN's port 80
# traffic to 127.0.0.1 port 3129; intercepted traffic needs its own
# listener in intercept mode (http_port 3129 intercept) alongside this one.
hierarchy_stoplist cgi-bin ?
coredump_dir /usr/local/squid/cache
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cache_dir ufs /usr/local/squid/cache 512 16 256
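Squid evaluates http_access differently from PF: lines are tried top to bottom, every ACL on a line must match (a leading "!" negates one ACL), and the first line that matches decides; if nothing matches, the opposite of the last line's verdict applies. The following toy model is an added example written for this page, not Squid code: it transcribes the ACLs and http_access lines from the squid.conf above (the two manager lines are left out, since cache_object requests are not modeled) and runs constructed requests through them to show why CONNECT to port 8443 is refused even though 8443 is a "safe" port.

```python
"""Toy model of Squid's http_access evaluation (added example, not Squid
code): first matching line wins, all ACLs on a line are ANDed, '!' negates
one ACL, and with no match Squid applies the opposite of the last line's
verdict. ACLs and lines below follow this page's squid.conf; the requests
are constructed test input."""
from ipaddress import ip_address, ip_network

ACLS = {
    "localhost": ("src", [ip_network("127.0.0.1/32")]),
    "localnet": ("src", [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                         ip_network("192.168.0.0/16")]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591),
                            (777, 777)]),
    "CONNECT": ("method", ["CONNECT"]),
    "all": ("any", None),
}

# (verdict, ACL tokens) in the page's order, manager lines omitted.
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    """Does the named ACL match the request dict {src, method, port}?"""
    kind, values = ACLS[name]
    if kind == "any":
        return True
    if kind == "src":
        return any(ip_address(req["src"]) in net for net in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    raise ValueError(kind)


def http_access(req, rules=HTTP_ACCESS):
    """First line whose ACLs all match (negation honoured) decides."""
    for verdict, tokens in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in tokens):
            return verdict
    # No line matched: Squid uses the opposite of the last line's verdict.
    return "allow" if rules[-1][0] == "deny" else "deny"


def request(src, method, port):
    return {"src": src, "method": method, "port": port}


if __name__ == "__main__":
    for req in (request("192.168.16.7", "GET", 80),       # LAN, plain http
                request("192.168.16.7", "CONNECT", 443),  # LAN, https tunnel
                request("192.168.16.7", "CONNECT", 8443), # LAN, tunnel to non-SSL port
                request("192.168.16.7", "CONNECT", 22),   # LAN, tunnel to ssh
                request("203.0.113.9", "GET", 80)):       # not on the LAN
        print(req, "->", http_access(req))
```

The CONNECT-to-8443 case is the one worth internalising: "deny !Safe_ports" lets it through because 8443 falls in 1025-65535, so it is the second line, "deny CONNECT !SSL_ports", that stops the tunnel. Dropping the final "deny all" does not open the proxy to outsiders either, because the implicit default becomes the opposite of the last "allow" line, but relying on that implicit default is exactly the kind of thing a later edit silently breaks.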