# No restrictions on the internal interface for internal network traffic. [Outbound]
pass out quick on rl1 all
# No restrictions on the internal interface for internal network traffic. [Inbound]
pass in quick on rl1 all
# No restrictions on loopback [Inbound]
pass in quick on lo0 all
# No restrictions on loopback [Outbound]
pass out quick on lo0 all
# If the source is the external network trying to reach DNS, allow. (No interface is given, so this matches on every interface.)
pass in quick proto udp from any to any port = 53 keep state
# If the destination is the income tax (Imposto de Renda) system on port 3456, allow.
pass out quick on nfe0 proto tcp from any to any port = 3456 keep state
# Allow access to external DNS for name resolution. [UDP]
pass out quick proto udp from any to any port = 53 keep state
# Allow access to WWW sites [Outbound]
pass out quick on nfe0 proto tcp from any to any port = 80 flags S keep state
# Allow secure HTTPS/SSL connections [Outbound]
pass out quick on nfe0 proto tcp from any to any port = 443 flags S keep state
# Allow receiving and sending mail [pop3]
pass out quick on nfe0 proto tcp from any to any port = 110 flags S keep state
# Allow receiving and sending mail [pop3 over SSL] GMail
pass out quick on nfe0 proto tcp from any to any port = 995 keep state
# Allow receiving and sending mail [smtp]
pass out quick on nfe0 proto tcp from any to any port = 25 flags S keep state
# Allow receiving and sending mail [smtp submission] on GMail
pass out quick on nfe0 proto tcp from any to any port = 587 keep state
# Allow outbound time protocol (port 37).
pass out quick on nfe0 proto tcp from any to any port = 37 flags S keep state
# Allow the internal network and the gateway to use FTP
pass out quick on nfe0 proto tcp from any to any port = 21 flags S keep state
# Allow secure FTP, Telnet and SCP (SSH)
pass out quick on nfe0 proto tcp from any to any port = 22 flags S keep state
# Allow insecure Telnet
pass out quick on nfe0 proto tcp from any to any port = 23 flags S keep state
# Allow FreeBSD CVSup
pass out quick on nfe0 proto tcp from any to any port = 5999 flags S keep state
# Allow pinging the public internet
pass out quick on nfe0 proto icmp from any to any icmp-type 8 keep state
# Allow whois from the LAN to the internet
pass out quick on nfe0 proto tcp from any to any port = 43 flags S keep state
# Block and log the first occurrence of everything else trying to leave. This rule enforces the default "deny all".
block out log first quick on nfe0 all
# Block RFC 1918 private addresses
block in quick on nfe0 from 192.168.0.0/16 to any
# Block RFC 1918 private addresses
block in quick on nfe0 from 172.16.0.0/12 to any
# Block RFC 1918 private addresses
block in quick on nfe0 from 10.0.0.0/8 to any
# Block loopback
block in quick on nfe0 from 127.0.0.0/8 to any
# Block 0.0.0.0/8 ("this network", never a valid source on the external interface)
block in quick on nfe0 from 0.0.0.0/8 to any
# DHCP automatic configuration (link-local)
block in quick on nfe0 from 169.254.0.0/16 to any
# Reserved for documentation (TEST-NET)
block in quick on nfe0 from 192.0.2.0/24 to any
# Sun cluster interconnect
block in quick on nfe0 from 204.152.64.0/23 to any
# Class D and E (multicast and reserved)
block in quick on nfe0 from 224.0.0.0/3 to any
# Block fragments
block in quick on nfe0 all with frags
# Block short TCP packets
block in quick on nfe0 proto tcp all with short
# Block source-routed packets
block in quick on nfe0 all with opt lsrr
# Block external PING.
block in quick on nfe0 proto icmp all icmp-type 8
# Block NetBIOS access attempts (name service)
block in log first quick on nfe0 proto tcp/udp from any to any port = 137
# Block NetBIOS access attempts (datagram service)
block in log first quick on nfe0 proto tcp/udp from any to any port = 138
# Allow access to the web server from the internet (Apache)
pass in quick on nfe0 proto tcp from any to any port = 80 flags S keep state
# Ports are only compared on TCP/UDP rules, so the DMZ rules below name proto tcp explicitly.
# If the source is the firewall with proxy trying to reach the DMZ where the web server lives, allow.
pass out quick proto tcp from 200.200.200.200 mask 255.255.255.255 to 192.168.255.1 mask 255.255.255.255 port = 80 keep state
# If the destination is the web server in the DMZ, allow access on port 80.
pass out quick proto tcp from any to 192.168.255.1 mask 255.255.255.255 port = 80 keep state
# If the destination is the web server in the DMZ on port 21 (FTP), allow.
pass out quick proto tcp from any to 192.168.255.1 mask 255.255.255.255 port = 21 keep state
# If the destination is the DMZ network, block traffic.
block out quick from any to 192.168.255.0 mask 255.255.255.0 keep state
# Block any inbound traffic from the external network.
block in log first quick on nfe0 all
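As an added example (not part of the post), a small Python first-match simulator run over a constructed excerpt of the inbound rules above. It shows what ipf's `quick` ordering does here: the interface-less DNS rule is reached before the anti-spoofing blocks, so an inbound UDP/53 packet on nfe0 with an RFC 1918 source is passed, while the same rules with the blocks moved ahead of it (and the DNS rule pinned to nfe0) block that packet. The parser understands only the keywords the excerpt uses (on, proto, from/to, port =, quick); flags and keep state are ignored.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpt of the inbound rules above, in the order the post lists them.
POSTED_ORDER = """
pass in quick proto udp from any to any port = 53 keep state
block in quick on nfe0 from 192.168.0.0/16 to any
block in quick on nfe0 from 10.0.0.0/8 to any
pass in quick on nfe0 proto tcp from any to any port = 80 flags S keep state
block in log first quick on nfe0 all
"""
# Same rules with the anti-spoofing blocks ahead of the DNS rule, which is also pinned to nfe0.
FIXED_ORDER = """
block in quick on nfe0 from 192.168.0.0/16 to any
block in quick on nfe0 from 10.0.0.0/8 to any
pass in quick on nfe0 proto udp from any to any port = 53 keep state
pass in quick on nfe0 proto tcp from any to any port = 80 flags S keep state
block in log first quick on nfe0 all
"""

def parse(text):
    """Parse the ipf subset used here (action, direction, quick, on, proto, from/to, port =)."""
    rules = []
    for t in filter(None, map(str.split, text.splitlines())):
        r = {"action": t[0], "dir": t[1], "quick": "quick" in t,
             "iface": None, "proto": None, "src": None, "dst": None, "port": None}
        for kw, field in (("on", "iface"), ("proto", "proto"), ("from", "src"), ("to", "dst")):
            if kw in t:
                r[field] = t[t.index(kw) + 1]
        if "port" in t:  # written as "port = N"
            r["port"] = int(t[t.index("port") + 2])
        rules.append(r)
    return rules

def in_net(addr, spec):
    return spec in (None, "any") or ip_address(addr) in ip_network(spec)

def matches(r, direction, iface, proto, src, dst, dport):
    return (r["dir"] == direction and r["iface"] in (None, iface)
            and (r["proto"] is None or proto in r["proto"].split("/"))
            and in_net(src, r["src"]) and in_net(dst, r["dst"]) and r["port"] in (None, dport))

def evaluate(text, direction, iface, proto, src, dst, dport):
    """ipf semantics: the last matching rule wins unless a match says quick; default verdict is pass."""
    verdict, hit = "pass", None
    for i, r in enumerate(parse(text)):
        if matches(r, direction, iface, proto, src, dst, dport):
            verdict, hit = r["action"], i
            if r["quick"]:
                break
    return verdict, hit

# Constructed packet: inbound UDP/53 on nfe0 with a spoofed RFC 1918 source.
SPOOFED = ("in", "nfe0", "udp", "192.168.1.1", "200.200.200.200", 53)
print(evaluate(POSTED_ORDER, *SPOOFED), evaluate(FIXED_ORDER, *SPOOFED))  # ('pass', 0) ('block', 0)
```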