ipfw/natd rules

michal.kutnohorsky at asp1000.com michal.kutnohorsky at asp1000.com
Tue May 29 11:42:45 CEST 2001


hi,
first I'll write down what I need :)
--what I need from ipfw/natd: all traffic from the internal network out, translation
of the address range 192.168.0.0 to the external one, ssh from the PC at work, block inbound
netbios-ns and ssn, port 8008, port 80, port 3306, so that nobody gets at my
mysql and apache server..

--do you know of any nice "command-line" tool for generating packets? One that
would e.g. generate a tcp packet with src port 80 to the server's dest address and let me see how
the packet arrives at the target and what the target did with it? it would make
firewall configuration a lot easier for me

thanks in advance for any advice.

I'm using the following rules, everything I need (in/out) works, but
these rules seem a bit clumsy to me. I wanted to simplify them
as follows:
ipfw add allow tcp from any 1024-65535 to any out
ipfw add allow tcp from any to any 1024-65535 in tcpflags ack
in this case http, ssh, icq and similar tcp services worked, but
https and the mp3 radio stream from the server mp3.radio1.cz:8000 no longer worked

when logging the rules I had this in the log while using the following rule, where
xxx.xxx.xxx.xxx

194.213.194.31:8000 192.168.0.40:1175 in via xl1
Apr 18 20:53:00 romeo /kernel: ipfw: 4400 Accept TCP 194.213.194.31:8000 192.168.0.40:1175 out via xl0
Apr 18 20:53:00 romeo /kernel: ipfw: 4400 Accept TCP 192.168.0.40:1175 194.213.194.31:8000 in via xl0
Apr 18 20:53:00 romeo /kernel: ipfw: 4400 Accept TCP xxx.xxx.xxx.xxx:1175 194.213.194.31:8000 out via xl1
Apr 18 20:53:00 romeo /kernel: ipfw: 4400 Accept TCP 194.213.194.31:8000 192.168.0.40:1175 in via xl1
Apr 18 20:53:00 romeo /kernel: ipfw: 4400 Accept TCP xxx.xxx.xxx.xxx:1175 194.213.194.31:8000 out via xl1

192.168.0.40:1523 216.136.204.21:80 in via xl0
May 28 21:27:53 romeo /kernel: ipfw: 265 Accept TCP xxx.xxx.xxx.xxx:1523 216.136.204.21:80 out via xl1
May 28 21:27:53 romeo /kernel: ipfw: 264 Accept TCP 216.136.204.21:80 192.168.0.40:1523 in via xl1
May 28 21:27:53 romeo /kernel: ipfw: 264 Accept TCP 216.136.204.21:80 192.168.0.40:1523 out via xl0


--if I rewrote it as follows, everything worked
ipfw add allow tcp from any 1024-65535 to any
ipfw add allow tcp from any to any 1024-65535

my current rules:
----------------------------------------- 
 /sbin/ipfw -f flush
 #loopback
 /sbin/ipfw add 100 allow all from any to any via lo0
 /sbin/ipfw add 200 deny all from any to 127.0.0.0/8
 #address translation
 /sbin/ipfw add divert natd all from any to any via xl1
 #
 /sbin/ipfw add count ip from any to any
 #ICMP
 /sbin/ipfw add allow icmp from any to any via xl0
 #allow ping
 /sbin/ipfw add allow icmp from any to any icmptypes 8 out via xl1
 /sbin/ipfw add allow icmp from any to any icmptypes 0 in via xl1
 /sbin/ipfw add allow icmp from any to any icmptypes 3,4,11,12 via xl1
 #DENY THE REST
 /sbin/ipfw add deny icmp from any to any
 #SMTP
 /sbin/ipfw add allow tcp from any to any 25
 /sbin/ipfw add allow tcp from any 25 to any
 #RDATE - once an hour cron runs the command rdate -s 131.188.3.9
 /sbin/ipfw add allow tcp from any to 131.188.3.9 37 out via xl1
 /sbin/ipfw add allow tcp from 131.188.3.9 37 to any in via xl1
 #FTP passive and non-passive
 /sbin/ipfw add allow tcp from any to any 21
 /sbin/ipfw add allow tcp from any 21 to any
 /sbin/ipfw add allow tcp from any 20 to any 1024-65535
 /sbin/ipfw add allow tcp from any 1024-65535 to any 20
 #SSH xxx.xxx.xxx.xxx is the IP of the PC at work, yyy.yyy.yyy.yyy is the server's IP
 /sbin/ipfw add allow tcp from any 1024-65535 to any 22 out
 /sbin/ipfw add allow tcp from any 22 to any 1024-65535 in
 /sbin/ipfw add allow tcp from 192.168.0.0/24 1024-65535 to any 22 in via xl0
 /sbin/ipfw add allow tcp from any 22 to 192.168.0.0/24 1024-65535 out via xl0
 /sbin/ipfw add allow tcp from xxx.xxx.xxx.xxx 1024-65535 to yyy.yyy.yyy.yyy 22 in via xl1
 /sbin/ipfw add allow tcp from yyy.yyy.yyy.yyy 22 to xxx.xxx.xxx.xxx 1024-65535 out via xl1
 #DNS
 /sbin/ipfw add allow udp from any to any 53
 /sbin/ipfw add allow udp from any 53 to any
 #DHCP ON THE INTERNAL NETWORK - the dhcpd for the internal network is configured to listen on xl0
 /sbin/ipfw add allow udp from 192.168.0.0/24 to 192.168.0.22 67 in via xl0
 /sbin/ipfw add allow udp from 192.168.0.22 67 to 192.168.0.0/24 out via xl0
 #BLOCK DHCP FROM OUTSIDE TO THE SERVER
 /sbin/ipfw add deny udp from any 67 to any out via xl1
 /sbin/ipfw add deny udp from any 68 to any 67 in via xl1
 #allow dhcp requests to the ISP's dhcp server
 /sbin/ipfw add allow udp from any 67 to any 68 in via xl1
 /sbin/ipfw add allow udp from any 68 to any 67 out via xl1
 #ALLOW HTTP
 /sbin/ipfw add allow tcp from any to any 80
 /sbin/ipfw add allow tcp from any 80 to any
 #BLOCK HTTP TO THE SERVER FROM OUTSIDE
 /sbin/ipfw add deny log tcp from any to any 80 in via xl1
 #POP3
 /sbin/ipfw add allow tcp from any to any 110
 /sbin/ipfw add allow tcp from any 110 to any
 #SAMBA
 /sbin/ipfw add allow udp from 192.168.0.0/24 to 192.168.0.22 137-139 in via xl0
 /sbin/ipfw add allow udp from 192.168.0.22 137-139 to 192.168.0.0/24 out via xl0
 /sbin/ipfw add allow tcp from 192.168.0.22 137-139 to 192.168.0.0/24 1024-65535 out via xl0
 /sbin/ipfw add allow tcp from 192.168.0.0/24 1024-65535 to 192.168.0.22 137-139 in via xl0
 /sbin/ipfw add allow udp from 192.168.0.0/24 to 192.168.0.255 137
 #BLOCK incoming and outgoing netbios packets on the external interface
 /sbin/ipfw add deny udp from any 137-139 to any out via xl1
 /sbin/ipfw add deny tcp from any to any 137-139 in via xl1
 /sbin/ipfw add deny udp from any to any 137-139 in via xl1
 #HTTPS
 /sbin/ipfw add allow tcp from any to any 443
 /sbin/ipfw add allow tcp from any 443 to any
 #MYSQL
 /sbin/ipfw add allow tcp from any to any 3306
 /sbin/ipfw add allow tcp from any 3306 to any
 #block access to my mysql server
 /sbin/ipfw add deny log tcp from any to any 3306 in via xl1
 #TRACEROUTE
 /sbin/ipfw add allow udp from any to any 33434-33523 out via xl1
 #ICQ
 /sbin/ipfw add allow tcp from any to any 5190
 /sbin/ipfw add allow tcp from any 5190 to any
 #X-SERVER
 /sbin/ipfw add deny log tcp from any to any 6000-6010 in via xl1
 #RADIOS
 /sbin/ipfw add allow tcp from any 8000 to any
 /sbin/ipfw add allow tcp from any to any 8000
 #WEBMIN is configured to listen only on the internal address and is restricted to access from a single internal address
 /sbin/ipfw add allow tcp from any 8008 to any via xl0
 /sbin/ipfw add allow tcp from any to any 8008 via xl0
 /sbin/ipfw add deny tcp from any to any 8008 in via xl1
 #reject all tcp packets from outside
 /sbin/ipfw add deny tcp from any to any in via xl1
 #reject broadcast from outside interface
 /sbin/ipfw add deny all from any to 0.0.0.255:0.0.0.255 in via xl1
 #reject all other conn from outside interface
 /sbin/ipfw add deny all from any to any via xl1

-------------------------------------------------------------------------
here is the list of services from netstat -a, where romeo is the server's hostname /internal
address 192.168.0.xx/

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0     44  yyy.yyy.yyy.yyy.ssh    xxx.xxx.xxx.xxxx.4610  ESTABLISHED
tcp4       0      0  romeo.netbios-ssn      *.*                    LISTEN
tcp4       0      0  *.ssh                  *.*                    LISTEN
tcp4       0      0  romeo.8008             *.*                    LISTEN
tcp4       0      0  romeo.domain           *.*                    LISTEN
udp4       0      0  *.bootpc               *.*
udp4       0      0  *.*                    *.*
udp4       0      0  *.syslog               *.*
udp4       0      0  romeo.netbios-dgm      *.*
udp4       0      0  romeo.netbios-ns       *.*
udp4       0      0  *.netbios-dgm          *.*
udp4       0      0  *.netbios-ns           *.*
udp4       0      0  *.10000                *.*
udp4       0      0  romeo.1027             romeo.syslog
udp4       0      0  romeo.domain           *.*
udp4       0      0  *.bootps               *.*
div4       0      0  *.natd                 *.*
ip 4       0      0  *.*                    *.*
icm4       0      0  *.*                    *.*
icm4       0      0  *.*                    *.*
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
c5ebfd40 stream      0      0        0 c5ebfd80        0        0
c5ebfd80 stream      0      0        0 c5ebfd40        0        0
c5ebfdc0 stream      0      0        0 c5ebfe00        0        0
c5ebfe00 stream      0      0        0 c5ebfdc0        0        0
c5ebfe40 stream      0      0        0 c5ebfe80        0        0
c5ebfe80 stream      0      0        0 c5ebfe40        0        0
c5ebfec0 stream      0      0        0 c5ebff00        0        0
c5ebff00 stream      0      0        0 c5ebfec0        0        0
c5ebfd00 dgram       0      0        0 c5ebffc0        0 c5ebfcc0
c5ebfcc0 dgram       0      0        0 c5ebffc0        0 c5ebff40
c5ebff40 dgram       0      0        0 c5ebffc0        0        0
c5ebffc0 dgram       0      0 c5eba840        0 c5ebfd00        0 /var/run/log
c5ebff80 dgram       0      0        0        0        0        0
 
 Michal Kutnohorsky
 +420 608 88 18 47
 e-mail: kutny at centrum.cz,
 michal.kutnohorsky at asp1000.com
 ICQ UIN 24864416
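To see which of the four passes a NATed connection makes through the chain the two simplified rules above actually cover, here is an added Python model (not from the post, and not ipfw itself) of ipfw's stateless first-match rule evaluation, limited to the options the post uses (in/out, via, port ranges, tcpflags ack). The packet passes are constructed from the logged lines, with the server port as a parameter so the 8000 and 443 cases can be compared; the default rule is assumed to deny.

```python
import re
from collections import namedtuple

# One traversal of a TCP packet through the rule chain (direction and iface as ipfw logs them).
Pass = namedtuple('Pass', 'src sport dst dport direction iface ack')

# Accepts the rule shapes used in the post: "allow tcp from any 1024-65535 to any out" etc.
RULE = re.compile(r'(allow|deny) tcp from (\S+)(?: (\d+(?:-\d+)?))? to (\S+)(?: (\d+(?:-\d+)?))?(.*)')

def parse(rule):
    action, src, sp, dst, dp, rest = RULE.fullmatch(rule.strip()).groups()
    opts = rest.split()
    return dict(action=action, src=src, sp=sp, dst=dst, dp=dp,
                direction=next((o for o in opts if o in ('in', 'out')), None),
                iface=opts[opts.index('via') + 1] if 'via' in opts else None,
                ack='tcpflags' in opts and 'ack' in opts)   # tcpflags ack: ACK must be set

def port_ok(spec, port):
    if spec is None:                      # no port in the rule: any port matches
        return True
    lo, _, hi = spec.partition('-')
    return int(lo) <= port <= int(hi or lo)

def matches(r, p):
    return (r['src'] in ('any', p.src) and r['dst'] in ('any', p.dst)
            and port_ok(r['sp'], p.sport) and port_ok(r['dp'], p.dport)
            and r['direction'] in (None, p.direction)   # no in/out: both directions
            and r['iface'] in (None, p.iface)           # no via: every interface
            and (p.ack or not r['ack']))

def verdict(rules, p):
    for r in rules:                       # first matching rule decides
        if matches(r, p):
            return r['action']
    return 'deny'                         # assumed default rule 65535: deny

def passes(server_port):
    """Constructed from the posted log: the LAN SYN enters on xl0, leaves translated on xl1,
    the reply enters on xl1 and, translated back by natd, leaves towards the LAN on xl0."""
    ext, lan, srv = 'xxx.xxx.xxx.xxx', '192.168.0.40', '194.213.194.31'
    return [Pass(lan, 1175, srv, server_port, 'in', 'xl0', False),
            Pass(ext, 1175, srv, server_port, 'out', 'xl1', False),
            Pass(srv, server_port, ext, 1175, 'in', 'xl1', True),
            Pass(srv, server_port, lan, 1175, 'out', 'xl0', True)]
def trace(rule_lines, server_port):
    rules = [parse(r) for r in rule_lines]
    return [verdict(rules, p) for p in passes(server_port)]
SIMPLIFIED = ['allow tcp from any 1024-65535 to any out',
              'allow tcp from any to any 1024-65535 in tcpflags ack']
def per_service(port):                    # the pair used per service in the posted ruleset
    return [f'allow tcp from any {port} to any', f'allow tcp from any to any {port}']
```

trace(SIMPLIFIED, 443) shows the SYN entering on xl0 and the reply leaving on xl0 both falling through to the default deny, while for port 8000 only the SYN does, because 8000 happens to lie inside 1024-65535. FreeBSD 4.x ipfw can also track connections with keep-state/check-state rather than guessing at port ranges.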
 



More information about the Users-l mailing list