IPFilter

Petr Rympler freebsd at webguru.cz
Wed May 21 18:36:26 CEST 2003


Hello,
delete:
options         IPFILTER_DEFAULT_BLOCK #everything forbidden

and only turn it back on once you know what all the rules do.

BTW: try ipfw.

Regards,
Petr Rympler


----- Original Message ----- 
From: <bojda at centrum.sk>
To: <users-l at freebsd.cz>
Sent: Wednesday, May 21, 2003 5:08 PM
Subject: IPFilter


> Hello, I have a serious problem with IPFilter on FreeBSD 4.8-
> RELEASE.
> I used the filtering rules given in the FreeBSD book by
> Michael Lucas.
> The procedure was as follows:
> vi /usr/src/sys/i386/conf/MYKERNEL
>
> #IPFilter
> options         IPFILTER #IPFilter
> options         IPFILTER_LOG #logging
> options         IPFILTER_DEFAULT_BLOCK #everything forbidden
> Kernel compilation
>
> In the configuration file /etc/rc.conf I enabled starting IP
> Filter:
> vi /etc/rc.conf
> ipfilter_enable="YES"            # YES = turn on ipfilter
> ipfilter_program="/sbin/ipf"    # program to run
> ipfilter_rules="/etc/ipf.rules" # file with the rules
> ipfilter_flags=""               # optional flags passed to the program
> ipmon_enable="YES" # logging
> ipmon_flags="-D /var/log/ipflog" # logging
>
> IPF rules:
> touch /etc/ipf.rules
> vi /etc/ipf.rules
>
> # start of rules
> # reject packets that make no sense, which I will never want to accept
> block in log quick from any to any with ipopts
> block in log quick proto tcp from any to any with short
> # system loopback interface
> # I can do whatever harm I like to myself
> pass in quick on lo0 all
> pass out quick on lo0 all
> # rules for outgoing packets
> pass out on rl0 all head 100
> block out from 127.0.0.0/8 to any group 100
> block out from any to 127.0.0.0/8 group 100
> block out from any to #mojaIP/32 group 100
> # rules for incoming packets
> block in on rl0 all head 200
> block in from 127.0.0.0/8 to any group 200
> block in from #mojaIP/32 to any group 200
> pass in quick proto tcp from any to any port = 22 keep state group 200
> # connection attempts to services I don't provide; let the clients close them!
> block return-rst in log proto tcp from any to any flags S/SA group 200
> block return-icmp(net-unr) in proto udp all group 200
> # end of rules
>
> Loading the IPFilter rules:
> ipf -F a && ipf -f /etc/ipf.rules
>
> The problems are as follows:
> - booting the system takes 15 minutes,
> - not a single network service works for me, nor do outgoing connections,
> - I can't even connect to the machine over ssh,
> - on top of that, these log lines appear immediately in the central syslog:
>
> May 15 14:07:15 dns kernel: #mojaIP sent an invalid ICMP error
> to a broadcast.
> May 15 14:08:24 samba last message repeated 4 times
> May 15 14:08:25 samba kernel: #mojaIP sent an invalid ICMP error
> to a broadcast.
>
> I will be grateful for any advice. In the book mentioned above the rules
> are described in detail and everything follows on logically. I really
> don't know where I could be making a mistake. When I use in /etc/ipf.rules:
> pass in from any to any
> pass out from any to any
> everything starts working.
> Andrej
>
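Added example, not part of either message above: a shell script that writes a corrected version of Andrej's /etc/ipf.rules and lints a rule file for the defect that explains his symptoms. In the ruleset as posted, `pass out on rl0 all head 100` creates no state, so the replies to anything the host itself starts (DNS answers, the SYN/ACK of an outgoing TCP connection, the name lookups done during boot and when sshd accepts a connection) arrive on rl0 as fresh inbound packets and fall into `block in on rl0 all head 200`, where only port 22 is allowed; that is consistent with the slow boot, dead outgoing connections and hanging ssh logins. The corrected file gives every outbound pass rule `keep state`, and narrows the `return-rst`/`return-icmp(net-unr)` rules to packets addressed to the host's own address, so UDP broadcasts are dropped silently by the head rule instead of being answered with an ICMP error, which is what the neighbouring kernels (`dns`, `samba`) are logging as "sent an invalid ICMP error to a broadcast". The interface name rl0 comes from the post; the address 192.0.2.10 in the usage comment is a documentation placeholder standing in for #mojaIP; `write_rules`, `count_stateless_out` and `load_rules` are this example's own helpers, not ipf tools.

```shell
#!/bin/sh
# Added example, not from the original thread. Writes a corrected /etc/ipf.rules
# in which every outbound pass rule keeps state, and lints a rule file for
# "pass out" rules that do not. Assumes the external interface is rl0 (from
# the post); the host's own address is passed in by the caller in place of
# the poster's #mojaIP placeholder.

write_rules() {   # usage: write_rules OUTFILE MYIP
    cat > "$1" <<EOF
# packets that never make sense
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
# loopback: anything goes
pass in quick on lo0 all
pass out quick on lo0 all
# anti-spoofing on the external interface, both directions
block out quick on rl0 from 127.0.0.0/8 to any
block out quick on rl0 from any to 127.0.0.0/8
block out quick on rl0 from any to $2/32
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from $2/32 to any
# everything this host starts is tracked, so the replies are let back in
pass out quick on rl0 proto tcp from any to any flags S/SA keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
# inbound: only ssh to our own address; everything else hits the head rule
block in on rl0 all head 200
pass in quick proto tcp from any to $2/32 port = 22 keep state group 200
# refuse unicast TCP/UDP politely; broadcasts fall through to the plain block
block return-rst in log proto tcp from any to $2/32 flags S/SA group 200
block return-icmp(net-unr) in proto udp from any to $2/32 group 200
EOF
}

# Count "pass out" rules on a non-loopback interface that lack "keep state".
# Prints the number; 0 means replies to outgoing traffic will be let back in.
count_stateless_out() {   # usage: count_stateless_out RULEFILE
    awk '/^pass out / && !/ on lo0 / && !/keep state/ { n++ } END { print n + 0 }' "$1"
}

# Load the file the way the poster does, after a parse-only dry run
# (ipf -n makes no ioctl calls, so a syntax error never leaves the kernel
# half-configured).
load_rules() {   # usage: load_rules RULEFILE
    ipf -n -f "$1" && ipf -F a && ipf -f "$1"
}

if [ "$#" -eq 2 ]; then   # e.g. ./fix-ipf.sh /etc/ipf.rules 192.0.2.10
    write_rules "$1" "$2"
    echo "stateless pass-out rules: $(count_stateless_out "$1")"
fi
```

Run `count_stateless_out` against the ruleset from the post and it reports 1 (the `pass out on rl0 all head 100` line); against the rewritten file it reports 0. The script does not call `load_rules` on its own, so the file can be inspected before it replaces the running ruleset.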