IPFilter

Roman Neuhauser neuhauser at bellavista.cz
Fri May 23 11:11:04 CEST 2003


# bojda at centrum.sk / 2003-05-21 17:08:47 +0200:
> IPF rules:
> 
> # start of rules
> # reject packets that make no sense and that I will never want to accept
> block in log quick from any to any with ipopts
> block in log quick proto tcp from any to any with short

> pass in quick on lo0 all
> pass out quick on lo0 all

> pass out on rl0 all head 100
> block out from 127.0.0.0/8 to any group 100
> block out from any to 127.0.0.0/8 group 100
> block out from any to #mojaIP/32 group 100

> block in on rl0 all head 200
> block in from 127.0.0.0/8 to any group 200
> block in from #mojaIP/32 to any group 200
> pass in quick proto tcp from any to any port = 22 keep state group 200

> block return-rst in log proto tcp from any to any flags S/SA group 200
> block return-icmp(net-unr) in proto udp all group 200
> # end of rules
 
    try this ruleset:

    pass in quick on lo0 all
    pass out quick on lo0 all

    pass out quick on rl0 all keep state head 100
    block in quick on rl0 all head 200

    block out quick from 127.0.0.0/8 to any group 100
    block out quick from any to 127.0.0.0/8 group 100

    block in from #mojaIP/32 to any group 200
    pass in quick proto tcp from any to any port = 22 keep state group 200

    block return-rst in quick log proto tcp all group 200
    block return-icmp(port-unr) in quick proto udp all group 200

> Loading the IPFilter rules:
> ipf -F a && ipf -f /etc/ipf.rules

    I recommend a single command:
    ipf -Fa -FS -f /etc/ipf.rules
 
> The problems are as follows:
> - system startup takes 15 minutes,

    hm... you are probably waiting on several DNS queries (and the like)
    sent out by the network services that are starting up

> - not a single network service works, and neither do outbound connections.

    no surprise there, you blocked everything.

> - I can't even connect to the machine over ssh.

    hmmm, that should work...

> - moreover, these log entries show up in the central syslog immediately:
> 
> May 15 14:07:15 dns kernel: #mojaIP sent an invalid ICMP error to a broadcast.
> May 15 14:08:24 samba last message repeated 4 times
> May 15 14:08:25 samba kernel: #mojaIP sent an invalid ICMP error to a broadcast.

    I'm not sure right now, but my understanding is that if the machine is
    not a router, "destination network unreachable" really is nonsense.
    Since you mention only one network card, I assume this is a machine
    connected to a single network. In that case only "port unreachable"
    makes sense.
 
-- 
If you cc me or remove the list(s) completely I'll most likely ignore
your message.    see http://www.eyrie.org./~eagle/faqs/questions.html
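The reply above rests on three ipf behaviours: without `quick` the last matching rule decides the verdict; rules in a `group` are consulted only when their `head` rule matches (and, as modelled here, a `quick` head ends processing once its group has been evaluated); and `keep state` on the outbound `pass` rule is what lets replies to outbound connections back in, because the state table is checked before any rule. The following toy evaluator is an added example, not code from the thread: it models those semantics and runs the rl0 part of the poster's ruleset and of the suggested one over constructed traffic. `MY_IP`, the remote addresses and the ports are assumed stand-ins for the `#mojaIP` placeholder; the lo0 and `with ipopts`/`with short` rules are left out because the modelled packets arrive on rl0 without IP options, so they would never match.

```python
# Added example, not code from the mail: a toy model of the ipf rule semantics
# the reply relies on (last match wins unless 'quick'; 'head'/'group' rule groups;
# 'keep state' checked before any rule), run over the rl0 part of both rulesets.
import ipaddress
from typing import NamedTuple

ANY = ipaddress.ip_network("0.0.0.0/0")
MY_IP = "192.0.2.10"            # assumed stand-in for the thread's #mojaIP placeholder

class Packet(NamedTuple):
    direction: str; iface: str; proto: str; src: str; sport: int; dst: str; dport: int
    flags: str = ""             # TCP flag letters that are set, e.g. "S" or "SA"
class Rule:                     # one ipf.conf line, limited to the keywords used in the thread
    src = dst = ANY; quick = keep_state = False; reply = ""
    iface = proto = flags = sport = dport = head = group = None

    def __init__(self, line):
        self.text, t = line, line.replace(" = ", " ").split()     # "port = 22" -> "port 22"
        self.action = t.pop(0)
        self.direction, side = t.pop(1 if t[0].startswith("return-") else 0), "dport"
        while t:
            w = t.pop(0)
            if w in ("on", "proto", "flags"): setattr(self, {"on": "iface"}.get(w, w), t.pop(0))
            elif w in ("head", "group"): setattr(self, w, int(t.pop(0)))
            elif w == "port": setattr(self, side, int(t.pop(0)))    # binds to the last from/to
            elif w in ("from", "to"):
                side, attr = ("sport", "src") if w == "from" else ("dport", "dst")
                setattr(self, attr, ANY if (a := t.pop(0)) == "any" else ipaddress.ip_network(a))
            elif w == "quick": self.quick = True
            elif w == "keep": self.keep_state = bool(t.pop(0))       # "keep state"
            elif w.startswith("return-"): self.reply = w              # return-rst, return-icmp(..)
            elif w not in ("log", "all"): raise ValueError(f"unsupported keyword {w!r}: {line}")
    def matches(self, p):
        want, mask = (self.flags or "/").split("/")   # "S/SA": of mask bits S,A exactly S is set
        return (self.direction == p.direction and self.iface in (None, p.iface)
                and self.proto in (None, p.proto) and self.sport in (None, p.sport)
                and self.dport in (None, p.dport) and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and all((f in p.flags) == (f in want) for f in mask))

conn_key = lambda p: (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))  # direction-free

class Firewall:
    def __init__(self, ruleset):
        self.top, self.groups, self.state = [], {}, set()
        for r in map(Rule, ruleset.strip().splitlines()):
            (self.top if r.group is None else self.groups.setdefault(r.group, [])).append(r)

    def _walk(self, rules, p):  # ipf order: the last matching rule wins unless a match is 'quick'
        last = None
        for r in rules:
            if not r.matches(p): continue
            last, stop = r, r.quick
            if r.head is not None:              # evaluate the group this rule heads
                sub, sub_stop = self._walk(self.groups.get(r.head, []), p)
                last, stop = sub or last, stop or sub_stop
            if stop: return last, True
        return last, False

    def filter(self, p):        # 'pass', 'block' or 'block+return-...' for one packet
        if conn_key(p) in self.state:           # the state table is checked before any rule
            return "pass"
        r, _ = self._walk(self.top, p)
        if r is None or r.action == "pass":     # default pass unless built with IPFILTER_DEFAULT_BLOCK
            if r is not None and r.keep_state: self.state.add(conn_key(p))
            return "pass"
        return "block" + ("+" + r.reply if r.reply else "")

POSTERS_RL0_RULES = f"""
pass out on rl0 all head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to {MY_IP}/32 group 100
block in on rl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from {MY_IP}/32 to any group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
"""
SUGGESTED_RL0_RULES = f"""
pass out quick on rl0 all keep state head 100
block in quick on rl0 all head 200
block out quick from 127.0.0.0/8 to any group 100
block out quick from any to 127.0.0.0/8 group 100
block in from {MY_IP}/32 to any group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in quick log proto tcp all group 200
block return-icmp(port-unr) in quick proto udp all group 200
"""

def run(ruleset):       # constructed traffic: our DNS exchange, then outside SYNs to 22 and 80
    fw = Firewall(ruleset)
    query = Packet("out", "rl0", "udp", MY_IP, 40001, "198.51.100.53", 53)
    reply = Packet("in", "rl0", "udp", "198.51.100.53", 53, MY_IP, 40001)
    syn = lambda port: Packet("in", "rl0", "tcp", "203.0.113.5", 51000, MY_IP, port, flags="S")
    return {"dns query": fw.filter(query), "dns reply": fw.filter(reply),
            "ssh syn": fw.filter(syn(22)), "http syn": fw.filter(syn(80))}
```

`run(POSTERS_RL0_RULES)` lets the DNS query out but answers the reply with `block+return-icmp(net-unr)`, because the inbound group has no state to match and its last matching rule is the `return-icmp` one; `run(SUGGESTED_RL0_RULES)` passes the reply through the state entry created by `pass out quick ... keep state`. SSH SYNs pass under both rulesets and other SYNs get `block+return-rst`. The model only records which reply a block rule asks for; it does not model what the kernel does with that ICMP error afterwards (for a broadcast destination, for instance), so it says nothing about the syslog lines quoted above.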



More information about the Users-l mailing list