Sergiu Icobescu wrote (2006-12-11, 20:03:03):
> # Packet Filter - example for two interfaces
Total and global disaster :)
[...]
You don't use these, comment them out:
int_ip="10.11.1.1"
not_local_network="!10.11.1.0/24"
gateway="a.b.34.129"
block_in_tcp_ports="{ 137, 138, 139, 81, 445, 199 }"
You need these, but I don't see any pass for them:
permit_in_udp_ports="{ 53, 953 }"
Here is your problem: you are missing the pass in/out rules for the traffic
you expect on these ports. The rest is idle talk, but if you want you can
keep reading.
If these are "default values", why did you put them in?!
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
Replace this:
set loginterface none
with this:
set loginterface $ext_if
:) Security through obscurity anyone?
set block-policy drop
Roughly like the one here, you also need one for your favourite UDP ports
(sorry for the lack of wrapping...):
pass in quick on $ext_if inet proto tcp from any to $ext_ip port $permit_in_tcp_ports flags S/SA keep state
As for rc.conf....
pflog_enable="YES"
Welcome to the world of people with firewalls:
man 5 pf.conf
http://cvs.openbsd.org/faq/pf/
http://www.tcpipguide.com/
Have fun.
--
Digitally yours,
Florin Iamandi (Slippery)
Reason is the first victim of emotion. -- Scytale, Dune Messiah
_______________________________________________ RLUG mailing list [email protected] http://lists.lug.ro/mailman/listinfo/rlug
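As an added illustration (not part of the original thread), here is a minimal pf.conf fragment showing what the reply asks for: stateful pass rules for the UDP ports in $permit_in_udp_ports next to the quoted TCP rule, logging on the external interface, and default deny so a missing pass rule shows up in pflog instead of failing silently. The interface name, $ext_ip address and $permit_in_tcp_ports contents are constructed placeholders, not values from the thread.

```pf
# Added example, not the original poster's config. Macro values are assumed placeholders.
ext_if="fxp0"                       # assumption: external interface name
ext_ip="192.0.2.10"                 # placeholder external address (TEST-NET)
permit_in_tcp_ports="{ 22, 80 }"    # constructed sample
permit_in_udp_ports="{ 53, 953 }"   # from the quoted config

# Log on the external interface so pflog0 shows what gets blocked
set loginterface $ext_if
set block-policy drop
set skip on lo0

# Default deny, logged: any service without a pass rule below is visible in pflog
block in log all
block out log all

# TCP: only a SYN without ACK creates state, the state table passes the rest of the connection
pass in quick on $ext_if inet proto tcp from any to $ext_ip port $permit_in_tcp_ports flags S/SA keep state

# UDP: the rule the reply says is missing. keep state is what lets the replies back out.
pass in quick on $ext_if inet proto udp from any to $ext_ip port $permit_in_udp_ports keep state

# Traffic originated by the firewall itself, stateful so return packets are matched
pass out quick on $ext_if inet proto { tcp udp } from $ext_ip to any keep state
pass out quick on $ext_if inet proto icmp from $ext_ip to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and with pflog_enable="YES" in rc.conf the blocked packets can be watched with `tcpdump -n -e -ttt -i pflog0`.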
