IPFilter

bojda at centrum.sk bojda at centrum.sk
Wed May 21 17:08:47 CEST 2003

Previous message: mc a konsole
Next message: IPFilter
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dobry den, mam zavazny problem s IPFiltrom vo FreeBSD 4.8-
RELEASE.
Pouzil som pravidla filtrovania uvedene v knizke o FreeBSD, 
autor: Michael Lucas.
Postup bol nasledovny:
vi /usr/src/sys/i386/conf/MYKERNEL

#IPFilter
options         IPFILTER		#IPFilter
options         IPFILTER_LOG		#logovanie
options         IPFILTER_DEFAULT_BLOCK	#vsetko zakazane
Kompilacia jadra

V konfiguracnom subore /etc/rc.conf som povolil spustanie IP 
Filtra:
vi /etc/rc.conf
ipfilter_enable="YES"            # YES = zapnutie ipfilteru
ipfilter_program="/sbin/ipf"    # program, ktory sa spusti 
ipfilter_rules="/etc/ipf.rules" # subor s pravidlami
ipfilter_flags=""               # pripadne volby pri spusteni 
programu
ipmon_enable="YES"		# logovanie
ipmon_flags="-D /var/log/ipflog" # logovanie

Pravidla IPF:
touch /etc/ipf.rules
vi /etc/ipf.rules

# zaciatok pravidiel
#odmietnutie paketov nedavajuvich zmysel, ktore nikdy nebudem 
chciet prijat
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
#systemove rozhranie loopback
#sam sebe mozem robit akokolvek zle
pass in quick on lo0 all
pass out quick on lo0 all
#pravidla pre odchadzajuce pakety
pass out on rl0 all head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to #mojaIP/32 group 100
#pravidla pre prichadzajuce pakety
block in on rl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from #mojaIP/32 to any group 200
pass in quick proto tcp from any to any port = 22 keep state 
group 200
#pokusy o spojenie so sluzbami, ktore neposkytujem, necham 
klientami zatvorit!
block return-rst in log proto tcp from any to any flags S/SA 
group 200
block return-icmp(net-unr) in proto udp all group 200
#koniec pravidiel

Nacitanie pravidiel IPFiltru:
ipf -F a && ipf -f /etc/ipf.rules

Problemy su nasledujuce:
-spustanie systemu trva 15 minut,
-nefunguje mi ani jedna sietova sluzba a spojenia smerom von.
-ani sa nepripojim cez ssh do pocitaca.
-navyse v centralnom syslogu sa mi okamzite objavuju tieto logy:

May 15 14:07:15 dns kernel: #mojaIP sent an invalid ICMP error 
to a broadcast.
May 15 14:08:24 samba last message repeated 4 times
May 15 14:08:25 samba kernel: #mojaIP sent an invalid ICMP error 
to a broadcast.

Budem vdacny za kazdu radu. V uvedenej knizke su pravidla 
popisane podrobne a vsetko to navazuje logicky na seba. Naozaj 
neviem kde mozem robit chybu. Ked pouzijem v /etc/ipf.rules:
pass in from any to any
pass out from any to any
vsetko zacne fungovat.
Andrej

---------------------------------------------------------------------------------------
Získajte supervýhodné ADSL ešte výhodnejšie v cenovom odpočítavaní Slovanet ADSL Teraz!
Čím skôr sa rozhodnete, tým viac ušetríte.
http://www.slovanet.sk/menu/adsl.html
---------------------------------------------------------------------------------------

Previous message: mc a konsole
Next message: IPFilter
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Users-l mailing list