Firewall

Večeřa Antonín antonin.vecera at jme.cz
Mon Feb 23 12:14:35 CET 2004

Previous message: Firewall
Next message: OpenSSH
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Ipfilter (ipf/ipnat) je plne stavovy filter a pokud prechazite od 
> nestavoveho (napr. stare nestavove ipfw) tak to chce zmenit pohled na 
> vec. Muzete mit ke stavove filtraci vyhrady, ale faktem je ze urcite 
> veci s nestavovym filtrem proste nejdou udelat vubec. Ohledne 
> toho co tu 
> padlo o vetsi nachylnosti proti DoSu ve stavovem filtru je to nazor, 
> ktery nikomu nevyvracim, ale osobne bych to neprecenoval. Nic vam 
> nebrani napsat si i ve stavovem filtru (ipf) staticka pravidla, ktera 
> zamezi provozu, ktery nechcete stejne jako u nestavoveho filtru, ale 
> navic pomoci stavovych pravidel mate moznost si privrit 
> zbytek a vyrazne 
> tim zvysit jeho bezpecnost.

Zeptam se takto - je neco spatneho (z hlediska bezpecnosti)
na takto definovanem firewallu:    (xl0 - Intenet, xl1 - privatni sit)

-----------------
block in quick on xl0 all head 1
pass in quick proto icmp from any to 111.222.111.222/32 icmp-type echo group 1
pass in quick proto tcp from any to 111.222.111.222/32 port = http group 1
block return-icmp(port-unr) in quick proto udp from any to 111.222.111.222/32 group 1
block return-rst in quick proto tcp from any to 111.222.111.222/32 group 1

pass in quick on xl1 all head 2
pass in quick proto icmp from any to 192.168.0.2/32 icmp-type echo group 2
pass in quick proto udp from any to 192.168.0.2/32 port = domain group 2
pass in quick proto udp from any to 192.168.0.2/32 port = dhcps group 2
pass in quick proto tcp from any to 192.168.0.2/32 port = ssh group 2
block return-icmp(port-unr) in quick proto udp from any to 192.168.0.2/32 group 2
block return-rst in quick proto tcp from any to 192.168.0.2/32 group 2

pass out quick on lo0 all
pass out quick proto udp from 192.168.0.2/32 port = domain to any
pass out quick proto udp from 192.168.0.2/32 port = dhcpc to any
pass out quick proto icmp all icmp-type echo keep state                         
pass out quick proto udp all keep state keep frags
pass out quick proto tcp all flags S keep state keep frags
-----------------

Prichozi provoz je resen bezstavovymi pravidly (obrana proti DoS),
odchozi provoz ma stavova pravidla - umozni to uplne uzavrit firewall.

Antonin V.

Previous message: Firewall
Next message: OpenSSH
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Users-l mailing list