Firewall
Večeřa Antonín
antonin.vecera at jme.cz
Mon Feb 23 12:14:35 CET 2004
> Ipfilter (ipf/ipnat) is a fully stateful filter, and if you are coming from a
> stateless one (e.g. the old stateless ipfw), it calls for a change of
> perspective. You may have reservations about stateful filtering, but the fact
> is that certain things simply cannot be done at all with a stateless filter.
> As for what was said here about a stateful filter being more susceptible to
> DoS, that is an opinion I will not dispute, but personally I would not
> overrate it. Nothing stops you from writing static rules in a stateful filter
> (ipf) too, which block the traffic you do not want just as with a stateless
> filter, but on top of that stateful rules let you close off the rest and
> thereby raise its security considerably.
Let me ask it this way - is there anything wrong (from a security standpoint)
with a firewall defined like this: (xl0 - Internet, xl1 - private network)
-----------------
# xl0 (Internet side): default block; group 1 lists the only exceptions
block in quick on xl0 all head 1
pass in quick proto icmp from any to 111.222.111.222/32 icmp-type echo group 1
pass in quick proto tcp from any to 111.222.111.222/32 port = http group 1
block return-icmp(port-unr) in quick proto udp from any to 111.222.111.222/32 group 1
block return-rst in quick proto tcp from any to 111.222.111.222/32 group 1
# xl1 (private side): default pass; group 2 only governs packets addressed
# to the firewall itself (192.168.0.2)
pass in quick on xl1 all head 2
pass in quick proto icmp from any to 192.168.0.2/32 icmp-type echo group 2
pass in quick proto udp from any to 192.168.0.2/32 port = domain group 2
pass in quick proto udp from any to 192.168.0.2/32 port = dhcps group 2
pass in quick proto tcp from any to 192.168.0.2/32 port = ssh group 2
block return-icmp(port-unr) in quick proto udp from any to 192.168.0.2/32 group 2
block return-rst in quick proto tcp from any to 192.168.0.2/32 group 2
# outbound: stateless rules for lo0, DNS and DHCP, then stateful rules for
# everything else (ICMP echo, UDP, and TCP connections opened with a SYN)
pass out quick on lo0 all
pass out quick proto udp from 192.168.0.2/32 port = domain to any
pass out quick proto udp from 192.168.0.2/32 port = dhcpc to any
pass out quick proto icmp all icmp-type echo keep state
pass out quick proto udp all keep state keep frags
pass out quick proto tcp all flags S keep state keep frags
-----------------
Incoming traffic is handled by stateless rules (a defence against DoS);
outgoing traffic has stateful rules - that makes it possible to close the firewall off completely.
Antonin V.
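As an added example (not part of the original post, and not IPFilter's own code), the following Python script models just enough of ipf's behaviour to show what the posted ruleset does with a handful of packets: first-match "quick" evaluation, head/group dispatch with the head rule's action as the group's fallback, and a state table filled by "keep state" passes and consulted before the rules in both directions. The hosts 1.2.3.4, 5.6.7.8 and 192.168.0.10 and all ephemeral ports are constructed; the model matches only /32 host addresses (all the posted set uses), tracks state as a plain 5-tuple, and assumes the stock ipf default of passing a packet that matches no rule at all.

```python
from collections import namedtuple

# The ruleset exactly as posted (xl0 = Internet side, xl1 = private side).
RULES = """
block in quick on xl0 all head 1
pass in quick proto icmp from any to 111.222.111.222/32 icmp-type echo group 1
pass in quick proto tcp from any to 111.222.111.222/32 port = http group 1
block return-icmp(port-unr) in quick proto udp from any to 111.222.111.222/32 group 1
block return-rst in quick proto tcp from any to 111.222.111.222/32 group 1
pass in quick on xl1 all head 2
pass in quick proto icmp from any to 192.168.0.2/32 icmp-type echo group 2
pass in quick proto udp from any to 192.168.0.2/32 port = domain group 2
pass in quick proto udp from any to 192.168.0.2/32 port = dhcps group 2
pass in quick proto tcp from any to 192.168.0.2/32 port = ssh group 2
block return-icmp(port-unr) in quick proto udp from any to 192.168.0.2/32 group 2
block return-rst in quick proto tcp from any to 192.168.0.2/32 group 2
pass out quick on lo0 all
pass out quick proto udp from 192.168.0.2/32 port = domain to any
pass out quick proto udp from 192.168.0.2/32 port = dhcpc to any
pass out quick proto icmp all icmp-type echo keep state
pass out quick proto udp all keep state keep frags
pass out quick proto tcp all flags S keep state keep frags
"""
PORTS = {"http": 80, "domain": 53, "dhcps": 67, "dhcpc": 68, "ssh": 22}  # as in /etc/services

# A packet as the filter sees it; syn=True means the TCP SYN flag is set ("flags S").
Packet = namedtuple("Packet", "iface proto src dst sport dport icmp_type syn",
                    defaults=(0, 0, "", False))

def parse_rule(line):
    """Parse one ipf rule into a dict (only the keywords the posted set uses)."""
    t, r, side = line.split(), {"src": "any", "dst": "any"}, None
    r["action"], i = t[0], 1
    if t[1].startswith("return-"):        # return-rst / return-icmp(port-unr)
        r["ret"], i = t[1], 2
    r["dir"], i = t[i], i + 1              # "in" or "out"
    while i < len(t):
        w = t[i]
        if w in ("quick", "all"):
            i += 1
        elif w in ("on", "proto", "icmp-type", "flags", "head", "group"):
            r[w.replace("-", "_")], i = t[i + 1], i + 2
        elif w in ("from", "to"):          # all addresses are /32 here: host match
            r["src" if w == "from" else "dst"] = t[i + 1].split("/")[0]
            side, i = ("sport" if w == "from" else "dport"), i + 2
        elif w == "port":                  # "port = name" binds to the last from/to
            r[side], i = PORTS[t[i + 2]], i + 3
        elif w == "keep":                  # keep state / keep frags
            r["keep_" + t[i + 1]], i = True, i + 2
        else:
            raise ValueError(f"unsupported token {w!r} in rule: {line}")
    return r

def matches(r, p, direction):
    g = r.get
    return (r["dir"] == direction and g("on") in (None, p.iface)
            and g("proto") in (None, p.proto) and r["src"] in ("any", p.src)
            and r["dst"] in ("any", p.dst) and g("sport") in (None, p.sport)
            and g("dport") in (None, p.dport) and g("icmp_type") in (None, p.icmp_type)
            and (g("flags") != "S" or p.syn))

class Ipf:
    """First-match ('quick') evaluation with head/group dispatch and a state table."""
    def __init__(self, text):
        self.rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
        self.state = set()  # 5-tuples of flows that a 'keep state' rule passed

    def filter(self, p, direction):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        if fwd in self.state or (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass (state)"  # the state table is consulted before the rules
        for r in self.rules:
            if "group" in r or not matches(r, p, direction):
                continue
            verdict = r  # for a head rule, its own action is the group's fallback
            if "head" in r:
                verdict = next((g for g in self.rules if g.get("group") == r["head"]
                                and matches(g, p, direction)), r)
            if verdict["action"] == "pass" and verdict.get("keep_state"):
                self.state.add(fwd)
            return verdict["action"] + (" " + verdict["ret"] if "ret" in verdict else "")
        # Assumption: stock ipf passes a packet that matches no rule at all
        # (kernel not built with IPFILTER_DEFAULT_BLOCK).
        return "pass (no match)"

def verdicts():
    """Constructed packets run through the posted set; returns name -> verdict."""
    fw, me, net = Ipf(RULES), "111.222.111.222", "5.6.7.8"   # net: constructed Internet host
    reply = Packet("xl0", "tcp", "1.2.3.4", me, 443, 40001)  # SYN-ACK for the flow below
    return {
        "ssh SYN from Internet": fw.filter(Packet("xl0", "tcp", net, me, 40000, 22, syn=True), "in"),
        "http SYN from Internet": fw.filter(Packet("xl0", "tcp", net, me, 40000, 80, syn=True), "in"),
        "reply with no state": Ipf(RULES).filter(reply, "in"),
        "outbound SYN": fw.filter(Packet("xl0", "tcp", me, "1.2.3.4", 40001, 443, syn=True), "out"),
        "reply after state": fw.filter(reply, "in"),
        "outbound bare ACK": fw.filter(Packet("xl0", "tcp", me, "1.2.3.4", 40002, 443), "out"),
        "LAN host to fw port 80": fw.filter(Packet("xl1", "tcp", "192.168.0.10", "192.168.0.2", 5000, 80, syn=True), "in"),
    }
```

Running `verdicts()` shows the two halves of the design working together: the same SYN-ACK from 1.2.3.4 is rejected with a RST when no state exists, but passed by the state entry once the outbound SYN has been seen, while an unsolicited SYN to port 22 on xl0 never reaches the stateful path at all. The "outbound bare ACK" case is the one worth noticing: nothing in the posted set matches a TCP packet without the SYN flag in the out direction, so whether it leaves depends on the filter's compiled-in default rather than on any rule in the file.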