IPFilter configuration

Ciernik Tomas tomas17 at zoznam.sk
Fri Jul 14 13:32:29 CEST 2006


Good day,

after a few days of struggling with the ipfilter setup on FreeBSD 6.0 I have
arrived at the following configuration:

# sanity checks: drop packets carrying IP options or short TCP fragments;
# on rl0, refuse new TCP connections (RST) and UDP (port unreachable)
# unless a later pass rule matches
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
block return-rst in log on rl0 proto tcp from any to any flags S/SA
block return-icmp(port-unr) in on rl0 proto udp all

# anti-spoofing on rl0: loopback addresses and 192.168.1.40 never leave the host
block out quick on rl0 from 127.0.0.0/8 to any
block out quick on rl0 from any to 127.0.0.0/8
block out quick on rl0 from any to 192.168.1.40/32

# anti-spoofing on rl0: loopback addresses and 192.168.1.40 never arrive from the wire
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 192.168.1.40/32 to any

# loopback is unrestricted
pass in quick on lo0 all
pass out quick on lo0 all

# inbound services; keep state so the replies are let back out
pass in quick proto tcp from 192.168.1.0/24 to any port = apcups keep state
pass in quick proto tcp from any to any port = http keep state
pass in quick proto tcp from any to any port = ssh keep state
pass in quick proto tcp from any to any port = openvpn keep state

# everything outbound on rl0; keep state so the replies are let back in
pass out on rl0 all keep state


The IPFILTER_DEFAULT_BLOCK option is enabled in the kernel.

It is not clear to me whether the block rules are needed at all (I assume that
whatever is not explicitly allowed does not get through).

The second thing I cannot explain is the behaviour of ssh. After changing the
last rule "pass out on rl0 all keep state" to "pass out on rl0 all", I get no
further than entering the username; after that there is only a timeout. But
after removing this rule altogether, the whole authentication procedure
(username and password) completes noticeably faster.


Thanks for your help,

Tomas.
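To show what `keep state` changes in the ruleset above, here is an added Python model of IPFilter's rule evaluation (example code written for this archive page, not from the original post or from IPFilter itself): the state table is consulted first, the last matching rule wins unless a matching rule is `quick`, and an unmatched packet falls to the kernel default block. With a reduced form of the posted rules (inbound ssh with state, then the "pass out" rule with or without `keep state`), a UDP answer to a lookup the host itself started, such as the reverse DNS query sshd makes for a connecting client, matches no pass-in rule and is admitted only through a state entry. The `Rule`/`Packet` names, the addresses and the ports are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
# direction is "in" or "out"; src/dst in the examples below are constructed addresses
Packet = namedtuple("Packet", "direction proto src sport dst dport")

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool = False          # a matching quick rule ends the search
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any destination port
    keep_state: bool = False     # remember the flow so its replies pass

def flow_key(p):
    # one key for both directions of a connection
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def matches(r, p):
    return (r.direction == p.direction and (r.proto is None or r.proto == p.proto)
            and (r.dport is None or r.dport == p.dport))

def filter_packet(rules, state, p, default="block"):
    """IPFilter order: state table first; then the last matching rule wins unless a
    matching rule is quick; no match falls to the default (IPFILTER_DEFAULT_BLOCK)."""
    if flow_key(p) in state:
        return "pass"
    winner = None
    for r in rules:
        if matches(r, p):
            winner = r
            if r.quick:
                break
    if winner is None:
        return default
    if winner.action == "pass" and winner.keep_state:
        state.add(flow_key(p))
    return winner.action

def ruleset(stateful_out):
    # reduced form of the posted rules: inbound ssh with state, then everything outbound
    return [Rule("pass", "in", quick=True, proto="tcp", dport=22, keep_state=True),
            Rule("pass", "out", keep_state=stateful_out)]

def dns_roundtrip(stateful_out):
    # verdicts for a DNS query the host sends out and the answer that comes back
    rules, state = ruleset(stateful_out), set()
    query = Packet("out", "udp", "192.168.1.10", 40000, "192.168.1.1", 53)
    reply = Packet("in", "udp", "192.168.1.1", 53, "192.168.1.10", 40000)
    return filter_packet(rules, state, query), filter_packet(rules, state, reply)
```

`dns_roundtrip(True)` gives ("pass", "pass"); `dns_roundtrip(False)` gives ("pass", "block"), because the answer is an inbound UDP packet that only the state entry could have let through.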




More information about the Users-l mailing list