firewall configuration
Dan Lukes
dan at obluda.cz
Tue Jul 8 11:19:21 CEST 2008
Jaroslav Votruba wrote:
> # safe loading of IPFW
> #ipfw -f flush && ipfw add 61000 allow all from any to any
While we're at it - if you run, once at system boot,
ipfw add 61000 set 31 allow all from any to any
you have that rule there permanently. A flush won't remove a rule like that.
But I have one more favourite "safe" way of changing the firewall. Instead
of a flush, put this at the start:
${fwcmd} delete set 1
${fwcmd} set move 0 to 1
${fwcmd} set enable 1 disable 0
${fwcmd} delete set 0
and at the very end
${fwcmd} set enable 0 disable 1
${fwcmd} delete set 1
That way the firewall isn't active while it is being populated, so it never
runs in an intermediate state - instead you fill it completely with the new
rules and then switch to them atomically.
> BSD works as a gateway for the internal network; mail, samba and a web server run on it and
> everything has to be reachable both from inside and from outside.
> What I'm mostly after is whether I've swapped some rule, or whether
> something can't be written more simply.
Well, if you expect heavy traffic, it's advisable to have as few rules as
possible, and to put the ones that match the most packets as high as possible.
If you don't expect heavy traffic, it more or less doesn't matter. Although
you never know when some attack will come.
So I'll assume you expect heavy traffic.
> Dan will surely push a ready-made solution, but I'd rather cobble it
> together myself anyway
With firewalls, and security in general, usually not. These are such
individual matters that it often can't even be done ...
> # set the outside interface and mask here
> oif="xl0" #NIC
> omask="255.255.255.252" #mask
> oip="89.31.47.158" #NIC IP address
>
> # set the inside interface and mask here
> iif="re0" #NIC
> inet="192.168.0.0" #network
> imask="255.255.255.0" #mask
> iip="192.168.0.1" #NIC IP address
>
> # set the VPN interface and mask here
> vif="tap0" #NIC
> vnet="10.0.1.0" #network
> vmask="255.255.255.0" #mask
> vip="10.0.1.1" #NIC IP address
>
> # Stop spoofing.
> ${fwcmd} 10 deny all from ${inet}:${imask} to any in via ${oif}
Drop it entirely and replace it with the sysctl setting
net.inet.ip.check_interface=1
Instead, you should prevent packets with improper addresses from leaving
for the outside network (the attacker may be on the inside too):
${fwcmd} 10 unreach filter-prohib all from not $oip to any out xmit ${oif}
> # Stop RFC1918 nets on the outside interface.
> ${fwcmd} 30 deny all from any to 10.0.0.0/8 via ${oif}
> ${fwcmd} 40 deny all from any to 172.16.0.0/12 via ${oif}
> ${fwcmd} 50 deny all from any to 192.168.0.0/16 via ${oif}
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface.
> ${fwcmd} 60 deny all from any to 0.0.0.0/8 via ${oif}
> ${fwcmd} 70 deny all from any to 169.254.0.0/16 via ${oif}
> ${fwcmd} 80 deny all from any to 192.0.2.0/24 via ${oif}
> ${fwcmd} 90 deny all from any to 224.0.0.0/4 via ${oif}
> ${fwcmd} 100 deny all from any to 240.0.0.0/4 via ${oif}
Make all of that one rule (to 10.0.0.0/8,172.16.0.0/12,...), and change
deny to unreach filter-prohib
> # Allow ftp and ssh
> ${fwcmd} 200 allow tcp from any to any 21 # ftp
> ${fwcmd} 210 allow tcp from any to any 22 # ssh
> ${fwcmd} 330 allow tcp from any to any 143 # imaps
> ${fwcmd} 340 allow tcp from any to any 993
> ${fwcmd} 350 allow tcp from any to any 110 # pop3s
> ${fwcmd} 360 allow tcp from any to any 995
> ${fwcmd} 500 allow tcp from any to any 80
> ${fwcmd} 510 allow tcp from any to any 443
Merge into one rule.
Instead of #, write the comment after // - a comment written that way is
remembered by ipfw and you'll see it in the listing (ipfw l).
> # Allow TCP through if setup succeeded.
> ${fwcmd} 700 allow tcp from any to any established
If this is there, then it's the typical candidate for a rule as high up as
possible. Best right after the divert. It's the one that resolves the vast
majority of packets - and when it's at the top, it does so early.
> ${fwcmd} 800 allow udp from any to any 137 via ${iif}
> ${fwcmd} 810 allow udp from any to any 138 via ${iif}
> ${fwcmd} 820 allow tcp from any to any 139 via ${iif}
> ${fwcmd} 830 allow udp from any to any 445 via ${iif}
Merge.
> ${fwcmd} 840 reset tcp from any to ${oip} 113 setup in via ${oif}
> ${fwcmd} 850 reset tcp from any to ${oip} 139 setup in via ${oif}
> ${fwcmd} 860 reset tcp from any to ${oip} 389 setup in via ${oif}
> ${fwcmd} 870 reset tcp from any to ${oip} 445 setup in via ${oif}
Merge. Personally I wouldn't use 'reset' but unreach filter-prohib
> # block spoofed UDP broadcast protocols without logging
> ${fwcmd} 900 deny udp from any 137 to any in via ${oif}
> ${fwcmd} 920 deny udp from any 138 to any in via ${oif}
> ${fwcmd} 930 deny udp from any 513 to any in via ${oif}
> ${fwcmd} 940 deny udp from any 525 to any in via ${oif}
Merge.
In general I don't like "silent" firewalls, i.e. the 'deny' action. A
capable attacker can detect the presence of a firewall anyway, and an
incapable one will hardly get past it even if he knows about it. So it
practically doesn't matter that it's known about.
What you will do, though, is curse yourself when you're hunting for why some
communication isn't getting through. Or someone else will curse you. A
situation where, for a particular communication from point A to point B,
packets silently vanish somewhere along the way and nobody knows where, is
unpleasant, hard to fix, and usually completely unnecessary.
Dan
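The set-switching sequence from the reply, combined with the merged rules and the unreach/`//`-comment advice it gives, as an added example (not code from the original post). FWCMD, the interface names and the addresses are assumptions; with the default FWCMD="echo ipfw" the script only prints the commands it would run, so it can be read and checked on a host without ipfw.

```shell
#!/bin/sh
# Added example, not from the original post. Loads a ruleset the way the
# reply describes: the live rules are parked in set 1, set 0 is disabled
# and filled with the new rules, then one "set enable/disable" call switches
# over. FWCMD defaults to "echo ipfw" (dry run) so it runs on a host without
# ipfw; use FWCMD=/sbin/ipfw to apply. Interfaces and addresses are assumed.
FWCMD="${FWCMD:-echo ipfw}"
oif="xl0"; oip="198.51.100.10"      # assumed outside NIC and its address
iif="re0"; inet="192.168.0.0/24"    # assumed inside NIC and network

fw() { ${FWCMD} "$@"; }

apply_ruleset() {
    # Park the current rules in set 1 and keep serving from there.
    fw delete set 1
    fw set move 0 to 1
    fw set enable 1 disable 0
    fw delete set 0
    # "add" lands in set 0, which is now disabled, so nothing below is live
    # until the switch at the end. Established traffic goes first: it
    # resolves most packets, so it should be matched as early as possible.
    fw add 100 allow tcp from any to any established
    # Egress anti-spoofing: only our own address may leave via the outside NIC.
    fw add 200 unreach filter-prohib all from not "${oip}" to any out xmit "${oif}"
    # One rule for all RFC1918 prefixes, rejecting with ICMP instead of a silent drop.
    fw add 300 unreach filter-prohib all from any to \
        10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 via "${oif}"
    # One rule per service group; the // comment is kept by ipfw and shown by "ipfw l".
    fw add 400 allow tcp from any to any 21,22,80,443,143,993,110,995 setup // public services
    fw add 500 allow udp from "${inet}" to any 137,138 via "${iif}" // samba
    # Atomic switch to the new rules, then discard the old ones.
    fw set enable 0 disable 1
    fw delete set 1
}

if [ "${1:-}" = "run" ]; then apply_ruleset; fi
```

Run it as `sh fw.sh run` to see the command sequence; every `add` falls between the call that disables set 0 and the call that re-enables it.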