ru.unix.bsd- RU.UNIX.BSD ------------------------------------------------------------------ From : Sergey A. Yakovets 2:5004/75.5088 05 Sep 2005 10:55:21 To : All Subject : ipfw --------------------------------------------------------------------------------
Не могу разобраться, в чем дело.
На сервере поднят НАТ, два интерфейса, один наружу, другой внутрь.
Ниже листинг firewall, написанный по образу и подобию того, что приведен в
хэндбуке.
Собственно вопросы:
1) 70-правилом разрешается выход пакетов, направленных на 80-й порт
Интернет вроде бы работает, но в логах регулярно валятся сообщения о том, что
какому-то хосту из локальной сети было это делать запрещено.
kernel: ipfw: 650 Deny TCP 192.168.0.103:2026 81.19.66.19:80 out via rl0
kernel: ipfw: 650 Deny TCP 192.168.0.184:1304 194.67.23.157:80 out via rl0
kernel: ipfw: 650 Deny TCP 192.168.0.184:1334 194.67.23.157:80 out via rl0
kernel: ipfw: 650 Deny TCP 192.168.0.184:1299 194.67.23.157:80 out via rl0
kernel: ipfw: 650 Deny TCP 192.168.0.184:1300 194.67.23.157:80 out via rl0
kernel: ipfw: 650 Deny TCP 192.168.0.184:1284 194.67.57.153:80 out via rl0
kernel: ipfw: 650 Deny TCP 192.168.0.103:2045 194.67.23.112:80 out via rl0
kernel: ipfw: 650 Deny TCP 192.168.0.184:1289 194.67.23.157:80 out via rl0
kernel: ipfw: 650 Deny TCP 192.168.0.184:1287 194.67.45.99:80 out via rl0
kernel: ipfw: 650 Deny TCP 192.168.0.184:1286 194.67.23.157:80 out via rl0
Что я неправильно сделал?
2) 150 и 160 правилом разрешено хождение по фтп. Проблема возникает при попытке
зайти на фтп-сервер, который работает в пассивном режиме.
kernel: ipfw: 600 Deny TCP 67.159.5.204:20 192.168.0.100:1378 in via rl0
kernel: ipfw: 600 Deny TCP 67.159.5.204:20 192.168.0.100:1378 in via rl0
kernel: ipfw: 600 Deny TCP 67.159.5.204:20 192.168.0.100:1378 in via rl0
Что я тут неправильно сделал?
Заранее спасибо за ответы.
ЛИСТИНГ ПРАВИЛ FIREWALL
**************************************************************************
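#!/bin/sh
# shellcheck disable=SC2086
#
# ipfw ruleset for a NAT gateway with two interfaces: rl0 faces the
# Internet (it is also the natd interface), fxp0 faces the private LAN.
# Modelled on the FreeBSD Handbook stateful ruleset.
#
# Rule flow: outbound traffic is matched by the stateful "skipto 1000"
# rules in SECTION 2, NATed by rule 1000 and passed by 1001. Inbound
# traffic on the public interface is de-NATed by rule 030 and then
# matched by check-state (040) against the dynamic rules that the
# outbound "keep-state" rules created. Because the outbound divert sits
# after the keep-state rules, the dynamic rules hold the LAN (pre-NAT)
# addresses; that is why 030 must run before 040.
#
# SC2086 is disabled file-wide on purpose: $fwcmd holds a command plus
# its options and must be word-split at every use.

# Firewall execution command
fwcmd="/sbin/ipfw -q add"
# NATD public interface (not referenced by the rules below)
natdinterface="rl0"
# Public interface
extinterface="rl0"
# Private interface
localinterface="fxp0"

# Reset all firewall rules
/sbin/ipfw -f flush

############################################################
## SECTION 1                                               #
## UNRESTRICTED ACCESS TO LOOPBACK AND LOCALNET INTERFACES #
############################################################
# No restrictions on LoopBack interface
$fwcmd 010 allow all from any to any via lo0
# Allow access to telnet, SSH, FTP, Rlogin only to administrator
$fwcmd 011 allow all from 192.168.0.100 to any 20,21,22,23,513 in via "$localinterface"
# Deny access to telnet, SSH, FTP from other locations
$fwcmd 012 deny log all from any to any 20,21,22,23,513 in via "$localinterface"
# No restrictions on Local NIC for other (except telnet, FTP, SSH) services
$fwcmd 020 allow all from any to any via "$localinterface"

############################################################
## SUBSECTION 1-1                                          #
############################################################
# Check if packet is inbound and NAT it if it is. This runs before
# check-state so the de-NATed packet carries the LAN address that the
# dynamic rule was created with.
$fwcmd 030 divert natd ip from any to any in via "$extinterface"
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow/skipto keep-state statement
$fwcmd 040 check-state

############################################################
## SECTION 2                                               #
## PUBLIC INTERFACE OUTBOUND SECTION                       #
############################################################
# Every rule here only matches the first packet of a flow ("setup" for
# TCP); follow-up packets are expected to match check-state (040).
# Allow access out to DNS-servers
$fwcmd 050 skipto 1000 udp from any to any 53 out via "$extinterface" keep-state
# Allow out non-secure standard WWW function
$fwcmd 070 skipto 1000 tcp from any to any 80 out via "$extinterface" setup keep-state
# Allow out secure WWW function https over TLS SSL
$fwcmd 080 skipto 1000 tcp from any to any 443 out via "$extinterface" setup keep-state
# Allow out send and get E-Mail function
$fwcmd 090 skipto 1000 tcp from any to any 25 out via "$extinterface" setup keep-state
$fwcmd 100 skipto 1000 tcp from any to any 110 out via "$extinterface" setup keep-state
# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges
$fwcmd 110 skipto 1000 tcp from me to any out via "$extinterface" setup keep-state uid root
# Allow out ping
$fwcmd 120 skipto 1000 icmp from any to any out via "$extinterface" keep-state
# Allow out time
$fwcmd 130 skipto 1000 tcp from any to any 37 out via "$extinterface" setup keep-state
# Allow out nntp news (i.e. news groups)
$fwcmd 140 skipto 1000 tcp from any to any 119 out via "$extinterface" setup keep-state
# Allow out non-secure FTP control channel (21). Rule 150 only matches a
# LAN host connecting *to* port 20, which normal FTP clients never do.
# NOTE(review): neither rule covers the FTP data channel. In active mode
# the server opens it inbound from its port 20 and it falls through to
# rule 600; in passive mode the client opens it outbound to a high port
# chosen by the server, and no rule in this section permits that for LAN
# hosts (110 only covers root-owned connections from the gateway itself).
$fwcmd 150 skipto 1000 tcp from any to any 20 out via "$extinterface" setup keep-state
$fwcmd 160 skipto 1000 tcp from any to any 21 out via "$extinterface" setup keep-state
# Allow out non-secure Telnet
$fwcmd 170 skipto 1000 tcp from any to any 23 out via "$extinterface" setup keep-state
# Allow out secure FTP, Telnet, SSH
$fwcmd 180 skipto 1000 tcp from any to any 22 out via "$extinterface" setup keep-state
# Allow out whois
$fwcmd 190 skipto 1000 tcp from any to any 43 out via "$extinterface" setup keep-state
# Allow out ntp time server
$fwcmd 200 skipto 1000 udp from any to any 123 out via "$extinterface" keep-state
# Allow out BINK+ (FidoNet)
$fwcmd 210 skipto 1000 tcp from any to any 24554 out via "$extinterface" setup keep-state
# Allow out ICQ
$fwcmd 220 skipto 1000 tcp from any to any 5190 out via "$extinterface" setup keep-state

############################################################
## SECTION 3                                               #
## PUBLIC INTERFACE INBOUND SECTION                        #
############################################################
############################################################
## SUBSECTION 3-1                                          #
## DENY RULESET                                            #
############################################################
# Deny all inbound traffic from non-routable reserved address spaces
$fwcmd 300 deny all from 192.168.0.0/16 to any in via "$extinterface"
$fwcmd 301 deny all from 172.16.0.0/12 to any in via "$extinterface"
$fwcmd 302 deny all from 10.0.0.0/8 to any in via "$extinterface"
$fwcmd 303 deny all from 127.0.0.0/8 to any in via "$extinterface"
$fwcmd 304 deny all from 0.0.0.0/8 to any in via "$extinterface"
$fwcmd 305 deny all from 169.254.0.0/16 to any in via "$extinterface" # DHCP autoconfig
$fwcmd 306 deny all from 192.0.2.0/24 to any in via "$extinterface" # Reserved for docs
$fwcmd 307 deny all from 204.152.64.0/23 to any in via "$extinterface" # SUN cluster
$fwcmd 308 deny all from 224.0.0.0/3 to any in via "$extinterface" # Class D&E multicast
# Deny ident
$fwcmd 320 deny tcp from any to any 113 in via "$extinterface"
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows host2name server requests on port 81
$fwcmd 330 deny tcp from any to any 137 in via "$extinterface"
$fwcmd 340 deny tcp from any to any 138 in via "$extinterface"
$fwcmd 350 deny tcp from any to any 139 in via "$extinterface"
$fwcmd 360 deny tcp from any to any 81 in via "$extinterface"
# Deny all late arriving (fragmented) packets
$fwcmd 370 deny all from any to any frag in via "$extinterface"
# Deny ACK packets that did not match the dynamic rule table
$fwcmd 380 deny tcp from any to any established in via "$extinterface"

############################################################
## SUBSECTION 3-2                                          #
## ALLOW RULESET                                           #
############################################################
# Allow in standard non-secure WWW function because I have Apache server
# $fwcmd 500 allow tcp from any to me 80 in via "$extinterface" setup limit src-addr 2
# Allow in secure FTP, Telnet, SSH from public internet
# $fwcmd 510 allow tcp from any to me 22 in via "$extinterface" setup limit src-addr 2
# Allow in non-secure FTP from public internet
# $fwcmd 520 allow tcp from any to me 20 in via "$extinterface" setup limit src-addr 2
# $fwcmd 530 allow tcp from any to me 21 in via "$extinterface" setup limit src-addr 2
# Allow in non-secure Telnet from public internet
# $fwcmd 540 allow tcp from any to me 23 in via "$extinterface" setup limit src-addr 2

############################################################
## SUBSECTION 3-3                                          #
## PUBLIC INTERFACE REJECT&LOG IN\OUT RULESET              #
############################################################
# Reject & log all unauthorized incoming connections from the Internet
$fwcmd 600 deny log all from any to any in via "$extinterface"
# Reject & log all unauthorized outgoing connections to the Internet.
# NOTE(review): an outbound non-SYN packet reaches this rule when no
# dynamic rule (040) matches it any more, i.e. after the flow's state was
# removed or expired. Late ACK/FIN/RST packets to ports that SECTION 2
# does allow (e.g. 80) are a plausible source of such log lines; compare
# the timing against net.inet.ip.fw.dyn_ack_lifetime before reading
# them as a host being blocked.
$fwcmd 650 deny log all from any to any out via "$extinterface"

############################################################
## SECTION 4                                               #
## NATD SECTION                                            #
############################################################
# This is the skipto location for outgoing stateful rules
$fwcmd 1000 divert natd ip from any to any out via "$extinterface"
$fwcmd 1001 allow ip from any to any

############################################################
## SECTION 5                                               #
## END SECTION                                             #
############################################################
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$fwcmd 9999 deny log all from any to any
### EOF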
С уважением, Sergey A. Yakovets.
E-mail: for-transit@yandex.ru ICQ UIN: 165641526
... FaqServer 2:5088/50.50 Subj: %HELP %LIST
* Origin: "Емельянов" - это не фамилия, а диагноз... (2:5004/75.5088)