ru.unix.bsd - RU.UNIX.BSD
From    : Andrey Lugovoy 2:5020/400    15 Apr 2004 19:23:15
To      : All
Subject : IPFW - thoughts
--------------------------------------------------------------------------------
Hello, All!
We have: FreeBSD 4.9-RELEASE-p4
Running on it: apache+php+mysql, sendmail, ssh, popa3d, ftp, named
So the box needs to be protected.
I solved it like this:
- ---
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} check-state
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
${fwcmd} add pass tcp from any to me established
${fwcmd} add pass tcp from me to any established
${fwcmd} add pass all from any to any frag
${fwcmd} add pass tcp from any to me ssh setup
${fwcmd} add pass tcp from any to me smtp setup
${fwcmd} add pass tcp from any to me pop3 setup
${fwcmd} add pass tcp from any to me domain setup
${fwcmd} add pass udp from any to me domain
${fwcmd} add pass udp from me domain to any
${fwcmd} add pass tcp from any to me http setup
${fwcmd} add pass tcp from any to me ftp setup
${fwcmd} add pass tcp from me ftp\\-data to any setup
${fwcmd} add pass tcp from any ftp\\-data to me setup
${fwcmd} add deny log logamount 0 tcp from any to any in via fxp0 setup
${fwcmd} add pass udp from me to any domain keep-state
${fwcmd} add pass tcp from me to any ftp keep-state
${fwcmd} add pass tcp from me to any smtp keep-state
# # Allow setup of any other TCP connection
# ${fwcmd} add pass tcp from any to any setup
${fwcmd} add deny log logamount 0 ip from any to any
- ---
ipfw -e -d -N sh
00100 360 39804 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 6163 699619 allow tcp from any to me established
00500 6445 5563612 allow tcp from me to any established
00600 0 0 allow ip from any to any frag
00700 2 96 allow tcp from any to me ssh setup
00800 0 0 allow tcp from any to me smtp setup
00900 4 192 allow tcp from any to me pop3 setup
01000 1 60 allow tcp from any to me domain setup
01100 9 607 allow udp from any to me domain
01200 9 1408 allow udp from me domain to any
01300 97 4656 allow tcp from any to me http setup
01400 3 144 allow tcp from any to me ftp setup
01500 9 540 allow tcp from me ftp-data to any setup
01600 0 0 allow tcp from any ftp-data to me setup
01700 13 660 deny log tcp from any to any in recv fxp0 setup
01800 139 14699 allow udp from me to any domain keep-state
01900 0 0 allow tcp from me to any ftp keep-state
02000 2 120 allow tcp from me to any smtp keep-state
02100 11 700 deny log ip from any to any
65535 70 10363 deny ip from any to any
## Dynamic rules:
01800 1 154 (T 0, slot 49) <-> udp, 81.3.178.141 1664<-> 217.195.65.9 53
02000 0 0 (T 0, slot 53) <-> tcp, 81.3.178.141 1092<-> 81.3.172.229 25
02000 0 0 (T 0, slot 54) <-> tcp, 81.3.178.141 1095<-> 81.3.172.229 25
01800 0 0 (T 0, slot 63) <-> udp, 81.3.178.141 1658<-> 217.196.66.253 53
01800 1 120 (T 0, slot 158) <-> udp, 81.3.178.141 1583<-> 217.195.65.9 53
01800 7 688 (T 0, slot 203) <-> udp, 81.3.178.141 1658<-> 217.195.65.9 53
01800 1 150 (T 0, slot 204) <-> udp, 81.3.178.141 1661<-> 217.195.65.9 53
01800 1 121 (T 0, slot 206) <-> udp, 81.3.178.141 1663<-> 217.195.65.9 53
01800 1 180 (T 0, slot 207) <-> udp, 81.3.178.141 1662<-> 217.195.65.9 53
01800 1 56 (T 0, slot 208) <-> udp, 81.3.178.141 1658<-> 217.195.69.18 53
- ---
tail -f /var/log/security
Apr 15 18:52:41 tornado last message repeated 2 times
Apr 15 18:54:33 tornado /kernel: ipfw: 1700 Deny TCP 210.24.100.100:3991 81.3.178.141:445 in via fxp0
Apr 15 18:54:36 tornado /kernel: ipfw: 1700 Deny TCP 210.24.100.100:3991 81.3.178.141:445 in via fxp0
Apr 15 18:57:53 tornado /kernel: ipfw: 2100 Deny UDP 195.159.193.18:1796 81.3.178.141:27015 in via fxp0
Apr 15 18:57:56 tornado /kernel: ipfw: 2100 Deny UDP 195.159.193.18:1797 81.3.178.141:27015 in via fxp0
Apr 15 18:57:56 tornado /kernel: ipfw: 2100 Deny UDP 195.159.193.18:1798 81.3.178.141:27015 in via fxp0
Apr 15 18:58:00 tornado /kernel: ipfw: 2100 Deny UDP 195.159.193.18:1799 81.3.178.141:27015 in via fxp0
Apr 15 19:02:34 tornado /kernel: ipfw: 1700 Deny TCP 81.1.66.65:4596 81.3.178.141:135 in via fxp0
Apr 15 19:09:22 tornado /kernel: ipfw: 1700 Deny TCP 61.36.133.61:50054 81.3.178.141:443 in via fxp0
Apr 15 19:09:31 tornado last message repeated 2 times
- ---
So everything works. From the logs it is clear who is knocking on my box, where, and how.
But maybe someone can advise something? Correct something? Improve something? I'd be glad of
any comments.
- ---
One more thing: how do I make it ask for a password on boot -s?
console none unknown off insecure
Is that the way?
With best regards, Andrey Lugovoy. E-mail: andrey.lugovoy@billing.ru
--- ifmail v.2.15dev5.3
* Origin: Demos online service (2:5020/400)
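Added example, not part of the original post: a small POSIX sh/awk script that summarizes the `ipfw: N Deny` lines from /var/log/security (the kind shown above) by rule, protocol and destination port, and separately by source address, so the "who, where and how" can be read off in one table instead of scrolling the log. The sample log lines are constructed from the ones in the post (in the real log each entry is a single line, not wrapped); the function names `sample_security_log`, `ipfw_deny_records`, `deny_by_port` and `deny_by_source` are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarize ipfw "Deny" log lines.
# Caveat: syslog collapses repeats into "last message repeated N times" lines,
# which carry no rule/port, so the counts below are a lower bound.

# Constructed sample input, same format as /var/log/security in the post.
sample_security_log() {
    cat <<'EOF'
Apr 15 18:52:41 tornado last message repeated 2 times
Apr 15 18:54:33 tornado /kernel: ipfw: 1700 Deny TCP 210.24.100.100:3991 81.3.178.141:445 in via fxp0
Apr 15 18:54:36 tornado /kernel: ipfw: 1700 Deny TCP 210.24.100.100:3991 81.3.178.141:445 in via fxp0
Apr 15 18:57:53 tornado /kernel: ipfw: 2100 Deny UDP 195.159.193.18:1796 81.3.178.141:27015 in via fxp0
Apr 15 18:57:56 tornado /kernel: ipfw: 2100 Deny UDP 195.159.193.18:1797 81.3.178.141:27015 in via fxp0
Apr 15 18:57:56 tornado /kernel: ipfw: 2100 Deny UDP 195.159.193.18:1798 81.3.178.141:27015 in via fxp0
Apr 15 18:58:00 tornado /kernel: ipfw: 2100 Deny UDP 195.159.193.18:1799 81.3.178.141:27015 in via fxp0
Apr 15 19:02:34 tornado /kernel: ipfw: 1700 Deny TCP 81.1.66.65:4596 81.3.178.141:135 in via fxp0
Apr 15 19:09:22 tornado /kernel: ipfw: 1700 Deny TCP 61.36.133.61:50054 81.3.178.141:443 in via fxp0
Apr 15 19:09:31 tornado last message repeated 2 times
EOF
}

# Turn each "ipfw: RULE Deny PROTO SRC:SPORT DST:DPORT in via IFACE" line
# into one record: "RULE PROTO SRCIP DPORT". Non-matching lines are skipped.
ipfw_deny_records() {
    awk '
        /ipfw: [0-9]+ Deny/ {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); proto = $(i+3); src = $(i+4); dst = $(i+5)
            sub(/:[0-9]+$/, "", src)               # strip the source port
            n = split(dst, p, ":"); dport = p[n]   # keep the destination port
            print rule, proto, src, dport
        }'
}

# Denied attempts per (rule, proto, destination port), most frequent first.
# This tells you which closed services are being probed (445, 135, 27015 ...).
deny_by_port() {
    ipfw_deny_records |
        awk '{ c[$1 " " $2 " " $4]++ } END { for (k in c) print c[k], k }' |
        sort -rn
}

# Denied attempts per source address, most frequent first.
deny_by_source() {
    ipfw_deny_records |
        awk '{ c[$3]++ } END { for (k in c) print c[k], k }' |
        sort -rn
}

# Usage: on the real box, replace sample_security_log with
#   cat /var/log/security
echo "== denies by rule/proto/port =="
sample_security_log | deny_by_port
echo "== denies by source =="
sample_security_log | deny_by_source
```

On the sample above the first table starts with `4 2100 UDP 27015` (four UDP probes to a port that only the catch-all rule 2100 logs) and `2 1700 TCP 445` (TCP setup attempts caught by rule 1700); the second starts with `4 195.159.193.18`.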