Firewall своими руками

Starting masquerading for dial-up clients

echo 1 > /proc/sys/net/ipv4/ip_forward              # nothing works without forwarding
ipfwadm -F -p deny                                  # default policy: forward nothing
ipfwadm -F -a m -S 195.0.0.2/32 -D 0.0.0.0/0        # masquerade the host 195.0.0.2
ipfwadm -F -a m -S 192.22.22.68/32 -D 0.0.0.0/0     # masquerade the host 192.22.22.68

The mask on the source must be /32 (exactly one host). The original listing had /0, which matches every source address, so a single such rule would masquerade anything routed through the box, not just the two named hosts.
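
The same setup as a script, added here as an example (it is not part of the original page): the list of internal hosts and the dial-up interface name are assumptions, the forwarding chain is flushed and set to a default deny before the masquerade rules are appended, and DRY_RUN=1 prints the commands instead of running them so the rule set can be reviewed before it touches the kernel.

```shell
#!/bin/sh
# Added example: ipfwadm masquerading for a dial-up gateway.
# Assumptions: internal hosts in MASQ_HOSTS, dial-up interface in PPP_IF.
# DRY_RUN=1 only prints the commands; MASQ_APPLY=1 applies them.

IPFWADM=${IPFWADM:-/sbin/ipfwadm}
PPP_IF=${PPP_IF:-ppp0}                 # assumed dial-up interface name
MASQ_HOSTS=${MASQ_HOSTS:-"195.0.0.2 192.22.22.68"}   # hosts allowed out (assumed)

# Print the command, then execute it unless DRY_RUN is set.
run() {
    echo "$*"
    [ -n "$DRY_RUN" ] || "$@"
}

# The kernel never consults the -F chain unless forwarding is on.
masq_enable_forwarding() {
    if [ -n "$DRY_RUN" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Forwarding chain: flush, default deny, then one masquerade rule per host.
masq_rules() {
    run "$IPFWADM" -F -f                  # drop whatever rules were there
    run "$IPFWADM" -F -p deny             # default policy: forward nothing
    for h in $MASQ_HOSTS; do
        # /32 = exactly this host. A /0 mask would match every source
        # address and masquerade the whole world through the link.
        run "$IPFWADM" -F -a m -S "$h/32" -D 0.0.0.0/0 -W "$PPP_IF"
    done
}

# Show the resulting chain with numeric addresses, for checking.
masq_show() {
    run "$IPFWADM" -F -l -n
}

if [ -n "$MASQ_APPLY" ]; then
    masq_enable_forwarding
    masq_rules
    masq_show
fi
```

Run it as `DRY_RUN=1 MASQ_APPLY=1 sh masq.sh` first and read the printed rules; only when they look right run it with MASQ_APPLY=1 alone.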

Limiting the traffic of a particular machine on the network

Crude throttling: the host is blocked for 15 seconds out of every 20. Note that this snippet uses the ipfw command, unlike the ipfwadm rules elsewhere on this page; the two syntaxes are not interchangeable.

trap 'ipfw delete 111' EXIT     # do not leave the block rule behind if the loop is killed
while sleep 5
do
  # the host name is resolved every time the rule is added; a fixed IP is safer
  ipfw add 111 drop ip from baduser.host.name to any
  sleep 15
  ipfw delete 111
done

Statistics and accounting

See the NET-3 HOWTO (section "IP Accounting") and "man ipfwadm".

Forwarding from your own port to another machine

myhost:82 --> secondhost:8499
ipfwadm -F -a accept -b -P tcp -S 0/0 82 -D secondIPaddr/32 8499

Note that the -F chain only filters packets the kernel is already forwarding; ipfwadm does not rewrite destination addresses, so this rule by itself merely permits TCP traffic (in both directions, -b) between port 82 and port 8499 on secondIPaddr. The redirection of myhost:82 to secondhost:8499 itself has to be done by something else; ipfwadm's own -r option can only redirect to a local port.

Example of an IPFWADM filter configuration

Date: 17 Jun 1998
From: MushyPea

On Tue, 16 Jun 1998, Avery Pennarun wrote:

> Here is the script I use on my home IP masquerade system.  It is designed
> to deny everything except what is specifically allowed in some of the
> definitions near the top.  Note that there is one fatal problem -- the
> input firewall is changed to allow incoming data back to ports 1024
> through 65535, because any of those might have been used to create an
> _outgoing_ connection (and thus might have data sent back to them).
> NFS servers might run on one of these high port numbers, so watch out.

I do the following:

1) To make the script more readable, use variables:

ME="a.b.c.d/32"
HI="1024:65535"
ANY="0.0.0.0/0"

2) Use "-y -o" options to log all connection attempts (ie. SYN bit set) to
syslog (you need verbose firewall logging compiled into the kernel), and
accept the packets in both directions for these connections.

2a) Example of a bi-directional service

# SMTP mail traffic
/bin/echo -n "SMTP/"
/sbin/ipfwadm -O -a accept -P tcp -S ${ME} ${HI} -D ${ANY} 25 -y -o
/sbin/ipfwadm -O -a accept -P tcp -S ${ME} ${HI} -D ${ANY} 25
/sbin/ipfwadm -I -a accept -P tcp -S ${ANY} 25 -D ${ME} ${HI}
/sbin/ipfwadm -I -a accept -P tcp -S ${ANY} ${HI} -D ${ME} 25 -y -o
/sbin/ipfwadm -I -a accept -P tcp -S ${ANY} ${HI} -D ${ME} 25
/sbin/ipfwadm -O -a accept -P tcp -S ${ME} 25 -D ${ANY} ${HI}

2b) A tricky one - FTP

# Incoming FTP
/bin/echo -n "FTPin/"
/sbin/ipfwadm -I -a accept -P tcp -S ${ANY} ${HI} -D ${ME} 20:21 -y -o
/sbin/ipfwadm -I -a accept -P tcp -S ${ANY} ${HI} -D ${ME} 20:21
/sbin/ipfwadm -O -a accept -P tcp -S ${ME} 20:21 -D ${ANY} ${HI}

3) Drop everything else. Note: the 'without logging' section only applies if you ever set your interface(s) into promiscuous mode. It's wise not to log packets to/from elsewhere, otherwise the machine load hits the roof and the log file expands rapidly. I found out the hard way. ;)

# Deny everything else
# with logging... (target = me)
/sbin/ipfwadm -I -a deny -S 0/0 -D ${ME} -o
/sbin/ipfwadm -O -a deny -S ${ME} -D 0/0 -o
# without logging... (target != me)
/sbin/ipfwadm -I -a deny -S 0/0 -D 0/0
/sbin/ipfwadm -O -a deny -S 0/0 -D 0/0

Hope that's of some help - oh, one thing - if you decide to use logging, make sure the logfile is on another partition somewhere, in case someone floods your box to try and fill up the disk!  Logging is worth the effort - I've detected port scans and other such nasties this way.
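
The "fatal problem" raised in the quoted message, return traffic having to be let back in to every high port, can be narrowed with ipfwadm's -k option (match only TCP packets with the ACK bit set; the same flag appears in the Rykov example further down this page). A SYN-ACK or data packet belonging to a connection we opened carries ACK; a fresh SYN aimed at an NFS daemon on a high port does not, so it falls through to the deny rules. The script below is an added example, not part of the original post or Avery Pennarun's script: ME defaults to an assumed documentation address, DRY_RUN=1 prints the rules instead of applying them, and the services chosen (SMTP and HTTP as client, FTP as server) are illustrative.

```shell
#!/bin/sh
# Added example: ipfwadm input/output filter that accepts return traffic
# to the high ports only when the ACK bit is set (-k).
# Assumptions: ME is this host's address (192.0.2.1 is a placeholder);
# DRY_RUN=1 prints rules without applying them; FW_APPLY=1 applies them.

IPFWADM=${IPFWADM:-/sbin/ipfwadm}
ME=${ME:-192.0.2.1/32}      # assumed: our own address
HI="1024:65535"
ANY="0.0.0.0/0"

# Print the command, then execute it unless DRY_RUN is set.
run() {
    echo "$*"
    [ -n "$DRY_RUN" ] || "$@"
}

fw_flush() {
    run "$IPFWADM" -I -f
    run "$IPFWADM" -O -f
}

# Client service: we open connections to $port on remote hosts.
# The outgoing SYN is logged once (-y -o); replies are only accepted
# into our high ports when ACK is set (-k), never as a new SYN.
fw_client() {           # fw_client <remote-port>
    port=$1
    run "$IPFWADM" -O -a accept -P tcp -S "$ME" "$HI" -D "$ANY" "$port" -y -o
    run "$IPFWADM" -O -a accept -P tcp -S "$ME" "$HI" -D "$ANY" "$port"
    run "$IPFWADM" -I -a accept -P tcp -S "$ANY" "$port" -D "$ME" "$HI" -k
}

# Server service: remote hosts connect to $port on us.  Our replies go
# out from $port to their high ports, again only with ACK set.
fw_server() {           # fw_server <local-port-or-range>
    port=$1
    run "$IPFWADM" -I -a accept -P tcp -S "$ANY" "$HI" -D "$ME" "$port" -y -o
    run "$IPFWADM" -I -a accept -P tcp -S "$ANY" "$HI" -D "$ME" "$port"
    run "$IPFWADM" -O -a accept -P tcp -S "$ME" "$port" -D "$ANY" "$HI" -k
}

# Catch-all: log only what is addressed to us, drop the rest silently
# (same split as the post above, to keep promiscuous-mode noise out of syslog).
fw_deny_rest() {
    run "$IPFWADM" -I -a deny -S "$ANY" -D "$ME" -o
    run "$IPFWADM" -O -a deny -S "$ME" -D "$ANY" -o
    run "$IPFWADM" -I -a deny -S "$ANY" -D "$ANY"
    run "$IPFWADM" -O -a deny -S "$ANY" -D "$ANY"
}

fw_apply() {
    fw_flush
    fw_client 25          # SMTP
    fw_client 80          # HTTP
    fw_server 20:21       # FTP control and active-mode data
    fw_deny_rest
}

if [ -n "$FW_APPLY" ]; then
    fw_apply
fi
```

This is still not a stateful filter: anyone can send packets with ACK set (an "ACK scan") and they will reach the high ports, and UDP replies get no such protection at all. What -k buys is that no one can complete a TCP handshake with a service listening on a high port, which is the case the quoted message warns about.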

Example from Rykov

rc.firewall:

# Both interfaces in promiscuous mode and bridged (brcfg); a bridging firewall.
ifconfig eth0 promisc
ifconfig eth1 promisc
ifconfig eth1 arp
ifconfig eth0 arp
route add -net default gw 193.232.173.45 dev eth1
brcfg -enable >> /dev/null
# Flush all three chains.
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f
# The catch-all reject is appended (-a) first; the accept rules below are
# inserted (-i) at the head of the chain, so they are checked before it.
ipfwadm -I -a reject -S 0.0.0.0/0.0.0.0 -D 0.0.0.0/0.0.0.0
ipfwadm -I -i accept -S 195.231.183.1/255.255.255.255 -D 0.0.0.0/0.0.0.0
ipfwadm -I -i accept -S 195.231.183.2/255.255.255.255 -D 0.0.0.0/0.0.0.0
# Ports listed after -S are source ports: this accepts TCP coming *from* the ftp and telnet ports of that net.
ipfwadm -I -i accept -P tcp -S 195.231.183.0/255.255.255.0 ftp telnet -D 0.0.0.0/0.0.0.0
# Reject outgoing NetBIOS; -k matches only packets with ACK set, so the initial SYN is not covered by this rule.
ipfwadm -O -a reject -P tcp -k -S 195.231.183.0/255.255.255.0 -D 0.0.0.0/0.0.0.0 137 138 139

Protecting named

From: Adam Sulmicki

One of the reasons for presenting this is that in all the examples shown so far everyone seemed to suggest leaving named fully open. However, that does not always have to be the case. Say, if you are running a private network, then you only want to allow named to get data transfers from trusted hosts, and that is all.

[root@eax /root]# cat ipfwadm-named
#!/bin/sh
# allow connections only from trusted name servers
ME="1.2.3.4"             # MY ip
NS1="10.20.30.41"        # IP of the primary name server
NS2="10.20.30.42"        # IP of the secondary name server
NS3="10.20.30.43"        # IP of the tertiary name server
SRV="domain"
/sbin/ipfwadm -I -f
# Only traffic arriving on eth0 from port 53 of a trusted server to our port 53 is accepted, UDP and TCP alike.
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P udp -S $NS1 $SRV
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P tcp -S $NS1 $SRV
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P udp -S $NS2 $SRV
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P tcp -S $NS2 $SRV
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P udp -S $NS3 $SRV
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P tcp -S $NS3 $SRV
# Everything else aimed at our port 53 on eth0 is rejected and logged (-o).
/sbin/ipfwadm -I -a reject -D ${ME} $SRV -W eth0 -P tcp -o -v -x -e
/sbin/ipfwadm -I -a reject -D ${ME} $SRV -W eth0 -P udp -o -v -x -e

And while we are speaking about named, here is an example of someone from a "Catholic liberal arts institution" (as per their web page) connecting to my box. I assume that person was scanning the whole subnet searching for vulnerable versions of named.

On statistics and traffic accounting

Install mrtg and count via snmpget.

"ipfwadm configuration utility"
http://www.ejj.net/~sonny/fwconfig/fwconfig.html
Category: IPFW | Added by: oleg (29.10.2007)