Linux Network Administrator's Guide


Sample Firewall Configuration


The configuration in this example has been designed to be easily extended and customized. We have provided three versions. The first version is implemented using the ipfwadm command (or the ipfwadm-wrapper script), the second uses ipchains and the third uses iptables. The example does not attempt to use user-defined chains, but it will show you the similarities and differences between the old and the new firewall configuration tools:

#!/bin/bash
##########################################################################
# IPFWADM VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the ipfwadm utility. Use ipfwadm-wrapper for
# 2.2.* kernels.
IPFWADM=ipfwadm

# The path to the ipfwadm executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: space separated
TCPIN="smtp www"
TCPOUT="smtp www ftp ftp-data irc"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: space separated
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: space separated
ICMPIN="0 3 11"
ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1

# END USER CONFIGURABLE SECTION
###########################################################################
# Flush the Incoming table rules
$IPFWADM -I -f

# We want to deny incoming access by default.
$IPFWADM -I -p deny

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPFWADM -I -a deny -S $OURNET -W $ANYDEV

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPFWADM -I -a deny -P icmp -W $ANYDEV -D $OURBCAST

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.
# This should catch more than 95 % of all valid TCP packets.
$IPFWADM -I -a accept -P tcp -D $OURNET $TCPIN -k -b

# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
$IPFWADM -I -a accept -P tcp -W $ANYDEV -D $OURNET $TCPIN -y

# TCP - OUTGOING CONNECTIONS
# We accept all outgoing tcp connection requests on allowed TCP ports.
$IPFWADM -I -a accept -P tcp -W $OURDEV -D $ANYADDR $TCPOUT -y

# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports.
$IPFWADM -I -a accept -P udp -W $ANYDEV -D $OURNET $UDPIN

# UDP - OUTGOING
# We will allow UDP datagrams out on the allowed ports.
$IPFWADM -I -a accept -P udp -W $OURDEV -D $ANYADDR $UDPOUT

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types (the ICMPIN list
# defined above, not the UDP port list).
$IPFWADM -I -a accept -P icmp -W $ANYDEV -D $OURNET $ICMPIN

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types (the ICMPOUT list).
$IPFWADM -I -a accept -P icmp -W $OURDEV -D $ANYADDR $ICMPOUT

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
        # Log barred TCP
        $IPFWADM -I -a reject -P tcp -o

        # Log barred UDP
        $IPFWADM -I -a reject -P udp -o

        # Log barred ICMP
        $IPFWADM -I -a reject -P icmp -o
fi
#
# end.
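To check what this chain actually does before loading it on a router, the following Python script (an added example, not code from the Linux Network Administrator's Guide) transcribes the rules above in script order as predicates and runs constructed datagrams through them with ipfwadm's first-match semantics. The Packet class, the service-to-port table, the sample addresses and the function names are this example's own. It models -W as the interface the datagram was received on, -k as "ACK set", -y as "SYN set and ACK clear", -b as the rule plus a second copy with source and destination addresses and ports swapped, and the type list on an ICMP rule as the ICMP type, with the ICMP rules keyed on the ICMPIN and ICMPOUT lists the script defines for that purpose. Two cases deserve attention beyond the expected verdicts: a bare ACK segment to an allowed port is accepted whether or not any connection exists, because -k is a flag check rather than connection tracking; and the SYN/ACK reply to an outgoing web connection matches neither the -k rule nor its swapped twin, so under this model it falls through to the default deny.

```python
"""First-match evaluator for the ipfwadm -I chain of the sample script.

Added example, not code from the Linux Network Administrator's Guide.  The
rules are transcribed in the order the script installs them; Packet, the
service table, the sample hosts and the helper names are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OURNET = ip_network("172.29.16.0/24")
OURBCAST = ip_network("172.29.16.255/32")   # -D without a mask is a single host
ANYNET = ip_network("0.0.0.0/0")            # ANYADDR="0/0"
OURDEV, ANYDEV = "eth0", "eth1"

# Service names as ipfwadm would resolve them via /etc/services (table constructed here).
SERVICES = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20, "irc": 194, "domain": 53}
TCPIN = [SERVICES[s] for s in "smtp www".split()]
TCPOUT = [SERVICES[s] for s in "smtp www ftp ftp-data irc".split()]
UDPIN = UDPOUT = [SERVICES["domain"]]
ICMPIN, ICMPOUT = [0, 3, 11], [8, 3, 11]


@dataclass(frozen=True)
class Packet:
    dev: str            # interface the datagram was received on (matched by -W)
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # TCP/UDP source port
    dport: int = 0      # TCP/UDP destination port, or the ICMP type
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


def match(p, proto=None, dev=None, src=ANYNET, sports=(), dst=ANYNET, dports=(), k=False, y=False):
    """One ipfwadm rule: every option given must match.  An empty port list means
    all ports (as the script's comments say); -k is ACK set, -y is SYN set, ACK clear."""
    return ((proto is None or p.proto == proto)
            and (dev is None or p.dev == dev)
            and ip_address(p.src) in src and ip_address(p.dst) in dst
            and (not sports or p.sport in sports)
            and (not dports or p.dport in dports)
            and (not k or (p.proto == "tcp" and p.ack))
            and (not y or (p.proto == "tcp" and p.syn and not p.ack)))


def chain(logging=False):
    """The -I chain in script order as (verdict, rule options).  The -b rule is
    modelled as two entries, the second with addresses and ports swapped."""
    rules = [
        ("deny", dict(dev=ANYDEV, src=OURNET)),                                       # SPOOFING
        ("deny", dict(proto="icmp", dev=ANYDEV, dst=OURBCAST)),                       # SMURF
        ("accept", dict(proto="tcp", dst=OURNET, dports=TCPIN, k=True)),              # TCP -k -b
        ("accept", dict(proto="tcp", src=OURNET, sports=TCPIN, k=True)),              #   swapped twin
        ("accept", dict(proto="tcp", dev=ANYDEV, dst=OURNET, dports=TCPIN, y=True)),  # TCP incoming
        ("accept", dict(proto="tcp", dev=OURDEV, dports=TCPOUT, y=True)),             # TCP outgoing
        ("accept", dict(proto="udp", dev=ANYDEV, dst=OURNET, dports=UDPIN)),          # UDP incoming
        ("accept", dict(proto="udp", dev=OURDEV, dports=UDPOUT)),                     # UDP outgoing
        ("accept", dict(proto="icmp", dev=ANYDEV, dst=OURNET, dports=ICMPIN)),        # ICMP incoming
        ("accept", dict(proto="icmp", dev=OURDEV, dports=ICMPOUT)),                   # ICMP outgoing
    ]
    if logging:   # the -o rules: reject (ICMP error sent back) and log, one per protocol
        rules += [("reject", dict(proto=pr)) for pr in ("tcp", "udp", "icmp")]
    return rules


def verdict(p, logging=False):
    """First matching rule wins; otherwise the chain policy '-p deny' applies."""
    for action, opts in chain(logging):
        if match(p, **opts):
            return action
    return "deny"


OUT, IN = "198.51.100.1", "172.29.16.9"   # constructed outside host and inside host
CASES = {   # name: (constructed datagram, verdict the script's comments intend)
    "spoofed source from outside":      (Packet(ANYDEV, "tcp", IN, IN, 4000, 80, syn=True), "deny"),
    "smurf ping to broadcast":          (Packet(ANYDEV, "icmp", OUT, "172.29.16.255", dport=8), "deny"),
    "inbound SMTP connection":          (Packet(ANYDEV, "tcp", OUT, IN, 4000, 25, syn=True), "accept"),
    "inbound SSH connection":           (Packet(ANYDEV, "tcp", OUT, IN, 4000, 22, syn=True), "deny"),
    "bare ACK probe to allowed port":   (Packet(ANYDEV, "tcp", OUT, IN, 4000, 80, ack=True), "accept"),
    "bare ACK probe to other port":     (Packet(ANYDEV, "tcp", OUT, IN, 4000, 22, ack=True), "deny"),
    "outbound web connection":          (Packet(OURDEV, "tcp", IN, OUT, 4000, 80, syn=True), "accept"),
    "reply to outbound web connection": (Packet(ANYDEV, "tcp", OUT, IN, 80, 4000, syn=True, ack=True), "accept"),
    "outbound DNS query":               (Packet(OURDEV, "udp", IN, OUT, 4000, 53), "accept"),
    "inbound echo request":             (Packet(ANYDEV, "icmp", OUT, IN, dport=8), "deny"),
    "inbound echo reply":               (Packet(ANYDEV, "icmp", OUT, IN, dport=0), "accept"),
}


def evaluate_all(logging=False):
    """Verdict of the chain for every constructed case."""
    return {name: verdict(pkt, logging) for name, (pkt, _) in CASES.items()}


if __name__ == "__main__":
    for name, got in evaluate_all().items():
        flag = "ok  " if got == CASES[name][1] else "GAP "
        print(f"{flag}{name:34} -> {got}")
```

Run it with python3; it prints one verdict per case and marks where the verdict differs from what the script's comments intend. The only such line is the reply to the outbound web connection: if a test host confirms that verdict, the chain needs an additional -k rule covering the return direction of the $TCPOUT ports before the script is usable for client traffic from the inside. With LOGGING set, datagrams that match nothing hit the reject rules instead of the silent policy, which the logging argument reproduces.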







