Firewall IPFILTER (FreeBSD)
Friday, 25 July 2008
Author: 1o1 Team

________________________________________
Contents:
1. Introduction
2. Requirements
3. Kernel compilation
4. Distribution configuration
5. Example IPFILTER configuration
6. Commands
________________________________________
1. Introduction
FreeBSD offers several firewalls.
Historically the FreeBSD firewall was IPFirewall, but it is on its way out because of the appearance and use of the firewall from OpenBSD (the old one; OpenBSD itself now uses PF).
IPFILTER is one of the harder firewalls, but also a secure one. It is a firewall that lets you control all traffic entering and leaving a network card.
Its advantage over other firewalls such as ipchains, ipfw and so on is that IPFILTER gives the best control of inbound traffic, independently of outbound traffic, and it also supports NAT.
To use IPFILTER we have to modify and correct several files.
We will go through them below, and you will see for yourself that none of it is frightening.
2. Requirements
We will use 3COM 3c905 Boomerang network cards.

We assign them the IPs 192.168.1.5 and 192.168.1.6 on xl0 and xl1 respectively, where xl1 is taken as the external card and its external IP is used in SNAT as the outside of the router.
3. Kernel compilation
You must add the following lines to your kernel configuration file:

options PFIL_HOOKS
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

"options PFIL_HOOKS": if you do not add it, you will run into a problem when recompiling the kernel.
"options IPFILTER": we will use IPFILTER in our kernel.
"options IPFILTER_LOG": we use it to log incoming and outgoing packets.
"options IPFILTER_DEFAULT_BLOCK": block everything by default.

Commands to recompile the kernel (MOJKERNEL is the name of the configuration file in /usr/src/sys/i386/conf/; KERNCONF takes the file name, not its full path):

make buildkernel KERNCONF=MOJKERNEL
make installkernel KERNCONF=MOJKERNEL
4. Distribution configuration
Add the following to the configuration file:

vi /etc/rc.conf
--
ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"

# monitoring
ipmon_enable="YES" # IPFILTER logging daemon
ipmon_flags="-Dsvn"
#ipnat_enable="YES" # NAT, left disabled in this example
5. Example IPFILTER configuration
We put the ipfilter configuration in /etc/ipf.rules, which we create here:

vi /etc/ipf.rules
--

# Pass everything on the loopback interface.
pass in quick on lo0 all
pass out quick on lo0 all

# Pass everything arriving on the internal interface.
# Note: because this rule is "quick", the later "pass in ... on xl0" ICMP rules
# are never reached for inbound packets.
pass in quick on xl0 all

# Pass all outgoing traffic and keep state so the replies are allowed back in.
pass out quick proto tcp all keep state
pass out quick proto udp all keep state

# Block all IP packets carrying IP options (this covers lsrr and ssrr source routing).
block in quick all with ipopts

# Block all fragmented packets.
block in quick all with frag

# Block the TCP flag combinations used by nmap-style OS fingerprinting.
block in quick on xl1 proto tcp all flags FUP
block in log quick on xl1 proto tcp from any to any flags SF/SFRA
block in log quick on xl1 proto tcp from any to any flags /SFRA
block in log quick on xl1 proto tcp all flags SF/SFRA
block in log quick on xl1 proto tcp all flags /SFRA
block in log quick on xl1 proto tcp all flags F/SFRA
block in log quick on xl1 proto tcp all flags U/SFRAU
block in log quick on xl1 proto tcp all flags P
block in log quick on xl1 proto tcp from any to any flags FUP
block in log quick on xl1 proto tcp from any to any port = 111

# Block packets from non-routable source ranges arriving on the external interface.
block in quick on xl1 from 255.255.255.255/32 to any
# block in quick on xl1 from 192.168.0.0/16 to any
# (left commented out: in this setup the outside of xl1 is itself in 192.168.1.0/24)
block in quick on xl1 from 172.16.0.0/12 to any
block in quick on xl1 from 127.0.0.0/8 to any
block in quick on xl1 from 10.0.0.0/8 to any
block in quick on xl1 from 0.0.0.0/32 to any

# Block these ICMP types arriving on the external interface; allow them on the internal one.
block in quick on xl1 proto icmp from any to any icmp-type 0 keep state
block in quick on xl1 proto icmp from any to any icmp-type 3 keep state
block in quick on xl1 proto icmp from any to any icmp-type 8 keep state
block in quick on xl1 proto icmp from any to any icmp-type 11 keep state
pass in quick on xl0 proto icmp from any to any icmp-type 0 keep state
pass in quick on xl0 proto icmp from any to any icmp-type 3 keep state
pass in quick on xl0 proto icmp from any to any icmp-type 8 keep state
pass in quick on xl0 proto icmp from any to any icmp-type 11 keep state
pass out quick on xl0 proto icmp from any to any icmp-type 0 keep state
pass out quick on xl0 proto icmp from any to any icmp-type 3 keep state
pass out quick on xl0 proto icmp from any to any icmp-type 8 keep state
pass out quick on xl0 proto icmp from any to any icmp-type 11 keep state

# Blacklist
block in quick on xl1 from 216.133.253.100 to any
block out quick on xl1 from any to 216.133.253.100

# Pass the services we offer to the outside.
pass in quick on xl1 proto tcp from any to any port = 22 keep state
pass in quick on xl1 proto tcp from any to any port = 25 keep state
pass in quick on xl1 proto tcp from any to any port = 21 keep state
pass in quick on xl1 proto tcp from any to any port = 443 keep state
pass in quick on xl1 proto tcp from any to any port = 80 keep state

# Block everything else arriving on the external interface.
block in quick on xl1
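Added example (not from the original page): a small Python model of how ipf walks a ruleset, run over a constructed subset of the rules above (rules using `flags` or `with` are left out to stay short). It shows the last-match-wins-unless-quick semantics, why `pass in quick on xl0 all` makes the later xl0 ICMP rules unreachable for inbound packets, and that anything not explicitly passed on xl1 hits the final block. The host 203.0.113.7, the packets and `demo()` are all constructed for the example.

```python
import ipaddress

# Constructed subset of the page's /etc/ipf.rules, in the page's order; results index this list from 1.
RULES = """pass in quick on lo0 all
pass in quick on xl0 all
block in quick on xl1 from 10.0.0.0/8 to any
block in quick on xl1 proto icmp from any to any icmp-type 8 keep state
pass in quick on xl0 proto icmp from any to any icmp-type 8 keep state
pass in quick on xl1 proto tcp from any to any port = 22 keep state
block in quick on xl1"""
# keyword -> rule field; "all", "log" and "keep state" are skipped (stateless model)
KEYS = {"on": "on", "proto": "proto", "from": "src", "to": "dst", "icmp-type": "icmp_type"}

def parse_rule(line):
    t = line.split()
    r = dict.fromkeys(("port",) + tuple(KEYS.values()), None)
    r["action"], r["quick"], r["dir"] = t[0], "quick" in t, "in" if "in" in t else "out"
    for i, w in enumerate(t):
        if w in KEYS:
            r[KEYS[w]] = int(t[i + 1]) if w == "icmp-type" else t[i + 1]
        elif w == "port":  # written "port = N"
            r["port"] = int(t[i + 2])
    return r

def _addr_ok(spec, addr):
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    return (r["dir"] == p["dir"] and r["on"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and _addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])
            and r["port"] in (None, p.get("dport")) and r["icmp_type"] in (None, p.get("icmp_type")))

def evaluate(rules, p, default="block"):
    """ipf semantics: the LAST matching rule wins unless a match is 'quick', which ends the walk.
    Default 'block' mirrors the page's IPFILTER_DEFAULT_BLOCK kernel option. Returns (verdict, rule no)."""
    verdict, winner = default, None
    for n, r in enumerate(rules, 1):
        if matches(r, p):
            verdict, winner = r["action"], n
            if r["quick"]: break
    return verdict, winner

def demo():
    # Constructed packets; 203.0.113.7 is a documentation address standing in for an Internet host.
    rules = [parse_rule(l) for l in RULES.splitlines()]
    ssh = {"dir": "in", "iface": "xl1", "proto": "tcp", "src": "203.0.113.7", "dst": "192.168.1.6", "dport": 22}
    ping = {"dir": "in", "iface": "xl1", "proto": "icmp", "src": "203.0.113.7", "dst": "192.168.1.6", "icmp_type": 8}
    return {"ssh": evaluate(rules, ssh), "telnet": evaluate(rules, dict(ssh, dport=23)),
            "spoofed_src": evaluate(rules, dict(ssh, src="10.1.2.3")), "ping_ext": evaluate(rules, ping),
            "ping_int": evaluate(rules, dict(ping, iface="xl0", src="192.168.1.20"))}
```

`demo()["ping_int"]` comes back as `("pass", 2)`: the inbound ping on xl0 is decided by the blanket xl0 rule, never by the dedicated ICMP rule 5, which is the ordering effect to keep in mind when editing the page's ruleset.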
6. Commands
Starting the firewall (flush all rules, then load the file):

root@machine[~]% ipf -Fa -f /etc/ipf.rules

Checking the firewall (hit counts for the inbound and outbound rules):

root@machine[~]% ipfstat -hio

Restarting the firewall:

root@machine[~]% /sbin/ipf -Fa -f /etc/ipf.rules

'top'-style statistics:

root@machine[~]% /sbin/ipfstat -t

IPFILTER version:

root@machine[~]% /sbin/ipf -V

 