It is enough to add

options         IPFIREWALL_DEFAULT_TO_ACCEPT

to your kernel config file.
 
 
----- Original Message -----
Sent: Thursday, April 14, 2005 9:33 AM
Subject: [FreeBSD] About ipfw

Hello friends,
 
I installed FreeBSD 5.3 and wrote the rules below into the file /usr/local/etc/firewall.rules,
 
but I can neither ping outside nor get onto the internet. I only get out when I add the rule ( ipfw add allow all from any to any ). Without writing that rule, what could the rules for getting out be?
 
Thanks in advance
 
 
#define oif  rl0
#define oip  10.0.0.205
#define onet 10.0.0.205:255.255.255.0
#define iif1  rl1
#define iip1  192.168.0.205
#define inet1 192.168.0.0/24
add allow tcp from any to any 1000 via rl0
add allow udp from any to any 1000 via rl0
 
/**
 Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
 DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
 on the outside interface
**/
add deny all from any to 0.0.0.0/8 via oif
add deny all from any to 169.254.0.0/16 via oif
add deny all from any to 192.0.2.0/24 via oif
add deny all from any to 224.0.0.0/4 via oif
add deny all from any to 240.0.0.0/4 via oif
/**
 Network Address Translation.  This rule is placed here deliberately
 so that it does not interfere with the surrounding address-checking
 rules.  If for example one of your internal LAN machines had its IP
 address set to 192.0.2.1 then an incoming packet for it after being
 translated by natd(8) would match the `deny' rule above.  Similarly
 an outgoing packet originated from it before being translated would
 match the `deny' rule below.
**/
add divert natd all from any to any via oif
/**
 Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
 DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
 on the outside interface
**/
add deny all from 0.0.0.0/8 to any via oif
add deny all from 169.254.0.0/16 to any via oif
add deny all from 192.0.2.0/24 to any via oif
add deny all from 224.0.0.0/4 to any via oif
add deny all from 240.0.0.0/4 to any via oif
/************************/
/** Check dynamic rule
/************************/
add check-state
 
/** Allow TCP through if setup succeeded **/
add allow tcp from any to any established
/** Allow IP fragments through **/
add allow all from any to any frag
/** Allow setup of SMTP **/
add allow tcp from any to any 25
add allow tcp from any 25 to any
/** Allow setup of POP3 **/
add allow tcp from any to any 110
add allow tcp from any 110 to any
/** Allow setup of IMAP4 **/
add allow tcp from any to any 143 setup
/** Allow setup of ssh **/
add allow tcp from any to any 22 established
/** Allow setup of HTTP **/
add allow tcp from any to any 80,443,8443 setup
add allow tcp from any to any 1000 via rl0
add allow udp from any to any 1000 via rl0
add allow tcp from any to any 5555 via rl0
add allow udp from any to any 5555 via rl0
add allow tcp from any to any 6800-7000 via rl0
add allow udp from any to any 6800-7000 via rl0
add allow tcp from any to any 4899 via rl0
add allow udp from any to any 4899 via rl0
add allow tcp from any to any 5631 via rl0
add allow udp from any to any 5632 via rl0
add allow udp from any to any 53 via rl0
add allow udp from any 53 to any via rl0
/** Set Loopback for DNS **/
add allow udp from any to any 53 via lo0
add allow udp from any 53 to any via lo0
/** Set Loopback for SNMP **/
add allow udp from any to any 161 via lo0
add allow udp from any 161 to any via lo0
/** Blocked TCP and UDP Ports **/
add deny tcp from any to any 135
add deny udp from any to any 1434
add deny tcp from any to any 2025
add deny tcp from any to any 1243
add deny tcp from any to any 27374
add deny udp from any to any 31337
/** Allow setup of any other TCP connection **/
add allow tcp from any to any setup
/**************************/
/** Allow UDP to outside
/**************************/
add allow udp from oip to any out via oif keep-state
add allow udp from oip to any in via oif keep-state
/**************************/
/** Allow ping to outside
/**************************/
add allow icmp from any to any
/*******************************/
/** Log all unrecognized attempts
/*******************************/
add deny all from any to not oip in via oif
add deny log all from any to any
add deny tcp from 192.168.0.1 to any

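To see why the rc.firewall comment in the file above places the natd divert between the two groups of address-checking rules, here is a small first-match simulation. It is added here and is not part of either message; the rule numbers, the mis-addressed LAN host 192.0.2.1 and the remote peer 203.0.113.7 are constructed for the illustration.

```python
"""Tiny first-match walk over an ipfw-style rule list (added example, not from
the thread). It models only enough of ipfw to show why 'divert natd' must sit
between the 'deny ... to 192.0.2.0/24' and 'deny ... from 192.0.2.0/24' rules.
Constructed: LAN host 192.0.2.1 behind the gateway, remote peer 203.0.113.7."""
import ipaddress

def rule(num, action, proto, src, dst, iface="any"):
    return {"num": num, "action": action, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst), "iface": iface}

def matches(r, pkt):
    return ((r["proto"] in ("all", pkt["proto"]))
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and r["iface"] in ("any", pkt["iface"]))   # 'via rl0' matches either direction

def natd(pkt):
    """Stand-in for natd(8): maps the public address 10.0.0.205 to/from LAN host 192.0.2.1."""
    p = dict(pkt)
    if p["dir"] == "in" and p["dst"] == "10.0.0.205":
        p["dst"] = "192.0.2.1"
    elif p["dir"] == "out" and p["src"] == "192.0.2.1":
        p["src"] = "10.0.0.205"
    return p

def walk(rules, pkt):
    """First matching terminal rule decides. A matching 'divert' rewrites the packet and
    evaluation continues at the next rule, as with natd re-injection. Falling off the end
    is the kernel's default rule 65535: deny unless built with IPFIREWALL_DEFAULT_TO_ACCEPT."""
    trail = []
    for r in rules:
        if matches(r, pkt):
            trail.append(r["num"])
            if r["action"] == "divert":
                pkt = natd(pkt)
            else:
                return r["action"], trail
    return "deny", trail

ANY = "0.0.0.0/0"
DENY_TO   = rule(100, "deny",   "all", ANY, "192.0.2.0/24", "rl0")  # deny all from any to 192.0.2.0/24 via oif
DIVERT    = rule(200, "divert", "all", ANY, ANY, "rl0")             # divert natd all from any to any via oif
DENY_FROM = rule(300, "deny",   "all", "192.0.2.0/24", ANY, "rl0")  # deny all from 192.0.2.0/24 to any via oif
ALLOW_TCP = rule(400, "allow",  "tcp", ANY, ANY)                    # stands in for the 'established' rule

AS_POSTED    = [DENY_TO, DIVERT, DENY_FROM, ALLOW_TCP]   # order used in the file above
DIVERT_FIRST = [DIVERT, DENY_TO, DENY_FROM, ALLOW_TCP]   # NAT before the address checks
DIVERT_LAST  = [DENY_TO, DENY_FROM, DIVERT, ALLOW_TCP]   # NAT after the address checks

INBOUND  = {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.0.205", "dir": "in",  "iface": "rl0"}
OUTBOUND = {"proto": "tcp", "src": "192.0.2.1",   "dst": "203.0.113.7", "dir": "out", "iface": "rl0"}
```

With the posted order both packets reach the allow rule; with the divert moved first the translated inbound packet hits the deny-to rule, and with it moved last the untranslated outbound packet hits the deny-from rule.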
