00000 flush
00010 add allow ip from any to any via lo0
00020 add deny all from any to 127.0.0.0/8
00030 add deny all from 127.0.0.0/8 to any
#####
##### deny-and-log bogus packets
00040 add deny log tcp from any to any frag
# XMAS tree
00041 add deny log tcp from any to any in tcpflags fin,psh,urg
# NULL scan (no flag set at all)
00042 add deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg
# SYN flood (SYN,FIN)
00043 add deny log tcp from any to any in tcpflags syn,fin
# Stealth FIN scan (FIN,RST)
00044 add deny log tcp from any to any in tcpflags fin,rst
# forced packet routing
00045 add deny log ip from any to any in ipoptions ssrr,lsrr,rr,ts
# ACK scan (ACK,RST)
00046 add deny log tcp from any to any in tcpflags ack,rst
#####
00050 add allow tcp from me to any dst-port 22 out setup keep-state
00060 add allow tcp from me to any dst-port 80 out setup keep-state
00070 add allow udp from me to any dst-port 123 out keep-state
00080 add allow tcp from me to any dst-port 443 out setup keep-state
00090 add allow tcp from me to any dst-port 993 out setup keep-state
00100 add allow tcp from me 1024-65535 to any out setup keep-state
00110 add allow udp from me 1024-65535 to any out keep-state
00150 add check-state log
# echo-reply, echo, dest. unreachable, time-exceeded, param. problem
00200 add allow icmp from any to me icmptypes 0,8,3,11,12 in
00210 add allow log icmp from me to any icmptypes 0,3,11,12 out
00220 add allow icmp from me to any icmptypes 8 out
00400 add deny log logamount 65535 ip from any to any out
00410 add deny ip from 172.16.0.0/12 to any in
00420 add deny ip from 10.0.0.0/8 to any in
00430 add deny ip from 127.0.0.0/8 to any in
00440 add deny ip from 0.0.0.0/8 to any in
00450 add deny ip from 169.254.0.0/16 to any in
00460 add deny ip from 192.0.2.0/24 to any in
00470 add deny ip from 204.152.64.0/23 to any in
00480 add deny ip from 224.0.0.0/3 to any in
00500 add reset tcp from any to me dst-port 113 in
00510 add deny tcp from any to any dst-port 137 in
00520 add deny tcp from any to any dst-port 138 in
00530 add deny tcp from any to any dst-port 139 in
00540 add deny tcp from any to any dst-port 81 in
00600 add allow udp from any to any dst-port 68 in keep-state
00610 add allow log tcp from any to me dst-port 22 in setup limit src-addr 2
00999 add deny log logamount 65535 ip from any to any
65535 add allow ip from any to any
(I've still got a great team of moronic security guards hanging around - I'll hit send; god knows the taste for pacifiers, stuffed toys and the smell of fingers up the arse that follows within 30 sec. of sending.) (I don't want to be a cop, you've put me off it.)

--
Philippe STRAUSS
http://strauss.pas.nu/
gull mailing list
[email protected]
http://forum.linux-gull.ch/mailman/listinfo/gull
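ipfw evaluates a ruleset in ascending rule-number order and the first rule whose body matches the packet decides its fate, so the order in the ruleset above is what gives it its meaning: the bogon drops (00410-00480) and the direction qualifiers (in/out) are checked before the inbound SSH allow (00610), and anything unmatched falls through to 00999. The following small evaluator is an added example and not code from the original post: it parses the subset of ipfw(8) syntax the ruleset uses and reports which rule a constructed packet would hit. LOCAL_ADDRS (the host's own address, matched by "me"), the pkt() helper and the ruleset excerpt are assumptions; stateful keywords (keep-state, check-state, limit) are parsed but not simulated, so each packet is judged as a stateless first-match.

```python
"""First-match evaluator for the subset of ipfw(8) rule syntax used above (added example)."""
import ipaddress

# Assumed: addresses of the host running the firewall, i.e. what 'me' resolves to.
LOCAL_ADDRS = {ipaddress.ip_address("198.51.100.10")}

# Constructed excerpt of the quoted ruleset (same syntax, fewer rules).
RULESET = """
00020 add deny all from any to 127.0.0.0/8
00030 add deny all from 127.0.0.0/8 to any
00043 add deny log tcp from any to any in tcpflags syn,fin
00050 add allow tcp from me to any dst-port 22 out setup keep-state
00100 add allow tcp from me 1024-65535 to any out setup keep-state
00110 add allow udp from me 1024-65535 to any out keep-state
00150 add check-state log
00200 add allow icmp from any to me icmptypes 0,8,3,11,12 in
00400 add deny log logamount 65535 ip from any to any out
00420 add deny ip from 10.0.0.0/8 to any in
00610 add allow log tcp from any to me dst-port 22 in setup limit src-addr 2
00999 add deny log logamount 65535 ip from any to any
65535 add allow ip from any to any
"""


def _ports(spec):
    """'22', '1024-65535' or '137,138' -> list of (lo, hi) ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rule(line):
    """Parse 'NNNNN add ACTION [log [logamount N]] PROTO from SRC [PORTS] to DST [options]'."""
    tok = line.split()
    if len(tok) < 3 or tok[1] != "add":
        return None
    rule = {"num": int(tok[0]), "action": tok[2], "opts": {}}
    if rule["action"] == "check-state":   # dynamic-rule lookup, no packet body to match here
        return rule
    i = 3
    if tok[i] == "log":                   # logging never affects matching
        i += 1
        if tok[i] == "logamount":
            i += 2
    rule["proto"] = tok[i]; i += 1
    assert tok[i] == "from"; i += 1
    rule["src"] = tok[i]; i += 1
    if tok[i] != "to":                    # optional source port spec, e.g. 'me 1024-65535'
        rule["sports"] = _ports(tok[i]); i += 1
    assert tok[i] == "to"; i += 1
    rule["dst"] = tok[i]; i += 1
    while i < len(tok):                   # trailing options
        key = tok[i]
        if key in ("in", "out", "setup", "keep-state", "frag"):
            rule["opts"][key] = True; i += 1
        elif key == "limit":              # 'limit src-addr N' carries two value tokens
            rule["opts"][key] = tok[i + 1:i + 3]; i += 3
        else:                             # dst-port, tcpflags, icmptypes, ipoptions, via
            rule["opts"][key] = tok[i + 1]; i += 2
    return rule


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_match(ranges, port):
    return any(lo <= port <= hi for lo, hi in ranges)


def _flags_match(spec, flags):
    """'syn,fin' requires both set; '!fin,!syn,...' requires each one clear."""
    return all((f.lstrip("!") in flags) == (not f.startswith("!")) for f in spec.split(","))


def rule_matches(rule, pkt):
    if rule["action"] == "check-state":
        return False
    if rule["proto"] not in ("ip", "all") and rule["proto"] != pkt["proto"]:
        return False
    if not _addr_match(rule["src"], pkt["src"]) or not _addr_match(rule["dst"], pkt["dst"]):
        return False
    if "sports" in rule and not _port_match(rule["sports"], pkt.get("sport", 0)):
        return False
    flags = pkt.get("flags", set())
    checks = {
        "in": lambda v: pkt["dir"] == "in",
        "out": lambda v: pkt["dir"] == "out",
        "dst-port": lambda v: _port_match(_ports(v), pkt.get("dport", 0)),
        "tcpflags": lambda v: _flags_match(v, flags),
        "setup": lambda v: "syn" in flags and "ack" not in flags,   # ipfw: SYN without ACK
        "icmptypes": lambda v: str(pkt.get("icmptype")) in v.split(","),
        "ipoptions": lambda v: bool(set(v.split(",")) & pkt.get("ipoptions", set())),
        "via": lambda v: pkt.get("iface") == v,
        "frag": lambda v: pkt.get("frag", False),
    }
    return all(checks[k](v) for k, v in rule["opts"].items() if k in checks)


def load(text):
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return sorted((r for r in rules if r), key=lambda r: r["num"])


def pkt(proto, src, dst, direction, **extra):
    """Constructed packet: proto, addresses, 'in'/'out', plus sport/dport/flags/icmptype."""
    p = {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "dir": direction}
    p.update(extra)
    return p


RULES = load(RULESET)


def classify(p):
    """First-match semantics: return (rule number, action) of the first rule that matches."""
    for r in RULES:
        if rule_matches(r, p):
            return r["num"], r["action"]
    return None


if __name__ == "__main__":
    me = "198.51.100.10"
    print(classify(pkt("tcp", "203.0.113.5", me, "in", sport=45000, dport=22, flags={"syn"})))  # (610, 'allow')
    print(classify(pkt("tcp", "10.1.2.3", me, "in", sport=45000, dport=22, flags={"syn"})))     # (420, 'deny')
    print(classify(pkt("udp", me, "203.0.113.53", "out", sport=500, dport=53)))                  # (400, 'deny')
```

The last example in the usage block shows the side effect of rule 00110 restricting source ports to 1024-65535: an outbound UDP datagram with a low source port (500 here) never reaches an allow rule and is dropped by 00400, which is worth knowing before blaming the remote end for a failed IKE or NTP exchange from a privileged port.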
