Sorry, it's because I haven't had my coffee yet.... As far as I can see, the entry in the log comes from fp=UDP:2, while what you pasted concerns ICMP, which is an entirely different beer...... Take a look at the part of the script that handles UDP.......
Kostadin Karaivanov
Senior System Administrator @ Ministry Of Finance
tel: +359 2 98592062
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Qsin
Sent: Wednesday, July 03, 2002 08:52
To: [EMAIL PROTECTED]
Subject: Re: lug-bg: iptables

Unfortunately, like Ivan Dobrinov, I'm not very well versed in iptables either, so my question may also look very much like a layman's, for which I apologize in advance, BUT:

When trying to sync the clock under Windows XP Pro, the following shows up in the log:

Jul 3 08:43:51 firewall kernel: fp=UDP:2 a=DROP IN=eth0 OUT=eth1 SRC=192.168.xxx.yyy DST=129.6.15.28 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=60553 PROTO=UDP SPT=123 DPT=123 LEN=56

and the clock doesn't get synced. In iptables, regarding ICMP, there is the following:

[0:0] -A INPUT -s 192.168.xxx.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 41031:41900 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -i eth1 -p icmp -j ICMPINBOUND
[0:0] -A FORWARD -s 192.168.xxx.0/255.255.255.0 -d ! 192.168.xxx.0/255.255.255.0 -p tcp -m tcp --dport 41031:41900 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -s 192.168.xxx.0/255.255.255.0 -i eth0 -o eth1 -p icmp -j ACCEPT
[0:0] -A FORWARD -i eth1 -p icmp -m state --state RELATED -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p icmp -j ICMPOUTBOUND
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -j ACCEPT
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -j ACCEPT
[0:0] -A LDROP -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=DROP "
[0:0] -A LREJECT -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
[0:0] -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LREJECT -j REJECT --reject-with icmp-port-unreachable

I asked the person who did the configuration, but he couldn't tell me what is stopping the clock sync. Reading the page linked below (not that I understood much of it :) I started wondering whether the ICMP filtering is precisely what's to blame for this problem.
I know RTFM is the golden rule, but honestly I'm a bit short on time at the moment, which is why I'm asking. If the question is too dumb or annoys you, just don't reply, so we don't generate needless and pointless traffic.

Yavor Atanasov

P.S. I know I'm dumb without you telling me :))))

----- Original Message -----
From: "Boyan Krosnov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 03, 2002 1:29 AM
Subject: RE: lug-bg: iptables

> > Hmm, it's pretty silly to block ICMP packets, since they carry
> > a lot of valuable information. But since, in the good unix tradition,
> > people give you enough rope to shoot yourself in the foot,
> > try this:
> Very well put. In my opinion you didn't stress enough the fact that
> all ICMP must _NOT_ be filtered, under any pretext.
> http://boyan.ludost.net/papers/pmtu.html for more information.
>
> BR,
> Boyan

============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
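An added example, not part of the thread and not code from any of its participants: a small Python script that reads a line like the one Yavor posted the way Kostadin reads it. It takes the "fp=<protocol>:<n> a=<action>" log prefix as the pointer to the section of the ruleset that logged the packet, infers the chain from whether IN= and OUT= are both filled in (a heuristic for the filter table: forwarded packets have both, locally delivered ones only IN=, locally generated ones only OUT=), and names the UDP service by destination port. Assumptions: the prefix convention is inferred from the posted LDROP/LREJECT rules rather than being anything iptables defines; the second, ICMP log line is constructed from that prefix with made-up addresses; the first line is the one from the thread.

```python
import re
from typing import Dict, Optional

# The kernel log line quoted in the thread (the LAN address is masked there too).
THREAD_LOG_LINE = (
    "Jul 3 08:43:51 firewall kernel: fp=UDP:2 a=DROP IN=eth0 OUT=eth1 "
    "SRC=192.168.xxx.yyy DST=129.6.15.28 LEN=76 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=60553 PROTO=UDP SPT=123 DPT=123 LEN=56"
)

# Constructed line (not from the thread): the prefix is the one the posted LDROP
# rule logs with ('--log-prefix "fp=ICMP:3 a=DROP "'); timestamp, addresses and
# the ICMP type 13 (timestamp request, which ICMPINBOUND sends to LDROP) are made up.
CONSTRUCTED_ICMP_LINE = (
    "Jul 3 08:50:02 firewall kernel: fp=ICMP:3 a=DROP IN=eth1 OUT= "
    "SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 "
    "ID=1 PROTO=ICMP TYPE=13 CODE=0"
)

# Prefix convention of this particular script: fp=<protocol section>:<tag> a=<action>.
# Inferred from the posted rules; it is not an iptables convention.
PREFIX_RE = re.compile(r"fp=(?P<section>[A-Z]+):(?P<tag>\d+)\s+a=(?P<action>[A-Z]+)")

# KEY=value pairs written by the LOG target. OUT= may be empty, and LEN= occurs
# twice for UDP (IP total length first, then the UDP header's length field).
KV_RE = re.compile(r"(?<![A-Z])([A-Z]+)=(\S*)")

WELL_KNOWN_UDP = {53: "DNS", 123: "NTP"}


def parse_netfilter_log(line: str) -> Dict[str, str]:
    """Split an iptables LOG line into its KEY=value fields.
    First occurrence wins; a repeated key is stored as KEY2."""
    body = line.split("kernel:", 1)[1]
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(body):
        fields[key + "2" if key in fields else key] = value
    return fields


def infer_chain(fields: Dict[str, str]) -> str:
    """Heuristic for the filter table: forwarded packets carry both IN= and OUT=,
    locally delivered ones only IN=, locally generated ones only OUT=."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_in:
        return "INPUT"
    if has_out:
        return "OUTPUT"
    return "unknown"


def diagnose(line: str) -> Dict[str, Optional[object]]:
    """Which section of the script logged this, in which chain, for what traffic."""
    prefix = PREFIX_RE.search(line)
    if prefix is None:
        raise ValueError("no fp=<proto>:<n> a=<action> prefix in line")
    fields = parse_netfilter_log(line)
    proto = fields.get("PROTO")
    result: Dict[str, Optional[object]] = {
        "script_section": prefix.group("section"),
        "prefix_tag": int(prefix.group("tag")),
        "action": prefix.group("action"),
        "chain": infer_chain(fields),
        "proto": proto,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "dport": None,
        "service": None,
        "icmp_type": None,
    }
    if proto in ("UDP", "TCP"):
        dport = int(fields["DPT"])
        result["dport"] = dport
        if proto == "UDP":
            result["service"] = WELL_KNOWN_UDP.get(dport)
    elif proto == "ICMP":
        result["icmp_type"] = int(fields["TYPE"])
    return result


def explain(line: str) -> str:
    """One-line human summary of diagnose()."""
    d = diagnose(line)
    what = d["service"] or d["proto"]
    if d["icmp_type"] is not None:
        what = f"ICMP type {d['icmp_type']}"
    return (f"{d['action']} by the {d['script_section']} section of the script "
            f"(tag {d['prefix_tag']}) in {d['chain']}: {what} "
            f"{d['src']} -> {d['dst']}")


if __name__ == "__main__":
    for entry in (THREAD_LOG_LINE, CONSTRUCTED_ICMP_LINE):
        print(explain(entry))
```

Run on the posted line it reports a DROP by the UDP section in FORWARD for NTP (UDP/123) from the LAN host to 129.6.15.28, i.e. the UDP rules of the FORWARD chain are where to look, not the ICMP chains pasted in the question; the constructed ICMP line comes out as the ICMP section in INPUT, which is what the posted ICMPINBOUND -> LDROP rules would produce.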
