Thanks. I owe you a beer (no joke) :)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Florin Iamandi
Sent: Monday, December 11, 2006 9:46 PM
To: Romanian Linux Users Group
Subject: Re: [rlug] DNS FreeBSD
Sergiu Icobescu dixit (2006-12-11, 20:03:03):
> # Packet Filter - example for two interfaces
Total and global disaster :)
[...]
You don't use these, comment them out:
int_ip="10.11.1.1"
not_local_network="!10.11.1.0/24"
gateway="a.b.34.129"
block_in_tcp_ports="{ 137, 138, 139, 81, 445, 199 }"
You need these, but I don't see any pass rule for them:
permit_in_udp_ports="{ 53, 953 }"
Here is your problem: you are missing the pass in/out rules for the traffic you
expect on these ports. The rest is just talk, but you can keep reading if you want.
If these are the "default values", why did you put them in?!
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
Replace this:
set loginterface none
with this: set loginterface $ext_if
:) Security through obscurity anyone?
set block-policy drop
Roughly like the one here, you also need a rule for your favourite UDP ports
(sorry for the lack of wrapping...):
pass in quick on $ext_if inet proto tcp from any to $ext_ip port $permit_in_tcp_ports flags S/SA keep state
As for rc.conf....
pflog_enable="YES"
Welcome to the world of people with firewalls:
man 5 pf.conf
http://cvs.openbsd.org/faq/pf/
http://www.tcpipguide.com/
Have fun.
--
Digitally yours,
Florin Iamandi (Slippery)
Reason is the first victim of emotion. -- Scytale, Dune Messiah
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug