Eh, those SYN packets you blocked will protect you against a SYN flood,
and will also protect others from connecting to you :).
Try syn-cookies as a poor man's protection (it's about all you can do if
you have an open port) and let the poor packets come to you, otherwise
nobody will be able to connect.
Mircea C.
Ionut MURGOCI wrote:
>
> Hi, I have a problem with the rules for sshd. I made a firewall, and
> everything I want works fine except sshd. If a user does ssh from outside
> it gets rejected, but if I do ssh from inside to outside it works.
> The rules are the following:
> First:
> default policy for input and output is reject - and it has to stay that way
> then rules for the ssh client and server:
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE $UNPRIVPORTS -d $ANYWHERE 22 -j ACCEPT
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 22 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $SSH_PORTS -d $ANYWHERE 22 -j ACCEPT
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 22 -d $ANYWHERE $SSH_PORTS -j ACCEPT
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 22 -j ACCEPT
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -d $ANYWHERE 22 -j ACCEPT
>
> Unde:
> ANYWHERE="any/0"
> PRIVPORTS="0:1023"
> UNPRIVPORTS="1024:65535"
> SSH_PORTS="1022:1023"
>
> Can you tell me where the problem is, because the server rules look
> correct to me.
> Thx!
>
> --
> ----------------------------------------------------------
> Imagination is the only weapon in the war against reality.
> Sysadmin - Computer Science Highschool - IASI *
>
---
Send e-mail to '[EMAIL PROTECTED]' with 'unsubscribe rlug' to
unsubscribe from this list.
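The fix Mircea is pointing at, written out as an added example that is not part of either message in the thread: the same ipchains rule set with `! -y` removed from the server's input rule (the inbound SYN is the connection request, so rejecting it rejects every client), `! -y` added to the client-side reply rule so that nobody can open a connection to the host merely by sending from source port 22 (the posted rule allowed that), and SYN cookies turned on through /proc. The interface name eth0 and the DRYRUN switch are assumptions of this example; by default it prints the commands instead of executing them, so it can be run anywhere to inspect the rules before applying them as root on a 2.2-era kernel.

```shell
#!/bin/sh
# Added example, not from the list thread: ipchains rules for an SSH server
# and client behind default-REJECT input/output chains. Compared with the
# rules posted in the thread, '! -y' is dropped from the server's input
# rule and added to the client's input (reply) rule.
# Assumptions: eth0 is a made-up interface name; DRYRUN=1 (the default)
# prints the commands, DRYRUN=0 runs them.

DRYRUN="${DRYRUN:-1}"
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"   # assumed name
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"
SSH_PORTS="1022:1023"      # privileged source ports used by old ssh clients

# In dry-run mode, print the command instead of executing it.
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$@"
    else
        "$@"
    fi
}

# Server side: remote clients connect to local port 22.
ssh_server_rules() {
    # Connection requests from unprivileged client ports. No '! -y' here:
    # the client's SYN must get through or no session can ever start.
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
        -s $ANYWHERE $UNPRIVPORTS -d $ANYWHERE 22 -j ACCEPT
    # Replies from port 22. '! -y' is right here: the server never sends a
    # bare SYN, so a process bound to port 22 cannot open outbound connections.
    run ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s $ANYWHERE 22 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
    # The same pair for clients that use privileged source ports 1022:1023.
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
        -s $ANYWHERE $SSH_PORTS -d $ANYWHERE 22 -j ACCEPT
    run ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s $ANYWHERE 22 -d $ANYWHERE $SSH_PORTS -j ACCEPT
}

# Client side: local ssh connects to remote port 22.
ssh_client_rules() {
    # Our own SYN goes out, so no '! -y' on the output rule.
    run ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
        -s $ANYWHERE $UNPRIVPORTS -d $ANYWHERE 22 -j ACCEPT
    # Replies from remote port 22 only. '! -y' stops anyone from opening a
    # connection to us just by choosing source port 22.
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s $ANYWHERE 22 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
}

# SYN cookies: the kernel answers a SYN flood without keeping half-open
# state per connection, which is the protection Mircea suggests.
enable_syncookies() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/tcp_syncookies'
}

ssh_server_rules
ssh_client_rules
enable_syncookies
```

Run it once with the default DRYRUN=1 and compare the printed input rules against the posted ones: the only difference on the server side is the missing `! -y` on the input rule for port 22, which is exactly the packet the original ruleset was rejecting.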