I know, the problem is that there are many of them and I'm not sure I'd find them all. I mean it's roughly the same problem as with ICQ. ICQ, for example, lets you select the server's IP and port. YM runs on a whole range of IPs. I don't really like banning address classes... I'd like it to be as targeted as possible.

----- Original Message -----
From: "Mihai Badici" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 14, 2003 7:37 AM
Subject: [rlug] Re: ICQ & YM and firewall

> Well, what if you block access directly to the server(s) in question?
> (Mind you, to me it seems a useful tool, I don't see what you have against it, but...)
>
> Radu wrote:
>
>> Bro, no problem at all.
>> The idea is how one could still do it with that damned yahoo
>> messenger... because this thing stresses me too.
>> And I don't have too many ideas... in this direction...
>> Maybe someone has dealt with it after all... just with blocking yahoo messenger...?
>>
>> Radu.
>> ----- Original Message -----
>> From: "Knight" <[EMAIL PROTECTED]>
>> To: "Radu" <[EMAIL PROTECTED]>
>> Sent: Tuesday, October 14, 2003 8:23 AM
>> Subject: [rlug] Re: ICQ & YM and firewall
>>
>>> Radu,
>>>
>>> I think mea culpa
>>> but where the hell did I read ipchains, because I know for sure that's what I read
>>> whatsoever
>>> sorry
>>>
>>> Wednesday, October 15, 2003, 2:05:25 AM, you wrote:
>>>
>>>> Brother Knight,
>>>>
>>>> It would be good to sit down and read the threads carefully. The poor man
>>>> had asked about iptables. Just for the sake of it, look back and see that
>>>> your answers are a bit off the mark. The thing about opening your eyes... is
>>>> very true. It starts right from the first mail....
>>>> For documentation purposes... I list it below... I hope you won't be upset
>>>> with me, but it seems to me it says iptables. I know that because I finished
>>>> first grade with honours... :))
>>>>
>>>> Behave yourself,
>>>> Radu.
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a firewall script, made with iptables, on a gateway that has
>>>>> policy "DROP" on the forward chain and allows users in the local
>>>>> network to connect to the internet only on ports 80, 25, 110.
>>>>> My idea would be that people in the local network can only get out
>>>>> to the web and to mail.
>>>>> The problem arises when ICQ or YM uses any port whatsoever to connect
>>>>> to the outside and links up to a multitude of addresses. So from the
>>>>> local network anyone can chat at will.
>>>>> Can anyone tell me how this nuisance gets solved?
>>>>>
>>>>> --
>>>>> Thanks in advance,
>>>>> Liviu mailto:[EMAIL PROTECTED]
>>>>>
>>>>> ---
>>>>> Details about our mailing lists: http://www.lug.ro/
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> ----- Original Message -----
>>>> From: "Knight" <[EMAIL PROTECTED]>
>>>> To: "Radu" <[EMAIL PROTECTED]>
>>>> Sent: Tuesday, October 14, 2003 7:55 AM
>>>> Subject: [rlug] Re: ICQ & YM and firewall
>>>>
>>>>> Radu,
>>>>>
>>>>> did you even read what I wrote?
>>>>> the guy who posted the thread asked for help with ipchains
>>>>> so don't jump on me
>>>>> a matter of alphabet my foot, it's a matter of following a thread and
>>>>> opening your eyes wide :))
>>>>>
>>>>> Wednesday, October 15, 2003, 1:48:55 AM, you wrote:
>>>>>
>>>>>> Old man, IPTABLES. Not ipchains.
>>>>>> A matter of alphabet.
>>>>>> ----- Original Message -----
>>>>>> From: "Knight" <[EMAIL PROTECTED]>
>>>>>> To: "Dekxter X." <[EMAIL PROTECTED]>
>>>>>> Sent: Tuesday, October 14, 2003 7:01 AM
>>>>>> Subject: [rlug] Re: ICQ & YM and firewall
>>>>>>
>>>>>>> Dekxter,
>>>>>>>
>>>>>>> yes, but the guy specified that he wants ipchains
>>>>>>> :(((((((
>>>>>>> with -y I think it was in ipchains :)) instead of --syn
>>>>>>>
>>>>>>> Monday, October 13, 2003, 6:32:40 PM, you wrote:
>>>>>>>
>>>>>>>> you will have to change FORWARD with:
>>>>>>>>
>>>>>>>> iptables --policy FORWARD DROP
>>>>>>>>
>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 25 --jump ACCEPT
>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 80 --jump ACCEPT
>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 110 --jump ACCEPT
>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 143 --jump ACCEPT
>>>>>>>> # these 4 rules are for access to any address for
>>>>>>>> # mail via POP3, IMAP, send and www
>>>>>>>>
>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 --syn --jump DROP
>>>>>>>> iptables -A FORWARD -s 192.168.0.0/24 --syn --jump DROP
>>>>>>>> # these 2 rules reject any attempt to initiate a connection
>>>>>>>> # into the local network or from the local network towards the internet
>>>>>>>>
>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --jump ACCEPT
>>>>>>>> # this rule accepts any other kind of tcp connection
>>>>>>>>
>>>>>>>> # man iptables
>>>>>>>>
>>>>>>>> [!] --syn
>>>>>>>> Only match TCP packets with the SYN bit set and the ACK and RST
>>>>>>>> bits cleared. Such packets are used to request TCP connection
>>>>>>>> initiation; for example, blocking such packets coming in an interface
>>>>>>>> will prevent incoming TCP connections, but outgoing TCP connections will
>>>>>>>> be unaffected.
>>>>>>>> It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag
>>>>>>>> precedes the "--syn", the sense of the option is inverted.
>>>>>>>>
>>>>>>>> ps: if I'm wrong please correct me ...
>>>>>>>>
>>>>>>>> Liviu wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> My idea would be that people in the local network can only get out
>>>>>>>>> to the web and to mail.
>>>>>>>
>>>>>>> --
>>>>>>> Best regards,
>>>>>>>  Knight
>>>>>>>
>>>>>>> This message was brought to you by the numbers 0 and 1.
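The thread describes the policy in words (FORWARD defaults to DROP, the LAN may open TCP connections only to ports 80, 25 and 110, and Mihai suggests blocking the messenger servers directly) but never shows a complete, working rule set. The rules Dekxter posted match on `-d 192.168.0.0/24`, i.e. packets heading into the LAN, contain no rule that lets reply packets out, and use `--syn` without `-p tcp`, which iptables rejects. The script below is an added example written for this page, not code from the thread or from any participant. It generates the rules as text so they can be reviewed before being applied; the LAN prefix 192.168.0.0/24 is the one used in the thread, the port list and the blocked host 203.0.113.10 are constructed placeholders, and the `egress_rules` and `count_rules` names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): an egress policy for a Linux gateway
# in the spirit of what Liviu describes, written as a rule generator so the
# output can be reviewed before it touches the firewall.
#
# Assumed values: the LAN is 192.168.0.0/24 (the prefix used in the thread);
# the allowed destination ports default to 80, 25, 110; the blocked host
# 203.0.113.10 is a constructed placeholder, not a real messenger server.

# egress_rules LAN "PORTS" "BLOCKED_HOSTS"
# Prints one iptables command per line for the FORWARD chain.
egress_rules() {
    lan="$1"
    ports="$2"
    blocked="$3"

    # Start from a clean chain with a default-deny policy.
    echo "iptables --flush FORWARD"
    echo "iptables --policy FORWARD DROP"

    # Targeted blocks come first, so that a blocked server reachable on an
    # allowed port (a messenger gateway listening on 80, say) is still refused.
    for h in $blocked; do
        echo "iptables -A FORWARD -s $lan -d $h -j DROP"
    done

    # Return traffic of connections the gateway already accepted. This is the
    # rule that lets replies from the permitted ports back into the LAN.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # New outbound TCP connections from the LAN, only to the allowed ports.
    # Matching on -s (source = LAN) is what makes this an egress rule;
    # --syn limits the match to connection requests and requires -p tcp.
    for p in $ports; do
        echo "iptables -A FORWARD -s $lan -p tcp --dport $p --syn -j ACCEPT"
    done

    # Everything else (other ports, UDP, inbound connection attempts) falls
    # through to the DROP policy.
}

# count_rules LAN "PORTS" "BLOCKED_HOSTS": number of rules that would be
# appended, handy for a quick sanity check before applying.
count_rules() {
    egress_rules "$1" "$2" "$3" | grep -c -- '-A FORWARD'
}

# Dry run: print the rules. To apply them, pipe the output into a root shell,
# e.g.  sh egress.sh | sudo sh
egress_rules "${LAN:-192.168.0.0/24}" "${PORTS:-80 25 110}" "${BLOCKED:-203.0.113.10}"
```

Run it once without a pipe to read the rules, then pipe them into a root shell. The `ESTABLISHED,RELATED` rule replaces the "accept any other TCP" catch-all from the thread: it admits only packets belonging to a connection the allowed-port rules already accepted, so nothing on a stray port slips through as "not a SYN". The per-host DROP list is Mihai's suggestion made concrete, and Radu's objection applies to it unchanged: a service that moves between many addresses needs that list maintained, and the generator makes re-applying an updated list a one-line change.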
