Hi,

I've gotten rather tangled up in ipfw rules and need a few clarifications.
Below is what I'd call a firewall, though I won't be upset if you disagree :-)

The idea is this: I closed all the open ports on the host and then added a
deny all from any to any as rule 65000, and I was cutting off my own network.
What is between the lines with +++++ are some commands I'm not too sure about,
but I managed to get the network working.

Is it any good, or should I redo it? :-)

Thanks,
petre

$fwcmd add deny all from any to 127.0.0.0/8
$fwcmd add deny ip from 127.0.0.0/8 to any
$fwcmd add deny ip from any to any frag

echo
echo "# SPOOFING CHECK"
$fwcmd add deny all from 10.0.0.0/8 to any in via rl0
$fwcmd add deny all from 172.16.0.0/12 to any in via rl0
$fwcmd add deny all from 192.168.0.0/16 to any in via rl0

# This sends a RESET to all ident packets.
$fwcmd add allow tcp from 193.231.237.197 to $JE 113 via rl0
$fwcmd add allow tcp from 193.231.189.11 to $JE 113 via rl0
$fwcmd add reset log tcp from any to any ident in recv rl0

echo
echo "#ssh"
$fwcmd add allow tcp from 193.231.237.197 to $JE 22
$fwcmd add allow tcp from $lubyanka to $JE 22
$fwcmd add allow tcp from 193.231.237.1 to $JE 22
$fwcmd add allow tcp from 193.231.189.30 to $JE 22
$fwcmd add deny log tcp from any to $JE 22 in setup

echo
echo "#samba"
$fwcmd add allow tcp from 193.231.237.171 to any 136-139
$fwcmd add allow udp from 193.231.237.171 to any 136-139
$fwcmd add deny log tcp from any to $JE 136-139 in setup
$fwcmd add deny log udp from any to $JE 136-139 in setup

echo
echo "#nfs"
for i in tcp udp
do
    $fwcmd add allow $i from 193.231.189.0/26 to $JE 1011,1022,2049,1023,111
    $fwcmd add allow $i from $lubyanka to $JE 1011,1022,2049,1023,111
    $fwcmd add deny log $i from any to $JE 1011,1022,2049,1023,111
done

++++++++++++++++++++++++++++++++++
# allow dns queries to outside
$fwcmd add allow udp from $JE to any 53
$fwcmd add allow udp from any 53 to $JE

# allow ftp connections
$fwcmd add allow tcp from any 20,21 to $JE established

# allow everything outbound
$fwcmd add allow all from $JE to any

# free ports
$fwcmd add allow tcp from any to $JE 2250-2300
++++++++++++++++++++++++++++++++++++++++++

# drop SYN for ports < 1024
$fwcmd add deny log tcp from any to $JE 1-1024

++++++++++++++++++++++++++++++++++++
$fwcmd add allow tcp from any to $JE established
$fwcmd add allow tcp from $JE to any setup
+++++++++++++++++++++++++++++++++++++

# ICMP
$fwcmd add allow icmp from any to any out icmptypes 8
$fwcmd add allow icmp from any to any in icmptypes 0

$fwcmd add 65000 deny log all from any to any

-- 
1:57PM up 1:56, 1 user, load averages: 0.36, 0.23, 0.13

