First, don't filter only echo-request. The only ICMP types you should let in are echo-reply, destination-unreachable and time exceeded:

ipchains -A input -i ppp0 -p 1 -s 0/0 0:0 -j ACCEPT
ipchains -A input -i ppp0 -p 1 -s 0/0 3:3 -j ACCEPT
ipchains -A input -i ppp0 -p 1 -s 0/0 11:11 -j ACCEPT
ipchains -A input -i ppp0 -p 1 -s 0/0 -l -j DENY

Then you protect your DNS by not letting anyone on interface ppp0 send queries, transfer zones, and so on. This assumes you don't host a zone yourself, i.e. you have a caching-only DNS server:

ipchains -A input -i ppp0 -p 6 -s 0/0 -d YOUR_IP_ADDRESS 53:53 -j DENY

(this first line is not needed if further down you block incoming connection requests to your machine).

ipchains -A input -i ppp0 -p 17 -s 0/0 -d YOUR_IP_ADDRESS 53:53 -j DENY

If you don't have any services that need requests from outside, block the SYN packets so that no connection requests are accepted, and you are done in the most general terms. At the end you write:

ipchains -A input -i ppp0 -p 6 -s 0/0 -y -j DENY

Of course there are finer and more complex setups. But each of them starts with scanning the ports with nmap, for example, to see what is open and what is not, and so on. Besides, I think you will get better results with IPTABLES. As for the TOS bits, the LINUX NAG describes in detail which one is used for what.

Vesselin

On Wednesday 26 September 2001 16:26, you wrote:
> I have a server in a room with 3 PCs, very powerful Athlons,
> but that's not my problem.
> I want to ask how to build or write myself a firewall
> for Linux; the question is about things like anti DNS-spoofing,
> IP-spoofing, blocking ping
> ipchains -A input -l -i ppp0 -p icmp -s 0.0.0.0/0 echo-request -j DENY
> and I want to ask what these parameters will help me with
> ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
> ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
> ipchains -A output -p tcp -d 0.0.0.0/0 ftp-data -t 0x01 0x10
> ===========================================================================
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
> http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
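The reply recommends iptables without showing it; the following is an added example, not part of the original message, that restates the reply's ipchains rules in iptables syntax. The function name load_rules, the IPT dry-run variable, the log prefix and the address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: iptables form of the ipchains rules from the reply.
# IPT defaults to a dry run that only prints the commands; run as root
# with IPT=iptables to load them. Names and values here are hypothetical.
IPT=${IPT:-echo iptables}

load_rules() {
    iface=$1   # external interface (ppp0 in the thread)
    addr=$2    # this host's address on that interface

    # ipchains took the ICMP type as a source "port" (0:0, 3:3, 11:11);
    # iptables uses --icmp-type. Types 0, 3 and 11 by name:
    for t in echo-reply destination-unreachable time-exceeded; do
        $IPT -A INPUT -i "$iface" -p icmp --icmp-type "$t" -j ACCEPT
    done

    # ipchains "-l -j DENY" becomes a LOG rule followed by a DROP rule.
    $IPT -A INPUT -i "$iface" -p icmp -j LOG --log-prefix icmp-drop:
    $IPT -A INPUT -i "$iface" -p icmp -j DROP

    # Caching-only resolver: no DNS queries or zone transfers from outside
    # (protocols 6 and 17 in the ipchains rules).
    for proto in tcp udp; do
        $IPT -A INPUT -i "$iface" -p "$proto" -d "$addr" --dport 53 -j DROP
    done

    # ipchains "-y" is spelled --syn: refuse new inbound TCP connections.
    $IPT -A INPUT -i "$iface" -p tcp --syn -j DROP
}

# Dry run with constructed values (192.0.2.10 is a documentation address).
load_rules ppp0 192.0.2.10
```

As with the ipchains version, rule order matters: the three ACCEPT rules must precede the catch-all ICMP DROP.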