[IRIX] How to configure ipfilterd on IRIX

Posted 2002-07-13 10:08
Here's a simple example of configuring ipfilterd on IRIX:

1. You should probably systune 'ipfilterd_inactive_behavior = 0' before you
start experimenting with this, so that you don't kill your connection:
#echo yes | systune ipfilterd_inactive_behavior 0

2. vi /etc/ipfilterd.conf
# ipfilterd.conf
# $Revision: 1.3 $
# Configuration file for ipfilterd(1M) IP layer packet filtering.
# Lines that begin with # are comments and are ignored.
# Lines begin with a keyword, followed either by a macro definition or
# by an optional interface filter, which may be followed by a protocol
# filter.
# Both macros and filters use SGI's netsnoop(1M) filter syntax.
# The currently supported keywords are:
# accept        : accept all packets matching this filter
# reject        : silently discard packets matching this filter
# define        : define a new macro to add to the standard netsnoop macros
# See the ipfilterd(1M) man page for examples of filters and macros.
# The network administrator may find the following macros useful:
define ip.netAsrc (src&0xff000000)=$1
define ip.netAdst (dst&0xff000000)=$1
define ip.netBsrc (src&0xffff0000)=$1
define ip.netBdst (dst&0xffff0000)=$1
define ip.netCsrc (src&0xffffff00)=$1
define ip.netCdst (dst&0xffffff00)=$1
define ip.notnetAsrc not((src&0xff000000)=$1)
define ip.notnetAdst not((dst&0xff000000)=$1)
define ip.notnetBsrc not((src&0xffff0000)=$1)
define ip.notnetBdst not((dst&0xffff0000)=$1)
define ip.notnetCsrc not((src&0xffffff00)=$1)
define ip.notnetCdst not((dst&0xffffff00)=$1)
# Additional macros:
# Filters follow:
# Allow your class C nett to do it all:
accept ip.netCsrc XXX.XXX.XXX.0
# Allow incoming secure shell from everywhere
accept -i ec0 tcp.dport 22
# Allow incoming http from everywhere
accept -i ec0 tcp.dport 80
# Allow incoming ftp + ftp-data from everywhere (do you really want this?)
accept -i ec0 tcp.dport 21
accept -i ec0 tcp.dport 20
# allow in identd.  
accept -i ec0 tcp.dport auth
# reject all other incoming tcp SYNs so that no one can connect
reject -i ec0 ip.dst my.ip.add.res and tcp.flags == SYN
# reject what are typically X connections (use ssh forwarding instead)
reject -i ec0 ip.dst my.ip.add.res and tcp.dport > 5999 and tcp.dport <
# allow in non-privileged ports (remember to set "UsePrivilegedPort no" in
# /etc/ssh-config!)
accept -i ec0 tcp.dport > 1023
accept -i ec0 udp.dport > 1023
# allow in certain ICMP traffic
accept -i ec0 icmp.type == ECHO
accept -i ec0 icmp.type == ECHOREPLY
accept -i ec0 icmp.type == UNREACHABLE
accept -i ec0 icmp.type == TIMXCEED

3. Start ipfilterd:
#ipfilterd -d
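The ruleset in the post is evaluated top to bottom, and the order decides what the later lines ever see: the "reject all other incoming tcp SYNs" line catches every fresh connection attempt before the X-display reject and the "accept tcp.dport > 1023" line are reached, so those two only ever apply to non-SYN packets (established-connection return traffic). The Python model below is an added example, not part of the original post and not ipfilterd itself: it re-implements the post's filter list as first-match predicates over constructed packets so you can see which rule catches what before loading the file on a real host. Assumptions it makes: first-match evaluation with unmatched packets rejected (check the ipfilterd(1M) man page on your IRIX release before relying on that default), 192.0.2.10 and 192.0.2.0/24 standing in for my.ip.add.res and XXX.XXX.XXX.0, and an upper bound of 6064 for the truncated X-display line.

```python
"""First-match model of the ipfilterd.conf rules shown in the post.

Added illustration, not IRIX code: the predicates mirror the post's
accept/reject lines in order, and decide() returns the first match.
Host and network addresses are constructed stand-ins; the X display
range upper bound (6064) is an assumption, since that line is cut off
in the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

HOST = ip_address("192.0.2.10")          # stands in for my.ip.add.res (constructed)
LOCAL_NET = ip_network("192.0.2.0/24")   # stands in for XXX.XXX.XXX.0 (constructed)
ICMP_ALLOWED = {"ECHO", "ECHOREPLY", "UNREACHABLE", "TIMXCEED"}


@dataclass(frozen=True)
class Packet:
    iface: str                        # interface the packet arrived on, e.g. "ec0"
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flag set; netsnoop "tcp.flags == SYN" means exactly {SYN}
    icmp_type: str = ""


Rule = Tuple[str, str, Callable[[Packet], bool]]


def rules() -> List[Rule]:
    """Ordered (action, label, predicate) list mirroring the post's filters."""
    syn_only = frozenset({"SYN"})
    on_ec0 = lambda p: p.iface == "ec0"
    tcp = lambda p: on_ec0(p) and p.proto == "tcp"
    udp = lambda p: on_ec0(p) and p.proto == "udp"
    icmp = lambda p: on_ec0(p) and p.proto == "icmp"
    to_host = lambda p: ip_address(p.dst) == HOST
    return [
        # no -i on this line in the post, so it applies on every interface
        ("accept", "ip.netCsrc local net", lambda p: ip_address(p.src) in LOCAL_NET),
        ("accept", "ssh", lambda p: tcp(p) and p.dport == 22),
        ("accept", "http", lambda p: tcp(p) and p.dport == 80),
        ("accept", "ftp", lambda p: tcp(p) and p.dport == 21),
        ("accept", "ftp-data", lambda p: tcp(p) and p.dport == 20),
        ("accept", "auth", lambda p: tcp(p) and p.dport == 113),
        # every new inbound connection attempt stops here
        ("reject", "other SYN", lambda p: tcp(p) and to_host(p) and p.flags == syn_only),
        # only non-SYN packets get this far; 6064 upper bound is assumed
        ("reject", "X11 range", lambda p: tcp(p) and to_host(p) and 5999 < p.dport < 6064),
        ("accept", "tcp > 1023", lambda p: tcp(p) and p.dport > 1023),
        ("accept", "udp > 1023", lambda p: udp(p) and p.dport > 1023),
        ("accept", "icmp", lambda p: icmp(p) and p.icmp_type in ICMP_ALLOWED),
    ]


def decide(p: Packet) -> Tuple[str, str]:
    """Return (action, label) of the first matching rule; unmatched packets are rejected."""
    for action, label, pred in rules():
        if pred(p):
            return action, label
    return "reject", "no match"


def walk_samples() -> List[Tuple[str, str, str]]:
    """Run a set of constructed packets through the model and report each verdict."""
    outside, syn, synack, ack = "198.51.100.7", frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    samples = [
        ("SYN to sshd from outside", Packet("ec0", "tcp", outside, "192.0.2.10", 22, syn)),
        ("SYN to high port 8080 from outside", Packet("ec0", "tcp", outside, "192.0.2.10", 8080, syn)),
        ("SYN-ACK reply to our client port", Packet("ec0", "tcp", outside, "192.0.2.10", 40000, synack)),
        ("SYN to X display :0", Packet("ec0", "tcp", outside, "192.0.2.10", 6000, syn)),
        ("stray ACK to X display :0", Packet("ec0", "tcp", outside, "192.0.2.10", 6000, ack)),
        ("UDP query to port 53", Packet("ec0", "udp", outside, "192.0.2.10", 53)),
        ("ICMP echo request", Packet("ec0", "icmp", outside, "192.0.2.10", icmp_type="ECHO")),
        ("telnet from the local class C on another interface", Packet("ef0", "tcp", "192.0.2.55", "192.0.2.10", 23, syn)),
        ("SYN to sshd arriving on a non-ec0 interface", Packet("ef0", "tcp", outside, "192.0.2.10", 22, syn)),
    ]
    return [(desc, *decide(p)) for desc, p in samples]


if __name__ == "__main__":
    for desc, action, label in walk_samples():
        print(f"{action:6} [{label:22}] {desc}")
```

Two things the walk makes visible that the config file does not: the X-display reject only ever fires for non-SYN packets, because the SYN reject above it has already caught every connection attempt, and the "accept tcp.dport > 1023" line would open every unprivileged port to new connections if it were moved above that SYN reject. The last sample also shows that every -i ec0 rule is silent for a second interface, so a host with more than one interface needs its own lines for each.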
