开个专题:贴出自己的IPFW规则来交流吧!
Here's my OpenBSD 2.9 + IPFilter rules output:
#cat /etc/ipf.rules
#####################################################################
# /etc/ipf.rules -- IPFilter (ipf) ruleset for a small OpenBSD gateway.
#
# Interfaces as used below: rl0 is the outside (Internet-facing)
# interface, rl1 the inside one, lo0 the loopback.
#
# Every rule carries "quick", so the first matching rule decides and
# evaluation runs strictly top to bottom.  Order therefore matters:
# moving a rule changes the policy.
#
# Loopback is trusted completely.
#
pass out quick on lo0
pass in quick on lo0
# The inside interface is trusted completely as well: nothing arriving
# on or leaving through rl1 is filtered by this file.  Hosts behind rl1
# get no protection from each other, or from this box, here.
#
pass out quick on rl1
pass in quick on rl1
#####################################################################
#
# First, bogus packets arriving from the outside.
#
# ICMP redirects (which can be used to alter this host's routing) are
# dropped and logged.  So are TCP/UDP fragments too short to carry a
# full transport header ("short"), which the port-based rules further
# down could not inspect.
#
block in log quick on rl0 proto icmp from any to any icmp-type redir
block in log quick on rl0 proto tcp/udp all with short
# Anti-spoofing: drop packets whose source address cannot legitimately
# originate on the outside (RFC 1918 space, loopback, 0.0.0.0/8,
# link-local, TEST-NET, the 224.0.0.0/3 multicast+reserved range,
# limited broadcast).  Traffic from the inside network is not affected
# because rl1 is matched by the "pass ... quick" rules above first.
# NOTE(review): a static bogon list like this ages; re-check it against
# current address allocations before reusing it elsewhere.
#
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 0.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any
block in quick on rl0 from 255.255.255.255/32 to any
# Source-routed packets (loose and strict source route options) are
# dropped: they let the sender dictate the path and sidestep routing
# policy.
#
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr
# Egress filtering: never let packets addressed to the same
# non-routable ranges leave through the outside interface.
#
block out quick on rl0 from any to 192.168.0.0/16
block out quick on rl0 from any to 127.0.0.0/8
block out quick on rl0 from any to 172.16.0.0/12
block out quick on rl0 from any to 10.0.0.0/8
block out quick on rl0 from any to 0.0.0.0/8
block out quick on rl0 from any to 169.254.0.0/16
block out quick on rl0 from any to 192.0.2.0/24
block out quick on rl0 from any to 204.152.64.0/23
block out quick on rl0 from any to 224.0.0.0/3
block out quick on rl0 from any to 255.255.255.255/32
#
#####################################################################
#####################################################################
#
# Now the normal filtering rules
#
# ICMP from the outside: only echo reply, echo request (ping), time
# exceeded and unreachable (the types traceroute relies on) are passed.
# Every other ICMP type is dropped and logged.
# NOTE(review): these four rules are stateless.  Replies to pings this
# host sends itself are presumably already admitted by the stateful
# "pass out ... proto icmp ... keep state" rule further down, so the
# echorep line mainly admits unsolicited echo replies -- confirm that
# is wanted.
#
pass in quick on rl0 proto icmp from any to any icmp-type echorep
pass in quick on rl0 proto icmp from any to any icmp-type echo
pass in quick on rl0 proto icmp from any to any icmp-type timex
pass in quick on rl0 proto icmp from any to any icmp-type unreach
block in log quick on rl0 proto icmp from any to any
# TCP services offered to the outside: ssh, smtp, http and https.
# "flags S" matches only the initial SYN; "keep state" then creates a
# state-table entry that carries the rest of the connection, and
# "keep frags" tracks fragments that belong to it.
# NOTE(review): the destination is "any", so a SYN to one of these
# ports is accepted whatever address it is aimed at, as long as it
# arrives on rl0.  If this box forwards traffic, pinning the
# destination to the host's own address would be tighter.
#
pass in quick on rl0 proto tcp from any to any port = ssh flags S keep frags keep state
# Comment this out if sendmail is not running.
pass in quick on rl0 proto tcp from any to any port = smtp flags S keep frags keep state
# Comment the next two rules out if Apache is not running.
pass in quick on rl0 proto tcp from any to any port = http flags S keep frags keep state
# Comment this out if Apache is not serving https (SSL).
pass in quick on rl0 proto tcp from any to any port = https flags S keep frags keep state
# UDP from the outside: nothing is passed here; it is rejected by the
# return-icmp rule near the end of the file.  (The raudio proxy inserts
# temporary entries into the state table when it sees PNA connections,
# so its replies still get through.)
#
# Outbound traffic we originate: keep state so that the replies are
# admitted via the state table instead of explicit rules.  For packets
# leaving our own network, matching only SYN is not strictly necessary
# and fragments are unlikely, but it costs nothing.
# NOTE(review): there is no catch-all "block out" after these three
# rules.  Outbound traffic on rl0 using any other protocol (not
# tcp/udp/icmp) matches nothing in this file and is left to ipf's
# built-in default, which is to pass unless the kernel was built with
# IPFILTER_DEFAULT_BLOCK -- confirm on this system.  An explicit
# "block out log quick on rl0 all" after these would make the outbound
# policy visible in the file.
#
pass out quick on rl0 proto tcp from any to any flags S keep frags keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
# End of rules.  Everything else inbound on rl0 is blocked and logged:
# TCP gets a RST, UDP an ICMP port-unreachable whose source address is
# rewritten to the original destination address ("-as-dest"), so the
# reply looks like it came from the host that was probed.
# NOTE(review): answering with RST / port-unreachable instead of
# silently dropping confirms to the sender that this host is up; that
# is the author's stated choice here, not an oversight.
#
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest in log quick on rl0 proto udp from any to any
# Final inbound catch-all for any interface and protocol not handled
# above (lo0 and rl1 never reach this line because of their "pass ...
# quick" rules at the top).
block in quick all
#
# End of file
#