Virus and Firewall

V13 v13 at priest.com
Sun Jun 6 23:57:54 EEST 2004


On Sunday 06 June 2004 14:15, Giorgos Keramidas wrote:
> On 2004-06-05 22:54, V13 <v13 at priest.com> wrote:
> > I suppose the simplest technique for more-than-adequate security is:
> >
> > iptables -F INPUT
> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p udp -j ACCEPT
> > iptables -A INPUT -p icmp -j ACCEPT
> > iptables -A INPUT -p tcp -j REJECT --syn --reject-with tcp-reset
> > iptables -A INPUT -j DROP
> >
> > unless the distribution installs some program by default that
> > listens on a UDP port.
>
> I haven't checked lately whether state keeping works for UDP packets on
> Linux, but with ipfilter on my BSD box I try to avoid the useless UDP
> packets with something like this:
>
>     giorgos at gothmog:/home/giorgos$ grep udp /etc/ipf.rules
>     # Allow only outgoing udp packets.
>     pass out quick proto udp from any to any keep state
>     block return-icmp-as-dest(port-unr) in proto udp all
>
> If something like that works with iptables too, that's a nice thing :)

It works just fine. Connection tracking handles both UDP and ICMP well:

http://iptables-tutorial.frozentux.net/chunkyhtml/udpconnections.html
http://iptables-tutorial.frozentux.net/chunkyhtml/icmpconnections.html

As for the replies (after the RELATED,ESTABLISHED rule):

iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
(although icmp-port-unreachable is the default when you use -j REJECT)

> It raises the machine's load a little, since it has to keep dynamic
> rules for every UDP 'connection', but on dialup machines, where the
> outgoing UDP packets will be mostly DNS lookups, it doesn't matter much.

Nah.. I haven't seen any problem with conntrack, even on firewalls with
hundreds of connections per second.

Nevertheless, connection tracking can't help if you have a local nameserver
(even if it's just lwres), so a default installation of a distribution might
want to allow all UDP, since most likely no (other) application listening on
a UDP port will be running.

<<V13>>
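A complete INPUT chain that puts the thread's points together, as an added example that is not code from either poster: connection tracking admits the UDP and ICMP replies to the host's own traffic, unsolicited UDP is refused with icmp-port-unreachable, TCP SYNs get a reset, and the local-nameserver case that conntrack cannot cover gets an explicit hole on UDP/53. The toggle argument, the function names and the choice to accept only echo-request (rather than all ICMP, as in the quoted rules) are assumptions made for this example; the latter relies on the ICMP state tracking the link above describes, so echo replies and ICMP errors for our own packets arrive as ESTABLISHED/RELATED.

```shell
#!/bin/sh
# Added example, not code from the thread: an INPUT chain that leans on
# connection tracking for UDP/ICMP replies and rejects unsolicited UDP with
# ICMP port-unreachable. The local-resolver toggle, the echo-request-only
# ICMP rule and the function names are assumptions made for this example.

# Print the iptables commands for the INPUT chain, in order, one per line.
# $1: 1 if a nameserver runs on this host and must accept queries on UDP/53,
#     0 (default) otherwise. Ordering matters: RELATED,ESTABLISHED comes
#     before the REJECT rules, so replies to our own DNS lookups get through
#     even though inbound UDP is otherwise refused.
generate_input_rules() {
    local_dns="${1:-0}"
    cat <<'EOF'
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    # Only a locally running nameserver needs unsolicited inbound UDP;
    # conntrack cannot help there, so open exactly that port and nothing else.
    if [ "$local_dns" = "1" ]; then
        echo "iptables -A INPUT -p udp --dport 53 -j ACCEPT"
    fi
    cat <<'EOF'
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
iptables -A INPUT -j DROP
EOF
}

# Line number of the first rule matching pattern $2 in the ruleset for
# toggle $1, so the ordering can be checked before anything is applied.
rule_position() {
    generate_input_rules "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Apply the generated rules; needs root and the iptables binary on the host.
apply_input_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    generate_input_rules "$1" | sh -e
}

# Usage: sh firewall.sh apply 1    (apply, with a local nameserver)
#        sh firewall.sh            (only print the rules for review)
case "${1:-}" in
    apply) apply_input_rules "${2:-0}" ;;
    *) generate_input_rules "${2:-0}" ;;
esac
```

Run without arguments the script only prints the chain, so the order can be reviewed (RELATED,ESTABLISHED and the optional UDP/53 accept must both precede the UDP REJECT) before `apply` touches the live firewall.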

More information about the Linux-greek-users mailing list