RE: Problem med IPFILTER

From: Allan Wermuth (none@alw--it-service.sdu.dk.lh.bsd-dk.dk)
Date: Tue 31 Aug 2004 - 14:22:15 CEST

Next message: Simon L. Nielsen: "Re: DMA limited to UDMA33"
Previous message: Gorm J. Siiger: "Re: DMA limited to UDMA33"
Maybe in reply to: Allan Wermuth: "Problem med IPFILTER"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

Subject: RE: Problem med IPFILTER
Date: Tue, 31 Aug 2004 14:22:15 +0200
From: "Allan Wermuth" <none@alw--it-service.sdu.dk.lh.bsd-dk.dk>
To: <none@bsd-dk--bsd-dk.dk.lh.bsd-dk.dk>

> -----Original Message-----
> From: owner-bsd-dk@hobbes.bsd-dk.dk
> [mailto:owner-bsd-dk@hobbes.bsd-dk.dk] On Behalf Of Erik Norgaard
> Sent: Tuesday, August 31, 2004 1:50 PM
> To: bsd-dk@bsd-dk.dk
> Subject: Re: Problem med IPFILTER
>
>
> Allan Wermuth wrote:
> > # IPFILTER support
> > options IPFILTER
> > options IPFILTER_LOG
> > options IPFILTER_DEFAULT_BLOCK
>
> Det anbefales normalt ikke at inkludere den sidste linie,
> specielt mens
> du roder med at lave et regelsæt. I stedet kan du sætte flg.
> to i toppen
> af dit regelsæt:
>
> block in log all
> block out log all
>
> > # block garbage
> > block in log quick from any to any with ipopts
> > block in log quick proto tcp from any to any with short
>
> Disse regler ville jeg i første omgang slette.
>
> > # outbound traffic
> > pass out on fxp0 all head 100
>
> du vil nok have "pass out quick", så ricikerer du ikke at pakkerne
> bliver filtreret senere.

Okay, jeg tilføjer "quick" til reglerne. Jeg troede bare ikke, at det havde
nogen effekt på regler afsluttet med "head xx"...?

>
> > # inbound traffic
> > block in on fxp0 all head 200
>
> Igen: "block in quick on fxp0"
>
> Giv lidt mere information, ifconfig, hvad forsøger du at forbinde med
> (ssh formoder jeg) etc... har du prøvet at portscanne din maskine?

Nej, jeg har ikke portscannet min maskine. Her er output fra "ifconfig",
men jeg tror jeg arbejder videre med regelsættet imorgen, og tilføjer
nogle af reglerne fra dit regelsæt.

<none@root--tmp:1.lh.bsd-dk.dk># ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 130.225.156.24 netmask 0xffffffc0 broadcast 130.225.156.63
        inet6 fe80::202:a5ff:fef3:7090%fxp0 prefixlen 64 scopeid 0x1
        ether 00:02:a5:f3:70:90
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        ether 00:02:a5:f3:70:91
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4

>
> Mvh Erik
>
> Til inspiration, her er mit regelsæt, vr0 har ip 192.168.0.4:

Tak skal du have, jeg prøver at lave noget tilsvarende.

mvh Allan

Next message: Simon L. Nielsen: "Re: DMA limited to UDMA33"
Previous message: Gorm J. Siiger: "Re: DMA limited to UDMA33"
Maybe in reply to: Allan Wermuth: "Problem med IPFILTER"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:42 CET