RE: Problem with IPFILTER

From: Allan Wermuth (none@alw--it-service.sdu.dk.lh.bsd-dk.dk)
Date: Wed 01 Sep 2004 - 08:29:04 CEST


To: <none@bsd-dk--bsd-dk.dk.lh.bsd-dk.dk>


> -----Original Message-----
> From: owner-bsd-dk@hobbes.bsd-dk.dk
> [mailto:owner-bsd-dk@hobbes.bsd-dk.dk] On Behalf Of Erik Norgaard
> Sent: Tuesday, August 31, 2004 1:50 PM
> To: bsd-dk@bsd-dk.dk
> Subject: Re: Problem with IPFILTER
> Regards, Erik
>
> For inspiration, here is my ruleset; vr0 has IP 192.168.0.4:
>
> # Default policy (these rules should never be matched!)
> block out log all
> block in log all
>
> # Interface #1: vr0 192.168.0.4/24
> block out log quick on vr0 all head 10
> block in log quick on vr0 all head 11
>
> # Main group: 10
> # Anti-spoofing on destination:
> block out quick from any to 0.0.0.0/8 group 10
> block out quick from any to 10.0.0.0/8 group 10
> block out quick from any to 14.0.0.0/8 group 10
> block out quick from any to 127.0.0.0/8 group 10
> block out quick from any to 169.254.0.0/16 group 10
> block out quick from any to 172.16.0.0/12 group 10
> block out quick from any to 192.0.2.0/24 group 10
> block out quick from any to 198.18.0.0/15 group 10
> block out quick from any to 224.0.0.0/4 group 10
> block out quick from any to 240.0.0.0/4 group 10
> # Anti-spoofing on source:
> block out quick from !192.168.0.0/24 to any group 10
>
> # Allow access to standard tcp services
> pass out quick proto tcp from 192.168.0.0/16 to any port < 1024 \
> flags S keep state group 10
> # cvsup
> pass out quick proto tcp from 192.168.0.0/16 to any port = 5999 \
> flags S keep state group 10
> # passive ftp client
> pass out quick proto tcp from 192.168.0.0/16 to any port > 49151 \
> flags S keep state group 10
> # Allow access to standard udp services
> pass out quick proto udp from 192.168.0.0/16 to any port < 1024 \
> keep state group 10
> # icmp: allow ping
> pass out quick proto icmp from 192.168.0.0/16 to any icmp-type 8 \
> keep state group 10
>
> # Main group 11
> # Anti spoofing:
> block in quick from 0.0.0.0/8 to any group 11
> block in quick from 10.0.0.0/8 to any group 11
> block in quick from 14.0.0.0/8 to any group 11
> block in quick from 127.0.0.0/8 to any group 11
> block in quick from 169.254.0.0/16 to any group 11
> block in quick from 172.16.0.0/12 to any group 11
> block in quick from 192.0.2.0/24 to any group 11
> block in quick from 198.18.0.0/15 to any group 11
> block in quick from 224.0.0.0/4 to any group 11
> block in quick from 240.0.0.0/4 to any group 11
> block in quick from any to !192.168.0.0/24 group 11
>
> # Inbound access to provided services
> pass in quick proto tcp from any to 192.168.0.0/24 port = 22 flags S \
> keep state group 11
> pass in quick proto tcp from any to 192.168.0.0/24 port = 25 flags S \
> keep state group 11
> pass in quick proto tcp from any to 192.168.0.0/24 port = 53 flags S \
> keep state group 11
> pass in quick proto tcp from any to 192.168.0.0/24 port = 80 flags S \
> keep state group 11
> pass in quick proto udp from any to 192.168.0.0/24 port = 53 \
> keep state group 11
>

When you use "keep state" together with UDP in your ruleset, isn't that a
mistake? UDP is stateless, isn't it?

Regards, Allan Wermuth
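The question above is about what "keep state" means for a protocol without connections. In ipfilter, a UDP state entry is a pseudo-connection: the filter records the source/destination address and port pair of the packet that matched the rule and, until that entry idles out, admits traffic in both directions for that pair. The practical effect is that DNS replies to outbound queries get in without a broad "pass in proto udp from any port = 53" rule. The following toy model is an added example written for this archive page, not code from the thread or from ipfilter; the ruleset is a simplified UDP subset of the one quoted above, the idle timeout of 60 seconds is an assumption, and the 198.51.100.x / 203.0.113.x addresses are constructed sample values.

```python
"""Toy model of ipfilter-style 'keep state' for UDP (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the firewall interface
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str
    proto: str
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Callable[[int], bool] = lambda p: True   # predicate on destination port
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.dport(pkt.dport))


class StateTable:
    """Entries keyed on (proto, src, sport, dst, dport); the reversed tuple also matches."""

    def __init__(self, idle_timeout: float = 60.0):   # assumption: seconds of idle time
        self.idle_timeout = idle_timeout
        self.entries: dict = {}

    @staticmethod
    def key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def add(self, pkt: Packet, now: float) -> None:
        self.entries[self.key(pkt)] = now

    def lookup(self, pkt: Packet, now: float) -> bool:
        # Expire entries that have been idle longer than the timeout.
        self.entries = {k: t for k, t in self.entries.items()
                        if now - t <= self.idle_timeout}
        fwd = self.key(pkt)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for k in (fwd, rev):
            if k in self.entries:
                self.entries[k] = now   # traffic on the pair refreshes the entry
                return True
        return False


def filter_packet(rules, state: StateTable, pkt: Packet, now: float):
    """Return (decision, reason): state table first, then first matching rule ('quick')."""
    if state.lookup(pkt, now):
        return ("pass", "state")
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "pass" and rule.keep_state:
                state.add(pkt, now)
            return (rule.action, "rule")
    return ("block", "default")   # default policy: block everything unmatched


# Simplified UDP subset of the quoted ruleset (constructed for this example).
RULES = [
    Rule("pass", "out", "udp", src_net="192.168.0.0/16",
         dport=lambda p: p < 1024, keep_state=True),
    Rule("pass", "in", "udp", dst_net="192.168.0.0/24",
         dport=lambda p: p == 53, keep_state=True),
]


def run_scenario(idle_timeout: float = 60.0) -> dict:
    """Outbound DNS query, its reply, an unrelated inbound packet, and a late reply."""
    state = StateTable(idle_timeout)
    # Constructed hosts: 192.168.0.10 on the LAN, 198.51.100.53 an external resolver.
    query = Packet("out", "udp", "192.168.0.10", 40000, "198.51.100.53", 53)
    reply = Packet("in", "udp", "198.51.100.53", 53, "192.168.0.10", 40000)
    unrelated = Packet("in", "udp", "203.0.113.7", 53, "192.168.0.10", 40000)
    results = {}
    results["query"] = filter_packet(RULES, state, query, now=0.0)
    results["reply"] = filter_packet(RULES, state, reply, now=1.0)
    results["unrelated"] = filter_packet(RULES, state, unrelated, now=1.0)
    results["late_reply"] = filter_packet(RULES, state, reply, now=1.0 + idle_timeout + 1)
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:10s} -> {decision}")
```

The reply is admitted only because the outbound query created a state entry; no inbound rule in the list would pass a packet to port 40000. The packet from 203.0.113.7 uses the same source port 53 but has no matching entry, so it falls through to the default block, which is the hole a stateless "allow anything from port 53" rule would leave open. Once the entry has idled out, even a genuine reply is blocked again.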



This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:43 CET