Linux-Bulgaria.ORG
навигация

 

начало

пощенски списък

архив на групата

семинари ...

документи

как да ...

 

 

Предишно писмо Следващо писмо Предишно по тема Следващо по тема По Дата По тема (thread)

Re:lug-bg:zashtita


  • Subject: Re:lug-bg:zashtita
  • From: vlk@xxxxxxxxxxx (Vesselin Kolev)
  • Date: Wed, 26 Sep 2001 17:05:15 +0300



Parvo ne filtruvai samo echo-request. Edinstvenoto, koeto shte
pusnesh ot ICMP - tipovete sa echo-reply, destination-unreachible
i time exceeded:

ipchains -A input -i ppp0 -p 1 -s 0/0 0:0 -j ACCEPT
ipchains -A input -i ppp0 -p 1 -s 0/0 3:3 -j ACCEPT
ipchains -A input -i ppp0 -p 1 -s 0/0 11:11 -j ACCEPT
ipchains -A input -i ppp0 -p 1 -s 0/0 -l -j DENY

led tova si zashtitavash DNS-a, kato ne davash na nikoi ot
interface ppp0 da dava zaiavki, da transferira zoni i t.n. Predpolaga
se, che ne darzhish pri sebe si zona, t.e. imash caching-only 
DNS-server:

ipchains -A input -i ppp0 -p 6 -s 0/0 -d TVOIA_IP_ADDRESS 53:53 -j DENY
(tozi parvia red ne e nuzhen, ako po-natatak blokirash idbvashtite zaiavki
kam mashinata si).
ipchains -A input -i ppp0 -p 17 -s 0/0 -d TVOIA_IP_ADDRESS 53:53 -j DENY

Ako niamsh niakakvi services, koito da iksat zaiavki otvan zablokirai
SYN-paketite za da ne se priemat zaiavki i si govov v nai-obshti linii.
Nakraia pishesh :

ipchains -A input -i ppp0 -p 6 -s 0/0 -y -j DENY

Razbira se ima i po-finni i slozhni nastroiki. No vsiaka ot tiah
zapochva sas scanirane na portovete s nmap, primerno, za
da se vidi kakvo e otvoreno i kakvo ne i t.n.. Osven tova mislia,
che po-dobri rezultati shte postignesh s IPTABLES.

Shto se kasae do TOS-bitovete, ima opisano podrobno koe za
kakvo se polzva v LINUX NAG.

   Vesselin
   
On Wednesday 26 September 2001 16:26, you wrote:
> Imam si edno server v edna zala s 3 PC-ta mnoo moshti athlon
> no nemi e tva problema.
> Iskam da pitam kak da si izgradq ili da si napisha firewall
>  za linux stava vypros neshto kato anti DNS-spoofing
> IP-spoofing zabrana na ping
> ipchains -A input -l -i ppp0 -p icmp -s 0.0.0.0/0 echo-request -j DENY
> i iskam da pitam tiq parametri za kvo she mi pomognat
> ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
> ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
> ipchains -A output -p tcp -d 0.0.0.0/0 ftp-data -t 0x01 0x10
> ===========================================================================
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
> http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora



 

наши приятели

 

линукс за българи
http://linux-bg.org

FSA-BG
http://fsa-bg.org

OpenFest
http://openfest.org

FreeBSD BG
http://bg-freebsd.org

KDE-BG
http://kde.fsa-bg.org/

Gnome-BG
http://gnome.cult.bg/

проект OpenFMI
http://openfmi.net

NetField Forum
http://netField.ludost.net/forum/

 

 

Linux-Bulgaria.ORG

Mailing list messages are © Copyright their authors.