
One which allows outbound traffic as long as it's going to port 80
(HTTP). The second allows outbound traffic as long as it's going to port
25 (SMTP), and so on. Add as many rules as you need to define the outbound
traffic that you're allowing. Then, add a rule before all of these that
blocks all outbound traffic to broadcast addresses (i.e. anything that
ends in 255, like x.x.x.255). And you'd add another rule that blocks
all outbound traffic if the source address isn't on the 192.168.1.0
network or the IP address of your ed0 interface (the one that's connected
to your ISP). So, you'd be blocking all packets that aren't coming from
your network or your own system. In other words, you know that your users
will only need to go out to web sites, send mail, etc. They'll never
need to send broadcast packets out to the Internet, and they had better
not be spoofing their source IP address.

This is only a sample of what egress filtering is all about. Good (read as
"restrictive") egress filtering can be quite complex, but it is in the best
interest of the Internet because it doesn't allow your box (in the
off chance that it does get hacked) to be used maliciously for things like
"smurf" attacks and other broadcast amplification attacks (where your
system sends broadcast packets to a target network to get as many systems
to respond as possible, which eats up their bandwidth). In addition, it
lets you know if you have any systems on the inside of your network that
are trying to access the Internet over unauthorized protocols and services
(read as "misbehaving users...").
And as a final note, since we're using IPFILTER's stateful packet
inspection abilities, we don't need to reject traffic spoofing
non-routable or reserved addresses: it will be blocked automatically,
since it doesn't match a corresponding packet in the state table. If you
do allow certain services into your firewall (say, SSH access from the
Internet so that you can manage the firewall remotely), then you'll have
to add these filters in. To do so, block all incoming traffic on your ed0
interface that claims to have a source IP address of 192.168.0.0/16,
10.0.0.0/8, or any of the other reserved addresses.
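The outside-interface section that the paragraphs above describe, written out as a complete egress-filtered and anti-spoofing ruleset. This is an added example, not the ruleset the page gives as its starting point below. It assumes a hypothetical inside network of 192.168.1.0/24 and a hypothetical static address of 203.0.113.10 on ed0 (RFC 5737 documentation range); with a DHCP-assigned ISP address you would substitute whatever ed0 was given. It also assumes the users need DNS and outbound ping in addition to the mail, POP3 and HTTP services the page names. Because every rule is `quick`, IPFILTER stops at the first match, so the broadcast block sits before the pass rules and the reserved-address blocks sit before the inbound SSH rule.

```conf
#################################################################
# Outside Interface (ed0): egress-filtered version (added example)
#################################################################
# Assumed (hypothetical) addresses:
#   inside network      192.168.1.0/24
#   ed0 (ISP side)      203.0.113.10   (RFC 5737 documentation range)
#
# All rules are 'quick', so the first matching rule decides a packet.
#----------------------------------------------------------------
# 1. Nothing leaves toward a broadcast address. The limited broadcast
#    and our own network's directed broadcast are listed; add one line
#    per additional network you route for.
block out log quick on ed0 from any to 255.255.255.255/32
block out log quick on ed0 from any to 192.168.1.255/32
#
# 2. Egress filtering and anti-spoofing in one step: each pass rule
#    names the source it applies to (our LAN, or the firewall's own
#    address), so a packet with any other source never matches a
#    pass rule and falls through to the final 'block out'.
pass out quick on ed0 proto tcp from 192.168.1.0/24 to any port = 25 flags S keep state   # smtp
pass out quick on ed0 proto tcp from 192.168.1.0/24 to any port = 110 flags S keep state  # pop3
pass out quick on ed0 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state   # http
pass out quick on ed0 proto udp from 192.168.1.0/24 to any port = 53 keep state           # dns (assumed need)
pass out quick on ed0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state        # ping (assumed need)
# The firewall itself only needs name resolution.
pass out quick on ed0 proto udp from 203.0.113.10/32 to any port = 53 keep state          # dns
#
# 3. Everything else going out (unknown ports, broadcasts that slipped
#    past step 1, spoofed sources) is logged and dropped. The log is
#    where misbehaving inside hosts show up.
block out log quick on ed0 all
#----------------------------------------------------------------
# Inbound: reserved and non-routable sources first, then the one
# service exposed for remote management, then deny the rest. Return
# traffic for the sessions passed above is admitted by 'keep state'
# before these rules are consulted.
#----------------------------------------------------------------
block in log quick on ed0 from 192.168.0.0/16 to any     # RFC 1918 private IP
block in log quick on ed0 from 172.16.0.0/12 to any      # RFC 1918 private IP
block in log quick on ed0 from 10.0.0.0/8 to any         # RFC 1918 private IP
block in log quick on ed0 from 127.0.0.0/8 to any        # loopback
block in log quick on ed0 from 169.254.0.0/16 to any     # link-local / DHCP auto-config
pass in log quick on ed0 proto tcp from any to 203.0.113.10/32 port = 22 flags S keep state  # ssh management
block in log quick on ed0 all
```

If the SSH rule were placed above the reserved-address blocks, a packet with a forged 10.0.0.0/8 source aimed at port 22 would match the pass rule first and create a state entry, which is exactly what the paragraph above warns against; keeping the blocks first is what makes them effective.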
Use the IPFILTER ruleset below as a starting point. After you have everything
running, add in whatever you want (egress filtering, protection from
non-routable addresses, IP spoofing protection, etc.) to complete the
job. This is only a starting point.
Note: Remember to modify the bold red text (below) so that it matches the
IP address of your ISP's DHCP server.
#################################################################
# Outside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
# pass out quick on ed0 proto tcp from any to any port = 25 keep state
# pass out quick on ed0 proto tcp from any to any port = 110 keep state
# pass out quick on ed0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on ed0 proto tcp from any to any keep state
pass out quick on ed0 proto udp from any to any keep state
pass out quick on ed0 proto icmp from any to any keep state
block out quick on ed0 all
#---------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#---------------------------------------------------------------------
block in log quick on ed0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in log quick on ed0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in log quick on ed0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in log quick on ed0 from 127.0.0.0/8 to any       #loopback
block in log quick on ed0 from 0.0.0.0/8 to any         #unspecified / "this" network (RFC 1122)
block in log quick on ed0 from 169.254.0.0/16 to any    #DHCP auto-config
block in log quick on ed0 from 192.0.2.0/24 to any      #reserved for doc's
block in log quick on ed0 from 204.152.64.0/23 to any   #Sun
