IPFILTER firewall


Introduction

FreeBSD supports several firewalls. Historically, FreeBSD's firewall has been IpFirewall (ipfw), but it is on its way out because of the arrival and use of the firewall that came from OpenBSD (the old one; OpenBSD itself now uses PF).

IPFILTER is a firewall that is demanding, but also secure. It lets you control all traffic entering and leaving a network card.

Its advantage over other firewalls such as ipchains, ipfw ... is that IPFILTER supports NAT. To use IPFILTER we have to modify and correct several files. We go through them below, and you will see for yourself that there is nothing frightening about it...

Requirements

We will use 3COM 3c905 Boomerang network cards.

We give them the IPs 192.168.1.5 and 192.168.1.6 on xl0 and xl1, where xl1 is taken as the external card with the external IP, acting under SNAT as the external router.

Kernel compilation

You must add the following lines to your kernel configuration file.

options PFIL_HOOKS 
options IPFILTER 
options IPFILTER_LOG 
options IPFILTER_DEFAULT_BLOCK 

"options PFIL_HOOKS": if you do not add it, you will run into a problem when recompiling the kernel.
"options IPFILTER": we will use IPFILTER in our kernel.
"options IPFILTER_LOG": we use it to log incoming and outgoing packets.
"options IPFILTER_DEFAULT_BLOCK": everything is blocked by default.

Kernel recompilation commands

make buildkernel KERNCONF=/usr/src/sys/i386/conf/MOJKERNEL 
make installkernel KERNCONF=/usr/src/sys/i386/conf/MOJKERNEL 

System configuration

Add the following to the configuration file:

vi /etc/rc.conf 

-- 

ipfilter_enable="YES" 
ipfilter_flags="" 
ipfilter_program="/sbin/ipf" 
ipfilter_rules="/etc/ipf.rules" 

# monitoring 
ipmon_enable="YES" # IPFILTER logs
ipmon_flags="-Dsvn" 
#ipnat_enable="YES" # 

An example IPFILTER configuration

We put the ipfilter configuration in /etc/ipf.rules, which we create here:

vi /etc/ipf.rules 

-- 

# Allow everything on the loopback interface.
pass in quick on lo0 all 
pass out quick on lo0 all 

# Allow everything on the internal interface.
pass in quick on xl0 all 

# Allow all outgoing traffic.
pass out quick proto tcp all keep state 
pass out quick proto udp all keep state 

# Block all IP packets with IP options, including lsrr and ssrr (source routing).
block in quick all with ipopts 

# Block all fragmented packets.
block in quick all with frag 

# Block nmap OS fingerprinting probes (invalid TCP flag combinations).
block in quick on xl1 proto tcp all flags FUP
block in log quick on xl1 proto tcp from any to any flags SF/SFRA
block in log quick on xl1 proto tcp from any to any flags /SFRA
block in log quick on xl1 proto tcp all flags SF/SFRA
block in log quick on xl1 proto tcp all flags /SFRA
block in log quick on xl1 proto tcp all flags F/SFRA
block in log quick on xl1 proto tcp all flags U/SFRAU
block in log quick on xl1 proto tcp all flags P
block in log quick on xl1 proto tcp from any to any flags FUP
block in log quick on xl1 proto tcp from any to any port = 111

# Block non-routable source address blocks arriving on the external interface.
block in quick on xl1 from 255.255.255.255/32 to any 
# block in quick on xl1 from 192.168.0.0/16 to any 
block in quick on xl1 from 172.16.0.0/12 to any 
block in quick on xl1 from 127.0.0.0/8 to any 
block in quick on xl1 from 10.0.0.0/8 to any 
block in quick on xl1 from 0.0.0.0/32 to any 

# Block ICMP on the external interface; allow it on the internal one.
block in quick on xl1 proto icmp from any to any icmp-type 0 keep state 
block in quick on xl1 proto icmp from any to any icmp-type 3 keep state 
block in quick on xl1 proto icmp from any to any icmp-type 8 keep state 
block in quick on xl1 proto icmp from any to any icmp-type 11 keep state 
pass in quick on xl0 proto icmp from any to any icmp-type 0 keep state 
pass in quick on xl0 proto icmp from any to any icmp-type 3 keep state 
pass in quick on xl0 proto icmp from any to any icmp-type 8 keep state 
pass in quick on xl0 proto icmp from any to any icmp-type 11 keep state 
pass out quick on xl0 proto icmp from any to any icmp-type 0 keep state 
pass out quick on xl0 proto icmp from any to any icmp-type 3 keep state 
pass out quick on xl0 proto icmp from any to any icmp-type 8 keep state 
pass out quick on xl0 proto icmp from any to any icmp-type 11 keep state 

# Blacklist
block in quick on xl1 from 216.133.253.100 to any 
block out quick on xl1 from any to 216.133.253.100 

# Allow the required services.
pass in quick on xl1 proto tcp from any to any port = 22 keep state 
pass in quick on xl1 proto tcp from any to any port = 25 keep state 
pass in quick on xl1 proto tcp from any to any port = 21 keep state 
pass in quick on xl1 proto tcp from any to any port = 443 keep state 
pass in quick on xl1 proto tcp from any to any port = 80 keep state 

# Block everything else
block in quick on xl1 
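
As an added illustration (not part of the original page), the Python script below models how ipf walks a ruleset like the one above: rules are checked in order, the last match wins unless a matching rule is marked quick, and when nothing matches the verdict comes from the kernel default (block with IPFILTER_DEFAULT_BLOCK). The RULES string is a constructed subset of this page's rules and the packet dicts are constructed samples; the parser covers only the syntax that subset uses.

```python
import ipaddress
FLAGS = "FSRPAU"  # ipf's default mask when "flags X" is written without "/mask"
# Constructed subset of this page's /etc/ipf.rules, kept in the original order.
RULES = """
pass in quick on xl0 all
block in quick on xl1 proto tcp all flags FUP
block in quick on xl1 from 10.0.0.0/8 to any
pass in quick on xl1 proto tcp from any to any port = 22 keep state
block in quick on xl1
""".strip().splitlines()

def parse_rule(line):  # parses only the ipf.conf subset used by RULES
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": "any", "dst": "any", "port": None, "flags": None}
    i = 2
    while i < len(t):
        w = t[i]
        if w == "on": r["iface"] = t[i + 1]; i += 2
        elif w == "proto": r["proto"] = t[i + 1]; i += 2
        elif w == "from": r["src"], r["dst"] = t[i + 1], t[i + 3]; i += 4
        elif w == "port": r["port"] = int(t[i + 2]); i += 3  # "port = N"
        elif w == "flags":  # "S/SA": S set, A clear; "FUP": exactly F,U,P of FSRPAU
            want, _, mask = t[i + 1].partition("/")
            r["flags"] = (want, mask or FLAGS); i += 2
        else: i += 1  # all, log, keep, state, quick: nothing further to match on
    return r

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r, p):  # True when packet dict p satisfies every field rule r constrains
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]): return False
    if r["proto"] and r["proto"] != p["proto"]: return False
    if not (in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])): return False
    if r["port"] is not None and r["port"] != p.get("dport"): return False
    if r["flags"]:  # only the bits named in the mask are compared, as ipf does
        want, mask = r["flags"]
        if any((c in p.get("flags", "")) != (c in want) for c in mask): return False
    return True

def evaluate(packet, rules=RULES, default="block"):
    """Last matching rule wins, unless a matching 'quick' rule ends the search;
    default='block' models the IPFILTER_DEFAULT_BLOCK kernel option."""
    verdict = default
    for r in map(parse_rule, rules):
        if matches(r, packet):
            verdict = r["action"]
            if r["quick"]: break
    return verdict
```

Feeding a packet dict such as {"dir": "in", "iface": "xl1", "proto": "tcp", "src": "10.9.8.7", "dst": "192.168.1.6", "dport": 22, "flags": "S"} to evaluate() shows why rule order matters: the 10.0.0.0/8 block sits before the port 22 pass, so a spoofed private source never reaches the service rule.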

Commands

Starting the firewall:

root@machine[~]% ipf -Fa -f /etc/ipf.rules 

Checking the firewall:

root@machine[~]% ipfstat -hio 

Restarting the firewall:

root@machine[~]% /sbin/ipf -Fa -f /etc/ipf.rules 

'top'-style statistics:

root@machine[~]% /sbin/ipfstat -t 

IPFILTER version:

root@machine[~]% /sbin/ipf -V


Author: Problematican - Team 1o1.com

ipfilter_zastitni_zid.txt · Last modified: 2017/04/28 10:25 (external edit)