ipfilter_zastitni_zid [2017/04/28 10:25] (current)

====== Introduction ======

FreeBSD supports several firewalls. Historically, FreeBSD's firewall was IPFirewall, but it has been fading away since the arrival and adoption of the firewall from OpenBSD (the old one; OpenBSD itself now uses PF).

IPFILTER is one of the more demanding firewalls, but also a secure one. It is a firewall that lets you control all traffic entering and leaving a network card.

Its advantage over other firewalls such as ipchains, ipfw ... is that IPFILTER supports NAT. To use IPFILTER we have to modify and correct several files. We will go through them below, and you will see for yourself that none of it is scary...

====== Requirements ======

We will use 3COM 3c905 Boomerang network cards.

We assign them the IP addresses 192.168.1.5 and 192.168.1.6 on xl0 and xl1, where xl1 is taken as the external card and its external IP is used in SNAT as the outward-facing router address.

====== Kernel compilation ======

You must add the following lines to your kernel configuration file:

  options PFIL_HOOKS
  options IPFILTER
  options IPFILTER_LOG
  options IPFILTER_DEFAULT_BLOCK

''options PFIL_HOOKS'': if you do not add it you will run into a problem when recompiling the kernel.

''options IPFILTER'': we will use IPFILTER in our kernel.

''options IPFILTER_LOG'': we use it to log incoming and outgoing packets.

''options IPFILTER_DEFAULT_BLOCK'': block everything by default.

Commands to recompile the kernel:

  make buildkernel KERNCONF=/usr/src/sys/i386/conf/MOJKERNEL
  make installkernel KERNCONF=/usr/src/sys/i386/conf/MOJKERNEL

====== Distribution configuration ======

Add the following to the configuration file:

  vi /etc/rc.conf

  ipfilter_enable="YES"
  ipfilter_flags=""
  ipfilter_program="/sbin/ipf"
  ipfilter_rules="/etc/ipf.rules"
  # monitoring
  ipmon_enable="YES"   # IPFILTER logs
  ipmon_flags="-Dsvn"
  #ipnat_enable="YES"

====== Configuring an example IPFILTER setup ======

We put the ipfilter configuration in ''/etc/ipf.rules'', which we create here:

  vi /etc/ipf.rules

  # Allow everything on loopback.
  pass in quick on lo0 all
  pass out quick on lo0 all
  # Allow everything on the internal interface.
  pass in quick on xl0 all
  # Allow all outgoing traffic.
  pass out quick proto tcp all keep state
  pass out quick proto udp all keep state
  # Block all IP packets carrying IP options, including lsrr and ssrr (source routing).
  block in quick all with ipopts
  # Block all fragmented packets.
  block in quick all with frag
  # Block nmap OS fingerprinting probes (abnormal TCP flag combinations).
  block in quick on xl1 proto tcp all flags FUP
  block in log quick on xl1 proto tcp from any to any flags SF/SFRA
  block in log quick on xl1 proto tcp from any to any flags /SFRA
  block in log quick on xl1 proto tcp all flags SF/SFRA
  block in log quick on xl1 proto tcp all flags /SFRA
  block in log quick on xl1 proto tcp all flags F/SFRA
  block in log quick on xl1 proto tcp all flags U/SFRAU
  block in log quick on xl1 proto tcp all flags P
  block in log quick on xl1 proto tcp from any to any flags FUP
  block in log quick on xl1 proto tcp from any to any port = 111
  # Block unroutable source address ranges on the external interface.
  block in quick on xl1 from 255.255.255.255/32 to any
  # block in quick on xl1 from 192.168.0.0/16 to any
  block in quick on xl1 from 172.16.0.0/12 to any
  block in quick on xl1 from 127.0.0.0/8 to any
  block in quick on xl1 from 10.0.0.0/8 to any
  block in quick on xl1 from 0.0.0.0/32 to any
  # ICMP: block it on the external interface, allow it on the internal one.
  block in quick on xl1 proto icmp from any to any icmp-type 0 keep state
  block in quick on xl1 proto icmp from any to any icmp-type 3 keep state
  block in quick on xl1 proto icmp from any to any icmp-type 8 keep state
  block in quick on xl1 proto icmp from any to any icmp-type 11 keep state
  pass in quick on xl0 proto icmp from any to any icmp-type 0 keep state
  pass in quick on xl0 proto icmp from any to any icmp-type 3 keep state
  pass in quick on xl0 proto icmp from any to any icmp-type 8 keep state
  pass in quick on xl0 proto icmp from any to any icmp-type 11 keep state
  pass out quick on xl0 proto icmp from any to any icmp-type 0 keep state
  pass out quick on xl0 proto icmp from any to any icmp-type 3 keep state
  pass out quick on xl0 proto icmp from any to any icmp-type 8 keep state
  pass out quick on xl0 proto icmp from any to any icmp-type 11 keep state
  # Blacklist
  block in quick on xl1 from 216.133.253.100 to any
  block out quick on xl1 from any to 216.133.253.100
  # Allow the required services.
  pass in quick on xl1 proto tcp from any to any port = 22 keep state
  pass in quick on xl1 proto tcp from any to any port = 25 keep state
  pass in quick on xl1 proto tcp from any to any port = 21 keep state
  pass in quick on xl1 proto tcp from any to any port = 443 keep state
  pass in quick on xl1 proto tcp from any to any port = 80 keep state
  # Block everything else.
  block in quick on xl1
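As an added example (not part of the original page), here is a small Python evaluator for the rule syntax used above: it parses a constructed excerpt of the ipf.rules file and applies ipf's first-matching-''quick''-rule semantics with a block default, showing why the bogon block must come before the service passes and the catch-all last. The rule excerpt, the packet dictionaries and the helper names are the example's own assumptions.

```python
import ipaddress

# Constructed subset of the page's /etc/ipf.rules; order matters since the first matching 'quick' rule wins.
RULES_TEXT = """
pass in quick on xl0 all
block in quick all with ipopts
block in log quick on xl1 proto tcp all flags SF/SFRA
block in quick on xl1 from 10.0.0.0/8 to any
pass in quick on xl1 proto tcp from any to any port = 22 keep state
block in quick on xl1
"""
KEYS = {"on": "on", "proto": "proto", "from": "src", "to": "dst", "flags": "flags", "with": "with"}
def parse_rule(line):
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "log": "log" in t, "on": None,
         "proto": None, "src": "any", "dst": "any", "port": None, "flags": None, "with": None}
    i = 2
    while i < len(t):
        if t[i] in KEYS:
            r[KEYS[t[i]]] = t[i + 1]; i += 2
        elif t[i] == "port":            # only the 'port = N' form used on the page
            r["port"] = int(t[i + 2]); i += 3
        else:                           # all, quick, log, keep, state
            i += 1
    return r
def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def flags_match(spec, pkt_flags):        # 'S/SA': S set, A clear, other flags ignored
    want, _, mask = spec.partition("/")
    mask = mask or "FSRPAU"              # ipf documents a bare 'flags S' as 'S/FSRPAU'
    return all((f in want) == (f in pkt_flags) for f in mask)
def matches(r, p):
    return (r["dir"] == p["dir"] and r["on"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and r["port"] in (None, p.get("dport"))
            and (r["flags"] is None or flags_match(r["flags"], p.get("flags", "")))
            and (r["with"] is None or r["with"] in p.get("with", ())))
def evaluate(rules, p, default="block"):  # default mirrors IPFILTER_DEFAULT_BLOCK
    verdict, log = default, False         # returns (verdict, logged)
    for r in rules:
        if matches(r, p):
            verdict, log = r["action"], r["log"]
            if r["quick"]:                # first 'quick' match wins, otherwise the last match
                break
    return verdict, log
RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
def pkt(iface, src, dst, proto="tcp", dport=None, flags="S", opts=(), direction="in"):  # constructed packet
    return {"iface": iface, "src": src, "dst": dst, "proto": proto, "dport": dport,
            "flags": flags, "with": opts, "dir": direction}
```

Feeding a SYN to port 22 from a 10/8 source returns ''block'' even though a later rule passes port 22, which is exactly the ordering the full rule set above relies on.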

====== Commands ======

Starting the firewall:

  root@machine[~]% ipf -Fa -f /etc/ipf.rules

Checking the firewall:

  root@machine[~]% ipfstat -hio

Restarting the firewall:

  root@machine[~]% /sbin/ipf -Fa -f /etc/ipf.rules

'top'-style statistics:

  root@machine[~]% /sbin/ipfstat -t

IPFILTER version:

  root@machine[~]% /sbin/ipf -V

Author: Problematican - Tim 1o1.com
ipfilter_zastitni_zid.txt · Last modified: 2017/04/28 10:25 (external edit)