● IP firewall RULES,自己写的，大家帮忙看看 - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: Chair (银发：黄天不负), 信区: Linux
标  题: IP firewall RULES,自己写的，大家帮忙看看
发信站: BBS 荔园晨风站 (Thu Sep 21 16:21:03 2000), 站内信件

   花了3天去研究，发现别人发表的绝对不是最好的 :-( ，没办法，只好
自己写了一个。防SCAN能力和BBS主机差不多，除了RFC之外所有我知道的
SCAN都不能成功，现在贴出来大家看看，师兄帮忙看看有什么漏了的 , :-）
只开了PROXY，SSH，TELNET， IP为192.168.168.1，做了MAP
外部MAP IP为202.104.119.102 port : 23,8080,1978

# The following routes should be configured, if not already:
#
#
block in quick all with ipopts
block in quick proto tcp all with short

block out on fxp0 all head 150
block out quick from 127.0.0.0/8 to any group 150
block out quick from any to 127.0.0.0/8 group 150

block in on fxp0 all head 100
block in quick from 127.0.0.0/8 to any group 100

############  IP-Spoofing  ###########
pass in quick on lo0 from 127.0.0.1/8 to 127.0.0.1/8
pass out quick on lo0 from 127.0.0.1/8 to 127.0.0.1/8
block out quick from 127.0.0.1/8 to any group 150
block out quick  from any to 127.0.0.1/8 group 150
block in quick from 127.0.0.1/8 to any group 100
block in quick from any to 127.0.0.1/8 group 100
block in quick from 10.0.0.0/8 to any group 100
block in quick from any to 10.0.0.0/8 group 100
block in quick from 172.16.0.0/16 to any group 100
block in quick from any to 172.16.0.0/16 group 100

############  IP-options  ############
block in quick all with ipopts
block in quick all with opt lsrr,ssrr

#############IP-short#############
block in quick all with shortblock
block in quick all with fragment
############GRONP SETUP###########
#block in on fxp0 all head 100
#block out on fxp0 all head 150

#############ICMP#################
#block out proto icmp all icmp-type unreach
#block in proto icmp all icmp-type echo
#block in proto icmp all icmp-type echorep
block in quick proto icmp all
#block out quick proto icmp all

## -- Setup DNS --##
pass out quick proto tcp/udp from any to any port = 53 keep state group 150
pass in quick proto tcp/udp from any port = 53 to any keep state group 100
pass out quick proto tcp from any to any port = 80 keep state group 150
## -- telnet --#
pass in quick proto tcp from any to 192.168.168.1 port = 23 flags S/SA keep
state group 100
#block in quick proto tcp from any to 192.168.168.1 port = 23 flags S/S
group 100
pass in quick proto tcp from any to 192.168.168.1 port = 8080 flags S/SA
keep state group 100
pass in quick proto tcp from any to 192.168.168.1 port >= 1024 flags S/SA
keep state group 100

## -- deny the SYN ATTACK -- ##

#block in quick proto tcp from any to any flags S/SA

     关键的rule就在下面，大家自己看一下找出来就明白的了
#### --  just for testing, forget it -- ###
#pass in proto tcp from any to any port = 23 keep state group 100
#pass in proto tcp from any to any port = 21
#pass out proto tcp from any port = 21  to any
#pass out proto tcp from any port = 20 to any
#pass in proto tcp from any port = 20 to any
pass in proto tcp from any to any flags A/A
pass out proto tcp from any to any flags A/A
#block in quick proto tcp from any to any flags S/SA

#block in proto udp all
#block in proto tcp all
#pass out proto tcp from any port = 23 to any keep state

#block in proto tcp from any to any port < 23
#block in proto tcp from any to any port 23 >< 1024

block out proto tcp from any port < 23  to any
block out proto tcp from any port 23 >< 1024 to any
#block return-icmp in proto tcp from any to any port < 23
#block return-icmp in proto tcp from any to any port 23 >< 1024
#block return-rst in proto tcp from any to any port < 23
#block return-rst in proto tcp from any to any port 23 >< 1024
#block in quick from any to any flags S/SA
#block in proto tcp from any to 192.168.0.0/16 port != 23 flags S/SA
#block out proto tcp from 192.168.0.0/16 port != 23 to any flags SA/SA

#block out proto tcp from any to any port != 23  flags S/S
#block out proto tcp from any port != 23 to 192.168.0.0/16 flags SA/SA

--
☆ 来源:．BBS 荔园晨风站 bbs.szu.edu.cn．[FROM: bbs@202.104.119.102]
※ 修改:·Chair 於 Sep 21 16:30:33 修改本文·[FROM: bbs.szptt.net.cn]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店