shagwell (Beginner)
01 June 2003 - 19:30 There is 1 solution

IPFW help!

I can't get onto the internet. I can ping 10.0.0.2 and 192.168.0.1, so I think it's a DNS or ICMP problem. Here are my config files :) I've more or less given up, so any help is welcome:

################################################################
# RC.CONF INFORMATION:
################################################################

firewall_enable="YES"
kern_securelevel_enable="YES"
linux_enable="YES"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="YES"
keymap="danish.cp865"
gateway_enable="YES"
hostname="webserver"
ifconfig_fxp0="inet 10.0.0.2  netmask 255.255.255.0"
defaultrouter="10.0.0.1"
ifconfig_xl0="inet 192.168.0.1  netmask 255.255.255.0"

################################################################
# RC.FIREWALL INFORMATION
################################################################

# Set these to your outside interface network and netmask and ip.
oif="fxp0"
onet="10.0.0.0"
omask="255.255.255.0"
oip="10.0.0.2"

# Set these to your inside interface network and netmask and ip.
iif="xl0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

fwcmd="ipfw"

# Stop spoofing
${fwcmd} add deny log all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny log all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny log all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny log all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
                ${fwcmd} add divert natd all from any to any via ${natd_interface}
        fi
        ;;
esac

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}

# Allow anything on the internal net
${fwcmd} add allow all from any to any via ${iif}

# Allow anything outbound from this net.
${fwcmd} add allow all from ${onet}:${omask} to any out via ${oif}

# Deny anything outbound from other nets.
${fwcmd} add deny log all from any to any out via ${oif}

# Allow TCP through if setup succeeded.
${fwcmd} add allow tcp from any to any established

# Allow IP fragments to pass through.
${fwcmd} add allow all from any to any frag

# Allow inbound ftp, ssh, email, tcp-dns, http, https, pop3, pop3s.
${fwcmd} add allow tcp from any to ${oip} 21 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 22 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 25 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 53 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 80 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 443 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 110 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 995 setup in via ${oif}

# Deny inbound auth, netbios, ldap, and Microsoft's DB protocol
# without logging.
${fwcmd} add deny tcp from any to ${oip} 113 setup in via ${oif}
${fwcmd} add deny tcp from any to ${oip} 139 setup in via ${oif}
${fwcmd} add deny tcp from any to ${oip} 389 setup in via ${oif}
${fwcmd} add deny tcp from any to ${oip} 445 setup in via ${oif}

# Deny some chatty UDP broadcast protocols without logging.
${fwcmd} add deny udp from any 137 to any in via ${oif}
${fwcmd} add deny udp from any to any 137 in via ${oif}
${fwcmd} add deny udp from any 138 to any in via ${oif}
${fwcmd} add deny udp from any 513 to any in via ${oif}
${fwcmd} add deny udp from any 525 to any in via ${oif}

# Allow inbound DNS and NTP replies.  This is somewhat of a hole,
# since we're looking at the incoming port number, which can be
# faked, but that's just the way DNS and NTP work.
${fwcmd} add allow udp from any 53 to ${oip} in via ${oif}
${fwcmd} add allow udp from any 123 to ${oip} in via ${oif}

# Allow inbound DNS queries.
${fwcmd} add allow udp from any to ${oip} 53 in via ${oif}

# Deny inbound NTP queries without logging.
${fwcmd} add deny udp from any to ${oip} 123 in via ${oif}

# Allow traceroute to function, but not to get in.
${fwcmd} add unreach port udp from any to ${oip} 33435-33524 in via ${oif}

# Allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
${fwcmd} add allow icmp from any to any in via ${oif} icmptypes 0,3,4,8,11

# Broadcasts are denied and not logged.
${fwcmd} add deny all from any to 255.255.255.255

# Everything else is denied and logged.
${fwcmd} add deny log all from any to any
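ipfw applies the first rule that matches, so the ruleset above can be replayed by hand. The script below is an added example, not part of the original post: it walks a few constructed packets through a subset of the posted rules with the variables substituted (the client address 192.168.0.10 and the external DNS server 203.0.113.5 are assumed). Note that the outside interface fxp0 sits in 10.0.0.0/24, which is one of the networks the "Stop RFC1918 nets on the outside interface" rules match, and that rc.conf sets no natd_enable, so the divert rule in the case block is never installed.

```python
import ipaddress

# Posted rc.firewall subset, variables substituted (constructed; 172.16/12, TCP and frag rules omitted)
RULES = """
deny log all from 192.168.0.0/24 to any in via fxp0
deny log all from 10.0.0.0/24 to any in via xl0
deny log all from any to 10.0.0.0/8 via fxp0
deny log all from any to 192.168.0.0/16 via fxp0
deny log all from 10.0.0.0/8 to any via fxp0
deny log all from 192.168.0.0/16 to any via fxp0
allow all from any to any via xl0
allow all from 10.0.0.0/24 to any out via fxp0
deny log all from any to any
""".strip().splitlines()

def parse(rule):
    # Grammar subset: action [log] proto from src [port] to dst [port] [in|out] [via iface]
    action, proto, _, src, *t = [w for w in rule.split() if w != "log"]  # log is not a match criterion
    sport = int(t.pop(0)) if t[0].isdigit() else None
    _, dst = t.pop(0), t.pop(0)
    dport = int(t.pop(0)) if t and t[0].isdigit() else None
    direction = t.pop(0) if t and t[0] in ("in", "out") else None
    iface = t[1] if t[:1] == ["via"] else None
    return action, proto, src, sport, dst, dport, direction, iface

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def first_match(pkt):
    # pkt = (proto, src, sport, dst, dport, direction, iface); returns (rule number, action)
    proto, src, sport, dst, dport, direction, iface = pkt
    for n, r in enumerate(map(parse, RULES), 1):
        if (r[1] in ("all", proto) and in_net(r[2], src) and in_net(r[4], dst)
                and r[3] in (None, sport) and r[5] in (None, dport)
                and r[6] in (None, direction) and r[7] in (None, iface)):
            return n, r[0]
    return 65535, "deny"  # kernel default rule (deny unless built to accept)

# Constructed packets: 192.168.0.10 is a LAN client, 203.0.113.5 an Internet DNS server.
CASES = {
    "LAN client pings the gateway": ("icmp", "192.168.0.10", None, "10.0.0.2", None, "in", "xl0"),
    "LAN client DNS query leaving fxp0": ("udp", "192.168.0.10", 1025, "203.0.113.5", 53, "out", "fxp0"),
    "gateway's own DNS query leaving fxp0": ("udp", "10.0.0.2", 1025, "203.0.113.5", 53, "out", "fxp0"),
    "gateway pings its upstream router": ("icmp", "10.0.0.2", None, "10.0.0.1", None, "out", "fxp0"),
}

if __name__ == "__main__":
    for name, p in CASES.items():
        n, action = first_match(p)
        print(f"{name}: rule {n} {action}: {RULES[n - 1]}")
```

Only the ping to the gateway's own address survives; every packet that has to cross fxp0 is dropped by one of the 10.0.0.0/8 or 192.168.0.0/16 deny rules before the later allow rule for 10.0.0.0/24 is reached.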
shagwell (Beginner)
02 June 2003 - 11:07 #1
Closed, and re-created under a different heading.