FreeBSD Bugzilla – Attachment 123194 Details for Bug 166482: Chapter about IPFW in Russian handbook (27.6)
file.txt (text/plain), 50.35 KB, created by Vladimir on 2012-03-29 09:50:09 UTC
Flags: patch, obsolete
>31.6 IPFW
>
>IPFIREWALL (IPFW) is a firewall developed, funded and maintained by the FreeBSD association. It uses stateless rules and a legacy rule coding technique to achieve what is called simple stateful logic (on first reading it is best not to dwell on the term "stateful", since the material needed to fully understand the term is given later).
>
>An example of the simplest IPFW rules (found in /etc/rc.firewall and /etc/rc.firewall6) is included in the standard distribution and is not expected to be used as-is without modification.
>
>The IPFW stateless rule syntax provides advanced selection capabilities that go far beyond the knowledge level of the ordinary firewall user. IPFW is chosen by professional users or advanced computer hobbyists who have demanding packet selection requirements. In-depth knowledge of how the different protocols use and form their unique headers is required to use the capabilities of IPFW to the full. A more detailed explanation is outside the scope of this section of the Handbook.
>
>IPFW consists of seven components; the main component is the kernel-level filter rule processor, which includes: packet accounting, logging of packet information to a log file, divert rules, through which the NAT function is activated, and other special-purpose facilities such as the traffic bandwidth limiter (dummynet), the fwd rule forwarding facility, the bridging facility and the ipstealth anti-traceroute facility. IPFW supports both IPv4 and IPv6.
>
>31.6.1 Enabling IPFW
>
>IPFW is included in the FreeBSD base system as a separate loadable module. The system loads the kernel module dynamically when the line firewall_enable="YES" is enabled in rc.conf.
>
>After your system is rebooted with firewall_enable="YES" in rc.conf, the following message is displayed in white on the screen as part of the operating system boot process:
>
>ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled
>
>The loadable module is compiled with support for logging traffic information to a log file. To enable logging of traffic information and set the level of detail of the logged information, you can use the facilities provided by the /etc/sysctl.conf configuration file. Adding the following two lines to /etc/sysctl.conf activates logging on subsequent boots of the system:
>
>net.inet.ip.fw.verbose=1
>net.inet.ip.fw.verbose_limit=5
>
>31.6.2 Kernel options
>
>There is no need to write this option into the configuration file used for a subsequent kernel build until NAT functionality is required.
>These options are given here as a reference for the later examples.
>
>options IPFIREWALL
>
>This option tells the compiler to include IPFW as part of the kernel (not as a loadable module).
>
>options IPFIREWALL_VERBOSE
>
>This option enables logging of information about packets that pass through IPFW by rules containing the log keyword.
>
>options IPFIREWALL_VERBOSE_LIMIT=5
>
>Limits the number of packets logged to syslogd(8), counting from the first one. This option can be used in a hostile environment where firewall activity still needs to be tracked. It prevents an attacker from causing a denial of service through syslogd.
>
>options IPFIREWALL_DEFAULT_TO_ACCEPT
>
>This option tells the compiler to enable an allow-by-default policy for IPFW. This is convenient during the first attempts at configuring IPFW.
>
>options IPDIVERT
>
>This option passes packets up to the application processing level, including the NAT functionality.
>
>Note: the firewall will block all incoming and outgoing packets if the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option is present or there is no rule explicitly allowing those connections.
>
>31.6.3 /etc/rc.conf options
>
>Enabling the firewall:
>
>firewall_enable="YES"
>
>To select one of the standard firewall types shipped with FreeBSD, find the most suitable one in /etc/rc.firewall and write it in as shown below:
>
>firewall_type="open"
>
>The available values for this option:
>
>open -- passes all traffic.
>
>client -- protects only this machine.
>
>simple -- protects the whole network.
>
>closed -- completely disables IP traffic except on the loopback interface.
>
>UNKNOWN -- disables loading of the firewall rules.
>
>filename -- absolute path of a file containing the firewall rules.
>
>There are two ways to load custom rules for the ipfw firewall. The first is to set the firewall_type variable to the absolute path of a file containing the ipfw firewall rules without the common ipfw command prefix. Below is a simple example of a rules file that blocks all incoming and outgoing traffic:
>
>add deny in
>add deny out
>
>The second is to set the firewall_script variable to the absolute path of an executable script containing the ipfw commands, which is run during operating system boot. The rules in the executable script must follow the format of the rules file below:
>
>#!/bin/sh
>
>ipfw -q flush
>
>ipfw add deny in
>ipfw add deny out
>
>Note: If the firewall_type variable is set to client or simple, the default rules in /etc/rc.firewall must be adjusted to the configuration of this machine. Keep in mind that in the examples in this chapter the firewall_script variable is set to /etc/ipfw.rules.
>
>Enabling logging:
>firewall_logging="YES"
>
>Warning: The only thing the firewall_logging option does is set the net.inet.ip.fw.verbose variable to 1 in the sysctl configuration (see section 31.6.1). There is no rc.conf variable for limiting the logging, but it can be set through the sysctl variable by hand or through the /etc/sysctl.conf configuration file:
>
>net.inet.ip.fw.verbose_limit=5
>
>If your machine acts as a gateway, i.e. performs network address translation (NAT) with natd, it makes sense to go straight to section 32.10 for details on the /etc/rc.conf options.
>
>31.6.4 The IPFW command
>
>The ipfw executable is a universal mechanism for manually adding and removing rules while the firewall is active. The main problem with this method is that when the operating system reboots, all the changes made with this command are lost. Instead of this method, it is recommended to write all your rules into a file from which the rules are read during operating system boot or when the ipfw daemon is restarted.
>
>Nevertheless, the ipfw command is useful when you need to display the current rule configuration.
>The IPFW accounting module keeps a counter for each rule that counts the number of packets matching the rule's conditions. While testing rules, printing the statistics for the list of loaded rules is one way to check whether or not a rule fires when a packet passes through it.
>
>Print the full list of rules:
>
># ipfw list
>
>Print the full list of rules with a timestamp of when each rule last fired:
>
># ipfw -t list
>
>This command prints the accounting information in the following form:
>- the first column is the rule number,
>- the second column is the number of outgoing packets that fired the rule,
>- the third column is the number of matching incoming packets,
>- the fourth column is the rule itself.
>
># ipfw -a list
>
>Print the dynamic rules together with the static ones.
>
># ipfw -d list
>
>Show the static and dynamic rules, including expired ones:
>
># ipfw -d -e list
>
>Zero the counters:
>
># ipfw zero
>
>Zero the counter only for rule number NUM:
>
># ipfw zero NUM
>
>31.6.5 IPFW rules
>
>A rule set is a set of rules that lets you allow or deny, in any way you choose, the passage of a packet through the firewall, based on the values of key fields in the packet. A bidirectional exchange of packets between machines is a session. The firewall uses the rule set to process packets arriving from the public network as well as packets leaving the system for the public network. Every TCP/IP service (i.e. telnet, www, mail, etc.) belongs to a particular protocol and a privileged (listening) port. Packets addressed to a particular service originate from an unprivileged port (number above 1024) and are sent to the service's privileged port at the destination address. All of these parameters (i.e. ports and addresses) can be used as selection criteria to create rules that pass or block services.
>
>When a packet enters the firewall, it is checked against the match condition of the first rule in the list, and so on, moving from top to bottom in increasing rule number order. When the packet matches the given parameters, the action described in the rule is performed and the rule search ends there. This search method is called "first match wins". If the packet contents match none of the rules' conditions, it falls to the built-in default rule, number 65535, which denies the packet and discards it without any response to the source of the request.
>
>Note: The search continues after rules that use the keywords count, skipto and tee.
>
>The instructions in the examples in this Handbook are based on rules using the stateful keywords keep-state, limit, in, out and via. These keywords are the basis for coding a closed-type firewall.
>
>Warning: Be careful when working with the firewall rule set, as you may end up locking yourself out.
>
>31.6.5.1 Rule syntax.
>
>The rule syntax presented here has been simplified for creating a standard closed-type firewall rule set. For the complete rule syntax, see the ipfw(8) manual page.
>
>Rules contain keywords: these keywords are written in a fixed linear order from left to right. In this Handbook the keywords are set in bold. Some keywords have additional parameters, which may themselves be keywords and may also contain nested sub-options.
>
>The "#" sign marks the start of a comment and may be placed at the end of a rule line or at the start of a line below the rule. Blank lines are ignored by the interpreter.
>
>CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL
>
>31.6.5.1.1 CMD
>
>Every new rule starts with the keyword add, to add the rule to the table.
>
>31.6.5.1.2 RULE_NUMBER
>
>Every rule is identified by a number in the range 1..65535
>
>31.6.5.1.3 ACTION
>
>When the selection criteria described in the rule match the packet, one of the following actions can be performed:
>
>allow | accept | pass | permit
>
>All of the listed commands allow packets that match the rule. The keywords listed above serve to let packets pass through the firewall. If a packet matches a rule containing one of these keywords, the search for further matches stops.
>
>check-state
>
>Checks the packet against the dynamic rules. If a match is found, the action in the dynamic rule, which was generated earlier by keep-state or limit, is applied to the packet. A check-state rule has no match condition. If the check-state keyword is absent from the rule set, the dynamic table is checked at the first occurrence of the keep-state or limit keywords.
>
>deny | drop
>
>The listed commands deny packets and discard them when they match a rule containing these keywords. If a packet matches a rule containing one of these keywords, the search for further matches stops.
>
>31.6.5.1.4 LOGGING
>
>log or logamount
>
>When a packet matches the selection criteria of a rule containing the log keyword, information about it is sent to the syslogd(8) daemon with the SECURITY facility. Logging happens only as long as the number of matches for the rule containing the log keyword has not exceeded the value of the logamount keyword's parameter. If no logamount value is declared, the limit set by the net.inet.ip.fw.verbose_limit parameter in the sysctl configuration file is used. In both cases, a value of 0 removes the limit. Once the configured maximum number of log entries is reached, the logging limit can be lifted by resetting the internal counters. This can be done with the ipfw reset log command.
>
>Note: Logging is done after the packet has been checked against all the conditions in the rule and before the final action (allow/deny) is applied to the packet. This matters when deciding which rule actions you want to log.
>
>31.6.5.1.5 SELECTION
>
>The keywords described in this section are used to describe the criteria against which the rule's match condition is checked. The order of the protocol selection keywords:
>
>udp | tcp | icmp
>
>Protocol names defined in /etc/protocols can also be used. Any protocol name not listed in /etc/protocols is treated as an error.
>
>from src to dst
>
>The from and to keywords select by IP address. Both the source and the destination must be specified. any is a special keyword matching any IP address. me is a special keyword matching any of the IP addresses belonging to the interfaces of your FreeBSD system.
>Examples of selection criteria in the from src to dst format:
>from me to any
>from any to me
>from 0.0.0.0/0 to any
>from any to 0.0.0.0/0
>from 0.0.0.0 to any
>from any to 0.0.0.0
>from me to 0.0.0.0
>An IP address can be given either as a plain IP address or as an IP address with a subnet prefix. To simplify IP address calculations, use the net-mgmt/ipcalc port. More details can be found at http://jodies.de/ipcalc.
>
>port number
>
>For protocols that support ports (tcp and udp), be sure to specify the port number of the corresponding service. A service name can be used instead of the port number. The list of supported names can be found in /etc/services.
>
>in | out
>
>Selection by incoming and outgoing packets. One of these words must be present to form a selection.
>
>via IF
>
>via is the keyword for selecting by the interface named IF.
>
>setup
>
>This is a mandatory keyword used to identify a session start request for a TCP packet.
>
>keep-state
>
>When a rule containing this keyword fires, the firewall creates a dynamic rule that passes packets in both directions, using the protocol given in the original rule, between the source and destination that are also given in the original rule. This is a mandatory keyword.
>
>limit {src-addr | src-port | dst-addr | dst-port}
>
>When a rule containing this keyword fires, the firewall allows only N simultaneous connections with the set of conditions given in the original rule. More than one source and destination can be specified. The limit and keep-state keywords cannot be used together in the same rule, because the functionality of the limit keyword is based on the extended capabilities of the keep-state function.
>
>31.6.5.2 Stateful rule example.
>
>From the point of view of stateful rule filtering, all traffic looks like a bidirectional exchange of packets, including session data. With such filtering we have the means to match and verify the correctness of the bidirectional packet exchange between the originating side and the receiving side. Any packets that do not fit the session template are automatically discarded as malicious.
>
>The check-state keyword specifies the exact point at which the packet is handed over to be checked against the dynamic rules. If it matches one of the dynamic rules, the action associated with that rule is applied and the rule's lifetime counter is reset. Otherwise the packet continues through the regular rules, starting from the position below the check-state rule.
>
>Dynamic rules are vulnerable to an attack with SYN packets, which can spawn an enormous number of dynamic rules. To prevent this kind of attack, FreeBSD provides one more keyword: limit.
>
>31.6.5.3 Logging firewall messages
>
>The logging capability is important and useful. With it you can track, after the fact, which packets were denied, where those packets came from and where they were headed, for the rules that have logging enabled. It is an excellent tool for tracking attacks on your system.
>
>Even with the logging function enabled, no logging takes place unless a rule explicitly requests it. The firewall administrator must decide for which rules logging is enabled, by adding the log keyword to the rule. In most situations it is quite enough to log only packet denial events, for example the denial of incoming ICMP traffic. It is common practice to add a rule at the end of the list that denies and logs all remaining traffic, even if similar rules were already present before it.
>This is a convenient way to track the types of packets for which you provided no rules.
>
>Be extremely careful when using the logging function, as it can lead to disproportionate growth of the log file, up to filling all the space on the hard disk and making it unreadable. DoS attacks aimed at filling up free hard disk space are among the oldest. Apart from filling the disk, it is also unpleasant because syslogd output goes not only to the log file but also to standard output, which interferes with local work at the terminal.
>
>The IPFIREWALL_VERBOSE_LIMIT=5 kernel option limits the number of consecutive messages sent to the syslogd system logger about a packet that matched a rule. When this option is compiled into the kernel, the number of consecutive messages about a given rule is limited to the specified number.
>
>The IPFIREWALL_VERBOSE_LIMIT=5 kernel option limits the number of messages that are logged for each individual rule. Once a rule has reached the maximum number of log entries set by the IPFIREWALL_VERBOSE_LIMIT option, all packets passing through rules containing the log keyword WILL NOT PRODUCE ANY ENTRIES IN THE LOG FILE. If the syslogd daemon receives 200 identical log messages in a row, the log file will not show all 200 messages; instead, an entry of the following form is written:
>last message repeated 200 times
>
>The path where the syslogd daemon writes messages with the SECURITY facility is set in /etc/syslogd.conf, and in the FreeBSD base system this path is /var/log/security.
>
>31.6.5.4 Writing a script containing the rules
>
>The most experienced IPFW users create a script containing the rules, laid out so that it can be run as an ordinary sh script. The main advantage of this approach is that it frees us from reloading the rules by hand every time the need arises. This is extremely useful while developing and testing a rule set, since frequent reloading of the whole rule list will most likely be needed. In addition, it is often necessary to declare some cumbersome phrase as a variable with a short name, which significantly shortens the rules and improves their readability, as in the example shown below.
>
>The syntax of the example below is compatible with three shells: sh, csh and tcsh. The $ character is used to refer to the value of a previously declared variable. When a value is assigned to a variable, the value must be enclosed in double quotes on both sides.
>
>Here is an example you can start from in your first experiments with IPFW:
>
>############### start of example ipfw rules script #############
>#
>ipfw -q -f flush # Flush all rules.
># Default settings.
>oif="tun0" # name of the external interface belonging
> # to the public network.
>odns="192.0.2.11" # IP of the ISP's DNS server.
>cmd="ipfw -q add " # standard prefix for adding ipfw rules.
>ks="keep-state" # just too lazy to type it every time.
>$cmd 00500 check-state
>$cmd 00502 deny all from any to any frag
>$cmd 00501 deny tcp from any to any established
>$cmd 00600 allow tcp from any to any 80 out via $oif setup $ks
>$cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks
>$cmd 00611 allow udp from any to $odns 53 out via $oif $ks
>################### End of example ipfw rules script ##########################
>
>In this case, pay no attention to the rules themselves; they are written only to give an example of substituting a variable's value by its name.
>
>If this syntax is followed in the /etc/ipfw.rules file, the rules can be quickly reloaded with the command:
>
># sh /etc/ipfw.rules
>
>The name and location of the script are not critical, but this is the path used by default in FreeBSD.
>
>All the actions described above can be replaced by equivalent commands entered one after another at the command line:
>
># ipfw -q -f flush
># ipfw -q add check-state
># ipfw -q add deny all from any to any frag
># ipfw -q add deny tcp from any to any established
># ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state
># ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state
># ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state
>
>31.6.5.5 Stateful rules
>
>The following rule set, which does not include NAT address translation rules, is an example of how to create simple yet secure rules for a closed-type firewall. A closed firewall allows the traffic described in its allow rules and blocks the rest. A firewall intended to protect network segments consists of at least two interfaces and allow rules for those two interfaces.
>
>All Unix-like operating systems, including FreeBSD, use the lo0 interface and its IP address 127.0.0.1 for internal communication. The firewall rule set must contain rules that allow unhindered traffic on this interface.
>
>On the interface connected to the Internet, place the rules that allow and control access for incoming and outgoing connections. This may be either a PPP tunnel interface tun0 or the standard interface of a high-speed wired connection.
>
>When one or more interfaces are connected to a local network behind the firewall, there must be rules that permit an unhindered outgoing flow of traffic from that interface.
>
>Logically, the rules are divided into three large sections: interfaces not restricted by rules, rules for outgoing traffic on the external interface, and rules for incoming traffic on the external interface.
>
>In each of the sections concerning the external interface, the rules should be ordered by the following principle: the most frequently used at the start, the least frequently used at the end. The last rule must be one that blocks and logs the traffic on this interface that did not match the preceding rules.
>
>The section describing the rules for outgoing traffic on the external interface contains only allow rules, made up of selection values that uniquely identify the service that is allowed access to the Internet. Each rule consists of the fields proto, port, in/out, via and keep state, which can optionally be omitted. Rules applied to tcp traffic contain the setup keyword, which identifies the start of a session; this is then passed as a match condition into the keep-state table.
>
>In the section describing the rules for incoming traffic on the external interface, the rules that block unwanted packets must come first, for two reasons: The first reason is that packets crafted by an attacker may partly or fully match the allow rules. The second reason is that packets which, by certain criteria, are known to be of no interest to us can simply be rejected, instead of being caught and written to the log file by the last rule. The last rule in each section blocks and logs all packets and can be used as legal evidence in proceedings against an attacker who has attacked your system.
>
>You should also make sure that your server does not respond to any other form of unexpected traffic. Malformed packets must be discarded. As a result, attackers get no information on whether their packet reached your server or not. The less attackers know about your system, the better protected it is. If your knowledge of the well-known port numbers is insufficient, it can be extended with the contents of /etc/services/ and the link http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers. We recommend reading the link below to extend your knowledge of the well-known port numbers used by trojans: http://www.sans.org/security-resources/idfaq/oddports.php.
>
>31.6.5.6 Example rule set for a closed-type firewall.
>
>The following rules, which do not include network address translation support, are a logically complete rule set for a closed-type firewall. With a rule set like this you can be quite confident in the security of your system. To avoid logging unwanted messages, add a "deny" rule in the section describing incoming traffic on the interface. Replace the interface name dc0 mentioned in the rules below with the name of the interface that belongs to the public network on your system. For ppp connections this will be tun0.
>
>Notes on using these rules.
>- all session start requests to the external network use the keep-state option.
>- all allowed services from the external network have the limit keyword to protect against a storm of dynamic rule creation (flooding).
>- All rules use the in or out options to indicate the traffic direction.
>- All rules use the via interface-name option to specify the interface.
>The following rules are written to /etc/ipfw.rules
>
>####################### Start of IPFW rules file #######################
># Flush all rules before the script starts.
>ipfw -q -f flush
>
># Set the standard variables
>cmd="ipfw -q add" # standard prefix for adding ipfw rules
>pif="dc0" # name of the external interface belonging
> # to the public network
>
>########################################################################
># No restrictions on the internal network interface for the LAN
># Not needed until you have a LAN.
># Replace xl0 with the name of your LAN interface.
>########################################################################
>#$cmd 00005 allow all from any to any via xl0
>
>########################################################################
># No restrictions on the loopback interface
>########################################################################
>$cmd 00010 allow all from any to any via lo0
>
>########################################################################
># Allow the packet if it was previously added to the dynamic
># table by keep-state
>########################################################################
>$cmd 00015 check-state
>
>########################################################################
># Section describing the rules for outgoing traffic on the
># interface belonging to the public network.
># Examines session start requests coming from behind the firewall
># into the LAN or from this gateway to the Internet.
>########################################################################
>
># Allow outgoing traffic to your ISP's
># DNS server
># x.x.x.x must be replaced with the IP address of your ISP's
># DNS server
># Duplicate these lines if you have more than one ISP
># DNS server
># These IP addresses can be found in the /etc/resolv.conf file.
>$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
>$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state
>
># Allow outgoing traffic to your ISP's DHCP server
># for cable/DSL configurations.
># This rule is not needed for "user ppp" connections to the public network;
># in that case you can remove these rules.
># Use this rule to record the IP address we need in the log file.
># Take the IP address from the log file, replace x.x.x.x in the commented-out
># rule below with that IP address and remove the first rule.
>$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
>#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state
>
># Allow outgoing traffic for non-secure www sessions
>$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
>
># Allow outgoing traffic for secure www sessions
># https with TLS and SSL support
>$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
>
># Allow outgoing POP/SMTP traffic.
>$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
>$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
>
># Allow outgoing FBSD (make install & cvsup) traffic
># Give the root user full privileges.
>$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root
>
># Allow outgoing icmp traffic so that the ping utility works correctly
>$cmd 00250 allow icmp from any to any out via $pif keep-state
>
>
># Allow outgoing tcp traffic for the Time utility.
>$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
>
># Allow outgoing tcp traffic for nntp news utilities
>$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state
>
># Allow outgoing secure traffic for the FTP, Telnet and SCP utilities
># This function is used by software working over the SSH protocol
>$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
>
># Allow outgoing traffic for the whois utility
>$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state
>
># Deny and log all other traffic trying to leave through the external interface.
># With a rule like this in place, regardless of the chosen default policy,
># the firewall behaves as a closed-type firewall.
>$cmd 00299 deny log all from any to any out via $pif
>
>
>########################################################################
># Section describing the rules for incoming traffic on the interface
># belonging to the public network.
># Examines packets arriving from the public network
># destined for this gateway or the LAN
>########################################################################
>
># Deny all incoming traffic from address spaces that are not used in routing.
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   # RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif    # RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif       # RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif      # loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif        # loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   # DHCP auto-configuration
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif     # reserved
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif  # Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif      # Class D & E multicast

# Deny ping from the public network
$cmd 00310 deny icmp from any to any in via $pif

# Deny inbound connections on port 113
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services. 137=name, 138=datagram, 139=session
# Netbios is the MS/Windows sharing service.
# Block MS/Windows hosts2 name server requests on port 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late-arriving (fragmented) packets.
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that do not match the dynamic rule table.
$cmd 00332 deny tcp from any to any established in via $pif

# Allow inbound traffic from your ISP's external DHCP server. This rule must contain
# the IP address of your ISP's external DHCP server, so that it is the only source
# allowed to send packets of this type.
# This is required for cable and DSL connections. For 'user ppp' types of
# connection to the public network this rule is not needed.
# This is the same IP address you selected and used in the section describing
# the rules for outbound traffic.
$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow inbound traffic for non-secure www sessions, since I run an apache server.
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow inbound secure FTP, Telnet and SCP connections from the public network
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow inbound non-secure Telnet connections from the public network.
# This connection is considered insecure because the ID and PW are passed from
# the public network as clear text;
# delete this rule if you do not use telnet.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject and log all inbound traffic from the public network.
$cmd 00499 deny log all from any to any in via $pif


# Deny and log all traffic that did not match the rules above.
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################

31.6.5.7 Example of a closed-type (inclusive) firewall ruleset with NAT support

Listed here are some additional options that must be set to enable the NAT function of the IPFW firewall. Add option IPDIVERT to the FreeBSD kernel configuration alongside the IPFIREWALL options already listed.

In addition to the standard IPFW options in /etc/rc.conf, add the following:
natd_enable="YES"                  # Enable the NATD function
natd_interface="rl0"               # Name of the network interface
                                   # belonging to the public network
natd_flags="-dynamic -m"           # -m = preserve port numbers if possible

Using closed-type (inclusive) firewall rules together with the divert natd rule (Network Address Translation) considerably complicates the rule logic. The placement of the check-state and divert natd keywords in the rule table affects the firewall's behaviour; it is no longer a simple sequential logical flow. With the options above applied, a new keyword, skipto, becomes available. Once skipto is used, rule numbering becomes mandatory. The argument to skipto is the number of the rule to jump to.

Below is an example of the coding method without comments, given here to make clear the order in which packets pass through the ruleset.

Rule processing starts with the first rule and proceeds sequentially from the top of the list. During processing, the packet is tested against each rule's selection criteria. If a match is found, the action specified by that rule is applied to the packet; if no rule matches, the policy configured in the system (closed-type or open-type firewall) applies.

The order of rules 100, 101, 450, 500 and 510 matters. These rules control the translation of outbound and inbound packets; only local (LAN) IP addresses are registered in the keep-state table. In the example that follows, the allow and deny rules specify the packet direction (outbound or inbound) and also name the interface. Note too that every outbound session-start request is sent via the skipto keyword to rule 500 for address translation.

Suppose a user on the local network requests a page through a browser. Web pages are served on port 80. The packet enters the firewall. It does not match rule 100, because that rule's selection criteria include the keyword in.
It does not match rule 101, because this is the first packet of the session and it has not yet been entered into the dynamic keep-state table. On reaching rule 125 the packet finally satisfies all the selection criteria. Since the packet's destination is on the public network, it has to be sent out via the interface facing the public network. At this stage the packet still carries the local user's IP address as its return address. Under this rule, two actions are applied to the packet:
The keep-state option creates a new entry in the dynamic table and performs the action specified in the rule. That action is also part of the information stored in the dynamic table; in this case it is skipto rule 500. Rule 500 translates (NATs) the packet's address and releases it onto the network. This point is very important.
The packet travels to its destination, where a reply packet is generated and sent back. This new packet starts its way through the NAT firewall from the first rule in the list. This time the packet matches rule 100 and its destination IP address is translated back to the corresponding local-network IP address. It is then processed by the check-state rule: since an entry for this session is already present in the dynamic table, the action recorded by keep-state is performed and the packet is released onto the local network.

The packet then returns to the user who sent it, and a new packet is generated requesting the next portion of data from the remote server. This time the packet is checked right away by the check-state rule, and since an outbound entry for this packet exists, the skipto 500 action is performed. The packet jumps to rule 500, is translated and released onto the network.
In the section describing inbound traffic, all packets arriving as replies within existing sessions are redirected by the keep-state rule to the divert natd rule. If anything beyond that needs to be allowed, the corresponding rules must be written. A rule that denies all other unsafe traffic must also be placed at the end. Suppose apache is running on the firewall server and we want people on the public network to be able to reach the local web site. A new inbound session-start packet matches rule 100 and its IP address is translated to the local IP. The packet is then checked against the hostile-traffic rules and, if none matches, reaches rule 425. If it matches this rule, two things happen: the packet's rule is placed in the dynamic keep-state table, but from this moment any new session originating from that IP is limited to 2 simultaneous connections. This protects the service on the port named in the rule from overload.
The rule's action is allow, so the packet is passed into the local network. The packet formed as the reply is matched by check-state and recognised as belonging to an existing session. It then reaches rule 500, where reverse translation takes place, after which the packet goes out on the interface belonging to the public network.
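To make the walk-through above concrete, here is an added Python model of ipfw's first-match evaluation with check-state, keep-state, limit src-addr, skipto and divert natd. It is not code from the Handbook or from ipfw itself: it uses an abridged form of example #1 below (only rules 100, 101, 125, 420, 450, 500 and 510, with rule 125 reduced to port 80 and the limit set to 2 as in the prose) and constructed addresses (192.168.1.20 for the LAN user, 198.51.100.10 for the web server, 203.0.113.7 as the gateway's public address, 203.0.113.99 as an outside client). walk() replays the three packets described above plus three inbound requests to the gateway's web server; walk(nat_before_state=False) swaps rules 100 and 101 to show why the page says their order matters: the reply is then state-checked before natd has rewritten its destination, misses the dynamic entry, and falls through to the deny at 450.

```python
from dataclasses import dataclass

NAT_IP = "203.0.113.7"   # constructed public address of the gateway (what "me" matches)

@dataclass
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # "in" or "out" on the public interface (via $pif)
    syn: bool = True     # "setup" matches only session-start packets

@dataclass
class Rule:
    num: int
    act: tuple           # ("allow"|"deny"|"divert"|"check-state", 0) or ("skipto", target)
    match: object = None # predicate Pkt -> bool (unused by check-state)
    keep_state: bool = False
    limit: int = 0       # "limit src-addr N"; 0 means no limit

def m(proto=None, dport=None, direction=None, setup=False, to_me=False):
    def pred(p):
        return ((proto is None or p.proto == proto)
                and (dport is None or p.dport == dport)
                and (direction is None or p.direction == direction)
                and (not setup or p.syn) and (not to_me or p.dst == NAT_IP))
    return pred

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dyn = {}    # keep-state table: flow key -> (parent action, rule, src)
        self.nat = {}    # natd -m port mapping: (proto, port) -> private address

    @staticmethod
    def key(p):
        # Unordered endpoint pair, so a reply finds the entry its request created.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def natd(self, p):
        # divert natd: rewrite the source going out, the destination coming in.
        if p.direction == "out":
            self.nat[(p.proto, p.sport)] = p.src
            p.src = NAT_IP
        elif (p.proto, p.dport) in self.nat:
            p.dst = self.nat[(p.proto, p.dport)]

    def process(self, p):
        """First-match walk; returns (verdict, numbers of the rules that fired)."""
        trace, i = [], 0
        while i < len(self.rules):
            r, i = self.rules[i], i + 1
            if r.act[0] == "check-state":
                if self.key(p) not in self.dyn:
                    continue
                act = self.dyn[self.key(p)][0]   # replay the parent rule's action
            elif r.match(p):
                act = r.act
                if r.limit and sum(1 for e in self.dyn.values()
                                   if e[1] == r.num and e[2] == p.src) >= r.limit:
                    return "deny", trace + [r.num]   # over the per-source limit
                if r.keep_state or r.limit:
                    self.dyn[self.key(p)] = (act, r.num, p.src)
            else:
                continue
            trace.append(r.num)
            if act[0] in ("allow", "deny"):
                return act[0], trace
            if act[0] == "skipto":             # resume at the first rule >= target
                i = next(k for k, x in enumerate(self.rules) if x.num >= act[1])
            else:                              # divert: natd re-injects at the next rule
                self.natd(p)
        return "deny", trace                   # closed-type default policy

def ruleset(nat_before_state=True):
    """Abridged form of the page's example #1 (rule 125 reduced to port 80)."""
    head = [Rule(100, ("divert", 0), m(direction="in")), Rule(101, ("check-state", 0))]
    head = head if nat_before_state else head[::-1]   # what-if: check-state first
    return head + [
        Rule(125, ("skipto", 500), m("tcp", 80, "out", setup=True), keep_state=True),
        Rule(420, ("allow", 0), m("tcp", 80, "in", setup=True, to_me=True), limit=2),
        Rule(450, ("deny", 0), m()),
        Rule(500, ("divert", 0), m(direction="out")),
        Rule(510, ("allow", 0), m()),
    ]

def walk(nat_before_state=True):
    """Replay the page's packet walk-through; all addresses are constructed."""
    fw = Firewall(ruleset(nat_before_state))
    lan, web, client = "192.168.1.20", "198.51.100.10", "203.0.113.99"
    out = {"lan_syn": fw.process(Pkt("tcp", lan, 51000, web, 80, "out"))}
    reply = Pkt("tcp", web, 80, NAT_IP, 51000, "in", syn=False)
    out["reply"] = fw.process(reply) + (reply.dst,)
    out["lan_ack"] = fw.process(Pkt("tcp", lan, 51000, web, 80, "out", syn=False))
    out["web_syn"] = [fw.process(Pkt("tcp", client, 40000 + n, NAT_IP, 80, "in"))
                      for n in range(3)]
    return out
```

With the page's ordering, walk() traces the LAN SYN as 125 -> 500 -> 510, the reply as 100 -> 101 -> 510 (destination rewritten back to 192.168.1.20 before the state lookup), the next outbound packet as 101 -> 500 -> 510, and the third inbound web request from the same client is dropped at rule 420 by the per-source limit. The model ignores rule 450's log keyword and dynamic-entry expiry, which do not affect the ordering point.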

Example ruleset #1:
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443,110,119"

ipfw -q -f flush

$cmd 002 allow all from any to any via xl0  # allow traffic on the LAN interface
$cmd 003 allow all from any to any via lo0  # allow traffic on the loopback interface

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks
$cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks


# Deny all inbound traffic from address spaces that are not used in routing.
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif   # RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif    # RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif       # RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif      # loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif        # loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif   # DHCP auto-configuration
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif     # reserved for documentation
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  # Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif      # Class D & E multicast

# Authorized inbound packets
$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1


$cmd 450 deny log ip from any to any

# This is the skipto location for the stateful rules described for outbound packets.
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any

################################# End of rules file #####################################

Example ruleset #2:
#!/bin/sh
################################# Start of IPFW rules file ####################################
# Flush all rules before the script starts.
ipfw -q -f flush

# Set the default variables
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"    # name of the external interface,
             # belonging to the public network

###############################################################################################
# No restrictions on the LAN interface
# This rule is not needed unless you have a LAN.
# Replace xl0 with the name of the interface belonging to your
# LAN.
###############################################################################################
$cmd 005 allow all from any to any via xl0

###############################################################################################
# No restrictions on the loopback interface
###############################################################################################
$cmd 010 allow all from any to any via lo0

###############################################################################################
# Pass inbound packets through natd before they are checked against the dynamic table
###############################################################################################
$cmd 014 divert natd ip from any to any in via $pif

###############################################################################################
# Allow the packet if it was previously added to the dynamic
# table by keep-state
###############################################################################################
$cmd 015 check-state

>############################################################################################### ># Ðàçäåë, îïèñûâàþùèé ïðàâèëà äëÿ èñõîäÿùåãî òðàôôèêà íà ># èíòåðôåéñå, ïðèíàäëåæàùåì ãëîáàëüíîé ñåòè. ># Àíàëèç çàïðîñîâ íà÷àëà ñåññèè èäóùèõ èç-çà ìåæñåòåâîãî ýêðàíà â ëîêàëüíóþ ># ñåòü èëè îò ýòîãî øëþçà â èíòåðíåò. >############################################################################################### > ># Ðàçðåøèòü èñõîäÿùèé òðàôôèê ê DNS ñåðâåðó âàøåãî ># èíòåðíåò-ïðîâàéäåðà ># x.x.x.x äîëæåí áûòü IP àäðåñîì DNS ñåðâåðà âàøåãî ># èíòåðíåò-ïðîâàéäåðà ># Ïðîäóáëèðóéòå ýòè ñòðîêè, åñëè ó âàñ áîëüøå ÷åì îäèí DNS ñåðâåð ># èíòåðíåò ïðîâàéäåðà ># Ýòè IP àäðåñà ìîãóò áûòü îïèñàíû â /etc/resolv.conf ôàéëå. >$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state > ># Ðàçðåøèòü èñõîäÿùèé òðàôôèê ê DHCP ñåðâåðó âàøåãî èíòåðíåò-ïðîâàéäåðà ># äëÿ cable/DSL êîíôèãóðàöèé >$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state > ># Ðàçðåøèòü èñõîäÿùèé òðàôôèê äëÿ ñåññèè íåçàùèùåííîãî www ñîåäèíåíèÿ >$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state > ># Ðàçðåøèòü èñõîäÿùèé òðàôôèê äëÿ ñåññèè çàùèùåííîãî www ñîåäèíåíèÿ ># https ñ ïîääåðæêîé TLS è SSL >$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state > ># Ðàçðåøèòü èñõîäÿùèé POP/SMTP òðàôôèê. >$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state >$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state > ># Ðàçðåøèòü èñõîäÿùèé FBSD (make install & cvsup) òðàôôèê ># Íàçíà÷àåì ïîëüçîâàòåëþ root ïîëíûå ïðèâèëåãèè. >$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root > ># Ðàçðåøàåì èñõîäÿùèé icmp òðàôôèê äëÿ êîððåêòíîé ðàáîòû óòèëèòû ping >$cmd 080 $skip icmp from any to any out via $pif keep-state > ># Ðàçðåøàåì èñõîäÿùèé tcp òðàôôèê äëÿ óòèëèòû Time. 
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow outbound tcp traffic for nntp news utilities (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow outbound secure traffic for the FTP, Telnet and SCP utilities.
# This function is used by software that works over the SSH protocol.
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow outbound traffic for the whois utility
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow outbound udp traffic for the ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

###############################################################################################
# Section describing the rules for inbound traffic on the interface belonging to the
# public network. Inspects packets arriving from the public network that are destined
# for this gateway or the local network.
###############################################################################################

# Deny all inbound traffic from address spaces that are not used in routing.
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Deny inbound connections on port 113
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services. 137=name, 138=datagram, 139=session
# Netbios is the MS/Windows sharing service.
# Block MS/Windows hosts2 name server requests on port 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif

# Deny any late-arriving (fragmented) packets.
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that do not match the dynamic rule table.
$cmd 332 deny tcp from any to any established in via $pif

# Allow inbound traffic from your ISP's external DHCP server. This rule
# must contain the IP address of your ISP's external DHCP server, so that
# it is the only source allowed to send packets of this type.
# This is required for cable and DSL connections. For 'user ppp' types of connection to
# the public network this rule is not needed.
# This is the same IP address you selected and used in the section describing the rules for
# outbound traffic.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state

# Allow inbound traffic for non-secure www sessions, since I run an
# apache server.
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow inbound secure FTP, Telnet and SCP connections from the
# public network
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow inbound non-secure Telnet connections from the public network.
# This connection is considered insecure because the ID and PW are passed from the public network
# as clear text.
# Delete this rule if you do not use telnet.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject and log all inbound traffic from the public network.
$cmd 400 deny log all from any to any in via $pif

# Reject and log all outbound traffic to the public network.
$cmd 450 deny log all from any to any out via $pif

# This is the section for the skipto keyword contained in the stateful rules.
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Deny and log all traffic that did not match the rules above.
$cmd 999 deny log all from any to any
################################# End of IPFW rules file ####################################
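Both rulesets above depend on ordering that ipfw does not check for you: the inbound divert natd rule must come before check-state, every skipto must name a rule that exists further down, and a deny must sit before the skipto landing section so unmatched traffic cannot fall into the NAT/allow rules. The following added Python script (not part of the Handbook or of ipfw) expands the shell variables in a rule file of this shape and reports those problems. It carries an abridged copy of example #1 from this page and a constructed broken ruleset; the $cmd prefix is assumed to expand to "ipfw -q add", as in both examples.

```python
import re

# Abridged copy of the page's example #1 (the page's own rules; comments dropped).
EXAMPLE_1 = """
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443,110,119"
ipfw -q -f flush
$cmd 002 allow all from any to any via xl0
$cmd 003 allow all from any to any via lo0
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif
$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 450 deny log ip from any to any
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
"""

# Constructed counter-example: check-state ahead of the inbound divert natd,
# a skipto to a rule that does not exist, and no deny before the NAT section.
BROKEN = """
cmd="ipfw -q add"
pif=rl0
$cmd 100 check-state
$cmd 101 divert natd ip from any to any in via $pif
$cmd 125 skipto 600 tcp from any to any 80 out via $pif setup keep-state
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
"""


def parse_rules(script):
    """Expand the script's shell variables; return (number, action, target, tokens)."""
    env, rules = {}, []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        assign = re.match(r'^(\w+)=("?)([^"]*)\2$', line)
        if assign:
            env[assign.group(1)] = assign.group(3)
            continue
        toks = re.sub(r"\$(\w+)", lambda x: env.get(x.group(1), ""), line).split()
        if toks[:3] != ["ipfw", "-q", "add"]:
            continue                        # e.g. the "ipfw -q -f flush" line
        num, action = int(toks[3]), toks[4]
        target = int(toks[5]) if action == "skipto" else None
        rules.append((num, action, target, toks[5:]))
    return rules


def lint(rules):
    """Return the ordering problems the page's prose warns about (empty = clean)."""
    findings = []
    nums = [n for n, *_ in rules]
    if nums != sorted(nums):
        findings.append("file order differs from evaluation order (ipfw sorts by number)")
    states = [n for n, a, *_ in rules if a == "check-state"]
    nat_in = [n for n, a, _, toks in rules if a == "divert" and "in" in toks]
    denies = [n for n, a, *_ in rules if a == "deny"]
    targets = [t for _, a, t, _ in rules if a == "skipto"]
    if not states:
        findings.append("no check-state rule: stateful replies are never matched early")
    elif nat_in and min(nat_in) > states[0]:
        findings.append(f"inbound divert natd (rule {min(nat_in)}) comes after check-state "
                        f"(rule {states[0]}): replies are looked up before translation")
    for n, a, t, toks in rules:
        if a == "skipto" and t <= n:
            findings.append(f"rule {n}: skipto {t} cannot jump backwards")
        elif a == "skipto" and t not in nums:
            findings.append(f"rule {n}: skipto {t} has no rule numbered {t}")
        if states and ("keep-state" in toks or "limit" in toks) and n < states[0]:
            findings.append(f"rule {n}: stateful rule precedes check-state")
    if targets and not any(d < min(targets) for d in denies):
        findings.append("no deny rule before the skipto landing section: "
                        "unmatched traffic falls into the NAT/allow rules")
    return findings
```

lint(parse_rules(EXAMPLE_1)) returns an empty list; lint(parse_rules(BROKEN)) reports the three planted problems. Feed it the full rule file before loading it with sh so the mistakes are caught on the workstation rather than on the gateway.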