3.5 What are some reasonable filtering rules for a kernel-based packet screen?

This example is written specifically for ipfwadm on Linux, but the principles (and even much of the syntax) apply to other kernel interfaces for packet screening on "open source" Unix systems.
There are four basic categories covered by the ipfwadm rules:
ipfwadm also has masquerading (-M) capabilities. For more information on switches and options, see the ipfwadm man page.
Here, our organization is using a private (RFC 1918) Class C network 192.168.1.0. Our ISP has assigned us the address 18.104.22.168 for our gateway's external interface and 22.214.171.124 for our external mail server. Organizational policy says:
The following block of commands can be placed in a system boot file (perhaps rc.local on Unix systems).
# Flush any existing forwarding rules, then make "deny" the default
# forwarding policy so that only explicitly listed traffic is passed.
ipfwadm -F -f
ipfwadm -F -p deny
# Allow SMTP (TCP 25) and DNS (TCP and UDP 53) from any ephemeral client
# port to the external mail server; -b makes each rule match both directions.
ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 126.96.36.199 25
ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 188.8.131.52 53
ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024:65535 -D 184.108.40.206 53
# Masquerade everything leaving the private network through eth0.
ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
# Route packets for the mail server's address to the internal host 192.168.1.2.
/sbin/route add -host 220.127.116.11 gw 192.168.1.2
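To make the evaluation order of such a rule set concrete, here is an added example (not part of the FAQ and not ipfwadm's own code) that models the forwarding chain above as a first-match packet screen: -i rules are inserted at the head of the list, -a rules are appended, -b rules match with source and destination swapped, and anything unmatched falls through to the default deny policy. Interface matching (-W) is left out. The mail server address is the one the text assigns (22.214.171.124); the external client address 203.0.113.10 and all packets in the check function are constructed test data.

```python
"""Added example: a first-match forwarding screen that models the ipfwadm rule
set in the text.  Not the FAQ's code and not ipfwadm itself."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept", "deny" or "masquerade" (ipfwadm's "m")
    proto: str = "all"              # -P tcp|udp, or "all" when -P is omitted
    src: str = ANY                  # -S network
    sports: tuple = ALL_PORTS       # -S port range (low, high)
    dst: str = ANY                  # -D network
    dports: tuple = ALL_PORTS       # -D port range (low, high)
    bidirectional: bool = False     # -b

    def _match_dir(self, proto, src, sport, dst, dport):
        if self.proto != "all" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return (self.sports[0] <= sport <= self.sports[1]
                and self.dports[0] <= dport <= self.dports[1])

    def matches(self, p):
        if self._match_dir(p.proto, p.src, p.sport, p.dst, p.dport):
            return True
        # -b: the same rule also matches the reply direction.
        return self.bidirectional and self._match_dir(
            p.proto, p.dst, p.dport, p.src, p.sport)


class Screen:
    def __init__(self, default="deny"):
        self.default = default   # ipfwadm -F -p deny
        self.rules = []

    def insert(self, rule):      # ipfwadm -F -i ...: goes to the head of the list
        self.rules.insert(0, rule)

    def append(self, rule):      # ipfwadm -F -a ...: goes to the tail of the list
        self.rules.append(rule)

    def decide(self, p):
        """First matching rule wins; otherwise the default policy applies."""
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


MAIL = "22.214.171.124"          # external mail server address from the text
EPHEMERAL = (1024, 65535)        # the 1024:65535 source-port range in the rules


def build_screen():
    """Translate the FAQ's ipfwadm forwarding rules into a Screen."""
    s = Screen(default="deny")
    s.insert(Rule("masquerade", "tcp", ANY, EPHEMERAL, MAIL, (25, 25), True))
    s.insert(Rule("masquerade", "tcp", ANY, EPHEMERAL, MAIL, (53, 53), True))
    s.insert(Rule("masquerade", "udp", ANY, EPHEMERAL, MAIL, (53, 53), True))
    s.append(Rule("masquerade", "all", "192.168.1.0/24"))
    return s


def check(packets=None):
    """Return the verdict for each packet (constructed sample traffic by default)."""
    ext = "203.0.113.10"         # constructed external host (TEST-NET-3)
    if packets is None:
        packets = [
            Packet("tcp", ext, 40000, MAIL, 25),        # inbound SMTP: allowed
            Packet("tcp", MAIL, 25, ext, 40000),        # SMTP reply: allowed via -b
            Packet("udp", ext, 5353, MAIL, 53),         # inbound DNS query: allowed
            Packet("tcp", ext, 40000, MAIL, 23),        # telnet to mail server: denied
            Packet("tcp", ext, 80, MAIL, 25),           # source port < 1024: denied
            Packet("tcp", "192.168.1.7", 40000, ext, 80),  # outbound web: masqueraded
            Packet("tcp", ext, 40000, "192.168.1.7", 80),  # unsolicited inbound: denied
        ]
    s = build_screen()
    return [s.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in check():
        print(verdict)
```

Two things the model makes visible that the command listing does not: the 1024:65535 source-port restriction means a connection whose client port is below 1024 is refused even when the destination port is allowed, and the appended masquerade rule is reached only by packets that none of the inserted rules claimed, so ordering matters when rules overlap.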
© 2000 - 2017 Vesaria Network Security Specialists