


  1. Man, could you give me an example of these rules without IPs? Here I use dhcpd on a server that controls my whole wireless network.

    Thanks,

    Quote Originally Posted by balisteri View Post
    Code:
    / ip firewall filter
    add chain=forward protocol=tcp dst-port=135 action=drop comment="" disabled=no
    add chain=input connection-state=invalid action=drop comment="Drop Invalid connections" disabled=no
    add chain=input connection-state=established action=accept comment="Allow Established connections" disabled=no
    # Caution: this accepts every UDP datagram addressed to the router itself, on every interface,
    # before the known-network check below, so any UDP service the router runs is reachable from
    # the uplink. Restrict it to the LAN interface or to specific ports.
    add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
    add chain=input protocol=tcp dst-port=23 action=drop comment="" disabled=yes
    add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
    add chain=input src-address=192.168.0.0/24 action=accept comment="Allow access to router from known network" disabled=no
    add chain=input action=drop comment="Drop anything else" disabled=no
    add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" disabled=no
    add chain=forward connection-state=established action=accept comment="allow already established connections" disabled=no
    add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
    add chain=forward src-address=0.0.0.0/8 action=drop comment="bogon: this network" disabled=no
    add chain=forward dst-address=0.0.0.0/8 action=drop comment="bogon: this network" disabled=no
    add chain=forward src-address=127.0.0.0/8 action=drop comment="bogon: loopback" disabled=no
    add chain=forward dst-address=127.0.0.0/8 action=drop comment="bogon: loopback" disabled=no
    add chain=forward src-address=224.0.0.0/3 action=drop comment="bogon: multicast and reserved" disabled=no
    add chain=forward dst-address=224.0.0.0/3 action=drop comment="bogon: multicast and reserved" disabled=no
    add chain=forward protocol=tcp action=jump jump-target=tcp comment="" disabled=no
    add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
    add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no
    add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" disabled=no
    add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
    add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
    add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=no
    add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=no
    add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" disabled=no
    add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" disabled=no
    add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" disabled=no
    add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice" disabled=no
    # DHCP runs over UDP, so a TCP 67-68 rule matches nothing; kept as posted.
    add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" disabled=no
    add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
    add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
    add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
    add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" disabled=no
    add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" disabled=no
    add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice" disabled=no
    add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="allow echo reply" disabled=no
    add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow net unreachable" disabled=no
    add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow host unreachable" disabled=no
    add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench" disabled=no
    add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request" disabled=no
    add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceeded" disabled=no
    add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter problem" disabled=no
    add chain=icmp action=drop comment="deny all other types" disabled=no
    add chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=drop comment="Block access between users" disabled=no
    # The next four rules were posted with the whole rule inside the chain= quotes, which RouterOS
    # rejects; this is the intended form.
    add chain=forward protocol=tcp dst-port=135-139 action=drop comment="" disabled=no
    add chain=forward protocol=udp dst-port=135-139 action=drop comment="" disabled=no
    add chain=forward protocol=tcp dst-port=445-449 action=drop comment="" disabled=no
    add chain=forward protocol=udp dst-port=445-449 action=drop comment="" disabled=no
    # Note: chain=input already ends with "Drop anything else" above, so the input rules below are
    # never reached unless they are moved above that catch-all. If moved, the src-port=0-65535 rule
    # drops all TCP from interface Local to the router, including management sessions.
    add chain=input in-interface=Local protocol=tcp src-port=6776 action=drop comment="2000 Cracks" disabled=no
    add chain=input in-interface=Local protocol=tcp src-port=32418 action=drop comment="Acid Battery" disabled=no
    add chain=input in-interface=Local protocol=tcp src-port=0-65535 action=drop comment="" disabled=no
    add chain=input src-address=192.168.1.0/24 action=accept comment="Allow access to router from known network 2" disabled=no
    add chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.0/24 action=drop comment="Block access between users 2" disabled=no
    add chain=forward in-interface=Local out-interface=Local action=accept comment="Allow traffic between wired and wireless networks" disabled=no
    add chain=forward action=jump jump-target=sanity-check comment="Sanity Check" disabled=no
    add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal" disabled=no
    add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block port scans" disabled=no
    # FIN+PSH+URG with SYN, RST and ACK clear is the Xmas pattern; all six flags clear is the Null
    # pattern. The two comments were swapped in the posted version.
    add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan" disabled=no
    add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan" disabled=no
    add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop comment="" disabled=no
    # Dropping every RST also discards legitimate connection resets passing through the router.
    add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST" disabled=no
    add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN" disabled=no
    add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once" disabled=no
    # The sanity-check rules jump to a chain named "drop" that the posted ruleset never defines; a
    # jump into an empty chain simply returns, so the rules dropped nothing. This defines it.
    add chain=drop action=drop comment="Target of the sanity-check jumps" disabled=no
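The sanity-check chain in the ruleset quoted above is driven by tcp-flags matchers. The Python below is an added example, not code from the post: it implements the RouterOS tcp-flags semantics as I read them (a listed flag must be set, a "!"-prefixed flag must be clear, unlisted flags are ignored) and walks the chain's four tcp-flags rules in order, first match wins, over constructed flag sets. A segment with FIN, PSH and URG set and SYN, RST and ACK clear is the Xmas pattern; one with all six flags clear is the Null pattern. The rule list, the sample flag sets and the helper names are mine.

```python
"""Classify TCP flag combinations against RouterOS-style tcp-flags matchers.

Added example for the forum thread; not part of any post. Assumed RouterOS
semantics: a bare flag in tcp-flags= must be set, a '!'-prefixed flag must be
clear, flags not mentioned are ignored. Rules are evaluated first-match, as a
RouterOS chain is.
"""
from __future__ import annotations

TCP_FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr"}


def parse_spec(spec: str) -> tuple[frozenset[str], frozenset[str]]:
    """Split 'fin,psh,urg,!syn,!rst,!ack' into (must_set, must_clear)."""
    must_set: set[str] = set()
    must_clear: set[str] = set()
    for token in spec.split(","):
        token = token.strip().lower()
        if token.startswith("!"):
            must_clear.add(token[1:])
        else:
            must_set.add(token)
    unknown = (must_set | must_clear) - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    if must_set & must_clear:
        raise ValueError("a flag cannot be required both set and clear")
    return frozenset(must_set), frozenset(must_clear)


def flags_match(spec: str, flags: set[str]) -> bool:
    """True when the flag set satisfies the tcp-flags= specification."""
    must_set, must_clear = parse_spec(spec)
    return must_set <= flags and not (must_clear & flags)


# The tcp-flags rules of the quoted sanity-check chain, in chain order, named
# after the pattern each flag set actually describes (helper rule list, mine).
SANITY_CHECK = [
    ("fin,psh,urg,!syn,!rst,!ack", "Block TCP Xmas scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "Block TCP Null scan"),
    ("rst", "Drop TCP RST"),
    ("fin,syn", "Drop TCP SYN+FIN"),
]


def classify(flags) -> str:
    """Return the comment of the first sanity-check rule the flags hit,
    or 'pass' when none of the tcp-flags rules match."""
    flags = {f.lower() for f in flags}
    for spec, name in SANITY_CHECK:
        if flags_match(spec, flags):
            return name
    return "pass"


if __name__ == "__main__":
    # Constructed sample segments, one per pattern plus normal traffic.
    samples = {
        "xmas": {"fin", "psh", "urg"},
        "null": set(),
        "syn+fin": {"syn", "fin"},
        "reset": {"rst", "ack"},
        "normal syn": {"syn"},
        "normal data": {"psh", "ack"},
    }
    for label, flags in samples.items():
        print(f"{label:12s} {sorted(flags)!s:28s} -> {classify(flags)}")
```

Two things the run makes visible: a Xmas probe that also carries ACK falls through every rule, because the first rule demands ACK clear, and the bare "rst" rule matches every reset regardless of other flags, which is why it is placed after the scan rules and why dropping it affects ordinary connection teardown.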

  2. Look here, friend, the rule applies to the network; the IPs you are seeing
    add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
    add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no

    are for network bogons.

    Now, to apply the rules to other network IPs, what is there covers the whole range

    192.168.0.0/32 and 192.168.1.0/32

    Take a closer look: that rule is for the entire class of IPs.
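The point of the reply above is that src-address and dst-address rules match a whole prefix, not one host. As an added example (not code from the post), the Python below evaluates the quoted bogon drops and the "block access between users" rule over constructed packets with first-match semantics, reports how many addresses a given prefix length covers, and adds one extra rule that isolates clients purely by interface, with no IP at all, which is what the first question about a DHCP-managed wireless segment was after. The interface names wlan1 and ether1, the extra interface rule, and the sample packets are assumptions; the address rules themselves are the ones quoted in the thread.

```python
"""Evaluate forward-chain address rules from the thread over sample packets.

Added example for the forum thread; not part of any post. First-match
semantics as in a RouterOS chain. Interface names, the interface-based
isolation rule and the sample packets are assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

# (src, dst, in_iface, out_iface, action, comment); None means "any".
RULES = [
    # Bogon drops exactly as quoted in the thread.
    ("0.0.0.0/8", None, None, None, "drop", "bogon src 0.0.0.0/8"),
    (None, "0.0.0.0/8", None, None, "drop", "bogon dst 0.0.0.0/8"),
    ("127.0.0.0/8", None, None, None, "drop", "bogon src 127.0.0.0/8"),
    (None, "127.0.0.0/8", None, None, "drop", "bogon dst 127.0.0.0/8"),
    ("224.0.0.0/3", None, None, None, "drop", "bogon src 224.0.0.0/3"),
    (None, "224.0.0.0/3", None, None, "drop", "bogon dst 224.0.0.0/3"),
    # Client isolation by address, as in the post; needs a fixed LAN prefix.
    ("192.168.0.0/24", "192.168.0.0/24", None, None, "drop",
     "block access between users"),
    # Same isolation with no IP: a packet that enters and leaves on the same
    # wireless interface is client-to-client traffic (assumed iface name).
    (None, None, "wlan1", "wlan1", "drop",
     "block access between users (by interface)"),
    (None, None, None, None, "accept", "forward everything else"),
]


def first_match(src, dst, in_iface, out_iface):
    """Return (action, comment) of the first matching rule, like RouterOS."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r_src, r_dst, r_in, r_out, action, comment in RULES:
        if r_src and src_ip not in ip_network(r_src):
            continue
        if r_dst and dst_ip not in ip_network(r_dst):
            continue
        if r_in and r_in != in_iface:
            continue
        if r_out and r_out != out_iface:
            continue
        return action, comment
    # RouterOS accepts when no rule in the chain matches.
    return "accept", "implicit accept"


def prefix_size(prefix):
    """Number of addresses a prefix covers: /24 -> 256, /32 -> 1, /3 -> 2**29."""
    return ip_network(prefix).num_addresses


if __name__ == "__main__":
    for p in ("192.168.0.0/24", "192.168.0.0/32", "224.0.0.0/3"):
        print(f"{p:16s} covers {prefix_size(p)} address(es)")
    # Constructed packets: (src, dst, in_iface, out_iface).
    packets = [
        ("192.168.0.10", "192.168.0.20", "wlan1", "wlan1"),   # same LAN, by address
        ("10.1.2.3", "10.1.2.4", "wlan1", "wlan1"),           # DHCP pool, by interface only
        ("192.168.0.10", "8.8.8.8", "wlan1", "ether1"),       # normal internet-bound flow
        ("192.168.0.10", "239.255.255.250", "wlan1", "ether1"),  # multicast dst
        ("127.0.0.1", "192.168.0.1", "ether1", "wlan1"),      # spoofed loopback src
    ]
    for pkt in packets:
        action, why = first_match(*pkt)
        print(f"{pkt[0]:>16s} -> {pkt[1]:<16s} {pkt[2]}->{pkt[3]}: {action} ({why})")
```

The interface rule catches the 10.x.x.x pair that the address rule never sees, so on a segment whose clients get addresses from DHCP it is the rule to keep; the address rule only works while the pool stays inside the prefix written into it.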



  3. I liked the topic!!
    Congratulations

  4. Quote Originally Posted by balisteri View Post
    Look here, friend, the rule applies to the network; the IPs you are seeing
    add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
    add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no

    are for network bogons.

    Now, to apply the rules to other network IPs, what is there covers the whole range

    192.168.0.0/32 and 192.168.1.0/32

    Take a closer look: that rule is for the entire class of IPs.
    Hi balisteri,

    Man, could you post the rest of the p2p control rules? Do you have MSN?

    Thanks,