.168.0/24
ipfwadm -F -a accept -P all -S 192.168.0/24 -i eth1 -D 10.0/24
ipfwadm -F -p deny
#
# And of course we have to allow those packets in
#
ipfwadm -I -a accept -P tcp -S 10.0/24 -i eth0 -D 192.168.0/24
ipfwadm -I -a accept -P tcp -S 192.168.0/24 -i eth1 -D 10.0/24
#
# Let them access the mail server port on the server but nothing else
#
ipfwadm -I -a accept -P tcp -S 10.0/24 -i eth0 -D 10.1 25
ipfwadm -I -a accept -P tcp -S 192.168.0/24 -i eth0 -D 192.168.1 25
ipfwadm -I -p deny

There is no longer any reason to choose ipfwadm over ipchains; FreeS/WAN now supports the 2.2.x series of kernels.

IPCHAINS

There are several new things in ipchains: you can create chains of rules (hence the name) and link them together, making administration of firewalls far easier. Ipchains supports more targets than ipfwadm; you can point a rule at ACCEPT, DENY, REJECT, MASQ, REDIRECT or RETURN, or at a user-defined chain. As such it is very powerful: for example I could redirect all packets bound for port 80 (i.e. any www traffic) going through my gateway machine to local port 3128, the squid proxy server. You can also use this in conjunction with quality of service routing; the example given in ipfwadm's documentation is that of prioritizing traffic going over a PPP link, where you can give telnet traffic a much higher priority than, say, ftp, reducing latency problems caused by a saturated link. Typically I create an /etc/rc.d/init.d/ipchains-sh (or wherever appropriate) and call it immediately after the networking is brought up; this leaves a small window in which the server is vulnerable, but minimally so, since no network daemons are running yet. The following script is appropriate for a gateway with 2 interfaces running. The reason I have used the DENY target instead of REJECT is so that the packet is dropped and not responded to in any way; this slows down network scans (as they wait for the packet to time out instead of receiving a response) and gives away less information. I would also advise against logging data unless you have a significant amount of drive space available: for each packet I send (several bytes), many bytes of drive space are used up to create a log entry, making it easy to overwhelm syslog and/or your drive space on a fast connection. The ipchains homepage is at: http://www.rustcorp.com/linux/ipchains/.

#!/bin/bash
#
# This script sets up firewall rules appropriate for a server with 2 interfaces
# running as a gateway
# This script needs to be edited if you plan to use it.
# We assume the internal machines can all talk to the gateway, so no rules block
# internal traffic
#
# A couple of variables
#
# ETH0IP is the IP address on ETH0 (the external interface)
# ETH0NET is the network
# ETH0NETMASK is the network mask
# TRUSTEDHOST1 is a trusted host (for webmin/ssh)
# TRUSTEDHOST2 is a trusted host (for webmin/ssh)
# ETH1IP is the IP address on ETH1 (internal interface)
# ETH1NET is the network
# ETH1NETMASK is the network mask
#
ETH0IP=1.1.1.1
ETH0NET=1.1.1.0
ETH0NETMASK=24
TRUSTEDHOST1=1.5.1.1
TRUSTEDHOST2=1.5.1.2
ETH1IP=10.1
ETH1NET=10.0
ETH1NETMASK=24
#
PATH=/sbin
# FLUSH ALL RULES
ipchains -F input
ipchains -F output
ipchains -F forward
# ANTI-SPOOFING: private, loopback and our own address must never arrive on the external interface
ipchains -A input -p all -j DENY -s 10.0/8 -i eth0 -d 0.0/0
ipchains -A input -p all -j DENY -s 127.0/8 -i eth0 -d 0.0/0
ipchains -A input -p all -j DENY -s 192.168.0/16 -i eth0 -d 0.0/0
# 172.16.0.0/12 is the full RFC 1918 block (a /16 would cover only 172.16.x.x)
ipchains -A input -p all -j DENY -s 172.16.0/12 -i eth0 -d 0.0/0
ipchains -A input -p all -j DENY -s $ETH0IP -i eth0 -d 0.0/0
# ICMP FIRST
ipchains -A input -p icmp -j ACCEPT -s $ETH0NET/$ETH0NETMASK -i eth0 -d 0.0/0
ipchains -A input -p icmp -j DENY -s 0.0/0 -i eth0 -d 0.0/0
# SSH (must come before the 1:1023 DENY below, since ipchains stops at the first match)
ipchains -A input -p tcp -j ACCEPT -s $TRUSTEDHOST1 -i eth0 -d 0.0/0 22
ipchains -A input -p tcp -j ACCEPT -s $TRUSTEDHOST2 -i eth0 -d 0.0/0 22
# BLOCKING 1:1023
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 1:1023
ipchains -A input -p udp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 1:1023
# BLOCKING OTHER THINGS
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 1109
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 1524
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 1600
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 2003
ipchains -A input -p udp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 2049
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 2105
ipchains -A input -p udp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 3001
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 3001
ipchains -A input -p udp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 3128:3130
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 3128:3130
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 3306
ipchains -A input -p udp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 3306
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 4444
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 6000:6100
ipchains -A input -p udp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 6000:6100
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 6667
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 7000
# WEBMIN
ipchains -A input -p tcp -j ACCEPT -s $TRUSTEDHOST1 -i eth0 -d 0.0/0 10000
ipchains -A input -p tcp -j ACCEPT -s $TRUSTEDHOST2 -i eth0 -d 0.0/0 10000
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 10000
# FORWARD RULES
ipchains -P forward DENY
ipchains -A forward -p all -j MASQ -s $ETH1NET/$ETH1NETMASK -d 0.0/0

Rule Creation

ipfwadm2ipchains

A simple script that converts ipfwadm rules to ipchains rules, making migration a snap. The script is available at: http://users.dhp.com/~whisper/ipfwadm2ipchains/

mason

Mason is an automated firewall rule generator for ipfwadm and ipchains. You load it up and it monitors the packets flowing through the machine, then based on that creates a set of rules to allow that type of access. A good tool for first time firewall admins, available from: http://users.dhp.com/~whisper/mason/.

firewall.sh

A dialog based script that walks you through creation of firewall rules, nicely done and good for new users or admins with RSI, available from: http://devplanet.fastethernet.net/.

Mklinuxfw

Mklinuxfw is a perl tool that aims to provide a variety of interfaces (CGI, KDE, command line, etc.) to creation of firewall rules. It currently supports a CGI interface and GTK is in progress. You can download it from: http://www.madhouse.org.uk/~red/framepage.phtml?/mklinuxfw/index.html.

Scanning / intrusion testing tools

Over the last few years the number of security tools for Windows and UNIX has risen dramatically; even more surprising is the fact that most of them are freely available on the Internet. I will only cover the free tools, since most of the commercial tools are ridiculously expensive, are not open source, and in many cases have been shown to contain major security flaws (like storing passwords in clear text after installation).
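As an added example (not from the guide or the ipchains project), a small Python simulator of ipchains first-match evaluation, run over a constructed subset of the gateway script's input rules with the script's variables substituted. It shows why the SSH ACCEPT must precede the 1:1023 DENY, how the anti-spoofing rules catch 10/8 sources arriving on eth0, and that eth1 traffic falls through to the chain policy; the packet dicts and helper names are my own.

```python
import ipaddress

def _net(spec):
    # Expand ipchains shorthand ("10.0/8", "0.0/0", bare host) to a network.
    addr, _, plen = spec.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)

def parse_rule(line):
    # Turn "ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 1:1023"
    # into a match dict; the optional port/range after the -d address is kept.
    toks = line.split()
    opt = {toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i].startswith("-")}
    port = "0:65535" if toks[-2].startswith("-") else toks[-1]
    lo, _, hi = port.partition(":")
    return {"proto": opt.get("-p", "all"), "iface": opt.get("-i"), "target": opt["-j"],
            "src": _net(opt.get("-s", "0.0/0")), "dst": _net(opt.get("-d", "0.0/0")),
            "dport": (int(lo), int(hi or lo))}

def evaluate(rules, pkt, policy="ACCEPT"):
    # ipchains semantics: the first matching rule decides, else the chain policy.
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for r in rules:
        lo, hi = r["dport"]
        if (r["proto"] in ("all", pkt["proto"]) and r["iface"] in (None, pkt["iface"])
                and src in r["src"] and dst in r["dst"] and lo <= pkt["dport"] <= hi):
            return r["target"]
    return policy

# Constructed sample: the guide's anti-spoof, ICMP, SSH and 1:1023 rules with the
# script's variables substituted (ETH0NET=1.1.1.0/24, TRUSTEDHOST1=1.5.1.1).
SAMPLE_RULES = [parse_rule(l) for l in """
ipchains -A input -p all -j DENY -s 10.0/8 -i eth0 -d 0.0/0
ipchains -A input -p icmp -j ACCEPT -s 1.1.1.0/24 -i eth0 -d 0.0/0
ipchains -A input -p icmp -j DENY -s 0.0/0 -i eth0 -d 0.0/0
ipchains -A input -p tcp -j ACCEPT -s 1.5.1.1 -i eth0 -d 0.0/0 22
ipchains -A input -p tcp -j DENY -s 0.0/0 -i eth0 -d 0.0/0 1:1023
""".strip().splitlines()]

def ssh_verdicts(rules=SAMPLE_RULES):
    # Verdict per packet with the rules as written, and with the SSH ACCEPT
    # moved below the 1:1023 DENY (a common ordering mistake).
    def pkt(src, iface):
        return dict(src=src, dst="1.1.1.1", proto="tcp", iface=iface, dport=22)
    pkts = {"trusted_eth0": pkt("1.5.1.1", "eth0"), "stranger_eth0": pkt("203.0.113.9", "eth0"),
            "spoofed_10_eth0": pkt("10.9.9.9", "eth0"), "internal_eth1": pkt("10.9.9.9", "eth1")}
    swapped = rules[:3] + [rules[4], rules[3]]
    return {n: (evaluate(rules, p), evaluate(swapped, p)) for n, p in pkts.items()}
```

Each value in the returned dict is (verdict as written, verdict with SSH and 1:1023 swapped); the trusted host's SSH goes from ACCEPT to DENY once the order is wrong.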