Firewall

[farmar]

Mohol by sa my niekto pozrieť na postupnosť a či to mám vôbec dobre???
Dik . Caf

0 ;;; allow established connections
chain=forward connection-state=established action=accept
1 ;;; allow related connections
chain=forward connection-state=related action=accept
2 ;;; drop invalid connections
chain=forward connection-state=invalid action=drop
3 chain=forward connection-state=invalid action=log log-prefix=""

4 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus

5 ;;; zakaz-virusy
chain=virus protocol=tcp dst-port=135-139 action=drop
6 chain=virus protocol=udp dst-port=135-139 action=drop
7 chain=virus protocol=tcp dst-port=445 action=drop
8 chain=virus protocol=udp dst-port=445 action=drop
9 chain=virus protocol=tcp dst-port=593 action=drop
10 chain=virus protocol=tcp dst-port=1024-1030 action=drop
11 chain=virus protocol=tcp dst-port=1080 action=drop
12 chain=virus protocol=tcp dst-port=1214 action=drop
13 chain=virus protocol=tcp dst-port=1363 action=drop
14 chain=virus protocol=tcp dst-port=1364 action=drop
15 chain=virus protocol=tcp dst-port=1368 action=drop
16 chain=virus protocol=tcp dst-port=1373 action=drop
17 chain=virus protocol=tcp dst-port=1433-1434 action=drop
18 chain=virus protocol=tcp dst-port=2745 action=drop
19 chain=virus protocol=tcp dst-port=2283 action=drop
20 chain=virus protocol=tcp dst-port=2535 action=drop
21 chain=virus protocol=tcp dst-port=2745 action=drop
22 chain=virus protocol=tcp dst-port=3127-3128 action=drop
23 chain=virus protocol=tcp dst-port=3410 action=drop
24 chain=virus protocol=tcp dst-port=4444 action=drop
25 chain=virus protocol=tcp dst-port=5554 action=drop
26 chain=virus protocol=tcp dst-port=8866 action=drop
27 chain=virus protocol=tcp dst-port=9898 action=drop
28 chain=virus protocol=tcp dst-port=10000 action=drop
29 chain=virus protocol=tcp dst-port=10080 action=drop
30 chain=virus protocol=tcp dst-port=12345 action=drop
31 chain=virus protocol=tcp dst-port=17300 action=drop
32 chain=virus protocol=tcp dst-port=27374 action=drop
33 chain=virus protocol=tcp dst-port=65506 action=drop
34 chain=virus protocol=tcp dst-port=28000-29000 action=drop

35 ;;; jump to the ostatne chain
chain=forward action=jump jump-target=ostatne

36 ;;; Sledovanie odosielanych emailov
chain=forward protocol=tcp dst-port=25 tcp-flags=syn action=log log-prefix="Send mail"
37 ;;; /SPAMER TRAP/ Povoli mimo smtp_spam 5 spojenia a 20 syn SMTP spojeni za 1min
chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn connection-limit=!15,32 limit=0/1m,20 src-address-list=!smtp_spam action=accept
38 chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn limit=1/15m,0 src-address-list=!smtp_spam action=log log-prefix="smtp spam"
39 ;;; /SPAMER TRAP/ Oznaci do spam listu IP spamera na 6hodin mimo smtp_spam a verejnych ip adries!
chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn src-address-list=!smtp_spam action=add-src-to-address-list address-list=smtp_spam
address-list-timeout=6h
40 ;;; /SPAMER TRAP/ Zahodi nove spojenia smtp_spam
chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn src-address-list=smtp_spam action=drop

41 ;;; Sanity Check
chain=forward action=jump jump-target=sanity-check
42 ;;; Deny illegal NAT traversal
chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop
43 ;;; Block port scans
chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=5m
44 chain=sanity-check protocol=tcp psd=20,3s,3,1 action=log log-prefix=""
45 ;;; Block TCP Null scan
chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=5m
46 chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=log log-prefix=""
47 ;;; Block TCP Xmas scan
chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=5m
48 chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=log log-prefix=""
49 ;;; Drop TCP RST
chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop
50 chain=sanity-check protocol=tcp tcp-flags=rst action=log log-prefix=""
51 ;;; Dropping invalid connections at once
chain=sanity-check connection-state=invalid action=jump jump-target=drop
52 ;;; Drop All blocked-addr
chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
53 ;;; Drop TCP SYN+FIN
chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop
54 ;;; Accepting already established connections
chain=sanity-check connection-state=established action=accept
55 ;;; Also accepting related connections
chain=sanity-check connection-state=related action=accept
56 ;;; Drop all traffic that goes to multicast or broadcast addresses
chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop
57 ;;; Drop all traffic that goes from multicast or broadcast addresses
chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop

[farmar]

No jasne na blbé otázky ako riešiť výpadky elektriny odpoviete HNEĎ , ale vyjadriť sa k firewallu nič.

Asi budem čakať neviem koľko

Len si chcem upresniť či postupnosť je správna takto ako je hore v príspevku
čiže
1. skok na virus
2. skok na spam
3. skok sanity čiže port scaner atď..
4. povolene ,alebo zakazane IP v sieti

DIK Caf

[andreas4all]

ak si to okopiroval z wiki MT.. tak to som mal nasadene a bolo to na chuja... blokovat porty nie je bohvieco... staci ti zabezpecit si WAN port.

[michal.siman]

No jasne na blbé otázky ako riešiť výpadky elektriny odpoviete HNEĎ , ale vyjadriť sa k firewallu nič.

<no flame>Sory, ale proc si myslis o otazce na reseni vypadku elektriny ze je to blbost? to samy si ja myslim o tvem fw, ale nemam potrebu to ventilovat, kazdy at si mysli co chce a odpovida na co chce.</no flame>

[net.work]

No jasne na blbé otázky ako riešiť výpadky elektriny odpoviete HNEĎ , ale vyjadriť sa k firewallu nič.

Asi budem čakať neviem koľko

je az neskutecne, co ti lidi si tady mysli a jak si žádají odpovědi na své dotazy........... Hochu, měl by sis uvědomit, že možná kdybys do svého topicu napsal něco jako - "budu rád za každou radu a odpověď" nebo něco podobného, možná by se ti dostalo odpovědi rychleji...............

[farmar]

No super funguje to sice som odpovede trochu vyprovokoval TAK SORRY.



No a k tým výpadkom EL..veď je to blbá otázka .
Jedine prepeťovka , alebo záložný zdroj áno ja viem že je to drahé a každý hľadá niečo lacnejšie.



Tak ešte raz sa ospravedlňujem .
Caf

[farmar]

ak si to okopiroval z wiki MT.. tak to som mal nasadene a bolo to na chuja... blokovat porty nie je bohvieco... staci ti zabezpecit si WAN port.

No práve mal som to predtým v poradí 1 sanity 2 spam 3 vírus a bolo to tak ako hovoríš na CHU.... , ale teraz to mam nasadené asi týždeň v poradí
1 virus 2 spam 3 sanity a asi to funguje.

Nikto my nevyvoláva.

Ďakujem za odpoveď.

Caf

[michal.siman]

Jedine prepeťovka , alebo záložný zdroj áno ja viem že je to drahé a každý hľadá niečo lacnejšie.

No jeste se lehce vratim k tomuto tematu: jenze ja nehledam UPSku, nechci aby to bylo zalohovany, chci jen aby kdyz vypnout proud tak to zase naskocilo, a prave to chci resit, nejde mi o zalohu napajeni.