Firewall
Napsal: 15 Aug 2008 23:09
Mohol by sa my niekto pozrieť na postupnosť a či to mám vôbec dobre???
Dik . Caf
0 ;;; allow established connections
chain=forward connection-state=established action=accept
1 ;;; allow related connections
chain=forward connection-state=related action=accept
2 ;;; drop invalid connections
chain=forward connection-state=invalid action=drop
3 chain=forward connection-state=invalid action=log log-prefix=""
4 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus
5 ;;; zakaz-virusy
chain=virus protocol=tcp dst-port=135-139 action=drop
6 chain=virus protocol=udp dst-port=135-139 action=drop
7 chain=virus protocol=tcp dst-port=445 action=drop
8 chain=virus protocol=udp dst-port=445 action=drop
9 chain=virus protocol=tcp dst-port=593 action=drop
10 chain=virus protocol=tcp dst-port=1024-1030 action=drop
11 chain=virus protocol=tcp dst-port=1080 action=drop
12 chain=virus protocol=tcp dst-port=1214 action=drop
13 chain=virus protocol=tcp dst-port=1363 action=drop
14 chain=virus protocol=tcp dst-port=1364 action=drop
15 chain=virus protocol=tcp dst-port=1368 action=drop
16 chain=virus protocol=tcp dst-port=1373 action=drop
17 chain=virus protocol=tcp dst-port=1433-1434 action=drop
18 chain=virus protocol=tcp dst-port=2745 action=drop
19 chain=virus protocol=tcp dst-port=2283 action=drop
20 chain=virus protocol=tcp dst-port=2535 action=drop
21 chain=virus protocol=tcp dst-port=2745 action=drop
22 chain=virus protocol=tcp dst-port=3127-3128 action=drop
23 chain=virus protocol=tcp dst-port=3410 action=drop
24 chain=virus protocol=tcp dst-port=4444 action=drop
25 chain=virus protocol=tcp dst-port=5554 action=drop
26 chain=virus protocol=tcp dst-port=8866 action=drop
27 chain=virus protocol=tcp dst-port=9898 action=drop
28 chain=virus protocol=tcp dst-port=10000 action=drop
29 chain=virus protocol=tcp dst-port=10080 action=drop
30 chain=virus protocol=tcp dst-port=12345 action=drop
31 chain=virus protocol=tcp dst-port=17300 action=drop
32 chain=virus protocol=tcp dst-port=27374 action=drop
33 chain=virus protocol=tcp dst-port=65506 action=drop
34 chain=virus protocol=tcp dst-port=28000-29000 action=drop
35 ;;; jump to the ostatne chain
chain=forward action=jump jump-target=ostatne
36 ;;; Sledovanie odosielanych emailov
chain=forward protocol=tcp dst-port=25 tcp-flags=syn action=log log-prefix="Send mail"
37 ;;; /SPAMER TRAP/ Povoli mimo smtp_spam 5 spojenia a 20 syn SMTP spojeni za 1min
chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn connection-limit=!15,32 limit=0/1m,20 src-address-list=!smtp_spam action=accept
38 chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn limit=1/15m,0 src-address-list=!smtp_spam action=log log-prefix="smtp spam"
39 ;;; /SPAMER TRAP/ Oznaci do spam listu IP spamera na 6hodin mimo smtp_spam a verejnych ip adries!
chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn src-address-list=!smtp_spam action=add-src-to-address-list address-list=smtp_spam
address-list-timeout=6h
40 ;;; /SPAMER TRAP/ Zahodi nove spojenia smtp_spam
chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn src-address-list=smtp_spam action=drop
41 ;;; Sanity Check
chain=forward action=jump jump-target=sanity-check
42 ;;; Deny illegal NAT traversal
chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop
43 ;;; Block port scans
chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=5m
44 chain=sanity-check protocol=tcp psd=20,3s,3,1 action=log log-prefix=""
45 ;;; Block TCP Null scan
chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=5m
46 chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=log log-prefix=""
47 ;;; Block TCP Xmas scan
chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=5m
48 chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=log log-prefix=""
49 ;;; Drop TCP RST
chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop
50 chain=sanity-check protocol=tcp tcp-flags=rst action=log log-prefix=""
51 ;;; Dropping invalid connections at once
chain=sanity-check connection-state=invalid action=jump jump-target=drop
52 ;;; Drop All blocked-addr
chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
53 ;;; Drop TCP SYN+FIN
chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop
54 ;;; Accepting already established connections
chain=sanity-check connection-state=established action=accept
55 ;;; Also accepting related connections
chain=sanity-check connection-state=related action=accept
56 ;;; Drop all traffic that goes to multicast or broadcast addresses
chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop
57 ;;; Drop all traffic that goes from multicast or broadcast addresses
chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop
Dik . Caf
0 ;;; allow established connections
chain=forward connection-state=established action=accept
1 ;;; allow related connections
chain=forward connection-state=related action=accept
2 ;;; drop invalid connections
chain=forward connection-state=invalid action=drop
3 chain=forward connection-state=invalid action=log log-prefix=""
4 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus
5 ;;; zakaz-virusy
chain=virus protocol=tcp dst-port=135-139 action=drop
6 chain=virus protocol=udp dst-port=135-139 action=drop
7 chain=virus protocol=tcp dst-port=445 action=drop
8 chain=virus protocol=udp dst-port=445 action=drop
9 chain=virus protocol=tcp dst-port=593 action=drop
10 chain=virus protocol=tcp dst-port=1024-1030 action=drop
11 chain=virus protocol=tcp dst-port=1080 action=drop
12 chain=virus protocol=tcp dst-port=1214 action=drop
13 chain=virus protocol=tcp dst-port=1363 action=drop
14 chain=virus protocol=tcp dst-port=1364 action=drop
15 chain=virus protocol=tcp dst-port=1368 action=drop
16 chain=virus protocol=tcp dst-port=1373 action=drop
17 chain=virus protocol=tcp dst-port=1433-1434 action=drop
18 chain=virus protocol=tcp dst-port=2745 action=drop
19 chain=virus protocol=tcp dst-port=2283 action=drop
20 chain=virus protocol=tcp dst-port=2535 action=drop
21 chain=virus protocol=tcp dst-port=2745 action=drop
22 chain=virus protocol=tcp dst-port=3127-3128 action=drop
23 chain=virus protocol=tcp dst-port=3410 action=drop
24 chain=virus protocol=tcp dst-port=4444 action=drop
25 chain=virus protocol=tcp dst-port=5554 action=drop
26 chain=virus protocol=tcp dst-port=8866 action=drop
27 chain=virus protocol=tcp dst-port=9898 action=drop
28 chain=virus protocol=tcp dst-port=10000 action=drop
29 chain=virus protocol=tcp dst-port=10080 action=drop
30 chain=virus protocol=tcp dst-port=12345 action=drop
31 chain=virus protocol=tcp dst-port=17300 action=drop
32 chain=virus protocol=tcp dst-port=27374 action=drop
33 chain=virus protocol=tcp dst-port=65506 action=drop
34 chain=virus protocol=tcp dst-port=28000-29000 action=drop
35 ;;; jump to the ostatne chain
chain=forward action=jump jump-target=ostatne
36 ;;; Sledovanie odosielanych emailov
chain=forward protocol=tcp dst-port=25 tcp-flags=syn action=log log-prefix="Send mail"
37 ;;; /SPAMER TRAP/ Povoli mimo smtp_spam 5 spojenia a 20 syn SMTP spojeni za 1min
chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn connection-limit=!15,32 limit=0/1m,20 src-address-list=!smtp_spam action=accept
38 chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn limit=1/15m,0 src-address-list=!smtp_spam action=log log-prefix="smtp spam"
39 ;;; /SPAMER TRAP/ Oznaci do spam listu IP spamera na 6hodin mimo smtp_spam a verejnych ip adries!
chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn src-address-list=!smtp_spam action=add-src-to-address-list address-list=smtp_spam
address-list-timeout=6h
40 ;;; /SPAMER TRAP/ Zahodi nove spojenia smtp_spam
chain=ostatne protocol=tcp dst-port=25 tcp-flags=syn src-address-list=smtp_spam action=drop
41 ;;; Sanity Check
chain=forward action=jump jump-target=sanity-check
42 ;;; Deny illegal NAT traversal
chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop
43 ;;; Block port scans
chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=5m
44 chain=sanity-check protocol=tcp psd=20,3s,3,1 action=log log-prefix=""
45 ;;; Block TCP Null scan
chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=5m
46 chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=log log-prefix=""
47 ;;; Block TCP Xmas scan
chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=5m
48 chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=log log-prefix=""
49 ;;; Drop TCP RST
chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop
50 chain=sanity-check protocol=tcp tcp-flags=rst action=log log-prefix=""
51 ;;; Dropping invalid connections at once
chain=sanity-check connection-state=invalid action=jump jump-target=drop
52 ;;; Drop All blocked-addr
chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
53 ;;; Drop TCP SYN+FIN
chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop
54 ;;; Accepting already established connections
chain=sanity-check connection-state=established action=accept
55 ;;; Also accepting related connections
chain=sanity-check connection-state=related action=accept
56 ;;; Drop all traffic that goes to multicast or broadcast addresses
chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop
57 ;;; Drop all traffic that goes from multicast or broadcast addresses
chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop
