blog.keesmeijs.nl » ferm http://blog.keesmeijs.nl Waarom ook niet eigenlijk? Sat, 14 Jan 2012 16:58:56 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Nieuwe configuratie voor ferm(1) http://blog.keesmeijs.nl/archives/1099 http://blog.keesmeijs.nl/archives/1099#comments Wed, 09 Feb 2011 09:20:56 +0000 kees http://blog.keesmeijs.nl/?p=1099 Ter referentie heb ik eerder wat geschreven over ferm. Ziehier een nieuwe versie, nu volledig met IPv4. De configuratie is geschikt voor een werkstation en prima te gebruiken op een publiek netwerk. Voor IPv4:

table filter {
 chain INPUT {
 # Drop all packets per default.
 policy DROP;

 # Allow tracked connections.
 mod state state INVALID DROP;
 mod state state (ESTABLISHED RELATED) ACCEPT;

 # Allow local connections.
 interface lo ACCEPT;

 # Respond to ICMP packets (diagnostic).
 proto icmp icmp-type echo-request ACCEPT;

 # Drop UDP connections.
 proto udp DROP;

 # Reject everything else.
 proto tcp REJECT reject-with tcp-reset;
 REJECT;
 }

 chain OUTPUT {
 # Allow all packets per default.
 policy ACCEPT;
 }

 chain FORWARD {
 # Drop all packets per default.
 policy DROP;

 # Drop UDP connections.
 proto udp DROP;

 # Reject everything else.
 proto tcp REJECT reject-with tcp-reset;
 REJECT;
 }
}

En voor IPv6:

domain ip6 table filter {
 chain INPUT {
 # Drop all packets per default.
 policy DROP;

 # Respond to ICMP packets (NDP and RA).
 proto icmpv6 icmp-type (neighbour-solicitation neighbour-advertisement router-advertisement) ACCEPT;

 # Allow tracked connections.
 mod state state INVALID DROP;
 mod state state (ESTABLISHED RELATED) ACCEPT;

 # Allow local connections.
 interface lo ACCEPT;

 # Respond to ICMP packets (diagnostic).
 proto icmpv6 icmp-type echo-request ACCEPT;

 # Drop UDP connections.
 proto udp DROP;

 # Reject everything else.
 proto tcp REJECT reject-with tcp-reset;
 REJECT;
 }

 chain OUTPUT {
 # Allow all packets per default.
 policy ACCEPT;
 }

 chain FORWARD {
 # Drop all packets per default.
 policy DROP;

 # Drop UDP connections.
 proto udp DROP;

 # Reject everything else.
 proto tcp REJECT reject-with tcp-reset;
 REJECT;
 }
}
]]> http://blog.keesmeijs.nl/archives/1099/feed 0 Minimale configuratie voor IPv6 in ferm(1) http://blog.keesmeijs.nl/archives/882 http://blog.keesmeijs.nl/archives/882#comments Mon, 05 Jul 2010 14:30:42 +0000 kees http://blog.keesmeijs.nl/?p=882 Ter referentie:

domain ip6 table filter {
	chain INPUT {
		# Drop all packets per default.
		policy DROP;

		# Respond to ICMP packets (NDP).
		proto icmpv6 icmp-type (neighbour-solicitation neighbour-advertisement) ACCEPT;

		# Allow tracked connections.
		mod state state INVALID DROP;
		mod state state (ESTABLISHED RELATED) ACCEPT;

		# Allow local connections.
		interface lo ACCEPT;

		# Respond to ICMP packets (diagnostic).
		proto icmpv6 icmp-type echo-request ACCEPT;

		# SSH connections.
		proto tcp dport ssh ACCEPT;

		# Reject everything else.
		proto tcp REJECT reject-with tcp-reset;
		REJECT;
	}

	chain OUTPUT {
		# Allow all packets per default.
		policy ACCEPT;
	}

	chain FORWARD {
		# Drop all packets per default.
		policy DROP;

		# Reject everything else.
		proto tcp REJECT reject-with tcp-reset;
		REJECT;
	}
}
]]> http://blog.keesmeijs.nl/archives/882/feed 0