Ferm

Aus ConfigWiki
(Unterschied zwischen Versionen)
Wechseln zu: Navigation, Suche
(Die Seite wurde neu angelegt: ~# aptitude install ferm Beispielkonfiguration: /etc/ferm# cat ferm.conf # ferm rules generated by import-ferm # http://ferm.foo-projects.org/ hook pre "modprobe ...)
 
K
 
Zeile 14: Zeile 14:
 
                 mod state state (RELATED ESTABLISHED);
 
                 mod state state (RELATED ESTABLISHED);
 
         interface lo;
 
         interface lo;
        protocol (icmp esp ah);
+
        protocol (icmp esp ah);
        protocol udp dport 500;
+
        protocol udp dport 500;
protocol tcp {
+
protocol tcp {
    dport (http smtp);
+
    dport (http smtp);
    dport ssh mod hashlimit
+
    dport ssh mod hashlimit
    hashlimit 10/min
+
    hashlimit 10/min
    hashlimit-mode srcip
+
    hashlimit-mode srcip
    hashlimit-name ssh;
+
    hashlimit-name ssh;
}
+
}
 
             }
 
             }
 
             LOG log-prefix "reject-in ";
 
             LOG log-prefix "reject-in ";

Aktuelle Version vom 7. Januar 2011, 17:07 Uhr

~# aptitude install ferm

Beispielkonfiguration:

/etc/ferm# cat ferm.conf
# ferm rules generated by import-ferm
# http://ferm.foo-projects.org/
hook pre "modprobe nf_conntrack_ftp";
#hook pre "modprobe nf_nat_ftp";
domain ip {
   table filter {
       chain INPUT {
           policy DROP;
           ACCEPT {
               mod state state (RELATED ESTABLISHED);
       	interface lo;
	        protocol (icmp esp ah);
	        protocol udp dport 500;
		protocol tcp {
		    dport (http smtp);
		    dport ssh mod hashlimit
		    hashlimit 10/min
		    hashlimit-mode srcip
		    hashlimit-name ssh;
		}
           }
           LOG log-prefix "reject-in ";
           REJECT;
       }
       chain FORWARD { policy DROP; REJECT; }
       chain OUTPUT {
           policy DROP;
           ACCEPT {
               mod state state (RELATED ESTABLISHED);
       	outerface lo;
       	protocol udp dport domain daddr 192.168.4.100;
       	mod owner uid-owner (root rico);
           }
           LOG log-prefix reject-out;
           REJECT;
       }
   }
   table nat {
       chain POSTROUTING {
           policy ACCEPT;
           mod mark mark 0x25 MASQUERADE;
       }
       chain INPUT policy ACCEPT;
       chain OUTPUT policy ACCEPT;
       chain PREROUTING policy ACCEPT;
   }
   table mangle {
       chain OUTPUT {
           policy ACCEPT;
           protocol tcp dport 25 MARK set-xmark 0x25/0xffffffff;
       }
       chain FORWARD policy ACCEPT;
       chain INPUT policy ACCEPT;
       chain PREROUTING policy ACCEPT;
       chain POSTROUTING policy ACCEPT;
   }
}
Meine Werkzeuge