Ferm

Aus ConfigWiki
Version vom 7. Januar 2011, 17:07 Uhr von Netbreaker (Diskussion | Beiträge)

(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Wechseln zu: Navigation, Suche
~# aptitude install ferm

Beispielkonfiguration: 

/etc/ferm# cat ferm.conf
# ferm rules generated by import-ferm
# http://ferm.foo-projects.org/
hook pre "modprobe nf_conntrack_ftp";
#hook pre "modprobe nf_nat_ftp";
domain ip {
   table filter {
       chain INPUT {
           policy DROP;
           ACCEPT {
               mod state state (RELATED ESTABLISHED);
       	interface lo;
	        protocol (icmp esp ah);
	        protocol udp dport 500;
		protocol tcp {
		    dport (http smtp);
		    dport ssh mod hashlimit
		    hashlimit 10/min
		    hashlimit-mode srcip
		    hashlimit-name ssh;
		}
           }
           LOG log-prefix "reject-in ";
           REJECT;
       }
       chain FORWARD { policy DROP; REJECT; }
       chain OUTPUT {
           policy DROP;
           ACCEPT {
               mod state state (RELATED ESTABLISHED);
       	outerface lo;
       	protocol udp dport domain daddr 192.168.4.100;
       	mod owner uid-owner (root rico);
           }
           LOG log-prefix reject-out;
           REJECT;
       }
   }
   table nat {
       chain POSTROUTING {
           policy ACCEPT;
           mod mark mark 0x25 MASQUERADE;
       }
       chain INPUT policy ACCEPT;
       chain OUTPUT policy ACCEPT;
       chain PREROUTING policy ACCEPT;
   }
   table mangle {
       chain OUTPUT {
           policy ACCEPT;
           protocol tcp dport 25 MARK set-xmark 0x25/0xffffffff;
       }
       chain FORWARD policy ACCEPT;
       chain INPUT policy ACCEPT;
       chain PREROUTING policy ACCEPT;
       chain POSTROUTING policy ACCEPT;
   }
}
Von „http://mediawiki.netbreaker.de/mediawiki/index.php?title=Ferm&oldid=434
Meine Werkzeuge