Ferm
Aus ConfigWiki
(Unterschied zwischen Versionen)
(Die Seite wurde neu angelegt: ~# aptitude install ferm Beispielkonfiguration: /etc/ferm# cat ferm.conf # ferm rules generated by import-ferm # http://ferm.foo-projects.org/ hook pre "modprobe ...) |
K |
||
| Zeile 14: | Zeile 14: | ||
mod state state (RELATED ESTABLISHED); | mod state state (RELATED ESTABLISHED); | ||
interface lo; | interface lo; | ||
| − | + | protocol (icmp esp ah); | |
| − | + | protocol udp dport 500; | |
| − | + | protocol tcp { | |
| − | + | dport (http smtp); | |
| − | + | dport ssh mod hashlimit | |
| − | + | hashlimit 10/min | |
| − | + | hashlimit-mode srcip | |
| − | + | hashlimit-name ssh; | |
| − | + | } | |
} | } | ||
LOG log-prefix "reject-in "; | LOG log-prefix "reject-in "; | ||
Aktuelle Version vom 7. Januar 2011, 18:07 Uhr
~# aptitude install ferm
Beispielkonfiguration:
/etc/ferm# cat ferm.conf # ferm rules generated by import-ferm # http://ferm.foo-projects.org/ hook pre "modprobe nf_conntrack_ftp"; #hook pre "modprobe nf_nat_ftp"; domain ip { table filter { chain INPUT { policy DROP; ACCEPT { mod state state (RELATED ESTABLISHED); interface lo; protocol (icmp esp ah); protocol udp dport 500; protocol tcp { dport (http smtp); dport ssh mod hashlimit hashlimit 10/min hashlimit-mode srcip hashlimit-name ssh; } } LOG log-prefix "reject-in "; REJECT; } chain FORWARD { policy DROP; REJECT; } chain OUTPUT { policy DROP; ACCEPT { mod state state (RELATED ESTABLISHED); outerface lo; protocol udp dport domain daddr 192.168.4.100; mod owner uid-owner (root rico); } LOG log-prefix reject-out; REJECT; } } table nat { chain POSTROUTING { policy ACCEPT; mod mark mark 0x25 MASQUERADE; } chain INPUT policy ACCEPT; chain OUTPUT policy ACCEPT; chain PREROUTING policy ACCEPT; } table mangle { chain OUTPUT { policy ACCEPT; protocol tcp dport 25 MARK set-xmark 0x25/0xffffffff; } chain FORWARD policy ACCEPT; chain INPUT policy ACCEPT; chain PREROUTING policy ACCEPT; chain POSTROUTING policy ACCEPT; } }
