Re: Need_help_with_this_script
Hi
On Mon, May 28, 2001 at 01:02:54PM +0200, luismi@adp.adpsoft.com wrote:
> Does anyone check if this firewall script has any bugs?
> It is very important to me
> Thanks for your support
>
> LuisMi
>
>
[snip]
> # Variables
> # ---------
> interfaz0="eth0"
> interfaz_loopback="lo"
>
> ip_eth0=`ifconfig $interfaz0 | grep "inet addr:" | awk -F: {'print $2'} | cut -d\ -f 1`
It's best to put the firewall rules in place before the
interface is brought up. Otherwise there will be a short time
when your interface is up, but you have no firewall rules.
> CUALQUIERA="0.0.0.0/0"
> LOOPBACK="127.0.0.0/8"
> CLASE_A="10.0.0.0/8"
> CLASE_B="172.16.0.0/12"
> CLASE_C="192.168.0.0/16"
> MULTICAST="224.0.0.0/4"
> BROADCAST_SRC="0.0.0.0"
> BROADCAST_DEST="255.255.255.255"
>
> PRIVPORTS="0:1023"
> UNPRIVPORTS="1024:65535"
> UNPRIVPORTS=`cat /etc/sysctl.conf | awk '/local_port/{print $3 ":" $4}'`
> TRACER_SRC_PORTS="32769:65535"
> TRACER_DEST_PORTS="33434:33523"
> SOCKS_PORT="1080"
> OPENWINDOWS_PORT="2000"
> NFS_PORT="2049"
NFS is not guaranteed to be on this port.
> XWINDOW_PORTS="6000"
If you ever run more than one X server on a machine it will use
more than just port 6000. (e.g. DISPLAY=:1.0 will use port 6001
etc.)
> SSH_PORTS="1020:1023"
>
> # DNS server
> # !!!!!!!!!!!The DNS servers still need to be defined!!!!!!!!!
> # !!!!!!!!!!!The DNS servers still need to be defined!!!!!!!!!
> # !!!!!!!!!!!The DNS servers still need to be defined!!!!!!!!!
>
> # Time server
> HORA=hora.uniovi.es
>
> # Various TCP/IP protections
> # --------------------------
>
> # Enable TCP SYN cookie protection
> # echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> # *** enabled in /etc/sysctl.conf ***
>
> # Enabling protection against IP spoofing via Source Address Verification
> # for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> # echo 1 > $f
> # done
> # *** enabled in /etc/sysctl.conf ***
>
> # Disable acceptance of ICMP redirects
> # for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> # echo 0 > $f
> # done
> # *** enabled in /etc/sysctl.conf ***
>
> # Disable source-routed packets
> # for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> # echo 0 > $f
> # done
> # *** enabled in /etc/sysctl.conf ***
>
>
> # Firewall startup
> # ----------------
>
> start() {
> # Loading the firewall
> echo -n "Cargando cortafuegos... "
> echo
> # Testing the interfaces and IP addresses
> # ---------------------------------------
> echo "interfaz0: ${interfaz0} con direccion ${ip_eth0}"
> echo
>
>
>
> # Flushing all firewall chains
> # ----------------------------
> /sbin/ipchains -F
>
>
> # Setting default policies on the INPUT, OUTPUT, FORWARD chains
> /sbin/ipchains -P input REJECT
> /sbin/ipchains -P output REJECT
> /sbin/ipchains -P forward REJECT
Set the policy before clearing the rules. Otherwise you have
the default policy and no firewall rules for a short while
before your policies are applied.
i.e. first do ipchains -P input REJECT etc., and THEN do
ipchains -F; ipchains -X
Argh! This is one *long* firewall script :) I'll leave the
rest for someone else to comment on. You might consider making
it simpler, though.
--
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
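An added example, not part of the thread: a small lint for the ordering problem Michael points out, flushing the chains with `ipchains -F` (or `-X`) before the default policies have been set with `ipchains -P`. It assumes one ipchains invocation per line with the literal flag; the two sample scripts are constructed to show the order in LuisMi's script and the order Michael recommends.

```shell
# Exit status: 0 = policies are set before the first flush (safe),
# 1 = chains are flushed while they still have no policy, 2 = no ipchains lines found.
check_policy_order() {
    awk '
        /^[[:space:]]*#/ { next }                                  # skip comment lines
        /ipchains[[:space:]]+-[FX]/ && !first_flush { first_flush = NR }
        /ipchains[[:space:]]+-P[[:space:]]/ { last_policy = NR }
        END {
            if (!first_flush && !last_policy) exit 2
            if (first_flush && last_policy && last_policy > first_flush) {
                printf "%s: chains flushed at line %d, default policy set later at line %d\n",
                       FILENAME, first_flush, last_policy
                exit 1
            }
            exit 0
        }' "$1"
}

# Constructed samples (not real scripts): flush-then-policy vs policy-then-flush.
FW_TMP=$(mktemp -d)
cat > "$FW_TMP/flush_first.sh" <<'EOF'
#!/bin/sh
/sbin/ipchains -F
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT
EOF
cat > "$FW_TMP/policy_first.sh" <<'EOF'
#!/bin/sh
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT
/sbin/ipchains -F
/sbin/ipchains -X
EOF

check_policy_order "$FW_TMP/flush_first.sh"    # reports the problem, exit 1
check_policy_order "$FW_TMP/policy_first.sh"   # silent, exit 0
```

The same check works on an iptables script if you replace `ipchains` in the two awk patterns, since the policy-before-flush rule is identical there.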