
Re: Need_help_with_this_script



Hi

On Mon, May 28, 2001 at 01:02:54PM +0200, luismi@adp.adpsoft.com wrote:
> Does anyone check if this firewall script has any bugs?
> It is very important to me
> Thanks for your support
> 
> LuisMi
> 
> 
[snip]
> # Variables
> # ---------
> interfaz0="eth0"
> interfaz_loopback="lo"
> 
> ip_eth0=`ifconfig $interfaz0 | grep "inet addr:" | awk -F: {'print $2'} | cut -d\  -f 1`

It's best to put the firewall rules in place before the
interface is brought up.  Otherwise there will be a short time
when your interface is up, but you have no firewall rules.

> CUALQUIERA="0.0.0.0/0"
> LOOPBACK="127.0.0.0/8"
> CLASE_A="10.0.0.0/8"
> CLASE_B="172.16.0.0/12"
> CLASE_C="192.168.0.0/16"
> MULTICAST="224.0.0.0/4"
> BROADCAST_SRC="0.0.0.0"
> BROADCAST_DEST="255.255.255.255"
> 
> PRIVPORTS="0:1023"
> UNPRIVPORTS="1024:65535"
> UNPRIVPORTS=`cat /etc/sysctl.conf | awk '/local_port/{print $3 ":" $4}'`
> TRACER_SRC_PORTS="32769:65535"
> TRACER_DEST_PORTS="33434:33523"
> SOCKS_PORT="1080"
> OPENWINDOWS_PORT="2000"
> NFS_PORT="2049"

NFS is not guaranteed to be on this port.

> XWINDOW_PORTS="6000"

If you ever run more than one X server on a machine it will use
more than just port 6000.  (e.g. DISPLAY=:1.0 will use port 6001
etc.)

> SSH_PORTS="1020:1023"
> 
> # DNS server
> # !!!!!!!!!!!The DNS servers still need to be defined!!!!!!!!!
> # !!!!!!!!!!!The DNS servers still need to be defined!!!!!!!!!
> # !!!!!!!!!!!The DNS servers still need to be defined!!!!!!!!!
> 
> # Time server
> HORA=hora.uniovi.es
> 
> # Miscellaneous TCP/IP protections
> # --------------------------------
> 
> # Enable TCP SYN cookie protection
> # echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> # *** enabled in /etc/sysctl.conf ***
> 
> # Enabling protection against IP spoofing via source address verification
> # for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> #	echo 1 > $f
> # done
> # *** enabled in /etc/sysctl.conf ***
> 
> # Disable acceptance of ICMP redirects
> # for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> #	echo 0 > $f
> # done
> # *** enabled in /etc/sysctl.conf ***
> 
> # Disable source-routed packets
> # for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> # 	echo 0 > $f
> # done
> # *** enabled in /etc/sysctl.conf ***
> 
> 
> # Firewall startup
> # ----------------
> 
> start() {
> 	# Loading the firewall
> 	echo -n "Cargando cortafuegos... "
> 	echo 
> 	# Testing the interfaces and IP addresses
> 	# ---------------------------------------
> 	echo "interfaz0: ${interfaz0} con direccion ${ip_eth0}"
> 	echo
> 
> 
> 
> # Flushing all firewall chains
> # ----------------------------
> /sbin/ipchains -F
> 
> 
> # Setting default policies for the INPUT, OUTPUT, FORWARD chains
> /sbin/ipchains -P input REJECT
> /sbin/ipchains -P output REJECT
> /sbin/ipchains -P forward REJECT

Set the policy before clearing the rules.  Otherwise you have
the default policy and no firewall rules for a short while
before your policies are applied.

i.e. first do ipchains -P input REJECT etc., and THEN do
ipchains -F; ipchains -X

Argh!  This is one *long* firewall script :)  I'll leave the
rest for someone else to comment on.  You might consider making
it simpler, though.

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
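An added example, not part of the thread and not LuisMi's script, showing the start-up order the reply asks for: default policies first, flush/delete chains next, then the rules, and only then bring the interface up. The IPCHAINS and IFUP variables are this example's own convention (they default to echo so the script can be dry-run on a host without ipchains); the chain, interface and loopback names come from the quoted script.

```shell
#!/bin/sh
# IPCHAINS/IFUP are assumed helpers for this example: by default they only echo the
# command, so the ordering can be checked without root or a 2.2 kernel. Set
# IPCHAINS=/sbin/ipchains IFUP=ifup to apply the rules for real.
IPCHAINS="${IPCHAINS:-echo /sbin/ipchains}"
IFUP="${IFUP:-echo ifup}"
interfaz0="eth0"
LOOPBACK="127.0.0.0/8"

fw_start() {
    # 1. Default policies first: from this point nothing passes that a rule
    #    does not explicitly allow, even while the chains are still empty.
    for chain in input output forward; do
        $IPCHAINS -P "$chain" REJECT || return 1
    done
    # 2. Only now flush the built-in chains (-F) and delete user-defined ones (-X);
    #    the REJECT policy covers the gap instead of the old "ACCEPT, no rules" window.
    $IPCHAINS -F || return 1
    $IPCHAINS -X || return 1
    # 3. Rules go here; loopback and an anti-spoofing check are shown as a sample.
    $IPCHAINS -A input  -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT
    $IPCHAINS -A input  -i "$interfaz0" -s "$LOOPBACK" -j DENY -l   # log spoofed loopback
    # 4. Bring the external interface up last, so it is never up without rules.
    $IFUP "$interfaz0"
}
```

Running the script as-is prints the nine commands in the order they would be executed.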