荔园在线 (Liyuan Online)
The beauty of Liyuan: budding in spring, blooming in summer, harvest in autumn, settling in winter
From: georgehill (清风浮云 人生), Board: Linux
Subject: 11. Advice on Packet Filter Design
Site: BBS 荔园晨风站 (Thu Oct 12 07:27:00 2000), local mail
[The following text is reposted from georgehill's mailbox]
[Originally posted by georgehill.bbs@smth.org]
From: zixia (Do you zixia tonight), Board: Linux
Subject: 11. Advice on Packet Filter Design
Site: BBS 水木清华站 (Wed Oct 11 01:19:05 2000) WWW-POST
----------------------------------------------------------------------
11. Advice on Packet Filter Design
Common wisdom in the computer security arena is to block everything, then
open up holes as necessary. This is usually phrased `that which is not
explicitly allowed is prohibited'. I recommend this approach if security
is your maximal concern.
Do not run any services you do not need to, even if you think you have
blocked access to them.
If you are creating a dedicated firewall, start by running nothing, and
blocking all packets, then add services and let packets through as
required.
I recommend security in depth: combine tcp-wrappers (for connections to
the packet filter itself), proxies (for connections passing through the
packet filter), route verification and packet filtering. Route
verification is where a packet which comes from an unexpected interface is
dropped: for example, if your internal network has addresses 10.1.1.0/24,
and a packet with that source address comes in your external interface, it
will be dropped. This can be enabled for one interface (ppp0) like so:
# echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
#
Or for all existing and future interfaces like this:
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo 1 > $f
# done
#
Debian does this by default where possible. If you have asymmetric routing
(ie. you expect packets coming in from strange directions), you will want
to disable this filtering on those interfaces. Newer kernels also offer a
loose mode (rp_filter set to 2) that only checks that the source address is
reachable through some interface, which is enough for many asymmetric setups.
Logging is useful when setting up a firewall if something isn't working,
but on a production firewall, always combine it with the `limit' match, to
prevent someone from flooding your logs.
I highly recommend connection tracking for secure systems: it introduces
some overhead, as all connections are tracked, but is very useful for
controlling access to your networks. You may need to load the
`ip_conntrack.o' module if your kernel does not load modules
automatically, and it's not built into the kernel. If you want to
accurately track complex protocols, you'll need to load the appropriate
helper module (eg. `ip_conntrack_ftp.o').
# iptables -N no-conns-from-ppp0
# iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
# iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not syn:"
# iptables -A no-conns-from-ppp0 -j DROP
# iptables -A INPUT -j no-conns-from-ppp0
# iptables -A FORWARD -j no-conns-from-ppp0
The chain accepts replies to tracked connections, accepts new connections
arriving on any interface other than ppp0, logs (under the limit match)
whatever is left, and drops it. A packet that reaches the second LOG rule
came in on an internal interface but belongs to no tracked connection and
is not a valid connection opener, hence the `not syn' prefix. Note that
newer iptables releases write the negation as `! -i ppp0' rather than the
`-i ! ppp0' form shown here.
Building a good firewall is beyond the scope of this HOWTO, but my advice
is `always be minimalist'. See the Security HOWTO for more information on
testing and probing your box.
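The following script pulls the advice of this section together into one
default-deny ruleset: DROP policies first, route verification, connection
tracking with INVALID packets logged under a limit, and services opened one
by one. It is an added example, not code from the HOWTO. The interface names
(ppp0 external, eth0 internal), the LAN prefix 10.1.1.0/24, the chosen
services (SSH to the firewall from the LAN, HTTP/HTTPS from the LAN outward,
DNS and web from the firewall itself), the file name firewall.sh and the
`count_rules` helper are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the HOWTO: a minimal default-deny ruleset for a
# dedicated Linux firewall that applies the section's advice in one place:
# drop by default, verify source routes, accept only tracked connections,
# log a rate-limited sample of what is dropped, and open services one by one.
# Assumptions for illustration only: ppp0 is the external link, eth0 the LAN
# (10.1.1.0/24); SSH to the firewall is allowed from the LAN, LAN hosts may
# open HTTP/HTTPS to the Internet, and the firewall itself may do DNS and web.
# Dry run:   IPTABLES=echo sh firewall.sh apply      (prints the rules)
# For real:  sh firewall.sh apply                    (as root)
set -eu

IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
LAN="${LAN:-10.1.1.0/24}"

# Route verification on every interface (the loop from the text). Files
# that are not writable (not root, or no /proc) are skipped rather than
# aborting the script.
enable_rp_filter() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -w "$f" ] && echo 1 > "$f" || true
    done
}

# Emit the ruleset through $IPTABLES. Policies are set to DROP before any
# ACCEPT rule, so the box stays closed even if a later command fails.
build_rules() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Local services need loopback.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Belt and braces next to rp_filter: a LAN source address arriving on
    # the external link is spoofed, so drop it before any state matching.
    $IPTABLES -A INPUT -i "$EXT_IF" -s "$LAN" -j DROP
    $IPTABLES -A FORWARD -i "$EXT_IF" -s "$LAN" -j DROP

    # Connection tracking: replies to tracked connections pass everywhere;
    # INVALID packets (belonging to no tracked connection and not a valid
    # connection opener) are logged under a limit and dropped.
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A "$chain" -m state --state INVALID \
            -m limit --limit 5/minute -j LOG --log-prefix "fw-invalid: "
        $IPTABLES -A "$chain" -m state --state INVALID -j DROP
    done

    # Holes opened explicitly; every NEW connection not listed here falls
    # through to the DROP policy.
    $IPTABLES -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" \
        -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXT_IF" -p udp --dport 53 \
        -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXT_IF" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT

    # Log a sample of what the DROP policy is about to discard; the limit
    # keeps a flood from filling the logs.
    for chain in INPUT FORWARD; do
        $IPTABLES -A "$chain" -m limit --limit 3/minute -j LOG --log-prefix "fw-drop: "
    done
}

# Dry-run helper (assumed, for checking): number of -A rules that would load.
count_rules() {
    (IPTABLES=echo; build_rules) | grep -c '^-A '
}

if [ "${1:-}" = "apply" ]; then
    enable_rp_filter
    build_rules
fi
```

Run it with IPTABLES=echo first and read the printed rules before loading
them on a real box. The `-m state` match and the `-i`/`-o` syntax follow
the iptables of the HOWTO's era; on current kernels `-m conntrack --ctstate`
is the preferred spelling and behaves the same for these rules.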
----------------------------------------------------------------------
--
)))))))))))))))))))))))))))))))))))))))))))))))))))
((((((((((((Can life's joy be photocopied once more?((((((((((((
))))))))))))Can aging passion be given a facelift?))))))))))))
((((((((((((Can the truth found in sickness be faxed and proofread again?((((((((((((
))))))))))))Can a dead love be typed in and printed out again?))))))))))))
(((((((((((((((((((((((((((((((((((((((((((((((((((
※ Source: BBS 水木清华站 smth.org [FROM: 202.112.45.49]
--
※ Reposted via: BBS 荔园晨风站 bbs.szu.edu.cn [FROM: 192.168.1.115]