Author  Topic: [Question] Security protection for a dynamic-IP ADSL connection  (Read 3615 times)


Anonymous

  • Guest
[Question] Security protection for a dynamic-IP ADSL connection
« on: 2002-03-10 01:04 »
Dear All
A while ago I set up FreeBSD as a NAT box so that the internal machines could reach the Internet; given the current state of network security, I spent some time configuring a few security protections. Could you all take a look and point out what needs improvement?

: rc.conf
... (omitted)
# network
ifconfig_vr0="inet 10.0.0.254  netmask 255.255.255.0"
gateway_enable="YES"

# security
log_in_vain="YES"
kern_securelevel_enable="YES"
kern_securelevel="2"
firewall_enable="YES"
firewall_script="/etc/ipfw.sh"

# daemons disable
inetd_enable="NO"
sendmail_enable="NO"
portmap_enable="NO"
sshd_enable="NO"
tcp_extensions="NO"

# daemon nat
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic -u -p 8668"

# daemon log
syslogd_enable="YES"
syslogd_flags="-s"
... (omitted)

Since this externally facing machine does not provide any services, all services are disabled.

: ipfw.sh
#! /bin/sh

fwcmd=/sbin/ipfw
net="10.0.0.0"
mask="255.255.255.0"
iip="10.0.0.254"

# tun0 is the PPP link to the ADSL provider (natd_interface), vr0 the LAN,
# vr1 the NIC the ADSL modem is attached to.
tif="tun0"
iif="vr0"
oif="vr1"

${fwcmd} -f flush

# Loopback: allow local traffic, drop anything addressed to 127/8 elsewhere.
${fwcmd} add allow all from any to any via lo0
${fwcmd} add allow all from 127.0.0.1 to 127.0.0.1
${fwcmd} add deny all from any to 127.0.0.0/8

# Drop IP fragments on the outside interface.
${fwcmd} add deny ip from any to any via ${oif} frag

# Inbound ICMP on tun0 is currently left open (rule commented out);
# ident (113) requests from the Internet get a TCP reset.
#${fwcmd} add deny icmp from any to any in via ${tif}
${fwcmd} add reset tcp from any to any 113 in via ${tif}

# Non-LAN sources may not reach ssh, portmap, ident, NFS or the listed
# privileged ports arriving on tun0.
${fwcmd} add reset tcp from not ${net}:${mask} to any 22,111,113,2049,1021,1022,1023,960 in via ${tif}
${fwcmd} add deny udp from not ${net}:${mask} to any 22,111,113,2049,1021,1022,1023,960 in via ${tif}

# Keep NetBIOS/SMB and portmap from the outside away from the LAN.
${fwcmd} add deny tcp from not ${net}:${mask} to ${net}:${mask} 137-139,445,111 via ${oif}
${fwcmd} add deny udp from not ${net}:${mask} to ${net}:${mask} 137-139,445,111 via ${oif}

# Drop source-routed packets.
${fwcmd} add deny all from any to any ipoptions ssrr,lsrr via ${oif}

# Anti-spoofing: LAN addresses must never arrive inbound on the outside NIC.
${fwcmd} add deny all from ${net}:${mask} to any in via ${oif}

# Never send traffic to the LAN, private (RFC 1918) or reserved ranges out
# to the Internet.
${fwcmd} add deny all from any to ${net}:${mask} out xmit ${tif}
${fwcmd} add deny all from any to 10.0.0.0/8 out xmit ${tif}
${fwcmd} add deny all from any to 172.16.0.0/12 out xmit ${tif}
${fwcmd} add deny all from any to 192.168.0.0/16 out xmit ${tif}
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Hand packets on the outside NIC to natd (listening on port 8668).
${fwcmd} add divert natd all from any to any via ${oif}

# Drop packets from the LAN, private or reserved ranges that come in from
# the Internet (spoofed sources).
${fwcmd} add deny all from ${net}:${mask} to any in recv ${tif}
${fwcmd} add deny all from 10.0.0.0/8 to any in recv ${tif}
${fwcmd} add deny all from 172.16.0.0/12 to any in recv ${tif}
${fwcmd} add deny all from 192.168.0.0/16 to any in recv ${tif}
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Established TCP passes; new inbound connections on the outside NIC are
# denied, all other connection setups are allowed.
${fwcmd} add allow tcp from any to any established
${fwcmd} add deny tcp from any to any in via ${oif} setup
${fwcmd} add allow tcp from any to any setup

# default is pass
${fwcmd} add 65000 pass all from any to any

It is currently running without any problems, and a port scan from the outside also turned up nothing, but sometimes I still get the feeling that something is not quite right...
Please advise, Thanks!
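A static consistency check over the posted rc.conf and ipfw.sh, added here as an example and not part of the original thread or of FreeBSD's own tooling: it expands the script's shell variables and reports three things a reviewer of this rule set would want confirmed: whether the divert rule is matched on the same interface as natd_interface, whether an unrestricted "setup" allow is reached before inbound SYNs on that interface are denied, and whether the final rule is pass. The excerpts embedded below are constructed from the post and shortened to the lines the checks need.

```python
import re

# Constructed excerpt of the posted rc.conf and ipfw.sh (only the lines the
# checks need); variable names and rule wording mirror the original post.
RC_CONF = 'natd_enable="YES"\nnatd_interface="tun0"\nfirewall_enable="YES"\n'
IPFW_SH = """fwcmd=/sbin/ipfw
net="10.0.0.0"
mask="255.255.255.0"
tif="tun0"
oif="vr1"
${fwcmd} add deny ip from any to any via ${oif} frag
${fwcmd} add reset tcp from not ${net}:${mask} to any 22,111 in via ${tif}
${fwcmd} add divert natd all from any to any via ${oif}
${fwcmd} add deny tcp from any to any in via ${oif} setup
${fwcmd} add allow tcp from any to any setup
${fwcmd} add 65000 pass all from any to any
"""
ASSIGN = re.compile(r'^(\w+)="?([^"]*)"?$')

def parse_assignments(text):
    """Collect NAME=value lines from rc.conf or a shell script."""
    env = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.strip())
        if m:
            env[m.group(1)] = m.group(2)
    return env

def expand_rules(script):
    """Substitute ${var} references and return the ipfw rule bodies in order."""
    env = parse_assignments(script)
    rules = []
    for line in script.splitlines():
        line = re.sub(r'\$\{(\w+)\}', lambda m: env.get(m.group(1), ''), line.strip())
        if line.startswith('/sbin/ipfw add '):
            rules.append(line[len('/sbin/ipfw add '):])
    return rules

def audit(rc, rules):
    """Reviewer findings: divert vs natd_interface, inbound setup order, default rule."""
    nat_if = parse_assignments(rc).get('natd_interface')
    findings, deny_setup_seen = [], False
    for r in rules:
        w = r.split()
        if 'divert' in w and 'via' in w and w[w.index('via') + 1] != nat_if:
            findings.append(f'divert rule matches via {w[w.index("via") + 1]}, natd_interface is {nat_if}')
        if w[0] == 'deny' and 'setup' in w and 'in' in w and nat_if in w:
            deny_setup_seen = True  # inbound SYNs on the NAT interface are dropped
        if w[0] in ('allow', 'pass') and 'setup' in w and 'in' not in w and not deny_setup_seen:
            findings.append(f'"{r}" is reached before any deny of inbound setup on {nat_if}')
        if w[0].isdigit() and w[1] in ('allow', 'pass', 'accept'):
            findings.append(f'rule {w[0]} is {w[1]}: default policy is open')
    return findings
```

Run `audit(RC_CONF, expand_rules(IPFW_SH))` to get the findings for the posted set; feeding it a rule list where the deny of inbound setup names tun0 and the divert is bound to tun0 returns no findings.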