Korea FreeBSD Users Group

Re: Opening up the default firewall on OpenBSD?





On Fri, Feb 02, 2001 at 12:20:42AM +0000, Kwangyul SEO wrote:
> Hello.
> 
> As far as I know, ipfilter, unlike ipfw, applies the last rule.
> That is, even if you allow above, if the last rule is deny,
> the packet ends up being denied.
> 
> Could it be that your last rule is set to deny?
> To have rules applied to packets in the order they appear, as with ipfw,
> you have to give the option called quick.
> 
> For details, it would be good to refer to
> http://www.obfuscation.org/ipf/.

Hmm.. I'm currently connected over Korea Telecom ADSL. I read the HOWTO a while back.. -_-;
Strangely, it doesn't seem to get applied properly.

/etc/ipf.rules

#       $OpenBSD: ipf.rules,v 1.6 1997/11/04 08:39:32 deraadt Exp $
#
# IP filtering rules.  See the ipf(5) man page for more
# information on the format of this file, and /usr/share/ipf
# for example configuration files.
#
# Pass all packets by default.
# edit the ipfilter= line in /etc/rc.conf to enable IP filtering
#
pass in from any to any
pass out from any to any

Above, it says that all packets pass..

pass in quick on tun0 from any to any port = 21
pass in quick on tun0 from any to any port = 22
pass in quick on tun0 from any to any port = 80
pass in quick on tun0 from any to any port = 443

Even when I add these and try it, it doesn't work.

root:184# ipfstat                                                              
 input packets:         blocked 0 passed 522568 nomatch 3 counted 0 short 0
output packets:         blocked 0 passed 203708 nomatch 1 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0
fragment state(out):    kept 0  lost 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Result cache hits(in):  403968  (out):  195912
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  76      failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
Packet log flags set: (0)
        none

root:185# ipfstat -s                                                           
IP states added:
        0 TCP
        0 UDP
        0 ICMP
        0 hits
        726276 misses
        0 maximum
        0 no memory
        buckets in use  0
        0 active
        0 expired
        0 closed

root:196# man ipfstat | head -4
IPFSTAT(8)              OpenBSD System Manager's Manual             IPFSTAT(8)

NAME
     ipfstat - reports on packet filter statistics and filter lists

...
     -s      Show packet/flow state information (statistics) and held state
             information (in the kernel) if any is present.


root:189# ipftest                                                              
no rule file present

root:189# man ipftest | head -4
IPFTEST(1)                 OpenBSD Reference Manual                 IPFTEST(1)

NAME
     ipftest - test packet filter rules with arbitrary input

Connections from the local machine work fine, of course. ftp, httpd, sshd,....

> On Fri, Feb 02, 2001 at 05:42:00AM +0900, KIM sungjin wrote:
> > Hmm... I figure there are OpenBSD users here too, so I'm just posting a question. -_-;
> > 
> > On FreeBSD you can control the firewall through the kernel or rc.XXX settings, but on OpenBSD
> > it isn't working well. OpenBSD does IP filtering with ipf, and even though I set /etc/ipf.rules
> > to allow by default, connections from other systems are refused.
> > 
> > If anyone knows whether there is an option to allow connections by default, please let me know.
--
To Unsubscribe: send mail to majordomo@kr.FreeBSD.org
with "unsubscribe questions" in the BODY of the message
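
The evaluation order discussed in this thread (the last matching rule decides unless a rule carries quick), as an added example that is not part of the original messages. It is a simplified model covering only the rule forms quoted here; `parse_rules`, `decide` and the two contrast rule sets are constructed for illustration.

```python
import re

# Simplified model (not ipf's code): action dir [quick] [on if] from any to any [port = n]
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<quick>\s+quick)?(?:\s+on\s+(?P<iface>\S+))?"
    r"\s+from\s+any\s+to\s+any(?:\s+port\s*=\s*(?P<port>\d+))?\s*$"
)

def parse_rules(text):
    """Parse rule lines, skipping blanks and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(m.groupdict())
    return rules

def decide(rules, direction, iface, dport):
    """Return 'pass' or 'block' for a packet, or 'nomatch' if no rule applies."""
    verdict = "nomatch"
    for r in rules:
        if r["dir"] != direction:
            continue
        if r["iface"] is not None and r["iface"] != iface:
            continue
        if r["port"] is not None and int(r["port"]) != dport:
            continue
        verdict = r["action"]      # a later match overrides an earlier one
        if r["quick"]:             # ...unless "quick" ends evaluation here
            break
    return verdict

# The rule set quoted in the message above.
POSTED = """
pass in from any to any
pass out from any to any
pass in quick on tun0 from any to any port = 21
pass in quick on tun0 from any to any port = 22
pass in quick on tun0 from any to any port = 80
pass in quick on tun0 from any to any port = 443
"""
# Constructed contrast: one allow line without and with "quick", then a final block.
LAST_WINS = "pass in on tun0 from any to any port = 22\nblock in from any to any"
WITH_QUICK = "pass in quick on tun0 from any to any port = 22\nblock in from any to any"
```

Under this model every inbound packet matches a pass rule in the posted rule set, which is consistent with the `blocked 0` counters in the ipfstat output.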


