Korea FreeBSD Users Group

Re: Opening up the default firewall on OpenBSD?





Yes.

I use ipf on FreeBSD. I don't know how similar it is to OpenBSD,
but on FreeBSD, at least, if ipf.rules is empty, all packets are
accepted by default. In other words, the default state is allow.

For the simplest setup, put this in the kernel configuration file:

options     IPFILTER
options     IPFILTER_LOG

and this in the /etc/ipfw.rules file:

pass in from any to any
pass out from any to any

Then run ipf -Fa -f /etc/ipfw.rules and it works fine without any problem.

> root:184# ipfstat                                                              
>  input packets:         blocked 0 passed 522568 nomatch 3 counted 0 short 0
> output packets:         blocked 0 passed 203708 nomatch 1 counted 0 short 0
>  input packets logged:  blocked 0 passed 0
> output packets logged:  blocked 0 passed 0

As you can see here, the problem does not seem to be caused by the
firewall rules, since not a single packet has been blocked. Have you
checked whether the network configuration for ADSL is set up correctly?
For now, flush all the rules with ipf -F a and check whether you can
connect from outside.

On Fri, Feb 02, 2001 at 04:19:55AM +0900, KIM sungjin wrote:
> On Fri, Feb 02, 2001 at 12:20:42AM +0000, Kwangyul SEO wrote:
> > Hello.
> > 
> > As far as I know, ipfilter, unlike ipfw, applies the last
> > rule. That is, even if an earlier rule allows the packet, if
> > the last rule is deny, the packet ends up being denied.
> > 
> > Is your last rule perhaps set to deny?
> > To apply rules to packets in the order they appear, as ipfw
> > does, you have to give the quick option.
> > 
> > For details, it would be good to refer to
> > http://www.obfuscation.org/ipf/.
> 
> Hmm.. I'm currently connected through Korea Telecom ADSL. I read the HOWTO before.. -_-;
> Strangely, it doesn't seem to be applied properly.
> 
> /etc/ipf.rules
> 
> #       $OpenBSD: ipf.rules,v 1.6 1997/11/04 08:39:32 deraadt Exp $
> #
> # IP filtering rules.  See the ipf(5) man page for more
> # information on the format of this file, and /usr/share/ipf
> # for example configuration files.
> #
> # Pass all packets by default.
> # edit the ipfilter= line in /etc/rc.conf to enable IP filtering
> #
> pass in from any to any
> pass out from any to any
> 
> As shown above, it says all packets pass..
> 
> pass in quick on tun0 from any to any port = 21
> pass in quick on tun0 from any to any port = 22
> pass in quick on tun0 from any to any port = 80
> pass in quick on tun0 from any to any port = 443
> 
> Even after adding these and trying again, it doesn't work.
> 
> root:184# ipfstat                                                              
>  input packets:         blocked 0 passed 522568 nomatch 3 counted 0 short 0
> output packets:         blocked 0 passed 203708 nomatch 1 counted 0 short 0
>  input packets logged:  blocked 0 passed 0
> output packets logged:  blocked 0 passed 0
>  packets logged:        input 0 output 0
>  log failures:          input 0 output 0
> fragment state(in):     kept 0  lost 0
> fragment state(out):    kept 0  lost 0
> packet state(in):       kept 0  lost 0
> packet state(out):      kept 0  lost 0
> ICMP replies:   0       TCP RSTs sent:  0
> Result cache hits(in):  403968  (out):  195912
> IN Pullups succeeded:   0       failed: 0
> OUT Pullups succeeded:  76      failed: 0
> Fastroute successes:    0       failures:       0
> TCP cksum fails(in):    0       (out):  0
> Packet log flags set: (0)
>         none
> 
> root:185# ipfstat -s                                                           
> IP states added:
>         0 TCP
>         0 UDP
>         0 ICMP
>         0 hits
>         726276 misses
>         0 maximum
>         0 no memory
>         buckets in use  0
>         0 active
>         0 expired
>         0 closed
> 
> root:196# man ipfstat | head -4
> IPFSTAT(8)              OpenBSD System Manager's Manual             IPFSTAT(8)
> 
> NAME
>      ipfstat - reports on packet filter statistics and filter lists
> 
> ...
>      -s      Show packet/flow state information (statistics) and held state
>              information (in the kernel) if any is present.
> 
> 
> root:189# ipftest                                                              
> no rule file present
> 
> root:189# man ipftest | head -4
> IPFTEST(1)                 OpenBSD Reference Manual                 IPFTEST(1)
> 
> NAME
>      ipftest - test packet filter rules with arbitrary input
> 
> Connecting locally works fine, of course. ftp, httpd, sshd,....
> 
> > On Fri, Feb 02, 2001 at 05:42:00AM +0900, KIM sungjin wrote:
> > > Hmm... I figured there are probably OpenBSD users here too, so I'm just posting my question. -_-;
> > > 
> > > On FreeBSD you can control the firewall through the kernel or the rc.XXX settings, but on
> > > OpenBSD it isn't working well. OpenBSD does IP filtering with ipf, and even though I set
> > > /etc/ipf.rules to allow by default, connections from other systems are refused.
> > > 
> > > If anyone knows whether there is an option to allow connections by default, please let me know.
> --
> To Unsubscribe: send mail to majordomo@kr.FreeBSD.org
> with "unsubscribe questions" in the BODY of the message
> 

-- 
Thanks
icq UIN 104946812, Kwangyul Seo <skyul@postech.edu>
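
The last-match and quick behaviour discussed in this thread, as an added example that is not part of the original messages: a small Python model of a simplified subset of ipf rule syntax. The function names, the constructed LAST_DENY and QUICK_FIRST rule sets, and the default verdict of pass when nothing matches (as the reply describes for an empty rule file) are assumptions made for illustration.

```python
import re

# Simplified subset of ipf rule syntax, enough for the rules quoted in this thread.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?\s+from\s+any\s+to\s+any"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?\s*$"
)

def parse_rules(text):
    """Parse rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        rule = m.groupdict()
        rule["quick"] = rule["quick"] is not None
        rule["port"] = int(rule["port"]) if rule["port"] else None
        rules.append(rule)
    return rules

def decide(rules, direction, iface, dport, default="pass"):
    """Return 'pass' or 'block': the LAST matching rule wins, unless a matching
    rule has 'quick', which stops evaluation. 'default' applies if nothing matches."""
    verdict = default
    for r in rules:
        if r["dir"] != direction:
            continue
        if r["iface"] is not None and r["iface"] != iface:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        verdict = r["action"]
        if r["quick"]:
            break
    return verdict

# Rules quoted in the thread: pass-all plus a 'quick' pass for port 22 on tun0.
THREAD_RULES = ("pass in from any to any\npass out from any to any\n"
                "pass in quick on tun0 from any to any port = 22")
# Constructed rule sets: an allow followed by a final deny, without and with 'quick'.
LAST_DENY = "pass in from any to any port = 22\nblock in from any to any"
QUICK_FIRST = "pass in quick from any to any port = 22\nblock in from any to any"
```

Under this model the rules quoted in the thread pass inbound port 22 on tun0, which is consistent with the ipfstat counters showing no blocked packets; only a rule set shaped like LAST_DENY turns an earlier allow into a block.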




Copyright © 1998-2005 Korea FreeBSD Users Group.
All rights reserved. webmaster at kr.FreeBSD.org