On Wed, Jan 15, 2003 at 12:21:01PM +0900, JungSoo HA wrote:
>> On Wed, Jan 15, 2003 at 12:16:23PM +0900, Pyun YongHyeon wrote:
>>
>> > At the very least, you need to tell us the pf rules you are currently using.
>>
>> Oops, sorry. I left out the attachment.
>>
>> --
>> JungSoo HA
>>
>> # $OpenBSD: pf.conf,v 1.3 2001/11/16 22:53:24 dhartmei Exp $
>> #
>> # See pf.conf(5) for syntax and examples
>> # ep1 : external 10Mbps
>>
>> localnet = "211.xxx.yyy.zzz/ww"
>>
>> # normalize all packets
>> #scrub out all
>> #scrub in all
>>
>> # block private IP address space
>> block in log quick on ep1 from { 127.0.0.0/8, 192.168.0.0/16, \
>> 172.16.0.0/12, 10.0.0.0/8 } to any
>> block out log quick on ep1 from any to { 127.0.0.0/8, 192.168.0.0/16, \
>> 172.16.0.0/12, 10.0.0.0/8 }
>>
>> # block incoming broadcast packets
>> block in quick on ep1 from any to 255.255.255.255
>>
>> # now block and log all by default
>> block in log on ep1 all
>> block return-rst out log on ep1 inet proto tcp all
>> block return-rst in log on ep1 inet proto tcp all
>> block return-icmp out on ep1 inet proto udp all
>> block return-icmp in on ep1 inet proto udp all
>>
>> # ICMP ping
>> pass in on ep1 inet proto icmp all icmp-type 8 code 0 keep state
>> pass out on ep1 inet proto icmp all icmp-type 8 code 0 keep state
>>
>> # outgoing
>>
>> # UDP
>> pass out on ep1 inet proto udp all keep state
>>
>> # TCP
>> pass out on ep1 inet proto tcp all modulate state
>>
>> # finally pass incoming
>>
>> pass in on ep1 inet proto tcp from any to $localnet \
>> port 22 flags S/SA keep state
There does not seem to be any particular problem with the rules themselves.
However, if there are several LAN cards, the rules for them must be spelled out explicitly.
For example, if there is also an ep0, there must be rules that pass traffic between ep0 and ep1
unconditionally, and so on.
You said you have a problem connecting to Soribada; have you checked the state table
with pfctl?
# pfctl -s s
Check whether a state was created for the server you connected to and what condition it is in.
I do not use Soribada myself, so I cannot say for certain, but I understand that
it uses UDP.
For that traffic a state is created by
"pass out on ep1 inet proto udp all keep state". So new connections from outside
are not allowed, but connections initiated from here are allowed by the
state table.
If it still does not work, put log on every rule and check with tcpdump:
# tcpdump -e -i pflog0 port <Soribada port number>
Alternatively, you can point tcpdump at ep1 and inspect the packets directly.
--
============================================================
// Korea Telecom Internet Solutions, Inc.
// FreeBSD/Linux Professional Consulting/Tech. Support
//
// Pyun YongHyeon
//
// WWW: http://www.kt-is.co.kr/
// FTP: ftp://ftp.kt-is.co.kr/
//
// TEL: +82-2-364-0400
// FAX: +82-2-364-9119
============================================================
--
Please look and take part in KFUG FAQ: <http://www.kr.freebsd.org/FAQ-kr/>
To Unsubscribe: send mail to majordomo@kr.FreeBSD.org
with "unsubscribe questions" in the BODY of the message
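The stateful behaviour Pyun describes (an outbound UDP "keep state" rule admitting the replies while unsolicited inbound UDP stays blocked), as an added Python model that is not part of the original thread. It assumes 211.0.0.0/24 as a stand-in for the masked $localnet, uses constructed addresses and ports, and models only pf's evaluation order for the quoted ep1 rules (state table first, then rules in order, last match wins unless "quick"), ignoring the interface and pflog details.

```python
# Added example, not from the original post: a toy model of how pf applies the
# quoted ep1 ruleset (state lookup first, then rules in order, last match wins
# unless "quick"), showing why "pass out ... udp all keep state" lets Soribada's
# UDP replies back in while unsolicited inbound UDP stays blocked.
# Addresses and ports below are constructed sample values.
from collections import namedtuple
import ipaddress
Packet = namedtuple("Packet", "direction proto src sport dst dport")  # direction relative to ep1
PRIVATE = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
LOCALNET = ipaddress.ip_network("211.0.0.0/24")   # stands in for 211.xxx.yyy.zzz/ww

def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE)
# (action, quick, keep_state, match) in the order the rules appear in the pf.conf
RULES = [
    ("block", True,  False, lambda p: p.direction == "in" and is_private(p.src)),
    ("block", True,  False, lambda p: p.direction == "out" and is_private(p.dst)),
    ("block", False, False, lambda p: p.direction == "in"),              # block in log on ep1 all
    ("block", False, False, lambda p: p.proto == "tcp"),                 # block return-rst in/out tcp
    ("block", False, False, lambda p: p.proto == "udp"),                 # block return-icmp in/out udp
    ("pass",  False, True,  lambda p: p.direction == "out" and p.proto == "udp"),
    ("pass",  False, True,  lambda p: p.direction == "out" and p.proto == "tcp"),
    ("pass",  False, True,  lambda p: p.direction == "in" and p.proto == "tcp"
                            and ipaddress.ip_address(p.dst) in LOCALNET and p.dport == 22),
]

def filter_packet(pkt, states):
    """Return "pass" or "block"; `states` is the live state table (a set of 5-tuples)."""
    key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if key in states or reverse in states:   # matching state: the rules are not consulted at all
        return "pass"
    verdict, keep = "pass", False            # pf's default when no rule matches
    for action, quick, keep_state, match in RULES:
        if match(pkt):
            verdict, keep = action, keep_state
            if quick:                        # "quick" ends evaluation at this rule
                break
    if verdict == "pass" and keep:
        states.add(key)
    return verdict

def soribada_scenario():
    # outbound UDP request, its reply from the same peer, then an unsolicited inbound UDP packet
    states = set()
    request = Packet("out", "udp", "211.0.0.10", 40000, "1.2.3.4", 7000)
    reply = Packet("in", "udp", "1.2.3.4", 7000, "211.0.0.10", 40000)
    unsolicited = Packet("in", "udp", "5.6.7.8", 7000, "211.0.0.10", 40000)
    return [filter_packet(p, states) for p in (request, reply, unsolicited)]
```

The same model shows the rest of the ruleset: inbound TCP to port 22 on $localnet is passed and creates state, any other inbound TCP is blocked, and a packet from private address space is dropped by the "quick" rule before the pass rules are ever reached.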
Copyright © 1998-2005 Korea FreeBSD Users Group. All rights reserved. webmaster at kr.FreeBSD.org $Date: 2003/01/31 23:01:28 $