<!--
        Dialup Firewall
        The FreeBSD Greek Documentation Project
        Original version: 1.17
-->

<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
<!ENTITY % man PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN">
%man;
]>

<article>
  <articleinfo>
    <title>    firewalling  FreeBSD</title>

    <authorgroup>
      <author>
        <firstname>Marc</firstname>
        <surname>Silver</surname>

        <affiliation>
          <address><email>marcs@draenor.org</email></address>
        </affiliation>
      </author>
    </authorgroup>

    <pubdate>$FreeBSD$</pubdate>

    <abstract>
      <para>         firewall
          PPP     FreeBSD   IPFW.
         ,  firewall       
          IP .         
           PPP  .</para>
    </abstract>
  </articleinfo>

  <sect1 id="preface">
    <title></title>

    <para>    firewalling  FreeBSD</para>

     <para>         
         firewall  FreeBSD   IP   
         ISP .          
             ,     
             
       <email>marcs@draenor.org</email>.</para>    
   </sect1>

  <sect1 id="kernel">
    <title>  </title>
    
    <para>          
        .         ,  
            <ulink
        URL="http://www.freebsd.org/handbook/kernelconfig.html">
          </ulink>.     
             :</para>

    <variablelist>
      <varlistentry>
        <term><literal>options IPFIREWALL</literal></term>

        <listitem>
          <para>  firewall   .</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><literal>options IPFIREWALL_VERBOSE</literal></term>

        <listitem>
          <para>        log 
            .</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><literal>options
            IPFIREWALL_VERBOSE_LIMIT=<replaceable>100</replaceable></literal></term>

        <listitem>
          <para>        
            .     log      
               .
            <replaceable>100</replaceable>     , 
                    .</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><literal>options IPDIVERT</literal></term>

        <listitem>
          <para>  <emphasis>divert</emphasis> sockets,  
               .</para>
        </listitem>
      </varlistentry>
    </variablelist>

    <para>   <emphasis></emphasis>  
               .
             firewall   
      ,          
      .</para>

    <variablelist>
      <varlistentry>
        <term><literal>options TCP_DROP_SYNFIN</literal></term>

        <listitem>
          <para>          
            TCP      SYN   FIN .  
                nmap .    
              TCP stack  ,   
                   RFC1644.  
            <emphasis></emphasis>      
              web server.</para>
        </listitem>
      </varlistentry>
     </variablelist>

    <para>  reboot     .  
           ,   
        firewall.</para>
  </sect1>

  <sect1 id="rcconf">
    <title>  <filename>/etc/rc.conf</filename>   
       firewall</title>
    
    <para>      
      <filename>/etc/rc.conf</filename>      
      firewall.      :</para>
    
    <programlisting>firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"</programlisting>

    <para>        
        ,    
      <filename>/etc/defaults/rc.conf</filename>    man 
      &man.rc.conf.5;</para>
  </sect1>

  <sect1>
    <title>     
      PPP</title>
    
    <para>       
       PPP (NAT).   ,      ,  
             &man.natd.8;  
         .</para>

    <para>          PPP
      ,    :</para>

    <programlisting>ppp_enable="YES"
ppp_mode="auto"
ppp_nat="YES"
ppp_profile="<replaceable>profile</replaceable>"</programlisting>

    <para> ,    <literal>ppp_nat="YES"</literal>.
            <literal>nat enable yes</literal> 
      <literal>alias enable yes</literal>  
      <filename>/etc/ppp/ppp.conf</filename> .</para>
  </sect1>

  <sect1 id="rules">
    <title>   firewall</title>
    
    <para>  .        
          firewall     
            firewall.      
              .   
               
               
      .          
      ,           
       .          
      firewall.             
            .     
             .     
                
            . :)</para>

    <para>,    <filename
      class="directory">/etc/firewall</filename>.     
           <filename>fwrules</filename>  
           <filename>rc.conf</filename>.   
                .   
              .</para>

    <para>     firewall,    
      .</para>

    <programlisting># Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable 


# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all data from my network card and localhost.  Make sure you
# change your network card (mine was fxp0) before you reboot.  :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via fxp0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine.  This example shows that people may connect
# to ssh and apache.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv tun0

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to <replaceable>x.x.x.x</replaceable> 53 out xmit tun0

# Allow them back in with the answers...  :)
$fwcmd add allow udp from <replaceable>x.x.x.x</replaceable> 53 to any in recv tun0

# Allow ICMP (for ping and traceroute to work).  You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add 65435 allow icmp from any to any

# Deny all the rest.  Note that this rule shares number 65435 with the
# ICMP rule above; ipfw evaluates rules that share a number in the order
# they were added, so the ICMP allow is consulted before this deny.
$fwcmd add 65435 deny log ip from any to any</programlisting>

    <para>    firewall    
       22  80        log 
      .         firewall 
          .       ,  
       ,        
         ,     email.</para>
  </sect1>

  <sect1>
    <title></title>
    
    <qandaset>
      <qandaentry>
        <question>
          <para>   &man.natd.8;   &man.ipfw.8; 
                   &man.ppp.8;;</para>
        </question>
        
        <answer>
          <para>          
                  <command>ipfw</command>
              <command>natd</command>      
            <command>ppp</command>.        
                   : 
            <command>ipfw</command>      
                      
            <command>ppp</command>,       
                .      
                    firewall 
                ,      
              .</para>
        </answer>
      </qandaentry>

      <qandaentry>
        <question>
          <para>   <errorname>limit 100 reached on entry
            2800</errorname>         
            log .     firewall ;</para>
        </question>

        <answer>
          <para>        
             (logging)    .     
              ,        log
                   .  
                   <command>ipfw
            resetlog</command>.  ,     
                    
            <option>IPFIREWALL_VERBOSE_LIMIT</option>  
            .</para>
        </answer>
      </qandaentry>

      <qandaentry>
        <question>
          <para>       
            192.168.0.0 range,        
            <literal>$fwcmd add deny all from any to 192.168.0.0:255.255.0.0
            via tun0</literal>    firewall    
                       
            ;</para>
        </question>

        <answer>
          <para>    .        
            <command>natd</command>    
            <emphasis></emphasis>    interface
            <devicename>tun0</devicename>.  ,    
                 IP  
             interface  <emphasis></emphasis>  
              .       
              <literal>$fwcmd add deny all from
            192.168.0.4:255.255.0.0 to any via tun0</literal>   
                    
                firewall.</para>
        </answer>
      </qandaentry>

      <qandaentry>
        <question>
          <para>    .     
              .</para>
        </question>

        <answer>
          <para>      
            <emphasis>userland-ppp</emphasis>,      
               <devicename>tun0</devicename> interface,
                    
            &man.ppp.8; (    <emphasis>user-ppp</emphasis>).
                 
            <devicename>tun1</devicename>,  
            <devicename>tun2</devicename>   .</para>

          <para>       &man.pppd.8; 
             interface <devicename>ppp0</devicename>,    
                &man.pppd.8;     
            <devicename>tun0</devicename>  <devicename>ppp0</devicename>.
                      
            firewall .         
             <filename>fwrules_tun0</filename>.</para>

          <screen>          &prompt.user; <userinput>cd /etc/firewall</userinput>
            /etc/firewall&prompt.user; <userinput>su</userinput>
            <prompt>Password:</prompt>
            /etc/firewall&prompt.root; <userinput>mv fwrules fwrules_tun0</userinput>
            /etc/firewall&prompt.root; <userinput>cat fwrules_tun0 | sed s/tun0/ppp0/g > fwrules</userinput>
          </screen>

          <para>      &man.ppp.8;  
            &man.pppd.8;       &man.ifconfig.8;
                .  ..,    
               &man.pppd.8;     
            (    ):</para>

          <screen>          &prompt.user; <userinput>ifconfig</userinput>
            <emphasis>(skipped...)</emphasis>
            ppp0: flags=<replaceable>8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; mtu 1524</replaceable>
                    inet <replaceable>xxx.xxx.xxx.xxx</replaceable> --&gt; <replaceable>xxx.xxx.xxx.xxx</replaceable> netmask <replaceable>0xff000000</replaceable>
            <emphasis>(skipped...)</emphasis>
            </screen>

          <para>  ,       
            &man.ppp.8; (<emphasis>user-ppp</emphasis>)     
               :</para>

          <screen>          &prompt.user; <userinput>ifconfig</userinput>
            <emphasis>(skipped...)</emphasis>
            ppp0: flags=<replaceable>8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1500</replaceable>
            <emphasis>(skipped...)</emphasis>
            tun0: flags=<replaceable>8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; mtu 1524</replaceable>
                    <emphasis>(IPv6 stuff skipped...)</emphasis>
                    inet <replaceable>xxx.xxx.xxx.xxx</replaceable> --&gt; <replaceable>xxx.xxx.xxx.xxx</replaceable> netmask <replaceable>0xffffff00</replaceable>
                    Opened by PID <replaceable>xxxxx</replaceable>
            <emphasis>(skipped...)</emphasis></screen>
        </answer>
      </qandaentry>
    </qandaset>
  </sect1>
</article>