Topic: firewall
Author: vancho (Unregistered)
Published: 09.09.04 12:24



Hello,
I don't have much experience with FBSD. I have set up a FBSD 5.1 machine running apache, DNS, qmail and squirrelmail. The problem is the following: I put up a firewall, after which I have problems sending mail to certain domains. Looking at ipfw.log, it denies UDP packets from source port 53.
I have set the rule
$(fwcmd) add allow udp from any 53 to ${ip} in

but it seems something isn't working, or I'm making a mistake somewhere. From ipfw.log:
Sep 8 10:25:46 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.64.12:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:48 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.10.90:53 xxx.xxx.xxx.6:49152 in via bge0

Below I have given the firewall script, ipfw list and ipfw.log. Thanks in advance.
#!/bin/sh

fwcmd='/sbin/ipfw -q'
ip="xxx.xxx.xxx.6"
setup_loopback

${fwcmd} add allow all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.1/8

${fwcmd} add check-state

${fwcmd} add allow tcp from any to any out setup keep-state

${fwcmd} add allow all from ${ip} to any out

${fwcmd} add allow tcp from any to any established

${fwcmd} add allow all from any to any frag

${fwcmd} add allow tcp from any to ${ip} 22 setup
${fwcmd} add allow tcp from any to ${ip} 25 setup
${fwcmd} add allow tcp from any to ${ip} 53 setup
${fwcmd} add allow tcp from any to ${ip} 80 setup
${fwcmd} add allow tcp from any to ${ip} 443 setup
${fwcmd} add allow tcp from any to ${ip} 143 setup
${fwcmd} add allow tcp from any to ${ip} 993 setup
${fwcmd} add allow tcp from any to ${ip} 110 setup
${fwcmd} add allow tcp from any to ${ip} 995 setup
${fwcmd} add allow tcp from any to ${ip} 783 setup
#${fwcmd} add allow tcp from any to ${ip} 25 setup


${fwcmd} add reset tcp from any to ${ip} 113 setup
${fwcmd} add reset tcp from any to ${ip} 139 setup
${fwcmd} add reset tcp from any to ${ip} 389 setup
${fwcmd} add reset tcp from any to ${ip} 445 setup

$(fwcmd) add allow udp from any 53 to ${ip} in
${fwcmd} add allow udp from any 123 to ${ip} in

${fwcmd} add allow udp from any to ${ip} 53

${fwcmd} add deny udp from any 137 to any
${fwcmd} add deny udp from any to any 137
${fwcmd} add deny udp from any 138 to any
${fwcmd} add deny udp from any 513 to any
${fwcmd} add deny udp from any 525 to any

${fwcmd}add allow udp from any to ${ip} 123

${fwcmd} add unreach port udp from any to ${ip} 33435-33524

${fwcmd} add allow icmp from any to any icmptypes 0,3,4,8,11

${fwcmd} add deny log all from any to any

srv# ipfw show
00100 492 51954 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 check-state
00400 0 0 allow tcp from any to any out setup keep-state
00500 1629 382210 allow ip from xxx.xxx.xxx.6 to any out
00600 676 48156 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 3 144 allow tcp from any to xxx.xxx.xxx.6 dst-port 22 setup
00900 0 0 allow tcp from any to xxx.xxx.xxx.6 dst-port 25 setup
01000 0 0 allow tcp from any to xxx.xxx.xxx.6 dst-port 53 setup
01100 5 240 allow tcp from any to xxx.xxx.xxx.6 dst-port 80 setup
01200 0 0 allow tcp from any to xxx.xxx.xxx.6 dst-port 443 setup
01300 0 0 allow tcp from any to xxx.xxx.xxx.6 dst-port 143 setup
01400 0 0 allow tcp from any to xxx.xxx.xxx.6 dst-port 993 setup
01500 4 192 allow tcp from any to xxx.xxx.xxx.6 dst-port 110 setup
01600 0 0 allow tcp from any to xxx.xxx.xxx.6 dst-port 995 setup
01700 0 0 allow tcp from any to xxx.xxx.xxx.6 dst-port 783 setup
01800 0 0 reset tcp from any to xxx.xxx.xxx.6 dst-port 113 setup
01900 0 0 reset tcp from any to xxx.xxx.xxx.6 dst-port 139 setup
02000 0 0 reset tcp from any to xxx.xxx.xxx.6 dst-port 389 setup
02100 3 144 reset tcp from any to xxx.xxx.xxx.6 dst-port 445 setup

02200 0 0 allow udp from any 123 to xxx.xxx.xxx.6 in
02300 1 61 allow udp from any to xxx.xxx.xxx.6 dst-port 53
02400 0 0 deny udp from any 137 to any
02500 0 0 deny udp from any to any dst-port 137
02600 0 0 deny udp from any 138 to any
02700 0 0 deny udp from any 513 to any
02800 0 0 deny udp from any 525 to any
02900 0 0 unreach port udp from any to xxx.xxx.xxx.6 dst-port 33435-33524
03000 2 120 allow icmp from any to any icmptypes 0,3,4,8,11
03100 1001 159752 deny log ip from any to any
65535 0 0 allow ip from any to any
srv#

ipfw.log
Sep 8 10:25:16 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.27.33:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:18 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.4.12:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:20 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.36.4:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:22 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.0.107:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:24 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.230.10:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:36 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.0.107:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:38 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.230.10:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:40 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.5.241:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:42 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.0.4:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:44 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.148.17:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:46 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.64.12:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:48 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.10.90:53 xxx.xxx.xxx.6:49152 in via bge0
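
Added example (not part of vancho's post): a small sh check over rule lines and log lines copied from the post. It flags the two spellings whose rules are also absent from the posted `ipfw show` output, and tallies the logged denies by rule, protocol and source port; the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not part of the original post. Function names are hypothetical.

# Report rule lines whose first word will not expand to the ipfw command.
lint_fw_script() {
    awk '
    /^[ \t]*#/ { next }                      # commented-out rules
    /^[ \t]*[$][(]fwcmd[)]/ {                # $(fwcmd) runs a command named "fwcmd"
        print NR ": command substitution $(fwcmd), rule never reaches ipfw"; next
    }
    /^[ \t]*[$][{]fwcmd[}][^ \t]/ {          # ${fwcmd}add fuses "-q" and "add" into one word
        print NR ": no space after ${fwcmd}, ipfw gets a fused argument"; next
    }'
}

# Tally denied packets in ipfw log lines as "rule proto source-port count".
denied_by_sport() {
    awk '{
        for (i = 2; i + 2 <= NF; i++) if ($i == "Deny") {
            n = split($(i + 2), src, ":")
            seen[$(i - 1) " " $(i + 1) " " src[n]]++
        }
    }
    END { for (k in seen) print k, seen[k] }'
}

# Four rule lines copied from the posted script.
sample_rules() {
    cat <<'EOF'
${fwcmd} add allow tcp from any to ${ip} 22 setup
$(fwcmd) add allow udp from any 53 to ${ip} in
${fwcmd} add allow udp from any 123 to ${ip} in
${fwcmd}add allow udp from any to ${ip} 123
EOF
}

# Three log lines copied from the posted ipfw.log (addresses already masked there).
sample_log() {
    cat <<'EOF'
Sep 8 10:25:16 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.27.33:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:18 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.4.12:53 xxx.xxx.xxx.6:49152 in via bge0
Sep 8 10:25:20 srv kernel: ipfw: 3100 Deny UDP xxx.xxx.36.4:53 xxx.xxx.xxx.6:49152 in via bge0
EOF
}

sample_rules | lint_fw_script
sample_log | denied_by_sport
```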


