[gull] an ipfw.conf that might be useful to someone, also a starting point for a FW on a Mac workstation

Philippe STRAUSS philippe at strauss.pas.nu
Wed Jan 22 18:26:00 CET 2014


00000 flush
00010 add allow ip from any to any via lo0
00020 add deny all from any to 127.0.0.0/8
00030 add deny all from 127.0.0.0/8 to any
#####
##### deny-and-log bogus packets
00040 add deny log tcp from any to any frag
# XMAS tree
00041 add deny log tcp from any to any in tcpflags fin,psh,urg
# NULL scan (no flag set at all)
00042 add deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg
# SYN/FIN scan (SYN and FIN set together, an illegal combination)
00043 add deny log tcp from any to any in tcpflags syn,fin
# Stealth FIN scan (FIN,RST)
00044 add deny log tcp from any to any in tcpflags fin,rst
# forced packet routing
00045 add deny log ip from any to any in ipoptions ssrr,lsrr,rr,ts
# ACK scan (ACK,RST)
00046 add deny log tcp from any to any in tcpflags ack,rst
#####
00050 add allow tcp from me to any dst-port 22 out setup keep-state
00060 add allow tcp from me to any dst-port 80 out setup keep-state
00070 add allow udp from me to any dst-port 123 out keep-state
00080 add allow tcp from me to any dst-port 443 out setup keep-state
00090 add allow tcp from me to any dst-port 993 out setup keep-state
00100 add allow tcp from me 1024-65535 to any out setup keep-state
00110 add allow udp from me 1024-65535 to any out keep-state
00150 add check-state log
# echo-reply, echo, dest. unreachable, time-exceeded, param. problem
00200 add allow icmp from any to me icmptypes 0,8,3,11,12 in
00210 add allow log icmp from me to any icmptypes 0,3,11,12 out
00220 add allow icmp from me to any icmptypes 8 out
00400 add deny log logamount 65535 ip from any to any out 
00410 add deny ip from 172.16.0.0/12 to any in 
00420 add deny ip from 10.0.0.0/8 to any in 
00430 add deny ip from 127.0.0.0/8 to any in 
00440 add deny ip from 0.0.0.0/8 to any in 
00450 add deny ip from 169.254.0.0/16 to any in 
00460 add deny ip from 192.0.2.0/24 to any in 
00470 add deny ip from 204.152.64.0/23 to any in 
00480 add deny ip from 224.0.0.0/3 to any in 
00500 add reset tcp from any to me dst-port 113 in 
00510 add deny tcp from any to any dst-port 137 in 
00520 add deny tcp from any to any dst-port 138 in 
00530 add deny tcp from any to any dst-port 139 in 
00540 add deny tcp from any to any dst-port 81 in 
00600 add allow udp from any to any dst-port 68 in keep-state
00610 add allow log tcp from any to me dst-port 22 in setup limit src-addr 2
00999 add deny log logamount 65535 ip from any to any
65535 add allow ip from any to any
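Added example, not part of Philippe's post: a Python first-match walk over a constructed subset of the ruleset above, with the workstation's own address and the packet addresses assumed. It shows the ordering consequence that an inbound SSH SYN from a 172.16/12 neighbour is dropped by 00410 before 00610 is reached; dynamic rules (keep-state, limit), tcpflags and ipoptions are not modelled, so only the first SYN of a flow is meaningful.

```python
# Simplified ipfw first-match simulator (added example, not the original ruleset loader).
import ipaddress
import re

ME = {ipaddress.ip_address("192.168.1.10")}  # constructed: the workstation's own address

RULES = """
00010 add allow ip from any to any via lo0
00020 add deny all from any to 127.0.0.0/8
00050 add allow tcp from me to any dst-port 22 out setup keep-state
00410 add deny ip from 172.16.0.0/12 to any in
00600 add allow udp from any to any dst-port 68 in keep-state
00610 add allow log tcp from any to me dst-port 22 in setup limit src-addr 2
00999 add deny log logamount 65535 ip from any to any
"""

RULE_RE = re.compile(
    r"(?P<num>\d+) add (?P<action>allow|deny|reset)(?: log(?: logamount \d+)?)? "
    r"(?P<proto>ip|all|tcp|udp|icmp) from (?P<src>\S+)(?: (?P<sports>[\d-]+))? "
    r"to (?P<dst>\S+)(?: dst-port (?P<dport>\d+))?(?P<rest>.*)")

def parse(text):
    return [m.groupdict() for m in map(RULE_RE.match, text.split("\n")) if m]

def addr_match(spec, addr, me):
    if spec == "any": return True
    if spec == "me": return addr in me
    return addr in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    if spec is None: return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def first_match(rules, pkt, me=ME):
    """Return (rule number, action) of the first rule matching pkt, as ipfw would."""
    for r in rules:
        opts = r["rest"].split()
        if "via" in opts and pkt["iface"] != opts[opts.index("via") + 1]: continue
        if ("in" in opts and pkt["dir"] != "in") or ("out" in opts and pkt["dir"] != "out"): continue
        if r["proto"] not in ("ip", "all", pkt["proto"]): continue
        if "setup" in opts and not pkt["syn_only"]: continue  # setup = SYN without ACK
        if not (addr_match(r["src"], pkt["src"], me) and addr_match(r["dst"], pkt["dst"], me)): continue
        if not (port_match(r["sports"], pkt["sport"]) and port_match(r["dport"], pkt["dport"])): continue
        return int(r["num"]), r["action"]
    return 65535, "allow"  # the default rule at the end of the list

def pkt(proto, src, dst, dport, direction, sport=40000, iface="en0", syn_only=True):
    # Constructed packet description; addresses are documentation-range examples.
    return dict(proto=proto, src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                sport=sport, dport=dport, dir=direction, iface=iface, syn_only=syn_only)
```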


(I still have a great team of security morons hanging around - I'm going to hit send; god knows the taste for pacifiers, cuddly toys and the smell of fingers up the arse that will follow within 30 seconds of sending.)
(I don't want to be a cop, you've put me off it)

--
Philippe STRAUSS
http://strauss.pas.nu/


