Lace
Active member
- Member since
- 05.06.2003
- Posts
- 1.621
- Reaction points
- 13
Well, that is certainly a decent start. So far, though, you only allow DNS requests and HTTP requests. You should open the following ports as well:
HTTPS 443
allow tcp from any to any 443 out
allow tcp from any 443 to any in
By the way, you can also use the keyword "me" for your own machine, plus stateful firewalling:
allow tcp from me to any 443 setup keep-state
FTP is tricky. There is passive and active FTP. You should prefer passive.
allow tcp from me 1024-32768 to any 21 setup keep-state
allow tcp from any 20 to me 1024-32768 setup keep-state
# for passive FTP, crappy rule
allow tcp from me 1024-32768 to any 1024-32768 setup keep-state
So, all together:
allow ip from any to any via lo*
deny ip from 127.0.0.0/8 to any in setup
deny ip from any to 127.0.0.0/8 in setup
deny ip from 224.0.0.0/3 to any in setup
deny tcp from any to 224.0.0.0/3 in setup
allow udp from any to any 53 out # DNS request
allow udp from any 53 to any in # DNS reply
allow tcp from any to any 80 out setup keep-state # HTTP
allow tcp from me to any 443 setup keep-state # HTTPS
allow tcp from me 1024-32768 to any 21 setup keep-state # FTP command
allow tcp from any 20 to me 1024-32768 setup keep-state # FTP data
# for passive FTP
allow tcp from me 1024-32768 to any 1024-32768 setup keep-state # passive FTP data
deny ip from any to any
I think you should also tie the access from 127.0.0.0, 224.0.0.0, 192.168.0.0, 10.0.0.0 and 172.16.0.0 to the via command:
# netmasks added: without one, ipfw matches only the single address 127.0.0.0
deny tcp from 127.0.0.0/8 to me in via tun0
deny udp from 127.0.0.0/8 to me in via tun0
deny tcp from 10.0.0.0/8 to me in via tun0
deny udp from 10.0.0.0/8 to me in via tun0
deny tcp from 172.16.0.0/12 to me in via tun0
deny udp from 172.16.0.0/12 to me in via tun0
deny tcp from 192.168.0.0/16 to me in via tun0
deny udp from 192.168.0.0/16 to me in via tun0
or something like that...
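An added example, not code from the forum post: a small stateless first-match evaluator for the ipfw rule subset used above. It parses the posted rules, walks them in order the way ipfw does, and reports which rule a test packet hits. It is useful for checking a ruleset offline before loading it, and it shows why the anti-spoofing rules need a netmask: an address without one matches a single host, so a packet from 127.0.0.1 sails past "deny udp from 127.0.0.0 to me in via tun0" and is accepted by the "allow udp from any 53 to any in" rule. The host address ME, the interface name tun0 and the probe packets are constructed sample values; keep-state dynamic rules are not modelled, and "add pass" is treated as "allow" as in ipfw.

```python
"""Stateless first-match evaluator for the ipfw rule subset in the post (added example).

Understands rules shaped like
  [add] <allow|pass|deny> <ip|tcp|udp> from <src>[ <ports>] to <dst>[ <ports>]
        [in|out] [via <iface>] [setup] [keep-state]
keep-state is parsed but no dynamic state is kept. ME and the probes are constructed.
"""
import fnmatch
import ipaddress

ME = "203.0.113.10"          # constructed: this host's own (tun0) address
OPTION_WORDS = {"in", "out", "via", "setup", "keep-state"}


def _ports(tok):
    """'443' -> (443, 443); '1024-32768' -> (1024, 32768)."""
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)


def _net(tok):
    """'any' -> None (wildcard); 'me' -> our /32; otherwise a network.
    An address without a mask (e.g. '127.0.0.0') is a single host, exactly as in ipfw."""
    if tok == "any":
        return None
    if tok == "me":
        return ipaddress.ip_network(ME)
    return ipaddress.ip_network(tok, strict=False)


def parse_rule(line):
    """Parse one rule line into a dict; returns None for blank or comment-only lines."""
    toks = line.split("#", 1)[0].split()
    if not toks:
        return None
    if toks[0] == "add":                                  # 'add pass ...' is just 'allow ...'
        toks = toks[1:]
    action = "allow" if toks[0] in ("allow", "pass") else "deny"
    proto = toks[1]
    assert toks[2] == "from", line
    src, i, sports = _net(toks[3]), 4, None
    if toks[i] != "to":
        sports, i = _ports(toks[i]), i + 1
    assert toks[i] == "to", line
    dst, i, dports = _net(toks[i + 1]), i + 2, None
    if i < len(toks) and toks[i] not in OPTION_WORDS:
        dports, i = _ports(toks[i]), i + 1
    rule = dict(action=action, proto=proto, src=src, sports=sports, dst=dst,
                dports=dports, dir=None, via=None, setup=False, text=line.strip())
    opts, j = toks[i:], 0
    while j < len(opts):
        if opts[j] in ("in", "out"):
            rule["dir"] = opts[j]
        elif opts[j] == "via":
            j += 1
            rule["via"] = opts[j]
        elif opts[j] == "setup":
            rule["setup"] = True                          # TCP SYN without ACK only
        j += 1
    return rule


def _in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule, pkt):
    """Stateless match of one parsed rule against a packet dict."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and pkt["src"] not in rule["src"]:
        return False
    if rule["dst"] is not None and pkt["dst"] not in rule["dst"]:
        return False
    if pkt["proto"] in ("tcp", "udp") and not (
            _in_range(rule["sports"], pkt["sport"]) and _in_range(rule["dports"], pkt["dport"])):
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] and not fnmatch.fnmatchcase(pkt["iface"], rule["via"]):   # 'lo*' style glob
        return False
    if rule["setup"] and not (pkt["proto"] == "tcp" and pkt["syn"] and not pkt["ack"]):
        return False
    return True


def evaluate(lines, pkt):
    """Return (1-based rule number, action, rule text) of the first matching rule.
    Nothing matching means the kernel's built-in default deny applies."""
    rules = [r for r in map(parse_rule, lines) if r]
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return n, rule["action"], rule["text"]
    return None, "deny", "<default deny>"


def build_ruleset(spoof_guard):
    """The post's ruleset with a caller-supplied anti-spoofing block after the loopback rule."""
    return ["allow ip from any to any via lo*", *spoof_guard,
            "deny ip from 127.0.0.0/8 to any in setup", "deny ip from any to 127.0.0.0/8 in setup",
            "deny ip from 224.0.0.0/3 to any in setup", "deny tcp from any to 224.0.0.0/3 in setup",
            "allow udp from any to any 53 out", "allow udp from any 53 to any in",
            "allow tcp from any to any 80 out setup keep-state",
            "allow tcp from me to any 443 setup keep-state",
            "allow tcp from me 1024-32768 to any 21 setup keep-state",
            "allow tcp from any 20 to me 1024-32768 setup keep-state",
            "allow tcp from me 1024-32768 to any 1024-32768 setup keep-state",
            "deny ip from any to any"]


def pkt(proto, src, sport, dst, dport, direction, iface, syn=False, ack=False):
    return dict(proto=proto, src=ipaddress.ip_address(src), sport=sport, dst=ipaddress.ip_address(dst),
                dport=dport, dir=direction, iface=iface, syn=syn, ack=ack)


# Constructed probes: the mask-less guard matches only the host 127.0.0.0, the fixed one the whole /8.
AS_POSTED = build_ruleset(["deny udp from 127.0.0.0 to me in via tun0"])
FIXED = build_ruleset(["deny udp from 127.0.0.0/8 to me in via tun0"])
SPOOFED_DNS_REPLY = pkt("udp", "127.0.0.1", 53, ME, 1025, "in", "tun0")
HTTPS_SYN = pkt("tcp", ME, 54321, "198.51.100.7", 443, "out", "tun0", syn=True)

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("with /8", FIXED)):
        print(name, evaluate(rules, SPOOFED_DNS_REPLY))
    print("https", evaluate(AS_POSTED, HTTPS_SYN))
```

Running it shows the spoofed reply accepted by rule 8 with the mask-less guard and dropped by rule 2 once the /8 is added, while a normal outgoing HTTPS SYN from the host still hits the allow rule. Because nothing dynamic is modelled, the evaluator is only meaningful for the first packet of a flow (the one a setup keep-state rule decides on); later packets of an established connection are accepted by ipfw's dynamic rules, which this script does not simulate.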