RES: RES: [FUGSPBR] Seguranca

Qui Nov 7 16:10:38 BRST 2002

> Beleza.... entendi a sistemática....
> mas ainda nao entendi a solução... 

você tem várias formas de faze-lo:

no man natd voce encontra
     -punch_fw basenumber:count
                 This option directs natd to ``punch holes'' in an
                 ipfirewall(4) based firewall for FTP/IRC DCC connections.
                 This is done dynamically by installing temporary firewall
                 rules which allow a particular connection (and only that
con-
                 nection) to go through the firewall.  The rules are removed
                 once the corresponding connection terminates.

                 A maximum of count rules starting from the rule number
                 basenumber will be used for punching firewall holes.  The
                 range will be cleared for all rules on startup.

voce pode tambem limitar ftp somente no modo ativo,
permitindo acesso somente as portas 20 e 21, lembrando que o sentido de
conexão da 20 é inverso ao sentido da 21

voce pode habilitar regras dinamicas com o ipfw
no man ipfw você encontra
   check-state
             Checks the packet against the dynamic ruleset.  If a match is
             found, execute the action associated with the rule which gener-
             ated this dynamic rule, otherwise move to the next rule.
             Check-state rules do not have a body.  If no check-state rule
is
             found, the dynamic ruleset is checked at the first keep-state
or
             limit rule.

ou simplesmente permitir conexoes entre 1024 e 65500 da rede interna para a
internet
ipfw add allow tcp from $sua_rede to any out setup

att,
Marcello Silva Coutinho

ps: Recomendo a leitura do livro "Construindo Firewalls para a Internet
Segunda edição" da O'Reilly .
http://superdownloads.ubbi.com.br/materias/20010406,67,1.html
_______________________________________________________________
Sair da Lista: http://www2.fugspbr.org/mailman/listinfo/fugspbr
Historico: http://www4.fugspbr.org/lista/html/FUG-BR/