Guarddog for p2p

Post by sunreal » Sun Oct 23, 2005 9:21

I set up Guarddog as recommended in "slack for dummies"; in addition, under PROTOCOL I enabled the following entries in both the INTERNET zone and the LOCAL zone:
BitTorrent peer
eDonkey p2p file-sharing protocol
BitTorrent tracker
because I thought that, since I use aMule and BitTorrent, it would be better; I want to point out that the two programs were working before the change.
Did I do the right thing, or am I exposed to too many risks? Bye.
sunreal (Master) · Posts: 1549 · Joined: Sat Apr 09, 2005 23:00 · Location: P.P.P.

Post by zzt » Sun Oct 23, 2005 12:45

The programs were working before the change? But did you have the firewall before?
I'm not 100% sure this is the case, but in theory Guarddog closes everything you don't explicitly open, so they shouldn't have worked...

Try running
Code: Select all
iptables -L -n -v

as root and see whether the firewall has actually been "loaded"...
zzt (Linux 2.4) · Posts: 249 · Joined: Mon Mar 07, 2005 0:00
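zzt's check is the right one: a ruleset that never got loaded leaves the built-in chains with the kernel's ACCEPT policy and no rules, whereas the Guarddog script starts by setting INPUT, FORWARD and OUTPUT to DROP. The sh script below is an added example, not from the thread or from Guarddog, that reads `iptables -L -n -v` output from stdin, reports the default policy of the three built-in chains, and counts the rules in any chain you name. The two sample outputs are constructed here and were not captured from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread): read the output of `iptables -L -n -v`
# from stdin and report whether the three built-in chains really carry the
# DROP default policy that the Guarddog script sets, plus how many rules a
# given chain holds. Real use, as root:
#     iptables -L -n -v | check_default_policies
#     iptables -L -n -v | chain_rule_count f0to1

# Constructed sample of `iptables -L -n -v` output (not captured from the
# poster's machine), shaped like a loaded Guarddog ruleset.
SAMPLE_LOADED='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    5   300 nicfilt    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   90  5400 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain f0to1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:6969 state NEW
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample of a machine with no firewall loaded: the built-in
# chains are empty and still carry the kernel default policy ACCEPT.
SAMPLE_UNLOADED='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Prints one line per built-in chain with its policy; exit status is 0 only
# when INPUT, FORWARD and OUTPUT all default to DROP.
check_default_policies() {
    awk '
        # Built-in chains are the only ones whose header reads "(policy X ...)".
        $1 == "Chain" && $3 == "(policy" {
            policy[$2] = $4
            printf "%-8s policy=%s\n", $2, $4
        }
        END {
            bad = 0
            n = split("INPUT FORWARD OUTPUT", want, " ")
            for (i = 1; i <= n; i++) {
                if (!(want[i] in policy)) {
                    printf "%-8s MISSING\n", want[i]
                    bad = 1
                } else if (policy[want[i]] != "DROP") {
                    bad = 1
                }
            }
            exit bad
        }'
}

# Prints the number of rules in the chain named by $1 (0 if absent or empty).
chain_rule_count() {
    awk -v chain="$1" '
        $1 == "Chain" { inchain = ($2 == chain); next }   # chain header
        inchain && $1 == "pkts" { next }                  # column header
        inchain && NF > 0 { n++ }                         # one rule per line
        END { print n + 0 }'
}

# Stand-alone demo on the constructed loaded sample.
printf '%s\n' "$SAMPLE_LOADED" | check_default_policies
printf '%s\n' "$SAMPLE_LOADED" | chain_rule_count f0to1
```

A non-zero exit from `check_default_policies` on a real box means the script either did not run or ran the `DISABLE_GUARDDOG` branch; a zero rule count in `f0to1` or `f1to0` means the per-zone chains were never populated even though the policies are set.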

Post by Paoletta » Sun Oct 23, 2005 14:18

post the contents of /etc/rc.d/rc.firewall
Paoletta (Staff) · Posts: 3893 · Joined: Sun Apr 24, 2005 23:00 · Location: Varese · Slackware: 13.1 · Desktop: fluxbox

Post by sunreal » Sun Oct 23, 2005 14:29

I confirm that both aMule and Azureus were working before, and also after. I typed iptables -L -n -v and got three pages of output, from which one could infer that iptables is running; I'll post them if you want. What worries me, though, is that /etc/rc.d/rc.firewall DOES NOT EXIST. Bye.

P.S. I re-read how to configure Guarddog on slack for dummies and saw that enabling "Https" also enables the p2p services; of course I had enabled Https in my first Guarddog configuration. Bye again.
sunreal (Master) · Posts: 1549 · Joined: Sat Apr 09, 2005 23:00 · Location: P.P.P.

Post by sunreal » Sun Oct 23, 2005 14:34

Paoletta wrote: post the contents of /etc/rc.d/rc.firewall

I found /etc/rc.firewall, is that what you meant?
sunreal (Master) · Posts: 1549 · Joined: Sat Apr 09, 2005 23:00 · Location: P.P.P.

Post by Paoletta » Sun Oct 23, 2005 15:12

sunreal wrote:
Paoletta wrote: post the contents of /etc/rc.d/rc.firewall

I found /etc/rc.firewall, is that what you meant?

yep, that's where guarddog puts its configuration....try posting it
Paoletta (Staff) · Posts: 3893 · Joined: Sun Apr 24, 2005 23:00 · Location: Varese · Slackware: 13.1 · Desktop: fluxbox

Post by sunreal » Sun Oct 23, 2005 21:57

Here's /etc/rc.firewall. While I'm at it, another question: how can I "attach" the file instead of copy-pasting it?
Bye.

#!/bin/bash
# [Guarddog2]
# DO NOT EDIT!
# This firewall script was generated by "Guarddog" by Simon Edwards
# http://www.simonzone.com/software/guarddog/ This script requires Linux
# kernel version 2.2.x and ipchains OR Linux kernel 2.4.x and iptables.
#
# [Description]
#
# [Config]
# LOCALPORTRANGESTART=1024
# LOCALPORTRANGEEND=5999
# DISABLED=0
# LOGREJECT=1
# LOGDROP=1
# LOGABORTEDTCP=1
# LOGIPOPTIONS=1
# LOGTCPOPTIONS=1
# LOGTCPSEQUENCE=1
# LOGLEVEL=4
# LOGRATELIMIT=1
# LOGRATE=1
# LOGRATEUNIT=0
# LOGRATEBURST=10
# LOGWARNLIMIT=1
# LOGWARNRATE=2
# LOGWARNRATEUNIT=1
# DHCPC=0
# DHCPCINTERFACENAME=eth0
# DHCPD=0
# DHCPDINTERFACENAME=eth0
# ALLOWTCPTIMESTAMPS=0
# [ServerZone] Internet
# [ClientZone] Locale
# CONNECTED=1
# PROTOCOL=bt-tracker
# PROTOCOL=smtp
# PROTOCOL=edonkey2000
# PROTOCOL=bt-peer
# PROTOCOL=ping
# PROTOCOL=https
# PROTOCOL=domain
# PROTOCOL=http
# PROTOCOL=ftp
# PROTOCOL=pop3
# PROTOCOL=pgpkeyserver
# [ServerZone] Locale
# [ClientZone] Internet
# CONNECTED=1
# PROTOCOL=bt-tracker
# PROTOCOL=smtp
# PROTOCOL=edonkey2000
# PROTOCOL=auth
# PROTOCOL=bt-peer
# PROTOCOL=pop3
# [End]

# Real code starts here
# If you change the line below then also change the # DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
# Set the path
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
# Detect which filter command we should use.
FILTERSYS=0
# 0 = unknown, 1 = ipchains, 2 = iptables
# Check for ipchains.
if [ -e /sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/local/sbin/ipchains ]; then
FILTERSYS=1
fi;
# Check for iptables support.
if [ -e /proc/sys/kernel/osrelease ]; then
KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kernel/osrelease`
if [ $KERNEL_VERSION == "2.6" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.5" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.4" ]; then
if [ -e /sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/local/sbin/iptables ]; then
FILTERSYS=2
fi;
fi;
fi;
if [ $FILTERSYS -eq 0 ]; then
logger -p auth.info -t guarddog "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "ERRORE: non riesco a determinare il comando di firewall! (E' installato ipchains o iptables?)"
false
fi;
if [ $FILTERSYS -eq 1 ]; then
###############################
###### ipchains ###############
###############################
logger -p auth.info -t guarddog Configuring ipchains firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Uso ipchains."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Reimposto le regole del firewall."
# Shut down all traffic
ipchains -P forward DENY
ipchains -P input DENY
ipchains -P output DENY

# Delete any existing chains
ipchains -F
ipchains -X

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Imposto i parametri del kernel."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set up the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_filter turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and matching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"

# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL

# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done

echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuro le regole del firewall."
# Allow loopback traffic.
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# Accept broadcasts from ourself.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
ipchains -A input -i $NIC -s $IP -d $BCAST -j ACCEPT
done

# Allow certain critical ICMP types
ipchains -A input -p icmp --sport 3 -j ACCEPT # Dest unreachable
ipchains -A output -p icmp --sport 3 -j ACCEPT # Dest unreachable
ipchains -A forward -p icmp --sport 3 -j ACCEPT &> /dev/null # Dest unreachable
ipchains -A input -p icmp --sport 11 -j ACCEPT # Time exceeded
ipchains -A output -p icmp --sport 11 -j ACCEPT # Time exceeded
ipchains -A forward -p icmp --sport 11 -j ACCEPT &> /dev/null # Time exceeded
ipchains -A input -p icmp --sport 12 -j ACCEPT # Parameter Problem
ipchains -A output -p icmp --sport 12 -j ACCEPT # Parameter Problem
ipchains -A forward -p icmp --sport 12 -j ACCEPT &> /dev/null # Parameter Problem
# Work out our local IPs.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
ipchains -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
ipchains -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.
ipchains -A nicfilt -l -j DENY

# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Locale'
ipchains -N f0to1
# Create chain to filter traffic going from 'Locale' to 'Internet'
ipchains -N f1to0
# Add rules to the filter chains

# Traffic from 'Internet' to 'Locale'
# Allow 'bt-tracker'
# This protocol is used to contact a tracker that coordinates BitTorrent download peers.
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 6969:6969 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 6969:6969 --dport 1024:65535 -j ACCEPT
# Allow 'smtp'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 25:25 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 25:25 --dport 1024:65535 -j ACCEPT
# Allow 'edonkey2000'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 4661:4661 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 4661:4661 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 4662:4662 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 4662:4662 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 4662:4662 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 4662:4662 --dport 1024:5999 -j ACCEPT
ipchains -A f0to1 -p udp --sport 1024:65535 --dport 4665:4665 -j ACCEPT
ipchains -A f1to0 -p udp --sport 4665:4665 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p udp --sport 1024:65535 --dport 4666:4666 -j ACCEPT
ipchains -A f1to0 -p udp --sport 4666:4666 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 4666:4666 -j ACCEPT
ipchains -A f0to1 -p udp --sport 4666:4666 --dport 1024:5999 -j ACCEPT
# Allow 'auth'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 113:113 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 113:113 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p udp --sport 0:65535 --dport 113:113 -j ACCEPT
ipchains -A f1to0 -p udp --sport 113:113 --dport 0:65535 -j ACCEPT
# Allow 'bt-peer'
# Peer BitTorrent
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 6881:6889 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 6881:6889 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 6881:6889 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 6881:6889 --dport 1024:5999 -j ACCEPT
# Allow 'pop3'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 110:110 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 110:110 --dport 1024:65535 -j ACCEPT

# Rejected traffic from 'Internet' to 'Locale'

# Traffic from 'Locale' to 'Internet'
# Allow 'bt-tracker'
# This protocol is used to contact a tracker that coordinates BitTorrent download peers.
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 6969:6969 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 6969:6969 --dport 1024:5999 -j ACCEPT
# Allow 'smtp'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 25:25 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 25:25 --dport 1024:5999 -j ACCEPT
# Allow 'edonkey2000'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 4661:4661 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 4661:4661 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 4662:4662 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 4662:4662 --dport 1024:5999 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 4662:4662 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 4662:4662 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 4665:4665 -j ACCEPT
ipchains -A f0to1 -p udp --sport 4665:4665 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 4666:4666 -j ACCEPT
ipchains -A f0to1 -p udp --sport 4666:4666 --dport 1024:5999 -j ACCEPT
ipchains -A f0to1 -p udp --sport 1024:65535 --dport 4666:4666 -j ACCEPT
ipchains -A f1to0 -p udp --sport 4666:4666 --dport 1024:65535 -j ACCEPT
# Allow 'bt-peer'
# Peer BitTorrent
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 6881:6889 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 6881:6889 --dport 1024:5999 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 6881:6889 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 6881:6889 --dport 1024:65535 -j ACCEPT
# Allow 'ping'
# Echo Request
ipchains -A f1to0 -p icmp --sport 8 -j ACCEPT
# Echo Reply
ipchains -A f0to1 -p icmp --sport 0 -j ACCEPT
# Allow 'https'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 443:443 --dport 1024:5999 -j ACCEPT
# Allow 'domain'
ipchains -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f0to1 -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
# Allow 'http'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 80:80 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8080:8080 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8008:8008 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8000:8000 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8888:8888 --dport 1024:5999 -j ACCEPT
# Allow 'ftp'
# Control connection
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 21:21 --dport 1024:5999 -j ACCEPT
# Data connection
ipchains -A f0to1 -p tcp --sport 20:20 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 1024:65535 --dport 20:20 -j ACCEPT
# Passive-mode data connection
ipchains -A f1to0 -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 1024:65535 --dport 1024:65535 -j ACCEPT
# Allow 'pop3'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 110:110 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 110:110 --dport 1024:5999 -j ACCEPT
# Allow 'pgpkeyserver'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 11371:11371 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 11371:11371 --dport 1024:5999 -j ACCEPT

# Rejected traffic from 'Locale' to 'Internet'

# Place DENY and log rules at the end of our filter chains.
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f0to1 -l -j DENY
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f1to0 -l -j DENY

# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have ipchains be
# able to look it up without being blocked by our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
ipchains -A output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# Chain to split traffic coming from zone 'Internet' by dest zone
ipchains -N s0
for X in $IPS ; do
ipchains -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
ipchains -A s0 -l -j DENY

# Chain to split traffic coming from zone 'Locale' by dest zone
ipchains -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
ipchains -A s1 -j f1to0
# Create the srcfilt chain
ipchains -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
ipchains -A srcfilt -j s0

# Remove the temp DNS accept rules
if [ $MIN_MODE -eq 0 ] ; then
ipchains -D output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -D input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -D output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -D input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# The output chain is quite simple. We diverge and filter any traffic from
# the local machine and accept the rest. The rest should have come via the
# forward chain, and hence is already filtered.
ipchains -A output -j nicfilt
for X in $IPS ; do
ipchains -A output -s $X -j s1
done
ipchains -A output -j ACCEPT

ipchains -A input -j nicfilt
# Direct local bound traffic on the input chain to the srcfilt chain
for X in $IPS ; do
ipchains -A input -d $X -j srcfilt
done
ipchains -A input -j ACCEPT

# All traffic on the forward chains goes to the srcfilt chain.
ipchains -A forward -j nicfilt &> /dev/null
ipchains -A forward -j srcfilt &> /dev/null

logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finito."
fi;
if [ $FILTERSYS -eq 2 ]; then
###############################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Uso iptables."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Reimposto le regole del firewall."
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Delete any existing chains
iptables -F
iptables -X

# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Carico i moduli del kernel."
modprobe ip_conntrack_ftp

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Imposto i parametri del kernel."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection if available
test -e /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_filter turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and matching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"

# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL

# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done

echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 2> /dev/null
echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuro le regole del firewall."
# Set up our logging and packet 'executing' chains
iptables -N logdrop2
iptables -A logdrop2 -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logdrop2 -j DROP
iptables -N logdrop
iptables -A logdrop -m limit --limit 1/second --limit-burst 10 -j logdrop2
iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logdrop -j DROP
iptables -N logreject2
iptables -A logreject2 -j LOG --log-prefix "REJECTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject2 -j DROP
iptables -N logreject
iptables -A logreject -m limit --limit 1/second --limit-burst 10 -j logreject2
iptables -A logreject -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logreject -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject -j DROP
iptables -N logaborted2
iptables -A logaborted2 -j LOG --log-prefix "ABORTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logaborted2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N logaborted
iptables -A logaborted -m limit --limit 1/second --limit-burst 10 -j logaborted2
iptables -A logaborted -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4

# Allow loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Accept broadcasts from ourself.
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
iptables -A INPUT -i $NIC -s $IP -d $BCAST -j ACCEPT
done

# Detect aborted TCP connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j logaborted
# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow certain critical ICMP types
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Work out our local IPs.
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
iptables -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
iptables -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
iptables -A nicfilt -j logdrop
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.

# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Locale'
iptables -N f0to1
# Create chain to filter traffic going from 'Locale' to 'Internet'
iptables -N f1to0
# Add rules to the filter chains

# Traffic from 'Internet' to 'Locale'
# Allow 'bt-tracker'
# This protocol is used to contact a tracker that coordinates BitTorrent download peers.
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 6969:6969 -m state --state NEW -j ACCEPT
# Allow 'smtp'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 25:25 -m state --state NEW -j ACCEPT
# Allow 'edonkey2000'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 4661:4661 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 4662:4662 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 4662:4662 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p udp --sport 1024:65535 --dport 4665:4665 -j ACCEPT
iptables -A f0to1 -p udp --sport 1024:65535 --dport 4666:4666 -j ACCEPT
iptables -A f1to0 -p udp --sport 1024:5999 --dport 4666:4666 -j ACCEPT
# Allow 'auth'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 113:113 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p udp --sport 0:65535 --dport 113:113 -j ACCEPT
# Allow 'bt-peer'
# Peer BitTorrent
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 6881:6889 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 6881:6889 -m state --state NEW -j ACCEPT
# Allow 'pop3'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 110:110 -m state --state NEW -j ACCEPT

# Rejected traffic from 'Internet' to 'Locale'

# Traffic from 'Locale' to 'Internet'
# Allow 'bt-tracker'
# This protocol is used to contact a tracker that coordinates BitTorrent download peers.
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 6969:6969 -m state --state NEW -j ACCEPT
# Allow 'smtp'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 25:25 -m state --state NEW -j ACCEPT
# Allow 'edonkey2000'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 4661:4661 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 4662:4662 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 4662:4662 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 1024:5999 --dport 4665:4665 -j ACCEPT
iptables -A f1to0 -p udp --sport 1024:5999 --dport 4666:4666 -j ACCEPT
iptables -A f0to1 -p udp --sport 1024:65535 --dport 4666:4666 -j ACCEPT
# Allow 'bt-peer'
# Peer BitTorrent
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 6881:6889 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 6881:6889 -m state --state NEW -j ACCEPT
# Allow 'ping'
# Echo Request
iptables -A f1to0 -p icmp --icmp-type echo-request -j ACCEPT
# Echo Reply
iptables -A f0to1 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'https'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'domain'
iptables -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
# Allow 'http'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
# Allow 'ftp'
# Control connection
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -m state --state NEW -j ACCEPT
# Data connection
# - Handled by netfilter state tracking
# Passive-mode data connection
# - Handled by netfilter state tracking
# Allow 'pop3'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 110:110 -m state --state NEW -j ACCEPT
# Allow 'pgpkeyserver'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 11371:11371 -m state --state NEW -j ACCEPT

# Rejected traffic from 'Locale' to 'Internet'

# Place DROP and log rules at the end of our filter chains.
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to0 -j logdrop

# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to iptables and have it
# look them up without being blocked by our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
iptables -A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# Chain to split traffic coming from zone 'Internet' by dest zone
iptables -N s0
for X in $IPS ; do
iptables -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
iptables -A s0 -j logdrop

# Chain to split traffic coming from zone 'Locale' by dest zone
iptables -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
iptables -A s1 -j f1to0
# Create the srcfilt chain
iptables -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
iptables -A srcfilt -j s0

if [ $MIN_MODE -eq 0 ] ; then
# Remove the temp DNS accept rules
iptables -D OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -D OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# The output chain is very simple. We direct everything to the
# 'source is local' split chain.
iptables -A OUTPUT -j s1

iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt

# All traffic on the forward chains goes to the srcfilt chain.
iptables -A FORWARD -j srcfilt &> /dev/null

logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finito."
fi;
fi;
true
sunreal
Master
 
Posts: 1549
Joined: Sat Apr 09, 2005 23:00
Location: P.P.P.
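An added check, not part of sunreal's post and not something Guarddog generates: the question in the thread is whether this ruleset leaves the machine too exposed, and the way to answer it is to list which ports accept NEW connections in the Internet-to-Local direction (chain f0to1 in the script above; f1to0 is the outbound direction). The sample rules below are a constructed excerpt in the shape of the generated script; feed the real script or the output of `iptables-save` to the function instead.

```shell
#!/bin/sh
# Audit helper (added example): list the ports a Guarddog-style ruleset
# opens for inbound connections. Chain names f0to1 (Internet -> Local) and
# f1to0 (Local -> Internet) are the ones used in the generated script.

# Constructed sample in the same shape as the generated script. The real
# script, or `iptables-save` output (lines starting with "-A"), works too.
SAMPLE_RULES='
# Allow edonkey2000
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 4662:4662 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 4662:4662 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 1024:5999 --dport 4665:4665 -j ACCEPT
iptables -A f0to1 -p udp --sport 1024:65535 --dport 4666:4666 -j ACCEPT
# Peer BitTorrent
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 6881:6889 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 6881:6889 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A f0to1 -j logdrop
'

# inbound_accepts CHAIN   (rules on stdin)
# Prints "proto dport" for every ACCEPT rule appended to CHAIN that carries
# a --dport. UDP rules in the generated script have no --state NEW, so a
# plain ACCEPT on a UDP port counts as an opening as well. Rules without a
# port (the ICMP echo-reply accept) are deliberately not listed.
inbound_accepts() {
    chain="$1"
    awk -v chain="$chain" '
        { start = ($1 == "iptables") ? 2 : 1 }
        $start == "-A" && $(start + 1) == chain && $NF == "ACCEPT" {
            proto = ""; dport = ""
            for (i = start; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
            }
            if (dport != "") print proto, dport
        }'
}

# count_inbound CHAIN: number of port openings in CHAIN for the sample
count_inbound() {
    printf '%s\n' "$SAMPLE_RULES" | inbound_accepts "$1" | wc -l | tr -d ' '
}

# Usage: ports reachable from the Internet in the sample
printf '%s\n' "$SAMPLE_RULES" | inbound_accepts f0to1
```

On the sample this prints three lines (tcp 4662:4662, udp 4666:4666, tcp 6881:6889), which is exactly the eDonkey and BitTorrent peer ports enabled in the zone settings; everything else that arrives from the Internet falls through to the logdrop chain. Run the same function against the full script to confirm nothing else is open in f0to1.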

Post by Paoletta » Mon Oct 24, 2005 12:21

aaaaaaargh, I didn't think guarddog produced such long files!!
anyway I think that for a desktop system having a file like that is a bit paranoid... if you want I'll post my fw;
but even if you leave things as they are you should be safe as houses.

bye!
Paoletta
Staff
 
Posts: 3893
Joined: Sun Apr 24, 2005 23:00
Location: Varese
Slackware: 13.1
Desktop: fluxbox

Post by sunreal » Mon Oct 24, 2005 13:15

Paoletta wrote: aaaaaaargh, I didn't think guarddog produced such long files!!
anyway I think that for a desktop system having a file like that is a bit paranoid... if you want I'll post my fw;
but even if you leave things as they are you should be safe as houses.

bye!


It's not that I'm paranoid, even if the more secure the better; everything you see guarddog did on its own, maybe I was a bit restrictive, but slack for dummies said not to enable anything you don't need or don't know what it is, and that's what I did. If you can, post yours so I can compare. Thanks a lot.
sunreal
Master
 
Posts: 1549
Joined: Sat Apr 09, 2005 23:00
Location: P.P.P.

Post by Paoletta » Mon Oct 24, 2005 13:38

yes, I know guarddog does it on its own... it just seems excessive to me to have a file like that for a desktop system;
anyway I've sent you mine in a PM.

P.S. IMHO it's always better to understand how iptables works and build your own fw rather than leave it to automatic tools; that way, if you understand how to do something, you know where to put your hands; that's all, I didn't mean to offend you!
Paoletta
Staff
 
Posts: 3893
Joined: Sun Apr 24, 2005 23:00
Location: Varese
Slackware: 13.1
Desktop: fluxbox

Post by sunreal » Mon Oct 24, 2005 14:04

Paoletta wrote: yes, I know guarddog does it on its own... it just seems excessive to me to have a file like that for a desktop system;
anyway I've sent you mine in a PM.

P.S. IMHO it's always better to understand how iptables works and build your own fw rather than leave it to automatic tools; that way, if you understand how to do something, you know where to put your hands; that's all, I didn't mean to offend you!


Who's offended? I just wanted to explain how I had "created" it, that's all. Well, now that I'm not offended...... but what is a PM, and IMHO for that matter? I agree about doing it yourself, but I read the iptables guide that comes from something like OpenSkills and I have to say it's not the kind of thing you digest every day, especially for someone like me who got to know computing through Linux. Thanks again.

PM = Private Message, ok, I've got it now. And I read your mini firewall; well, it's certainly not like mine. Bye
sunreal
Master
 
Posts: 1549
Joined: Sat Apr 09, 2005 23:00
Location: P.P.P.
