|
Here's a simple example of config ipfilterd on IRIX:
1.You should probably systune 'ipfilterd_inactive_behavior = 0' before you
start experimenting with this so that you don't kill your connection
totally.
#echo yes | systune ipfilterd_inactive_behavior 0
2. vi /etc/ipfilterd.conf
#
# ipfilterd.conf
# $Revision: 1.3 $
#
# Configuration file for ipfilterd(1M) IP layer packet filtering.
# Lines that begin with # are comments and are ignored.
# Lines begin with a keyword, followed either by a macro definition or
# by an optional interface filter, which may be followed by a protocol
# filter.
# Both macros and filters use SGI's netsnoop(1M) filter syntax.
#
# The currently supported keywords are:
# accept : accept all packets matching this filter
# reject : silently discard packets matching this filter
# define : define a new macro to add to the standard netsnoop macros
#
# See the ipfilterd(1M) man page for examples of filters and macros.
#
# The network administrator may find the following macros useful:
#
define ip.netAsrc (src&0xff000000)=$1
define ip.netAdst (dst&0xff000000)=$1
define ip.netBsrc (src&0xffff0000)=$1
define ip.netBdst (dst&0xffff0000)=$1
define ip.netCsrc (src&0xffffff00)=$1
define ip.netCdst (dst&0xffffff00)=$1
define ip.notnetAsrc not((src&0xff000000)=$1)
define ip.notnetAdst not((dst&0xff000000)=$1)
define ip.notnetBsrc not((src&0xffff0000)=$1)
define ip.notnetBdst not((dst&0xffff0000)=$1)
define ip.notnetCsrc not((src&0xffffff00)=$1)
define ip.notnetCdst not((dst&0xffffff00)=$1)
#
# Additional macros:
#
# Filters follow:
#
# Allow your class C nett to do it all:
accept ip.netCsrc XXX.XXX.XXX.0
#
# Allow incoming secure shell from everywhere
accept -i ec0 tcp.dport 22
#
# Allow incoming http from everywhere
accept -i ec0 tcp.dport 80
#
# Allow incoming ftp + ftp-data from everywhere (do you really want this?)
accept -i ec0 tcp.dport 21
accept -i ec0 tcp.dport 20
#
# allow in identd.
accept -i ec0 tcp.dport auth
#
# reject all other incoming tcp SYNs so that no one can connect
reject -i ec0 ip.dst my.ip.add.res and tcp.flags == SYN
#
# reject what are typically X connections (use ssh forwarding instead)
reject -i ec0 ip.dst my.ip.add.res and tcp.dport > 5999 and tcp.dport <
6011
#
# allow in non-privileged ports (remember to set "UsePrivilegedPort no" in
# /etc/ssh-config!)
accept -i ec0 tcp.dport > 1023
accept -i ec0 udp.dport > 1023
#
# allow in certain ICMP traffic
accept -i ec0 icmp.type == ECHO
accept -i ec0 icmp.type == ECHOREPLY
accept -i ec0 icmp.type == UNREACHABLE
accept -i ec0 icmp.type == TIMXCEED
3.start ipfilterd
#ipfilterd -d
|
![[ 永远的UNIX::UNIX技术资料的宝库 ]](/images/title.gif)
