Search the Community

AVG Internet Security 2015 provides you with protection against viruses, malware, spam, scams, phishing, and more. Plus, it has additional features such as a firewall, internet accelerator, privacy protector, and more. Read more at Nothing found for - | SharewareOnSale Free AVG Internet Security 2015 (100% discount) - SharewareOnSale

Xvirus Personal Firewall PRO is a lightweight, easy-to-use firewall for Windows. With features such as blocking untrusted programs, network monitor, ransom checker, and cloud check, Xvirus Personal Firewall PRO provides you with everything you need for additional protection against hackers — without slowing down your computer. Read more at Free Xvirus Personal Firewall PRO (100% discount) - SharewareOnSale Free Xvirus Personal Firewall PRO (100% discount) - SharewareOnSale

knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access. Options: -i, --interface <int> Specify an interface to listen on. The default is eth0. -d, --daemon Become a daemon. This is usually desired for normal server-like operation. -c, --config <file> Specify an alternate location for the config file. Default is /etc/knockd.conf. -D, --debug Ouput debugging messages. -l, --lookup Lookup DNS names for log entries. This may be a security risk! See section SECURITY NOTES. -v, --verbose Output verbose status messages. -V, --version Display the version. -h, --help Syntax help. Download: http://www.zeroflux.org/projects/knock

iptables is built on top of netfilter, the packet alteration framework for Linux 2.4.x and 2.6.x. It is a major rewrite of its predecessor ipchains, and is used to control packet filtering, Network Address Translation (masquerading, portforwarding, transparent proxying), and special effects such as packet mangling. Changes: This release adds support for the Day Transition Ignore option in xt_time. Download Linux IPTables Firewall 1.4.17 ? Packet Storm

Salut , si cum zice titlu ma refer la blocarea accesului out/in . PS: Folosesc Linux BackTrack 5 R3. Daca nu am postat bine .. pe grabite

In acest mini-how to voi explica cum trebuie configurat firewall-ul intrun sistem Unix/Solaris10 [blade]# uname -a SunOS blade 5.10 Generic_147440-01 sun4u sparc SUNW,Sun-Blade Pentru a porni firewall-ul vor trebui puse online 3 servicii [blade]# svcadm enable svc:/network/pfil:default [blade]# svcadm enable svc:/network/ipfilter:default [blade]# svcadm enable svc:/system/rmtmpfiles:default Pentru a verifica daca serviciile sunt online [blade]# svcs | egrep '(pfil|ipfilter)' online 17:52:51 svc:/network/pfil:default online 17:53:04 svc:/network/ipfilter:default online 17:53:05 svc:/system/rmtmpfiles:default /etc/ipf/pfil.ap va trebui populat cu numele interfetei de retea Pentru a vedea numele interfetei de retea se va folosi ifconfig [blade]# ifconfig -a lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1 inet 127.0.0.1 netmask ff000000 bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 192.168.123.110 netmask ffffff00 broadcast 192.168.123.255 ether 0:3:ba:92:89:ec [blade]# Interfata de retea este bge0 Numele interfetei bge . 0 fiind valoare primei interfete In fisierul /etc/ipf/pfil.ap se va introduce urmatoarea linie de ced echo "bge -1 0 pfil" > /etc/ipf/pfil.ap Regulile firewall-ului pot fi puse in /etc/ipf/ipf.conf Urmatorul comand va face in asa fel incat regulile sa fie citite din fisier ,deobicei vine rulat dupa ce vin introduse regulile ipf -Fa -f /etc/ipf/ipf.conf Urmatorul comand afiseaza in terminal regulile care au fost introduse si vin procesate de catre ipf [blade]# ipfstat -io block out log on bge0 all head 150 # Group 150 pass out quick proto tcp from any to any flags S/SA keep state group 150 pass out quick proto udp from any to any keep state group 150 pass out quick proto icmp from any to any keep state group 150 block in log on bge0 all head 100 # Group 100 pass in quick proto tcp from any to any port = ssh keep state group 100 pass in quick proto tcp from any to any port = 443 keep state group 100 pass in quick proto tcp from any to any port = 8080 keep state group 100 pass in quick proto icmp from any to any icmp-type echo keep state group 100 [blade]# Pentru a intelege structura regulilor puteti vizita urmatorul link IPFilter FAQ

Mai jos puteti vedea un firewall minimal pentru Linux, care face urmatoarele lucruri: - Seteaza politica default cu drop (nu accepta niciun pachet, atat pe INPUT, FORWARD cat si pe OUTPUT). - Blocheaza pachetele TCP cu flag-uri invalide. - Blocheaza OS Fingerprint (detectarea sistemului de operare cu nmap sau alte tool-uri pentru os-fingerprint) - Permite icmp echo requests (ping) catre host. - Permite pachetele UDP venite de la nameserverele setate in "/etc/resolv.conf" (Source port 53) - Accepta conexiuni ssh doar de la surse bine stabilite (exemplu: de la office / home) . In acest fel suntem siguri ca daca ne stie cineva parola de la un utilizator, nu va putea intra. Este o buna masura de precautie impotriva scanning-ului. - Permite rularea serviciilor pe porturile standarde pentru: ftp, smtp, web, pop3 si https. Alte note: - EXTDEV reprezinta interfata externa de retea. - In sectiunea SECSHELL se pun adresele IP de unde dorim sa avem acces SSH. - NU folositi comanda "iptables -F" sau "iptables --flush"; politica default este DROP! (daca doriti sa scoateti firewall-ul din functiune, dati stop la el) - In sectiunea SERVICES sunt definite porturile pentru servicii: ftp, smtp, web, pop3 si https. - In acest exemplu minimal, nu exista reguli pe FORWARD. Daca serverul este folosit ca router, nu va functiona. Este necesar sa adaugati reguli pentru forward/nat - Nu folositi acest script inainte de a va da seama ce face exact, in special, nu folositi acest script pe servere la care nu aveti acces fizic, daca nu stiti ce face. - Scriptul se executa impreuna cu un argument: start, stop sau status. #!/bin/sh # Descriere: Firewall minimal pentru linux. ## -- Constante EXTDEV="eth0" SECSHELL="4.2.2.2 8.8.8.8 5.5.5.5" SERVICES="20 21 25 80 110 443" firewall_start () { echo "apply rules ...." ## -- Sterge orice regula prezenta iptables -F iptables -Z iptables -X iptables -F -t nat iptables -Z -t nat iptables -Z -t nat iptables -F -t mangle iptables -Z -t mangle iptables -X -t mangle ## -- Politica default iptables --policy INPUT DROP iptables --policy OUTPUT DROP iptables --policy FORWARD DROP ## -- Permite trafic nelimitat pe localhost iptables -I INPUT -d 127.0.0.0/8 -j ACCEPT iptables -I OUTPUT -s 127.0.0.0/8 -j ACCEPT ## -- Accepta orice conexiune care este stabilizata in momentul initializarii firewall-ului. iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT ## -- Permite orice pachet catre OUT. iptables -I OUTPUT -p all -j ACCEPT ## -- Accepta sursele definite in SECSHELL pentru a se conecta la serviciul SSH. for i in $SECSHELL;do iptables -I INPUT -p tcp -s $i --dport 22 -j ACCEPT;done ## -- Accepta orice icmp echo (ping) iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT ## -- Blocheaza pachetele invalide iptables -I INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP iptables -I INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP iptables -I INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -I INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -I INPUT -p tcp --tcp-flags SYN,ACK NONE -j DROP iptables -I INPUT -p tcp --tcp-flags RST,FIN RST,FIN -j DROP iptables -I INPUT -p tcp --tcp-flags SYN,URG SYN,URG -j DROP iptables -I INPUT -p tcp --tcp-flags ALL SYN,PSH -j DROP iptables -I INPUT -p tcp --tcp-flags ALL SYN,ACK,PSH -j DROP ## -- Accepta orice port listat in SERVICES (pe tcp) for i in $SERVICES;do iptables -I INPUT -p tcp --dport $i -j ACCEPT;done ## -- Accepta orice pachet de la DNS-uri (port sursa 53) - doar cele listate in "/etc/resolv.conf" cat /etc/resolv.conf | \ awk '/^nameserver/ {print $2}' | \ xargs -n1 iptables -I INPUT -p udp --sport 53 -j ACCEPT -s echo "done, fw active." return 0 } firewall_status () { echo "fw status: " iptables -L -n -v return 0 } firewall_stop () { echo "ok. fw stop, clearing rules." iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -Z iptables -X iptables -F -t nat iptables -Z -t nat iptables -Z -t nat iptables -F -t mangle iptables -Z -t mangle iptables -X -t mangle return 0 } case "$1" in start) firewall_start ;; stop) firewall_stop ;; status) firewall_status ;; *) echo "Folosire: $0 {start|status|stop}" exit 1 esac exit 0 ------------------------------- Daca doriti sa puneti tutorialul pe un alt site, va rog sa specificati sursa: https://rstcenter.com/forum/46641-firewall-minimal-pentru-linux.rst "Avem a multumi"