Tuesday, 23 September 2008

Configuring the IPF firewall (packet filter) for the WHM/cPanel hosting panel

Continuing the article on configuring the FreeBSD kernel for WHM/cPanel, we now look at building rules for IPFILTER (IPF). The syntax is very simple, and we will go through a ready-made ruleset for a server with the network interface rl0 (replace it if yours is different) and the cPanel hosting panel.

Save these rules to a file and load them with the command
ipf -Fa -f path/to/file
after which the server is protected by the IPF packet filter.

# Outbound connection control. Allowed: http, https, ftp, ftp-data, pop3, imap, smtp, ssh, dns, urchin, whois, time, ntp
pass out quick on rl0 proto tcp from any to any port = 80 flags S keep frags keep state
pass out quick on rl0 proto tcp from any to any port = 443 flags S keep frags keep state
pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep frags keep state
pass out quick on rl0 proto tcp from any to any port = 20 flags S keep state keep frags
pass out quick on rl0 proto tcp from any to any port = 110 flags S keep frags keep state
pass out quick on rl0 proto tcp from any to any port = 143 flags S keep frags keep state
pass out quick on rl0 proto tcp from any to any port = 25 flags S keep frags keep state
pass out quick on rl0 proto tcp from any to any port = 22 flags S keep frags keep state
pass out quick on rl0 proto udp from any to any port = 53 keep state keep frags
pass out quick on rl0 proto tcp from any to any port = 53 keep state keep frags
pass out quick on rl0 proto tcp from any to any port = 5999 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 37 keep state
pass out quick on rl0 proto tcp from any to any port = 123 keep state
pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state
# Allow access to the WHM/cPanel panel's specific ports
pass out quick on rl0 proto tcp from any to any port = 2089 keep state keep frags

# Block all other outbound igmp and icmp

block out quick on rl0 proto igmp all
block out quick on rl0 proto icmp from any to any

# Block outbound packets to reserved networks
# NOTE (editor): this list reflects the 2008 allocation state; many of these ranges (e.g. 23.0.0.0/8, 72.0.0.0/5, 96.0.0.0/3)
# have since been assigned to ordinary networks, so check the current IANA allocations before reusing it
block out quick on rl0 from any to 0.0.0.0/7
block out quick on rl0 from any to 2.0.0.0/8
block out quick on rl0 from any to 5.0.0.0/8
block out quick on rl0 from any to 10.0.0.0/8
block out quick on rl0 from any to 23.0.0.0/8
block out quick on rl0 from any to 27.0.0.0/8
block out quick on rl0 from any to 31.0.0.0/8
block out quick on rl0 from any to 69.0.0.0/8
block out quick on rl0 from any to 70.0.0.0/7
block out quick on rl0 from any to 72.0.0.0/5
block out quick on rl0 from any to 82.0.0.0/7
block out quick on rl0 from any to 84.0.0.0/6
block out quick on rl0 from any to 88.0.0.0/5
block out quick on rl0 from any to 96.0.0.0/3
block out quick on rl0 from any to 127.0.0.0/8
block out quick on rl0 from any to 128.0.0.0/16
block out quick on rl0 from any to 128.66.0.0/16
block out quick on rl0 from any to 169.254.0.0/16
block out quick on rl0 from any to 172.16.0.0/12
block out quick on rl0 from any to 191.255.0.0/16
block out quick on rl0 from any to 192.0.0.0/19
block out quick on rl0 from any to 192.0.48.0/20
block out quick on rl0 from any to 192.0.64.0/18
block out quick on rl0 from any to 192.0.128.0/17
block out quick on rl0 from any to 192.168.0.0/16
block out quick on rl0 from any to 197.0.0.0/8
block out quick on rl0 from any to 201.0.0.0/8
block out quick on rl0 from any to 204.152.64.0/23
block out quick on rl0 from any to 206.112.0.0/16
block out quick on rl0 from any to 224.0.0.0/3

# Block all remaining outbound connections
block out on rl0 all

# Inbound connection control. Allowed: http, https, ftp, ftp-data, pop3, imap, smtp, ssh, dns
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep frags keep state
pass in quick on rl0 proto tcp from any to any port = 25 keep state
pass in quick on rl0 proto tcp from any to any port = 110 flags S keep frags keep state
pass in quick on rl0 proto tcp from any to any port = 143 keep state
pass in quick on rl0 proto tcp from any to any port = 443 flags S keep frags keep state
pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state
pass in quick on rl0 proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep frags keep state
# Allow access to the WHM/cPanel panel's specific ports
pass in quick on rl0 proto tcp from any to any port = 2084 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 2086 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 2095 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 2082 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 2096 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 2087 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 2083 keep state keep frags

# Block all other inbound igmp and icmp

block in quick on rl0 proto icmp all
block in quick on rl0 proto igmp all

# Final settings and anti-spoofing
block in quick on rl0 all with ipopts
block in quick on rl0 all with frag
block in quick on rl0 all with short
block return-rst in quick on rl0 proto tcp all flags FUP
block return-rst in quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in quick on rl0 proto udp from any to any
block in log quick on rl0 all with opt lsrr
block in log quick on rl0 all with opt ssrr
block in quick on rl0 from 0.0.0.0/7 to any
block in quick on rl0 from 2.0.0.0/8 to any
block in quick on rl0 from 5.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 23.0.0.0/8 to any
block in quick on rl0 from 27.0.0.0/8 to any
block in quick on rl0 from 31.0.0.0/8 to any
block in quick on rl0 from 69.0.0.0/8 to any
block in quick on rl0 from 70.0.0.0/7 to any
block in quick on rl0 from 72.0.0.0/5 to any
block in quick on rl0 from 82.0.0.0/7 to any
block in quick on rl0 from 84.0.0.0/6 to any
block in quick on rl0 from 88.0.0.0/5 to any
block in quick on rl0 from 96.0.0.0/3 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 128.0.0.0/16 to any
block in quick on rl0 from 128.66.0.0/16 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 191.255.0.0/16 to any
block in quick on rl0 from 192.0.0.0/19 to any
block in quick on rl0 from 192.0.48.0/20 to any
block in quick on rl0 from 192.0.64.0/18 to any
block in quick on rl0 from 192.0.128.0/17 to any
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 197.0.0.0/8 to any
block in quick on rl0 from 201.0.0.0/8 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any

# Block the remaining inbound connections
block in log quick on rl0 all

# Allow everything on the loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
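As an added illustration (not code from the original post), here is a small Python model of how IPF evaluates a subset of the inbound rules above: the last matching rule wins unless a rule says `quick`, which ends evaluation immediately. Because the `pass in quick` rules for open ports come before the reserved-network `block` rules, a packet with a 10.0.0.0/8 source aimed at port 80 is accepted. The server address 198.51.100.10 and the packet fields are constructed assumptions; flags, state and return-* options are not modelled.

```python
import ipaddress

# Constructed subset of the page's inbound rules, in their original order.
RULESET = """
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep frags keep state
pass in quick on rl0 proto tcp from any to any port = 2087 keep state keep frags
block in quick on rl0 proto icmp all
block return-rst in quick on rl0 proto tcp from any to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 192.168.0.0/16 to any
block in log quick on rl0 all
pass in quick on lo0 all
"""

def parse_rule(line):
    """Fields this model uses; flags S, keep state/frags and return-* are ignored."""
    t = line.split()
    rule = {"action": t[0], "quick": "quick" in t, "iface": None, "proto": None,
            "port": None, "dir": "in" if "in" in t else "out", "src": "any", "dst": "any"}
    for key, word in (("iface", "on"), ("proto", "proto"), ("src", "from"), ("dst", "to")):
        if word in t:
            rule[key] = t[t.index(word) + 1]
    if "port" in t:                       # written as "port = N"
        rule["port"] = int(t[t.index("port") + 2])
    return rule

def _in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"] and rule["iface"] == pkt["iface"]
            and rule["proto"] in (None, pkt["proto"])
            and _in_net(rule["src"], pkt["src"]) and _in_net(rule["dst"], pkt["dst"])
            and rule["port"] in (None, pkt.get("dport")))

def evaluate(rules, pkt):
    """IPF semantics: the last matching rule wins, except that a matching
    'quick' rule ends evaluation at once; with no match the packet passes."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
def decide(src, dport=None, proto="tcp", iface="rl0"):
    # Verdict for a packet arriving on iface addressed to the server (assumed 198.51.100.10)
    return evaluate(RULES, {"dir": "in", "iface": iface, "proto": proto,
                            "src": src, "dst": "198.51.100.10", "dport": dport})
```

Placing the anti-spoofing block rules ahead of the pass rules removes that ordering gap.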
