firewall - allowing https

Peter Ronai linux at my-scotland.sk
Wednesday January 22 15:33:48 CET 2003


On Wed, 2003-01-22 at 13:52, Roman DAVID wrote:
> Jiri Drasnar wrote:
> > I assumed it would be enough to allow
> > the following (analogous to allowing port 80):
> > 
> > iptables -A FORWARD -i eth0 -p tcp --sport 443 -j ACCEPT
> > iptables -A FORWARD -i eth1 -p tcp --dport 443 -j ACCEPT
> > 
> > eth0 - internet
> > eth1 - internal network
> >
> 
> shouldn't there also be -m tcp ?
> i.e.:
> iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
> then it should be enough to have:
> iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> and it should work, unless some other rule overrides it.
> RELATED doesn't even need to be there, as far as https is concerned.
> 
> Roman DAVID
> 

well, following the recommendation from the netfilter docs, I would solve it like this:

iptables -A FORWARD -i eth0 -d <IP_RANGE> -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s <IP_RANGE> -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

It says something there about the insufficiency of STATUS for filtering. It's
better than ipchains, but you have to make use of it. The other thing is what
you want to prevent: users doing stupid things, or sophisticated attacks from
outside (both?).
When it comes to security, one is never paranoid enough ....

dz
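The stateful rule pair discussed in this thread, as an added shell example that is not from any of the posters, with the stateless --sport 443 variant from the first mail beside it for comparison. The interface names, the 192.168.1.0/24 range standing in for <IP_RANGE>, and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the FORWARD rules for
# client-initiated HTTPS as text so they can be reviewed before being applied.
# Interface names and the LAN range are assumptions (constructed sample).
WAN_IF="${WAN_IF:-eth0}"              # internet side
LAN_IF="${LAN_IF:-eth1}"              # internal network
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # stands in for <IP_RANGE>

# Stateless variant from the first mail: matches on source port 443 only.
# Any outside host that sends from source port 443 gets through to the LAN.
weak_rules() {
    printf '%s\n' \
        "iptables -A FORWARD -i $WAN_IF -p tcp --sport 443 -j ACCEPT" \
        "iptables -A FORWARD -i $LAN_IF -p tcp --dport 443 -j ACCEPT"
}

# Stateful variant: the LAN side opens the connection, so it carries NEW;
# the internet side may only send packets conntrack already knows about.
stateful_rules() {
    printf '%s\n' \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT" \
        "iptables -A FORWARD -i $WAN_IF -d $LAN_NET -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT"
}

# Review check: how many ACCEPT rules in a set ignore connection state?
count_stateless_accepts() {
    "$1" | awk '/-j ACCEPT/ && !/--state/ { n++ } END { print n + 0 }'
}

# Apply a rule set for real (needs root), e.g.: apply_rules stateful_rules
apply_rules() {
    "$1" | sh -e
}
```

Run `stateful_rules` on its own to print the rule set and `count_stateless_accepts weak_rules` to see how many rules in the weak set accept traffic without a state match.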



