
Complete Bi-Directional Filtering By Interface


So far we have only presented fragments of a complete ruleset. When you're actually creating your ruleset, you should setup rules for every direction and every interface. The default state of ipfilter is to pass packets. It is as though there were an invisible rule at the beginning which states pass in all and pass out all. Rather than rely on some default behaviour, make everything as specific as possible, interface by interface, until every base is covered.

First we'll start with the lo0 interface, which wants to run wild and free. Since these are programs talking to each other on the local system, go ahead and keep it unrestricted:
pass out quick on lo0
pass in quick on lo0
Next, there's the xl0 interface. Later on we'll begin placing restrictions on the xl0 interface, but to start with, we'll act as though everything on our local network is trustworthy and give it much the same treatment as lo0:
pass out quick on xl0
pass in quick on xl0
Finally, there's the tun0 interface, which we've been half-filtering with up until now:
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
pass out quick on tun0 from 20.20.20.0/24 to any
block out quick on tun0 from any to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
pass in all
This is a pretty significant amount of filtering already, protecting 20.20.20.0/24 from being spoofed or being used for spoofing. Future examples will continue to show one-sidedness, but keep in mind that it's for brevity's sake; when setting up your own ruleset, adding rules for every direction and every interface is necessary.
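To see how the ruleset above actually decides a packet's fate, the following added example (written for this page, not part of the original HOWTO or of IPFilter itself) reads the exact rules from this section into a small Python model of ipf's matching: a rule matches on direction, interface, source and destination; `quick` stops at the first match; otherwise the last matching rule wins; and with no match at all the implicit "pass in all / pass out all" default applies. The addresses fed to it (198.51.100.9, 20.20.20.5 and so on) and the unlisted interface `xl1` are constructed test inputs. Running it shows which rule catches an inbound packet claiming to come from 20.20.20.0/24, and that an interface you forgot to list silently falls through to pass.

```python
import ipaddress

# The rules from this section, verbatim, in the order they appear.
RULESET = """
pass out quick on lo0
pass in quick on lo0
pass out quick on xl0
pass in quick on xl0
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
pass out quick on tun0 from 20.20.20.0/24 to any
block out quick on tun0 from any to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
pass in all
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(token):
    """Turn an address token into a network; 'any' means everything."""
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    """Parse the subset of ipf.conf syntax used on this page:
    action direction [log] [quick] [on iface] (all | from SRC to DST)."""
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "log": False,
            "quick": False, "iface": None, "src": ANY, "dst": ANY}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "log":
            rule["log"] = True
            i += 1
        elif t == "quick":
            rule["quick"] = True
            i += 1
        elif t == "on":
            rule["iface"] = toks[i + 1]
            i += 2
        elif t == "all":
            i += 1
        elif t == "from":
            rule["src"] = net(toks[i + 1])
            i += 2
        elif t == "to":
            rule["dst"] = net(toks[i + 1])
            i += 2
        else:
            raise ValueError("unsupported token %r in %r" % (t, line))
    return rule


RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]


def evaluate(rules, direction, iface, src, dst):
    """Return (action, rule_number, logged) for one packet.
    ipf semantics: the last matching rule wins unless a matching rule is
    'quick', which ends the search immediately. No match at all falls back
    to the invisible default of pass (rule_number None)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    verdict = ("pass", None, False)
    for number, r in enumerate(rules, 1):
        if r["dir"] != direction:
            continue
        if r["iface"] is not None and r["iface"] != iface:
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        verdict = (r["action"], number, r["log"])
        if r["quick"]:
            break
    return verdict


if __name__ == "__main__":
    # Constructed sample packets: (direction, interface, source, destination).
    samples = [
        ("in", "tun0", "10.1.2.3", "20.20.20.5"),        # private source from outside
        ("in", "tun0", "20.20.20.7", "20.20.20.5"),      # our own net spoofed inbound
        ("in", "tun0", "198.51.100.9", "20.20.20.255"),  # broadcast address probe
        ("in", "tun0", "198.51.100.9", "20.20.20.5"),    # ordinary inbound traffic
        ("out", "tun0", "20.20.20.5", "198.51.100.9"),   # ordinary outbound traffic
        ("out", "tun0", "192.168.1.1", "198.51.100.9"),  # private source leaking out
        ("out", "xl1", "20.20.20.5", "198.51.100.9"),    # interface nobody wrote a rule for
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, *pkt))
```

The last sample is the point of the section: `xl1` appears in no rule, so an outbound packet on it matches nothing and is passed by the invisible default rule, with no log entry to tell you it happened. The only fix is the one the text prescribes: write explicit rules for every direction on every interface.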