Up to this point, every blocked packet has been silently blocked and every passed packet
silently passed. Usually you want to know when you're being attacked, rather than wondering
whether the firewall is really buying you anything. I wouldn't want to log every passed
packet, and in some cases not every blocked packet either, but I would want to know about
blocked packets claiming to come from 20.20.20.0/24. To do this, we add the log keyword:
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 20.20.20.0/24 to any
pass in all
So far, our firewall is pretty good at blocking packets coming to it from suspect
places, but there's still more to be done. For one thing, we're accepting packets destined
anywhere. One thing we ought to do is make sure packets to 20.20.20.0/32 and
20.20.20.255/32 (the network and broadcast addresses of our 20.20.20.0/24) get dropped on
the floor. To do otherwise opens the internal network to a smurf attack, in which a flood
of ICMP echo requests is sent to a broadcast address so that every host on the network
replies. These two lines would prevent our hypothetical network from being used as a
smurf relay:
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
This brings our total ruleset to look something like this:
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
pass in all
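To see how ipf actually evaluates this ruleset, here is a small simulator, added for this
text and not part of the HOWTO or of IP Filter itself. It parses the subset of ipf syntax
used above and applies ipf's matching semantics: the last matching rule wins unless a
matching rule carries quick, which ends evaluation on the spot. The sample packets are
constructed for illustration.

```python
import ipaddress

# The complete inbound ruleset from the text, as the simulator's input.
RULES = """
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
pass in all
"""


def parse_rule(line):
    """Parse one rule of the form: action dir [log] [quick] [on IFACE] [from SRC to DST]."""
    words = line.split()
    rule = {"action": words[0], "log": "log" in words, "quick": "quick" in words,
            "iface": None, "src": None, "dst": None}
    if "on" in words:
        rule["iface"] = words[words.index("on") + 1]
    if "from" in words:
        src = words[words.index("from") + 1]
        dst = words[words.index("to") + 1]
        rule["src"] = None if src == "any" else ipaddress.ip_network(src)
        rule["dst"] = None if dst == "any" else ipaddress.ip_network(dst)
    return rule


def matches(rule, iface, src, dst):
    """A field of None means 'any' and matches everything."""
    if rule["iface"] not in (None, iface):
        return False
    if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
        return False
    return rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"]


def evaluate(rules, iface, src, dst):
    """Return (action, logged) for an inbound packet. ipf passes by default;
    otherwise the last match wins, unless a matching rule has 'quick'."""
    result = ("pass", False)
    for rule in rules:
        if matches(rule, iface, src, dst):
            result = (rule["action"], rule["log"])
            if rule["quick"]:
                break  # quick ends evaluation at this rule
    return result


RULESET = [parse_rule(line) for line in RULES.strip().splitlines()]
```

For instance, a packet from 10.1.2.3 is blocked without a log entry, one from 20.20.20.7 or
one addressed to 20.20.20.255 is blocked and logged, and ordinary traffic to 20.20.20.5
falls through to the final pass rule.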