From: ZEKI CATAV (zcatav@isnet.net.tr)
Date: Wed 30 Apr 2003 - 22:43:26 EEST
Hello,

I have started using Mandrake Linux 9.1. Before that I used Suse personal firewall on Suse 7.1 and, for a while, lokkit on Gelecek 2. On Mandrake I installed shorewall. On the earlier systems the firewall settings were automatic and everything (to whatever extent it actually worked) took care of itself. Shorewall and iptables were configured automatically on Mandrake as well. The only thing I did was in drakesec, where I did not tick any of the services that open the system to the net for iptables. Now to my problem: I believe the rules shown below are the ones in effect. My Internet connection is dialup. Kppp brings the connection up, but while the firewall is active it is not possible to exchange mail or to browse the web. When the firewall is shut down, mail and the other parts of the Internet traffic start working. Since I am an amateur who uses Linux on my home and office computers, I am not able to interpret the table below or to define a new configuration of the kind I want.

What I would like is a firewall configuration for my home connection that protects me as much as possible against unwanted visitors and attacks but does not stop me from reaching out. Can I get this by modifying the configuration below? Or should I use another program such as lokkit?

With the firewall off, how much danger am I in as a dialup home user?

Would using the "secure"-compiled kernel that ships with Mandrake help me with these matters?

At the office I use an online connection; what are your recommendations for that machine, which I am also thinking of using as a web server open to the intranet and to the Internet?

Thank you for your help.
# Generated by iptables-save v1.2.7a on Mon Apr 28 21:26:31 2003
*mangle
:PREROUTING ACCEPT [1108:102419]
:INPUT ACCEPT [1108:102419]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1108:102419]
:POSTROUTING ACCEPT [1108:102419]
:outtos - [0:0]
:pretos - [0:0]
# TOS marking only: ssh and ftp control (22/21) get minimum-delay (0x10), ftp-data (20) maximum-throughput (0x08)
-A PREROUTING -j pretos
-A OUTPUT -j outtos
-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
COMMIT
# Completed on Mon Apr 28 21:26:31 2003
# Generated by iptables-save v1.2.7a on Mon Apr 28 21:26:31 2003
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [13:818]
:OUTPUT ACCEPT [13:818]
COMMIT
# Completed on Mon Apr 28 21:26:31 2003
# Generated by iptables-save v1.2.7a on Mon Apr 28 21:26:31 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:all2all - [0:0]
:common - [0:0]
:dynamic - [0:0]
:icmpdef - [0:0]
:loc2net - [0:0]
:net2all - [0:0]
:newnotsyn - [0:0]
:ppp0_fwd - [0:0]
:ppp0_in - [0:0]
:reject - [0:0]
:shorewall - [0:0]
# Built-in chains default to DROP; ppp0 traffic is handed to ppp0_in / ppp0_fwd, which only jump to the empty dynamic chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -j common
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -i ppp0 -j ppp0_fwd
-A FORWARD -j common
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j common
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
# Zone chains: stateful accept, drop NEW tcp packets without SYN; no rule above jumps into all2all, loc2net or net2all
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A all2all -j common
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
# common: drop INVALID tcp, reject NetBIOS/SMB/RPC/ident probes, drop UPnP, broadcast and multicast
-A common -p icmp -j icmpdef
-A common -p tcp -m state --state INVALID -j DROP
-A common -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A common -p udp -m udp --dport 445 -j REJECT --reject-with icmp-port-unreachable
-A common -p tcp -m tcp --dport 135 -j reject
-A common -p udp -m udp --dport 1900 -j DROP
-A common -d 255.255.255.255 -j DROP
-A common -d 224.0.0.0/240.0.0.0 -j DROP
-A common -p tcp -m tcp --dport 113 -j reject
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A loc2net -j ACCEPT
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A net2all -j common
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A newnotsyn -j DROP
-A ppp0_fwd -j dynamic
-A ppp0_in -j dynamic
# reject: tcp gets a RST, everything else an ICMP port-unreachable
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Apr 28 21:26:31 2003
-- 
Zeki Çatav
catav@isnet.net.tr
http://catav.kolayweb.com
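The dump above can be read mechanically instead of by eye. The following is an added example, not part of Zeki's message and not Shorewall's or Mandrake's code: a small Python parser for the iptables-save format that walks a packet through the chains the way the kernel does (a terminating target ends the walk, LOG does not, a user-defined chain that runs off its end returns to its caller, and a built-in chain's policy decides at the end). It embeds a constructed subset of the posted filter table (the chains a packet on ppp0 actually reaches, minus rules the sample packets never hit) together with constructed packets using documentation-range addresses; it supports only the match options that subset uses and raises on anything else rather than guessing. On the posted rules, an outbound SMTP connection on ppp0 ends in the reject chain, because nothing in OUTPUT accepts traffic leaving ppp0, and an ESTABLISHED reply arriving on ppp0 ends there too, because ppp0_in only jumps to the empty dynamic chain while the stateful accepts sit in loc2net and net2all, which no rule references.

```python
import ipaddress, shlex

# Constructed sample: the filter-table chains from the posted dump that traffic on
# ppp0 reaches, minus rules the sample packets never hit (loc2net, net2all and
# all2all are left out: no rule on the INPUT or OUTPUT path jumps into them).
RULESET = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:common - [0:0]
:dynamic - [0:0]
:ppp0_in - [0:0]
:reject - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -j common
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j common
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
-A common -p tcp -m state --state INVALID -j DROP
-A common -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A common -p tcp -m tcp --dport 135 -j reject
-A common -d 224.0.0.0/240.0.0.0 -j DROP
-A ppp0_in -j dynamic
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
MATCH_OPTS = {"-i", "-o", "-p", "-d", "--dport", "--state"}
TARGET_OPTS = {"--log-prefix", "--log-level", "--reject-with"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_ruleset(text):
    """Return (chains, policies): chain -> rule list, chain -> policy ('-' = user chain)."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], policy
        elif line.startswith("-A "):
            toks, rule = shlex.split(line), {"match": {}, "target": None}
            for opt, val in zip(toks[2::2], toks[3::2]):  # every option here takes one value
                if opt == "-j":
                    rule["target"] = val
                elif opt in MATCH_OPTS:
                    rule["match"][opt] = val
                elif opt != "-m" and opt not in TARGET_OPTS:
                    raise ValueError(f"unsupported option {opt!r}: {line}")
            chains[toks[1]].append(rule)
    return chains, policies

def in_range(port, spec):  # "25" or "137:139"
    lo, _, hi = spec.partition(":")
    return port is not None and int(lo) <= port <= int(hi or lo)

def in_net(addr, spec):  # also accepts dotted masks such as 224.0.0.0/240.0.0.0
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    checks = {"-i": lambda v: pkt.get("in") == v, "-o": lambda v: pkt.get("out") == v,
              "-p": lambda v: pkt["proto"] == v, "-d": lambda v: in_net(pkt["dst"], v),
              "--dport": lambda v: in_range(pkt.get("dport"), v),
              "--state": lambda v: pkt["state"] in v.split(",")}
    return all(checks[opt](val) for opt, val in rule["match"].items())

def trace(chains, policies, chain, pkt, path=None):
    """Walk `chain` for `pkt` -> (verdict, path); None = user chain ran off its end."""
    path = [] if path is None else path
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            path.append(f"{chain}: {target}")
            return target, path
        if target == "LOG":  # non-terminating: note it and keep walking
            path.append(f"{chain}: LOG")
        elif target in chains:  # jump into a user-defined chain; resume here if it returns
            path.append(f"{chain} -> {target}")
            verdict, path = trace(chains, policies, target, pkt, path)
            if verdict is not None:
                return verdict, path
        else:
            raise ValueError(f"unsupported target {target!r}")
    if policies[chain] in TERMINAL:  # built-in chain: the policy decides
        path.append(f"{chain}: policy {policies[chain]}")
        return policies[chain], path
    return None, path

# Constructed packets (documentation-range addresses): the dialup host talking SMTP.
HOST, MAIL = "198.51.100.7", "192.0.2.25"
PACKETS = {
    "outbound smtp": ("OUTPUT", {"out": "ppp0", "proto": "tcp", "src": HOST, "dst": MAIL, "sport": 40123, "dport": 25, "state": "NEW"}),
    "smtp reply": ("INPUT", {"in": "ppp0", "proto": "tcp", "src": MAIL, "dst": HOST, "sport": 25, "dport": 40123, "state": "ESTABLISHED"}),
    "outbound ping": ("OUTPUT", {"out": "ppp0", "proto": "icmp", "src": HOST, "dst": MAIL, "state": "NEW"}),
}

def verdicts(text=RULESET):
    chains, policies = parse_ruleset(text)
    return {k: trace(chains, policies, chain, pkt) for k, (chain, pkt) in PACKETS.items()}
```

`verdicts()` returns, for each sample packet, the final verdict and the chain path that produced it; the SMTP packet's path is OUTPUT -> common, LOG, -> reject, REJECT. To run it over a complete `iptables-save` dump, extend MATCH_OPTS for the options that dump uses first: the full posted ruleset contains `! --tcp-flags SYN,RST,ACK SYN`, a negated option taking two values, which this parser deliberately rejects instead of mis-reading.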