2007年8月19日 星期日

Proftpd 指定 passive ports

#/usr/local/etc/proftpd.conf

# Restrict the range of ports from which the server will
# select when sent the PASV command from a client.
# The range chosen here (49260-49360, 101 ports) lies inside the IANA
# dynamic/ephemeral range. Each passive-mode transfer in progress
# occupies one port from the range, so its width roughly bounds the
# number of simultaneous passive data connections.
# The same range must also be allowed through the host firewall
# (see the ipfw rule for /etc/rc.firewall below); otherwise passive
# transfers hang after the PASV reply.
PassivePorts 49260 49360


另外,要記得在防火牆上也開放(允許)這段 port 範圍
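#/etc/rc.firewall

# Passive-mode FTP data connections: proftpd picks a port from its
# PassivePorts range (49260-49360) for each transfer, so that range must
# be reachable on this host. Limited to tcp: FTP data connections are
# TCP only, so opening the same range for UDP would grant nothing but
# extra exposure. Place this rule before the final "deny all" rule.
/sbin/ipfw add allow tcp from any to 140.120.31.205 49260-49360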

/etc/rc.firewall

參考 這裡

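# /etc/rc.firewall (ipfw). Rules are added without explicit numbers, so
# ipfw numbers them in ascending order and the ORDER of the lines below is
# the match order: the first matching rule decides the packet's fate.

# Flush every existing rule (-f suppresses the interactive confirmation).
/sbin/ipfw -f flush

# Divert all packets crossing the fxp0 interface to natd for NAT.
# (The original note named xl0 while the rule says fxp0; the interface
# given here must be the one natd is started on, or NAT silently stops.)
/sbin/ipfw add divert natd all from any to any via fxp0

# Loopback to loopback.
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1

# Anything originating from this host (loopback or its public address)
# may go anywhere.
# NOTE(review): neither rule is restricted with `out`, so an inbound
# packet carrying one of these source addresses would also match;
# adding `out` (and `via lo0` for the loopback rule) closes that gap.
/sbin/ipfw add pass all from 127.0.0.1 to any
/sbin/ipfw add allow all from 140.120.31.205 to any

# The internal LAN may talk to itself. Written as the network address;
# ipfw masks 192.168.1.1/24 to 192.168.1.0/24 anyway, so the rule is the
# same as before, just unambiguous to read.
/sbin/ipfw add pass all from 192.168.1.0/24 to 192.168.1.0/24

# Marked "test" by the author: drop UDP from these two /24 networks.
/sbin/ipfw add deny udp from 140.120.90.0/24 to any
/sbin/ipfw add deny udp from 140.120.108.0/24 to any

# ICMP is currently ALLOWED (this host answers ping). The deny rule that
# would block it is kept below, commented out; enable exactly one of the
# two lines, never both.
#/sbin/ipfw add 001 deny icmp from any to any
/sbin/ipfw add allow icmp from any to any

# Hosts observed probing this machine: drop everything from them.
/sbin/ipfw add deny all from 140.120.90.61 to any
/sbin/ipfw add deny all from 140.120.90.152 to any

# The backup host (140.120.31.187, "拿鐵") runs rsync (873) and ssh (22)
# against this host (vida, 140.120.31.205).
/sbin/ipfw add allow all from 140.120.31.187 to 140.120.31.205 873
/sbin/ipfw add allow all from 140.120.31.187 to 140.120.31.205 22

# Whitelisted sources (news server and others): may reach anything here.
# NOTE(review): "140.114.87" has only three octets. ipfw hands addresses
# to inet_aton(), which reads the a.b.c form as a.b.0.c (140.114.0.87),
# not as the 140.114.87.0/24 network -- confirm what was intended and
# write the address out in full.
/sbin/ipfw add allow all from 140.114.87 to any
/sbin/ipfw add allow all from 140.120.1.6 to any
/sbin/ipfw add allow all from 140.113.54.117 to any

# Connections from the room-403 IPs (no rules listed yet).

# ShinHsin @ NCKU

# Inbound connections to the public daemons on this host: ftp-data, ftp,
# telnet, http, https (the port here is the DESTINATION port).
# ssh is deliberately not opened here; it is gated by tcp_wrappers via
# /etc/hosts.allow.
/sbin/ipfw add allow all from any to any 20
/sbin/ipfw add allow all from any to any 21
/sbin/ipfw add allow all from any to any 23
/sbin/ipfw add allow all from any to any 80
/sbin/ipfw add allow all from any to any 443

# Replies to this host's own outbound client connections
# (cvsup, ftp, telnet, ssh, smtp, http, pop3, news, https).
# CAVEAT(review): these rules match on the SOURCE port only and place no
# condition on the destination port, so any packet that happens to carry
# one of these source ports is accepted to every port on this host and
# never reaches the deny rules further down (including the port-25 deny).
# The stateful form -- `keep-state` on the outbound rule for
# 140.120.31.205 above plus a `check-state` rule before this block -- is
# the safer replacement; kept as published here so behaviour is unchanged.
/sbin/ipfw add allow all from any 20 to 140.120.31.205
/sbin/ipfw add allow all from any 21 to 140.120.31.205
/sbin/ipfw add allow all from any 22 to 140.120.31.205
/sbin/ipfw add allow all from any 23 to 140.120.31.205
/sbin/ipfw add allow all from any 25 to 140.120.31.205
/sbin/ipfw add allow all from any 80 to 140.120.31.205
/sbin/ipfw add allow all from any 110 to 140.120.31.205
/sbin/ipfw add allow all from any 119 to 140.120.31.205
/sbin/ipfw add allow all from any 443 to 140.120.31.205
/sbin/ipfw add allow all from any 5999 to 140.120.31.205

# Mail may be delivered to this host (port 25) only from this sender.
/sbin/ipfw add allow all from 140.114.78.150 to 140.120.31.205 25

# The proftpd PassivePorts range (49260-49360, tcp) must be allowed
# somewhere above this point, i.e. before the catch-all deny at the end.

# Drop everything else that was not explicitly allowed above, without
# logging: NetBIOS (137/138), all remaining UDP, and SMTP.
/sbin/ipfw add deny all from any to any 137
/sbin/ipfw add deny all from any to any 138
/sbin/ipfw add deny udp from any to any
/sbin/ipfw add deny all from any to any 25

# Log and drop inbound TCP packets with both SYN and FIN set: an invalid
# flag combination used by scanners such as nmap and queso for OS
# fingerprinting. This is scan detection, not DDoS protection.
/sbin/ipfw add deny log tcp from any to any in tcpflags syn,fin

# Final catch-all: drop and log everything else. Logged packets land in
# /var/log/security; `logamount 500` caps the number of entries this rule
# writes until its counter is cleared with `ipfw resetlog`.
/sbin/ipfw add deny log logamount 500 all from any to any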