Configuring the shorewall firewall on Ubuntu
PKTTYPE=Yes

#
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
#   NEW         - this packet initiates a new connection
#   ESTABLISHED - this packet is part of an established connection
#   RELATED     - this packet is related to an established connection; it may
#                 establish a new connection
#   INVALID     - the packet does not relate to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
#   echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
#   echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.

DROPINVALID=No

#
# RFC 1918 BEHAVIOR
#
# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
# processing to cease for a packet if the packet's source IP address matches
# the rule. Thus, if you have:
#
#   SUBNETS         TARGET
#   192.168.1.0/24  RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
#
#   SUBNETS         TARGET
#   10.0.0.0/8      logdrop
#
# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
# since while the packet's source matches the RETURN rule, the packet's
# destination matches the 'logdrop' rule.
#
# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
# RFC1918_STRICT=No is assumed.
#
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
#          'conntrack state' match.

RFC1918_STRICT=No

#
# MACLIST caching
#
# If your iptables and kernel support the "Recent Match" (see the output of
# "shorewall check" near the top), you can cache the results of a 'maclist'
# file lookup and thus reduce the overhead associated with MAC Verification
# (/etc/shorewall/maclist).
#
# When a new connection arrives from a 'maclist' interface, the packet passes
# through the list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occurring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against
# the entire list.
#
# If MACLIST_TTL is not specified or is specified as empty (e.g.,
# MACLIST_TTL="") or is specified as zero then 'maclist' lookups will not
# be cached.

MACLIST_TTL=

################################################################################
#                    P A C K E T   D I S P O S I T I O N
################################################################################
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP

#
# MAC List Disposition
#
# This variable determines the disposition of connection requests arriving
# on interfaces that have the 'maclist' option and that are from a device
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed.

MACLIST_DISPOSITION=REJECT

#
# TCP FLAGS Disposition
#
# This variable determines the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.

TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
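The RFC1918_STRICT behaviour described in the config comments above, modelled as an added Python example (not Shorewall's own code): the two rfc1918 table entries quoted there are embedded as constructed input, and the hypothetical helper `rfc1918_disposition` returns what happens to a given source/destination pair under RFC1918_STRICT=No versus RFC1918_STRICT=Yes.

```python
import ipaddress

# Constructed rfc1918 table: the two entries quoted in the RFC1918_STRICT
# comment above. Shorewall evaluates the table top to bottom.
RFC1918_RULES = [
    ("192.168.1.0/24", "RETURN"),
    ("10.0.0.0/8", "logdrop"),
]


def lookup_target(addr, rules):
    """TARGET of the first rule whose SUBNETS contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for subnet, target in rules:
        if ip in ipaddress.ip_network(subnet):
            return target
    return None


def rfc1918_disposition(src, dst, rules=RFC1918_RULES, strict=False):
    """Model of 'norfc1918' processing for one packet (hypothetical helper).

    strict=False (RFC1918_STRICT=No): a RETURN match on the source address
    ends processing, so the packet is accepted even if the destination
    matches a logdrop rule.  strict=True (RFC1918_STRICT=Yes): the
    destination is still checked, so the packet is logged and dropped.
    Returns "ACCEPT" or the TARGET that disposed of the packet.
    """
    src_target = lookup_target(src, rules)
    if src_target is not None and src_target != "RETURN":
        return src_target          # source address itself hits a drop rule
    if src_target == "RETURN" and not strict:
        return "ACCEPT"            # RETURN stops norfc1918 processing
    dst_target = lookup_target(dst, rules)
    if dst_target is not None and dst_target != "RETURN":
        return dst_target
    return "ACCEPT"


if __name__ == "__main__":
    for strict in (False, True):
        print("RFC1918_STRICT=%s: 192.168.1.4 -> 10.0.3.9 => %s"
              % ("Yes" if strict else "No",
                 rfc1918_disposition("192.168.1.4", "10.0.3.9", strict=strict)))
```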