
Hi, I'm wondering whether anyone has experience with the ipkungfu firewall and can help me. I plan to use the machine for web browsing and IRC. I'm posting the config file, so I need to know what has to be changed:

 

# Please read the README and FAQ for more information
#
# Where is your iptables?
# run "which iptables" to find out
IPTABLES="/sbin/iptables"

# Ditto for modprobe
MODPROBE="/sbin/modprobe"

# Your external interface
# This is the one that connects to the internet
EXT_NET=eth0

# Your internal interfaces, if any. If you have more
# than 1 internal interface, separate them with
# spaces. If you only have one interface, put "lo"
# here.
INT_NET="eth1"

# IP Range of your internal network
# Example: 192.168.0.0/255.255.255.0
LOCAL_NET="192.168.0.0/255.255.255.0"

# Do you want to set up IP Masquerading? If you have
# only 1 machine, then say 0 here. You should set this
# to 1 if you want internet connection sharing.
# Set to 1 for yes, 0 for no
MASQ_LOCAL_NET=0

# IP Forwarding?
# If you have only 1 machine, then say no here. IP
# forwarding is necessary for internet connection
# sharing.
# Set to 1 for yes, 0 for no
IP_FORWARD=1

# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces.
ALLOWED_TCP_IN="21 22"

# UDP ports to allow for incoming traffic
# See the comments above for ALLOWED_TCP_IN
ALLOWED_UDP_IN=""

# Temporarily block future connection attempts from an
# IP that hits these ports (If module is present)
FORBIDDEN_PORTS="139"

# Drop all ping packets?
# Set to 1 for yes, 0 for no
BLOCK_PINGS=0

# How many pings do you want to reply to?
PING_FLOOD=3

# Possible values here are "DROP", "REJECT", or "MIRROR"
#
# "DROP" means your computer will not respond at all. "Stealth mode"
#
# "REJECT" means your computer will respond with a
# message that the packet was rejected.
#
# "MIRROR", if your kernel supports it, will swap the source and
# destination IP addresses, and send the offending packet back
# where it came from. USE WITH EXTREME CAUTION! Only use this if you fully
# understand the consequences.
#
# The safest option is "DROP". Don't change unless you fully understand this.

# What to do with 'probably malicious' packets
#SUSPECT="REJECT"
SUSPECT="DROP"

# What to do with obviously invalid traffic
# This is also the action for FORBIDDEN_PORTS
#KNOWN_BAD="REJECT"
KNOWN_BAD="DROP"

# What to do with port scans
#PORT_SCAN="REJECT"
PORT_SCAN="DROP"

# If supported, this will automatically save your iptables
# rules for other use
SAVE_RULES=1

# How should ipkungfu determine your IP address? The default
# answer, "NONE", will cause ipkungfu to not use the few
# features that require it to know your external IP address.
# This option is good for dialup users who run ipkungfu on
# bootup, since dialup users rarely use the features that
# require this, and the IP address for a dialup connection
# generally isn't known at bootup. "AUTO" will cause
# ipkungfu to automatically determine the IP address of
# $EXT_NET when it is started. If you have a static IP
# address you can simply enter your IP address here.
# If you do port forwarding and your ISP changes your IP
# address, choose NONE here, or your port forwarding
# will break when your IP address changes.
#GET_IP=NONE
GET_IP="AUTO"
#GET_IP="128.238.244.16"

# If the target for identd (113/tcp) is DROP, it can take
# a long time to connect to some IRC servers. Set this to
# 1 to speed up these connections with a negligible cost
# to security. Identd probes will be rejected with the
# 'reject-with-tcp-reset' option to close the connection
# gracefully. If you want to actually allow ident probes,
# and you're running an identd, and you've allowed port
# 113 in ALLOWED_TCP_IN, set this to 0.
DONT_DROP_IDENTD=0

# Set this to 0 if you're running ipkungfu on a machine
# inside your LAN. This will cause private IP addresses
# coming in on $EXT_NET to be identified as a spoof,
# which would be inaccurate on intra-LAN traffic
DISALLOW_PRIVATE=1

 

Thanks for all the help I get

:smile: :smile: :smile:


# Do you want to set up IP Masquerading? If you have
# only 1 machine, then say 0 here. You should set this
# to 1 if you want internet connection sharing.
# Set to 1 for yes, 0 for no
MASQ_LOCAL_NET=0

# IP Forwarding?
# If you have only 1 machine, then say no here. IP
# forwarding is necessary for internet connection
# sharing.
# Set to 1 for yes, 0 for no
IP_FORWARD=1

A conflict in what you're setting up here?

To be on the safe side I would set:

MASQ_LOCAL_NET=1

=====================================

# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces.
ALLOWED_TCP_IN="21 22"

Are you running an FTP server?

I would set this one to:

ALLOWED_TCP_IN=""

(If you intend to host games, you have to open the port on this line)

=====================================

# Drop all ping packets?
# Set to 1 for yes, 0 for no
BLOCK_PINGS=0

A firewall, and you're not offering any services?

Set this to

BLOCK_PINGS=1

=====================================

It should support everything from the internal network outward, so IRC and the like work fine.

It only restricts what comes in that you haven't initiated yourself.

So even if you don't allow port 21 inbound, that doesn't mean you can't connect to port 21 with FTP on someone else's machine. For example, you can play CS on port 27005 or whatever it was, but to host such a game you have to open that port.

Example:

If you receive a trojan that sends information from your machine, that will be entirely possible even with a firewall like this one, but then it has to be initiated from your machine. If it's just a program that creates a backdoor, an open listening port, you can't be hit, because the firewall doesn't allow incoming.

This comes down to what you offer.

===

After all, it's the weekend and a holiday, so who answers things may be somewhat limited.
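To illustrate the point above that this config only filters traffic you did not start yourself, here is an added example (not code from the thread and not ipkungfu's own rule set) that models the policy expressed by ALLOWED_TCP_IN, ALLOWED_UDP_IN, FORBIDDEN_PORTS, BLOCK_PINGS and DISALLOW_PRIVATE as a small stateful filter and runs sample packets through it; the IP addresses, port numbers and scenario names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: with DISALLOW_PRIVATE=1 a packet from these arriving on eth0 is a spoof
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arrives on the external interface, "out" = leaves it
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

class StatefulFilter:
    """Model of the policy the config variables express, not ipkungfu's real iptables rules."""
    def __init__(self, allowed_tcp_in, allowed_udp_in, forbidden_ports, block_pings, disallow_private):
        self.tcp_in, self.udp_in, self.forbidden = set(allowed_tcp_in), set(allowed_udp_in), set(forbidden_ports)
        self.block_pings, self.no_private = block_pings, disallow_private
        self.conntrack = set()  # flows this host started: (proto, local, lport, remote, rport)

    def decide(self, p):
        if p.direction == "out":                     # whatever we start goes out and is remembered
            self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ACCEPT"                          # reply to a connection we opened
        if self.no_private and any(ip_address(p.src) in n for n in PRIVATE_NETS):
            return "DROP"                            # DISALLOW_PRIVATE: spoofed source address
        if p.proto == "icmp":
            return "DROP" if self.block_pings else "ACCEPT"   # BLOCK_PINGS
        if p.dport in self.forbidden:
            return "DROP"                            # FORBIDDEN_PORTS, action KNOWN_BAD="DROP"
        allowed = self.tcp_in if p.proto == "tcp" else self.udp_in
        return "ACCEPT" if p.dport in allowed else "DROP"    # ALLOWED_TCP_IN / ALLOWED_UDP_IN

ME, IRC, REMOTE = "203.0.113.5", "198.51.100.10", "198.51.100.99"   # constructed addresses

def run_scenarios(allowed_tcp_in):
    """Verdicts for sample traffic; allowed_tcp_in is [21, 22] (as posted) or [] (replier's advice)."""
    fw = StatefulFilter(allowed_tcp_in, [], [139], block_pings=1, disallow_private=1)
    return {
        "irc_out":      fw.decide(Packet("out", "tcp", ME, IRC, 40000, 6667)),
        "irc_reply_in": fw.decide(Packet("in", "tcp", IRC, ME, 6667, 40000)),
        "listener_in":  fw.decide(Packet("in", "tcp", REMOTE, ME, 51000, 31337)),  # unlisted open port
        "ssh_in":       fw.decide(Packet("in", "tcp", REMOTE, ME, 51001, 22)),
        "smb_in":       fw.decide(Packet("in", "tcp", REMOTE, ME, 51002, 139)),
        "ping_in":      fw.decide(Packet("in", "icmp", REMOTE, ME)),
        "spoof_in":     fw.decide(Packet("in", "tcp", "10.0.0.1", ME, 51003, 22)),
        "trojan_out":   fw.decide(Packet("out", "tcp", ME, REMOTE, 40001, 8080)),
    }
```

With the posted values, inbound SSH is accepted while the unlisted port and the outbound call-home show the two halves of the replier's argument; with ALLOWED_TCP_IN="" even SSH is dropped.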
