LINUX.ORG.RU

List of "unwanted" networks


I need a complete list of "unwanted" networks that have to be dropped on the external interface... I'm dropping these...

! Cisco IOS extended ACL entries (wildcard mask = inverse netmask), one per line
deny ip host 255.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
! 240.0.0.0/4 needs wildcard 15.255.255.255; 7.255.255.255 only covers 240.0.0.0/5
deny ip 240.0.0.0 15.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log

anonymous

Re: List of "unwanted" networks

-i ext_iface -P INPUT DROP
:)
And allow whatever you need.

zgen ★★★★★ ()

Re: List of "unwanted" networks

You could try something like this -

# Stop RFC1918 nets on the outside interface
# ('via' matches packets in both directions on ${oif}; use 'in via' to limit a rule to inbound only)
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-01.txt nets on the outside interface
# (the RFC1918 blocks are already covered by the rules above)
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

#Stop reserved IANA addresses
${fwcmd} add deny all from any to 1.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 2.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 5.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 7.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 23.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 27.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 31.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 37.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 39.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 41.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 42.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 58.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 70.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 71.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 73.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 74.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 75.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 76.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 77.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 78.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 79.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 96.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 112.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 113.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 114.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 115.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 116.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 117.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 118.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 119.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 120.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 121.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 122.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 123.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 124.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 125.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 126.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 218.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 219.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 220.0.0.0/6 via ${oif}

and correspondingly also -

${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

And so on... Just keep in mind that the ones listed as reserved by IANA get put into use from time to time... that is, there's a chance of banning perfectly innocent resources...


MiracleMan ★★★★★ ()
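The Cisco ACL in the opening post and the ipfw list in the reply above are two hand-maintained copies of the same martian set, and the wildcard-mask form in particular is easy to get wrong (a /4 is 15.255.255.255, not 7.255.255.255). The script below is an added example, not code from this thread or from FreeBSD's rc.firewall: it keeps one canonical list, renders it in both syntaxes, classifies an address against it, and, for the caveat in the last reply, uses the IANA special-purpose registry bundled with Python's ipaddress module to flag which entries of a hand-written "reserved" list are now globally routable. The MARTIANS list and all function names are this example's own assumptions.

```python
"""Render one canonical martian (bogon) list as Cisco ACL and ipfw rules,
check addresses against it, and flag stale 'reserved' blocks.

Added example, not from the thread; MARTIANS and every function name here
are this example's own choices.
"""
import ipaddress
from typing import Iterable, List

# Networks that must never appear as a source (and rarely as a destination)
# on an external interface: RFC 1918 plus the special-purpose blocks the
# thread's lists cover.  255.255.255.255 is inside 240.0.0.0/4.
MARTIANS: List[str] = [
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local / DHCP autoconfiguration
    "172.16.0.0/12",    # RFC 1918
    "192.0.2.0/24",     # TEST-NET-1
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # class E / reserved, includes limited broadcast
]
MARTIAN_NETS = [ipaddress.ip_network(n) for n in MARTIANS]


def cisco_acl(nets: Iterable[str], log: bool = True) -> List[str]:
    """Cisco IOS extended-ACL lines.  The wildcard mask is the bitwise
    inverse of the netmask, which ipaddress exposes as .hostmask, so a /4
    becomes 15.255.255.255 (7.255.255.255 would only be a /5)."""
    suffix = " log" if log else ""
    lines = []
    for cidr in nets:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 32:
            lines.append(f"deny ip host {net.network_address} any{suffix}")
        else:
            lines.append(
                f"deny ip {net.network_address} {net.hostmask} any{suffix}")
    return lines


def ipfw_rules(nets: Iterable[str], oif: str = "${oif}",
               fwcmd: str = "${fwcmd}") -> List[str]:
    """ipfw rules in the rc.firewall style quoted above: one rule per
    direction, 'via' matching packets both entering and leaving oif."""
    lines = []
    for cidr in nets:
        net = ipaddress.ip_network(cidr)
        lines.append(f"{fwcmd} add deny all from {net} to any via {oif}")
        lines.append(f"{fwcmd} add deny all from any to {net} via {oif}")
    return lines


def is_martian(addr: str) -> bool:
    """True if addr falls inside any MARTIANS block (the blocks do not
    overlap, so a plain any() is enough)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MARTIAN_NETS)


def stale_reservations(cidrs: Iterable[str]) -> List[str]:
    """Return the blocks from a hand-written 'reserved by IANA' list that
    the IANA special-purpose registry bundled with ipaddress now treats as
    globally routable, i.e. the entries that would block real traffic."""
    return [c for c in cidrs if ipaddress.ip_network(c).is_global]


if __name__ == "__main__":
    print("\n".join(cisco_acl(MARTIANS)))
    print()
    print("\n".join(ipfw_rules(MARTIANS)))
    # Three entries taken from the 'reserved IANA addresses' list above,
    # checked against Python's registry instead of a 2000-era snapshot.
    print(stale_reservations(["1.0.0.0/8", "5.0.0.0/8", "240.0.0.0/4"]))
```

Running the script prints the generated rules and then the subset of the sample "reserved" entries that are routable today; 1.0.0.0/8 shows up there, which is exactly the trap the last reply warns about, while 240.0.0.0/4 does not.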