From: SASAKI K. <cr...@sa...> - 2015-08-23 05:14:40
Hi.
On Fri, 21 Aug 2015 21:53:35 -0700
li...@la... wrote:
> I think I understand how the rule-number works. Doing the ipfw list, unless a number is specified, all the denies are at the end. That is where my new rule is at the moment.
>
> How about if I made the new rule be number 2450?
>
> # ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
...
> 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 01100 check-state
> 01200 allow tcp from me to any established
> 01300 allow tcp from me to any setup keep-state
...
> 02500 allow tcp from any to me dst-port 22
> 02600 allow tcp from any to me dst-port 25
> 02700 allow tcp from any to me dst-port 80
> 02800 allow tcp from any to me dst-port 143
> 02900 allow tcp from any to me dst-port 443
> 03000 allow tcp from any to me dst-port 465
> 03100 allow tcp from any to me dst-port 500
> 03200 allow tcp from any to me dst-port 993
> 03300 allow tcp from any to me dst-port 4500
> 03400 allow tcp from any to me dst-port 110 in setup
> 03500 allow tcp from any to me dst-port 995 in setup
> 03600 allow tcp from any to me dst-port 25 in setup
> 03700 allow tcp from me to any dst-port 25 out setup
> 03800 allow tcp from any to me dst-port 465 in setup
> 03900 allow tcp from any to me dst-port 143 in setup
> 04000 allow tcp from any to me dst-port 993 in setup
> 65000 count ip from any to any
> 65100 allow log udp from any to any dst-port 500 keep-state
> 65200 allow log udp from any 500 to any keep-state
> 65300 allow log udp from any to any dst-port 4500 keep-state
> 65400 allow log udp from any 4500 to any keep-state
> 65500 deny log ip from table(22) to any
> 65500 deny { tcp or udp } from any to any dst-port 135-139,445 in
...
IPFW is a packet filtering system that is referred to as "first match
wins". So, an incoming ssh packet that is permitted by rule 2500 does not
reach the denying rule 65500.
Inserting a rule that blocks the IP addresses listed in table 22 between
rule 1000 and rule 1100 seems better to me.
--
SASAKI Katuhiro
mailto: cr...@sa...
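As an added illustration of the first-match-wins point made above (this is not code from the thread; the table contents, packets and helper names are constructed), a small Python model of ipfw rule ordering with a subset of the quoted rule set. It shows that a table(22) deny placed at 65500 never sees an ssh packet already allowed by 2500, while the same deny placed at 1050 does.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of what "table 22" might hold: networks to block.
TABLE_22 = [ip_network("198.51.100.0/24")]


def in_table(addr, table):
    """True if addr falls inside any network of the table."""
    a = ip_address(addr)
    return any(a in net for net in table)


def make_rules(deny_table_rule_number):
    """Subset of the quoted ruleset; the table(22) deny goes at the given number.
    ipfw evaluates rules in ascending number order, so we sort by number."""
    rules = [
        {"num": 1000, "action": "allow", "proto": "ipv6-icmp"},
        {"num": 1100, "action": "check-state"},
        {"num": 2500, "action": "allow", "proto": "tcp", "dst_port": 22},
        {"num": 2600, "action": "allow", "proto": "tcp", "dst_port": 25},
        {"num": 65000, "action": "count"},
        {"num": deny_table_rule_number, "action": "deny", "src_table": TABLE_22},
        {"num": 65535, "action": "deny"},  # ipfw's implicit default rule
    ]
    return sorted(rules, key=lambda r: r["num"])


def matches(rule, pkt):
    """Only the match criteria this model needs: proto, dst_port, src table."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dst_port" in rule and rule["dst_port"] != pkt["dst_port"]:
        return False
    if "src_table" in rule and not in_table(pkt["src"], rule["src_table"]):
        return False
    return True


def evaluate(rules, pkt):
    """First match wins: return (rule number, action) of the first terminating
    rule. 'count' and a 'check-state' with no dynamic entry fall through."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] in ("count", "check-state"):
            continue
        return rule["num"], rule["action"]
    return 65535, "deny"


if __name__ == "__main__":
    ssh = {"proto": "tcp", "src": "198.51.100.7", "dst_port": 22}  # constructed
    print("deny at 65500:", evaluate(make_rules(65500), ssh))  # (2500, 'allow')
    print("deny at 1050: ", evaluate(make_rules(1050), ssh))   # (1050, 'deny')
```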