root@wl ~ # wget http://coombs.anu.edu.au/~avalon/ip_fil4.1.33.tar.gz root@wl ~ # wget http://coombs.anu.edu.au/~avalon/pfil-2.1.13.tar.gz root@wl ~ # tar xvfz ip_fil4.1.33.tar.gz root@wl ~ # tar xvfz pfil-2.1.13.tar.gz root@wl ~ # cd pfil root@wl ~/pfil # /usr/ccs/bin/make SunOS32 1) root@wl ~/pfil # /usr/ccs/bin/make package 1) root@wl ~/pfil # pkgadd -d /tmp/pfil.pkg 2) root@wl ~/pfil # ifconfig -a lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1 inet 127.0.0.1 netmask ff000000 pcn0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 192.168.0.11 netmask ffffff00 broadcast 192.168.0.255 ether 0:c:29:d4:e0:bd root@wl ~/pfil # cat /etc/opt/pfil/iu.ap 3) pcn -1 0 pfil root@wl ~/pfil # cd .. root@wl ~ # cd ip_fil4.1.33 root@wl ~/ip_fil4.1.33 # /usr/ccs/bin/make solaris root@wl ~/ip_fil4.1.33 # cd SunOS5 root@wl ~/ip_fil4.1.33/SunOS5 # /usr/ccs/bin/make package 4) root@wl ~/ip_fil4.1.33/SunOS5 # sync; sync; reboot 5)1) 반드시 /usr/ccs/bin/make 를 사용한다. 만약 gnu make를 사용하고 있으면 컴파일이 되지 않는다. 64bit 솔라리스를 사용하고 있다면 32대신 64를 입력한다.
root@wl ~ # /etc/init.d/ipfboot start 1) Set 0 now inactive filter sync'd 0 entries flushed from NAT table 0 entries flushed from NAT list filter sync'd root@wl ~ # ndd /dev/pfil qif_status 2) ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata QIF1 0x0 0xd40d2cf0 0xd40d2d74 0x0 1 806 0 3 14 0 0 0 0 0 0 0 pcn0 0xd3c49a9c 0xd4054180 0xd4054204 0x0 0 800 14 695 572 0 0 0 0 0 0 0 root@wl ~/pfil # strconf < /dev/pcn 2) pfil pcn root@wl ~ #1) 시작하기. /etc/rc2.d/S65ipfboot에 등록되어있다.
| 구분 | 솔라리스 10 번들 | 소스설치 |
| 설정 파일 디렉토리 | /etc/ipf | /etc/opt/ipf |
| ipmon 위치 | /usr/sbin/ipmon | /opt/ipf/bin/ipmon |
| 시작하기 중단하기 |
svcadm enable ipfilter svcadm disable ipfilter |
/etc/init.d/ipfboot start /etc/init.d/ipfboot stop |
root@wl ~ # ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
pcn0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 192.168.0.11 netmask ffffff00 broadcast 192.168.0.255
ether 0:c:29:d4:e0:bd
root@wl ~ # vi /etc/opt/ipf/ipf.conf block in all block out all root@wl ~ # /etc/init.d/ipfboot reload각 단어의 의미는 다음과 같다.
block in all pass out allpass: 패킷을 통과시킴.
block in all pass out on pcn0 proto tcp from any to any keep state pass out on pcn0 proto udp from any to any keep state pass out on pcn0 proto icmp from any to any keep stateon: 다음에 오는 인터페이스를 지정한다.
block in all pass out on pcn0 proto tcp from any to any keep state pass out on pcn0 proto udp from any to any keep state pass in all위와 같은 룰이 있다면 처음엔 막으려고 생각했는데, 마지막줄에서 모두 통과시킨다. 결과적으로 인바운드 패킷은 통과한다. 물론 위 예는 극단적인 것이다. 따라서 더이상 룰을 확인할 필요 없다는 것을 IPF에 명시해줘야 한다. 그 지시어가 quick이다.
block in quick all pass out on pcn0 proto tcp from any to any keep state pass out on pcn0 proto udp from any to any keep state pass out on pcn0 proto icmp from any to any keep state pass in allquick: 빨리. 더이상 아래의 룰을 확인할 필요 없다.
pass in quick on pcn0 proto tcp from any to any port=80 keep state block in quick all pass out on pcn0 proto tcp from any to any keep state pass out on pcn0 proto udp from any to any keep state pass out on pcn0 proto icmp from any to any keep stateport: 포트 번호
pass in quick on pcn0 from 192.168.0.8 to 192.168.0.11 port=21 block in quick on pcn0 from any to 192.168.0.11 port=21- 방화벽에 의해 보호된 FTP 서버에서, 위와 같이 열었을때 FTP 데이터 전송 방식은 반드시 PORT를 사용해야 한다.
pass in quick on pcn0 from 192.168.0.0/16 to any port=21
block in quick on pcn0 proto icmp from any to any icmp-type echo
pass in quick on pcn0 proto icmp from any to any icmp-type 8 code 0 keep state pass in quick on pcn0 proto tcp from any to any port=20 keep state pass in quick on pcn0 proto tcp from any to any port=21 keep state pass in quick on pcn0 proto tcp from any to any port=22 keep state pass in quick on pcn0 proto tcp from any to any port=25 keep state pass in quick on pcn0 proto tcp from any to any port=53 keep state pass in quick on pcn0 proto udp from any to any port=53 keep state pass in quick on pcn0 proto tcp from any to any port=80 keep state pass in quick on pcn0 proto tcp from any to any port=110 keep state pass in quick on pcn0 proto tcp from any to any port=443 keep state block in quick on pcn0 all pass out on pcn0 proto tcp from any to any keep state pass out on pcn0 proto udp from any to any keep state pass out on pcn0 proto icmp from any to any keep state
root@wl ~ # /opt/ipf/bin/mkfilters > ipf-example.conf1) root@wl ~ # cat ipf-example.conf1) # # The following routes should be configured, if not already: 2) # # route add 192.168.0.3 localhost 0 # block in log quick from any to any with ipopts block in log quick proto tcp from any to any with short pass out on tcge0 all head 150 block out from 127.0.0.0/8 to any group 150 block out from any to 127.0.0.0/8 group 150 block out from any to 192.168.0.3/32 group 150 pass in on tcge0 all head 100 block in from 127.0.0.0/8 to any group 100 block in from 192.168.0.3/32 to any group 1001) 솔라리스 10 에서는 /usr/share/ipfilter/examples/mkfilters 에 있다. 출력 내용을 파일로 저장해 사용하면 된다.
root@wl ~ # vi /etc/opt/ipf/ipf.conf block in log quick on pcn0 from any to any # in 또는 out 뒤에 log라는 단어를 추가하면 된다. root@wl ~ # /etc/init.d/ipfboot reload root@wl ~ # /opt/ipf/bin/ipmon # 로그 보기 01/01/2005 00:00:00.000000 pcn0 @0:1 b xxx.xxx.xxx.xxx,ppp -> xxx.xxx.xxx.xxx,ppp PR udp len 20 76 IN mbcast -------------------------1 ---2 ---3 4 -----------------------------------------5 -----6 --------7 --------8 1. 패킷 도달 날짜 및 시간 2. 패킷이 처리된 인터페이스 이름 3. 룰 이름. 0번째 그룹(기본그룹)의 1번째 룰. 4. Block, Pass의 앞글자. 5. 소스주소,포트 -> 목적지주소,포트 6. [PRotocol 프로토콜이름 또는 번호] 7. [LENth 헤더길이 총길이] 8. 추가 정보 Ctrl+C root@wl ~ #
root@wl ~ # vi /etc/syslog.conf
local0.debug /var/log/ipflog 1)
root@wl ~ # touch /var/log/ipflog
root@wl ~ # pkill -HUP syslogd
1) 간격은 '탭'으로 구분한다
root@wl ~ # ipf -V 1) ipf: IP Filter: v4.1.28 (500) Kernel: IP Filter: v4.1.28 Running: yes Log Flags: 0 = none set Default: pass all, Logging: available Active list: 1 Feature mask: 0x187 root@wl ~ # ipfstat bad packets: in 0 out 0 IPv6 packets: in 0 out 0 input packets: blocked 2749 passed 31451095 nomatch 0 counted 0 short 0 output packets: blocked 11 passed 31530632 nomatch 0 counted 0 short 0 input packets logged: blocked 0 passed 0 output packets logged: blocked 0 passed 0 packets logged: input 0 output 0 log failures: input 0 output 0 fragment state(in): kept 0 lost 0 not fragmented 0 fragment state(out): kept 0 lost 0 not fragmented 0 packet state(in): kept 0 lost 0 packet state(out): kept 0 lost 0 ICMP replies: 0 TCP RSTs sent: 0 Invalid source(in): 0 Result cache hits(in): 6581514 (out): 6534071 IN Pullups succeeded: 3413 failed: 0 OUT Pullups succeeded: 192352 failed: 0 Fastroute successes: 0 failures: 0 TCP cksum fails(in): 0 (out): 0 IPF Ticks: 2419893 Packet log flags set: (0) none root@wl ~ # ipfstat -io 2) ...1) 버전확인
root@wl ~ # vi /etc/rc2.d/S69inet
[ ! -x /usr/sbin/in.routed ] || /usr/sbin/in.routed
else
/usr/sbin/ndd -set /dev/ip ip_forwarding 1 1)
fi
root@wl ~ # /usr/sbin/ndd -set /dev/ip ip_forwarding 1 1)
root@wl ~ # netstat -s -P ip 2)
IPv4 ipForwarding = 1 ipDefaultTTL = 255
ipInReceives =16557669 ipInHdrErrors = 0
...
root@maid ~ #
1) 솔라리스 9 x86 u7의 경우 223번째 라인에 있다. 솔라리스 버전마다 라인 번호가 다를 수 있다. [/usr/sbin/ndd -get /dev/ip ip_forwarding] 명령을 내린 후 [0]이라 나오면 NAT가 작동하지 않는다. 명령프롬프트에서는 ndd명령을 이용해 실시간으로 변경할 수 있다.
root@maid ~ # routeadm -u -e ipv4-forwarding
root@maid ~ # routeadm
구성 현재 현재
옵션 구성 시스템 상태
---------------------------------------------------------------
IPv4 경로 지정 disabled disabled
IPv6 경로 지정 disabled disabled
IPv4 전달 enabled enabled
IPv6 전달 disabled disabled
경로 지정 서비스 "route:default ripng:default"
...
root@maid ~ #
root@wl ~ # vi /etc/opt/ipf/ipnat.conf
map pcn1 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map pcn1 192.168.0.0/16 -> 0.0.0.0/32
root@wl ~ # /etc/init.d/ipfboot reload
root@wl ~ # ipnat -slv 3)
3) 상태보기.root@maid /etc/opt/ipf # cat ipnat.conf map pcn1 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp map pcn1 192.168.0.0/16 -> 0.0.0.0/32 rdr pcn1 0.0.0.0/0 port 80 -> 192.168.0.3 port 80 rdr pcn1 0.0.0.0/0 port 53 -> 192.168.0.3 port 53 tcp/udp root@wl ~ # /etc/init.d/ipfboot reload
rdr pcn1 0.0.0.0/0 port 80 -> 192.168.0.3, 192.168.0.4, 192.168.0.5 port 80pcn1, 80포트로 들어오는 패킷은 192.168.0.3, 192.168.0.4, 192.168.0.5으로 분산되어 전송된다.
10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
내용 포트
FTP DATA 20
FTP 21
SSH 22 (TCP/UDP)
TELNET 23
SMTP(SENDMAIL) 25
DOMAIN(BIND) 53 (TCP/UDP)
TFTP 69 (UDP)
HTTP 80
POP3 110
RPC 111 (TCP/UDP)
SFTP 115
NTP 123 (UDP)
NetBIOS Name 137 (TCP/UDP)
NetBIOS Datagram 138 (TCP/UDP)
NetBIOS Session 139 (TCP/UDP)
IMAP 143
SNMP 161 (UDP)
SNMP Trap 162 (UDP)
IRC 194
RPC2PORTMAP 369 (TCP/UDP)
CLEARCASE 371
SSL (HTTPS) 443
SMB 445
Syslog 514 (UDP)
iSCSI 860
rsync 873
TFTP DATA 1390 (UDP)
ORACLE TCP 1521
NFS 2049 (TCP/UDP)
CVS PSERVER 2401 (TCP/UDP)
ORACLE TCP/SSL 2484
iSCSI 3260
MySQL 3306
Remote Desktop Protocol 3389 1)
SVN (Subversion) 3690 (TCP/UDP)
PCAnyWhere 5631
PCAnyWhere 5632 (UDP)
VNC 5900
X-Window 6000 (TCP/UDP)
WEB CACHE 8080 (TCP/UDP)
1) Microsoft의 Terminal Service/Virtual Box의 VRDP 서비스를 위한 포트이다SERVER> →CLOSED1→LISTEN2→SYN_RCVD4→ESTABLISHED6 CLIENT> →CLOSED1→SYN_SENT3→ESTABLISHED51 어떠한 접속 요청도 없는 상태이다. netstat 에서는 CLOSED라는 상태는 표시되지 않는다.
SERVER> →ESTABLISHED1→FIN_WAIT_12→FIN_WAIT_24→TIME_WAIT5→CLOSE7 CLIENT> →ESTABLISHED1→CLOSE_WAIT3→LAST_ACK6→CLOSE81 접속된 상태
이름 타입 코드 ipfilter예약어 설명 ICMP_ECHOREPLY 0 0 echorep Ping 응답. ICMP_UNREACH 3 4 needfrag 최적의 MTU 세팅을 위해 사용됨. ICMP_ECHO 8 0 echo Ping 요청. ICMP_TIMXCEED 11 0 timex TTL 만료시 사용됨. traceroute 또는 tracert에서 사용.
|
Copyright © 2004-2012 Jo HoSeok. All rights reserved. |