Widok
Moderator-Следопыт | Редактировать | Профиль | Сообщение | Цитировать | Сообщить модератору
Network Control Rules (типовые правила)
Блокировка исходящих по протоколу IGMP:
BLOCK IP OUT FROM IP [Any] TO IP [Any] WHERE IPPROTO IS IGMP
Общая блокировка всех входящих на 135, 445 порты:
BLOCK TCP or UDP IN FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS IN [135,445]
Разрешение NetBIOS в локальной сети:
ALLOW TCP or UDP IN or OUT FROM IP ZONE:[Local Network1] TO IP ZONE:[Local Network] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS 137-139
Разрешение ping'а в локальной сети:
ALLOW ICMP OUT FROM IP ZONE:[Local Network] TO IP ZONE:[Local Network] WHERE ICMP MESSAGE IS ECHO REQUEST
ALLOW ICMP IN FROM IP ZONE:[Local Network] TO IP ZONE:[Local Network] WHERE ICMP MESSAGE IS FRAGMENTATION NEEDED
ALLOW ICMP IN FROM IP ZONE:[Local Network] TO IP ZONE:[Local Network] WHERE ICMP MESSAGE IS TIME EXCEEDED
Блокировка портов 135, 137-139 (NetBIOS) и 445 в И-нет зоне:
BLOCK TCP or UDP OUT FROM IP ZONE:[Internet Zone1] TO IP [Any] WHERE SOURCE PORT IS IN [135,137,138,139,445] AND DESTINATION PORT IS [Any]
BLOCK TCP or UDP IN FROM IP [Any] TO IP ZONE:[Internet Zone] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS IN [135,137,138,139,445]
DNS Server:
ALLOW UDP OUT FROM IP ZONE:[Internet Zone] TO IP DNS_server2 WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 53
Web Browser:
ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP [Any] WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS IN [80,81,82,83,443]
Mail Client:
ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP [Any] WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS IN [25,110,143,993,995]
FTP Client:
ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP FTP_server3 WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 21
ALLOW TCP IN FROM IP FTP_server TO IP ZONE:[Internet Zone] WHERE SOURCE PORT IS 20 AND DESTINATION PORT IS 1024-4999
для пассивного режима:
ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP FTP_server WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 1024-65535
ICQ Messenger:
ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP [Any] WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS IN [443,5190]
Comodo Submit:
ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP 195.92.253.141 WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 21
ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP 195.92.253.141 WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 1024-4999
Завершающее правило, блокирующее все:
BLOCK and LOG4 TCP or UDP IN or OUT FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS [Any]
1 Зоны предварительно создаются здесь: Tasks>Add/Remove/Modify a Zone
ZONE:[Local Network] - диапазон адресов локальной сети (пример: 192.168.0.0-192.168.0.255)
ZONE:[Internet Zone] - IP (диапазон IP), выделенный провайдером для выхода в И-нет.
2 Вместо DNS_server подставляется соответствующий DNS своего провайдера.
3 Вместо FTP_server подставляется соответствующий IP-адрес.
4 Для включения лога на правило нужно в его настройках поставить флажок у строки "Create an alert if this rule is fired" |
Всего записей: 24190 | Зарегистр. 07-04-2002 | Отправлено: 15:46 12-12-2007 | Исправлено: XenoZ, 09:29 04-03-2009 |
|
