亚洲av成人无遮挡网站在线观看,少妇性bbb搡bbb爽爽爽,亚洲av日韩精品久久久久久,兔费看少妇性l交大片免费,无码少妇一区二区三区

Chinaunix

標(biāo)題: ipfw 配置好后為啥沒(méi)有遠(yuǎn)程sh防火墻規(guī)則的權(quán)限? [打印本頁(yè)]
作者: bleakwind    時(shí)間: 2015-07-07 21:22
標(biāo)題: ipfw 配置好后為啥沒(méi)有遠(yuǎn)程sh防火墻規(guī)則的權(quán)限?
遠(yuǎn)程root來(lái)sh防火墻規(guī)則的時(shí)候提示:
dev sshd[749]: fatal: Write failed: Permission denied


加入: net.inet.ip.fw.default_to_accept="1" 也不行.

遠(yuǎn)程編譯內(nèi)核也提示沒(méi)權(quán)限.

是不是規(guī)則要加入什么?
我規(guī)則已經(jīng)加入下面的了:

# Allow out FreeBSD root operate
$cmd 00150 allow tcp from me to any out via $oif setup $ks uid root
作者: bleakwind    時(shí)間: 2015-07-07 21:22
遠(yuǎn)程root sh規(guī)則的時(shí)候提示上述信息并且會(huì)斷開(kāi).
作者: lsstarboy    時(shí)間: 2015-07-08 08:33
sh啥意思?

另外你那句用在遠(yuǎn)程上,不是找死么?服務(wù)器本身是接受的,你弄了個(gè)出的,并且還是tcp的setup,你是讓服務(wù)器連接你呢還是你連接服務(wù)器呢?
作者: bleakwind    時(shí)間: 2015-07-15 12:43
lsstarboy 發(fā)表于 2015-07-08 08:33
sh啥意思?

另外你那句用在遠(yuǎn)程上,不是找死么?服務(wù)器本身是接受的,你弄了個(gè)出的,并且還是tcp的setup ...


sh是載入防火墻腳本啊,比如:
# sh /etc/ipfw.rules

我遠(yuǎn)程su到root,如何載入防火墻腳本的時(shí)候不斷開(kāi)? 應(yīng)該如何調(diào)整? 以下是我防火墻腳本.
  1. #!/bin/sh

  3. # Flush out the list before we begin.
  4. ipfw -q -f flush

  6. # Set rules command prefix
  7. cmd="ipfw -q add"
  8. ks="keep-state"
  9. oif="em0"
  10. odns1="202.96.134.133"
  11. odns2="8.8.8.8"

  13. # Change xl0 to LAN NIC interface name
  14. $cmd 00005 allow all from any to any via xl0

  16. # No restrictions on Loopback Interface
  17. $cmd 00010 allow all from any to any via lo0

  19. # allows the packet through in dynamic rules table
  20. $cmd 00100 check-state

  22. # ------------------ IPFW Rules Priority ------------------
  23. # Allow outbound SSH
  24. $cmd 00110 allow tcp from any to any 22 out via $oif setup $ks
  25. $cmd 00120 allow tcp from any to me 22 in via $oif setup limit src-addr 12

  27. # Allow out FreeBSD root operate
  28. $cmd 00150 allow tcp from me to any out via $oif setup $ks uid root

  30. # ------------------ IPFW Rules System --------------------
  31. # Allow access to public DNS
  32. $cmd 00200 allow tcp from any to $odns1 53 out via $oif setup $ks
  33. $cmd 00210 allow udp from any to $odns1 53 out via $oif $ks
  34. $cmd 00220 allow tcp from any to $odns2 53 out via $oif setup $ks
  35. $cmd 00230 allow udp from any to $odns2 53 out via $oif $ks

  37. # Allow access to ISP's DHCP server for cable/DSL configurations
  38. #$cmd 00300 allow log udp from any to any 67 out via $oif $ks
  39. #$cmd 00310 allow udp from any to x.x.x.x 67 out via $oif $ks
  40. #$cmd 00320 allow udp from any to x.x.x.x 67 in via $oif $ks

  42. # Allow ping
  43. $cmd 00400 allow icmp from any to any out via $oif $ks
  44. $cmd 00410 allow icmp from any to any in via $oif $ks

  46. # Allow NTP
  47. $cmd 00420 allow tcp from any to any 37 out via $oif setup $ks
  48. $cmd 00430 allow udp from any to any 123 out via $oif $ks

  50. # ------------------ IPFW Rules Service -------------------
  51. # Allow HTTP connections
  52. $cmd 00500 allow tcp from any to any 80 out via $oif setup $ks
  53. $cmd 00510 allow tcp from any to me 80 in via $oif setup limit src-addr 24

  55. # Allow HTTPS connections
  56. $cmd 00550 allow tcp from any to any 443 out via $oif setup $ks
  57. $cmd 00560 allow tcp from any to me 443 in via $oif setup limit src-addr 24

  59. # Allow out secure FTP
  60. $cmd 00600 allow tcp from any to any 21 out via $oif setup $ks
  61. $cmd 00610 allow tcp from any to me 21 in via $oif setup limit src-addr 12

  63. # Allow in non-secure Telnet session from public Internet
  64. $cmd 00650 allow tcp from any to me 23 in via $oif setup limit src-addr 12

  66. # Allow outbound email connections
  67. $cmd 00710 allow tcp from any to any 25 out via $oif setup $ks
  68. $cmd 00720 allow tcp from any to any 110 out via $oif setup $ks

  70. # Allow ident
  71. #$cmd 00800 allow tcp from any to any 113 in via $oif setup $ks

  73. # Allow out whois
  74. $cmd 00810 allow tcp from any to any 43 out via $oif setup $ks

  76. # Allow out nntp news (i.e., news groups)
  77. #$cmd 00820 allow tcp from any to any 119 out via $oif setup $ks

  79. # ------------------ IPFW Rules Deny ----------------------
  80. # Deny all Netbios service. 137=name, 138=datagram, 139=session, 81=hosts2
  81. $cmd 00910 deny tcp from any to any 137 in via $oif
  82. $cmd 00920 deny tcp from any to any 138 in via $oif
  83. $cmd 00930 deny tcp from any to any 139 in via $oif
  84. $cmd 00940 deny tcp from any to any 81 in via $oif

  86. # Deny any late arriving packets
  87. $cmd 00950 deny all from any to any frag in via $oif

  89. # Deny ACK packets that did not match the dynamic rule table
  90. $cmd 00960 deny tcp from any to any established in via $oif

  92. # deny and log all other outbound and incoming connections`
  93. $cmd 00991 deny log all from any to any out via $oif
  94. $cmd 00992 deny log all from any to any in via $oif

  96. # Everything else is denied by default
  97. $cmd 00999 deny log all from any to any
復(fù)制代碼
作者: lsstarboy    時(shí)間: 2015-07-15 15:03
回復(fù) 4# bleakwind

1、ipfw.rule的開(kāi)頭已經(jīng)有#!sh了,就不需要再sh /etc/ipfw.rule

2、重載規(guī)則不被鎖,要么crontab定時(shí)重啟,要么set 31。

3、你從哪兒抄的規(guī)則?
   
作者: bleakwind    時(shí)間: 2015-07-19 09:24
lsstarboy 發(fā)表于 2015-07-15 15:03
回復(fù) 4# bleakwind

1、ipfw.rule的開(kāi)頭已經(jīng)有#!sh了,就不需要再sh /etc/ipfw.rule


官方手冊(cè)
作者: lsstarboy    時(shí)間: 2015-07-20 09:00
那只是示例,要根據(jù)你自己的具體情況修改。
作者: bleakwind    時(shí)間: 2015-10-19 05:40
本帖最后由 bleakwind 于 2015-10-19 05:42 編輯
lsstarboy 發(fā)表于 2015-07-20 09:00
那只是示例,要根據(jù)你自己的具體情況修改。


想問(wèn)下那個(gè)規(guī)則哪里有不合理的地方?

還有set 31如何設(shè)定? 是否下面這樣? 還有其他方法嗎?

ipfw -q add 00110 set 31 allow tcp from any to any 22 out via em0 setup keep-state
ipfw -q add 00120 set 31 allow tcp from any to me 22 in via em0 setup limit src-addr 12
ipfw -q add 00150 set 31 allow tcp from me to any out via em0 setup keep-state uid root
作者: lsstarboy    時(shí)間: 2015-10-19 09:24
建議先學(xué)一下協(xié)議,再把ipfw的man多讀幾遍,然后再配防火墻,否則最多只能算是照本宣科。

既使給你說(shuō)了答案,又有什么用呢?下次遇到仍然是不會(huì),況且你連你的需求都不是很明確。
作者: bleakwind    時(shí)間: 2015-10-19 10:34
lsstarboy 發(fā)表于 2015-10-19 09:24
建議先學(xué)一下協(xié)議,再把ipfw的man多讀幾遍,然后再配防火墻,否則最多只能算是照本宣科。

既使給你說(shuō)了答 ...


手冊(cè)上,包括你的那篇翻譯都沒(méi)有明確set number的應(yīng)用場(chǎng)合.

我自己試出來(lái)了,并為了不重載導(dǎo)致重復(fù)規(guī)則寫了個(gè)判斷, 不知道對(duì)不對(duì):

if [ -z "`ipfw -S list 00110`" ]; then
$cmd 00110 set 31 allow tcp from any to any 22 out via $oif setup $ks
fi
if [ -z "`ipfw -S list 00120`" ]; then
$cmd 00120 set 31 allow tcp from any to me 22 in via $oif setup limit src-addr 12
fi
作者: lsstarboy    時(shí)間: 2015-10-19 11:13
問(wèn)題出在from where to where上面
作者: bleakwind    時(shí)間: 2015-10-19 18:39
lsstarboy 發(fā)表于 2015-10-19 09:24
建議先學(xué)一下協(xié)議,再把ipfw的man多讀幾遍,然后再配防火墻,否則最多只能算是照本宣科。

既使給你說(shuō)了答 ...


我只是想能遠(yuǎn)程重新加載防火墻而不被擋出來(lái).
而且我也試驗(yàn)過(guò)10樓兩句是可以的.

如果遠(yuǎn)程加載防火墻被擋出來(lái)還如何學(xué)習(xí)試驗(yàn)后面的詳細(xì)規(guī)則?
作者: lsstarboy    時(shí)間: 2015-10-20 21:36
如果沒(méi)有tcp、udp這類的協(xié)議基礎(chǔ),配防火墻會(huì)很累的。



歡迎光臨 Chinaunix (http://72891.cn/) Powered by Discuz! X3.2