탐색 링크 건너뛰기 | |
인쇄 보기 종료 | |
Oracle Solaris 11.1의 네트워크 보안 Oracle Solaris 11.1 Information Library (한국어) |
3. 웹 서버 및 Secure Sockets Layer 프로토콜
다른 또는 업데이트된 패킷 필터링 규칙 세트 활성화 방법
활성 패킷 필터링 규칙 세트와 비활성 패킷 필터링 규칙 세트 간 전환 방법
다음 예에서는 단일 호스트, 서버 및 라우터에 적용되는 패킷 필터링 규칙을 보여 줍니다.
구성 파일은 표준 UNIX 구문 규칙을 따릅니다.
파운드 기호(#)는 행에 주석이 포함되어 있음을 나타냅니다.
규칙과 주석은 동일한 행에 함께 사용될 수 있습니다.
규칙을 쉽게 읽을 수 있도록 임의로 공백을 사용할 수 있습니다.
규칙의 길이는 두 행 이상일 수 있습니다. 행 끝에 백슬래시(\)를 사용하여 규칙이 다음 행에서 계속됨을 나타낼 수 있습니다.
자세한 구문 정보는 패킷 필터링 규칙 구성을 참조하십시오.
예 5-20 IP 필터 호스트 구성
이 예에서는 net0 네트워크 인터페이스가 있는 호스트 시스템에 대한 구성을 보여 줍니다.
# pass and log everything by default pass in log on net0 all pass out log on net0 all # block, but don't log, incoming packets from other reserved addresses block in quick on net0 from 10.0.0.0/8 to any block in quick on net0 from 172.16.0.0/12 to any # block and log untrusted internal IPs. 0/32 is notation that replaces # address of the machine running IP Filter. block in log quick from 192.168.1.15 to <thishost> block in log quick from 192.168.1.43 to <thishost> # block and log X11 (port 6000) and remote procedure call # and portmapper (port 111) attempts block in log quick on net0 proto tcp from any to net0/32 port = 6000 keep state block in log quick on net0 proto tcp/udp from any to net0/32 port = 111 keep state
이 규칙 세트는 net0 인터페이스에서 모든 항목을 주고받을 수 있도록 허용하는 제한되지 않은 두 개의 규칙으로 시작합니다. 두번째 규칙 세트는 개인 주소 공간 10.0.0.0 및 172.16.0.0의 수신 패킷이 방화벽에 들어오지 못하도록 차단합니다. 다음 규칙 세트는 호스트 시스템의 특정 내부 주소를 차단합니다. 마지막 규칙 세트는 포트 6000 및 포트 111에서 수신되는 패킷을 차단합니다.
예 5-21 IP 필터 서버 구성
이 예에서는 웹 서버로 사용되는 호스트 시스템에 대한 구성을 보여 줍니다. 이 시스템에는 net0 네트워크 인터페이스가 있습니다.
# web server with an net0 interface # block and log everything by default; # then allow specific services # group 100 - inbound rules # group 200 - outbound rules # (0/32) resolves to our IP address) *** FTP proxy *** # block short packets which are packets # fragmented too short to be real. block in log quick all with short # block and log inbound and outbound by default, # group by destination block in log on net0 from any to any head 100 block out log on net0 from any to any head 200 # web rules that get hit most often pass in quick on net0 proto tcp from any \ to net0/32 port = http flags S keep state group 100 pass in quick on net0 proto tcp from any \ to net0/32 port = https flags S keep state group 100 # inbound traffic - ssh, auth pass in quick on net0 proto tcp from any \ to net0/32 port = 22 flags S keep state group 100 pass in log quick on net0 proto tcp from any \ to net0/32 port = 113 flags S keep state group 100 pass in log quick on net0 proto tcp from any port = 113 \ to net0/32 flags S keep state group 100 # outbound traffic - DNS, auth, NTP, ssh, WWW, smtp pass out quick on net0 proto tcp/udp from net0/32 \ to any port = domain flags S keep state group 200 pass in quick on net0 proto udp from any \ port = domain to net0/32 group 100 pass out quick on net0 proto tcp from net0/32 \ to any port = 113 flags S keep state group 200 pass out quick on net0 proto tcp from net0/32 port = 113 \ to any flags S keep state group 200 pass out quick on net0 proto udp from net0/32 to any \ port = ntp group 200 pass in quick on net0 proto udp from any \ port = ntp to net0/32 port = ntp group 100 pass out quick on net0 proto tcp from net0/32 \ to any port = ssh flags S keep state group 200 pass out quick on net0 proto tcp from net0/32 \ to any port = http flags S keep state group 200 pass out quick on net0 proto tcp from net0/32 \ to any port = https flags S keep state group 200 pass out quick on net0 proto tcp from net0/32 \ to any port = smtp flags S keep state group 200 # pass icmp packets in and out pass in quick on net0 proto icmp from any to net0/32 keep state group 100 pass out quick on net0 proto icmp from net0/32 to any keep state group 200 # block and ignore NETBIOS packets block in quick on net0 proto tcp from any \ to any port = 135 flags S keep state group 100 block in quick on net0 proto tcp from any port = 137 \ to any flags S keep state group 100 block in quick on net0 proto udp from any to any port = 137 group 100 block in quick on net0 proto udp from any port = 137 to any group 100 block in quick on net0 proto tcp from any port = 138 \ to any flags S keep state group 100 block in quick on net0 proto udp from any port = 138 to any group 100 block in quick on net0 proto tcp from any port = 139 to any flags S keep state group 100 block in quick on net0 proto udp from any port = 139 to any group 100
예 5-22 IP 필터 라우터 구성
이 예에서는 내부 인터페이스 net0 및 외부 인터페이스 net1이 있는 라우터에 대한 구성을 보여 줍니다.
# internal interface is net0 at 192.168.1.1 # external interface is net1 IP obtained via DHCP # block all packets and allow specific services *** NAT *** *** POOLS *** # Short packets which are fragmented too short to be real. block in log quick all with short # By default, block and log everything. block in log on net0 all block in log on net1 all block out log on net0 all block out log on net1 all # Packets going in/out of network interfaces that aren't on the loopback # interface should not exist. block in log quick on net0 from 127.0.0.0/8 to any block in log quick on net0 from any to 127.0.0.0/8 block in log quick on net1 from 127.0.0.0/8 to any block in log quick on net1 from any to 127.0.0.0/8 # Deny reserved addresses. block in quick on net1 from 10.0.0.0/8 to any block in quick on net1 from 172.16.0.0/12 to any block in log quick on net1 from 192.168.1.0/24 to any block in quick on net1 from 192.168.0.0/16 to any # Allow internal traffic pass in quick on net0 from 192.168.1.0/24 to 192.168.1.0/24 pass out quick on net0 from 192.168.1.0/24 to 192.168.1.0/24 # Allow outgoing DNS requests from our servers on .1, .2, and .3 pass out quick on net1 proto tcp/udp from net1/32 to any port = domain keep state pass in quick on net0 proto tcp/udp from 192.168.1.2 to any port = domain keep state pass in quick on net0 proto tcp/udp from 192.168.1.3 to any port = domain keep state # Allow NTP from any internal hosts to any external NTP server. pass in quick on net0 proto udp from 192.168.1.0/24 to any port = 123 keep state pass out quick on net1 proto udp from any to any port = 123 keep state # Allow incoming mail pass in quick on net1 proto tcp from any to net1/32 port = smtp keep state pass in quick on net1 proto tcp from any to net1/32 port = smtp keep state pass out quick on net1 proto tcp from 192.168.1.0/24 to any port = smtp keep state # Allow outgoing connections: SSH, WWW, NNTP, mail, whois pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = 22 keep state pass out quick on net1 proto tcp from 192.168.1.0/24 to any port = 22 keep state pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = 80 keep state pass out quick on net1 proto tcp from 192.168.1.0/24 to any port = 80 keep state pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = 443 keep state pass out quick on net1 proto tcp from 192.168.1.0/24 to any port = 443 keep state pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = nntp keep state block in quick on net1 proto tcp from any to any port = nntp keep state pass out quick on net1 proto tcp from 192.168.1.0/24 to any port = nntp keep state pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = smtp keep state pass in quick on net0 proto tcp from 192.168.1.0/24 to any port = whois keep state pass out quick on net1 proto tcp from any to any port = whois keep state # Allow ssh from offsite pass in quick on net1 proto tcp from any to net1/32 port = 22 keep state # Allow ping out pass in quick on net0 proto icmp all keep state pass out quick on net1 proto icmp all keep state # allow auth out pass out quick on net1 proto tcp from net1/32 to any port = 113 keep state pass out quick on net1 proto tcp from net1/32 port = 113 to any keep state # return rst for incoming auth block return-rst in quick on net1 proto tcp from any to any port = 113 flags S/SA # log and return reset for any TCP packets with S/SA block return-rst in log on net1 proto tcp from any to any flags S/SA # return ICMP error packets for invalid UDP packets block return-icmp(net-unr) in proto udp all