In computer security the wisest move is to block everything first and then open up only what is needed. There is a maxim for this: `no entry unless expressly permitted'. I recommend you keep it firmly in mind if security is your foremost concern.

Don't run any services you don't need, regardless of whether you believe you have already blocked access to them.

If you are building a dedicated firewall, start by running nothing at all and blocking every packet, then add services and let the required packets through one at a time.

I place particular emphasis on combining several layers of protection: tcp-wrappers (for connections to the packet filter itself), service proxies (for connections passing through the packet filter), route verification, and packet filtering. Route verification means that a packet arriving on an interface it was not expected from is dropped: for example, if your internal network uses the address range 10.1.1.0/24 and a packet with a source address in that range arrives on the external interface, it is discarded. It can be enabled for a single interface (such as ppp0) like this:
# echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
#
or for all existing and future interfaces, like this:
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo 1 > $f
# done
#
Debian does this by default where possible. If you have asymmetric routing (that is, you expect packets to arrive from other directions), you should turn this filtering off on those interfaces.

Logging is very useful while you are setting up a firewall and something isn't working; on a production firewall, however, always combine it with the `limit' match so that nobody can flood your log files.

I strongly recommend connection tracking on security-sensitive systems: it does add some overhead, because every connection has to be tracked, but it is very useful for controlling access to your network. If your kernel does not load modules automatically, you may need to load the `ip_conntrack.o' module. If you want accurate tracking of complex protocols, you will also need to load the appropriate helper module (for example `ip_conntrack_ftp.o').
# iptables -N no-conns-from-ppp0
# iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
# iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:"
# iptables -A no-conns-from-ppp0 -j DROP
# iptables -A INPUT -j no-conns-from-ppp0
# iptables -A FORWARD -j no-conns-from-ppp0
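The following script is an added example and is not part of this HOWTO; it puts the two procedures above together: turning on route verification for every interface except those with asymmetric routing, and loading a default-deny chain that accepts tracked replies, accepts new connections only from inside, and rate-limits its logging. It assumes a current iptables (the `! -i' form and the `conntrack' match, which replace the older `-i !' and `state' syntax shown above), a Linux /proc layout under /proc/sys/net/ipv4/conf, and an external interface named ppp0; the IPT, EXT_IF, ASYM_IFS and PROC_NET variables are this example's own and can be overridden for a dry run (IPT=echo prints the rules instead of applying them).

```shell
#!/bin/sh
# Added example (not the HOWTO's own code): a minimal default-deny firewall
# built from the section's advice.  Run with FW_APPLY=1 as root to apply;
# with IPT=echo it only prints the iptables commands it would run.
set -eu

IPT="${IPT:-iptables}"                 # assumed: rule loader, "echo" for a dry run
EXT_IF="${EXT_IF:-ppp0}"               # assumed: the untrusted external interface
ASYM_IFS="${ASYM_IFS:-}"               # assumed: space-separated asymmetric-routing interfaces
PROC_NET="${PROC_NET:-/proc/sys/net/ipv4/conf}"   # assumed: overridable for testing

# Enable reverse-path (route) verification on every interface, except those
# listed in ASYM_IFS, where a strict check would drop legitimate packets.
set_rp_filter() {
    for f in "$PROC_NET"/*/rp_filter; do
        [ -e "$f" ] || continue
        ifname=$(basename "$(dirname "$f")")
        case " $ASYM_IFS " in
            *" $ifname "*) echo 0 > "$f" ;;   # asymmetric routing: leave the check off
            *)             echo 1 > "$f" ;;   # everything else: drop spoofed sources
        esac
    done
}

# Build the no-conns-from-<EXT_IF> chain: replies to tracked connections are
# accepted, new connections are accepted only when they do not arrive on the
# external interface, and whatever remains is logged (rate-limited) and dropped.
build_chain() {
    chain="no-conns-from-$EXT_IF"
    $IPT -N "$chain"
    $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A "$chain" -m conntrack --ctstate NEW ! -i "$EXT_IF" -j ACCEPT
    # "-m limit" caps how often LOG fires (iptables' default is 3/hour with a
    # burst of 5); an explicit rate keeps a flood from filling the log.
    $IPT -A "$chain" -i "$EXT_IF" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "Bad packet from $EXT_IF:"
    $IPT -A "$chain" ! -i "$EXT_IF" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "Bad packet not from $EXT_IF:"
    $IPT -A "$chain" -j DROP
    $IPT -A INPUT -j "$chain"
    $IPT -A FORWARD -j "$chain"
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    set_rp_filter
    build_chain
fi
```

Try `IPT=echo FW_APPLY=1 sh firewall.sh` first to review the generated rules; only the LOG lines carry a limit, so the DROP itself is never rate-limited and unwanted packets are still discarded once the log quota is exhausted.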
Building a good firewall is beyond the scope of this HOWTO, but my advice is: `always be minimalist'. For more on testing and probing your own machine, see the Security HOWTO.