За да използваме защитната стена, трябва да зададем име (name) и да определим правило (rule). След rule имаме различни команди според изискванията ни като action, description, destination, fragment, icmp, ipsec, log, protocol, recent,,source, state. За да работят всички тези правила трябва да ги закачим към някой от интерфейсите. В случая имаме три възможности:
in Прилагайки това правило в защитната стена ще филтрираме пакети, влизащи в интерфейса.
out Прилагайки това правило в защитната стена ще филтрираме пакети, излизащи от интерфейса.
local Прилагайки това правило в защитната стена ще филтрираме пакети, за самата система.
За всеки интерфейс, могат да се прилагат и трите правила (in, out и local) в защитната стена. Правилата на веригите по подразбиране отхвърлят всички пакети.
set firewall name eth0local rule 10 action accept set firewall name eth0local rule 10 protocol icmp set firewall name eth0local rule 10 state established enable set firewall name eth0local rule 10 state related enable set firewall name eth0local rule 11 action accept set firewall name eth0local rule 11 protocol udp set firewall name eth0local rule 11 source port 53,123 set firewall name eth0local rule 11 state established enable set firewall name eth0local rule 11 state related enable set firewall name eth0local rule 12 action accept set firewall name eth0local rule 12 protocol udp set firewall name eth0local rule 12 destination port 68 set firewall name eth0local rule 12 source port 67 set firewall name eth0local rule 12 state established enable set firewall name eth0local rule 12 state related enable set firewall name eth0local rule 20 action accept set firewall name eth0local rule 20 source address 93.155.130.0/23 set firewall name eth0local rule 20 protocol tcp set firewall name eth0local rule 20 destination port 22,443 set firewall name eth0local rule 20 state new enable set firewall name eth0local rule 20 state established enable set firewall name eth0local rule 20 state related enable set firewall name eth0local rule 21 action accept set firewall name eth0local rule 21 source address 93.155.162.0/24 set firewall name eth0local rule 21 protocol tcp set firewall name eth0local rule 21 destination port 22,443 set firewall name eth0local rule 21 state new enable set firewall name eth0local rule 21 state established enable set firewall name eth0local rule 21 state related enable set interfaces ethernet eth0 firewall local name eth0local set firewall name eth0in rule 10 action drop set firewall name eth0in rule 10 source address 213.91.213.195 set firewall name eth0in rule 20 action accept set firewall name eth0in rule 20 protocol all set firewall name eth0in rule 20 state established enable set firewall name eth0in rule 20 state related enable set firewall name eth0in rule 20 state new enable set firewall name eth0in rule 21 action drop set firewall name eth0in rule 21 protocol all set firewall name eth0in rule 21 state invalid enable set interfaces ethernet eth0 firewall in name eth0in vyatta@vyatta# show firewall name eth0in { rule 10 { action drop source { address 213.91.213.195 } } rule 20 { action accept protocol all state { established enable new enable related enable } } rule 21 { action drop protocol all state { invalid enable } } } name eth0local { rule 10 { action accept protocol icmp state { established enable related enable } } rule 11 { action accept protocol udp source { port 53,123 } state { established enable related enable } } rule 12 { action accept destination { port 68 } protocol udp source { port 67 } state { established enable related enable } } rule 20 { action accept destination { port 22,443 } protocol tcp source { address 93.155.130.0/23 } state { established enable new enable related enable } } rule 21 { action accept destination { port 22,443 } protocol tcp source { address 93.155.162.0/24 } state { established enable new enable related enable } } } [edit] |