...

Allow the authentication header (AH) protocol

$ sudo firewall-cmd --permanent --add-rich-rule='rule protocol value="ah" accept'

...

Remove the authentication header (AH) allow rule

$ sudo firewall-cmd --permanent --remove-rich-rule='rule protocol value="ah" accept'

...

Allow ftp (from one subnet, rate-limited logging plus audit)

$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" service name="ftp" source address="192.168.10.0/24" log limit value="30/s" prefix="ftp" audit accept'

...

Allow ssh only from the bastion host

$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" source address="192.168.58.2" service name="ssh" accept'

...

Whitelist: accept everything from a trusted source address

$ sudo firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.20.2" accept'

...

Blacklist: reject a source address (the sender gets an ICMP error)

$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" source address="192.168.58.10" reject type="icmp-net-prohibited"'

...

Blacklist: silently drop packets from a source address

$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" source address="192.168.58.11" drop'

...

IP spoofing defense

# Drop packets whose source address can never legitimately arrive from the internet.
# RFC 1918 private ranges
$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" drop'
$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" source address="172.16.0.0/12" drop'
$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/16" drop'
# Link-local range (the whole /16, not a single host)
$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" source address="169.254.0.0/16" drop'
# TEST-NET-1 (documentation range)
$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" source address="192.0.2.0/24" drop'
# Multicast and reserved space
$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" source address="224.0.0.0/4" drop'
$ sudo firewall-cmd --zone=dmz --permanent --add-rich-rule='rule family="ipv4" source address="240.0.0.0/5" drop'
$ sudo firewall-cmd --reload


Of these, the private address ranges and the 224.0.0.0 range reserved for multicast may legitimately be in use, depending on how your company's network is laid out. A server on the internet should block such packets only when they arrive from a private address on its internet-facing side, so it is best to use the --zone option to state explicitly which zone the private-address drop rules apply to.
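As an added example (not part of the original page), the following Python helper mirrors the anti-spoofing block above: it validates each range as an IPv4 network, flags an entry written without a prefix length (which would match only a single host rather than a block), renders the same firewall-cmd invocations for a chosen zone, and lets you check whether a given source address would be dropped. The zone name, the range list and the function names are this example's own assumptions.

```python
"""Build and sanity-check firewalld anti-spoofing rich rules for one zone.

Added example; the range list follows the page's "IP spoofing defense"
block, the helper names and the zone argument are assumptions.
"""
import ipaddress
import shlex

# Source ranges that should never reach an internet-facing interface:
# RFC 1918 private space, link-local, TEST-NET-1, multicast, reserved.
SPOOF_SOURCES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/5",
]


def validate_ranges(ranges):
    """Parse each entry as an IPv4 network (strict: host bits must be zero).

    Returns (networks, suspicious); 'suspicious' lists entries written
    without a prefix length, which ipaddress turns into a /32 single host.
    """
    networks, suspicious = [], []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=True)
        if net.version != 4:
            raise ValueError(f'rule family="ipv4" cannot carry {r}')
        if "/" not in r:
            suspicious.append(r)
        networks.append(net)
    return networks, suspicious


def rich_rule(net, action="drop"):
    """Rich-rule text in the same form the page uses."""
    return f'rule family="ipv4" source address="{net.with_prefixlen}" {action}'


def firewall_cmds(zone, ranges):
    """Permanent add-rich-rule commands for the zone, followed by a reload."""
    networks, _ = validate_ranges(ranges)
    cmds = [f"firewall-cmd --zone={shlex.quote(zone)} --permanent "
            f"--add-rich-rule={shlex.quote(rich_rule(n))}" for n in networks]
    cmds.append("firewall-cmd --reload")
    return cmds


def would_drop(ip, ranges):
    """True if a packet from this source address matches one of the drop rules."""
    addr = ipaddress.ip_address(ip)
    networks, _ = validate_ranges(ranges)
    return any(addr in n for n in networks)
```

Run `validate_ranges` on a candidate list before applying it: a bare address such as "169.254.0.0" parses without error but protects only that one host.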

...

Smurf attack defense

# Drop packets addressed to the "this network" and limited-broadcast addresses,
# which is where amplified ICMP floods are aimed.
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="0.0.0.0/8" drop'
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="255.255.255.255" drop'

...