Re: telnet filter and ftp filter

Dick St.Peters (stpeters@NetHeaven.com)
Fri, 25 Apr 1997 17:32:27 -0400

Carl Rigney writes:
> Drew C Morone <drew@j51.com> asks:
> > I would like to set up a filter that blocks the world from ftp'ing to and
> > from a dialin user with a static IP address. I would like to do the same
> > to keep the world from telnetting into this address. Anybody have a filter
> > like that?
>
> The following output filter will keep anyone connecting to the ftp,
> telnet, and http ports (which someone else asked for) on the dial-in
> user's host, but allow any other kind of access. Note that a clever
> user can change the ports these services listen on.
>
> add filter noftp.out
> set filter noftp.out 1 permit tcp established
> set filter noftp.out 2 deny tcp dst eq 21
> set filter noftp.out 3 deny tcp dst eq 23
> set filter noftp.out 4 deny tcp dst eq 80
> set filter noftp.out 5 permit
> save all

A tighter version:

add filter nosyn.out
set filter nosyn.out 1 permit tcp established
set filter nosyn.out 2 permit udp
set filter nosyn.out 3 permit tcp dst eq 20
set filter nosyn.out 4 permit tcp dst eq 113
set filter nosyn.out 5 deny tcp
set filter nosyn.out 6 permit

This blocks all sorts of servers, muds, and the like without having to
chase each one down.

Rule 2 isn't actually necessary but can save a lot of cpu when users
do audio/video stuff.

--
Dick St.Peters, stpeters@NetHeaven.com 
Gatekeeper, NetHeaven, Ballston Spa, NY, 1-800-910-6671 (voice)
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
	  First Internet service based in the 518 area code
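Added example, not part of Dick's or Carl's posts: a small Python evaluator for the PortMaster-style filter lines quoted above, with assumed semantics (first matching rule wins, "established" matches only TCP packets that are not bare SYNs, implicit deny at the end). Run on constructed packets it shows why nosyn.out is tighter: an inbound SYN to a service moved off port 21 passes noftp.out but is dropped by nosyn.out.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str              # "tcp" or "udp"
    dst_port: int
    syn_only: bool = False  # True for a connection-opening SYN (ACK clear)

def parse_rules(text):
    """Parse 'set filter NAME N permit|deny [tcp|udp] [established] [dst eq PORT]'."""
    rules = []
    for line in text.strip().splitlines():
        w = line.split()
        if w[:2] != ["set", "filter"]:
            continue                      # skip 'add filter', 'save all', etc.
        action, rest = w[4], w[5:]
        proto = rest[0] if rest and rest[0] in ("tcp", "udp") else None
        established = "established" in rest
        dst = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
        rules.append((action, proto, established, dst))
    return rules

def decide(filter_text, pkt):
    """First matching rule wins (assumed); no match means deny (assumed)."""
    for action, proto, established, dst in parse_rules(filter_text):
        if proto and pkt.proto != proto:
            continue
        if established and (pkt.proto != "tcp" or pkt.syn_only):
            continue                      # assumed: 'established' = not a bare SYN
        if dst is not None and pkt.dst_port != dst:
            continue
        return action
    return "deny"

# The two filters exactly as posted in the thread.
NOFTP_OUT = """set filter noftp.out 1 permit tcp established
set filter noftp.out 2 deny tcp dst eq 21
set filter noftp.out 3 deny tcp dst eq 23
set filter noftp.out 4 deny tcp dst eq 80
set filter noftp.out 5 permit"""
NOSYN_OUT = """set filter nosyn.out 1 permit tcp established
set filter nosyn.out 2 permit udp
set filter nosyn.out 3 permit tcp dst eq 20
set filter nosyn.out 4 permit tcp dst eq 113
set filter nosyn.out 5 deny tcp
set filter nosyn.out 6 permit"""

# Constructed sample: an inbound SYN to a server moved from port 21 to 8021.
MOVED_FTP = Packet("tcp", 8021, syn_only=True)
```

`decide(NOFTP_OUT, MOVED_FTP)` returns "permit" while `decide(NOSYN_OUT, MOVED_FTP)` returns "deny"; UDP and already-established TCP pass both filters.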