NetBSD rules
Try Darren Reed's ipfilter, which is a TCP/IP packet filter. It can:
- explicitly deny/permit any packet from passing through
- distinguish between various interfaces
- filter by IP networks or hosts
- selectively filter any IP protocol
- selectively filter fragmented IP packets
- selectively filter packets with IP options.
- send back an ICMP error/TCP reset for blocked packets
- keep packet state information for TCP, UDP and ICMP packet flows.
- keep fragment state information for any IP packet, applying the same rule to all fragments.
- act as a Network Address Translator (NAT)
- use redirection to set up true transparent proxy connections.
Special provision is made for the three most common Internet protocols,
TCP, UDP and ICMP. The IP Packet filter allows filtering of:
- TCP/UDP packets by port number or a port number range
- ICMP packets by type/code
- "established" TCP packets
- any arbitrary combination of TCP flags
- "short" IP packets (fragments too short to carry a complete header)
- any of the 19 IP options or 8 registered IP security classes
- TOS (Type of Service) field in packets
For more information, check out the ipfilter-homepage at
http://www.cyber.com.au/users/darrenr/.
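The following rule set is an added example of the features listed above (a default-deny filter with state, "short" and IP-option blocking, TCP reset/ICMP error responses, plus NAT and a transparent-proxy redirection); it is not taken from the ipfilter distribution. It assumes an external interface `le0' on the example network 192.0.2.0/24, an internal interface `le1' fronting 10.0.0.0/8, and an SSH server at 192.0.2.10; change these to match your machine.

```ipf
# /etc/ipf.conf -- added example, assumed interfaces le0 (outside) and le1 (inside)

# Never filter the loopback interface.
pass in  quick on lo0 all
pass out quick on lo0 all

# Drop (and log) fragments too short to hold a full header, and anything
# carrying IP options (source routing etc.).
block in log quick all with short
block in log quick all with ipopts

# Anti-spoofing: our own network must never arrive from the outside.
block in log quick on le0 from 192.0.2.0/24 to any

# Inbound SSH to one host only, TCP SYN only, with connection state and
# fragment state kept so the replies need no separate rule.
pass in quick on le0 proto tcp from any to 192.0.2.10/32 port = 22 flags S/SA keep state keep frags

# Allow ping to our network by ICMP type.
pass in quick on le0 proto icmp from any to 192.0.2.0/24 icmp-type echo

# Reject ident with a TCP reset instead of a silent drop, so remote
# mailers do not hang waiting for an answer.
block return-rst in quick on le0 proto tcp from any to any port = 113
# Unsolicited UDP gets an ICMP port-unreachable back.
block return-icmp(port-unr) in quick on le0 proto udp from any to any

# Everything from inside may go out; state is kept for the answers.
pass out quick on le0 proto tcp  from 192.0.2.0/24 to any flags S/SA keep state
pass out quick on le0 proto udp  from 192.0.2.0/24 to any keep state
pass out quick on le0 proto icmp from 192.0.2.0/24 to any keep state

# Default deny, logged.
block in  log all
block out log all

# /etc/ipnat.conf -- added example: NAT and transparent proxying
# Hide 10.0.0.0/8 behind le0's own address (0/32 = address of the interface);
# the portmap line handles TCP/UDP, the second line the remaining protocols.
map le0 10.0.0.0/8 -> 0/32 portmap tcp/udp 10000:60000
map le0 10.0.0.0/8 -> 0/32
# Send all web traffic arriving on the inside interface to a local proxy
# listening on port 3128, without the clients knowing.
rdr le1 0/0 port 80 -> 127.0.0.1 port 3128 tcp
```

Load the two files with `ipf -Fa -f /etc/ipf.conf' and `ipnat -CF -f /etc/ipnat.conf'. Rules are evaluated top to bottom and the last match wins unless `quick' is given, which is why the default-deny rules sit at the end and the explicit passes use `quick'. The `keep state' on the SSH and outbound rules is what makes the default-deny workable: the return packets are matched by the state table, not by a rule, so you never need a broad "pass in ... flags A" rule that an attacker could satisfy with a crafted ACK.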
If setting up a whole packet filter seems overkill to you, there is a
package called tcp_wrappers, which you can hook into your `/etc/inetd.conf'
and which will allow/deny certain services on a per-host or per-user
basis. The package is available from
ftp://cert.org/pub/tools/tcp_wrappers/.
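As an added example (not part of the tcp_wrappers package or this page's original text), here is the minimal setup: inetd runs `tcpd' in place of the real daemon, and tcpd consults `/etc/hosts.allow' and then `/etc/hosts.deny' before exec'ing it. The install path of tcpd and the host and user names are assumptions.

```text
# /etc/inetd.conf -- hand each wrapped service to tcpd (path assumed).
# The last field must still be the real daemon, since tcpd execs it by name.
ftp     stream  tcp  nowait  root  /usr/local/libexec/tcpd  ftpd -l
telnet  stream  tcp  nowait  root  /usr/local/libexec/tcpd  telnetd

# /etc/hosts.allow -- consulted first; the first matching line wins.
# Daemon names are matched against the daemon's argv[0].
# A trailing dot matches a network prefix: all of 192.0.2.x.
ftpd: 192.0.2.
# user@host makes tcpd ask the client's identd (RFC 931) for the user name;
# only that user from that host may telnet in.
telnetd: admin@console.example.org
# Local connections are always fine.
ALL: localhost 127.0.0.1

# /etc/hosts.deny -- anything not matched above is refused and logged via syslog.
ALL: ALL
```

Test the rules before relying on them: `tcpdchk' reports syntax errors and daemons listed in the access files that inetd does not actually wrap, and `tcpdmatch ftpd 192.0.2.5' shows which line a given client would hit. The `user@host' form is only as trustworthy as the remote identd, so use it to narrow access, never as the sole authentication.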