E' possibile far si che chi si collega ad Internet possa visionare solo i siti(o IP)
a cui si vuole consentire l'accesso?
Se "si" con che strumento ? (Ovviamente dovra' essere uno strumento accessibile e modificabile
solo tramite password).
Io utilizzo come firewall una vecchia versione di Kerio(2.1.5 mi pare), e' possibile impostare delle regole che
consentano di uscire solo su determinati indirizzi IP remoto?
Puoi settare delle regole di blocco per determinati ip/range.
Penso che qualunque firewall decente integri una simile funzione.
Rilasciata Python FTP Server library 0.5.1
http://code.google.com/p/pyftpdlib/
We'll be those who'll make the italian folks know how difficult can be defecating in Southern California without having the crap flying all around the house.
Penso che tu possa farlo con una gran quantita' di firewall,p.es.Sygate e Kerio,facendo cosi':
1)regola che blocca qualunque protocollo
2)cerchi di connetterti e non ti lascia, guarda sul Traffic Log che cosa e' stato bloccato
3)fai una regola per autorizzarlo e la poni in cima a quella che blocca tutto n°1
4)ti connetti e vai sui siti che vuoi autorizzare creando una regola per ciascuno via via,che poi metterai sopra la numero 1,ma sotto la connessione.
Arks
Svelto!Inizia a procrastinare!
non mi e' chiara la sequenza :Originariamente inviato da Arks
Penso che tu possa farlo con una gran quantita' di firewall,p.es.Sygate e Kerio,facendo cosi':
1)regola che blocca qualunque protocollo
2)cerchi di connetterti e non ti lascia, guarda sul Traffic Log che cosa e' stato bloccato
3)fai una regola per autorizzarlo e la poni in cima a quella che blocca tutto n°1
4)ti connetti e vai sui siti che vuoi autorizzare creando una regola per ciascuno via via,che poi metterai sopra la numero 1,ma sotto la connessione.
regola 1 : permette al browser di uscire
regola 2 : permette di raggiungere il sito con IP xxx.xxx.xxx.xxx
regola 3 : regola che blocca tutto il traffico in/out TCP e UDP
oppure intendi :
regola 1 : permette di raggiungere il sito con IP xxx.xxx.xxx.xxx
regola 2 : regola che blocca tutto il traffico in/out TCP e UDP
regola 3 : permette al browser di uscire
Sono riuscito ad attuare la mia politica di filtro per l'accesso ad internet.
Ho utilizzato Kerio 2.1.5 visto che da la possibilita' d'impostare la password per accedere al pannello delle impostazioni.
Ho impostato le regole nel seguente ordine :
1 - protocolli TCP/UDP abilita l'accesso remoto all'IP xxx.xxx.xxx.xxx
2 - protocolli TCP/UDP blocca ogni accesso remoto alla porta 80
3 - abilita Internet explorer ad accedere all'esterno
Tra la regola 1 e la 2 vanno replicate le regole per ogni sito da rendere raggiungibile
Per conoscere l' IP dei vari siti ho attivato la scrittura del LOG nella regola 2 cosi quando Kerio segnala l'attivita' bloccata mette in chiaro l'indirizzo IP.
vici_1, bene se sei riuscito e ti va bene risultando stealth.
non e' esattamente come intendevo,dato che -secondo il metodo dell'americano che ti accludo (mi ha risposto sul forum di Sygate tempo fa)- l'idea e' di
1-impedire tutto con regola restrittiva
2-vedere IP o range (per il range usare WhoIS)
3-collocare questo IP/e/o range sopra la regola di blocco totale
continuare per gli altri in questa maniera.
Dare il permit/allow a IE mi pare in contrasto con la tua idea,perche' darebbe un permesso generale, ma forse ho capito male io,in questo caso ridimmelo.
Kerio 2.1.5 e' ottimo per quello che fai,ma anche Sygate potrebbe.
Comunque io p.es. saro' sempre grato a 2.1.5 perche' attraverso questo firewal ho appreso cosa significhi fare Advanced Rules.
metodo:
I have also used kpf 2.1.5 before and am still using it in a Win98 partition. In fact, I have learned how to write advanced rules using kpf at first.
What I have learned in the case of kpf can be easily applied to SPFPro with minor modifications. However, let me say that my approach is to write rules that apply strictly to specific IP addresses (ranges of IP addresses in most cases), protocols, port numbers, traffic direction, and applications or services. Each rule is suggested by the firewall itself each time it asks you whether it may or may not go to a site for which no specific instructions exist, i.e. when it is placed in 'ask' mode.
I never adopt rules from external sources. Here is an example of why:
quote:
allow ICMP Type 0 incoming # And receive the replies
In theory this is harmless because you can get a ping in reply only when you ping first. In practice, a ping reply can be spoofed and a wholesale rule as the above would allow spoofed pings in from any and all sources. Hardly a worthwhile objective for any firewall.
Kpf 2.1.5 allows one to write rules on the fly, i.e. by clicking 'make an appropriate rule' followed by 'customize rule' and then sellecting the remote IP address and port number. Unfortunately, SPFPro does not allow this. As a result the process of writing advanced rules becomes more cumbersome.
The way I suggest is as follows: Write two advanced rules first. The first blocking all ICMP traffic. The second blocking all traffic. All other advanced rules you write subsequently will be placed in between these two rules.
With these two rules in place connect to the internet (and attempt to visit some website if you start with a blank home page). Of course no connection will be made. Next disconnect from the internet, go to the traffic log and identify the blocked outgoing connection. In all probability, it will be UDP traffic to your ISP's primary DNS server. Write an advanced rule allowing this traffic (UDP) to the IP address shown, in the direction shown (outgoing - later you will have to modify this to 'both ways' but let us get to it when the firewall itself tips you) and for the application /service shown. Place this rule above the 'deny all' rule, i.e., the second of the two rules you created initially.
Next connect to the internet again. Now the traffic that was earlier blocked (UDP to your ISP's primary DNS server) will go through but something else (UDP traffic from your ISP's primary DNS server) will be blocked. Write a new advanced rule (or better edit the previous rule to allow 'two-way' traffic) to allow this traffic and place it above the 'deny all' rule. Continuing in this manner, you will eventually complete your ruleset that allows you to visit the websites you normally visit and nothing else.
There are a lot of ramifications to this basic procedure. For example, a lot of sites you normally connect to employ not a single IP address but a range of IP addresses. You can use the excellent free utility Whois View (http://www.whoisview.com/products/w...view_online.php)
to discover the relevant IP address range from the single IP address you see in your traffic log and modify your advanced rule accordingly. Eventually you will find it convenient to untick your 'deny all' rule at the end of your ruleset. For the moment though let it stay in effect to cut off all extraneous traffic.
If you carry this out to the end, you will construct your own ruleset applicable to you and your needs and guaranteeing more security than the wholesale settings most users rely on, in my opinion at least.
Arks
Svelto!Inizia a procrastinare!
probabilmente mi sono spiegato male , ma e' quello che ho fatto :Originariamente inviato da Arks
vici_1, bene se sei riuscito e ti va bene risultando stealth.
non e' esattamente come intendevo,dato che -secondo il metodo dell'americano che ti accludo (mi ha risposto sul forum di Sygate tempo fa)- l'idea e' di
1-impedire tutto con regola restrittiva
2-vedere IP o range (per il range usare WhoIS)
3-collocare questo IP/e/o range sopra la regola di blocco totale
continuare per gli altri in questa maniera.
la regola 2 blocca tutto sullo porta 80 perche' le altre porte mi servono p.e. aggiornare l'antivirus.
la regola 1 posta prima della 2 , abilita per un dato ip l'utilizzo della porto 80 in remoto.
la regola 3 che sta dopo la 1 e la 2 serve per abilitare un browser ad "uscire" , in questo caso IE.
l'accesso ai siti e' protetto dalla regola 2 che appunto sta prima della 3.Originariamente inviato da Arks
Dare il permit/allow a IE mi pare in contrasto con la tua idea,perche' darebbe un permesso generale, ma forse ho capito male io,in questo caso ridimmelo.
Grazie.Originariamente inviato da Arks
Kerio 2.1.5 e' ottimo per quello che fai,ma anche Sygate potrebbe.
Comunque io p.es. saro' sempre grato a 2.1.5 perche' attraverso questo firewal ho appreso cosa significhi fare Advanced Rules.
metodo:
I have also used kpf 2.1.5 before and am still using it in a Win98 partition. In fact, I have learned how to write advanced rules using kpf at first.
What I have learned in the case of kpf can be easily applied to SPFPro with minor modifications. However, let me say that my approach is to write rules that apply strictly to specific IP addresses (ranges of IP addresses in most cases), protocols, port numbers, traffic direction, and applications or services. Each rule is suggested by the firewall itself each time it asks you whether it may or may not go to a site for which no specific instructions exist, i.e. when it is placed in 'ask' mode.
I never adopt rules from external sources. Here is an example of why:
quote:
allow ICMP Type 0 incoming # And receive the replies
In theory this is harmless because you can get a ping in reply only when you ping first. In practice, a ping reply can be spoofed and a wholesale rule as the above would allow spoofed pings in from any and all sources. Hardly a worthwhile objective for any firewall.
Kpf 2.1.5 allows one to write rules on the fly, i.e. by clicking 'make an appropriate rule' followed by 'customize rule' and then sellecting the remote IP address and port number. Unfortunately, SPFPro does not allow this. As a result the process of writing advanced rules becomes more cumbersome.
The way I suggest is as follows: Write two advanced rules first. The first blocking all ICMP traffic. The second blocking all traffic. All other advanced rules you write subsequently will be placed in between these two rules.
With these two rules in place connect to the internet (and attempt to visit some website if you start with a blank home page). Of course no connection will be made. Next disconnect from the internet, go to the traffic log and identify the blocked outgoing connection. In all probability, it will be UDP traffic to your ISP's primary DNS server. Write an advanced rule allowing this traffic (UDP) to the IP address shown, in the direction shown (outgoing - later you will have to modify this to 'both ways' but let us get to it when the firewall itself tips you) and for the application /service shown. Place this rule above the 'deny all' rule, i.e., the second of the two rules you created initially.
Next connect to the internet again. Now the traffic that was earlier blocked (UDP to your ISP's primary DNS server) will go through but something else (UDP traffic from your ISP's primary DNS server) will be blocked. Write a new advanced rule (or better edit the previous rule to allow 'two-way' traffic) to allow this traffic and place it above the 'deny all' rule. Continuing in this manner, you will eventually complete your ruleset that allows you to visit the websites you normally visit and nothing else.
There are a lot of ramifications to this basic procedure. For example, a lot of sites you normally connect to employ not a single IP address but a range of IP addresses. You can use the excellent free utility Whois View (http://www.whoisview.com/products/w...view_online.php)
to discover the relevant IP address range from the single IP address you see in your traffic log and modify your advanced rule accordingly. Eventually you will find it convenient to untick your 'deny all' rule at the end of your ruleset. For the moment though let it stay in effect to cut off all extraneous traffic.
If you carry this out to the end, you will construct your own ruleset applicable to you and your needs and guaranteeing more security than the wholesale settings most users rely on, in my opinion at least.
Me lo studio con calma... ho qualche difficolta' di compresione.
Permessi di invio
Rispondi quotando