
FreeBSD ipfw Firewall Basics Guide

Wangchao system · author anonymous  2006-01-09

1. Kernel Configuration

/usr/src/sys/i386/conf/HQ_SuperServer

Code:

options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT # IPDIVERT enables the divert IP sockets, used by ''ipfw divert''
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=30
#options IPFILTER #ipfilter support
#options IPFILTER_LOG #ipfilter logging
# traffic shaper, bandwidth manager and delay emulator
options DUMMYNET # enables the "dummynet" bandwidth limiter. You need IPFIREWALL as well.
# Statically link in accept filters for a web server on this box
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options ICMP_BANDLIM # D.O.S. protection
options IPSTEALTH # hide the firewall from traceroute
options TCP_DROP_SYNFIN # hide from nmap OS fingerprinting; remove if this box will be a web server

2. rc.conf Configuration

/etc/rc.conf

Code:

firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/rc.firewall"
firewall_quiet="NO" # change to YES once happy with the rules
firewall_logging_enable="YES"
# extra firewalling options
log_in_vain="YES"
# This option prevents OS fingerprinting; TCP_DROP_SYNFIN must be compiled into the kernel to use it
tcp_drop_synfin="NO" # set to NO if this box will be a web server
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"

3. Using ipfw

Code (general form of a rule; placeholders in angle brackets):

ipfw add allow tcp from <source> to <destination> in recv <interface>

Example of adding and removing rules:

Code:

$ sudo ipfw add deny tcp from 61.49.203.115 to 61.49.203.114 22 in recv fxp0
$ sudo ipfw -t list
$ sudo ipfw delete 00100

Block ICMP:

Code:

$ sudo ipfw add deny icmp from any to any in recv fxp0

Show the rules:

Code:

$ sudo ipfw show

List the rules by number (with -t, the time each rule last matched is shown as well):

Code:

$ sudo ipfw -t list

List the packet counters for each rule, i.e. how many packets each rule has matched:

Code:

$ sudo ipfw -a list

4. The /etc/ipfw.rules rules file

Code:

# In a rules file the rule number follows "add" and the action comes after it.
# $iif (an interface name) must be expanded before ipfw reads the file, e.g. by
# running it through a preprocessor with ipfw -p, or by loading from a shell script.
# DHCP (UDP 67/68):
add 00010 allow udp from any to me 67 in via $iif
add 00020 allow udp from me 68 to any out via $iif

5. The /etc/rc.firewall script

Code:

# mv /etc/rc.firewall /etc/rc.firewall.orig
# touch /etc/rc.firewall
# chmod u=+rx,og=-rwx /etc/ipfw.rules

/etc/rc.firewall

Code:

#!/bin/sh
# Flushes the existing rules (equivalent to: sudo ipfw -f flush) and reloads them.
# You can execute this script without dropping existing connections/states.
fwcmd="/sbin/ipfw -q"
extif="fxp0"
myip="10.1.8.114"
mybcast="10.1.8.119"
mynetwork="10.1.8.112/29"
dns_server="10.1.8.1"

# Reset all rules in case the script is run multiple times
${fwcmd} -f flush
${fwcmd} add 200 check-state

# Block RFC 1918 and other reserved/unallocated source ranges - the comma-separated
# list syntax only works in ipfw2. This list dates from 2006; several of these blocks
# have since been allocated, so verify it before use.
${fwcmd} add 210 deny all from 0.0.0.0/7,1.0.0.0/8,2.0.0.0/8,5.0.0.0/8,10.0.0.0/8,23.0.0.0/8,\
27.0.0.0/8,31.0.0.0/8,67.0.0.0/8,68.0.0.0/6,72.0.0.0/5,80.0.0.0/4,96.0.0.0/3,127.0.0.0/8,\
128.0.0.0/16,128.66.0.0/16,169.254.0.0/16,172.16.0.0/12,191.255.0.0/16,192.0.0.0/16,\
192.168.0.0/16,197.0.0.0/8,201.0.0.0/8,204.152.64.0/23,224.0.0.0/3,240.0.0.0/8 to any

# Allow all via loopback to loopback
${fwcmd} add 220 allow all from any to any via lo0

# Allow from me to anywhere (return traffic is admitted by check-state above)
${fwcmd} add 240 allow tcp from ${myip} to any setup keep-state
${fwcmd} add 260 allow udp from ${myip} to any keep-state
${fwcmd} add 280 allow icmp from ${myip} to any

# Allow local LAN to connect to us
${fwcmd} add 300 allow ip from ${mynetwork} to ${mynetwork}

# Allow INCOMING SSH, SMTP, HTTP from anywhere on the internet (logged)
${fwcmd} add 320 allow log tcp from any to ${myip} 22,25,80 in keep-state setup

# Allow only ICMP echo reply (0), destination unreachable (3) and time exceeded (11);
# all other ICMP falls through to the deny below
${fwcmd} add 340 allow icmp from any to any icmptype 0,3,11

# Block and log all other traffic
${fwcmd} add 360 deny log all from any to any

# End of /etc/rc.firewall

6. ipfw Logging Configuration

/etc/syslog.conf

Code:

!ipfw
*.* /var/log/ipfw.log

Code:

$ sudo touch /var/log/ipfw.log
$ sudo killall -HUP syslogd
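As an added example (not part of the original article), a small Python script that reads lines in the shape ipfw writes to the log file set up above and summarises what the deny rules caught: hits per rule number, denied packets per source, and sources whose denied traffic touched several destination ports. The log lines and the threshold are constructed for the example; the rule numbers follow the rc.firewall script in section 5.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/ipfw.log. Each kernel line carries: rule number,
# action, protocol, src[:port], dst[:port], direction and interface.
SAMPLE_LOG = """\
Jan  9 10:15:01 hq kernel: ipfw: 320 Accept TCP 198.51.100.7:51234 10.1.8.114:22 in via fxp0
Jan  9 10:15:03 hq kernel: ipfw: 360 Deny TCP 203.0.113.5:44321 10.1.8.114:23 in via fxp0
Jan  9 10:15:04 hq kernel: ipfw: 360 Deny TCP 203.0.113.5:44322 10.1.8.114:3389 in via fxp0
Jan  9 10:15:09 hq kernel: ipfw: 360 Deny UDP 203.0.113.5:5353 10.1.8.114:161 in via fxp0
Jan  9 10:15:10 hq kernel: ipfw: 360 Deny ICMP:8.0 203.0.113.9 10.1.8.114 in via fxp0
Jan  9 10:16:00 hq kernel: ipfw: 210 Deny TCP 192.168.5.5:4000 10.1.8.114:80 in via fxp0
"""

# ICMP entries carry no ports, so both port groups are optional.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec

def summarize(log_text):
    """Count hits per rule and, for denied packets, hits per source plus the set of
    destination ports each denied source tried."""
    by_rule, deny_by_src, deny_ports = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_rule[rec["rule"]] += 1
        if rec["action"] == "Deny":
            deny_by_src[rec["src"]] += 1
            if rec["dport"] is not None:
                deny_ports[rec["src"]].add(int(rec["dport"]))
    return {"by_rule": by_rule, "deny_by_src": deny_by_src, "deny_ports": deny_ports}

def flag_port_sweeps(summary, min_ports=3):
    """Sources whose denied traffic hit at least min_ports distinct destination ports."""
    return sorted(s for s, p in summary["deny_ports"].items() if len(p) >= min_ports)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("hits per rule:", dict(s["by_rule"]))
    print("denies per source:", dict(s["deny_by_src"]))
    print("port-sweep sources:", flag_port_sweeps(s))
```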
