现网站和外挂经常带和攻击,本来用ros做网吧路由器顶不住ddos,只能换FB6.2+pf,前几天用FB6.1+PF,人多时出watchdog timeout,老大说用FB6.2可能不会出了,那就装起测测看,下面是步骤,操作一个写一个,
cd /usr/src/sys/i386/conf
cp GERENIC PFOK
ee FFOK
修改并加入下面东东
复制内容到剪贴板代码:
ident PFOK
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
options PANIC_REBOOT_WAIT_TIME=0
options DEVICE_POLLING
options HZ=2000
options IPSTEALTH
# options RANDOM_IP_ID
options TCP_DROP_SYNFIN
config PFOK
cd /usr/src/sys/i386/compile/PFOK
make depend
make
make install
reboot
ee /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
#net.inet.udp.sendspace=65535
net.inet.udp.maxdgram=65535
net.local.stream.sendspace=65535
net.inet.tcp.rfc1323=1
#net.inet.tcp.rfc1644=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
kern.ipc.maxsockbuf=2097152
kern.maxfiles=65536
kern.maxfilesperproc=32768
kern.polling.enable=1
kern.polling.burst_max=500
kern.ipc.somaxconn=2048
kern.ipc.nmbclusters=32768
net.inet.tcp.delayed_ack=0
net.inet.icmp.icmplim=100
net.inet.icmp.icmplim_output=0
net.inet.tcp.drop_synfin=1
ee /boot/loader.conf
autobootdelay="2"
ee /etc/rc.conf
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
clear_tmp_enable="YES"
update_motd="NO"
tcp_drop_synfin="YES"
#icmp_drop_redirect="YES"
#icmp_log_redirect="YES"
#log_in_vain="YES"
#accounting_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
#pflog_enable="YES"
#pflog_logfile="/var/log/pflog"
这里我就加了句pf_enable="YES"
uname -a
pf.com 6.2-RC1 FreeBSD 6.2-RC1 #0: Thu Nov 23 04:20:46 CST 2006:/usr/src/sys/i386/compile/PFOK i386
我的pf.conf
#pfctl -e -F all -f /etc/pf.conf
#只重新load过滤规则
#pfctl -F rules -Rf /etc/pf.conf
#pfctl -f /etc/pf.conf # 重新加载pf.conf 设定档
#pfctl -nf /etc/pf.conf # 确认有无符合,但不载入
#pfctl -Nf /etc/pf.conf # 只加载 NAT 的设定档
#pfctl -Rf /etc/pf.conf # 只加载防火墙的过滤设定档
#pfctl -sn # 显示现阶段 NAT 的规则
#pfctl -sr # 显示现阶段过滤的规则
#pfctl -ss # 显示现阶段封包运作状态
#pfctl -si # 显示现阶段过滤封包的统计资料
#pfctl -sa # 显示现阶段所有统计的数据
复制内容到剪贴板代码:
ext_if="rl0"
#edu_if=""
int_if="fxp0"
ext_addr="192.168.1.51"
int_net="172.16.0.0/16"
ext_net = "192.168.0.0/16"
loop = "{lo0, 127.0.0.1}"
OpenPorts = "{21, 22, 80, 88, 4899}"
InsideManagerIPs = "{172.16.0.100}"
InsiteManagerOpenPorts = "{21, 22, 23, 24, 25, 80, 4899}"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12}" # 定义符合 RFC 1918 私有IP 部份
tcp_services = "{ 22, 88, 4899, 123 }" # 定义对外服务的端口
icmp_types = "echoreq" # 定义icmp类型
## down inactive connection quickly
set optimization aggressive
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
nat on $ext_if from $int_net to any -> ($ext_if)
#nat on $ext_if from $int_net to $ext_net -> ($ext_if)
#web server map
#rdr pass on $ext_if proto tcp from any to $ext_if port {www,3389,4899,7745} -> $web_server
#----------------------------以下防DOS攻击--------------------------------
#每个IP最大可以有120个非并发的连接(为局域网用户访问本站考虑)
#每个IP最大连接建立的速率小于每秒8个
#单个IP的最大持续连接数 30
#违反以上规则,把这个ip添加到
表中
table persist #维持一个持续的表
block in quick from #阻止表中的ip
pass in on $int_if inet proto tcp from any to $int_if flags S/SA keep state \
(source-track rule,max-src-conn 100, max-src-conn-rate 15/3,max-src-states 30,overload flush, src.track 1)
LSassVirusPort = "{445, 135, 139, 593, 512, 5554, 9996, 9995}"
block quick on $int_if inet proto tcp from any to any port $LSassVirusPort
BitTorrentPort= "{ 512, 2049, 4662, 6880, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889, \
6890, 8880, 8881, 8882, 8883, 8884, 8885, 8886, 8887, 8888, 8889, 8890, 6969, 10700, 21881}"
block quick on $int_if inet proto tcp from any to any port $BitTorrentPort
block quick on $int_if inet proto tcp from any port $BitTorrentPort to any
block quick on $ext_if inet proto tcp from any to any port $BitTorrentPort
block quick on $ext_if inet proto tcp from any port $BitTorrentPort to any
#gameClientPorts = "{4002, 2000, 3838, 4410, 4210, 4230, 5005, 4290, 10010 }"
#GameDenyClients ="{192.168.128.0/24, 192.168.132.0/24}"
#GameServerIps = "{204.251.15.167, 61.152.93.145}"
#block quick on $int_if inet proto tcp from $GameDenyClients to any port $gameClientPorts
#block quick on $ext_if from $GameServerIps to $GameDenyClients
#block quick on $int_if from $GameDenyClients to $GameServerIps
denyserverips = "{202.108.193.21}"
block quick on $int_if from any to $denyserverips
#LSassVirusIp ="{192.168.1.194}"
#block quick on $int_if from $LSassVirusIp to any