Chinaunix首页 | 论坛 | 博客
  • 博客访问: 938741
  • 博文数量: 102
  • 博客积分: 8134
  • 博客等级: 中将
  • 技术积分: 1072
  • 用 户 组: 普通用户
  • 注册时间: 2007-11-21 15:30
文章分类

全部博文(102)

文章存档

2019年(1)

2018年(1)

2014年(1)

2013年(2)

2012年(1)

2011年(2)

2010年(5)

2009年(9)

2008年(10)

2007年(70)

分类: BSD

2007-11-21 17:28:09

本文告诉你如何快速上手FreeBSD的IPFW防火墙
--------------------------------------------------------------------------------一、内核配置
/usr/src/sys/i386/conf/HQ_SuperServer 代码:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT # IPDIVERT enables the divert IP sockets, used by ''ipfw divert''
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=30 #options IPFILTER #ipfilter support
#options IPFILTER_LOG #ipfilter logging # traffic shaper, bandwidth manager and delay emulator
options DUMMYNET # enables the "dummynet" bandwidth limiter. You need IPFIREWALL as well.
# Statically Link in accept filters for a web server on this box
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options ICMP_BANDLIM # D.O.S. protection
options IPSTEALTH #To hide firewall from traceroute
options TCP_DROP_SYNFIN #To hide from nmap OS fingerprint, remove if create web server
二、rc.conf配置
/etc/rc.conf 代码:
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/rc.firewall"
firewall_quiet="NO" #change to YES once happy with rules
firewall_logging_enable="YES" #extra firewalling options
log_in_vain="YES"
#This option prevents something known as OS fingerprinting, must have TCP_DROP_SYNFIN compiled into kernel to use
tcp_drop_synfin="NO" #change to NO if create webserver
tcp_restrict_rst="YES"
icmp_drop_redirect="YES" 三、ipfw使用 代码:
ipfw add allow tcp from to in recv
添加和除去规则例子:
代码:
$ sudo ipfw add deny tcp from 61.49.203.115 to 61.49.203.114 22 in recv fxp0
$ sudo ipfw -t list
$ sudo ipfw delete 00100
禁止icmp
代码:
$ sudo ipfw add deny icmp from any to any in recv fxp0
显示rules
代码:
$ sudo ipfw show
按照序号显示规则
代码:
$ sudo ipfw -t list
列出信息包的数目,和与它们相对应的规则匹配
代码:
$ sudo ipfw -a list 四、/etc/ipfw.rules规则文件
代码:
allow 00010 udp from any to me 67 in via $iif
allow 00020 udp from me 68 to any out via $iif
五、/etc/rc.firewall脚本 代码:
# mv /etc/rc.firewall /etc/rc.firewall.orig
# touch /etc/rc.firewall
# chmod u=+rx,og=-rwx /etc/ipfw.rules
/etc/rc.firewall 代码:
#!/bin/sh # This will flush the existing rules - sudo ipfw -f flush
# You can execute this script without dropping existing connections/states fwcmd="/sbin/ipfw -q"
extif="fxp0"
myip="10.1.8.114"
mybcast="10.1.8.119"
mynetwork="10.1.8.112/29"
dns_server="10.1.8.1" # Reset all rules in case script run multiple times
${fwcmd} -f flush ${fwcmd} add 200 check-state # Block RFC 1918 networks - the , syntax only works in ipfw2
${fwcmd} add 210 deny all from 0.0.0.0/7,1.0.0.0/8,2.0.0.0/8,5.0.0.0/8,10.0.0.0/8,23.0.0.0/8,\
27.0.0.0/8,31.0.0.0/8,67.0.0.0/8,68.0.0.0/6,72.0.0.0/5,80.0.0.0/4,96.0.0.0/3,127.0.0.0/8,\
128.0.0.0/16,128.66.0.0/16,169.254.0.0/16,172.16.0.0/12,191.255.0.0/16,192.0.0.0/16,\
192.168.0.0/16,197.0.0.0/8,201.0.0.0/8,204.152.64.0/23,224.0.0.0/3,240.0.0.0/8 to any # Allow all via loopback to loopback
${fwcmd} add 220 allow all from any to any via lo0 # Allow from me to anywhere
${fwcmd} add 240 allow tcp from ${myip} to any setup keep-state
${fwcmd} add 260 allow udp from ${myip} to any keep-state
${fwcmd} add 280 allow icmp from ${myip} to any # Allow local LAN to connect to us
${fwcmd} add 300 allow ip from ${mynetwork} to ${mynetwork} # Allow INCOMING SSH,SMTP,HTTP from anywhere on the internet
${fwcmd} add 320 allow log tcp from any to ${myip} 22,25,80 in keep-state setup # Disable icmp
${fwcmd} add 340 allow icmp from any to any icmptype 0,3,11 # Block all other traffic and log in
${fwcmd} add 360 deny log all from any to any # End of /etc/rc.firewall
六、 ipfw日志纪录配置
/etc/syslog.conf
代码:
!ipfw
*.* /var/log/ipfw.log
代码:
$ sudo touch /var/log/ipfw.log
$ sudo killall -HUP syslogd
阅读(853) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~