FreeBSD + Gateway + Firewall (IPFilter) Configuration
I recently set up a FreeBSD 6.0 gateway (with a firewall). The configuration files are posted below.
Two NICs, rl0 and rl1: rl0 is used for the ADSL dial-up connection (userland ppp, which shows up as tun0 in the rules below); rl1 is the internal network interface, address 192.168.1.1.
[linyin@linyin ~]$ more /etc/rc.conf
# -- sysinstall generated deltas -- # Wed May 3 01:52:57 2006
# Created: Wed May 3 01:52:57 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
# -- sysinstall generated deltas -- # Wed May 3 09:56:21 2006

# Hostname
ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
# Note: this is the gateway's own LAN address, not a usable next hop; the real
# default route is installed by ppp when the ADSL link comes up.
defaultrouter="192.168.1.1"
hostname="linyin.8800.org"

# Service
sshd_enable="YES"
apache_enable="YES"
gateway_enable="YES"
inetd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# Note: rc.conf is sourced by every rc.d script, so commands placed here run
# repeatedly; these two belong in /etc/rc.local or their own rc.d scripts.
/usr/local/bin/ez-ipupdate -c /root/dns.conf
/usr/local/nessus/sbin/nessusd -D

# ADSL
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="linyin"

# Security
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.conf"
[linyin@linyin ~]$ more /etc/ipf.conf
# Default deny. In IPFilter the last matching rule wins unless a matching rule
# says "quick", so these two are overridden by the more specific rules below.
block in all
block out all

# Drop ICMP and malformed / option-bearing packets arriving on the ADSL link
block in log quick on tun0 proto icmp from any to any
block in log quick all with short
block in log quick all with ipopts
block in log quick all with frag
block in log quick all with opt lsrr
block in log quick all with opt ssrr

# Loopback and the LAN side are unrestricted
pass out quick on lo0
pass in quick on lo0
pass out quick on rl1
pass in quick on rl1

# Anti-spoofing: private and reserved source addresses must not arrive from the Internet
block in log body quick on tun0 from 192.168.0.0/16 to any
block in log body quick on tun0 from 172.16.0.0/12 to any
block in log body quick on tun0 from 10.0.0.0/8 to any
block in log body quick on tun0 from 192.0.2.0/24 to any
block in log body quick on tun0 from 0.0.0.0/8 to any
block in log body quick on tun0 from 127.0.0.0/8 to any
block in log body quick on tun0 from 169.254.0.0/16 to any
block in log body quick on tun0 from 224.0.0.0/3 to any
block in log body quick on tun0 from 204.152.64.0/23 to any

# ...and must not leak out to the Internet either
block out log body quick on tun0 from any to 192.168.0.0/16
block out log body quick on tun0 from any to 172.16.0.0/12
block out log body quick on tun0 from any to 10.0.0.0/8
block out log body quick on tun0 from any to 127.0.0.0/8
block out log body quick on tun0 from any to 0.0.0.0/8
block out log body quick on tun0 from any to 169.254.0.0/16
block out log body quick on tun0 from any to 192.0.2.0/24
block out log body quick on tun0 from any to 204.152.64.0/23
block out log body quick on tun0 from any to 224.0.0.0/3

# Services reachable from the Internet: FTP (20/21), SSH (22), HTTP (80),
# nessusd (1241); 3389 and 8080 are redirected to LAN hosts by ipnat.conf.
# Only the initial SYN is matched; replies ride on the state entry.
pass in on tun0 proto tcp from any to any port = 20 flags S keep state
pass in on tun0 proto tcp from any to any port = 21 flags S keep state
pass in on tun0 proto tcp from any to any port = 22 flags S keep state
pass in on tun0 proto tcp from any to any port = 80 flags S keep state
pass in on tun0 proto tcp from any to any port = 1241 flags S keep state
pass in on tun0 proto tcp from any to any port = 3389 flags S keep state
pass in on tun0 proto tcp from any to any port = 8080 flags S keep state

# Stateful outbound traffic from the gateway and the (NATed) LAN
pass out quick on tun0 proto tcp from any to any flags S/SAFR keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags
pass out quick on tun0 proto icmp from any to any keep state keep frags
[linyin@linyin ~]$ more /etc/ipnat.conf
# FTP proxy so active-mode FTP from LAN clients works through NAT
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
# Masquerade the LAN behind the dynamic ADSL address (0/32 = the interface's current address)
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map tun0 192.168.1.0/24 -> 0/32
# Port forwards from the Internet to LAN hosts (matched by the port 3389/8080 rules in ipf.conf)
rdr tun0 0/0 port 3389 -> 192.168.1.5 port 3389 tcp
rdr tun0 0/0 port 8080 -> 192.168.1.10 port 8080 tcp
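The ruleset above relies on IPFilter's evaluation order: every rule is examined, the last matching rule decides, and a matching "quick" rule stops evaluation at once. The toy evaluator below (an added example, not part of the original post) implements that for the subset of ipf.conf syntax used here and runs an excerpt of the post's rules against constructed packets; "flags", "keep state" and logging are ignored, and the "pkt" helper and packet dicts are this example's own. Note that ipnat's rdr rewrites the destination before the filter sees an inbound packet, so the "to any" in the port 3389 rule matches either way.

```python
"""Added example: a toy evaluator for the ipf.conf excerpt below, showing IPFilter's
rule semantics: the LAST matching rule wins unless a matching rule is 'quick'."""
import ipaddress

RULESET = """
block in all
block out all
block in log quick on tun0 proto icmp from any to any
block in log quick all with opt lsrr
pass in quick on rl1
block in log body quick on tun0 from 10.0.0.0/8 to any
pass in on tun0 proto tcp from any to any port = 3389 flags S keep state
pass out quick on tun0 proto tcp from any to any flags S/SAFR keep state keep frags
"""  # order preserved from the post; 'flags', 'keep state' and 'log' are ignored here

def parse_rule(line):
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": "any", "dst": "any", "port": None, "with": None}
    for i, w in enumerate(t):
        if w == "on": r["iface"] = t[i + 1]
        elif w == "proto": r["proto"] = t[i + 1]
        elif w == "from": r["src"] = t[i + 1]
        elif w == "to": r["dst"] = t[i + 1]
        elif w == "port": r["port"] = int(t[i + 2])  # 'port = N'
        elif w == "with": r["with"] = t[i + 2] if t[i + 1] == "opt" else t[i + 1]
    return r

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and r["port"] in (None, p.get("dport"))
            and (r["with"] is None or r["with"] in p.get("attrs", ())))

def decide(p, ruleset=RULESET):
    # ipf PASSES unmatched packets unless built with IPFILTER_DEFAULT_BLOCK; hence 'block in all'
    verdict = "pass"
    for r in (parse_rule(l) for l in ruleset.strip().splitlines()):
        if matches(r, p):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

def pkt(direction, iface, proto, src, dst, dport=None, attrs=()):
    # constructed packet summary: direction, interface, protocol, addresses, dst port, IP options
    return {"dir": direction, "iface": iface, "proto": proto, "src": src,
            "dst": dst, "dport": dport, "attrs": set(attrs)}
```

Running it shows why rule order matters: a SYN to 3389 from a public address passes (the non-quick pass rule overrides "block in all"), while the same SYN from 10.1.2.3 is stopped by the quick anti-spoofing rule before the pass rule is ever reached.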