Chinaunix首页 | 论坛 | 博客
  • 博客访问: 507102
  • 博文数量: 62
  • 博客积分: 2566
  • 博客等级: 少校
  • 技术积分: 520
  • 用 户 组: 普通用户
  • 注册时间: 2006-02-10 12:52
文章分类

全部博文(62)

文章存档

2008年(2)

2007年(22)

2006年(38)

我的朋友

分类: BSD

2007-08-11 17:06:20

现网站和外挂经常带arp和ddos攻击,本来用ros做网吧路由器顶不住ddos,只能换FB6.2+pf,前几天用FB6.1+PF,人多时出watchdog timeout,老大说用FB6.2可能不会出了,那就装起测测看,下面是安装步骤,操作一个写一个,

cd /usr/src/sys/i386/conf
cp GERENIC PFOK
ee FFOK

修改并加入下面东东

ident PFOK
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
options PANIC_REBOOT_WAIT_TIME=0
options DEVICE_POLLING
options HZ=2000
options IPSTEALTH
# options RANDOM_IP_ID
options TCP_DROP_SYNFIN

config PFOK
cd /usr/src/sys/i386/compile/PFOK
make depend
make
make install
reboot

ee /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
#net.inet.udp.sendspace=65535
net.inet.udp.maxdgram=65535
net.local.stream.sendspace=65535
net.inet.tcp.rfc1323=1
#net.inet.tcp.rfc1644=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
kern.ipc.maxsockbuf=2097152
kern.maxfiles=65536
kern.maxfilesperproc=32768
kern.polling.enable=1
kern.polling.burst_max=500
kern.ipc.somaxconn=2048
kern.ipc.nmbclusters=32768
net.inet.tcp.delayed_ack=0
net.inet.icmp.icmplim=100
net.inet.icmp.icmplim_output=0
net.inet.tcp.drop_synfin=1

ee /boot/loader.conf
autobootdelay="2"

ee /etc/rc.conf
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
clear_tmp_enable="YES"
update_motd="NO"
tcp_drop_synfin="YES"
#icmp_drop_redirect="YES"
#icmp_log_redirect="YES"
#log_in_vain="YES"
#accounting_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
#pflog_enable="YES"
#pflog_logfile="/var/log/pflog"

这里我就加了句pf_enable="YES"

uname -a
FreeBSD pf.com 6.2-RC1 FreeBSD 6.2-RC1 #0: Thu Nov 23 04:20:46 CST 2006 :/usr/src/sys/i386/compile/PFOK i386


我的pf.conf

#pfctl -e -F all -f /etc/pf.conf

#只重新load过滤规则
#pfctl -F rules -Rf /etc/pf.conf

#pfctl -f /etc/pf.conf # 重新加载pf.conf 设定档
#pfctl -nf /etc/pf.conf # 确认语法有无符合,但不载入
#pfctl -Nf /etc/pf.conf # 只加载 NAT 的设定档
#pfctl -Rf /etc/pf.conf # 只加载防火墙的过滤设定档

#pfctl -sn # 显示现阶段 NAT 的规则
#pfctl -sr # 显示现阶段过滤的规则
#pfctl -ss # 显示现阶段封包运作状态
#pfctl -si # 显示现阶段过滤封包的统计资料
#pfctl -sa # 显示现阶段所有统计的数据

ext_if="rl0"
#edu_if=""
int_if="fxp0"

ext_addr="192.168.1.51"

int_net="172.16.0.0/16"
ext_net = "192.168.0.0/16"
loop = "{lo0, 127.0.0.1}"
OpenPorts = "{21, 22, 80, 88, 4899}"
InsideManagerIPs = "{172.16.0.100}"
InsiteManagerOpenPorts = "{21, 22, 23, 24, 25, 80, 4899}"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12}" # 定義符合 RFC 1918 私有IP 部份
tcp_services = "{ 22, 88, 4899, 123 }" # 定義 port 22, 113 服務
icmp_types = "echoreq" # 定義 tcmp 回應狀態


## down inactive connection quickly
set optimization aggressive

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

nat on $ext_if from $int_net to any -> ($ext_if)
#nat on $ext_if from $int_net to $ext_net -> ($ext_if)

#web server map
#rdr pass on $ext_if proto tcp from any to $ext_if port {www,3389,4899,7745} -> $web_server


#----------------------------以下防DOS攻击--------------------------------
#每个IP最大可以有120个非并发的连接(为局域网用户访问本站考虑)
#每个IP最大连接建立的速率小于每秒8个
#单个IP的最大持续连接数 30
#违反以上规则,把这个ip添加到表中
table persist #维持一个持续的表
block in quick from #阻止表中的ip
pass in on $int_if inet proto tcp from any to $int_if flags S/SA keep state \
(source-track rule,max-src-conn 100, max-src-conn-rate 15/3,max-src-states 30,overload flush, src.track 1)

LSassVirusPort = "{445, 135, 139, 593, 512, 5554, 9996, 9995}"
block quick on $int_if inet proto tcp from any to any port $LSassVirusPort

BitTorrentPort= "{ 512, 2049, 4662, 6880, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889, \
6890, 8880, 8881, 8882, 8883, 8884, 8885, 8886, 8887, 8888, 8889, 8890, 6969, 10700, 21881}"
block quick on $int_if inet proto tcp from any to any port $BitTorrentPort
block quick on $int_if inet proto tcp from any port $BitTorrentPort to any
block quick on $ext_if inet proto tcp from any to any port $BitTorrentPort
block quick on $ext_if inet proto tcp from any port $BitTorrentPort to any

#gameClientPorts = "{4002, 2000, 3838, 4410, 4210, 4230, 5005, 4290, 10010 }"
#GameDenyClients ="{192.168.128.0/24, 192.168.132.0/24}"
#GameServerIps = "{204.251.15.167, 61.152.93.145}"
#block quick on $int_if inet proto tcp from $GameDenyClients to any port $gameClientPorts
#block quick on $ext_if from $GameServerIps to $GameDenyClients
#block quick on $int_if from $GameDenyClients to $GameServerIps

denyserverips = "{202.108.193.21}"
block quick on $int_if from any to $denyserverips

#LSassVirusIp ="{192.168.1.194}"
#block quick on $int_if from $LSassVirusIp to any

阅读(2676) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~