找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 4688|回复: 2

[BSD] [转帖]FreeBSD ipfw 防火墙基础指南

[复制链接]
发表于 2005-4-26 18:30:54 | 显示全部楼层 |阅读模式

马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。

您需要 登录 才可以下载或查看,没有账号?注册

×
一、内核配置 /usr/src/sys/i386/conf/HQ_SuperServer 代码: options      IPFIREWALL options      IPFIREWALL_DEFAULT_TO_ACCEPT options      IPDIVERT         #  IPDIVERT enables the divert IP sockets, used by ''ipfw divert'' options      IPFIREWALL_VERBOSE options      IPFIREWALL_VERBOSE_LIMIT=30 #options   IPFILTER         #ipfilter support #options   IPFILTER_LOG      #ipfilter logging # traffic shaper, bandwidth manager and delay emulator options      DUMMYNET         # enables the "dummynet" bandwidth limiter. You need IPFIREWALL as well. # Statically Link in accept filters for a web server on this box options      ACCEPT_FILTER_DATA options      ACCEPT_FILTER_HTTP options    ICMP_BANDLIM      # D.O.S. protection options      IPSTEALTH         #To hide firewall from traceroute options      TCP_DROP_SYNFIN      #To hide from nmap OS fingerprint, remove if create web server 二、rc.conf配置 /etc/rc.conf 代码: firewall_enable="YES" firewall_logging="YES" firewall_script="/etc/rc.firewall" firewall_quiet="NO"                             #change to YES once happy with rules firewall_logging_enable="YES" #extra firewalling options log_in_vain="YES" #This option prevents something known as OS fingerprinting, must have TCP_DROP_SYNFIN compiled into kernel to use tcp_drop_synfin="NO"   #change to NO if create webserver tcp_restrict_rst="YES" icmp_drop_redirect="YES" 三、ipfw使用 代码: ipfw add allow tcp from   to   in recv   添加和除去规则例子: 代码: $ sudo ipfw add deny tcp from 61.49.203.115 to 61.49.203.114 22 in recv fxp0 $ sudo ipfw -t list $ sudo ipfw delete 00100 禁止icmp 代码: $ sudo ipfw add deny icmp from any to any in recv fxp0 显示rules 代码: $ sudo ipfw show 按照序号显示规则 代码: $ sudo ipfw -t list 列出信息包的数目,和与它们相对应的规则匹配 代码: $ sudo ipfw -a list 四、/etc/ipfw.rules规则文件 代码: allow 00010 udp from any to me 67 in via $iif allow 00020 udp from me 68 to any out via $iif 五、/etc/rc.firewall脚本 代码: # mv /etc/rc.firewall /etc/rc.firewall.orig # touch /etc/rc.firewall # chmod u=+rx,og=-rwx /etc/ipfw.rules /etc/rc.firewall 代码: #!/bin/sh # This will flush the existing rules - sudo ipfw -f flush # You can execute this script without dropping existing connections/states fwcmd="/sbin/ipfw -q" extif="fxp0" myip="10.1.8.114" mybcast="10.1.8.119" mynetwork="10.1.8.112/29" dns_server="10.1.8.1" # Reset all rules in case script run multiple times ${fwcmd} -f flush ${fwcmd} add 200 check-state # Block RFC 1918 networks - the , syntax only works in ipfw2 ${fwcmd} add 210 deny all from 0.0.0.0/7,1.0.0.0/8,2.0.0.0/8,5.0.0.0/8,10.0.0.0/8,23.0.0.0/8,\ 27.0.0.0/8,31.0.0.0/8,67.0.0.0/8,68.0.0.0/6,72.0.0.0/5,80.0.0.0/4,96.0.0.0/3,127.0.0.0/8,\ 128.0.0.0/16,128.66.0.0/16,169.254.0.0/16,172.16.0.0/12,191.255.0.0/16,192.0.0.0/16,\ 192.168.0.0/16,197.0.0.0/8,201.0.0.0/8,204.152.64.0/23,224.0.0.0/3,240.0.0.0/8 to any # Allow all via loopback to loopback ${fwcmd} add 220 allow all from any to any via lo0 # Allow from me to anywhere ${fwcmd} add 240 allow tcp from ${myip} to any setup keep-state ${fwcmd} add 260 allow udp from ${myip} to any keep-state ${fwcmd} add 280 allow icmp from ${myip} to any # Allow local LAN to connect to us ${fwcmd} add 300 allow ip from ${mynetwork} to ${mynetwork} # Allow INCOMING SSH,SMTP,HTTP from anywhere on the internet ${fwcmd} add 320 allow log tcp from any to ${myip} 22,25,80 in keep-state setup # Disable icmp ${fwcmd} add 340 allow icmp from any to any icmptype 0,3,11 # Block all other traffic and log in ${fwcmd} add 360 deny log all from any to any # End of /etc/rc.firewall 六、 ipfw日志纪录配置 /etc/syslog.conf 代码: !ipfw        *.*                                        /var/log/ipfw.log 代码: $ sudo touch /var/log/ipfw.log $ sudo killall -HUP syslogd
routeros
发表于 2005-4-26 21:46:05 | 显示全部楼层
ipfw的东西,呵呵,用过的都知道,过时了。
routeros
回复

使用道具 举报

发表于 2005-5-8 17:09:29 | 显示全部楼层
还有不少人在用着的.嘿嘿.
routeros
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|Archiver|手机版|小黑屋|软路由 ( 渝ICP备15001194号-1|渝公网安备 50011602500124号 )

GMT+8, 2024-11-24 04:46 , Processed in 0.042898 second(s), 4 queries , Gzip On, Redis On.

Powered by Discuz! X3.5 Licensed

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表