FreeBSD ipfw 防火墙基础指南

  •   2009-07-28/15:34
  • 本文告诉你如何快速上手FreeBSD的IPFW防火墙

    一、内核配置
    /usr/src/sys/i386/conf/HQ_SuperServer

    代码:
    options IPFIREWALL                    # ipfw packet filter
    # Fail-open: with this option the kernel's default rule (65535) is "allow"
    # instead of "deny", so any moment the ruleset is not loaded -- boot before
    # rc.firewall runs, a script error, the "flush" at the top of rc.firewall --
    # passes all traffic. Convenient while building rules over a remote session;
    # drop it (default-to-deny) once the ruleset is stable.
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT # IPDIVERT enables the divert IP sockets, used by ''ipfw divert''
    options IPFIREWALL_VERBOSE            # required for "log" rules and firewall_logging="YES" (section 2)
    # Each logging rule stops logging after 30 matches until "ipfw resetlog";
    # tunable at runtime as sysctl net.inet.ip.fw.verbose_limit.
    options IPFIREWALL_VERBOSE_LIMIT=30

    #options IPFILTER #ipfilter support
    #options IPFILTER_LOG #ipfilter logging

    # traffic shaper, bandwidth manager and delay emulator
    options DUMMYNET # enables the "dummynet" bandwidth limiter. You need IPFIREWALL as well.
    # Statically Link in accept filters for a web server on this box
    options ACCEPT_FILTER_DATA
    options ACCEPT_FILTER_HTTP
    options ICMP_BANDLIM # D.O.S. protection: rate-limits ICMP error replies (e.g. to port scans); see sysctl net.inet.icmp.icmplim
    # Enables sysctl net.inet.ip.stealth: TTL is not decremented on packets this
    # host *forwards*, so it does not show up as a hop in traceroute. Only
    # meaningful with gateway_enable="YES"; it does not hide an end host.
    options IPSTEALTH #To hide firewall from traceroute
    # Only adds the sysctl net.inet.tcp.drop_synfin; whether SYN+FIN packets are
    # actually dropped is decided at runtime by tcp_drop_synfin in rc.conf
    # (section 2). There is no need to remove this option on a web server --
    # leave the sysctl at NO there, as section 2 does.
    options TCP_DROP_SYNFIN #To hide from nmap OS fingerprint, remove if create web server




    二、rc.conf配置
    /etc/rc.conf

    代码:
    firewall_enable="YES"                # rc.d/ipfw loads the ruleset from firewall_script at boot
    firewall_logging="YES"               # sets net.inet.ip.fw.verbose=1; needs IPFIREWALL_VERBOSE in the kernel (section 1)
    firewall_script="/etc/rc.firewall"   # the script from section 5 (this is also the rc.conf default)
    firewall_quiet="NO" #change to YES once happy with rules (runs ipfw with -q, no rule echo while loading)
    # NOTE(review): firewall_logging above is the documented rc.conf(5) knob; this
    # name does not look like a documented variable -- check rc.conf(5) for your
    # release and drop the line if it is absent.
    firewall_logging_enable="YES"

    #extra firewalling options
    log_in_vain="YES"                    # log TCP/UDP packets aimed at ports with no listener (net.inet.{tcp,udp}.log_in_vain)
    #This option prevents something known as OS fingerprinting, must have TCP_DROP_SYNFIN compiled into kernel to use
    # Kept at NO here because this box serves HTTP (section 1 builds
    # ACCEPT_FILTER_HTTP, rule 320 of section 5 opens port 80) and the guide
    # treats SYN+FIN dropping as unsuitable for a web server; set YES on a
    # non-web host to drop SYN+FIN probes.
    tcp_drop_synfin="NO"
    # NOTE(review): net.inet.tcp.restrict_rst is an old knob that later releases
    # dropped -- verify it is listed in rc.conf(5) for your version, otherwise
    # this line is a no-op.
    tcp_restrict_rst="YES"
    icmp_drop_redirect="YES"             # ignore ICMP redirects (net.inet.icmp.drop_redirect) so a LAN peer cannot re-route our traffic



    三、ipfw使用

    代码:
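    # General rule form: action, protocol, source, destination, direction, interface.
    # The original line left out the source/destination and interface placeholders
    # ("from to in recv"), which is not a valid rule. Run as root (or via sudo).
    #   ipfw add <action> <proto> from <src> to <dst> [in|out] [recv|xmit|via <iface>]
    ipfw add allow tcp from SRC to DST in recv IFACE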


    添加和除去规则例子:
    代码:
    # Deny inbound SSH from one host arriving on fxp0. No rule number is given,
    # so ipfw appends the rule 100 above the highest existing one: in an empty
    # ruleset that is 00100, which the delete below assumes. With the section-5
    # ruleset loaded it would land after the final deny at 360 (and after the
    # SSH allow at 320) and never match -- give it an explicit number below 320
    # in that case, e.g. "ipfw add 310 deny ...".
    $ sudo ipfw add deny tcp from 61.49.203.115 to 61.49.203.114 22 in recv fxp0
    # List the rules (with last-match timestamps) and confirm the number assigned
    $ sudo ipfw -t list
    # Remove it again by number -- use the number the listing shows, not 00100 blindly
    $ sudo ipfw delete 00100


    禁止icmp
    代码:
    # Drop every ICMP packet arriving on fxp0. This also drops type 3
    # (destination unreachable, including "fragmentation needed", which path-MTU
    # discovery relies on) and type 11 (time exceeded). The section-5 ruleset
    # instead admits types 0,3,11 -- prefer that unless you really want none.
    $ sudo ipfw add deny icmp from any to any in recv fxp0


    显示rules
    代码:
    # Show all rules with their packet/byte counters (same output as "ipfw -a list")
    $ sudo ipfw show


    显示规则及每条规则最近一次匹配的时间（-t 选项）
    代码:
    # List rules in number order with the timestamp of each rule's last match (-t)
    $ sudo ipfw -t list


    列出每条规则匹配到的数据包数和字节数（-a 选项，与 ipfw show 等价）
    代码:
    # List rules with the packet and byte counters each has matched (-a)
    $ sudo ipfw -a list



    四、/etc/ipfw.rules规则文件
    代码:
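    # /etc/ipfw.rules -- loaded with "ipfw /etc/ipfw.rules": one rule per line
    # with the leading "ipfw" omitted. The rule number goes after "add" and
    # before the action; "allow 00010 udp ..." as originally written is a
    # syntax error. ipfw does not expand shell variables either, so replace
    # $iif with the real interface name (e.g. fxp0) or feed the file through
    # a preprocessor with "ipfw -p".
    # NOTE(review): nothing in section 2 or section 5 loads this file -- the
    # rc.firewall script there replaces it entirely. Keep one or the other.
    # Port 67 is bootps (DHCP server), 68 is bootpc (DHCP client): rule 10
    # accepts requests *to* a DHCP server on this host, rule 20 lets a client on
    # this host send. Confirm which role this box plays; a client-only host does
    # not need port 67 open.
    add 00010 allow udp from any to me 67 in via $iif
    add 00020 allow udp from me 68 to any out via $iif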


    五、/etc/rc.firewall脚本

    代码:
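    # mv /etc/rc.firewall /etc/rc.firewall.orig
    # touch /etc/rc.firewall
    # chmod 500 /etc/rc.firewall
    #
    # (The "#" above is the root prompt.) The original last step was
    # "chmod u=+rx,og=-rwx /etc/ipfw.rules": that spelling is a roundabout way
    # of writing mode 500, and the path is the section-4 file rather than the
    # script this section just created. rc.d/ipfw runs the script as root, so
    # 500 (r-x------) is enough. If you keep /etc/ipfw.rules as well, give it
    # the same mode so unprivileged users cannot read the ruleset.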


    /etc/rc.firewall

    代码:
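    #!/bin/sh
    #
    # /etc/rc.firewall -- ipfw ruleset for a single-homed host (one interface,
    # ${extif}) that offers SSH, SMTP and HTTP and may open connections to
    # anything itself. Loaded by rc.d/ipfw when firewall_enable="YES" (section 2).
    #
    # Re-running this script is NOT state-preserving: "-f flush" below removes
    # every rule, and the keep-state entries created by rules 240/260/320 go
    # away with their parent rules, so established sessions are re-evaluated
    # from scratch. Between the flush and the last "add" the kernel default rule
    # applies -- all-pass with IPFIREWALL_DEFAULT_TO_ACCEPT (section 1), all-deny
    # without it, which would cut a remote SSH session. Run it from the console.

    # Abort on an unset variable: an empty ${myip} would otherwise turn
    # "allow tcp from  to any" into a rule that fails to parse, and -q hides it.
    set -u

    fwcmd="/sbin/ipfw -q"       # expanded unquoted below on purpose: command + flag
    extif="fxp0"                # the Internet-facing interface
    myip="10.1.8.114"           # this host's address on ${extif}
    mynetwork="10.1.8.112/29"   # the directly attached LAN
    # mybcast and dns_server from the original were never referenced and are
    # dropped; DNS replies are admitted by the keep-state entry of rule 260.

    # Reset all rules in case script run multiple times
    ${fwcmd} -f flush

    # Dynamic rules first: replies to sessions opened by the keep-state rules
    # below match here, before the anti-spoof deny at 300.
    ${fwcmd} add 200 check-state

    # Allow all via loopback to loopback
    ${fwcmd} add 220 allow all from any to any via lo0

    # Allow local LAN to connect to us. Placed before the anti-spoof rule,
    # since ${mynetwork} lies inside 10.0.0.0/8. With a single interface there is
    # no way to tell a spoofed 10.x source from a real LAN host: this rule
    # trusts the address.
    ${fwcmd} add 230 allow ip from ${mynetwork} to ${mynetwork}

    # Allow from me to anywhere; keep-state creates the matching return entries.
    ${fwcmd} add 240 allow tcp from ${myip} to any setup keep-state
    ${fwcmd} add 260 allow udp from ${myip} to any keep-state
    ${fwcmd} add 280 allow icmp from ${myip} to any

    # Drop inbound packets whose source cannot legitimately arrive from the
    # Internet: 0/8, RFC 1918, CGN (RFC 6598), loopback, link-local, multicast
    # and class E. Restricted to "in via ${extif}" so the host's own 10.x
    # traffic (outbound, and LAN traffic admitted above) is not caught -- the
    # original rule 210 denied "from 10.0.0.0/8 to any" in both directions,
    # which blocked ${myip} itself.
    # The original also carried a 2003-era bogon list (1/8, 2/8, 5/8, 23/8,
    # 27/8, 31/8, 67/8, 68/6, 72/5, 80/4, 96/3, 197/8, 201/8, ...); those blocks
    # have long since been allocated and would cut off large parts of the
    # Internet, so only fixed reservations are kept. If your upstream hands you
    # RFC 1918 space on ${extif}, remove that prefix from the list.
    # The comma-separated address list needs ipfw2 (standard since FreeBSD 5).
    bogons="0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16,224.0.0.0/4,240.0.0.0/4"
    ${fwcmd} add 300 deny all from ${bogons} to any in via ${extif}

    # Allow INCOMING SSH,SMTP,HTTP from anywhere on the internet.
    # "log" records each new connection; with IPFIREWALL_VERBOSE_LIMIT=30
    # (section 1) the rule stops logging after 30 hits until "ipfw resetlog".
    # Narrow the SSH source to known addresses where you can.
    ${fwcmd} add 320 allow log tcp from any to ${myip} 22,25,80 in setup keep-state

    # ICMP: admit only echo-reply (0), unreachable (3, needed for path-MTU
    # discovery) and time-exceeded (11). Inbound echo-request (8) falls through
    # to the final deny, so the host does not answer ping.
    ${fwcmd} add 340 allow icmp from any to any icmptype 0,3,11

    # Block all other traffic and log it (the same 30-hit logging cap applies)
    ${fwcmd} add 360 deny log all from any to any

    # End of /etc/rc.firewall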




    六、 ipfw日志纪录配置


    /etc/syslog.conf
    代码:
    # Route everything logged by program "ipfw" to its own file. Put this at the
    # end of syslog.conf (or follow it with "!*"): a "!program" line stays in
    # effect for every selector after it.
    # NOTE(review): ipfw's kernel log lines carry facility "security", which the
    # stock syslog.conf already sends to /var/log/security; if nothing appears in
    # ipfw.log on your release, use a "security.*" selector instead of this
    # program filter. Add a newsyslog.conf entry for /var/log/ipfw.log as well --
    # a logging deny rule can otherwise fill /var.
    !ipfw
    *.* /var/log/ipfw.log


    代码:
    # syslogd does not create log files, so create it first; mirror the
    # permissions of /var/log/security so other users cannot read the log
    $ sudo touch /var/log/ipfw.log
    # make syslogd re-read syslog.conf ("service syslogd reload" on newer releases)
    $ sudo killall -HUP syslogd

