FreeBSD ipfw App配置Examples

Step # 1: Enabling IPFW

Open /etc/rc.conf file
# vi /etc/rc.conf
Append following settings:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Save and close the file..

Step # 2 Write a Firewall Rule Script

You need to place a firewall rules in a script called /usr/local/etc/ipfw.rule:
# vi /usr/local/etc/ipfw.rules
Append following code:

IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
# deny and log everything
$IPF 500 deny log all from any to any

Save and close the file.

Step # 3: Start a firewall

You can reboot the box or you could reload these rules by entering on the command line.
# sh /usr/local/etc/ipfw.rules

Task: List all the rules in sequence

Type the following command:
# ipfw list

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

#statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

#open port ftp(20,2),ssh(22),mail(25),http(80),dns(53)
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out

$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

#deny and log everything
$IPF 500 deny log all from any to any

修改/etc/rc.conf
Append following settings
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

/etc/rc.d/ipfw restart

相对针对debian及Centos 系统 的初始化一个系统的 时候设置的iptables shell (仅放行 22 （或是被修改为别的端口）and 80) 以建立的连接ping 等

#!/bin/bash

iptables -F
iptables -X
/etc/rc.d/init.d/iptables save
service iptables restart


iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --dport 25158 -j ACCEPT
iptables -A INPUT -p tcp --dport 19258 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
#from out hosts ping
#iptables -A OUTPUT -p icmp -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT 

# ping Internet 
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Dns 53
#iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT