FreeBSD ipfw设置
一、开机启动IPFW防火墙
ee /etc/rc.conf
加入以下代码:
firewall_type="open"
/* firewall_type说明
firewall_type="open"
从/etc/rc.firewall或包含规则集的文件中的防火墙类型中指定防火墙类型。 /etc/rc.firewall中可选的防火墙类型为:
open-不限制IP访问;closed-禁止除通过lo0进行的之外的所有IP服务; client-对工作站的基本保护;simple-对LAN
的基本保护。如果给的是一个指定的文件名,则必须使用全路径名
*/
firewall_script="/etc/ipfw.rules" // ipfw.rules 是防火墙规则文件
firewall_quiet="NO" // 启用脚本时,是否显示规则信息;假如你的防火墙脚本已经不会再有修改,那么就可以把这里设置成“YES”了。
firewall_logging="YES"
二、建立防火墙规则
ee /etc/ipfw.rules
三、Ipfw命令
1、使用规则
# ipfw show
65535 5294 820413 allow ip from any to any
#ipfw add 10001 deny all from 10.5.3.70 to any
# ipfw show
10001 0 0 deny ip from 10.5.3.70 to any
65535 5673 854504 allow ip from any to any
2、保存规则
# ee /etc/rc.firewall
查找到open
添加ipfw add 10001 deny all from 10.5.3.70 to any
# sh /etc/rc.firewall all (生效)
Flushed all rules.
10001 deny ip from 10.5.3.70 to any
或
# /etc/netstart
# ipfw show
10001 0 0 deny ip from 10.5.3.70 to any
65535 6712 791642 allow ip from any to any
3、ipfw命令
按顺序列出所有的规则:
# ipfw list
列出所有的规则, 同时给出最后一次匹配的时间戳:
# ipfw -t list
列出所有的记账信息、 匹配规则的包的数量, 以及规则本身。 第一列是规则的编号,随后是发出包匹配的数量, 进入
包的匹配数量, 最后是规则本身。
# ipfw -a list
列出所有的动态规则和静态规则:
# ipfw -d list
同时显示已过期的动态规则:
# ipfw -d -e list
将计数器清零:
# ipfw zero
只把规则号为 NUM 的计数器清零:
# ipfw zero NUM
四、Ipfw规则集
规则集是一组根据包中选择的数值使用 allow 或 deny 写出的 ipfw 规则。在两个主机之前的双向包交换组成了一次会
话交互。 防火墙规则集, 会对同一个包处理两次:第一次是包从公网上到达防火墙时, 而第二次则是包返回 Internet
公网上的主机时。 每一个 TCP/IP 服务 (例如 telnet, www, mail, 等等), 都有事先定义好的协议, 以及一个端口号。
这可以作为建立允许或阻止规则时的基本选择依据。当有数据包进入防火墙时, 会从规则集里的第一个规则开始进行比较,
并自顶向下地进行匹配。 当包与某个选择规则参数相匹配时, 将会执行规则所定义的动作,并停止规则集搜索。 这种策
略, 通常也被称作 “最先匹配者获胜” 的搜索方法。如果没有任何与包相匹配的规则, 那么它就会根据强制的 ipfw默
认规则, 也就是 65535 号规则截获。 一般情况下这个规则是阻止包, 而且不给出任何回应。
注意: 如果规则定义的动作是 count、 skipto 或 tee 规则的话, 搜索会继续。这里所介绍的规则, 都是使用了那些包
含状态功能的, 也就是 'keep state'、 'limit'、 'in'/'out'、 或者 'via' 选项的规则。 这是编写包容式防火
墙规则集所需的基本框架。包容式防火墙只允许与规则匹配的包通过。 这样,您就既能够控制来自防火墙后面的机器
请求 Internet 公网上的那些服务, 同时也可以控制来自 Internet 的请求能够访问内部网上的哪些服务。 所有其它
的访问请求都会被阻止, 并记录下来。包容式防火墙一般而言要远比排斥式的要安全, 而且也只需要定义允许哪些访
问通过。
警告: 在操作防火墙规则时应谨慎行事, 如果操作不当,有可能将自己反锁在外面。
#################################################
# ipfw Firewall Commands
#################################################
cmd="ipfw -q add"
ipfw -q -f flush
pif="em0"
#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd allow all from any to any via lo0
$cmd deny all from any to 127.0.0.0/8
$cmd deny all from 127.0.0.0/8 to any
$cmd deny tcp from any to any frag
#################################################
# Stateful rules
#################################################
$cmd check-state
$cmd deny tcp from any to any established
$cmd allow all from any to any out keep-state //开放本机访问Internet主要是为了放行web服务
$cmd allow icmp from any to any
#################################################
# Table 10 for IP blocks
#################################################
ipfw -q table 10 add 127.0.0.2
ipfw -q add 900 deny ip from 'table(10)' to any
#################################################
# Incoming/Outgoing Services
#################################################
$cmd 60001 allow tcp from any to any 21 setup limit src-addr 10
$cmd 60002 allow tcp from any to any 22 setup limit src-addr 8
$cmd 60003 allow tcp from any to any 25 setup limit src-addr 10
$cmd 60004 allow tcp from any to any 587 setup limit src-addr 20
$cmd 60005 allow tcp from any to any 53 setup limit src-addr 3
$cmd 60006 allow udp from any to any 53 limit src-addr 3
$cmd 60007 allow tcp from any to any 80 setup limit src-addr 20
$cmd 60008 allow tcp from any to any 110 setup limit src-addr 20
$cmd 60009 allow tcp from any to any 143 setup limit src-addr 10
$cmd 60010 allow tcp from any to any 443 setup limit src-addr 10
$cmd 60011 allow tcp from any to any 2222 setup limit src-addr 12
$cmd 60012 allow tcp from any to any 35000-35999 in setup limit src-addr 10
$cmd 60013 allow tcp from any to any 993 setup limit src-addr 10
$cmd 60014 allow tcp from any to any 995 setup limit src-addr 10
$cmd 60015 allow tcp from any to any 465 setup limit src-addr 10
$cmd 60016 allow tcp from any to any 585 setup limit src-addr 10
#################################################
# Deny Port scanning (Nmap)
#################################################
$cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst
#################################################
# Deny and Log
#################################################
$cmd deny log all from any to any
扩展
1、配置FreeBSD 防火墙
ee /etc/rc.conf #编辑,在最后添加
firewall_enable="yes" #开启防火墙
net.inet.ip.fw.verbose=1 #启用防火墙日志功能
net.inet.ip.fw.verbose_limit=5 #启用防火墙日志功能
natd_enable="YES" # 开启防火墙NAT功能
natd_interface="rl0"
natd_flags="-dynamic -m"
firewall_script="/etc/ipfw.rules" #自定义防火墙规则路径
按esc,回车,再按a保存配置
2、添加防火墙规则
ee /etc/ipfw.rules #编辑防火墙规则,添加以下代码
#!/bin/sh ################ Start of IPFW rules file ###################### # Flush out the list before we begin. ipfw -q -f flush # Set rules command prefix cmd="ipfw -q add" skip="skipto 800" pif="rl0" # public interface name of NIC # facing the public Internet ################################################################# # No restrictions on Inside LAN Interface for private network # Change xl0 to your LAN NIC interface name ################################################################# $cmd 005 allow all from any to any via xl0 ################################################################# # No restrictions on Loopback Interface ################################################################# $cmd 010 allow all from any to any via lo0 ################################################################# # check if packet is inbound and nat address if it is ################################################################# $cmd 014 divert natd ip from any to any in via $pif ################################################################# # Allow the packet through if it has previous been added to the # the "dynamic" rules table by a allow keep-state statement. ################################################################# $cmd 015 check-state ################################################################# # Interface facing Public Internet (Outbound Section) # Check session start requests originating from behind the # firewall on the private network or from this gateway server # destined for the public Internet. ################################################################# # Allow out access to my ISP's Domain name server. # x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state # Allow out access to my ISP's DHCP server for cable/DSL configurations. $cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state # Allow out non-secure standard www function $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state # Allow out secure www function https over TLS SSL $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state # Allow out send & get email function $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state # Allow out FreeBSD (make install & CVSUP) functions # Basically give user root "GOD" privileges. $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root # Allow out ping $cmd 080 $skip icmp from any to any out via $pif keep-state # Allow out Time $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state # Allow out nntp news (i.e. news groups) $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state # Allow out secure FTP, Telnet, and SCP # This function is using SSH (secure shell) $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state # Allow out whois $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state # Allow ntp time server $cmd 130 $skip udp from any to any 123 out via $pif keep-state ################################################################# # Interface facing Public Internet (Inbound Section) # Check packets originating from the public Internet # destined for this gateway server or the private network. ################################################################# # Deny all inbound traffic from non-routable reserved address spaces #$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Deny ident $cmd 315 deny tcp from any to any 113 in via $pif # Deny all Netbios service. 137=name, 138=datagram, 139=session # Netbios is MS/Windows sharing services. # Block MS/Windows hosts2 name server requests 81 $cmd 320 deny tcp from any to any 137 in via $pif $cmd 321 deny tcp from any to any 138 in via $pif $cmd 322 deny tcp from any to any 139 in via $pif $cmd 323 deny tcp from any to any 81 in via $pif # Deny any late arriving packets $cmd 330 deny all from any to any frag in via $pif # Deny ACK packets that did not match the dynamic rule table $cmd 332 deny tcp from any to any established in via $pif # Allow traffic in from ISP's DHCP server. This rule must contain # the IP address of your ISP's DHCP server as it's the only # authorized source to send this packet type. # Only necessary for cable or DSL configurations. # This rule is not needed for 'user ppp' type connection to # the public Internet. This is the same IP address you captured # and used in the outbound section. $cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state # Allow in standard www function because I have Apache server $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2 # Allow in secure FTP, Telnet, and SCP from public Internet $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Allow in non-secure Telnet session from public Internet # labeled non-secure because ID & PW are passed over public # Internet as clear text. # Delete this sample group if you do not have telnet server enabled. $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2 # Reject & Log all unauthorized incoming connections from the public Internet $cmd 400 deny log all from any to any in via $pif # Reject & Log all unauthorized out going connections to the public Internet $cmd 450 deny log all from any to any out via $pif # This is skipto location for outbound stateful rules $cmd 800 divert natd ip from any to any out via $pif $cmd 801 allow ip from any to any # Everything else is denied by default # deny and log all packets that fell through to see what they are $cmd 999 deny log all from any to any ################ End of IPFW rules file ###############################
备注:参数说明:
#$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
我的IP地址是192.168.21.173,是属于192.168.0.0/16 IP段,所以这里要注释掉这一行,允许连接外网,否则主机无法联网。
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
是开启SSH默认端口22
3、重启网络服务,使防火墙规则生效
系统运维 www.osyunwei.com 温馨提醒:qihang01原创内容版权所有,转载请注明出处及原文链接
/etc/netstart #重启网络
/etc/rc.d/ipfw start #开启防火墙
ipfw disable firewall #关闭防火墙
ipfw enable firewall #开启防火墙
/etc/rc.d/ipfw restart #重启防火墙
sh /etc/ipfw.rules #使防火墙规则生效
4、开启SSH服务
(1)ee /etc/inetd.conf #编辑,去掉sshd前面的#
ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4
(2)ee /etc/rc.conf #编辑,在最后添加
sshd_enable="yes"
(3)ee /etc/ssh/sshd_config #编辑配置文件
PermitRootLogin yes #允许root登录
PasswordAuthentication yes #使用密码验证
PermitEmptyPasswords no #不允许空密码登录
/etc/rc.d/sshd start #启动ssh服务
/etc/rc.d/sshd restart #重启ssh
配置完成,现在已经可以使用Putty等远程连接工具连接服务器了。
#####################################################
扩展阅读:
有两种加载自定义 ipfw 防火墙规则的方法。
其一是将变量 firewall_type 设为包含不带 ipfw(8) 命令行选项的 防火墙规则 文件的完整路径。
例如:
add allow in
add allow out
firewall_type="open"参数说明
open ── 允许所有流量通过。
client ── 只保护本机。
simple ── 保护整个网络。
closed ── 完全禁止除回环设备之外的全部 IP 流量。
UNKNOWN ── 禁止加载防火墙规则。
filename ── 到防火墙规则文件的绝对路径。
IPFW防火墙规则集样例在这两个文件中
/etc/rc.firewall
/etc/rc.firewall6
除此之外, 也可以将 firewall_script 变量设为包含 ipfw 命令的可执行脚本, 这样这个脚本会在启动时自动执行。
#####################################################
浙公网安备 33010602011771号