[Repost] FreeBSD ipfw firewall basics guide
Source: hackbase.com
1. Kernel configuration
/usr/src/sys/i386/conf/HQ_SuperServer
Code:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT # IPDIVERT enables the divert IP sockets, used by "ipfw divert"
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=30
#options IPFILTER #ipfilter support
#options IPFILTER_LOG #ipfilter logging
# traffic shaper, bandwidth manager and delay emulator
options DUMMYNET # enables the "dummynet" bandwidth limiter. You need IPFIREWALL as well.
# Statically Link in accept filters for a web server on this box
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options ICMP_BANDLIM # D.O.S. protection
options IPSTEALTH #To hide firewall from traceroute
options TCP_DROP_SYNFIN #To hide from nmap OS fingerprint, remove if create web server
2. rc.conf configuration
/etc/rc.conf
Code:
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/rc.firewall"
firewall_quiet="NO" #change to YES once happy with rules
firewall_logging_enable="YES"
#extra firewalling options
log_in_vain="YES"
#This option prevents what is known as OS fingerprinting; TCP_DROP_SYNFIN must be compiled into the kernel to use it
tcp_drop_synfin="NO" #set to YES to drop SYN+FIN packets; leave NO if this host is a web server
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
3. Using ipfw
Code:
ipfw add allow tcp from to in recv
Example of adding and removing rules:
Code:
$ sudo ipfw add deny tcp from 61.49.203.115 to 61.49.203.114 22 in recv fxp0
$ sudo ipfw -t list
$ sudo ipfw delete 00100
Block ICMP
Code:
$ sudo ipfw add deny icmp from any to any in recv fxp0
Show rules
Code:
$ sudo ipfw show
Display rules by number
Code:
$ sudo ipfw -t list
List packet counts together with the rules they matched
Code:
$ sudo ipfw -a list
4. The /etc/ipfw.rules rule file
Code:
# ipfw syntax puts the rule number between "add" and the action
add 00010 allow udp from any to me 67 in via $iif
add 00020 allow udp from me 68 to any out via $iif
5. The /etc/rc.firewall script
Code:
# mv /etc/rc.firewall /etc/rc.firewall.orig
# touch /etc/rc.firewall
# chmod u=+rx,og=-rwx /etc/ipfw.rules
/etc/rc.firewall
Code:
#!/bin/sh
# This will flush the existing rules - sudo ipfw -f flush
# You can execute this script without dropping existing connections/states
fwcmd="/sbin/ipfw -q"
extif="fxp0"
myip="10.1.8.114"
mybcast="10.1.8.119"
mynetwork="10.1.8.112/29"
dns_server="10.1.8.1"
# Reset all rules in case script run multiple times
${fwcmd} -f flush
${fwcmd} add 200 check-state
# Block RFC 1918 and other reserved networks arriving on the outside interface
# (spoofed sources) - the comma-separated list syntax only works in ipfw2.
# "in via ${extif}" keeps this from matching our own LAN (10.1.8.112/29) and
# our own outbound traffic, which a bare "from 10.0.0.0/8 to any" would block.
${fwcmd} add 210 deny all from 0.0.0.0/7,1.0.0.0/8,2.0.0.0/8,5.0.0.0/8,10.0.0.0/8,23.0.0.0/8,\
27.0.0.0/8,31.0.0.0/8,67.0.0.0/8,68.0.0.0/6,72.0.0.0/5,80.0.0.0/4,96.0.0.0/3,127.0.0.0/8,\
128.0.0.0/16,128.66.0.0/16,169.254.0.0/16,172.16.0.0/12,191.255.0.0/16,192.0.0.0/16,\
192.168.0.0/16,197.0.0.0/8,201.0.0.0/8,204.152.64.0/23,224.0.0.0/3,240.0.0.0/8 \
to any in via ${extif}
# Allow all via loopback to loopback
${fwcmd} add 220 allow all from any to any via lo0
# Allow from me to anywhere
${fwcmd} add 240 allow tcp from ${myip} to any setup keep-state
${fwcmd} add 260 allow udp from ${myip} to any keep-state
${fwcmd} add 280 allow icmp from ${myip} to any
# Allow local LAN to connect to us
${fwcmd} add 300 allow ip from ${mynetwork} to ${mynetwork}
# Allow INCOMING SSH,SMTP,HTTP from anywhere on the internet
${fwcmd} add 320 allow log tcp from any to ${myip} 22,25,80 in keep-state setup
# Allow only ICMP echo reply (0), destination unreachable (3) and time exceeded (11)
${fwcmd} add 340 allow icmp from any to any icmptype 0,3,11
# Block all other traffic and log it
${fwcmd} add 360 deny log all from any to any
# End of /etc/rc.firewall
6. ipfw logging configuration
/etc/syslog.conf
Code:
!ipfw
*.* /var/log/ipfw.log
Code:
$ sudo touch /var/log/ipfw.log
$ sudo killall -HUP syslogd
Who on earth wrote this? Do they even know how to use IPFW? An utterly failed firewall.
The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack, which would open a huge number of dynamic rules. To counter this attack, FreeBSD version 4.5 added another new option named limit. This option is used to limit the number of simultaneous session conversations: the rule's source or destination field, as directed by the limit option, supplies the packet's IP address, the open dynamic rules are searched for that rule and IP address combination, and if the count is greater than the value specified on the limit option, the packet is discarded.
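The /var/log/ipfw.log file set up in section 6 is only useful if someone reads it. The following POSIX shell functions are an added example, not code from the original post: they summarise denied source addresses per interface from constructed log lines (the line layout follows the kernel's "ipfw: rule action proto src dst dir via ifname" message; hostnames and addresses are made up), and report rules whose IPFIREWALL_VERBOSE_LIMIT from section 1 was reached, after which the kernel stops logging that rule and the counts become a lower bound.

```shell
#!/bin/sh
# Added example: summarise ipfw deny log lines. The sample lines below are
# constructed for illustration; the host name and addresses are made up.
SAMPLE_LOG='Mar  3 10:03:11 hq kernel: ipfw: 360 Deny TCP 203.0.113.5:43210 10.1.8.114:22 in via fxp0
Mar  3 10:03:12 hq kernel: ipfw: 360 Deny TCP 203.0.113.5:43211 10.1.8.114:22 in via fxp0
Mar  3 10:03:12 hq kernel: ipfw: 360 Deny TCP 203.0.113.5:43212 10.1.8.114:23 in via fxp0
Mar  3 10:03:15 hq kernel: ipfw: 360 Deny ICMP:8.0 198.51.100.9 10.1.8.114 in via fxp0
Mar  3 10:03:20 hq kernel: ipfw: 320 Accept TCP 192.0.2.77:51000 10.1.8.114:22 in via fxp0
Mar  3 10:03:40 hq kernel: ipfw: limit 30 reached on entry 360'

# deny_by_source IFACE: read log lines on stdin and print "count source"
# for every source address denied on IFACE, most active source first.
deny_by_source() {
  awk -v ifc="$1" '
    {
      # locate the "ipfw:" token so the syslog prefix length does not matter
      for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
      if (i > NF || $(i + 2) != "Deny" || $NF != ifc) next
      src = $(i + 4)                 # "addr:port" for TCP/UDP, "addr" for ICMP
      sub(/:[0-9]+$/, "", src)       # drop the source port, if any
      n[src]++
    }
    END { for (s in n) print n[s], s }
  ' | sort -rn
}

# limits_reached: print rule numbers whose IPFIREWALL_VERBOSE_LIMIT fired.
# Once this message appears, further matches of that rule are not logged,
# so deny_by_source counts for it are only a lower bound.
limits_reached() {
  awk '/ipfw: limit [0-9]+ reached on entry [0-9]+$/ { print $NF }'
}

printf '%s\n' "$SAMPLE_LOG" | deny_by_source fxp0
printf '%s\n' "$SAMPLE_LOG" | limits_reached
```

Run it against the real file with `deny_by_source fxp0 < /var/log/ipfw.log`; a source that dominates the list while a limit message is present is worth a closer look, because the true count is higher than shown.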