FreeBSD 防火牆 Firewall (ipfw)

先將kernel複製出來

# Keep the custom kernel config outside the source tree, and link it back into
# the i386 conf directory so the kernel build can find it by name.
mkdir /usr/local/etc/FreeBSD
cp /usr/src/sys/i386/conf/GENERIC /usr/local/etc/FreeBSD/MYKERNEL

cd /usr/src/sys/i386/conf
# Explicit link name; same result as `ln -s <path>` with the implied basename.
ln -s /usr/local/etc/FreeBSD/MYKERNEL MYKERNEL

# Edit the copy (the options to add are listed below).
vi /usr/local/etc/FreeBSD/MYKERNEL

加入

# Static ipfw support for the custom kernel.
options IPFIREWALL #firewall

options IPFIREWALL_VERBOSE #enable logging to syslogd(8)

options IPFIREWALL_FORWARD #packet destination changes

# Fail-open default: until a rule set is loaded the kernel passes all
# traffic, and it keeps passing everything if /etc/rc.firewall fails to load.
# Only the explicit final deny rule in /etc/rc.firewall makes the host
# default-deny.
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default

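# Build and install the custom kernel. KERNCONF must name MYKERNEL explicitly:
# without it `make kernel` builds GENERIC, silently ignoring the edited config.
# `&&` (not `;`) so make does not run in the wrong directory if cd fails.
cd /usr/src && make kernel KERNCONF=MYKERNEL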

完成後開始設定

# Append the firewall_* settings below to /etc/rc.conf.
vi /etc/rc.conf

加入

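#firewall -- rc.conf settings that load the rule set at boot
# (straight ASCII quotes: curly quotes are read as part of the value by sh)
firewall_enable="YES"
firewall_logging="YES"              # pairs with IPFIREWALL_VERBOSE in the kernel config
firewall_script="/etc/rc.firewall"  # rule script run at boot; contents given below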

# Replace the stock /etc/rc.firewall wholesale with the script below.
vi /etc/rc.firewall

將內容全部刪除改為

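#!/bin/sh
# /etc/rc.firewall - ipfw rule set, run at boot via firewall_script in rc.conf.
# Rules are evaluated in ascending number order and the first match wins, so
# the ordering below is the policy. Rule 65534 is the explicit deny-all.
# All quotes are straight ASCII quotes: curly quotes make sh treat them as
# part of the value (fwcmd would then name a non-existent binary).

fwcmd="/sbin/ipfw"

Trust_IP1="127.0.0.1"         # replace with this server's own IP
Trust_IP2="120.119.1.0/24"    # trusted subnet: all IP traffic from it is allowed
UnTrust_IP1="192.83.191.0/24" # blocked subnet: nothing from it reaches this host

# Destination TCP ports open to everyone.
Allowed_TCP_In_1="22,25,53,80,443"

Traceroute="33433-33499"      # UDP destination range used by traceroute probes

# NOTE(review): 20/21 (ftp) and 113 (ident) are TCP services; listing them as
# UDP ports does not open those services.
Allowed_UDP_Out="20,21,53,113"    # not referenced by any rule below
Allowed_UDP_In="20,21,53,113"
Allowed_UDP_ftp_Out="65000-65500" # presumably the passive-FTP data range
Allowed_UDP_ftp_In="65000-65500"  # not referenced by any rule below
Allowed_TCP_ftp_Out="65000-65500"
Allowed_TCP_ftp_In="65000-65500"  # not referenced by any rule below

# Rule syntax:
#   ipfw add [number] allow|deny [log] <proto> from <src> [ports] to <dst> [ports] [options]

# Flush the whole rule set first. With IPFIREWALL_DEFAULT_TO_ACCEPT in the
# kernel, the host is unfiltered between this flush and rule 65534 below.
"$fwcmd" -f flush

# NOTE(review): this passes every packet matching the "ipv6" protocol
# specifier before any other rule, so that traffic is never subject to the
# deny-all at 65534 -- confirm against ipfw(8) that this is intended.
"$fwcmd" add 1 allow ipv6 from any to any

# Outbound TCP initiated by this host; keep-state creates a dynamic rule so
# the replies are accepted at check-state.
"$fwcmd" add 00010 allow tcp from me to any setup keep-state
"$fwcmd" add 00021 check-state

# Trust is by source address only: there is no interface binding (e.g. "via
# lo0"), so these rules also match packets that merely claim such a source.
"$fwcmd" add 00030 allow ip from "${Trust_IP1}" to any
"$fwcmd" add 00031 allow ip from "${Trust_IP2}" to any

# All ICMP types in both directions (no icmptypes restriction).
"$fwcmd" add 00060 allow icmp from any to any
"$fwcmd" add 00061 allow udp from any to any "${Traceroute}"

# Block the untrusted subnet. 00121 is already covered by 00120 ("ip"
# includes tcp/25); kept only as documentation of the intent.
"$fwcmd" add 00120 deny ip from "${UnTrust_IP1}" to me
"$fwcmd" add 00121 deny tcp from "${UnTrust_IP1}" to me 25

# Public TCP services. Matches every TCP segment to these ports, not only
# connection requests; add "setup" to restrict it to SYNs.
"$fwcmd" add 56000 allow tcp from any to any "${Allowed_TCP_In_1}"

# NOTE(review): this matches on the SOURCE port, so any UDP datagram whose
# sender chooses source port 20, 21, 53 or 113 reaches every UDP port on this
# host. If the goal is to let DNS replies back in, a stateful outbound rule
# ("allow udp from me to any 53 keep-state") is the usual replacement.
"$fwcmd" add 56003 allow udp from any "${Allowed_UDP_In}" to any

# FTP data range open to everyone (variables are named "_Out" but are used
# for inbound here).
"$fwcmd" add 56004 allow udp from any to any "${Allowed_UDP_ftp_Out}"
"$fwcmd" add 56005 allow tcp from any to any "${Allowed_TCP_ftp_Out}"

# Deny and log everything else. This rule is what makes the policy
# default-deny despite IPFIREWALL_DEFAULT_TO_ACCEPT.
"$fwcmd" add 65534 deny log ip from any to any

# Reset the per-rule packet/byte counters.
"$fwcmd" zero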

# Load the rule set into the running kernel in the background, then reboot so
# the kernel built above takes effect.
# NOTE(review): the reboot races the background job, and ipfw rules live only
# in the running kernel -- firewall_enable in rc.conf re-runs /etc/rc.firewall
# at boot anyway, so this manual run only matters if you do not reboot.
sh /etc/rc.firewall &

reboot
