
FreeBSD Firewall (ipfw)

*BSD shaobo 55 views 1683 words 0 comments

First copy the kernel configuration file out of the source tree (it is the config that gets copied, not a kernel; the path below is for i386, on amd64 use /usr/src/sys/amd64/conf):

mkdir /usr/local/etc/FreeBSD
cd /usr/src/sys/i386/conf
cp GENERIC /usr/local/etc/FreeBSD/MYKERNEL
ln -s /usr/local/etc/FreeBSD/MYKERNEL
vi /usr/local/etc/FreeBSD/MYKERNEL

Add:

options IPFIREWALL                   # firewall
options IPFIREWALL_VERBOSE           # enable logging to syslogd(8)
options IPFIREWALL_FORWARD           # packet destination changes (fwd rules)
options IPFIREWALL_DEFAULT_TO_ACCEPT # allow everything by default

Be clear about what IPFIREWALL_DEFAULT_TO_ACCEPT does: the built-in rule 65535 becomes "allow", so the host is wide open whenever the ruleset is empty, for example between the flush and the last add in the script below, or if the script fails half way. Without it, flushing the rules over SSH drops your own session. The script below ends with its own deny rule at 65534, so the default rule is only reached when the ruleset was never loaded.

On current FreeBSD the kernel rebuild is optional: firewall_enable="YES" loads ipfw.ko on demand, IPFIREWALL_VERBOSE corresponds to the sysctl net.inet.ip.fw.verbose, and the default-accept behaviour to the loader tunable net.inet.ip.fw.default_to_accept. If you do rebuild, name the config explicitly, because a bare "make kernel" builds GENERIC:

cd /usr/src; make kernel KERNCONF=MYKERNEL

Once that is done, configure the rc system.

vi /etc/rc.conf

Add:

#firewall
firewall_enable="YES"              # start ipfw at boot (loads the module if it is not in the kernel)
firewall_logging="YES"             # sets net.inet.ip.fw.verbose=1 so "log" rules reach syslog
firewall_script="/etc/rc.firewall" # already the default; kept here for clarity

vi /etc/rc.firewall

Delete the whole contents and replace them with:

#!/bin/sh
fwcmd="/sbin/ipfw"

Trust_IP1="127.0.0.1"              # replace with the server's own IP (ipfw's "me" keyword matches every address of the host and avoids hard-coding it)
Trust_IP2="120.119.1.0/24"         # network allowed through
UnTrust_IP1="192.83.191.0/24"      # network to block
Allowed_TCP_In_1="22,25,53,80,443" # the ports you want to open
Traceroute="33433-33499"
Allowed_UDP_Out="20,21,53,113"
Allowed_UDP_In="20,21,53,113"
Allowed_UDP_ftp_Out="65000-65500"
Allowed_UDP_ftp_In="65000-65500"
Allowed_TCP_ftp_Out="65000-65500"
Allowed_TCP_ftp_In="65000-65500"
# Allowed_UDP_Out, Allowed_UDP_ftp_In and Allowed_TCP_ftp_In are defined but not referenced by any rule below.

# Rule syntax: ipfw add [number] allow|deny proto from src [ports] to dst [ports] [options]
# Rules are evaluated in ascending number order and the first match wins.

$fwcmd -f flush                                            # flush the existing ruleset (-f: no confirmation prompt)
$fwcmd add 1 allow ipv6 from any to any                    # passes ALL IPv6 traffic unfiltered; every rule below governs IPv4 only
$fwcmd add 00010 allow tcp from me to any setup keep-state # outbound TCP started by this host, tracked statefully
$fwcmd add 00021 check-state                               # packets belonging to tracked flows pass here
$fwcmd add 00030 allow ip from ${Trust_IP1} to any
$fwcmd add 00031 allow ip from ${Trust_IP2} to any
$fwcmd add 00060 allow icmp from any to any                # every ICMP type, including echo requests from anywhere
$fwcmd add 00061 allow udp from any to any $Traceroute
$fwcmd add 00120 deny ip from ${UnTrust_IP1} to me
$fwcmd add 00121 deny tcp from ${UnTrust_IP1} to me 25     # already covered by 00120; redundant but harmless
$fwcmd add 56000 allow tcp from any to any ${Allowed_TCP_In_1}  # inbound services; "to any" instead of "to me" also permits forwarded traffic to these ports
$fwcmd add 56003 allow udp from any to any ${Allowed_UDP_In}    # match on the DESTINATION port; a rule written "from any ${Allowed_UDP_In} to any" matches the SOURCE port, which any sender can choose (send from port 53 and reach every UDP service)
$fwcmd add 56004 allow udp from any to any ${Allowed_UDP_ftp_Out}  # passive-FTP data range
$fwcmd add 56005 allow tcp from any to any ${Allowed_TCP_ftp_Out}
$fwcmd add 65534 deny log ip from any to any               # deny and log everything else
$fwcmd zero                                                # reset the per-rule packet counters

Load the ruleset, then reboot so the firewall comes up from rc.conf at boot:

sh /etc/rc.firewall &
reboot

Running the script from an SSH session is only survivable because IPFIREWALL_DEFAULT_TO_ACCEPT keeps the host open between the flush and rule 56000; with a default-to-deny kernel the flush would cut your session before the allow rules are loaded. On a running system, "service ipfw start" (or "/etc/rc.d/ipfw start" on older releases) loads the same script through the rc framework.
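The script above opens all of IPv6, accepts every ICMP type, and relies on the default-accept kernel to avoid lock-out while reloading. As an added example, not the original post's rc.firewall, the following /etc/rc.firewall for the same kind of host uses the same ipfw keywords but keeps all allow rules on "me" and destination ports, puts the deny for the untrusted network ahead of every allow, adds a dry-run mode (DRYRUN=1) so the generated rules can be reviewed before loading, and guards a remote reload with a rollback timer. The networks, the port list and the /var/run PID file path are assumed values for illustration.

```shell
#!/bin/sh
# Added example (not the original post's rc.firewall): a tighter ipfw ruleset
# with a dry-run mode and a lock-out guard for remote reloads.
# Assumed values (hypothetical): trusted LAN, untrusted net, public services.
trust_net="120.119.1.0/24"
untrust_net="192.83.191.0/24"
tcp_services="22,25,53,80,443"
traceroute_ports="33433-33499"
rollback_pidfile="/var/run/ipfw-rollback.pid"   # assumed path

# run: execute ipfw, or print the command when DRYRUN=1 so the ruleset can be
# reviewed (and tested) without touching the live firewall.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        /sbin/ipfw "$@"
    fi
}

# build_rules: emit the ruleset in evaluation order (lowest number first).
build_rules() {
    run -f flush
    # Loopback is trusted; 127/8 must never appear on a real interface.
    run add 100 allow ip from any to any via lo0
    run add 110 deny ip from any to 127.0.0.0/8
    run add 120 deny ip from 127.0.0.0/8 to any
    # Packets of already-tracked flows, in either direction.
    run add 200 check-state
    # Blocked network: evaluated before any allow rule, and logged.
    run add 300 deny log ip from "$untrust_net" to me
    # Anything this host initiates, tracked so replies come back in via 200.
    run add 400 allow tcp from me to any setup keep-state
    run add 410 allow udp from me to any keep-state
    run add 420 allow icmp from me to any keep-state
    # Trusted LAN gets full access to this host ("to me", not "to any": no forwarding).
    run add 500 allow ip from "$trust_net" to me
    # Public services: only new connections (setup) to listed DESTINATION ports.
    run add 600 allow tcp from any to me "$tcp_services" setup keep-state
    run add 610 allow udp from any to me 53 keep-state
    # ICMP: echo reply/request, unreachable and time-exceeded only.
    run add 700 allow icmp from any to me icmptypes 0,3,8,11
    run add 710 allow udp from any to me "$traceroute_ports"
    # IPv6 is not opened wholesale: if the host uses it, add explicit ip6
    # rules (ICMPv6 neighbour discovery first) above this line.
    run add 65000 deny log ip from any to any
    run zero
}

# safe_apply: load the rules, then open the firewall again after $1 seconds
# unless confirm_apply is run first, so a ruleset that drops your own SSH
# session undoes itself.
safe_apply() {
    build_rules
    (
        sleep "${1:-120}"
        run -f flush
        run add 65000 allow ip from any to any
    ) &
    echo "$!" > "$rollback_pidfile"
}

confirm_apply() {
    if [ -f "$rollback_pidfile" ]; then
        kill "$(cat "$rollback_pidfile")" 2>/dev/null
        rm -f "$rollback_pidfile"
    fi
}

# rule_position: line number of the first dry-run rule matching $1, for
# checking that a deny really precedes the allows it is meant to override.
rule_position() {
    (DRYRUN=1; build_rules) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    show)    (DRYRUN=1; build_rules) ;;
    apply)   safe_apply "${2:-120}" ;;
    confirm) confirm_apply ;;
esac
```

Usage: "sh /etc/rc.firewall show" prints the rules for review; "sh /etc/rc.firewall apply 120" loads them and schedules a revert to allow-all in two minutes, which "sh /etc/rc.firewall confirm" cancels once you have verified a fresh SSH login still works. The "log" rules only produce output with firewall_logging="YES" (net.inet.ip.fw.verbose=1), and net.inet.ip.fw.verbose_limit caps how many lines each rule logs.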

