Lvey’s Freebsd系列之ipfw防火墙配置

Q Q:1262828
MSN:qwq721@hotmail.com
Lvey原创,转载请表明出处,谢谢!

1.加载内核#cd /sys/i386/conf
#cp GENERIC(内核自定义)./kernel_IPFW
#ee kernel_IPFW 在文件最后加入
options IPFIREWALL 将包过滤部分的代码编译进内核。
options IPFIREWALL_VERBOSE 启用通过Syslogd记录的日志;如果没有指定这个选项。使你在过滤规则中指定了记录包,也不会真的记录它们。
options IPFIREWALL_VERBOSE_LIMIT=10 限制通过Syslogd记录的每项包规则的记录条数
options IPFIREWALL_DEFAULT_TO_ACCEPT 这句是最关键的。将把默认的规则动作从 “deny” 改为 “allow”。这句命令的作用是,在默认状态下,IPFW会接受任何的数据,也就是说服务器看起来像没有防火墙一样,如果你需要什么规则,在安装完成后直接添加就可以了。
保存退出
2.编译系统内核

#/usr/sbin/config kernel_IPFW
#cd ../compile/kernel_IPFW
#make
 #make install
3.加载启动项

firewall_enable=”YES”  激活Firewall防火墙
firewall_script=”/etc/rc.firewall” Firewall防火墙的默认脚本(我改为/etc/ipfw.conf)
firewall_type=”/etc/ipfw.conf” Firewall自定义脚本
firewall_quiet=”NO”
启用脚本时,是否显示规则信息;假如你的防火墙脚本已经不会再有修改,那么就可以把这里设置成“YES”了。
firewall_logging_enable=”YES” 启用Firewall的Log记录
  
 Step2:编辑/etc/syslog.conf文件
在文件最后加入如下内容:
 

!ipfw
 *.* /var/log/ipfw.log
这行的作用是将IPFW的日志写到/var/log/ipfw.log文件里,当然,你也可以为日志文件指定其他目录。
以上步骤完成后重启电脑。
4.加入规则
在/etc/ipfw.conf加入

#!/bin/sh
fwcmd=”/sbin/ipfw”
#${fwcmd} -f flush
######### TCP ##########
${fwcmd} add 001 deny tcp from any to any in tcpflags syn,fin
######### DNS ##########
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 110 deny all from any to 127.0.0.0/8
${fwcmd} add 120 deny ip from 127.0.0.0/8 to any
${fwcmd} add 130 pass all from me to me ${fwcmd} add 1000 allow all from me to 202.96.209.5
${fwcmd} add 1000 allow all from me to 202.96.209.133
${fwcmd} add 1000 allow all from 202.96.209.5 to me
${fwcmd} add 1000 allow all from 202.96.209.133 to me
######### www ssh ftp mail ##########
${fwcmd} add 500 check-state
${fwcmd} add 10000 pass tcp from any to me 80 in setup keep-state
${fwcmd} add 10000 pass tcp from any to me 443 in setup keep-state
${fwcmd} add 10002 allow tcp from any to me 22 in setup keep-state
${fwcmd} add 10003 pass all from any to me 21 in setup keep-state
${fwcmd} add 10004 pass all from me to any 21 out setup keep-state
${fwcmd} add 10005 pass tcp from any to me 25 in setup keep-state
${fwcmd} add 10006 pass tcp from me to any 25 out setup keep-state
################################
${fwcmd} add 20000 allow all from any to any 53 setup keep-state
${fwcmd} add 20001 allow tcp from me to any out setup keep-state
${fwcmd} add 20002 allow all from me to any out setup keep-state
${fwcmd} add 20003 allow all from any to me in setup keep-state
######### ICMP #################
${fwcmd} add 30000 allow icmp from any to any icmptypes 3
${fwcmd} add 30001 allow icmp from any to any icmptypes 4
${fwcmd} add 30002 allow icmp from any to any icmptypes 8 out
${fwcmd} add 30003 allow icmp from any to any icmptypes 0 in
${fwcmd} add 30004 allow icmp from any to any icmptypes 11 in
${fwcmd} add 50000 deny all from any to any
这些规则要符合你的要求,我只是弄些例子,

5.命令应用

加载规则 sh /etc/ipfw.rules
显示规则 Ipfw show

Tags: FreeBsd, ipfw, 内核, 规则, 防火墙
转载 http://www.lovelvey.cn/server/freebsd/ipfw%e9%98%b2%e7%81%ab%e5%a2%99%e9%85%8d%e7%bd%ae.html

]]>

© 版权声明
THE END
喜欢就支持以下吧
点赞0
分享