新域网络技术论坛

FreeBSD 10.1 firewall configuration


Jamers

It has been a while since I switched systems, and the firewall has been left alone the whole time. Today I found some time to set it up and take security all the way.

 

FreeBSD used not to ship with ipfw by default. If it were not compiled in, my idea of using this firewall would certainly have come to nothing, because the server is colocated and recompiling would inevitably affect other things. Fortunately FreeBSD 10.1 already has ipfw support compiled in by default. Enough talk, let's get to work!

 

Enable firewall support

ee /etc/rc.conf
# add the following lines
firewall_enable="YES"              # enable the ipfw firewall
firewall_script="/etc/rc.firewall" # the default firewall script (this is already the default value)
firewall_type="/etc/ipfw.conf"     # custom rules file; rc.firewall loads it when firewall_type is not one of its built-in keywords
firewall_quiet="NO"                # whether to print each rule as the script loads it; once your ruleset is final you can set this to "YES"
firewall_logging="YES"             # enable ipfw logging; rc.d/ipfw reads this variable and sets net.inet.ip.fw.verbose=1

Add logging

ee /etc/syslog.conf
# add the following lines
!ipfw
*.*         /var/log/ipfw.log
# syslogd does not create the file itself: touch /var/log/ipfw.log and restart syslogd afterwards

Create the rule set. This is the most important step, so be careful: open every port you need, or you may have to be next to the server to adjust the settings.

Assume the server IP is 192.168.1.50; change it to suit yourself.

ee /etc/ipfw.conf

## Loopback: rc.firewall only installs its own lo0 rules for the built-in types (open, client, simple, closed),
## not when firewall_type names a file, so without this rule connections to 127.0.0.1 hit the final deny
add 100 allow ip from any to any via lo0

## TCP
# allow SSH
add 10000 allow tcp from any to 192.168.1.50 dst-port 22 in
# allow port 80, limited to 50 concurrent connections per source IP
add 10001 allow tcp from any to me dst-port 80 setup limit src-addr 50
# allow FTP
add 10002 allow tcp from any to 192.168.1.50 dst-port 21 in
# allow MySQL
add 10003 allow tcp from any to 192.168.1.50 dst-port 3306 in

## allow all outbound traffic from the server
add 19000 allow ip from 192.168.1.50 to any out

## allow DNS replies (this matches any UDP packet whose source port is 53, whether or not we sent a query)
add 20000 allow udp from any 53 to 192.168.1.50

## allow all outbound UDP
add 29000 allow udp from any to any out

## allow outbound ICMP echo requests and the corresponding replies
## (ICMP type 3 is not allowed in, so "fragmentation needed" messages used by path MTU discovery are dropped)
add 39000 allow icmp from any to any icmptypes 8 out
add 39001 allow icmp from any to any icmptypes 0 in
add 39002 allow icmp from any to any icmptypes 11 in

## deny everything that did not match a rule above
add 60000 deny all from any to any

After this is configured, reboot the server. Apart from the ports opened explicitly, no other port can be reached, and ping gets no response either. Anyone who needs something different can adjust the rules to fit their own requirements.


Explanation of the icmptypes values

echo reply (0), destination unreachable (3), source quench (4),
redirect (5), echo request (8), router advertisement (9), router
solicitation (10), time-to-live exceeded (11), IP header bad
(12), timestamp request (13), timestamp reply (14), information
request (15), information reply (16), address mask request (17)
and address mask reply (18).

By default FreeBSD 10.1 has ipfw logging disabled, so the corresponding parameters have to be added:

ee /etc/sysctl.conf

net.inet.ip.fw.verbose=1        # write a syslog line for packets matching rules that carry "log" (applies at boot; run sysctl net.inet.ip.fw.verbose=1 to apply now)
net.inet.ip.fw.verbose_limit=5  # default number of packets logged per rule before "limit reached"; a rule's own logamount overrides it

Test a logging rule:

add 10004 deny log logamount 1 tcp from any to me dst-port 20 in
# logamount 1: log only the first matching packet, then report "limit 1 reached"; "ipfw resetlog" clears the counter

Try connecting to port 20 on the server; the log file shows:

Jan  2 09:58:04 freebsd kernel: ipfw: 10004 Deny TCP 192.168.1.108:58021 192.168.1.50:20 in via em0
Jan  2 09:58:04 freebsd kernel: ipfw: limit 1 reached on entry 10004
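As an added example (not code from the original post), here is a small POSIX shell summariser for log lines like the ones above. It reads /var/log/ipfw.log (or any ipfw syslog output) and counts Deny entries per source address, listing the destination ports each source touched, so a host walking through closed ports stands out; the "limit N reached" lines are skipped. It assumes the TCP/UDP line layout shown in the post (proto src:port dst:port direction via interface) and ipfw's "ICMP:type.code src dst" layout for ICMP; the SAMPLE_LOG lines are constructed for the demo and are not real log output. Logging must already be on (net.inet.ip.fw.verbose=1) and the rule must carry "log", as the post shows, or nothing is written.

```shell
#!/bin/sh
# Summarise ipfw "Deny" log lines per source address.
# Added example; assumes the ipfw syslog format shown in the post, e.g.
#   "ipfw: 10004 Deny TCP 192.168.1.108:58021 192.168.1.50:20 in via em0"
set -u

# summarize_denies: read ipfw log lines on stdin and print one line per source:
#   <src-ip> <deny-count> <comma-separated destination ports, "-" if none>
# sorted by count (highest first). "limit N reached" lines do not match and are ignored.
summarize_denies() {
    awk '
        /ipfw: [0-9]+ Deny / {
            # locate the "ipfw:" token; rule number, action, proto, src, dst follow it
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            proto = $(i + 3); src = $(i + 4); dst = $(i + 5)
            split(src, s, ":"); split(dst, d, ":")   # strip :port; ICMP lines carry no port
            ip = s[1]
            count[ip]++
            # TCP/UDP carry a destination port; record each port once per source
            if ((proto == "TCP" || proto == "UDP") && !((ip, d[2]) in seen)) {
                seen[ip, d[2]] = 1
                ports[ip] = (ports[ip] == "" ? d[2] : (ports[ip] "," d[2]))
            }
        }
        END {
            for (ip in count)
                print ip, count[ip], (ports[ip] == "" ? "-" : ports[ip])
        }' | sort -k2,2nr -k1,1
}

# flag_sources THRESHOLD: print the source addresses with at least THRESHOLD denies
flag_sources() {
    summarize_denies | awk -v t="$1" '$2 >= t { print $1 }'
}

# Constructed sample log, modelled on the line format in the post (not real output).
SAMPLE_LOG='Jan  2 09:58:04 freebsd kernel: ipfw: 10004 Deny TCP 192.168.1.108:58021 192.168.1.50:20 in via em0
Jan  2 09:58:04 freebsd kernel: ipfw: limit 1 reached on entry 10004
Jan  2 09:58:09 freebsd kernel: ipfw: 60000 Deny TCP 192.168.1.108:58030 192.168.1.50:23 in via em0
Jan  2 09:58:10 freebsd kernel: ipfw: 60000 Deny TCP 192.168.1.108:58031 192.168.1.50:3389 in via em0
Jan  2 09:58:12 freebsd kernel: ipfw: 60000 Deny UDP 10.0.0.7:40000 192.168.1.50:161 in via em0
Jan  2 09:58:15 freebsd kernel: ipfw: 60000 Deny ICMP:8.0 10.0.0.7 192.168.1.50 in via em0'

# Usage: sh ipfw-denies.sh [logfile] [threshold]; with no logfile the sample is summarised.
if [ "${1:-}" != "" ]; then
    summarize_denies < "$1"
    echo "--- sources with at least ${2:-5} denies:"
    flag_sources "${2:-5}" < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_denies
fi
```

On the sample, 192.168.1.108 shows up with three denies against ports 20, 23 and 3389, which is the pattern of a port walk rather than a single mistyped connection; run it against the real file with a threshold such as "sh ipfw-denies.sh /var/log/ipfw.log 20" to get a list you can feed into a table or a block rule.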

A revised firewall configuration that does not use the IP address:

Only the SSH/HTTP/FTP/MySQL ports are opened here; add others yourself if needed. HTTP is limited to 50 concurrent connections per IP.

## loopback: rc.firewall does not install its lo0 rules when firewall_type names a file
add 100 allow ip from any to any via lo0

## TCP
# SSH
add 10000 allow tcp from any to me dst-port 22 in
# HTTP, limited to 50 concurrent connections per source IP
add 10001 allow tcp from any to me dst-port 80 setup limit src-addr 50
# FTP
add 10002 allow tcp from any to me dst-port 21 in
# MySQL
add 10003 allow tcp from any to me dst-port 3306 in
# ports 50000-55000
add 10004 allow tcp from any to me dst-port 50000-55000 in

## outbound
add 19000 allow ip from any to any out

## DNS replies (any UDP packet with source port 53)
add 20000 allow udp from any 53 to any

## ICMP: outbound echo requests and the corresponding replies
add 39000 allow icmp from any to any icmptypes 8 out
add 39001 allow icmp from any to any icmptypes 0 in
add 39002 allow icmp from any to any icmptypes 11 in

## deny everything else explicitly rather than relying on the kernel default rule 65535
add 60000 deny all from any to any
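Both rulesets in this thread, the first one with the hard-coded server address and this revised one using "me", are loaded as plain "add" lines, and the first post warns what a missing port costs: a trip to the server. The script below is an added example, not code from the original posts. Its lint_rules function checks a rules file for the three mistakes most likely to cost a remote session: no inbound allow for TCP 22, a catch-all deny numbered below it (ipfw evaluates by rule number, not file order), and no "via lo0" allow (when firewall_type names a file, rc.firewall does not install its own loopback rules, so connections to 127.0.0.1 hit the final deny). reload_guarded then installs the file and reverts to the saved ruleset after a grace period unless confirm_reload is run from a fresh SSH session. The script name ipfw-guard.sh and the path /var/run/ipfw.guard.rules are assumptions for the example.

```shell
#!/bin/sh
# Pre-flight checks and a guarded reload for an ipfw rules file such as /etc/ipfw.conf.
# Added example; it assumes the file is written as "add <number> <action> ..." lines
# like the rulesets in this thread. Only reload/confirm need root and ipfw(8).
set -u

GUARD_FILE=/var/run/ipfw.guard.rules   # assumed location for the saved ruleset

# lint_rules FILE: print every problem found, return 1 if there was any.
# ipfw evaluates rules in numeric order, not file order, so rule numbers are compared.
lint_rules() {
    file="$1"
    problems=0

    # lowest-numbered inbound (or direction-less) TCP allow for port 22; accepts
    # both "dst-port 22" and the older "to <addr> 22" form used in the first post
    ssh_num=$(awk '$1 == "add" && $3 == "allow" && / tcp / && !/ out( |$)/ &&
                   / (dst-port|to [^ ]+) 22( |$)/ { print $2 }' "$file" | sort -n | head -n 1)
    if [ -z "$ssh_num" ]; then
        echo "lint: no inbound allow for TCP port 22; the final deny will cut off SSH"
        problems=$((problems + 1))
    fi

    # explicit catch-all deny, and whether the SSH rule sorts before it
    deny_num=$(awk '/^add [0-9]+ (deny|drop) (log )?(all|ip) from any to any *$/ { print $2 }' \
                   "$file" | sort -n | head -n 1)
    if [ -z "$deny_num" ]; then
        echo "lint: no 'deny all from any to any'; the kernel default rule 65535 decides instead"
        problems=$((problems + 1))
    elif [ -n "$ssh_num" ] && [ "$ssh_num" -gt "$deny_num" ]; then
        echo "lint: SSH allow rule $ssh_num is numbered after deny-all rule $deny_num and never matches"
        problems=$((problems + 1))
    fi

    # loopback: rc.firewall installs its lo0 rules only for the built-in types
    # (open, client, simple, closed), not when firewall_type names a file
    if ! awk '$1 == "add" && $3 == "allow" && / via lo0( |$)/ { found = 1 }
              END { exit !found }' "$file"; then
        echo "lint: no 'allow ... via lo0' rule; connections to 127.0.0.1 will be denied"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# reload_guarded FILE [SECONDS]: lint FILE, save the running rules, load FILE and
# start a timer that restores the saved rules unless confirm_reload is run first.
# Run it from the current SSH session, then confirm from a new session; if the
# new session cannot get in, just wait for the old rules to come back.
reload_guarded() {
    file="$1"; grace="${2:-120}"
    lint_rules "$file" || return 1
    # "ipfw list" prints rules without "add" and includes the fixed default
    # rule 65535, which must not be re-added
    ipfw list | awk '$1 != 65535 { print "add " $0 }' > "$GUARD_FILE" || return 1
    ipfw -q -f flush && ipfw -q "$file" || return 1
    (
        sleep "$grace"
        if [ -e "$GUARD_FILE" ]; then          # not confirmed in time: roll back
            ipfw -q -f flush
            ipfw -q "$GUARD_FILE"
            mv "$GUARD_FILE" "$GUARD_FILE.rolledback"
        fi
    ) &
    echo "loaded $file; run confirm_reload within ${grace}s or the previous rules return"
}

# confirm_reload: keep the new rules by removing the saved copy before the timer fires.
confirm_reload() {
    rm -f "$GUARD_FILE" && echo "new ruleset kept"
}

# Usage: sh ipfw-guard.sh lint FILE | reload FILE [SECONDS] | confirm
if [ $# -gt 0 ]; then
    case "$1" in
        lint)    lint_rules "$2" ;;
        reload)  reload_guarded "$2" "${3:-120}" ;;
        confirm) confirm_reload ;;
        *)       echo "usage: $0 lint FILE | reload FILE [SECONDS] | confirm" >&2; exit 2 ;;
    esac
fi
```

Run "sh ipfw-guard.sh lint /etc/ipfw.conf" before the reboot described in the first post; it reports the ruleset's gaps without touching the kernel. For later changes, "sh ipfw-guard.sh reload /etc/ipfw.conf 120" from the current session, then "sh ipfw-guard.sh confirm" from a second SSH session, replaces the reboot-and-hope step: if the second session cannot connect, the old rules are back two minutes later.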