Jamers Posted December 29, 2014

It has been a while since I switched systems, and I never got around to the firewall. Today I found the time to configure it and see security through to the end. FreeBSD did not use to ship with ipfw enabled by default; if it had not been compiled in, my plan to use this firewall would have fallen through, because the server is colocated and recompiling the kernel would inevitably affect other things. Fortunately FreeBSD 10.1 already compiles in ipfw support by default. Enough talk, let's get to work!

Enable firewall support

ee /etc/rc.conf

# add the following lines
firewall_enable="YES"                 # enable the firewall
firewall_script="/etc/rc.firewall"    # the default firewall script
firewall_type="/etc/ipfw.conf"        # custom firewall rule file
firewall_quiet="NO"                   # whether to print the rules when the script loads; "NO" for now, once your firewall script is final you can set this to "YES"
firewall_logging="YES"                # enable firewall logging (the rc.conf variable is firewall_logging; firewall_logging_enable is not a recognized setting)

Add logging

ee /etc/syslog.conf

# add the following lines
!ipfw
*.*    /var/log/ipfw.log

Create the rule set. This is the most important step, so be careful: open every port you need, otherwise you may have to go to the server to adjust the settings.
Assume the server IP is 192.168.1.50; change it as needed.

ee /etc/ipfw.conf

##TCP
add 10000 allow tcp from any to 192.168.1.50 22 in                    # allow SSH
add 10001 allow tcp from any to me dst-port 80 setup limit src-addr 50  # allow access to port 80, limited to 50 concurrent connections per IP address
add 10002 allow tcp from any to 192.168.1.50 21 in                    # allow FTP
add 10003 allow tcp from any to 192.168.1.50 3306 in                  # allow MySQL

## allow all outbound requests from the server
add 19000 allow ip from 192.168.1.50 to any out

## allow DNS resolution replies
add 20000 allow udp from any 53 to 192.168.1.50

## allow all outbound UDP requests
add 29000 allow udp from any to any out

## allow the server to send ICMP and receive the corresponding replies
add 39000 allow icmp from any to any icmptypes 8 out
add 39001 allow icmp from any to any icmptypes 0 in
add 39002 allow icmp from any to any icmptypes 11 in

## deny everything that matches no rule above
add 60000 deny all from any to any

After configuring this, reboot the server. Apart from the ports explicitly opened, no other port can be reached; even ping gets no response. Anyone who needs something different can adjust the corresponding rules to suit their own requirements.
Jamers Posted December 29, 2014

icmptypes reference:
echo reply (0), destination unreachable (3), source quench (4), redirect (5), echo request (8), router advertisement (9), router solicitation (10), time-to-live exceeded (11), IP header bad (12), timestamp request (13), timestamp reply (14), information request (15), information reply (16), address mask request (17) and address mask reply (18).
Jamers Posted January 2, 2015

By default FreeBSD 10.1 has ipfw logging disabled; the corresponding parameters need to be added:

ee /etc/sysctl.conf

net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5

Testing a logging rule:

10004 deny log logamount 1 tcp from any to me dst-port 20 in

After trying to connect to port 20 of the server, the log file shows:

Jan 2 09:58:04 freebsd kernel: ipfw: 10004 Deny TCP 192.168.1.108:58021 192.168.1.50:20 in via em0
Jan 2 09:58:04 freebsd kernel: ipfw: limit 1 reached on entry 10004
Jamers Posted January 2, 2015

A revised firewall configuration that does not use the IP address:
Only the SSH/HTTP/FTP/MySQL ports are opened here; add more if you need them. HTTP is limited to 50 concurrent connections per IP.

##TCP
add 10000 allow tcp from any to me dst-port 22 in                       # SSH
add 10001 allow tcp from any to me dst-port 80 setup limit src-addr 50  # HTTP
add 10002 allow tcp from any to me dst-port 21 in                       # FTP
add 10003 allow tcp from any to me dst-port 3306 in                     # mysql
add 10004 allow tcp from any to me dst-port 50000-55000 in

##out
add 19000 allow ip from any to any out

##DNS
add 20000 allow udp from any 53 to any

##ICMP
add 39000 allow icmp from any to any icmptypes 8 out
add 39001 allow icmp from any to any icmptypes 0 in
add 39002 allow icmp from any to any icmptypes 11 in
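An added example, not code from the thread: a small first-match evaluator for the subset of ipfw syntax used in the two rule sets above (post 1 and this post), so the "did I leave SSH open?" lockout check can be run before the rules are loaded on a colocated box. The sample rule file, the server address and the outside client address (203.0.113.9) are constructed; the default-rule behaviour assumes a stock kernel.

```python
# Constructed sample: the IP-less rules from the post above (shortened) plus the first post's terminal deny.
RULES_TEXT = """
add 10000 allow tcp from any to me dst-port 22 in
add 10001 allow tcp from any to me dst-port 80 setup limit src-addr 50
add 10003 allow tcp from any to 192.168.1.50 3306 in
add 19000 allow ip from any to any out
add 20000 allow udp from any 53 to any
add 39001 allow icmp from any to any icmptypes 0 in
add 60000 deny all from any to any
"""

def parse_rule(line):   # parses the ipfw syntax subset used in the thread; None for blank/comment lines
    toks = line.split("#")[0].split()
    if not toks or toks[0] != "add": return None
    r = dict(num=int(toks[1]), action=toks[2], proto=toks[3], src=toks[5], dport=None, dir=None, setup=False, icmptypes=None)
    i, r["sport"] = (7, toks[6]) if toks[6].isdigit() else (6, None)   # optional source port
    r["dst"], i = toks[i + 1], i + 2                                    # skip the 'to' keyword
    if i < len(toks) and toks[i].replace("-", "").isdigit(): r["dport"], i = toks[i], i + 1  # positional dst port
    while i < len(toks):                                                # trailing options
        t = toks[i]
        if t == "dst-port": r["dport"], i = toks[i + 1], i + 2
        elif t == "icmptypes": r["icmptypes"], i = toks[i + 1], i + 2
        elif t in ("in", "out"): r["dir"], i = t, i + 1
        elif t == "setup": r["setup"], i = True, i + 1
        else: i += 1                                                    # limit src-addr N, log, ...
    return r

def _port_ok(spec, port):
    lo, _, hi = (spec or "").partition("-")
    return spec is None or (port is not None and int(lo) <= port <= int(hi or lo))
def _addr_ok(spec, addr, me):
    return spec == "any" or addr == (me if spec == "me" else spec)

def evaluate(rules, pkt, me):
    # First match wins, as in ipfw; unmatched traffic hits the implicit default rule 65535 (deny on a stock kernel). Dynamic 'limit' state is not modelled.
    for r in rules:
        if r["proto"] not in ("ip", "all", pkt["proto"]): continue
        if not (_addr_ok(r["src"], pkt["src"], me) and _addr_ok(r["dst"], pkt["dst"], me)): continue
        if not (_port_ok(r["sport"], pkt.get("sport")) and _port_ok(r["dport"], pkt.get("dport"))): continue
        if r["dir"] and r["dir"] != pkt["dir"]: continue
        if r["setup"] and not pkt.get("syn"): continue
        if r["icmptypes"] and str(pkt.get("icmptype")) not in r["icmptypes"].split(","): continue
        return r["num"], r["action"]
    return 65535, "deny"

def open_tcp_ports(text, me, ports):   # the lockout check: ports that accept an inbound SYN
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    syn = lambda p: dict(proto="tcp", src="203.0.113.9", sport=40000, dst=me, dport=p, dir="in", syn=True)
    return [p for p in ports if evaluate(rules, syn(p), me)[1] == "allow"]
```

Running the check with a different server address shows why the hard-coded 192.168.1.50 form from the first post is fragile: rule 10003 stops matching as soon as the address changes, while the `me` form keeps working.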