FreeBSD Firewall Configuration  

2009-08-27 01:54:38 | Category: 汗泪译文 (translations)


Source: http://acme.com/firewall.html

 

Notice: this article is an original translation and all rights are reserved. Reposting is welcome, but the full text must be kept intact, with the author's name and the source noted.

Author: 星外天空

This article was translated by “星外天空”; as an original translation, any repost must retain this notice in full.

Original post: http://vsbsd.blog.163.com

FreeBSD Firewall Configuration

FreeBSD makes it very easy to set up a rule-based packet-filtering firewall, letting you protect a single machine or an entire network. You can also easily add network address translation, so that all machines on your internal network can reach the outside world through a single IP address.

There are three steps:
1. First, you need to modify the kernel. This isn't as hard as it sounds. su to root, cd /usr/src/sys/i386/conf, and copy GENERIC to ACME. That is your new kernel configuration file. Here is what you need to change:
*** GENERIC     Sun Apr 27 20:41:46 2003
--- ACME        Sun May  9 12:47:24 2004
***************
*** 22,29 ****
  cpu           I486_CPU
  cpu           I586_CPU
  cpu           I686_CPU
! ident         GENERIC
  maxusers      0
 
  #makeoptions  DEBUG=-g                #Build kernel with gdb(1) debug symbols
 
--- 22,40 ----
  cpu           I486_CPU
  cpu           I586_CPU
  cpu           I686_CPU
! ident         ACME
  maxusers      0
+
+ # Enable ipfw.
+ options               IPFIREWALL
+ options               IPFIREWALL_VERBOSE
+
+ # Enable ip6fw too.
+ options               IPV6FIREWALL
+ options               IPV6FIREWALL_VERBOSE
+
+ # Enable NAT.
+ options               IPDIVERT
 
  #makeoptions  DEBUG=-g                #Build kernel with gdb(1) debug symbols
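Review bot: the hunk enables IPFIREWALL_VERBOSE (and IPV6FIREWALL_VERBOSE) but sets no IPFIREWALL_VERBOSE_LIMIT, so every packet matching a `deny log` rule is written to the log without bound; since the rule sets on this page all end in `deny log all from any to any`, a burst of unwanted traffic can fill syslog on the firewall itself. Add `options IPFIREWALL_VERBOSE_LIMIT=100` (or a value suited to the site) next to the VERBOSE line; the limit can be adjusted later at runtime through the `net.inet.ip.fw.verbose_limit` sysctl.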

In other words, change the ident and add the firewall options. Adding the IPV6FIREWALL options to the kernel does not actually enable IPv6; to do that, you add ipv6_enable="YES" to /etc/rc.conf. However, if you have enabled IPv6 networking and are setting up an IPv4 firewall, you must also enable the IPv6 firewall. If you set up a v4 firewall but not a v6 one, all v6 packets will be let straight through, which would be bad.

Then config, build and install the new kernel:
# /usr/sbin/config ACME
# cd ../../compile/ACME
# make depend
# make
# make install

2. Second, edit /etc/rc.conf and add the following at the end:
# Enable ipfw.
firewall_enable="YES"
firewall_type="type"             # see rc.firewall for what goes here
firewall_quiet="NO"

# Enable ip6fw.
ipv6_firewall_enable="YES"
ipv6_firewall_type="type"        # see rc.firewall6 for what goes here
ipv6_firewall_quiet="NO"

For the firewall type, use “client” for securing a standalone machine, or “simple” for a gateway protecting an internal network.
If you want to use network address translation, add the following as well:
# Enable natd.
natd_enable="YES"
natd_interface="fxp0"            # your public (outside) network interface
natd_flags="-m"                  # preserve port numbers if possible

3. Third, you have to make some modifications to rc.firewall and rc.firewall6. The comments explain what is needed; it's really quite simple. Look at the rules section for your firewall type, “client” or “simple”. At the start of that section there are some definitions for your IP address, network interface, etc.; fill those in.

Important Troubleshooting Note
FreeBSD's firewall facility is designed to be secure by default. If you turn it on without adding any rules, it drops all packets. That means if you mess something up in the firewall configuration, you may find you can no longer connect to your machine over the network to fix it. You will have to log in at the system console.

This happened to me once during debugging. It's no big deal as long as you understand what is going on. If you have access to the console, it is easy to recover: just edit /etc/rc.conf, change firewall_type to “open” or simply comment out the firewall lines, and reboot. But if you are somewhere else with only network access, you need to be careful.

FTP Note
This firewall setup prevents regular FTP from working over the network. This is really a shortcoming of FTP: it is an old and overly complicated protocol, which requires the server to open a call-back connection to the client. Since the firewall blocks new connections from outside (except for a few protocols such as email), FTP fails.

There is a workaround: use FTP's “passive” mode, which basically tells it to stick to the regular client-server protocol. Each time you run ftp, just issue the “passive” command. With recent versions of the FTP client, you can make this the default by setting the environment variable FTP_PASSIVE_MODE to “yes”.

The other solution, of course, is not to use FTP at all and simply use HTTP or scp instead.

More Advanced Topics

Once you have a firewall configured, you may find you don't like the built-in rule set. If so, it is easy to make your own rules. The first thing you will want to do is allow ssh connections. (ssh is a secure replacement for telnet/rlogin; you can download it from http://www.openssh.org/.) Where your rule set says "Allow setup of incoming email", add a similar rule for ssh, changing the port from 25 to 22.

Or you can go all the way and make a completely new rule set. Below I present two new rule sets, called acme-solo and acme-net, which are beefed-up versions of the default client and simple rule sets.

[Aa][Cc][Mm][Ee]-[Ss][Oo][Ll][Oo])
        ############
        # ACME single-machine custom firewall setup.  Protects somewhat
        # against the outside world.
        ############

        # Set this to your ip address.
        ip="192.100.666.1"

        setup_loopback

        # Allow anything outbound from this address.
        ${fwcmd} add allow all from ${ip} to any out

        # Deny anything outbound from other addresses.
        ${fwcmd} add deny log all from any to any out

        # Allow TCP through if setup succeeded.
        ${fwcmd} add allow tcp from any to any established

        # Allow IP fragments to pass through.
        ${fwcmd} add allow all from any to any frag

        # Allow all IPv6 packets through - they are handled by the separate
        # ipv6 firewall rules in rc.firewall6.
        ${fwcmd} add allow ipv6 from any to any

        # Allow inbound ftp, ssh, email, tcp-dns, http, https, imap, imaps,
        # pop3, pop3s.
        ${fwcmd} add allow tcp from any to ${ip} 21 setup
        ${fwcmd} add allow tcp from any to ${ip} 22 setup
        ${fwcmd} add allow tcp from any to ${ip} 25 setup
        ${fwcmd} add allow tcp from any to ${ip} 53 setup
        ${fwcmd} add allow tcp from any to ${ip} 80 setup
        ${fwcmd} add allow tcp from any to ${ip} 443 setup
        ${fwcmd} add allow tcp from any to ${ip} 143 setup
        ${fwcmd} add allow tcp from any to ${ip} 993 setup
        ${fwcmd} add allow tcp from any to ${ip} 110 setup
        ${fwcmd} add allow tcp from any to ${ip} 995 setup

        # Deny inbound auth, netbios, ldap, and Microsoft's DB protocol
        # without logging.
        ${fwcmd} add reset tcp from any to ${ip} 113 setup
        ${fwcmd} add reset tcp from any to ${ip} 139 setup
        ${fwcmd} add reset tcp from any to ${ip} 389 setup
        ${fwcmd} add reset tcp from any to ${ip} 445 setup

        # Deny some chatty UDP broadcast protocols without logging.
        ${fwcmd} add deny udp from any 137 to any
        ${fwcmd} add deny udp from any to any 137
        ${fwcmd} add deny udp from any 138 to any
        ${fwcmd} add deny udp from any 513 to any
        ${fwcmd} add deny udp from any 525 to any

        # Allow inbound DNS and NTP replies.  This is somewhat of a hole,
        # since we're looking at the incoming port number, which can be
        # faked, but that's just the way DNS and NTP work.
        ${fwcmd} add allow udp from any 53 to ${ip}
        ${fwcmd} add allow udp from any 123 to ${ip}

        # Allow inbound DNS queries.
        ${fwcmd} add allow udp from any to ${ip} 53

        # Allow inbound NTP queries.
        ${fwcmd} add allow udp from any to ${ip} 123

        # Allow traceroute to function, but not to get in.
        ${fwcmd} add unreach port udp from any to ${ip} 33435-33524

        # Allow some inbound icmps - echo reply, dest unreach, source quench,
        # echo, ttl exceeded.
        ${fwcmd} add allow icmp from any to any icmptypes 0,3,4,8,11

        # Everything else is denied and logged.
        ${fwcmd} add deny log all from any to any
        ;;
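To make the first-match semantics of the acme-solo rules concrete, here is an added example (not from the original page or the ACME ruleset): a toy Python evaluator that parses a subset of the rules above and replays constructed packets through them. It ignores fragments, ICMP and port ranges, models `setup`/`established` as a per-packet state flag, and uses the constructed address 192.0.2.10 in place of ${ip}.

```python
import re

IP = "192.0.2.10"  # constructed stand-in for the ${ip} variable of acme-solo

# Subset of the acme-solo rules, in order, with ${fwcmd} and ${ip} substituted.
RULES = f"""
add allow all from {IP} to any out
add deny log all from any to any out
add allow tcp from any to any established
add allow tcp from any to {IP} 22 setup
add reset tcp from any to {IP} 113 setup
add deny udp from any to any 137
add allow udp from any 53 to {IP}
add deny log all from any to any
""".strip().splitlines()

RULE_RE = re.compile(
    r"add (?P<action>allow|deny log|deny|reset) (?P<proto>all|tcp|udp) "
    r"from (?P<src>\S+)(?: (?P<sport>\d+))? to (?P<dst>\S+)(?: (?P<dport>\d+))?"
    r"(?: (?P<opt>setup|established|out|in))?$"
)


def parse(line):
    """Parse one rule into a dict; ports become ints, absent fields None."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported rule: {line}")
    rule = m.groupdict()
    for key in ("sport", "dport"):
        rule[key] = int(rule[key]) if rule[key] else None
    return rule


def matches(rule, pkt):
    """True if every field of the rule accepts the packet ('any' matches all)."""
    if rule["proto"] not in ("all", pkt["proto"]):
        return False
    if any(rule[k] not in ("any", pkt[k]) for k in ("src", "dst")):
        return False
    if any(rule[k] not in (None, pkt.get(k)) for k in ("sport", "dport")):
        return False
    # in/out test the direction; 'setup' is a SYN-only segment (new TCP
    # connection), 'established' any segment carrying ACK (existing one).
    opt = rule["opt"]
    if opt in ("in", "out"):
        return pkt["dir"] == opt
    return opt is None or pkt.get("state") == opt


def verdict(pkt, rules=tuple(parse(r) for r in RULES)):
    """Action of the first matching rule; rule 65535 (kernel default) denies."""
    return next((r["action"] for r in rules if matches(r, pkt)), "deny")
```

Replaying an inbound SYN to port 23 ends at the final `deny log` rule, while a reply segment from a remote web server is accepted by the `established` rule before any port check, which is exactly why that rule sits early in the list.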

[Aa][Cc][Mm][Ee]-[Nn][Ee][Tt])
        ############
        # ACME network custom firewall setup.  The assumption here is that
        # the internal hosts are trusted, and can do almost anything they want.
        # The only thing we have to be careful about is what comes in over
        # the outside interface.  So, you'll see a lot of "in via ${oif}"
        # clauses here.
        ############

        # Set these to your outside interface network and netmask and ip.
        oif="fxp0"
        onet="216.27.1234.0"
        omask="255.255.255.0"
        oip="216.27.1234.1"

        # Set these to your inside interface network and netmask and ip.
        iif="fxp1"
        inet="192.100.666.0"
        imask="255.255.255.0"
        iip="192.100.666.1"

        setup_loopback

        # Stop spoofing.
        ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

        # Stop RFC1918 nets on the outside interface.
        ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface.
        ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
        ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
        ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
        ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

        # Special early rules for protocols handled on the gateway machine,
        # so that these packets don't have to go through natd which is slow.
        ${fwcmd} add allow tcp from any to ${oip} 21 in via ${oif}      # ftp
        ${fwcmd} add allow tcp from ${oip} 21 to any out via ${oif}
        ${fwcmd} add allow tcp from any to ${oip} 22 in via ${oif}      # ssh
        ${fwcmd} add allow tcp from ${oip} 22 to any out via ${oif}
        ${fwcmd} add allow tcp from any to ${oip} 25 in via ${oif}      # smtp
        ${fwcmd} add allow tcp from ${oip} 25 to any out via ${oif}
        ${fwcmd} add allow tcp from any to ${oip} 53 in via ${oif}      # tcpdns
        ${fwcmd} add allow tcp from ${oip} 53 to any out via ${oif}
        ${fwcmd} add allow tcp from any to ${oip} 80 in via ${oif}      # http
        ${fwcmd} add allow tcp from ${oip} 80 to any out via ${oif}
        ${fwcmd} add allow tcp from any to ${oip} 443 in via ${oif}     # https
        ${fwcmd} add allow tcp from ${oip} 443 to any out via ${oif}
        ${fwcmd} add allow tcp from any to ${oip} 143 in via ${oif}     # imap
        ${fwcmd} add allow tcp from ${oip} 143 to any out via ${oif}
        ${fwcmd} add allow tcp from any to ${oip} 993 in via ${oif}     # imaps
        ${fwcmd} add allow tcp from ${oip} 993 to any out via ${oif}
        ${fwcmd} add allow tcp from any to ${oip} 110 in via ${oif}     # pop3
        ${fwcmd} add allow tcp from ${oip} 110 to any out via ${oif}
        ${fwcmd} add allow tcp from any to ${oip} 995 in via ${oif}     # pop3s
        ${fwcmd} add allow tcp from ${oip} 995 to any out via ${oif}

        # Network Address Translation.  This rule is placed here deliberately
        # so that it does not interfere with the surrounding address-checking
        # rules.  If for example one of your internal LAN machines had its IP
        # address set to 192.0.2.1 then an incoming packet for it after being
        # translated by natd(8) would match the `deny' rule above.  Similarly
        # an outgoing packet originated from it before being translated would
        # match the `deny' rule below.
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add divert natd all from any to any via ${natd_interface}
                fi
                ;;
        esac

        # Stop RFC1918 nets on the outside interface.
        ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
        ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface.
        ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
        ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
        ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
        ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

        # Allow anything on the internal net.
        ${fwcmd} add allow all from any to any via ${iif}

        # Allow anything outbound from this net.
        ${fwcmd} add allow all from ${onet}:${omask} to any out via ${oif}

        # Deny anything outbound from other nets.
        ${fwcmd} add deny log all from any to any out via ${oif}

        # Allow TCP through if setup succeeded.
        ${fwcmd} add allow tcp from any to any established

        # Allow IP fragments to pass through.
        ${fwcmd} add allow all from any to any frag

        # Allow all IPv6 packets through - they are handled by the separate
        # ipv6 firewall rules in rc.firewall6.
        ${fwcmd} add allow ipv6 from any to any

        # Deny inbound auth, netbios, ldap, and Microsoft's DB protocol
        # without logging.
        ${fwcmd} add reset tcp from any to ${oip} 113 setup in via ${oif}
        ${fwcmd} add reset tcp from any to ${oip} 139 setup in via ${oif}
        ${fwcmd} add reset tcp from any to ${oip} 389 setup in via ${oif}
        ${fwcmd} add reset tcp from any to ${oip} 445 setup in via ${oif}

        # Deny some chatty UDP broadcast protocols without logging.
        ${fwcmd} add deny udp from any 137 to any in via ${oif}
        ${fwcmd} add deny udp from any to any 137 in via ${oif}
        ${fwcmd} add deny udp from any 138 to any in via ${oif}
        ${fwcmd} add deny udp from any 513 to any in via ${oif}
        ${fwcmd} add deny udp from any 525 to any in via ${oif}

        # Allow inbound DNS and NTP replies.  This is somewhat of a hole,
        # since we're looking at the incoming port number, which can be
        # faked, but that's just the way DNS and NTP work.
        ${fwcmd} add allow udp from any 53 to ${oip} in via ${oif}
        ${fwcmd} add allow udp from any 123 to ${oip} in via ${oif}

        # Allow inbound DNS queries.
        ${fwcmd} add allow udp from any to ${oip} 53 in via ${oif}
                                                               
        # Allow inbound NTP queries.
        ${fwcmd} add allow udp from any to ${oip} 123 in via ${oif}

        # Allow traceroute to function, but not to get in.
        ${fwcmd} add unreach port udp from any to ${oip} 33435-33524 in via ${oif}

        # Allow some inbound icmps - echo reply, dest unreach, source quench,
        # echo, ttl exceeded.
        ${fwcmd} add allow icmp from any to any in via ${oif} icmptypes 0,3,4,8,11

        # Broadcasts are denied and not logged.
        ${fwcmd} add deny all from any to 255.255.255.255

        # Everything else is denied and logged.
        ${fwcmd} add deny log all from any to any
        ;;
