Ipfw

From the linux中国网 wiki

Startup configuration (/etc/rc.conf)

# enable the firewall
firewall_enable="YES"
# rule script to run at boot (firewall_script takes the script's path; there is no separate "YES" switch for it)
firewall_script="/etc/ipfw.rules"

# Write the firewall rule script file
# Only the http/https and ssh service ports are opened

#!/bin/sh
################Common#################
cmd="/sbin/ipfw -q add"
my_ip="138.197.220.125"
#################Rules#######################
# flush all rules
/sbin/ipfw -q -f flush
# Allow all via loopback to loopback
$cmd 500 allow all from any to any via lo0
$cmd 600 check-state
###############SSH,WWW,and etc.################
# allow all ssh and http requests and replies
$cmd 01000  allow tcp from any to any 80,443,22
$cmd 01500  allow tcp from any 80,443,22 to any
##################ICMP##################
# ping hosts outside my network: ICMP type 8 is an echo request, ICMP type 0 is the reply to that request.
# Since I only allow sending requests out and accepting replies in, I can ping others but others cannot ping me.
$cmd allow icmp from me to any icmptypes 8 out
$cmd allow icmp from any to me icmptypes 0 in

# deny everything else ($cmd already contains "add", so it must not be repeated here)
$cmd deny tcp from any to any setup
$cmd deny ip from any to any


References

The rule set above has been tried and works:
http://www.jianshu.com/p/2969d9d54eec
http://www.chinaunix.net/old_jh/90/230107.html

# How do you deny a single IP?
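To see how ipfw evaluates the rule script above without touching a live machine, here is an added example (not code from this page or from FreeBSD): a small Python simulator of ipfw's first-match search, loaded with that script plus a per-host deny, which is what the question just above asks for, and a keep-state/check-state pair like the dynamic-rule section later on this page. The hosts 198.51.100.7, 203.0.113.9 and 192.0.2.10, the interface name em0 and the client ports are constructed; only the keywords these scripts use are modelled (no log, ipopt, tcpflags, icmptypes or reset), and unnumbered rules get the previous number plus 100, which is ipfw's default autoinc_step.

```python
"""First-match simulator for the ipfw rule subset this page uses (added example, not FreeBSD's ipfw): numbered
rules, allow/deny, proto, from/to with any/me/one address and optional port lists, in/out, setup, via IFACE,
keep-state, check-state, and the implicit default rule 65535 deny."""
from dataclasses import dataclass
@dataclass(frozen=True)
class Pkt:
    proto: str; src: str; sport: int; dst: str; dport: int; dir: str
    setup: bool = False     # TCP SYN without ACK
    iface: str = "em0"      # constructed interface name

key = lambda p: (p.proto, p.src, p.sport, p.dst, p.dport)   # flow key used for dynamic rules
class Ipfw:
    def __init__(self, me):
        self.me, self.rules, self.dyn = me, [], set()   # dyn: flow keys installed by keep-state
    def add(self, text):    # text is what follows "ipfw add"; unnumbered rules get last + 100 (autoinc_step)
        t = text.split()
        num = int(t.pop(0)) if t[0].isdigit() else (self.rules[-1][0] + 100 if self.rules else 100)
        self.rules.append((num, t)); self.rules.sort(key=lambda r: r[0])  # stable: equal numbers keep order
    def _hit(self, t, p):   # does rule token list t match packet p?
        if (t[0] == "check-state" or "keep-state" in t) and key(p) in self.dyn:
            return True                                  # both consult the dynamic table first
        if t[0] == "check-state" or t[1] not in ("ip", "all", p.proto):
            return False
        i, j = t.index("from"), t.index("to")
        src, sports, rest = t[i + 1], (t[i + 2] if j - i == 3 else None), t[j + 1:]
        dports = rest[1] if len(rest) > 1 and rest[1][0].isdigit() else None
        opts = rest[2 if dports else 1:]
        addr = lambda spec, a: spec == "any" or a == (self.me if spec == "me" else spec)
        port = lambda spec, n: spec is None or str(n) in spec.split(",")
        return (addr(src, p.src) and addr(rest[0], p.dst) and port(sports, p.sport) and port(dports, p.dport)
                and ("via" not in opts or opts[opts.index("via") + 1] == p.iface)
                and ("in" not in opts or p.dir == "in") and ("out" not in opts or p.dir == "out")
                and ("setup" not in opts or p.setup))
    def check(self, p):     # (rule number, action) of the first match, as ipfw's first-match search gives
        for num, t in self.rules:
            if self._hit(t, p):
                if "keep-state" in t:   # install the flow and its reverse so replies match check-state
                    self.dyn.update({key(p), (p.proto, p.dst, p.dport, p.src, p.sport)})
                return num, ("allow" if t[0] == "check-state" else t[0])
        return 65535, "deny"

def page_ruleset():         # the first rule script on this page plus two per-host denies (hosts constructed)
    fw = Ipfw(me="138.197.220.125")
    for r in ("500 allow all from any to any via lo0", "600 check-state",
              "900 deny ip from 198.51.100.7 to any",            # before the port allows: this host is blocked
              "1000 allow tcp from any to any 80,443,22", "1500 allow tcp from any 80,443,22 to any",
              "allow tcp from me to any setup out keep-state",   # auto-numbered 1600: the server's own flows
              "deny ip from 203.0.113.9 to any"):                # auto-numbered 1700: after 1000, ssh still passes
        fw.add(r)
    return fw
```

Calling page_ruleset().check(...) on a Pkt shows the two points that matter when editing these scripts: a deny for a host only takes effect if its rule number is lower than the allow that would otherwise match, and a reply packet is accepted by check-state only after the outbound setup packet has matched the keep-state rule.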


Other

Warning: proceed with care when working on firewall rules; if something goes wrong it is very easy to lock yourself out.

FreeBSD cannot use iptables.
Firewall
https://www.freebsd.org/doc/en/articles/linux-users/firewall.html

The IPFW syntax to allow inbound SSH would be:

ipfw add allow tcp from any to me 22 in via $ext_if


The simplest method

First of all we need to enable the firewall, we do this by adding the following lines to our /etc/rc.conf file:

firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_myservices="22 80 443"
firewall_allowservices="any"
firewall_logdeny="NO"

http://blog.bobbyallen.me/2015/04/07/configuring-a-simple-web-server-firewall-on-freebsd-10-1/

Enhancing Security for FreeBSD Using IPFW and SSHGuard
https://www.vultr.com/docs/enhancing-security-for-freebsd-using-ipfw-and-sshguard
https://www.freebsd.org/doc/zh_CN.UTF-8/books/handbook/firewalls-ipfw.html
https://wiki.freebsdchina.org/cnman/8/ipfw
Simple firewall setup on FreeBSD
http://blog.sina.com.cn/s/blog_4b4c636e0101dcaa.html
Enabling the IPFW firewall on FreeBSD 8
http://blog.sina.com.cn/s/blog_4b4c636e0101dc7s.html

firewall_enable="YES"
firewall_type="open"

cmd="/sbin/ipfw -q"
wan_if="em0"
$cmd flush
$cmd pipe flush
# flush (clear) the rules; the same as running these directly:
ipfw flush
ipfw pipe flush

filename: the absolute path to the firewall rules file
#firewall_script="/usr/local/etc/IPFW.rules"
#firewall_script="/etc/rc.firewall"
# this one is run as a script

Then how are the rules saved?

#!/bin/sh
# /etc/ipfw.conf
ipfw add deny tcp from any to me 3360 in
######### TCP ##########
# These 5 rules filter various scan packets
ipfw add 00001 deny log ip from any to any ipopt rr
ipfw add 00002 deny log ip from any to any ipopt ts
ipfw add 00003 deny log ip from any to any ipopt ssrr
ipfw add 00004 deny log ip from any to any ipopt lsrr
ipfw add 00005 deny tcp from any to any in tcpflags syn,fin
# Open the http service to the whole Internet
ipfw add 10001 allow tcp from any to 10.10.10.1 80 in
# Open the ftp service to the whole Internet
ipfw add 10002 allow tcp from any to 10.10.10.1 21 in
# Open SSH only to the Internet host xx.xx.xx.xx, i.e. trust only that IP for SSH logins
#ipfw add 10000 allow tcp from 1.2.3.4 to 10.10.10.1 22 in
# If the IP you log in from is not fixed, set it to:
ipfw add 10000 allow tcp from any to any 22 in
ipfw add 10000 allow tcp from any to 192.168.2.230 22 in
ipfw add 10000 allow tcp from any to 138.197.220.125 22 in
# These three together allow the internal network to connect out. If the server itself should not open
# tcp connections to the Internet, remove 19997 and 19998 (this does not affect access from the Internet to the server).
ipfw add 19997 check-state
ipfw add 19998 allow tcp from any to any out keep-state setup
ipfw add 19999 allow tcp from any to any out
########## UDP ##########
# Allow replies from other DNS servers into this server, since it has to do DNS lookups itself
ipfw add 20001 allow udp from any 53 to 10.10.10.1
# Allow our own UDP packets out
ipfw add 29999 allow udp from any to any out
########## ICMP #########
ipfw add 30000 allow icmp from any to any icmptypes 3
ipfw add 30001 allow icmp from any to any icmptypes 4
ipfw add 30002 allow icmp from any to any icmptypes 8 out
ipfw add 30003 allow icmp from any to any icmptypes 0 in
ipfw add 30004 allow icmp from any to any icmptypes 11 in

3. ipfw dynamic rules

Netfilter has the ip_conntrack mechanism, which can track every flow. ip_conntrack is a mixed blessing, which is why notrack can be configured in the raw table at PREROUTING. ipfw is different: it can track any flow at any point in the rule set, and this is its state mechanism. ipfw tracks a flow with keep-state and creates a dynamic rule that also covers the reverse packets of that flow; check-state matches the dynamic rules created by keep-state. ipfw's state can be kept at any matching rule; "keeping" means creating a dynamic rule whose action is the action of the keep-state rule. This is quite similar to the interplay between Netfilter's ip_conntrack and the state match. Below is an example from the man page, with my comments added in front of each rule:

Check every packet against all dynamically created rules:
ipfw add check-state
Allow TCP traffic originating from the local subnet and keep the connection, creating a dynamic rule:
ipfw add allow tcp from my-subnet to any setup keep-state
Deny TCP connections originating anywhere else:
ipfw add deny tcp from any to any

http://www.linuxidc.com/Linux/2012-03/56997p2.htm
http://blog.haohtml.com/archives/9309
http://5361806.blog.51cto.com/5351806/1696122

## Tried it, but still not quite clear how to use it

cp /etc/rc.firewall /etc/rc.firewall.bak

Step 1: Create a file: /etc/rc.firewall then put the following content in that file
(replace em0 with your network interface)

#!/bin/sh
cmd="/sbin/ipfw -q"
wan_if="em0"
$cmd flush
$cmd pipe flush
$cmd add allow ip from any to any via lo0
$cmd add check-state
$cmd add reset tcp from any to any established
# allow HTTP traffic
$cmd add allow tcp from any to me 80 setup in keep-state
# allow DNS
$cmd add allow udp from any to me 53 in keep-state
$cmd add allow tcp from any to me 53 setup in keep-state
# allow SMTP
$cmd add allow tcp from any to me 25 setup in keep-state
# allow SSH
$cmd add allow tcp from any to me 22 setup in keep-state
# allow FTP
#$cmd add allow tcp from any to me 21 setup in keep-state
#$cmd add allow tcp from any to me 20 setup in keep-state
#$cmd add allow tcp from me 20 to any setup out keep-state
#allow POP3
$cmd add allow tcp from any to me 110 setup in keep-state
#allow IMAP
$cmd add allow tcp from any to me 143 setup in keep-state
# allow ping
$cmd add allow icmp from any to me icmptypes 8 in keep-state
# allow traffic to server
$cmd add allow tcp from me to any setup out keep-state
$cmd add allow ip from me to any out keep-state
$cmd add allow tcp from any to me setup in keep-state
$cmd add allow ip from any to me in keep-state
# note: the two "from any to me" rules just above admit all inbound traffic, so the deny rules below are never reached
# deny everything else
$cmd add deny tcp from any to any setup
$cmd add deny ip from any to any

Step 2: Add the following lines in rc.conf

firewall_enable="YES"
firewall_script="/etc/rc.firewall"

Step 3: Run the firewall script

/etc/rc.firewall

Testing the pf firewall on FreeBSD and the iptables firewall on Linux (repost)
http://zqscm.qiniucdn.com/data/20100112170157/index.html