IPFilter firewall configuration on FreeBSD: ipf.rules

Source: Internet  Editor: 程序博客网  Time: 2024/06/05 05:26

FreeBSD ships with several firewall packages; after comparing them I settled on the IPFilter firewall, which is powerful and fairly convenient to configure.

After going through a number of resources online, I put together the firewall template below.

Notes:

1. The ruleset uses group mode: internal/external interfaces and inbound/outbound policies are split into groups, so that a long flat ruleset does not degrade performance.
      group 100: internal interface, inbound rules
      group 150: internal interface, outbound rules
      group 200: external interface, inbound rules
      group 250: external interface, outbound rules

2. Frequently used rules and service rules are placed as early as possible in each group.
3. Rules against trojan scans were added; they send bogus reply packets back to the scanner.
4. Rules needed for day-to-day FreeBSD maintenance were added, such as system auditing, system updates and ports tree updates.

Once the firewall is configured, the next step is logging.

IPFilter has its own logging daemon, ipmon, which must be started.

By default the log is sent to the system's syslogd; alternatively, ipmon's startup options can be changed so that it writes to a log file directly.

When logging through syslogd, edit the /etc/syslog.conf configuration file and create the log files by hand before restarting syslogd.

Add the following two lines to syslog.conf:

local0.*;local0.!notice         /var/log/ipfilter.log
local0.warning                  /var/log/ipfilter-warning.log

The messages line also needs to be changed to:

*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local0.none /var/log/messages

This keeps the IPFilter logs separate from the system log, which makes them easier to read.


The /etc/ipf.rules file:

#------------------------------------
# Interface names depend on the FreeBSD host: adjust the internal/external NIC names to match your system
# bce0 - internal interface
# bce1 - external interface
#------------------------------------
# First, nasty packets which we don't want near us at all
# packets which are too short to be real except echo replies on lo0
pass  in log quick on lo0 proto icmp from 127.0.0.1/8 to 127.0.0.1/8 with short
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in quick from any to 255.255.255.255/32  # broadcast address; not logged, to keep broadcast noise out of the log
block in quick from any to xxx.xxx.xxx.xxx/32
block in quick from any to 224.0.0.0/8
#-------------------------------------
# loopback packets left unmolested
pass in  quick on lo0 all
pass out quick on lo0 all
#-------------------------------------
# Group setup:
# 100 incoming bce0 (internal Ethernet)
# 150 outgoing bce0 (internal Ethernet)
# 200 incoming bce1 (external Ethernet)
# 250 outgoing bce1 (external Ethernet)
#-------------------------------------
block in  log body on bce0 all head 100
block out log body on bce0 all head 150
#-------------------------------------
block in  log on bce1 all head 200
block out log on bce1 all head 250
#-------------------------------------
#--------------------------------------------------------------------------
# incoming internal Ethernet traffic - group 100
#--------------------------------------------------------------------------
# Remote control (ssh) policy
pass in log first quick proto tcp from 10.0.1.0/24 to any port = 22 flags S/SA keep state group 100
pass in log first quick proto tcp from 10.0.0.5/32 to any port = 22 flags S/SA keep state group 100
#----------------------------------
# incoming internal Ethernet services rules
pass in quick proto tcp from any to any port = http flags S/SA keep state group 100
#----------------------------------
# Management policy
pass in quick proto udp from 10.0.x.xx to any port = snmp keep state group 100
pass in quick proto icmp from any to any keep state keep frags group 100
#----------------------------------
# prevent internal host spoofing
block in log quick from 127.0.0.1/32 to 192.168.0.0/16 group 100
block in log quick from any to 127.0.0.1/8 group 100
#----------------------------------
# deny packets which should not be seen on the internet (paranoid)
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
#----------------------------------
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in log proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
block in log first all group 100
#--------------------------------------------------------------------------
# outgoing internal Ethernet traffic - group 150
#--------------------------------------------------------------------------
# outgoing internal Ethernet services rules
pass out quick proto tcp from any to any port = 22 flags S/SA keep state group 150
pass out quick proto udp from any to any port = snmp keep state group 150
#----------------------------------
# Setup outgoing icmp
pass out quick proto icmp from any to any keep state keep frags group 150
#----------------------------------
# block other traffic
block out log first all group 150
#--------------------------------------------------------------------------
# incoming traffic on external Ethernet - group 200
#--------------------------------------------------------------------------
# Remote control policy
pass in log first quick proto tcp from xxx.xxx.xxx.xxx to any port = 22 flags S/SA keep state group 200
#----------------------------------
# incoming external Ethernet services policy
pass in quick proto tcp from any to any port = http flags S/SA keep state group 200
pass in quick proto tcp from any to any port = smtp flags S/SA keep state group 200
#----------------------------------
# management policy
pass in quick proto udp  from xx.xx.xx.xx to any port = snmp keep state group 200
#----------------------------------
# prevent external host spoofing
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from 192.168.0.0/16 to any group 200
#----------------------------------
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in log proto udp from any to any group 200
block return-rst in log proto tcp from any to any group 200
block in log first all group 200
#--------------------------------------------------------------------------
# outgoing traffic on external Ethernet - group 250
#--------------------------------------------------------------------------
# outgoing external Ethernet services rules
pass out quick proto tcp from any to any port = http flags S/SA keep state group 250
#----------------------------------
# Setup outgoing DNS
pass out quick proto udp from any to 8.8.8.8 port = domain keep state group 250
pass out quick proto udp from any to 8.8.4.4 port = domain keep state group 250
#----------------------------------
# management policy
pass out quick proto tcp from any to 113.105.167.213 keep state group 250
pass out quick proto udp from any to any port = snmp keep state group 250
pass out quick proto udp from any to 114.80.81.1 port = ntp keep state group 250
pass out quick proto udp from any to 122.226.192.4 port = ntp keep state group 250
pass out quick proto icmp from any to any keep frags keep state group 250
#----------------------------------
# allow system update policy
# portaudit.FreeBSD.org
pass out quick proto tcp from any to 69.147.83.36   port = http flags S keep state group 250
# package server ports.cn.freebsd.org
pass out quick proto tcp from any to 114.80.81.13 port = http flags S keep state group 250
# portsnap1  portsnap2  and portsnapr4.freebsd.org
pass out quick proto tcp from any to 204.109.56.116 port = http flags S keep state group 250
pass out quick proto tcp from any to 208.83.221.214 port = http flags S keep state group 250
pass out quick proto tcp from any to 93.158.155.199 port = http flags S keep state group 250
# update2.freeBSD.org update4.freeBSD.org update5.freeBSD.org
pass out quick proto tcp from any to 149.20.53.40   port = http flags S keep state group 250
pass out quick proto tcp from any to 209.193.13.98  port = http flags S keep state group 250
pass out quick proto tcp from any to 204.9.55.80    port = http flags S keep state group 250
# port tree update server: cvsup.cn.FreeBSD.org
pass out quick proto tcp from any to 61.129.66.77   port = 5999 flags S keep state group 250
#----------------------------------
# block all other outbound traffic
block out log quick from 127.0.0.0/8 to any group 250
block out log quick from any to 127.0.0.0/8 group 250
block out log quick from any to 192.168.0.0/16 group 250
block out log first all group 250
#--------------------------------------------------------------------------
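The two properties the grouped layout relies on (a `group N` rule is only reached through a `head N` rule of the same direction, and without `quick` the last matching rule wins) can be checked mechanically before loading the file. The linter below is an added example, not part of the page or of IPFilter; it parses a constructed excerpt in the style of the ruleset above and reports rules whose group has no matching head, and non-quick rules that a later catch-all `all` rule in the same group overrides.

```python
import re
from collections import defaultdict
# Constructed excerpt in the style of the ruleset above (a sample, not the full file).
SAMPLE_RULES = """
block in  log body on bce0 all head 100
pass in log first quick proto tcp from 10.0.1.0/24 to any port = 22 flags S/SA keep state group 100
block return-icmp(net-unr) in log proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
block in log first all group 100
pass out quick proto udp from any to any port = snmp keep state group 100
"""
# action, optional modifiers such as return-rst, direction, then the rest of the rule
RULE_RE = re.compile(r"^(?P<action>pass|block)(?P<mods>.*?)\s+(?P<dir>in|out)\b(?P<rest>.*)$")

def parse_rules(text):  # one dict per non-comment line with the fields the linter needs
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: cannot parse rule: {line}")
        rest = m.group("rest")
        head = re.search(r"\bhead\s+(\d+)", rest)
        group = re.search(r"\bgroup\s+(\d+)", rest)
        rules.append({"line": n, "dir": m.group("dir"),
                      "quick": bool(re.search(r"\bquick\b", rest)),
                      "catch_all": bool(re.search(r"\ball\b", rest)),
                      "head": int(head.group(1)) if head else None,
                      "group": int(group.group(1)) if group else None})
    return rules

def lint(rules):  # returns (line, code, message) findings sorted by line
    findings, members = [], defaultdict(list)
    heads = {(r["dir"], r["head"]) for r in rules if r["head"] is not None}
    for r in rules:
        if r["group"] is None:
            continue
        if (r["dir"], r["group"]) not in heads:  # a group is only entered via a head rule of the same direction
            findings.append((r["line"], "undefined-group", f"no {r['dir']} head {r['group']}: never reached"))
        members[(r["dir"], r["group"])].append(r)
    for rs in members.values():
        for i, r in enumerate(rs):
            if r["quick"]:
                continue  # quick stops evaluation at this rule, so nothing later can override it
            # without quick the last match wins, so a later non-quick 'all' rule in the same group overrides r
            later = [s for s in rs[i + 1:] if not s["quick"] and s["catch_all"]]
            if later:
                findings.append((r["line"], "shadowed", f"overridden by catch-all at line {later[-1]['line']}"))
    return sorted(findings)
```

On the sample this flags the two `return-icmp` / `return-rst` rules as overridden by the trailing `block in log first all`, so the decoy replies are never sent, and the `out` rule that names an `in`-only group.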

