IPFilter firewall configuration on FreeBSD: ipf.rules
Source: Internet   Editor: 程序博客网   Time: 2024/06/05 05:26
FreeBSD ships with several firewall packages. After comparing them I settled on IPFilter (ipf): it is powerful and reasonably convenient to configure.
After going through a number of online references, I put together the firewall template below.
Notes:
1. The firewall script uses rule groups: internal/external and inbound/outbound policies are split into separate groups, so that a long ruleset does not degrade matching performance.
   group 100  internal network, inbound policy group
   group 150  internal network, outbound policy group
   group 200  external network, inbound policy group
   group 250  external network, outbound policy group
2. Frequently hit rules and service rules are placed as early as possible within each group.
3. Rules against trojan/port scans are included; they return bogus reply packets to the scanner.
4. Rules needed for day-to-day FreeBSD maintenance are included, e.g. system auditing, system updates, and ports tree updates.
Once the firewall is configured, the next step is logging.
IPFilter has a dedicated logging daemon, ipmon, which must be started.
By default the log is sent to the system's syslogd; ipmon's startup options can also be changed so that it writes a log file directly.
When logging through syslogd, /etc/syslog.conf has to be configured, and the log files must be created by hand before syslogd is restarted.
Add the following two lines to syslog.conf:

```
local0.*;local0.!notice   /var/log/ipfilter.log
local0.warning            /var/log/ipfilter-warning.log
```

The messages line also needs to be changed to:

```
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local0.none /var/log/messages
```

This keeps the IPFilter log separate from the system log, which makes both easier to review.
The /etc/ipf.rules file:
```
#------------------------------------
# Adjust the internal/external interface names to match the actual FreeBSD system
# bce0 - internal interface
# bce1 - external interface
#------------------------------------
# First, nasty packets which we don't want near us at all
# packets which are too short to be real except echo replies on lo0
pass in log quick on lo0 proto icmp from 127.0.0.1/8 to 127.0.0.1/8 with short
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in quick from any to 255.255.255.255/32 # broadcast address; not logged, to keep broadcast noise out of the log
block in quick from any to xxx.xxx.xxx.xxx/32
block in quick from any to 224.0.0.0/8
#-------------------------------------
# loopback packets left unmolested
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------
# Group setup:
# 100 incoming bce0 (internal Ethernet)
# 150 outgoing bce0 (internal Ethernet)
# 200 incoming bce1 (external Ethernet)
# 250 outgoing bce1 (external Ethernet)
#-------------------------------------
block in log body on bce0 all head 100
block out log body on bce0 all head 150
#-------------------------------------
block in log on bce1 all head 200
block out log on bce1 all head 250
#-------------------------------------
#--------------------------------------------------------------------------
# incoming internal Ethernet traffic - group 100
#--------------------------------------------------------------------------
# Remote Control ssh policy
pass in log first quick proto tcp from 10.0.1.0/24 to any port = 22 flags S/SA keep state group 100
pass in log first quick proto tcp from 10.0.0.5/32 to any port = 22 flags S/SA keep state group 100
#----------------------------------
# incoming internal Ethernet Services rules
pass in quick proto tcp from any to any port = http flags S/SA keep state group 100
#----------------------------------
# Manage policy
pass in quick proto udp from 10.0.x.xx to any port = snmp keep state group 100
pass in quick proto icmp from any to any keep state keep frags group 100
#----------------------------------
# prevent internal host spoofing
block in log quick from 127.0.0.1/32 to 192.168.0.0/16 group 100
block in log quick from any to 127.0.0.1/8 group 100
#----------------------------------
# deny packets which should not be seen on the internet (paranoid)
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
#----------------------------------
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in log proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
block in log first all group 100
#--------------------------------------------------------------------------
# outgoing internal Ethernet traffic - group 150
#--------------------------------------------------------------------------
# outgoing internal Ethernet Services rules
pass out quick proto tcp from any to any port = 22 flags S/SA keep state group 150
pass out quick proto udp from any to any port = snmp keep state group 150
#----------------------------------
# Setup outgoing icmp
pass out quick proto icmp from any to any keep state keep frags group 150
#----------------------------------
# block other traffic
block out log first all group 150
#--------------------------------------------------------------------------
# incoming traffic on external Ethernet - group 200
#--------------------------------------------------------------------------
# Remote Control policy
pass in log first quick proto tcp from xxx.xxx.xxx.xxx to any port = 22 flags S/SA keep state group 200
#----------------------------------
# incoming external Ethernet Services policy
pass in quick proto tcp from any to any port = http flags S/SA keep state group 200
pass in quick proto tcp from any to any port = smtp flags S/SA keep state group 200
#----------------------------------
# manage policy
pass in quick proto udp from xx.xx.xx.xx to any port = snmp keep state group 200
#----------------------------------
# prevent external host spoofing
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from 192.168.0.0/16 to any group 200
#----------------------------------
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in log proto udp from any to any group 200
block return-rst in log proto tcp from any to any group 200
block in log first all group 200
#--------------------------------------------------------------------------
# outgoing traffic on external Ethernet - group 250
#--------------------------------------------------------------------------
# outgoing external Ethernet Services rules
pass out quick proto tcp from any to any port = http flags S/SA keep state group 250
#----------------------------------
# Setup outgoing DNS
pass out quick proto udp from any to 8.8.8.8 port = domain keep state group 250
pass out quick proto udp from any to 8.8.4.4 port = domain keep state group 250
#----------------------------------
# manage policy
pass out quick proto tcp from any to 113.105.167.213 keep state group 250
pass out quick proto udp from any to any port = snmp keep state group 250
pass out quick proto udp from any to 114.80.81.1 port = ntp keep state group 250
pass out quick proto udp from any to 122.226.192.4 port = ntp keep state group 250
pass out quick proto icmp from any to any keep frags keep state group 250
#----------------------------------
# allow system update policy
# portaudit.FreeBSD.org
pass out quick proto tcp from any to 69.147.83.36 port = http flags S keep state group 250
# package server ports.cn.freebsd.org
pass out quick proto tcp from any to 114.80.81.13 port = http flags S keep state group 250
# portsnap1 portsnap2 and portsnapr4.freebsd.org
pass out quick proto tcp from any to 204.109.56.116 port = http flags S keep state group 250
pass out quick proto tcp from any to 208.83.221.214 port = http flags S keep state group 250
pass out quick proto tcp from any to 93.158.155.199 port = http flags S keep state group 250
# update2.freeBSD.org update4.freeBSD.org update5.freeBSD.org
pass out quick proto tcp from any to 149.20.53.40 port = http flags S keep state group 250
pass out quick proto tcp from any to 209.193.13.98 port = http flags S keep state group 250
pass out quick proto tcp from any to 204.9.55.80 port = http flags S keep state group 250
# port tree update server: cvsup.cn.FreeBSD.org
pass out quick proto tcp from any to 61.129.66.77 port = 5999 flags S keep state group 250
#----------------------------------
# block all other out traffic
block out log quick from 127.0.0.0/8 to any group 250
block out log quick from any to 127.0.0.0/8 group 250
block out log quick from any to 192.168.0.0/16 group 250
block out log first all group 250
#--------------------------------------------------------------------------
```
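As an added example (not part of the original post), a small Python parser for the records ipmon writes to /var/log/ipfilter.log via syslog, which summarises blocked packets by rule group and source address and flags sources blocked inbound on several different ports. The log lines are constructed; the interface names and group numbers follow the ruleset above, and the hostname, PID and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines in the layout ipmon writes via syslog (not taken
# from the page); interface names and group numbers follow the ruleset above.
SAMPLE_LOG = """\
Jun  5 05:26:01 fw ipmon[812]: 05:26:01.104321 bce1 @200:5 b 203.0.113.7,51234 -> 198.51.100.2,22 PR tcp len 20 60 -S IN
Jun  5 05:26:02 fw ipmon[812]: 05:26:02.204567 bce1 @200:5 b 203.0.113.7,51235 -> 198.51.100.2,23 PR tcp len 20 60 -S IN
Jun  5 05:26:03 fw ipmon[812]: 05:26:03.300001 bce1 @200:5 b 203.0.113.7,51236 -> 198.51.100.2,3389 PR tcp len 20 60 -S IN
Jun  5 05:26:04 fw ipmon[812]: 05:26:04.400002 bce1 @200:1 p 203.0.113.9,40000 -> 198.51.100.2,22 PR tcp len 20 60 -S K-S IN
Jun  5 05:26:06 fw ipmon[812]: 05:26:06.600004 bce1 @250:20 b 198.51.100.2,49152 -> 192.0.2.10,25 PR tcp len 20 60 -S OUT
"""
# One ipmon record: time, interface, @group:rule, action (b = block, p = pass),
# src,sport -> dst,dport, "PR" protocol, packet details, direction IN/OUT.
LINE_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>[\d:.]+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bpSnL]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) .*\b(?P<dir>IN|OUT)$"
)

def parse_ipmon_line(line):
    """Return the record's fields as a dict, or None for non-ipmon lines."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("group", "rule", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def blocked(log_text):
    """Yield the parsed records whose action was block ('b')."""
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec and rec["action"] == "b":
            yield rec

def summarize(log_text):
    """Blocked-packet counts per rule group and per source address."""
    by_group, by_src = Counter(), Counter()
    for rec in blocked(log_text):
        by_group[rec["group"]] += 1
        by_src[rec["src"]] += 1
    return by_group, by_src

def scan_suspects(log_text, min_ports=3):
    """Sources blocked inbound on at least min_ports distinct ports (scan-like)."""
    ports = defaultdict(set)
    for rec in blocked(log_text):
        if rec["dir"] == "IN":
            ports[rec["src"]].add(rec["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)
```

The group number in each record maps straight back to the head rules above (100/150 for bce0, 200/250 for bce1), so a count per group shows which interface and direction is absorbing the blocked traffic.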