freebsd 9.1.1
Introduction
When setting up a new FreeBSD server, there are a number of optional steps you can take to get your server into a more production-friendly state. In this guide, we will cover some of the most common examples.
We will set up a simple, easy-to-configure firewall that denies most traffic. We will also make sure that your server’s time zone accurately reflects its location. We will set up NTP polling in order to keep the server’s time accurate and, finally, demonstrate how to add some extra swap space to your server.
Before you get started with this guide, you should log in and configure your shell environment the way you’d like it. You can find out how to do this by following this guide.
How To Configure a Simple IPFW Firewall
The first task is setting up a simple firewall to secure your server.
FreeBSD supports and includes three separate firewalls. These are called pf, ipfw, and ipfilter. In this guide, we will be using ipfw as our firewall. ipfw is a secure, stateful firewall written and maintained as part of FreeBSD.
Configuring the Basic Firewall
Almost all of your configuration will take place in the /etc/rc.conf file. To modify the configuration you’ll use the sysrc command, which allows users to change configuration in /etc/rc.conf in a safe manner. Inside this file you’ll add a number of different lines to enable and control how the ipfw firewall will function. You’ll start with the essential rules; run the following command to begin:
- sudo sysrc firewall_enable="YES"
Each time you run sysrc to modify your configuration, you’ll receive output showing the changes:
Output
firewall_enable: NO -> YES
As you may expect, this first command enables the ipfw firewall, starting it automatically at boot and allowing it to be started with the usual service commands.
Now run the following:
- sudo sysrc firewall_quiet="YES"
This tells ipfw not to output anything to standard out when it performs certain actions. This might seem like a matter of preference, but it actually affects the functionality of the firewall.
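The two sysrc commands above each change one assignment in /etc/rc.conf. As an added example (not sysrc itself and not part of the original guide), the script below re-implements that key=value editing in POSIX sh, including the "KEY: OLD -> NEW" report sysrc prints, and applies both changes to a constructed copy of rc.conf so the result can be inspected on any host; the `<unset>` placeholder for an absent key is this script's own convention.

```shell
#!/bin/sh
# Added illustration (not sysrc itself): a minimal POSIX-sh stand-in for the
# key=value editing sysrc performs on /etc/rc.conf, so the effect of the two
# firewall_* commands can be observed on any host. On FreeBSD use real sysrc.

# rc_get FILE KEY -> prints KEY's value with surrounding quotes stripped,
# nothing if the key is not set. The last assignment wins, as in rc.conf.
rc_get() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" 2>/dev/null | tail -n 1
}

# rc_set FILE KEY VALUE -> rewrites the existing assignment in place (or
# appends one) and reports "KEY: OLD -> NEW" in the format sysrc uses.
# VALUE is assumed to be a simple token such as YES/NO (no | or & characters).
rc_set() {
    file=$1 key=$2 new=$3
    # refuse anything that is not a plain rc.conf variable name, so the key
    # cannot act as a regex or shell word in the sed/grep calls below
    case $key in ''|*[!A-Za-z0-9_]*) echo "rc_set: bad key '$key'" >&2; return 1 ;; esac
    old=$(rc_get "$file" "$key")
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        tmp=$(mktemp) || return 1
        sed "s|^${key}=.*|${key}=\"${new}\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$new" >> "$file"
    fi
    printf '%s: %s -> %s\n' "$key" "${old:-<unset>}" "$new"
}

# Walk through the two commands from the text against a constructed rc.conf
# (firewall disabled, firewall_quiet absent) instead of the live /etc/rc.conf.
demo_firewall_rc() {
    rc=$(mktemp) || return 1
    printf 'hostname="example"\nfirewall_enable="NO"\n' > "$rc"
    rc_set "$rc" firewall_enable YES   # firewall_enable: NO -> YES
    rc_set "$rc" firewall_quiet YES    # firewall_quiet: <unset> -> YES
    cat "$rc"                           # shows both keys now set to "YES"
    rm -f "$rc"
}
```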
Two factors combine to make this an important option. The first is that the firewall configuration script is executed in the current shell environment, not as a background task. The second is that when the ipfw command reads a configuration script without the "quiet" flag, it reads and outputs each line, in turn, to standard out. When it outputs a line, it immediately executes the associated action.
Most firewall configuration files flush the current rules at the top of the script in order to start fresh. If the ipfw firewall comes across a line like this without the quiet flag, it will immediately flush all rule