How To Configure Packet Filter (PF) on FreeBSD 12.1

The author selected the COVID-19 Relief Fund to receive a donation as part of the Write for DOnations program.

Introduction

The firewall is arguably one of the most important lines of defense against cyber attacks. The ability to configure a firewall from scratch is an empowering skill that enables the administrator to take control of their networks.

Packet Filter (PF) is a renowned firewall application that is maintained upstream by the security-driven OpenBSD project. It is more accurately described as a packet filtering tool, hence the name, and it is known for its simple syntax, user-friendliness, and extensive features. PF is a stateful firewall by default, storing information about connections in a state table that can be inspected for analytical purposes. PF is part of the FreeBSD base system and is supported by a strong community of developers. Although there are differences between the FreeBSD and OpenBSD versions of PF related to their kernel architectures, their syntax is in general similar. Depending on their complexity, common rulesets can be modified to work on either system with relatively little effort.

In this tutorial you’ll build a firewall from the ground up on a FreeBSD 12.1 server with PF. You’ll design a base ruleset that can be used as a template for future projects. You’ll also explore some of PF’s advanced features such as packet hygiene, brute force prevention, monitoring and logging, and other third-party tools.

Prerequisites

Before you start this tutorial, you’ll need the following:

  • A 1G FreeBSD 12.1 server (either ZFS or UFS). You can use our How To Get Started with FreeBSD tutorial to set your server up to your preferred configuration.

  • FreeBSD has no firewall enabled by default; customization is a hallmark of the FreeBSD ethos. Therefore when you first launch your server, you need temporary protection while PF is being configured. If you’re using DigitalOcean, you can enable your cloud firewall immediately after spinning up the server. Refer to DigitalOcean’s Firewall Quickstart for instructions on configuring a cloud firewall. If you’re using another cloud provider, determine the fastest route to immediate protection before you begin. Whichever method you choose, your temporary firewall must permit only inbound SSH traffic, and can allow all types of outbound traffic.

Step 1 — Building Your Preliminary Ruleset

You’ll begin this tutorial by drafting a preliminary ruleset that provides basic protection and access to critical services from the internet. At this point you have a running FreeBSD 12.1 server with an active cloud firewall.

There are two approaches to building a firewall: default deny and default permit. The default deny approach blocks all traffic, and only permits what is specified in a rule. The default permit approach does the exact opposite: it passes all traffic, and only blocks what is specified in a rule. You’ll use the default deny approach.

PF rulesets are written in a configuration file named /etc/pf.conf, which is also its default location. It is fine to store this file somewhere else as long as the new path is specified in the /etc/rc.conf configuration file (the pf_rules variable names the file PF loads at boot). In this tutorial you’ll use the default location.

Log in to your server with your non-root user:

  • ssh freebsd@your_server_ip

Next create your /etc/pf.conf file:

  • sudo vi /etc/pf.conf

Note: If you would like to see the complete base ruleset at any point in the tutorial, you can refer to the examples in Step 4 or Step 8.

PF filters packets according to three core actions: block, pass, and match. Combined with other options, they form rules. An action is taken when a packet meets the criteria specified in a rule. As you may expect, pass and block rules pass and block traffic. A match rule applies options to a packet whose criteria it matches, but does not itself pass or block the packet. For example, a match rule can apply network address translation (NAT) to a packet without passing or blocking it; whether the translated packet is then passed, blocked, or routed to another machine or gateway is decided by the rules that follow it.

Next add the first rule to your /etc/pf.conf file:

/etc/pf.conf
block all

This rule blocks all forms of traffic in every direction. Since it does not specify a direction, it defaults to both in and out. Such a rule is legitimate for a local workstation that needs to be insulated from the world, but it is largely impractical, and will not work on a remote server because it does not permit SSH traffic. In fact, had you enabled PF now, you would have locked yourself out of the server. For that reason, before you ever load a ruleset on a remote machine, check that it at least parses with pfctl -nf /etc/pf.conf (the -n flag parses the file without loading it) and that it contains a rule passing inbound SSH.

Revise your /etc/pf.conf file to allow SSH traffic with the following highlighted line:

/etc/pf.conf
block all
pass in proto tcp to port 22

Note: Alternatively, you can use the name of the service:

/etc/pf.conf
block all
pass in proto tcp to port ssh

For the sake of consistency we will use port numbers, unless there is a valid reason not to. The /etc/services file contains a detailed list of service names and their respective port numbers, which is where PF resolves names such as ssh; you are encouraged to view it.

PF evaluates rules sequentially from top to bottom, and when more than one rule matches a packet, the last matching rule wins. Your current ruleset therefore blocks all traffic with the first rule, but then passes any packet that also matches the criteria on the next line, in this case inbound SSH. The one exception to last-match-wins is the quick keyword: a rule marked quick takes effect as soon as it matches and stops further evaluation, so a quick block at the top of the file would override every pass rule beneath it.

You can now SSH in to your server, but you’re still blocking all forms of outbound traffic. This is problematic because you can’t access critical services from the internet to install packages, update your time settings, and so on.

To address this, append the following highlighted rule to the end of your /etc/pf.conf file:

/etc/pf.conf
block all
pass in proto tcp to port { 22 }
pass out proto { tcp udp } to port { 22 53 80 123 443 }

Your ruleset now permits outbound SSH, DNS, HTTP, NTP, and HTTPS traffic, while still blocking all inbound traffic except SSH. Port numbers and protocols placed inside curly brackets form a list in PF syntax, which lets you add more ports later if needed. Be aware that PF expands a list into one rule per combination: the single pass out line above stands for ten rules, so it also permits UDP to ports 22, 80 and 443. That is harmless here, but worth remembering when you tighten the ruleset later. You include UDP because DNS uses UDP by default and switches to TCP for large responses and zone transfers, and NTP uses UDP. You’re almost finished with the preliminary ruleset, and only need to add a couple of rules to achieve basic functionality.

Complete the preliminary ruleset with the highlighted rules:

Preliminary Ruleset /etc/pf.conf
set skip on lo0
block all
pass in proto tcp to port { 22 }
pass out proto { tcp udp } to port { 22 53 80 123 443 }
pass out inet proto icmp icmp-type { echoreq }

Save and exit the file.

You create a set skip rule for the loopback interface so that PF does not filter it at all. Loopback traffic never leaves the host, and filtering it would create state for every local connection and, under your block all rule, break services that talk to each other over lo0. You add a pass out inet rule for the ICMP protocol, which allows you to use the ping(8) utility for troubleshooting. The inet option represents the IPv4 address family.

ICMP is a multi-purpose messaging protocol used by networking devices for various types of communication. The ping utility, for example, uses a message type known as an echo request, which you’ve added to your icmp-type list. As a precaution, you permit only the message types that you need, to prevent unwelcome devices from probing your server. Because this is a pass out rule, the state it creates lets the matching echo replies back in, while unsolicited inbound echo requests are still caught by block all. As your needs increase you can add more message types to your list.
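To see the evaluation order, the list expansion, and the stateful return traffic from the preceding paragraphs in action, here is an added example that is not code from this tutorial or from PF itself: a small Python model of the matching semantics described in pf.conf(5), run over the preliminary ruleset with constructed sample traffic. It models only the features the page uses and ignores interfaces and addresses; it is a teaching model, not a substitute for loading the ruleset with pfctl.

```python
"""Model of PF rule evaluation for the preliminary ruleset on this page.

Added example, not part of the original tutorial and not PF's own code.
It models only the pf.conf(5) features the page uses: block/pass, in/out,
proto and port lists (which expand to one rule per combination), icmp-type,
the inet address family, the `quick` keyword, and the state that a pass rule
creates implicitly. Interfaces (set skip on lo0) and addresses are ignored.
The sample traffic at the bottom is constructed for this example.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" or "out"
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None      # tcp/udp source port
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[str] = None  # e.g. "echoreq", "echorep"
    af: str = "inet"                 # address family (the page uses IPv4 only)


@dataclass(frozen=True)
class Rule:
    action: str                      # "block" or "pass"
    direction: Optional[str] = None  # None matches both directions, like `block all`
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    af: Optional[str] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        # every criterion the rule specifies must equal the packet's field
        return all(want is None or want == have for want, have in (
            (self.direction, p.direction), (self.proto, p.proto),
            (self.dport, p.dport), (self.icmp_type, p.icmp_type), (self.af, p.af)))


def expand(action, direction=None, protos=(None,), ports=(None,),
           icmp_types=(None,), af=None, quick=False):
    """`proto { tcp udp } to port { 53 123 }` is shorthand for the cross product."""
    return [Rule(action, direction, pr, po, it, af, quick)
            for pr, po, it in product(protos, ports, icmp_types)]


# The preliminary ruleset from Step 1, in the order it appears in /etc/pf.conf
PRELIMINARY_RULESET = (
    expand("block")                                                  # block all
    + expand("pass", "in", ("tcp",), (22,))                          # pass in proto tcp to port { 22 }
    + expand("pass", "out", ("tcp", "udp"), (22, 53, 80, 123, 443))  # ten rules
    + expand("pass", "out", ("icmp",), icmp_types=("echoreq",), af="inet")
)

ICMP_REPLY = {"echoreq": "echorep"}  # an echo request is answered by an echo reply


def flow_key(p: Packet):
    """Key under which PF would keep state for this packet; its reply maps to the same key."""
    if p.proto == "icmp":
        t, d = p.icmp_type, p.direction
        for req, rep in ICMP_REPLY.items():
            if t == rep:  # a reply belongs to the request that went the other way
                t, d = req, ("in" if d == "out" else "out")
        return ("icmp", d, t)
    ends = (p.sport, p.dport) if p.direction == "out" else (p.dport, p.sport)
    return (p.proto,) + ends


def evaluate(ruleset, p: Packet, state: set) -> str:
    """Decide 'pass' or 'block' the way PF does.

    1. The state table is consulted first: a packet belonging to an existing
       state passes without the rules being evaluated at all.
    2. Rules are evaluated top to bottom and the LAST matching rule wins,
       unless a matching rule is marked `quick`, which stops evaluation.
    3. A packet passed by a rule creates state (PF's implicit keep state).
    """
    key = flow_key(p)
    if key in state:
        return "pass"
    decision = "pass"  # PF's default when no rule matches, hence `block all` first
    for rule in ruleset:
        if rule.matches(p):
            decision = rule.action
            if rule.quick:
                break
    if decision == "pass":
        state.add(key)
    return decision


def decide(ruleset, packets):
    """Run packets through the ruleset in arrival order with a fresh state table."""
    state = set()
    return [evaluate(ruleset, p, state) for p in packets]


def locks_out_ssh(ruleset) -> bool:
    """True if a fresh inbound SSH connection would be blocked (the lock-out case)."""
    return evaluate(ruleset, Packet("in", "tcp", 40000, 22), set()) == "block"


def with_quick_block(ruleset):
    """Same ruleset, but with its first rule (block all) marked quick."""
    return [replace(ruleset[0], quick=True)] + list(ruleset[1:])


# Constructed sample traffic, in arrival order
SAMPLE_TRAFFIC = [
    Packet("in", "tcp", 40000, 22),              # admin logging in: pass
    Packet("out", "tcp", 22, 40000),             # SSH reply: pass only because of state
    Packet("in", "tcp", 40001, 80),              # unsolicited web request: block
    Packet("out", "udp", 50000, 53),             # DNS query: pass
    Packet("in", "udp", 53, 50000),              # DNS answer: pass via state
    Packet("out", "udp", 50001, 22),             # UDP to 22: pass, a side effect of list expansion
    Packet("out", "icmp", icmp_type="echoreq"),  # ping from the server: pass
    Packet("in", "icmp", icmp_type="echorep"),   # the echo reply: pass via state
    Packet("in", "icmp", icmp_type="echoreq"),   # someone pinging the server: block
]

if __name__ == "__main__":
    for p, d in zip(SAMPLE_TRAFFIC, decide(PRELIMINARY_RULESET, SAMPLE_TRAFFIC)):
        print(f"{d:5s} {p}")
```

Running the model shows why the page builds the ruleset in this order: the SSH reply and the echo reply pass only through state, the unsolicited web request and inbound ping are caught by block all, and marking that first rule quick would lock you out even though the pass rule for port 22 is still present.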

You now have a working ruleset that provides basic functionality to most machines. In the next section, let’s confirm that everything is working correctly by enabling PF and testing your preliminary ruleset.

Step 2 — Testing Your Preliminary Ruleset

In this step you’ll test your preliminary ruleset and make the transition from your cloud firewall to your PF firewall, allowing PF to completely take over. You’ll activate your ruleset with the pfctl utility, which is PF’s built-in comma
