FreeBSD下的IPFilter 防火墙配置 ipf.rules

最新推荐文章于 2021-10-21 18:17:08 发布
最新推荐文章于 2021-10-21 18:17:08 发布
阅读量1.2k 收藏
点赞数
分类专栏: FreeBSD 系统配置 文章标签: freebsd 防火墙 tcp domain server internet
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/hellyhe/article/details/6756811
版权

FreeBSD系统自带有多个防火墙软件,经过比较,最后选择ipfilter 防火墙——功能强,配置也比较方便。

在经过查阅网上的若干资料后,完成了下面的防火墙模板

说明:

1、该防火墙脚本采用了分组模式,将内外网、进出策略以分组的模式出现,避免因策略过长引起的效率的降低。
      group 100 内网 进策略组
      group 150 内网 出策略组
      group 200 外网 进策略组
      group 250 外网 出策略组

2、将常用的和服务策略尽量放在各组策略的前面。
3、加入了木马扫描策略及返回扫描器虚假包信息。
4、加入了FreeBSD系统日常维护所需的策略,如:系统审计、系统更新、port树更新等。

完成防火墙的配置后就是日志的记录啦

ipfilter 防火墙有专门的日志记录服务程序 ipmon 需要启动该服务,

默认日志会发送给系统的syslogd系统,也可修改ipmon的启动参数直接写日志文件。

对于使用syslogd记录的需要配置/etc/syslog.conf 配置文件,并要在重启 syslogd 服务前手动创建 日志文件。

syslog.conf 配置文件中加入下面的两行:

local0.*;local0.!notice         /var/log/ipfilter.log
local0.warning                  /var/log/ipfilter-warning.log

还需修改messages 行为:

*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local0.none /var/log/messages

可将ipfilter日志和系统日志分开存放,便于查阅。


/etc/ipf.rules  文件 

#------------------------------------
# 因FreeBSD系统的特点,需要根据实际情况修改内网、外网网卡的名称
# bce0 - internal interface
# bce1 - external interface
#------------------------------------
# First, nasty pakets which we don't want near us at all
# pakets which are too short to be real except echo replies on lo0
pass  in log quick on lo0 proto icmp from 127.0.0.1/8 to 127.0.0.1/8 with short
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in quick from any to 255.255.255.255/32  #广播地址,避免将过多的广播信息记入log中
block in quick from any to xxx.xxx.xxx.xxx/32     
block in quick from any to 224.0.0.0/8
#-------------------------------------
# loopback packets left unmolested
pass in  quick on lo0 all
pass out quick on lo0 all
#-------------------------------------
# Group setup:
# 100 incoming bce0 (internal Ethernel)
# 150 outgoing bce0 (internal Ethernel)
# 200 incoming bce1 (external Ethernel)
# 250 outgoing bce1 (external Ethernel)
#-------------------------------------
block in  log body on bce0 all head 100
block out log body on bce0 all head 150
#-------------------------------------
block in  log on bce1 all head 200
block out log on bce1 all head 250
#-------------------------------------


#--------------------------------------------------------------------------
# incoming internal Ethernel traffic - group 100
#--------------------------------------------------------------------------
# Remote Control ssh policy
pass in log first quick proto tcp from 10.0.1.0/24 to any port = 22 flags S/SA keep state group 100
pass in log first quick proto tcp from 10.0.0.5/32 to any port = 22 flags S/SA keep state group 100
#----------------------------------
# incoming internal Ethernel Services rules
pass in quick proto tcp from any to any port = http flags S/SA keep state group 100


#----------------------------------
# Manage policy
pass in quick proto udp from 10.0.x.xx to any port = snmp keep state group 100
pass in quick proto icmp from any to any keep state keep frags group 100
#----------------------------------
# prevent internalhost spoofing
block in log quick from 127.0.0.1/32 to 192.168.0.0/16 group 100
block in log quick from any to 127.0.0.1/8 group 100
#----------------------------------
# deny pakets which should not be seen on th internet (paranoid)
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
#----------------------------------
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in log proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
block in log first all group 100


#--------------------------------------------------------------------------
# outgoing internal Ethernel traffic - group 150
#--------------------------------------------------------------------------
# outgoing internal Ethernel Services rules
pass out quick proto tcp from any to any port = 22 flags S/SA keep state group 150
pass out quick proto udp from any to any port = snmp keep state group 150


#----------------------------------
# Setup outgoing icmp
pass out quick proto icmp from any to any keep state keep frag group 150
#----------------------------------
# block other traffic
block out log first all group 150


#--------------------------------------------------------------------------
# incoming traffic on external Ethernel - group 200
#--------------------------------------------------------------------------
# Remote Control policy
pass in log first quick proto tcp from xxx.xxx.xxx.xxx to any port = 22 flags S/SA keep state group 200
#----------------------------------
# incoming external Ethernel Services policy
pass in quick proto tcp from any to any port = http flags S/SA keep state group 200
pass in quick proto tcp from any to any port = smtp flags S/SA keep state group 200


#----------------------------------
# manage prolicy
pass in quick proto udp  from xx.xx.xx.xx to any port = snmp keep state group 200
#----------------------------------
# prevent external host spoofing
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from 192.168.0.0/16 to any group 200
#----------------------------------
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in log proto udp from any to any group 200
block return-rst in log proto tcp from any to any group 200
block in log first all group 200


#--------------------------------------------------------------------------
# outgoing traffic on external Ethernel - group 250
#--------------------------------------------------------------------------
# outgoing external Ethernel Services rules
pass out quick proto tcp from any to any port = http flags S/SA keep state group 250


#----------------------------------
# Setup outgoing DNS
pass out quick proto udp from any to 8.8.8.8 port = domain keep state group 250
pass out quick proto udp from any to 8.8.4.4 port = domain keep state group 250
#----------------------------------
# manage prolicy 
pass out quick proto tcp from any to 113.105.167.213 keep state group 250
pass out quick proto udp from any to any port = snmp keep state group 250
pass out quick proto udp from any to 114.80.81.1 port = ntp keep state group 250
pass out quick proto udp from any to 122.226.192.4 port = ntp keep state group 250
pass out quick proto icmp from any to any keep frag keep state group 250
#----------------------------------
# allow system update prolicy
# portaudit.FreeBSD.org
pass out quick proto tcp from any to 69.147.83.36   port = http flags S keep state group 250
# package server ports.cn.freebsd.org
pass out quick proto tcp from any to 114.80.81.13 port = http flags S keep state group 250
# portsnap1  portsnap2  and portsnapr4.freebsd.org
pass out quick proto tcp from any to 204.109.56.116 port = http flags S keep state group 250
pass out quick proto tcp from any to 208.83.221.214 port = http flags S keep state group 250
pass out quick proto tcp from any to 93.158.155.199 port = http flags S keep state group 250
# update2.freeBSD.org update4.freeBSD.org update5.freeBSD.org
pass out quick proto tcp from any to 149.20.53.40   port = http flags S keep state group 250
pass out quick proto tcp from any to 209.193.13.98  port = http flags S keep state group 250
pass out quick proto tcp from any to 204.9.55.80    port = http flags S keep state group 250
# port tree update server: cvsup.cn.FreeBSD.org
pass out quick proto tcp from any to 61.129.66.77   port = 5999 flags S keep state group 250
#----------------------------------
# block other all out traffic
block out log quick from 127.0.0.0/8 to any group 250
block out log quick from any to 127.0.0.0/8 group 250
block out log quick from any to 192.168.0.0/16 group 250
block out log first all group 250
#--------------------------------------------------------------------------


hellyhe
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
netty的ip过滤
mingtianhaiyouwo的博客
11-09 6133
我们经常需要用到ip白名单,ip黑名单。netty本身就帮我实现了一套验证机制,提供了IpFilterRuleHandler类   1 public class IpFilterRuleHandler extends IpFilteringHandlerImpl 1 public
IPF的使用
lzqmfc的专栏
01-24 1706
http://www.freebsd.org.cn/snap/doc/zh_CN.GB2312/books/handbook/firewalls-ipf.html要在启动时激活 IPF, 您需要在 /etc/rc.conf 中增加下面的设置:ipfilter_enable="YES"             # 启动 ipf 防火墙ipfilter_rules="/etc/ipf.rule
FreeBSD IPFilter防火墙的安装与设置
Louis的专栏
08-23 3764
FreeBSD IPFilter防火墙的安装与设置2001年9月23日 炼狱明王 其实设置FreeBSD防火墙是一件比较简单的事情。结合自己的实践经验和一些网上的资料,我来向大家介绍一下具体设置的方法。本文包括:1.最大化安全设置2.设置网卡3.设置Kernel4.打开包转发、防火墙和NAT5.配置NAT/防火墙后面的机器6.熟悉IPFilter
配置IPF过滤防火墙
weixin_33774615的博客
11-22 476
一、学会编写IPFfilter 规则 通过使用IPFfilter系统提供的特殊命令建立这些规则,并将其添加到内核空间特定信息包过滤表内的链中。关于添加、去除、编辑规则的命令,一般语法如下: action [in|out] option keyword, keyword... 参数说明: 1.每个规则都以操作开头。如果包与规...
FreeBSD上用IP Filter进行桥过滤(转)
cuiji1279的博客
08-11 119
FreeBSD上用IP Filter进行桥过滤(转)[@more@]   几年以前,我以前的一个大学老师准备利用Microsoft的一台大型赠品设备来组建一个实验室。希望把这个实验室建成某种供学生和职工使用的地方,让他们拥有学...
安装 FreeBSD 12 设置 SSL 访问、编译 IPF 防火墙 内核编译
NULL BLOG
03-10 2103
目录 概述 安装 FreeBSD 开启 SSH登录 配置IPF防火墙 编译内核 概述 FreeBSD是一款优秀的 UNIX操作系统,本文介绍如果利用 FreeBSD搭建防火墙以及如何编译内核,FreeBSD系统内置了三款防火墙,PF、IPFIPFW,这三款防火墙各有特点,本文以 IPF防火墙为例,对配置文件进行设置及对内核进行编译。 安装 FreeBSD 此...
freebsd做NAT和防火墙详细案例.pdf
09-30
freebsd做NAT和防火墙详细案例.pdf
Gos-freebsd.rar_If...
09-19
Check if RIP points at sigreturn sequence.
IP Filter 以实现网络地址转换或者防火墙服务的功能
01-02
IP Filter是一款软件包,可以实现网络地址转换(network address translation)(NAT)或者防火墙服务的功能。 ,强烈推荐将其作为UNIX的核心模块。安装和为系统文件打补丁要使用脚本。IP Filter内置于FreeBSD、NetBSD和Solaris中。OpenBSD可以使用Openbsd PF,Linux用户可以使用Netfilter
使用IPFILTER设置小型企业防火墙系统
ncdawen的专栏
01-11 1465
使用IPFILTER设置小型企业防火墙系统作者:peijun.jiang一、        网络环境 1、主机A:安装freebsd4.7,安装三块网卡fxp0、xl0和xl1。fxp0为对外网卡,IP:x.x.x.x  ISP为我提供的IP地址xl0为对内公共区域网卡,IP:192.168.0.1xl1为对内服务提供区域网卡,IP:192.168.80.1 2、主机B:对外提供www服务主机,i
配置IPF
ai_hanghang的博客
09-09 549
实验拓扑图: 推荐步骤: Ø 配置IPF、修改交换机的编号、优先级 Ø 配置端口捆绑、将物理接口加入到IPF的逻辑端口 Ø 激活IPF配置LACP MAD检测 修改第二台交换机的编号 [SW2]irf member 1 renumber 2 保存配置信息并重启 [SW2]save reboot 修改第一台交换机的优先级 [SW1]irf member 1 priority 32 配置端口...
netty4 ip过滤器的使用(可做ip黑名单处理)
Gogym的博客
07-13 3745
netty4的ip过滤跟netty3的区别比较大。netty3的使用方法这里不介绍了,看看在netty4中怎么做ip的过滤。 从netty的文档中我们可以看到这么几个类: https://netty.io/4.1/api/io/netty/handler/ipfilter/package-summary.html ip过滤相关的类在 io.netty.handler.ipfilter这个...
(转)浅谈AIX下IPFilter防火墙
weixin_30652271的博客
08-22 614
1序言 AIX操作系统发行至今,经历数个版本,功能不断增强,就安全方面IP Security也变化不少,如动作中增加了If等功能,但这次暂且讨论配置防火墙策略及防火墙的基本操作,其他高级功能待下回分解。 2什么是IP Security IP Security是通过预定义的过滤器规则表中的过滤器规则定义,匹配指定的网络中的数据包,判断其通过还是被拦截,从而使得IP Sec...
Netty基于ip的黑名单过滤——RuleBasedIpFilter
moneywenxue的博客
10-21 1390
一、RuleBasedIpFilter RuleBasedIpFilter是基于ip的过滤器,可以自定义哪些ip或者ip范围允许通过或者被阻止。因为默认情况下,如果不添加任何IpSubnetFilterRule, RuleBasedIpFilter就会允许所有ip。如果我们使用白名单机制,要么继承RuleBasedIpFilter类,重写accept方法,要不在RuleBasedIpFilter, 添加一个rejectAll,并将该rejectAll放在数组的最后。 1.1 源码-net...
freebsd关闭防火墙
最新发布
06-20
FreeBSD 中的防火墙通常指的是 pf(Packet Filter防火墙,它是 FreeBSD 操作系统中的内建包过滤防火墙。如果你想要关闭pf防火墙,你可以按照以下步骤操作: 1. **登录到FreeBSD服务器**: 使用SSH登录到你的...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值