第二十八章 DragonFlyBSD
第三节 IPFW

介绍说明:

IPFIREWALL (IPFW) 是一个由 FreeBSD 发起的防火墙应用软件, 它由 FreeBSD 的志愿者成员编写和维护。
在 FreeBSD 12 中,ipfw 已经默认被编译进内核了,它默认会有一条规则,规则号为 65536,是不可以删除的,这条规则会把所有流量都切断,所以还没配置好之前,千万不要随意启动 ipfw,否则就会面临无法连上远程 FreeBSD 的问题。
图形化配置工具:
1
#pkg install fwbuilder
Copied!

配置ipfw:

  1. 1.
    执行以下命令:
1
# sysrc firewall_enable="YES" # 允许防火墙开机自启
2
# sysrc firewall_type="open" # 让系统把流量通过,这样就可以使用防火墙
3
# sysrc firewall_script="/etc/ipfw.rules" # 制定ipfw规则的路径,我们待会儿在这里编辑规则
4
# sysrc firewall_logging="YES" # 这样ipfw就可以打日志
5
# sysrc firewall_logif="YES" # 把日志打到 `ipfw0` 这个设备里
Copied!
  1. 1.
    编辑 /etc/ipfw.rules 文件:
1
# ee /etc/ipfw.rules
2
3
IPF="ipfw -q add"
4
ipfw -q -f flush
5
6
# loopback
7
$IPF 10 allow all from any to any via lo0
8
$IPF 20 deny all from any to 127.0.0.0/8
9
$IPF 30 deny all from 127.0.0.0/8 to any
10
$IPF 40 deny tcp from any to any frag
11
12
# statefull
13
$IPF 50 check-state
14
$IPF 60 allow tcp from any to any established
15
$IPF 70 allow all from any to any out keep-state
16
$IPF 80 allow icmp from any to any
17
18
# open port for ssh
19
$IPF 110 allow tcp from any to any 22 out
20
$IPF 120 allow tcp from any to any 22 in
21
22
# open port for samba
23
$IPF 130 allow tcp from any to any 139 out
24
$IPF 140 allow tcp from any to any 139 in
25
$IPF 150 allow tcp from any to any 445 out
26
$IPF 160 allow tcp from any to any 445 in
27
$IPF 170 allow udp from any to any 137 out
28
$IPF 180 allow udp from any to any 137 in
29
$IPF 190 allow udp from any to any 138 out
30
$IPF 200 allow udp from any to any 138 in
31
32
33
# deny and log everything
34
$IPF 500 deny log all from any to any
Copied!
额外说明: samba 开放 tcp/139,445 端口,udp/137,138 端口
  1. 1.
    启动 ipfw:
1
# service ipfw start
2
3
Firewall rules loaded.
4
Firewall logging enabled.
5
ifconfig: interface ipfw0 already exists
6
Firewall logging pseudo-interface (ipfw0) created.
Copied!
  1. 1.
    查看 ipfw 状态:
1
# service ipfw status
2
3
ipfw is enabled
Copied!
  1. 1.
    查看 ipfw 规则条目
1
# ipfw list
2
3
00010 allow ip from any to any via lo0
4
00020 deny ip from any to 127.0.0.0/8
5
00030 deny ip from 127.0.0.0/8 to any
6
00040 deny tcp from any to any frag
7
00050 check-state :default
8
00060 allow tcp from any to any established
9
00070 allow ip from any to any out keep-state :default
10
00080 allow icmp from any to any
11
00110 allow tcp from any to any 22 out
12
00120 allow tcp from any to any 22 in
13
00500 deny log ip from any to any
14
65535 deny ip from any to any
Copied!
Copy link
Edit on GitHub