[原创]FreeBSD下防火墙设置

蔡忠义

FreeBSD下防火墙设置。

IPFW 的无状态规则语法， 是由一种提供复杂的选择能力的技术支持的， 这种技术远远超出了一般的防火墙安装人员的知识水平。 IPFW 是为满足专业用户， 以及掌握先进技术的电脑爱好者们对于高级的包选择需求而设计的。 要完全释放 IPFW 的规则所拥有的强大能力， 需要对不同的协议的细节有深入的了解， 并根据它们独特的包头信息来编写规则。 这一级别的详细阐述超出了这本手册的范围。

　　IPFW 由七个部分组成， 其主要组件是内核的防火墙过滤规则处理器， 及其集成的数据包记帐工具、 日志工具、 用以触发 NAT 工具的 'divert' (转发) 规则、 高级特殊用途工具、 dummynet 流量整形机制， 'fwd rule' 转发工具， 桥接工具， 以及 ipstealth 工具。 IPFW 支持 IPv4 和 IPv6。

以上为Freebsd手册上的说法。之所以选择Freebsd作为实验小学的网站服务器，其中一个关键原因就是IPFW的强大功能。windows和linux的一些防火墙基本上没有它严厉。不用担心系统被人家拿下的危险了。

废话不说了。
一、开机启动IPFW防火墙
ee /etc/rc.conf
加入以下代码：
firewall_type="open"
firewall_script="/etc/ipfw.rules"       //   ipfw.rules 是防火墙规则文件

二、建立防火墙规则

ee /etc/ipfw.rules

################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="bge0"     # public interface name of NIC      //bge0是我的网卡的系统名称。
# facing the public Internet

#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN.
# Change xl0 to your LAN NIC interface name
#################################################################
#$cmd 00005 allow all from any to any via xl0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00010 allow all from any to any via lo0

#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 00015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP.s DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00110 allow tcp from any to 192.168.1.240 53 out via $pif setup keep-state   
$cmd 00111 allow udp from any to 192.168.1.240 53 out via $pif keep-state                   //这两行是允许DNS访问我的系统。

$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state            //80口不开还做什么WEB服务器啊，你要改成8838也没人不同意。

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state         //适用于https://之类的网站。

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
# $cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out nntp news (i.e. news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state                               //远程加密通讯
$cmd 00285 allow tcp from any to any 21 out via $pif setup keep-state
# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

# deny and log everything else that.s trying to get out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif          #RFC 1918 private IP
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif         #Class D & E multicast
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
$cmd 00420 allow tcp from any to me 21 in via $pif setup limit src-addr 2


# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################

保存，重起，OL。