Re: rules for IPF and other firewalls
This is the cooked-up version 0.1 of /etc/ipf.rules, pure ipfilter rules - no AltQ or other expert-level features yet.
Could someone please take a look: is it workable, and is there anything that should be added, removed or changed ...
Thanks :)
### /etc/ipf.rules for ipfilter ####
myip="192.168.0.100"
ks="keep state"
fks="flags S keep state"
# Question: is "flags S keep state" enough by itself?
# I have also seen people write "flags S keep state keep frags"
/sbin/ipf -Fa -f - << EOF
#-----
# ftp
pass out quick on rl0 proto tcp from any to any port = 20 $fks
pass out quick on rl0 proto tcp from any to any port = 21 $fks
# ssh
pass out quick on rl0 proto tcp from any to any port = 22 $fks
# smtp
pass out quick on rl0 proto tcp from any to any port = 25 $fks
# DNS
pass out quick on rl0 proto tcp from any to any port = 53 $fks
# httpd
pass out quick on rl0 proto tcp from any to any port = 80 $fks
# pop3
pass out quick on rl0 proto tcp from any to any port = 110 $fks
# IMAP
pass out quick on rl0 proto tcp from any to any port = 143 $fks
# smux
pass out quick on rl0 proto tcp from any to any port = 199 $fks
# https
pass out quick on rl0 proto tcp from any to any port = 443 $fks
# smtps
pass out quick on rl0 proto tcp from any to any port = 465 $fks
# submission
pass out quick on rl0 proto tcp from any to any port = 587 $fks
# hp-alarm-mgr
pass out quick on rl0 proto tcp from any to any port = 787 $fks
# rndc # Question: does rndc need pass in/out at all? Or should it just be kept for 127.0.0.1's own use?
pass out quick on rl0 proto tcp from any to any port = 953 $fks
# imaps
pass out quick on rl0 proto tcp from any to any port = 993 $fks
# pop3s
pass out quick on rl0 proto tcp from any to any port = 995 $fks
# webmin
pass out quick on rl0 proto tcp from any to any port = 10000 $fks
pass out quick on rl0 proto icmp from any to any $ks
block out quick on rl0 all
#-----
pass in quick on rl0 proto udp from 192.168.0.1 to any port = 68 keep state
#-----
# ftp
pass in quick on rl0 proto tcp from any to any port = 20 $fks
pass in quick on rl0 proto tcp from any to any port = 21 $fks
# ssh
pass in quick on rl0 proto tcp from any to any port = 22 $fks
# smtp
pass in quick on rl0 proto tcp from any to any port = 25 $fks
# DNS
pass in quick on rl0 proto tcp from any to any port = 53 $fks
# httpd
pass in quick on rl0 proto tcp from any to any port = 80 $fks
# pop3
pass in quick on rl0 proto tcp from any to any port = 110 $fks
# IMAP
pass in quick on rl0 proto tcp from any to any port = 143 $fks
# smux
pass in quick on rl0 proto tcp from any to any port = 199 $fks
# https
pass in quick on rl0 proto tcp from any to any port = 443 $fks
# smtps
pass in quick on rl0 proto tcp from any to any port = 465 $fks
# submission
pass in quick on rl0 proto tcp from any to any port = 587 $fks
# hp-alarm-mgr
pass in quick on rl0 proto tcp from any to any port = 787 $fks
# rndc
pass in quick on rl0 proto tcp from any to any port = 953 $fks
# imaps
pass in quick on rl0 proto tcp from any to any port = 993 $fks
# pop3s
pass in quick on rl0 proto tcp from any to any port = 995 $fks
# webmin
pass in quick on rl0 proto tcp from any to any port = 10000 $fks
#-----
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in log quick on rl0 all
#-----
pass in quick on lo0 all
pass out quick on lo0 all
EOF
### end of /etc/ipf.rules ####
<: 老音學生 :>
===
"老音學生 Old Student" <goaway@nowhere.not> wrote in message news:L5RSe.85079$Hk.11007@pd7tw1no...
> A question,
> My server (FreeBSD) sits behind a router (and its firewall). It has only one NIC (IP e.g. 192.168.1.2) connected to the router (IP e.g. 192.168.1.1), which NATs to this FreeBSD server.
> I want to start using a firewall on the FreeBSD box -
> to limit the web server's bandwidth, especially since so many spiders come by several times a day - otherwise the ISP complains every month,
> and to block the bad IPs that show up for no reason to try id/password combinations,
> and possibly some other protections I have heard about.
>
> I read the FreeBSD firewalls chapter
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
> and was thinking of using ipfilter (or together with ipfirewall - I hear the two do not conflict and can be used side by side) plus
> AltQ.
> I hear their rules are easier for a beginner to pick up?
>
> Questions:
> 1.
> Is this a sensible choice?
> 2.
> Where can I find similar rules to copy from?
> That is: IPF (and IPFW or AltQ) rules suited to a server with a single NIC on an intranet IP (192.168.x.x)
>
>
> New to this,
> please do not hesitate to advise.
> Thanks
>
> <: 老音學生 :>
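A tightened version of the draft above, as an added example that is not part of the original post or of the FreeBSD handbook: it keeps the poster's default-deny shape but answers the two questions left in the comments (keep frags; rndc on loopback only) and closes the management ports that the draft opened to any source. The interface name rl0, the LAN 192.168.0.0/24, the router/DHCP server at 192.168.0.1, and the choice of which services remain open are assumptions for the example; adjust them to the real network.

```conf
### added example: tightened /etc/ipf.rules for the single-NIC server above ###
# Not the poster's ruleset. Assumptions: the only NIC is rl0, the LAN is
# 192.168.0.0/24, the router/DHCP server is 192.168.0.1, and rndc (953) and
# smux (199) are only ever used from the server itself.
# Syntax check: ipf -n -f /etc/ipf.rules    Load: ipf -Fa -f /etc/ipf.rules

# Loopback is unrestricted. This alone is what makes rndc and smux usable
# from 127.0.0.1; they need no "pass in" rule on rl0 at all.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: loopback addresses never legitimately arrive on, or leave, rl0.
block in log quick on rl0 from 127.0.0.0/8 to any
block out log quick on rl0 from any to 127.0.0.0/8

# DHCP client: accept lease replies from the router only.
pass in quick on rl0 proto udp from 192.168.0.1 port = 67 to any port = 68 keep state

# Outbound: one stateful rule per protocol replaces the per-port list.
# "flags S" creates the state entry on the SYN only; "keep frags" lets
# fragments that belong to a tracked connection pass with that entry.
# The draft passed only TCP/53 out, but resolver lookups are UDP/53, so
# without a UDP rule they would fall through to "block out ... all".
pass out quick on rl0 proto tcp from any to any flags S keep state keep frags
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
block out log quick on rl0 all

# Inbound public services: only what the outside genuinely has to reach.
# SSH stays open to any source because remote logins arrive through the
# router's NAT with an external source address, not a 192.168.0.x one.
# Active-mode FTP data (this host's port 20 -> client) is covered by the
# stateful outbound TCP rule above; passive mode needs the high data ports
# or ipnat's ftp proxy, which this example does not cover.
pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 443 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 465 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 587 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 993 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 995 flags S keep state keep frags
# DNS service: only if this host answers queries for others. Most real
# queries are UDP, so TCP/53 alone (as in the draft) serves almost nothing.
pass in quick on rl0 proto tcp from any to any port = 53 flags S keep state keep frags
pass in quick on rl0 proto udp from any to any port = 53 keep state

# Management: reachable from the LAN only, never "from any".
# Weak (draft):  pass in quick on rl0 proto tcp from any to any port = 10000 flags S keep state
pass in quick on rl0 proto tcp from 192.168.0.0/24 to any port = 10000 flags S keep state keep frags
# Plain POP3/IMAP (110/143) and port 787 are left out on purpose in this
# example; the TLS ports above cover mail clients. Add them back only if a
# client really cannot use 993/995.

# Everything else: reject explicitly (RST / port-unreachable) and log it,
# so legitimate clients fail fast instead of waiting on a silent drop.
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in log quick on rl0 all
```

After loading, `ipfstat -io` lists the rules ipf actually accepted for each direction, which is the quickest way to confirm that nothing was silently skipped, and `ipmon` on the log device shows which blocked packets are hitting the final rules.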