Re: rules for IPF and other firewalls
Sorry, there were mistakes; here is an improved version 0.2:
Please take a look and tell me whether it is workable, and whether anything should be added, removed or changed ...
Thanks :)
### /etc/ipf.rules for ipfilter ####
# myip="192.168.0.100" # <-- the FreeBSD box
landhcpserver="192.168.0.1" # <-- router/gateway + intranet DHCP server
ks="keep state"
fks="flags S keep state"
# Question: is "flags S keep state" enough by itself?
# I have also seen people write "flags S keep state keep frags"
/sbin/ipf -Fa -f - << EOF
#----------
# ftp
pass out quick on rl0 proto tcp from any to any port = 20 $fks
pass out quick on rl0 proto tcp from any to any port = 21 $fks
# ssh
pass out quick on rl0 proto tcp from any to any port = 22 $fks
# smtp
pass out quick on rl0 proto tcp from any to any port = 25 $fks
# DNS
pass out quick on rl0 proto tcp from any to any port = 53 $fks
# httpd
pass out quick on rl0 proto tcp from any to any port = 80 $fks
# pop3
pass out quick on rl0 proto tcp from any to any port = 110 $fks
# IMAP
pass out quick on rl0 proto tcp from any to any port = 143 $fks
# smux
pass out quick on rl0 proto tcp from any to any port = 199 $fks
# https
pass out quick on rl0 proto tcp from any to any port = 443 $fks
# smtps
pass out quick on rl0 proto tcp from any to any port = 465 $fks
# submission
pass out quick on rl0 proto tcp from any to any port = 587 $fks
# hp-alarm-mgr
pass out quick on rl0 proto tcp from any to any port = 787 $fks
# rndc
pass out quick on rl0 proto tcp from any to any port = 953 $fks
# imaps
pass out quick on rl0 proto tcp from any to any port = 993 $fks
# pop3s
pass out quick on rl0 proto tcp from any to any port = 995 $fks
# webmin
pass out quick on rl0 proto tcp from any to any port = 10000 $fks
#----------
pass out quick on rl0 proto icmp from any to any $ks
block out quick on rl0 all
#----------
block in log quick on rl0 from 172.16.0.0/12 to any
block in log quick on rl0 from 10.0.0.0/8 to any
block in log quick on rl0 from 127.0.0.0/8 to any
block in log quick on rl0 from 0.0.0.0/8 to any
block in log quick on rl0 from 169.254.0.0/16 to any
block in log quick on rl0 from 192.0.2.0/24 to any
block in log quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any
#----------
pass in quick on rl0 proto udp from $landhcpserver to any port = 68 keep state
#----------
# ftp
pass in quick on rl0 proto tcp from any to any port = 20 $fks
pass in quick on rl0 proto tcp from any to any port = 21 $fks
# ssh
pass in quick on rl0 proto tcp from any to any port = 22 $fks
# smtp
pass in quick on rl0 proto tcp from any to any port = 25 $fks
# DNS
pass in quick on rl0 proto tcp from any to any port = 53 $fks
# httpd
pass in quick on rl0 proto tcp from any to any port = 80 $fks
# pop3
pass in quick on rl0 proto tcp from any to any port = 110 $fks
# IMAP
pass in quick on rl0 proto tcp from any to any port = 143 $fks
# smux
pass in quick on rl0 proto tcp from any to any port = 199 $fks
# https
pass in quick on rl0 proto tcp from any to any port = 443 $fks
# smtps
pass in quick on rl0 proto tcp from any to any port = 465 $fks
# submission
pass in quick on rl0 proto tcp from any to any port = 587 $fks
# hp-alarm-mgr
pass in quick on rl0 proto tcp from any to any port = 787 $fks
# rndc
pass in quick on rl0 proto tcp from any to any port = 953 $fks
# imaps
pass in quick on rl0 proto tcp from any to any port = 993 $fks
# pop3s
pass in quick on rl0 proto tcp from any to any port = 995 $fks
# webmin
pass in quick on rl0 proto tcp from any to any port = 10000 $fks
#----------
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in log quick on rl0 all
#----------
pass in quick on lo0 all
pass out quick on lo0 all
EOF
### end of /etc/ipf.rules ####
Thanks
<: 老音學生 :>
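Added example, not the poster's file: a generator for a revised /etc/ipf.rules built from the 0.2 rule set above. It keeps the poster's layout (egress allow-list, bogon block list, DHCP from the router, stateful inbound allow-list, return-rst/port-unreachable rejects, lo0 open) and changes four things a reviewer would flag in the 0.2 rules: outbound UDP 53 (and NTP 123) is passed, because "block out quick on rl0 all" otherwise drops the resolver's UDP queries and only TCP 53 was allowed; rndc (953) is no longer opened on rl0, since it is only needed on lo0 when BIND keeps its default loopback control channel; webmin (10000) is limited to the LAN; and active-mode FTP data from the server's own port 20 is allowed out (passive mode would additionally need the ftpd's port range opened, which is not shown). The LAN 192.168.0.0/24, the box address 192.168.0.100, interface rl0, "admin only from the LAN", and "the box may be a DHCP client" are assumptions, not facts from the thread. The check functions at the end are the kind of static greps you can run on the generated text before loading it; `ipf -n` (no-change) parses rules without touching the kernel.

```shell
#!/bin/sh
# Added example (not the poster's /etc/ipf.rules). Generates an ipfilter
# rule set for a single-NIC FreeBSD box behind a NAT router.
# Assumptions: LAN 192.168.0.0/24, box 192.168.0.100, router/DHCP 192.168.0.1, NIC rl0.

ext_if="rl0"
lan="192.168.0.0/24"
myip="192.168.0.100"
landhcpserver="192.168.0.1"
ks="keep state"
fks="flags S keep state"

# Egress allow-list, as in the original (TCP destinations the box may open).
out_tcp="21 22 25 53 80 110 143 199 443 465 587 787 993 995"
# Services the Internet may reach through the router's NAT.
public_tcp="21 22 25 53 80 110 143 199 443 465 587 787 993 995"
# Admin services reachable only from the LAN (assumption: managed from the LAN).
lan_only_tcp="10000"

gen_ipf_rules() {
    echo "# --- outbound: the server as a client ---"
    for p in $out_tcp; do
        echo "pass out quick on $ext_if proto tcp from $myip to any port = $p $fks"
    done
    cat <<EOF
# active-mode FTP data: ftpd connects out FROM port 20, so match the source port
pass out quick on $ext_if proto tcp from $myip port = 20 to any $fks
# DNS and NTP use UDP; "pass out tcp port 53" alone leaves the resolver blocked
pass out quick on $ext_if proto udp from $myip to any port = 53 $ks
pass out quick on $ext_if proto udp from $myip to any port = 123 $ks
# DHCP client traffic to the router (only matters if the box is a DHCP client)
pass out quick on $ext_if proto udp from any port = 68 to any port = 67 $ks
pass out quick on $ext_if proto icmp from $myip to any $ks
block out log quick on $ext_if all
# --- inbound: drop spoofed / bogon sources first ---
EOF
    for net in 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24; do
        echo "block in log quick on $ext_if from $net to any"
    done
    cat <<EOF
block in quick on $ext_if from 224.0.0.0/3 to any
# DHCP replies only from the router
pass in quick on $ext_if proto udp from $landhcpserver port = 67 to any port = 68 $ks
EOF
    for p in $public_tcp; do
        echo "pass in quick on $ext_if proto tcp from any to $myip port = $p $fks"
    done
    for p in $lan_only_tcp; do
        echo "pass in quick on $ext_if proto tcp from $lan to $myip port = $p $fks"
    done
    cat <<EOF
# rndc (953) is deliberately NOT opened on $ext_if: BIND binds it to 127.0.0.1
# by default, and lo0 is passed below.
block return-rst in log quick on $ext_if proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on $ext_if proto udp from any to any
block in log quick on $ext_if all
pass in quick on lo0 all
pass out quick on lo0 all
EOF
}

# Syntax-check without touching the kernel, then load (FreeBSD only).
check_ipf_rules() { gen_ipf_rules | ipf -n -f -; }
load_ipf_rules()  { gen_ipf_rules | ipf -Fa -f -; }

# Static sanity checks on the generated text (run anywhere, no ipf needed).
rules_allow_dns_udp_out() {
    gen_ipf_rules | grep -q "^pass out .* proto udp .* port = 53 "
}
# $1 = TCP port; succeeds if some "pass in" on $ext_if lets "any" reach it.
rules_expose_port_on_ext() {
    gen_ipf_rules | grep -q "^pass in quick on $ext_if proto tcp from any to .* port = $1 "
}
rules_block_bogon() {   # $1 = prefix, e.g. 10.0.0.0/8
    gen_ipf_rules | grep -q "^block in log quick on $ext_if from $1 to any"
}

case "${1:-}" in
    print) gen_ipf_rules ;;
    check) check_ipf_rules ;;
    load)  load_ipf_rules ;;
esac
```

Run `sh ipf-rules.sh print` to inspect the output, `sh ipf-rules.sh check` on the FreeBSD box for a parse-only pass, and `load` to install it; the greps at the end are what a reviewer would run before the first load.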
===
"老音學生 Old Student" <goaway@nowhere.not> wrote in message news:WLSSe.380065$s54.18347@pd7tw2no...
> This is version 0.1 of /etc/ipf.rules, copied from elsewhere; pure ipfilter rules - no AltQ or other expert-level features yet.
> Could you please take a look and tell me whether it is workable, and whether anything should be added, removed or changed ...
> Thanks :)
>
> ### /etc/ipf.rules for ipfilter ####
> myip="192.168.0.100"
> ks="keep state"
> fks="flags S keep state"
> # Question: is "flags S keep state" enough by itself?
> # I have also seen people write "flags S keep state keep frags"
> /sbin/ipf -Fa -f - << EOF
> #-----
> # ftp
> pass out quick on rl0 proto tcp from any to any port = 20 $fks
> pass out quick on rl0 proto tcp from any to any port = 21 $fks
> # ssh
> pass out quick on rl0 proto tcp from any to any port = 22 $fks
> # smtp
> pass out quick on rl0 proto tcp from any to any port = 25 $fks
> # DNS
> pass out quick on rl0 proto tcp from any to any port = 53 $fks
> # httpd
> pass out quick on rl0 proto tcp from any to any port = 80 $fks
> # pop3
> pass out quick on rl0 proto tcp from any to any port = 110 $fks
> # IMAP
> pass out quick on rl0 proto tcp from any to any port = 143 $fks
> # smux
> pass out quick on rl0 proto tcp from any to any port = 199 $fks
> # https
> pass out quick on rl0 proto tcp from any to any port = 443 $fks
> # smtps
> pass out quick on rl0 proto tcp from any to any port = 465 $fks
> # submission
> pass out quick on rl0 proto tcp from any to any port = 587 $fks
> # hp-alarm-mgr
> pass out quick on rl0 proto tcp from any to any port = 787 $fks
> # rndc # Question: does rndc need pass in/out, or should it just be kept for 127.0.0.1's own use?
> pass out quick on rl0 proto tcp from any to any port = 953 $fks
> # imaps
> pass out quick on rl0 proto tcp from any to any port = 993 $fks
> # pop3s
> pass out quick on rl0 proto tcp from any to any port = 995 $fks
> # webmin
> pass out quick on rl0 proto tcp from any to any port = 10000 $fks
> pass out quick on rl0 proto icmp from any to any $ks
> block out quick on rl0 all
> #-----
> pass in quick on rl0 proto udp from 192.168.0.1 to any port = 68 keep state
> #-----
> # ftp
> pass in quick on rl0 proto tcp from any to any port = 20 $fks
> pass in quick on rl0 proto tcp from any to any port = 21 $fks
> # ssh
> pass in quick on rl0 proto tcp from any to any port = 22 $fks
> # smtp
> pass in quick on rl0 proto tcp from any to any port = 25 $fks
> # DNS
> pass in quick on rl0 proto tcp from any to any port = 53 $fks
> # httpd
> pass in quick on rl0 proto tcp from any to any port = 80 $fks
> # pop3
> pass in quick on rl0 proto tcp from any to any port = 110 $fks
> # IMAP
> pass in quick on rl0 proto tcp from any to any port = 143 $fks
> # smux
> pass in quick on rl0 proto tcp from any to any port = 199 $fks
> # https
> pass in quick on rl0 proto tcp from any to any port = 443 $fks
> # smtps
> pass in quick on rl0 proto tcp from any to any port = 465 $fks
> # submission
> pass in quick on rl0 proto tcp from any to any port = 587 $fks
> # hp-alarm-mgr
> pass in quick on rl0 proto tcp from any to any port = 787 $fks
> # rndc
> pass in quick on rl0 proto tcp from any to any port = 953 $fks
> # imaps
> pass in quick on rl0 proto tcp from any to any port = 993 $fks
> # pop3s
> pass in quick on rl0 proto tcp from any to any port = 995 $fks
> # webmin
> pass in quick on rl0 proto tcp from any to any port = 10000 $fks
> #-----
> block return-rst in log quick on rl0 proto tcp from any to any
> block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
> block in log quick on rl0 all
> #-----
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> EOF
> ### end of /etc/ipf.rules ####
>
>
>
> <: 老音學生 :>
>
> ===
>
> "老音學生 Old Student" <goaway@nowhere.not> wrote in message news:L5RSe.85079$Hk.11007@pd7tw1no...
>> A question:
>> My server (FreeBSD) sits behind a router (and its firewall). It has only one NIC (IP e.g. 192.168.1.2), connected to the router (IP e.g. 192.168.1.1), which NATs to this FreeBSD server.
>> I want to start using a firewall on FreeBSD -
>> to limit the web server's bandwidth, especially since many spiders come by several times a day - otherwise the ISP complains every month,
>> and to block the bad IPs that come by and try random id/passwords,
>> and for whatever other protection it is said to give.
>>
>> I read the FreeBSD firewalls chapter
>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
>> and am wondering whether to use ipfilter (or together with ipfirewall - I hear the two do not conflict and can be used together) plus
>> AltQ.
>> I hear that for a beginner their rules are easier to pick up?
>>
>> My questions:
>> 1.
>> Is this the right approach?
>> 2.
>> Where can I find similar rules to copy?
>> That is: IPF (and IPFW, or AltQ) rules suitable for a server with only one NIC on an
>> intranet IP (192.168.x.x).
>>
>>
>> New to this,
>> please do not hesitate to advise.
>> Thanks
>>
>> <: 老音學生 :>
>
>