1. Network environment

  1) Host A: runs FreeBSD 4.7 with three network cards, fxp0, xl0 and xl1.
     fxp0 is the external interface, IP x.x.x.x (the address my ISP assigned to me).
     xl0 is the internal interface for the general-purpose LAN, IP 192.168.0.1.
     xl1 is the internal interface for the service segment, IP 192.168.80.1.
  2) Host B: the host that serves WWW to the outside, IP 192.168.80.80.
  3) Host C: the host that serves FTP to the outside, IP 192.168.80.3.
  4) N other workstations.
2. Building the kernel

  1) # cd /sys/i386/conf
     # cp GENERIC kernel_IPF
  2) Edit kernel_IPF and add the following options (IPFILTER_DEFAULT_BLOCK makes the kernel drop any packet that no rule explicitly passes):
     options IPFILTER
     options IPFILTER_LOG
     options IPFILTER_DEFAULT_BLOCK
  3) # /usr/sbin/config kernel_IPF
     # cd ../../compile/kernel_IPF
     # make depend
     # make
     # make install
  4) Edit /etc/rc.conf and enable the following:
     defaultrouter="x.x.x.1"        (x.x.x.1 is the gateway provided by the ISP)
     gateway_enable="YES"
     ipfilter_enable="YES"
     ipnat_enable="YES"
  5) Restart the system: reboot
3. Configuring the firewall

  1) Set up address translation with ipnat. Create the file /etc/ipnat.rules with this content (the rdr targets are host B, 192.168.80.80, and host C, 192.168.80.3, from section 1; the plain map lines with no portmap handle protocols other than TCP/UDP):
     map fxp0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
     map fxp0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:30000
     map fxp0 192.168.0.0/24 -> 0/32
     map fxp0 192.168.80.0/24 -> 0/32 portmap tcp/udp 30001:60000
     map fxp0 192.168.80.0/24 -> 0/32
     rdr fxp0 x.x.x.x/32 port 80 -> 192.168.80.80 port 80
     rdr fxp0 x.x.x.x/32 port ftp -> 192.168.80.3 port ftp
     rdr fxp0 x.x.x.x/32 port 30001-50000 -> 192.168.80.3 port 30001 tcp

  2) Set up packet filtering with ipfilter. Create the file /etc/ipf.rules with this content:
     block in log quick all with short
     block in log quick all with ipopts
     block in log quick all with frag
     block in log quick all with opt lsrr
     block in log quick all with opt ssrr
     The five rules above drop short packets, packets carrying IP options or source-routing information, and fragments, all of which can cause security problems, and they also frustrate illegitimate scans of the server.

     pass out on xl0 all
     pass in on xl0 all
     pass out on xl1 all
     pass in on xl1 all
     pass out quick on lo0 all
     pass in quick on lo0 all
     The internal interfaces and the loopback interface may send and receive packets freely.

     block out on fxp0 all
     This blocks packets leaving through the external interface. It is not quick, so the pass out rules further down take precedence for the traffic they match (in ipfilter the last matching non-quick rule wins).

     block out log on fxp0 from any to 192.168.0.0/16
     block out log quick on fxp0 from any to 0.0.0.0/8
     block out log quick on fxp0 from any to 169.254.0.0/16
     block out log quick on fxp0 from any to 10.0.0.0/8
     block out log quick on fxp0 from any to 172.16.0.0/12
     block out log quick on fxp0 from any to 127.0.0.0/8
     block out log quick on fxp0 from any to 192.0.2.0/24
     block out log quick on fxp0 from any to 204.152.64.0/23
     block out log quick on fxp0 from any to 224.0.0.0/3
     These block outgoing packets addressed to invalid (unroutable) destinations.

     pass out log on fxp0 proto tcp/udp from any to any keep state
     pass out log on fxp0 proto icmp all keep state
     These allow TCP, UDP and ICMP packets out, and keep state so the replies are allowed back in to the internal network.

     block in log on fxp0 from 192.168.0.0/16 to any
     block in log quick on fxp0 from 10.0.0.0/8 to any
     block in log quick on fxp0 from 172.16.0.0/12 to any
     block in log quick on fxp0 from 127.0.0.0/8 to any
     block in log quick on fxp0 from 192.0.2.0/24 to any
     block in log quick on fxp0 from 169.254.0.0/16 to any
     block in log quick on fxp0 from 224.0.0.0/3 to any
     block in log quick on fxp0 from 204.152.64.0/23 to any
     block in log quick on fxp0 from x.x.x.x/32 to any
     block in log quick on fxp0 from any to x.x.x.0/32
     block in log quick on fxp0 from any to x.x.x.255/32
     These block packets arriving from the outside that carry an internal network address (or our own external address) as their source, so spoofed packets cannot be forwarded into the internal network, and drop packets aimed at the network and broadcast addresses.

     pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
     pass in quick on fxp0 proto tcp from any to any port = ftp flags S/SA keep state
     pass in quick on fxp0 proto tcp from any to any port = ftp-data flags S/SA keep state
     pass in quick on fxp0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state
     These allow WWW and FTP in, and allow the FTP data (passive) port range to be forwarded.

     block in on fxp0 all
     This denies every other incoming connection on fxp0. It is deliberately not quick: a quick block here would stop rule processing and the ICMP, return-rst and return-icmp rules below would never be reached.

     block in log quick on fxp0 proto icmp from any to any icmp-type redir
     block in log quick on fxp0 proto icmp from any to any
     block in log quick on fxp0 proto icmp from any to any icmp-type echo
     These stop outsiders from pinging my network.

     block return-rst in log on fxp0 proto tcp from any to any flags S/SA
     block return-icmp(net-unr) in log on fxp0 proto udp from any to any
     For any other TCP request the firewall answers with an RST packet that closes the connection; for UDP requests it answers with an ICMP network-unreachable.

     Alternatively, add the following to /etc/sysctl.conf:
     net.inet.tcp.blackhole=2
     net.inet.udp.blackhole=1
     With these the host silently drops packets to closed ports instead of answering, which effectively frustrates port scans.

  3) Then edit /etc/rc.conf and add the following so that ipfilter and ipnat are loaded automatically at boot (the rules file is named with ipfilter_rules; a bare ipf command line is not an rc.conf setting):
     ipfilter_enable="YES"
     ipfilter_rules="/etc/ipf.rules"
     ipfilter_flags="-E"
     ipnat_enable="YES"
     ipnat_program="/sbin/ipnat -CF -f"
     ipnat_rules="/etc/ipnat.rules"
     ipmon_enable="YES"
     ipmon_flags="-D /var/log/ipfilter.log"

  4) Create the file ipfilter.log under /var/log/ and change its mode to 755. Your firewall log is then written to /var/log/ipfilter.log, where you can inspect it at any time.
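The inbound and outbound bogon lists in ipf.rules are typed by hand, so an added consistency check is useful; the script below is written for this article, not taken from it. It parses rules in the shape used above and reports prefixes with host bits set and networks that are blocked in only one direction. The rule excerpt embedded in it is constructed for the demonstration and deliberately contains both kinds of slip.

```python
import ipaddress
import re

# Constructed ipf.rules excerpt in the style of the article (not the article's own file).
# It carries two slips of the kind that creep into hand-typed bogon lists: a prefix with
# host bits set (169.254.0.0/8 masks to 169.0.0.0/8, not the link-local block) and
# networks blocked in one direction only (127.16.0.0/12 was meant to be 172.16.0.0/12).
RULES = """\
block out log quick on fxp0 from any to 10.0.0.0/8
block out log quick on fxp0 from any to 169.254.0.0/8
block out log quick on fxp0 from any to 127.16.0.0/12
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 169.254.0.0/16 to any
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
"""

# Matches the "block in|out ... on IFC from SRC to DST" shape used for the bogon rules.
RULE_RE = re.compile(
    r"^block\s+(?P<dir>in|out)\b.*?\bon\s+(?P<ifc>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)

def audit_bogon_rules(text, ifc="fxp0"):
    """Return (problems, in_only, out_only): malformed prefixes, networks blocked only as
    inbound sources, and networks blocked only as outbound destinations."""
    blocked = {"in": set(), "out": set()}
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if not m or m["ifc"] != ifc:
            continue
        # Inbound rules name the spoofed source; outbound rules name the leaked destination.
        net_text = m["src"] if m["dir"] == "in" else m["dst"]
        if net_text == "any":
            continue
        try:
            net = ipaddress.ip_network(net_text, strict=True)
        except ValueError:
            covered = ipaddress.ip_network(net_text, strict=False)
            problems.append(f"line {lineno}: {net_text} has host bits set; the mask covers {covered}")
            continue
        blocked[m["dir"]].add(net)
    in_only = sorted(str(n) for n in blocked["in"] - blocked["out"])
    out_only = sorted(str(n) for n in blocked["out"] - blocked["in"])
    return problems, in_only, out_only

if __name__ == "__main__":
    for label, items in zip(("malformed", "inbound only", "outbound only"), audit_bogon_rules(RULES)):
        print(f"{label}: {items}")
```

Run it against the real /etc/ipf.rules by reading the file into audit_bogon_rules; any network reported in only one direction is a candidate for a typo or a missing rule.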
4. Configuring the FTP server to support passive (PASV) connections

  The passive port range must match the rdr rule in ipnat.rules and the port 30000 >< 50001 pass rule in ipf.rules from section 3.

  1) ProFTPD: edit your proftpd.conf and add:
     MasqueradeAddress x.x.x.x
     PassivePorts 30001 50000
  2) Pure-FTPd: edit your FTP configuration file and add:
     PassivePortRange 30001 50000
     ForcePassiveIP x.x.x.x
  3) Serv-U:
     a) Under "Local Server" -> "Settings" -> "Advanced" -> "PASV port range", enter 30001 50000.
     b) Under "Domains" -> the domain you created -> "Settings" -> "Advanced", tick "Allow passive mode transfers" and enter x.x.x.x under "Use IP".