#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"     # public interface name of NIC
              # facing the public Internet

#################################################################
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#################################################################
$cmd 005 allow all from any to any via xl0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif

#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Check session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

#################################################################
# Interface facing Public Internet (Inbound Section)
# Check packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state

# Allow in standard www function because I have Apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif

# Reject & Log all unauthorized outgoing connections to the public Internet
$cmd 450 deny log all from any to any out via $pif

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################
Note: explanation of the parameters:
#$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
My IP address is 192.168.21.173, which falls within the 192.168.0.0/16 range, so this line has to be commented out here to allow connections to the outside network; otherwise the host cannot get online.
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
This opens the default SSH port, 22.
3. Restart the network service so that the firewall rules take effect.
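Before restarting the network with a new ruleset, it is worth checking the file offline, because a rule file with a mistyped number or a `skipto` that points nowhere can lock you out of the gateway. The following is an added example, not part of the FreeBSD handbook ruleset or of this post: a POSIX sh lint that executes a rules file with a stub `ipfw` placed first on PATH, so the shell resolves `$cmd`, `$skip` and `$pif` exactly as it would on the firewall, and then checks the recorded rules for ordering, dangling `skipto` targets and a final explicit deny. The function names (`write_sample_rules`, `record_ipfw_calls`, `lint_ipfw_rules`) and the short sample ruleset are constructed for this example; it assumes the rule prefix is `ipfw -q add` (or `ipfw add`) as in the file above.

```shell
#!/bin/sh
# Added example; not part of the FreeBSD handbook ruleset above.
# Lints an IPFW rules file offline: the file is executed with a stub "ipfw"
# first on PATH that records each invocation instead of loading it, so the
# $cmd/$skip/$pif expansions are resolved by the shell exactly as they would
# be on the firewall. Assumes the rule prefix is "ipfw -q add" or "ipfw add".

# Write a constructed sample ruleset in the same shape as the page's file.
# $1 = destination path.
write_sample_rules() {
    cat > "$1" <<'EOF'
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"
$cmd 015 check-state
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 400 deny log all from any to any in via $pif
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
$cmd 999 deny log all from any to any
EOF
}

# Run a rules file against the stub and print one line per ipfw invocation
# (arguments only, e.g. "-q add 015 check-state"). $1 = rules file path.
record_ipfw_calls() {
    ric_dir=$(mktemp -d) || return 1
    ric_log="$ric_dir/calls.log"
    # The stub appends its argument list to the log and exits successfully.
    printf '#!/bin/sh\nprintf "%%s\\n" "$*" >> "%s"\n' "$ric_log" > "$ric_dir/ipfw"
    chmod +x "$ric_dir/ipfw"
    : > "$ric_log"
    PATH="$ric_dir:$PATH" sh "$1" >/dev/null 2>&1
    cat "$ric_log"
    rm -rf "$ric_dir"
}

# Check the recorded "add" rules. Returns 0 when every check passes, 1
# otherwise, printing one line per finding:
#   - rule numbers must be non-decreasing, so the file reads in evaluation order;
#   - every "skipto N" must point forward and a rule numbered >= N must exist
#     (ipfw resumes at the first rule numbered N or higher);
#   - the final rule must be an explicit deny so nothing falls through silently.
lint_ipfw_rules() {
    record_ipfw_calls "$1" |
        sed -n -e 's/^-q add //p' -e 's/^add //p' |
        awk '
        { num[NR] = $1 + 0; line[NR] = $0
          for (i = 1; i < NF; i++) if ($i == "skipto") target[NR] = $(i + 1) + 0 }
        END {
            ok = 1; maxnum = 0
            for (i = 1; i <= NR; i++) if (num[i] > maxnum) maxnum = num[i]
            for (i = 2; i <= NR; i++)
                if (num[i] < num[i - 1]) { print "out of order: " line[i]; ok = 0 }
            for (i in target) {
                if (target[i] <= num[i])
                    { print "skipto does not go forward: " line[i]; ok = 0 }
                else if (target[i] > maxnum)
                    { print "no rule at or beyond skipto target: " line[i]; ok = 0 }
            }
            if (NR == 0 || line[NR] !~ /^[0-9]+ deny/)
                { print "last rule is not an explicit deny"; ok = 0 }
            exit (ok ? 0 : 1)
        }'
}

# Demo: lint the constructed sample; prints an "ok" line when it is clean.
demo_rules=$(mktemp) && write_sample_rules "$demo_rules"
if lint_ipfw_rules "$demo_rules"; then echo "ok: $demo_rules passes"; fi
rm -f "$demo_rules"
```

Run it as `lint_ipfw_rules /etc/ipfw.rules` on the gateway before the network restart; because only the stub is ever invoked, the kernel ruleset is untouched while the check runs, and the real file is still loaded by the normal rc mechanism afterwards.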