歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Unix知識 >> Unix基礎知識

FreeBSD配置防火牆開啟SSH服務的方法

1、配置FreeBSD 防火牆
ee /etc/rc.conf   #編輯,在最後添加
firewall_enable="yes"  #開啟防火牆
net.inet.ip.fw.verbose=1   #啟用防火牆日志功能
net.inet.ip.fw.verbose_limit=5  #啟用防火牆日志功能
natd_enable="YES"  # 開啟防火牆NAT功能
natd_inter     
natd_flags="-dynamic -m"
firewall_script="/etc/ipfw.rules"      #自定義防火牆規則路徑
按esc,回車,再按a保存配置
2、添加防火牆規則

ee /etc/ipfw.rules    #編輯防火牆規則,添加以下代碼

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

#!/bin/sh

################ Start of IPFW rules file ######################

# Flush out the list before we begin.

ipfw -q -f flush

 

# Set rules command prefix

cmd="ipfw -q add"

skip="skipto 800"

pif="rl0"     # public interface name of NIC

              # facing the public Internet

 

#################################################################

# No restrictions on Inside LAN Interface for private network

# Change xl0 to your LAN NIC interface name

#################################################################

$cmd 005 allow all from any to any via xl0

 

#################################################################

# No restrictions on Loopback Interface

#################################################################

$cmd 010 allow all from any to any via lo0

 

#################################################################

# check if packet is inbound and nat address if it is

#################################################################

$cmd 014 divert natd ip from any to any in via $pif

 

#################################################################

# Allow the packet through if it has previous been added to the

# the "dynamic" rules table by a allow keep-state statement.

#################################################################

$cmd 015 check-state

 

#################################################################

# Interface facing Public Internet (Outbound Section)

# Check session start requests originating from behind the

# firewall on the private network or from this gateway server

# destined for the public Internet.

#################################################################

 

# Allow out access to my ISP's Domain name server.

# x.x.x.x must be the IP address of your ISP's DNS

# Dup these lines if your ISP has more than one DNS server

# Get the IP addresses from /etc/resolv.conf file

$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.

$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state

 

# Allow out non-secure standard www function

$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

 

# Allow out secure www function https over TLS SSL

$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

 

# Allow out send & get email function

$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state

$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

 

# Allow out FreeBSD (make install & CVSUP) functions

# Basically give user root "GOD" privileges.

$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

 

# Allow out ping

$cmd 080 $skip icmp from any to any out via $pif keep-state

 

# Allow out Time

$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

 

# Allow out nntp news (i.e. news groups)

$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

 

# Allow out secure FTP, Telnet, and SCP

# This function is using SSH (secure shell)

$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

 

# Allow out whois

$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

 

# Allow ntp time server

$cmd 130 $skip udp from any to any 123 out via $pif keep-state

 

#################################################################

# Interface facing Public Internet (Inbound Section)

# Check packets originating from the public Internet

# destined for this gateway server or the private network.

#################################################################

 

# Deny all inbound traffic from non-routable reserved address spaces

#$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP

$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP

$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP

$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback

$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback

$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config

$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs

$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster

$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast

 

# Deny ident

$cmd 315 deny tcp from any to any 113 in via $pif

 

# Deny all Netbios service. 137=name, 138=datagram, 139=session

# Netbios is MS/Windows sharing services.

# Block MS/Windows hosts2 name server requests 81

$cmd 320 deny tcp from any to any 137 in via $pif

$cmd 321 deny tcp from any to any 138 in via $pif

$cmd 322 deny tcp from any to any 139 in via $pif

$cmd 323 deny tcp from any to any 81  in via $pif

 

# Deny any late arriving packets

$cmd 330 deny all from any to any frag in via $pif

 

# Deny ACK packets that did not match the dynamic rule table

$cmd 332 deny tcp from any to any established in via $pif

 

# Allow traffic in from ISP's DHCP server. This rule must contain

# the IP address of your ISP's DHCP server as it's the only

# authorized source to send this packet type.

# Only necessary for cable or DSL configurations.

# This rule is not needed for 'user ppp' type connection to

# the public Internet. This is the same IP address you captured

# and used in the outbound section.

$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state

 

# Allow in standard www function because I have Apache server

$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

 

# Allow in secure FTP, Telnet, and SCP from public Internet

$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

 

# Allow in non-secure Telnet session from public Internet

# labeled non-secure because ID & PW are passed over public

# Internet as clear text.

# Delete this sample group if you do not have telnet server enabled.

$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

 

# Reject & Log all unauthorized incoming connections from the public Internet

$cmd 400 deny log all from any to any in via $pif

 

# Reject & Log all unauthorized out going connections to the public Internet

$cmd 450 deny log all from any to any out via $pif

 

# This is skipto location for outbound stateful rules

$cmd 800 divert natd ip from any to any out via $pif

$cmd 801 allow ip from any to any

 

# Everything else is denied by default

# deny and log all packets that fell through to see what they are

$cmd 999 deny log all from any to any

################ End of IPFW rules file ###############################

 

   

備注:參數說明:
#$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
我的IP地址是192.168.21.173,是屬於192.168.0.0/16 IP段,所以這裡要注釋掉這一行,允許連接外網,否則主機無法聯網。
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
是開啟SSH默認端口22

3、重啟網絡服務,使防火牆規則生效

/etc/netstart  #重啟網絡
/etc/rc.d/ipfw start     #開啟防火牆
ipfw disable firewall    #關閉防火牆
ipfw enable firewall   #開啟防火牆
/etc/rc.d/ipfw  restart   #重啟防火牆
sh /etc/ipfw.rules     #使防火牆規則生效
4、開啟SSH服務
(1)ee  /etc/inetd.conf  #編輯,去掉sshd前面的#
ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i -4
(2)ee  /etc/rc.conf   #編輯,在最後添加
sshd_enable="yes"  
(3)ee  /etc/ssh/sshd_config  #編輯配置文件
PermitRootLogin yes   #允許root登錄
PasswordAuthentication yes    #使用密碼驗證
PermitEmptyPasswords no   #不允許空密碼登錄
/etc/rc.d/sshd start  #啟動ssh服務
/etc/rc.d/sshd restart    #重啟ssh
配置完成,現在已經可以使用Putty等遠程連接工具連接服務器了。
#####################################################
擴展閱讀:

有兩種加載自定義 ipfw 防火牆規則的方法。
其一是將變量 firewall_type 設為包含不帶 ipfw(8) 命令行選項的 防火牆規則 文件的完整路徑。
例如:
add allow in
add allow out
firewall_type="open"參數說明
open ── 允許所有流量通過。
client ── 只保護本機。
simple ── 保護整個網絡。
closed ── 完全禁止除回環設備之外的全部 IP 流量。
UNKNOWN ── 禁止加載防火牆規則。
filename ── 到防火牆規則文件的絕對路徑。
IPFW防火牆規則集樣例在這兩個文件中
/etc/rc.firewall
/etc/rc.firewall6
除此之外, 也可以將 firewall_script 變量設為包含 ipfw 命令的可執行腳本, 這樣這個腳本會在啟動時自動執行。
Copyright © Linux教程網 All Rights Reserved