人人妻人人澡人人爽欧美精品,天天爽夜夜爽人人爽一区二区 ,国产在线一区二区三区在线

使用IPFILTER設(shè)置小型企業(yè)防火墻系統(tǒng)
作者：peijun.jiang
一、網(wǎng)絡(luò)環(huán)境
1、主機(jī)A：安裝FreeBSD4.7，安裝三塊網(wǎng)卡fxp0、xl0和xl1 。
fxp0為對(duì)外網(wǎng)卡，IP：x.x.x.x ISP為我提供的IP地址
xl0為對(duì)內(nèi)公共區(qū)域網(wǎng)卡，IP：192.168.0.1
xl1為對(duì)內(nèi)服務(wù)提供區(qū)域網(wǎng)卡，IP：192.168.80.1
2、主機(jī)B：對(duì)外提供www服務(wù)主機(jī)，ip地址為：192.168.80.80
3、主機(jī)C：對(duì)外提供ftp服務(wù)主機(jī)，ip：192.168.80.3 。
4、其他工作站N臺(tái) 。
二、編譯內(nèi)核

1、#cd /sys/i386/conf
#cp GENERIC kernel_IPF

2、編譯kernel_IPF,加入一下選項(xiàng)：
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

3、#/usr/sbin/config kernel_IPF
#cd ../../compile/kernel_IPF
#make kepend
#make
#make install

4、編輯/etc/rc.rc.conf,打開(kāi)以下選項(xiàng)：
defaultrouter="x.x.x.1" x.x.x.1為ISP提供的網(wǎng)關(guān)
gateway_enable="YES"
ipfilter_enable＝"YES"
ipnat_enable="YES"
5、重新啟動(dòng)系統(tǒng)：reboot
三、配置防火墻

1、設(shè)置地址轉(zhuǎn)換ipnat 。在/etc下新建文件ipnat.rules,內(nèi)容為：
map fxp0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:30000
map fxp0 192.168.0.0/24 -> 0/32
map fxp0 192.168.80.0/24 -> 0/32 portmap tcp/udp 300001:60000
map fxp0 192.168.80.0/24 -> 0/32 portmap
rdr fxp0 x.x.x.x/32 port 80 -> 192.168.0.2 port 80
rdr fxp0 x.x.x.x/32 port ftp -> 192.168.0.3 port ftp
rdr fxp0 x.x.x.x/32 port 30001-50000 -> 192.168.80.3 port 30001 tcp

2、設(shè)置包過(guò)濾ipfilter 。在/etc下新建文件ipf.rules,內(nèi)容為：
block in log quick all with short
block in log quick all with ipopts
block in log quick all with frag
block in log quick all with opt lsrr
block in log quick all with opt ssrr

以上五句為過(guò)濾掉可能會(huì)帶來(lái)安全問(wèn)題的短數(shù)據(jù)包或具備路由信息的數(shù)據(jù)包以及防止非法掃描服務(wù)器

pass out on xl0 all
pass in on xlo all
pass out on xl1 all
pass in on xl1 all
pass out quick on lo0 all
pass in quick on lo0 all
以上為內(nèi)部網(wǎng)絡(luò)界面和loopback網(wǎng)絡(luò)界面可以自由發(fā)送和接受數(shù)據(jù)包

block out on fxp0 all
以上為屏蔽外部網(wǎng)絡(luò)界面向外發(fā)送數(shù)據(jù)包

block out log on fxp0 from any to 192.168.0.0/16
block out log quick on fxp0 from any to 0.0.0.0/8
block out log quick on fxp0 from any to 169.254.0.0/8
block out log quick on fxp0 from any to 10.0.0.0/8
block out log quick on fxp0 from any to 127.16.0.0/12
block out log quick on fxp0 from any to 127.0.0.0/8
block out log quick on fxp0 from any to 192.0.2.0/24
block out log quick on fxp0 from any to 204.152.64.0/23
block out log quick on fxp0 from any to 224.0.0.0/3
以上為屏蔽不合法地址的輸出數(shù)據(jù)

pass out log on fxp0 proto tcp/udp from any to any keep state
pass out log on fxp0 proto icmp all keep state
以上為允許TCP 、UDP、ICMP數(shù)據(jù)包向外發(fā)送出去，并且允許回應(yīng)數(shù)據(jù)包發(fā)送回到內(nèi)部網(wǎng)絡(luò)

block in log on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from 169.254.0.0/16 to any
block in log quick on fxp0 from 224.0.0.0/3 to any
block in log quick on fxp0 from 204.152.64.0/23 to any
block in log quick on fxp0 from x.x.x.x/32 to any
block in log quick on fxp0 from any to x.x.x.0/32
block in log quick on fxp0 from any to x.x.x.255/32
以上為屏蔽具備內(nèi)部網(wǎng)絡(luò)地址的數(shù)據(jù)包被轉(zhuǎn)發(fā)到外部網(wǎng)絡(luò)

pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp-data flags S/SA keep state

使用IPFILTER設(shè)置小型企業(yè)防火墻系統(tǒng)

推薦閱讀

武則天的祖籍

車輛識(shí)別代號(hào)是不是車架號(hào) 你知道嗎？

清明上河圖的作者清明上河圖的作者簡(jiǎn)介

ubuntu下如何安裝qq ubuntu下如何安裝cmake

買超張嘉倪唱的什么歌

掌握施肥規(guī)律防止冬小麥長(zhǎng)勢(shì)差

怎么判別翡翠觀音，翡翠玉觀音怎么看真假

肋骨鼻手術(shù)幾天拆線

被隔離會(huì)沒(méi)收電話嗎

劉伯溫為何反對(duì)朱元璋在“鳳陽(yáng)”定都？“殷家澗”的名字怎么來(lái)的？

什么叫專業(yè)志愿優(yōu)先,什么是分?jǐn)?shù)優(yōu)先

戰(zhàn)國(guó)有什么,481年春秋戰(zhàn)國(guó)史

狗狗幾歲停月經(jīng)

什么是世界格局兩極化

xt4和xt5的區(qū)別是什么

BTD如何出售金幣