1. Configure the FreeBSD firewall
ee /etc/rc.conf   # edit the file, then add the following
firewall_enable="YES"               # turn on the firewall
net.inet.ip.fw.verbose=1            # enable firewall logging
net.inet.ip.fw.verbose_limit=5      # cap the number of log entries per rule
natd_enable="YES"                   # turn on NAT for the firewall
natd_interface="rl0"                # the public-facing NIC
natd_flags="-dynamic -m"
firewall_script="/etc/ipfw.rules"   # path to the custom firewall rule file
Note: the two net.inet.ip.fw.* lines are sysctl(8) variables rather than rc.conf knobs; they belong in /etc/sysctl.conf, or use rc.conf's firewall_logging="YES", which sets net.inet.ip.fw.verbose=1 for you.
Press ESC, then Enter, then a to save the configuration and leave the editor.
2. Add the firewall rules
ee /etc/ipfw.rules   # edit the firewall rule file and add the following
The rule set below follows the IPFW example rule set from the FreeBSD Handbook; the port numbers and comments are restored from that example where the copy above had lost them.

#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"     # public interface name of NIC
              # facing the public Internet

#################################################################
# No restrictions on Inside LAN interface for private network
# Change xl0 to your LAN NIC interface name
#################################################################
$cmd 005 allow all from any to any via xl0

#################################################################
# No restrictions on loopback interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# Check if packet is inbound and NAT address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif

#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing public Internet (outbound section)
# Check session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#################################################################

# Allow out access to my ISP's domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup this line if your ISP has more than one DNS server
# Get the IP addresses from the /etc/resolv.conf file
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out NNTP news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow NTP time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

#################################################################
# Interface facing public Internet (inbound section)
# Check packets originating from the public Internet
# destined to this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
# Rule 300 is commented out on this host; see the note below.
#$cmd 300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif   #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif      #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif     #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif       #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif    #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif     #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all NetBIOS services. 137=name, 138=datagram, 139=session
# NetBIOS is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state

# Allow in standard www function because I have an Apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have a Telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif

# Reject & log all unauthorized outgoing connections to the public Internet
$cmd 450 deny log all from any to any out via $pif

# This is the skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################
Note on the parameters:
# $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
My IP address is 192.168.21.173, which falls inside the 192.168.0.0/16 range, so this line is commented out to allow connections from outside the LAN; otherwise the host cannot reach the network at all.
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
This rule opens the default SSH port (22) to inbound connections; limit src-addr 2 caps each source address at two simultaneous connections.
3. Restart the network service so the firewall rules take effect
/etc/netstart            # restart the network
/etc/rc.d/ipfw start     # start the firewall
ipfw disable firewall    # turn the firewall off
ipfw enable firewall     # turn the firewall on
/etc/rc.d/ipfw restart   # restart the firewall
sh /etc/ipfw.rules       # load the firewall rules
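A dry-run check for the rules file, added here as an example (it is not from the page or from FreeBSD): it runs the script with a stand-in ipfw that only records the rules, then verifies that rule numbers stay in order, that every skipto target (800 above) is a defined rule, and that a deny-all catch-all like rule 999 exists. The temporary paths and the small sample rule set it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example: dry-run lint for an ipfw rules script such as /etc/ipfw.rules.
# A fake "ipfw" placed first on PATH records every rule the script would add; awk then
# checks ordering, skipto targets and the presence of a deny-all rule. Sample rules are constructed.

lint_ipfw_rules() {    # usage: lint_ipfw_rules FILE ; returns 0 if consistent, 1 with findings
    shim=$(mktemp -d) || return 2
    cat > "$shim/ipfw" <<EOF
#!/bin/sh
[ "\$1" = "-q" ] && shift
printf '%s\n' "\$*" >> "$shim/rules.log"
EOF
    chmod +x "$shim/ipfw"
    : > "$shim/rules.log"
    PATH="$shim:$PATH" sh "$1" >/dev/null 2>&1    # run the rules file against the shim
    status=0
    awk 'BEGIN { bad = 0; last = 0 }
         $1 == "add" && $2 ~ /^[0-9]+$/ {
             n = $2 + 0
             if (n < last) { printf "rule %d is listed after rule %d\n", n, last; bad = 1 }
             last = n; defined[n] = 1
             for (i = 3; i < NF; i++) if ($i == "skipto") target[$(i + 1) + 0] = n
             if ($3 == "deny" && $(NF-4) ~ /^(all|ip)$/ && $(NF-3) == "from" && $(NF-2) == "any" && $NF == "any" && NF <= 9) catchall = 1
         }
         END {
             for (t in target) if (!(t in defined)) {
                 printf "rule %d skips to undefined rule %d\n", target[t], t; bad = 1
             }
             if (!catchall) { print "no deny-all catch-all rule"; bad = 1 }
             exit bad
         }' "$shim/rules.log" || status=$?
    rm -rf "$shim"
    return $status
}

write_sample_rules() {    # constructed sample in the same shape as /etc/ipfw.rules
    cat > "$1" <<'EOF'
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"
$cmd 010 allow all from any to any via lo0
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 400 deny log all from any to any in via $pif
$cmd 800 allow ip from any to any
$cmd 999 deny log all from any to any
EOF
}
f=$(mktemp) && write_sample_rules "$f" && lint_ipfw_rules "$f" && echo "rules are consistent"; rm -f "$f"
```

Run it as `lint_ipfw_rules /etc/ipfw.rules` before `sh /etc/ipfw.rules`; a typo in the skipto target would otherwise only surface as ipfw refusing that rule while the rest load.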
4. Enable the SSH service
(1) ee /etc/inetd.conf   # edit the file and remove the # in front of the sshd line
ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4
(2) ee /etc/rc.conf   # edit the file and add at the end
sshd_enable="YES"
(3) ee /etc/ssh/sshd_config   # edit the configuration file
PermitRootLogin yes          # allow root to log in
PasswordAuthentication yes   # use password authentication
PermitEmptyPasswords no      # do not allow logins with an empty password
/etc/rc.d/sshd start     # start the ssh service
/etc/rc.d/sshd restart   # restart ssh
Note that rule 380 admits port 22 on the public interface, so PermitRootLogin yes combined with password authentication leaves root reachable by password guessing from the Internet; limit src-addr 2 bounds concurrent connections per source address, not login attempts.
Configuration is complete; you can now connect to the server with a remote client such as PuTTY.
#####################################################
Extended reading:
There are two ways to load a custom ipfw firewall rule set.
One is to set the variable firewall_type to the full path of a firewall rule file that contains ipfw(8) rules without the leading ipfw command, for example:
add allow in
add allow out
Predefined values of firewall_type:
open── allows all traffic to pass.
client── only protects this machine.
simple── protects the entire network.
closed── completely disables all IP traffic except on the loopback device.
UNKNOWN── prevents any firewall rules from loading.
filename── the absolute path of a firewall rule file.
Example IPFW rule sets are in these two files:
/etc/rc.firewall
/etc/rc.firewall6
In addition, you can set the firewall_script variable to an executable script containing ipfw commands, so that the script runs automatically at startup.
#####################################################