How to configure the FreeBSD firewall (ipfw) and open the SSH service


1. Configure the FreeBSD firewall

ee /etc/rc.conf   # edit the file, then add:

firewall_enable="YES"                # enable the firewall
net.inet.ip.fw.verbose=1             # enable firewall logging (this is a sysctl(8) knob; it belongs in /etc/sysctl.conf, the rc.conf equivalent is firewall_logging="YES")
net.inet.ip.fw.verbose_limit=5       # limit the number of log entries per rule (also a sysctl(8) knob, see above)
natd_enable="YES"                    # enable NAT via natd(8)
natd_interface="rl0"                 # public interface that natd attaches to
natd_flags="-dynamic -m"
firewall_script="/etc/ipfw.rules"    # path of the custom firewall rule script

Press ESC, then Enter (leave editor), then A (save changes) to save the configuration.
2. Add firewall rules

ee /etc/ipfw.rules   # edit the firewall rules file and add the following:

#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"     # public interface name of NIC
              # facing the public Internet

#################################################################
# No restrictions on inside LAN interface for private network
# Change xl0 to your LAN NIC interface name
#################################################################
$cmd 005 allow all from any to any via xl0

#################################################################
# No restrictions on loopback interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# Check if packet is inbound and NAT address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif

#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing public Internet (outbound section)
# Check session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#################################################################

# Allow out access to my ISP's domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup this line if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from me to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

#################################################################
# Interface facing public Internet (inbound section)
# Check packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP (commented out, see the note below)
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81  in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state

# Allow in standard www function because I have Apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif

# Reject & log all unauthorized outgoing connections to the public Internet
$cmd 450 deny log all from any to any out via $pif

# This is the skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################

Note: parameter description

#$cmd 300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP

My IP address is 192.168.21.173, which lies inside the 192.168.0.0/16 range, so this line is commented out here to allow connections from outside the network; otherwise the host cannot reach the network at all.

$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

This rule opens the default SSH port (22) to inbound connections, limited by "limit src-addr 2" to two simultaneous sessions per source address.
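The rules file above is easy to break while editing (a missing skipto target number, a rule inserted out of order, an inbound SSH rule that lost its per-source limit). The following lint script is an added example, not part of the original page; it reads a rules file written in the $cmd/$skip style shown above and reports those three problems on a constructed, shortened copy of the ruleset.

```shell
#!/bin/sh
# Added example, not part of the original page: lint an ipfw rules file
# written in the $cmd/$skip style used above. It checks that every skipto
# target rule exists, that rule numbers are strictly ascending, and that
# any rule allowing inbound tcp/22 carries a "limit src-addr" clause.
# Rules are inspected as text; nothing is loaded into the kernel.

# Constructed sample: a shortened copy of the ruleset above. To lint a real
# file run: lint_ipfw_rules /etc/ipfw.rules
SAMPLE_RULES='cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"
$cmd 010 allow all from any to any via lo0
$cmd 015 check-state
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
$cmd 400 deny log all from any to any in via $pif
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
$cmd 999 deny log all from any to any'

# lint_ipfw_rules [FILE]  (reads stdin when FILE is omitted)
# Prints one line per finding; exit status 0 when clean, 1 otherwise.
lint_ipfw_rules() {
    awk '
    BEGIN { bad = 0; last = -1; skipdef = "" }
    /^skip="skipto [0-9]+"/ { skipdef = $0; sub(/^skip="/, "", skipdef); sub(/"$/, "", skipdef); next }
    /^\$cmd [0-9]+ / {
        n = $2 + 0; rules[n] = 1; line = $0
        if (n <= last) { print "rule " n " is not ascending after rule " last; bad = 1 }
        last = n
        if (line ~ /\$skip/ && skipdef == "") { print "rule " n " uses $skip but skip= has no target number"; bad = 1 }
        sub(/\$skip/, skipdef, line)            # expand $skip to "skipto N"
        if (match(line, /skipto [0-9]+/)) { targets[substr(line, RSTART + 7, RLENGTH - 7) + 0] = n }
        if (line ~ /allow/ && line ~ / 22 in via / && line !~ /limit src-addr/) {
            print "rule " n " allows inbound ssh without limit src-addr"; bad = 1
        }
    }
    END {
        for (t in targets) if (!(t in rules)) {
            print "skipto target " t " (rule " targets[t] ") does not exist"; bad = 1
        }
        exit bad
    }' "$@"
}

printf '%s\n' "$SAMPLE_RULES" | lint_ipfw_rules && echo "sample ruleset is clean"
```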


3. Restart the network service so the firewall rules take effect

/etc/netstart            # restart networking
/etc/rc.d/ipfw start     # start the firewall
ipfw disable firewall    # turn the firewall off
ipfw enable firewall     # turn the firewall on
/etc/rc.d/ipfw restart   # restart the firewall
sh /etc/ipfw.rules       # (re)load the firewall rules


4. Open the SSH service

(1) ee /etc/inetd.conf   # edit the file and remove the # in front of the sshd line:

ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4   # note: this inetd entry (which also needs inetd_enable="YES") and the standalone sshd enabled in step (2) both bind port 22; use one or the other

(2) ee /etc/rc.conf   # edit the file and add at the end:

sshd_enable="YES"

(3) ee /etc/ssh/sshd_config   # edit the sshd configuration file:

PermitRootLogin yes          # allow root to log in
PasswordAuthentication yes   # use password authentication
PermitEmptyPasswords no      # do not allow logins with an empty password

/etc/rc.d/sshd start     # start the ssh service
/etc/rc.d/sshd restart   # restart ssh

Configuration is complete; you can now connect to the server with a remote client such as PuTTY.
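When editing sshd_config by hand, the value sshd actually uses is not always the one you just typed: keywords are case-insensitive, a line starting with # is a comment, the first occurrence of a keyword wins, and directives after a Match line apply only to matching connections. The following script is an added example, not part of the original page; it reports the effective global value of the three directives set above from a constructed sample config.

```shell
#!/bin/sh
# Added example, not part of the original page: report the value sshd will
# actually use for each directive edited above. Keywords are
# case-insensitive, "#" lines are comments, the first occurrence of a
# keyword wins, and directives after a "Match" line apply only to matching
# connections, so the scan stops there. Values may be separated from the
# keyword by whitespace or a single "=".

# Constructed sample: "#PermitRootLogin no" is only a comment, and the second
# PasswordAuthentication line is ignored because the first one wins.
SAMPLE_SSHD_CONFIG='#PermitRootLogin no
permitrootlogin Yes
PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
Match User backup
    PermitRootLogin no'

# effective_sshd_value KEYWORD  (reads an sshd_config on stdin)
# Prints the effective global value, or "unset" when sshd's built-in
# default applies.
effective_sshd_value() {
    awk -v want="$1" '
    BEGIN { want = tolower(want); found = "unset" }
    {
        sub(/^[ \t]+/, "")                      # strip leading indentation
        if ($0 ~ /^#/ || $0 == "") next         # comments and blank lines
        n = split($0, f, /[ \t=]+/)
        key = tolower(f[1])
        if (key == "match") exit                # end of the global section
        if (key == want && found == "unset" && n >= 2) found = f[2]
    }
    END { print found }'
}

# Print the effective setting for the three directives from the page.
for k in PermitRootLogin PasswordAuthentication PermitEmptyPasswords; do
    printf '%s = %s\n' "$k" "$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_sshd_value "$k")"
done
```

To check a live system, replace the sample with the real file: effective_sshd_value PermitRootLogin < /etc/ssh/sshd_config.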
#####################################################
Extended reading:

There are two ways to load a custom ipfw firewall rule set.

One is to set the variable firewall_type to the full path of a firewall rule file that contains ipfw(8) rules without the ipfw command itself, for example:

add allow in
add allow out

firewall_type parameter description:

open: allows all traffic to pass.
client: only protects this machine.
simple: protects the entire network.
closed: completely disables all IP traffic except on the loopback device.
UNKNOWN: prevents firewall rules from loading.
filename: the absolute path of a firewall rule file.

Example IPFW rule sets for these types are in the two files /etc/rc.firewall and /etc/rc.firewall6.

In addition, you can set the firewall_script variable to an executable script containing ipfw commands; that script is then run automatically at startup.

