1. Configure FreeBSD firewall ee/etc/rc. conf # edit. Add firewall_enable = & quot; yes & quot; # Enable Firewall net. inet. ip. fw. verbose = 1 # enable the firewall log function. net. inet. ip. fw. verbose_limit = 5 & nbsp
1. Configure FreeBSD Firewall
Ee/etc/rc. conf # edit and add
Firewall_enable = "yes" # Enable Firewall
Net. inet. ip. fw. verbose = 1 # enable the firewall log function
Net. inet. ip. fw. verbose_limit = 5 # enable the firewall log function
Natd_enable = "YES" # enable the NAT Function of the firewall
Natd_interface = "rl0"
Natd_flags = "-dynamic-m"
Firewall_script = "/etc/ipfw. rules" # customize the firewall rule path
Press esc, press enter, and then press a to save the configuration.
2. Add firewall rules
Ee/etc/ipfw. rules # edit firewall rules and add the following code
#!/bin/sh################ Start of IPFW rules file ####################### Flush out the list before we begin.ipfw -q -f flush# Set rules command prefixcmd="ipfw -q add"skip="skipto 800"pif="rl0" # public interface name of NIC # facing the public Internet################################################################## No restrictions on Inside LAN Interface for private network# Change xl0 to your LAN NIC interface name#################################################################$cmd 005 allow all from any to any via xl0################################################################## No restrictions on Loopback Interface#################################################################$cmd 010 allow all from any to any via lo0################################################################## check if packet is inbound and nat address if it is#################################################################$cmd 014 divert natd ip from any to any in via $pif################################################################## Allow the packet through if it has previous been added to the# the "dynamic" rules table by a allow keep-state statement.#################################################################$cmd 015 check-state################################################################## Interface facing Public Internet (Outbound Section)# Check session start requests originating from behind the# firewall on the private network or from this gateway server# destined for the public Internet.################################################################## Allow out access to my ISP's Domain name server.# x.x.x.x must be the IP address of your ISP's DNS# Dup these lines if your ISP has more than one DNS server# Get the IP addresses from /etc/resolv.conf file$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state# Allow out access to my ISP's DHCP server for cable/DSL configurations.$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state# Allow out non-secure standard www function$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state# Allow out secure www function https over TLS SSL$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state# Allow out send & get email function$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state# Allow out FreeBSD (make install & CVSUP) functions# Basically give user root "GOD" privileges.$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root# Allow out ping$cmd 080 $skip icmp from any to any out via $pif keep-state# Allow out Time$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state# Allow out nntp news (i.e. news groups)$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state# Allow out secure FTP, Telnet, and SCP# This function is using SSH (secure shell)$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state# Allow out whois$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state# Allow ntp time server$cmd 130 $skip udp from any to any 123 out via $pif keep-state################################################################## Interface facing Public Internet (Inbound Section)# Check packets originating from the public Internet# destined for this gateway server or the private network.################################################################## Deny all inbound traffic from non-routable reserved address spaces#$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast# Deny ident$cmd 315 deny tcp from any to any 113 in via $pif# Deny all Netbios service. 137=name, 138=datagram, 139=session# Netbios is MS/Windows sharing services.# Block MS/Windows hosts2 name server requests 81$cmd 320 deny tcp from any to any 137 in via $pif$cmd 321 deny tcp from any to any 138 in via $pif$cmd 322 deny tcp from any to any 139 in via $pif$cmd 323 deny tcp from any to any 81 in via $pif# Deny any late arriving packets$cmd 330 deny all from any to any frag in via $pif# Deny ACK packets that did not match the dynamic rule table$cmd 332 deny tcp from any to any established in via $pif# Allow traffic in from ISP's DHCP server. This rule must contain# the IP address of your ISP's DHCP server as it's the only# authorized source to send this packet type.# Only necessary for cable or DSL configurations.# This rule is not needed for 'user ppp' type connection to# the public Internet. This is the same IP address you captured# and used in the outbound section.$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state# Allow in standard www function because I have Apache server$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2# Allow in secure FTP, Telnet, and SCP from public Internet$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2# Allow in non-secure Telnet session from public Internet# labeled non-secure because ID & PW are passed over public# Internet as clear text.# Delete this sample group if you do not have telnet server enabled.$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2# Reject & Log all unauthorized incoming connections from the public Internet$cmd 400 deny log all from any to any in via $pif# Reject & Log all unauthorized out going connections to the public Internet$cmd 450 deny log all from any to any out via $pif# This is skipto location for outbound stateful rules$cmd 800 divert natd ip from any to any out via $pif$cmd 801 allow ip from any to any# Everything else is denied by default# deny and log all packets that fell through to see what they are$cmd 999 deny log all from any to any################ End of IPFW rules file ###############################
Note: parameter description:
# $ Cmd 300 deny all from 192.168.0.0/16 to any in via $ pif # RFC 1918 private IP
My IP address is 192.168.21.173, which belongs to the IP address segment 192.168.0.0/16. Therefore, comment out this line to allow Internet connection. Otherwise, the host cannot be connected to the Internet.
$ Cmd 380 allow tcp from any to me 22 in via $ pif setup limit src-addr 2
Yes. The default SSH port 22 is enabled.
3. Restart the network service to make the firewall rules take effect.
System O & M www.osyunwei.com reminder: qihang01 original content is copyrighted. For more information, see the source and original article links.
/Etc/netstart # restart the network
/Etc/rc. d/ipfw start # Enable Firewall
Ipfw disable firewall # disable firewall
Ipfw enable firewall # enable firewall
/Etc/rc. d/ipfw restart # restart the Firewall
Sh/etc/ipfw. rules # Enable Firewall rules to take effect
4. Enable the SSH service
(1) ee/etc/inetd. conf # edit, remove #
Ssh stream tcp nowait root/usr/sbin/sshd-I-4
(2) ee/etc/rc. conf # edit and add
Sshd_enable = "yes"
(3) ee/etc/ssh/sshd_config # edit the configuration file
PermitRootLogin yes # Allow root Login
PasswordAuthentication yes # password verification
PermitEmptyPasswords no # empty password login not allowed
/Etc/rc. d/sshd start # start the ssh service
/Etc/rc. d/sshd restart # restart ssh
After the configuration is complete, you can use Putty and other remote connection tools to connect to the server.
######################################## #############
Additional reading:
There are two ways to load custom ipfw firewall rules.
The first is to set the variable firewall_type to include without ipfw (8)CommandThe complete path of the firewall rule file.
For example:
Add allow in
Add allow out
Firewall_type = "open" parameter description
Open ── allow all traffic to pass.
Client -- only protects the local machine.
Simple ── protect the entire network.
Closed-completely disables all IP traffic except the loopback device.
UNKNOWN-Disable loading firewall rules.
Filename ── the absolute path to the firewall rule file.
The IPFW firewall rule set example is in the two files.
/Etc/rc. firewall
/Etc/rc. firewall6
In addition, you can set the firewall_script variable to an executable script containing the ipfw command, which will be automatically executed at startup.
######################################## #############