IPFW and IPF
1. IPFW

IPFW stands for IP firewall. Its job is to check each IP packet against a set of rules and pass or drop it; think of it as the FreeBSD counterpart of iptables on Linux, but with a rule language that is easier to read. The GENERIC kernel does not build in IPFW or IPF, so this article enables them in a custom kernel configuration and recompiles. (Both are also available as loadable modules, ipfw and ipl, and firewall_enable="YES" / ipfilter_enable="YES" load them for you; compiling them in, as below, is simply the author's way of doing it.) First install the kernel source: run sysinstall, choose Distributions, then src, and select base and sys. Then:

# cd /usr/src/sys/amd64/conf
# cp GENERIC IPFW
# vi IPFW
At the end of the file add:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT

The last option is essential. Without it the built-in final rule (number 65535) denies everything, which is equivalent to unplugging the network cable: you will not be able to reach the box over telnet or ssh for maintenance. The trade-off is that with DEFAULT_TO_ACCEPT the host is wide open whenever the rules fail to load, so once your rules file is finished make sure it ends with its own deny rule. IPFIREWALL_VERBOSE enables logging for rules that carry the log keyword, and IPFIREWALL_VERBOSE_LIMIT=10 caps the number of log lines per rule so a flood cannot fill the log. Now compile the kernel. The base and sys source components must be installed, otherwise nothing will compile:

# cd /usr/src
# make buildkernel KERNCONF=IPFW
# make installkernel KERNCONF=IPFW

Then edit /etc/rc.conf:

# vi /etc/rc.conf

and add the following:
firewall_enable="YES"
firewall_type="open"     # "open", or the absolute path of a rules file

After the compile and install finish, reboot. IPFW is now active and you can start writing rules. firewall_type="open" installs a permissive ruleset, which is safe while you are experimenting; once you have a rules file, point firewall_type at its absolute path. The previous kernel is kept in /boot/kernel.old. If the new kernel fails to boot, choose the loader prompt entry in the boot menu and run boot kernel.old to start the kernel that worked before.

The IPFW rule language reads much more like plain language than the -m/-d option soup of iptables. Many firewall and traffic-control appliances, such as Panabit and m0n0wall, are FreeBSD with IPFW or IPF underneath plus a web interface for people who would rather not use the command line; the command line is more flexible and, once learned, just as easy.

Every rule carries a rule number from 1 to 65535, and rules are evaluated in numerical order. The author's convention is to keep internal rules below 10000 and external rules above; any scheme works as long as you can follow it. Several rules may share one number, in which case they are evaluated in the order they were added. If you know sequence numbers in Cisco ACLs, the idea is the same; if not, think of the rule number as a key and the rule body as the value stored under that key. The basic syntax is:
ipfw add|delete [rule_number] allow|deny protocol from source [port] to destination [port]

where protocol is all (any IP protocol), tcp, udp or icmp; source and destination are an IP address, a network in CIDR notation, or any; and a port number after an address only makes sense for tcp or udp. For example:
# ipfw add 10001 deny all from any to 192.168.1.10
Do not type this on the server you are logged into: it blocks every packet to that host, including the packets of your own session, and you will be locked out.
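As an added example (not code from the original post), here is the lockout-safe way to do what a rule like the one above is usually meant for: a rules file for firewall_type="/etc/ipfw.rules", generated and loaded by a small sh script, that admits SSH from a management network before the catch-all deny and arms a timer that reopens the firewall if the new rules cut off your session. The management network 203.0.113.0/24, the interface em0 and the file paths are assumptions; 192.168.1.10 is the server address from the rule above.

```shell
#!/bin/sh
# ipfw-safe-load.sh: build a lockout-safe IPFW ruleset and load it with a
# recovery timer. Added example for this article, not code from the original.
# Assumed values (edit for your host): the management network, the external
# interface name and the file paths. 192.168.1.10 is the server from the text.
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"       # where admins ssh in from (assumed)
SERVER="${SERVER:-192.168.1.10}"             # this host's address
EXT_IF="${EXT_IF:-em0}"                      # external interface (assumed)
RULES_FILE="${RULES_FILE:-/etc/ipfw.rules}"  # target of firewall_type="..."
RECOVER_PID="${RECOVER_PID:-/var/run/ipfw-recover.pid}"
RECOVER_SECS="${RECOVER_SECS:-300}"

# Emit the ruleset in the format ipfw reads from a file: one ipfw command per
# line with the leading "ipfw" dropped. Numbers leave gaps for later inserts,
# and the order matters: loopback first, then stateful admin access, then the
# catch-all deny. Without rule 01100 the deny at 09000 locks you out exactly
# like "deny all from any to 192.168.1.10" does.
build_rules() {
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 01000 check-state
add 01100 allow tcp from ${MGMT_NET} to ${SERVER} 22 in via ${EXT_IF} setup keep-state
add 01200 allow ip from ${SERVER} to any out via ${EXT_IF} keep-state
add 01300 allow icmp from any to ${SERVER} icmptypes 0,3,8,11
add 09000 deny log ip from any to any
EOF
}

# Arm a recovery job that reopens the firewall after RECOVER_SECS seconds.
# nohup keeps it alive if the ssh session that started it is killed by the
# new rules. Cancel it once you have confirmed you can still log in.
arm_recovery() {
    nohup sh -c "sleep ${RECOVER_SECS}; ipfw -q add 00050 allow ip from any to any" \
        >/dev/null 2>&1 &
    echo $! > "${RECOVER_PID}"
}

disarm_recovery() {
    [ -f "${RECOVER_PID}" ] && kill "$(cat "${RECOVER_PID}")" 2>/dev/null
    rm -f "${RECOVER_PID}"
}

# Write the file, syntax-check it without touching the kernel (ipfw -n),
# arm the timer, then flush and load. Run "disarm" afterwards if all is well.
load_rules() {
    build_rules > "${RULES_FILE}" || return 1
    ipfw -n "${RULES_FILE}" || { echo "syntax error in ${RULES_FILE}" >&2; return 1; }
    arm_recovery
    ipfw -q -f flush
    ipfw -q "${RULES_FILE}"
    ipfw list
}

case "${1:-}" in
    load)   load_rules ;;
    disarm) disarm_recovery ;;
    show)   build_rules ;;
esac
```

Run it as sh ipfw-safe-load.sh load from your ssh session, open a second session to confirm you still get in, then sh ipfw-safe-load.sh disarm. With firewall_type="/etc/ipfw.rules" in rc.conf the same file is loaded at every boot, and because it ends with its own deny rule it does not rely on IPFIREWALL_DEFAULT_TO_ACCEPT.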
Read as a sentence, ipfw add 10001 deny all from any to 192.168.1.10 says: rule 10001, deny all traffic from any address to 192.168.1.10. To limit it to one service, put the port after the destination: ipfw add 10001 deny tcp from any to 192.168.1.10 22 denies only TCP to port 22 (ssh). To get rid of a rule again, use delete with its number: ipfw delete 10001. The full usage of ipfw runs to several pages; see ipfw(8) and the FreeBSD Handbook (also available in Chinese), which is very detailed.

IPFW can also do NAT with its in-kernel nat instances, for example:

# ipfw nat 1 config redirect_addr 10.0.0.1 10.0.0.66
# ipfw nat 2 config redirect_port tcp 192.168.0.1:
# ipfw nat 3 config redirect_proto udp 192.168.1.43 192.168.1.1

redirect_addr maps a private address to a public one one-to-one, redirect_port forwards a single port, and redirect_proto forwards a whole protocol. Note that config only defines the instance; traffic is only translated once a rule sends it there, for example ipfw add 100 nat 1 ip from any to any via em0, and the kernel needs options IPFIREWALL_NAT and options LIBALIAS (or the ipfw_nat module). So IPFW can do everything iptables can, with a simpler and clearer syntax. It can also filter on layer-2 (MAC) addresses. Use ipfw list to display the current rules (ipfw show prints them with packet and byte counters).

2. IPF

IPFW and IPF (IPFilter) are two completely different code bases, but in function and performance they are close; neither is better, it is a matter of habit. IPF also has to be compiled into the kernel in this procedure. The steps are the same as for IPFW up to copying the configuration file:

# cp GENERIC IPF
# vi IPF
Insert the following:
options IPFILTER
options IPFILTER_LOG

Then edit /etc/rc.conf:

# vi /etc/rc.conf
and add:
ipfilter_enable="YES"              # turn on ipfilter
ipfilter_rules="/etc/ipf.rules"    # absolute path of the ipfilter rules file
gateway_enable="YES"               # act as a gateway (forward packets)
ipnat_enable="YES"                 # turn on NAT
ipnat_rules="/etc/ipnat.rules"     # absolute path of the NAT rules file

Then rebuild and install the kernel as before and reboot. Typical rules look like this (they go into /etc/ipf.rules, one per line, and can be loaded by hand with ipf -Fa -f /etc/ipf.rules):

pass in quick on lo0 all
block in quick on em0 from any to 192.168.0.0/16

Explanation: the first line lets everything in on lo0 (the loopback interface); the second blocks everything arriving on em0 that is addressed to 192.168.0.0/16 (a class-B-sized block). One caveat: IPF, unlike IPFW, evaluates every rule and the last match wins; the quick keyword makes a matching rule final, so leave it off only when you intend a later rule to override. Very simple.

ipnat is the NAT tool that comes with IPF. The author writes NAT rules into a file so that they are all loaded automatically at boot instead of being typed one at a time. Typical file contents:

map bce1 192.168.10.0/25 -> 211.103.xxx.xx1/32
# translate the bce1 network 192.168.10.0/25 (VLSM) to the single address 211.103.xxx.xx1
map bce1 192.168.20.111/32 -> 211.103.xxx.xx2/32
# translate the single address 192.168.20.111 to the single address 211.103.xxx.xx2
rdr bce1 192.168.10.2/32 port 80 -> 211.103.xxx.xx2 port 8100 tcp
# port forwarding (rdr): TCP arriving on bce1 for 192.168.10.2 port 80 is redirected to port 8100 of 211.103.xxx.xx2

That is the essence of IPFW and IPF. There is a third packet filter, PF (Packet Filter), which the author is not familiar with and does not cover here. Anything else can be looked up in the BSD manual pages and Handbook, which explain things in great detail.
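Putting the pieces of this section together, as an added example that is not the article's own code: an sh script that writes /etc/ipf.rules and /etc/ipnat.rules (the files named in the rc.conf above) and reloads them with a syntax check first. It also shows the two things that bite people coming from IPFW: IPF's last-match-wins evaluation (hence quick on every specific rule and a plain block at the end), and the fact that inbound packets are translated by ipnat before the filter sees them, so the rule admitting redirected web traffic names the internal address and port. The interfaces bce1 and em0, the admin network 203.0.113.0/24 and the public addresses 203.0.113.1 and 203.0.113.2 (standing in for the masked 211.103.xxx.xxN above) are assumptions; the rdr here is the common inbound case, public port 80 to the internal host's port 8100.

```shell
#!/bin/sh
# ipf-reload.sh: generate and safely reload IPF filter and ipnat NAT rules.
# Added example for this article, not code from the original. Interface names,
# the admin network and the 203.0.113.x public addresses are assumptions.
EXT_IF="${EXT_IF:-bce1}"                   # outside interface (the article's NAT interface)
INT_IF="${INT_IF:-em0}"                    # inside interface (assumed)
INT_NET="${INT_NET:-192.168.10.0/25}"      # inside network from the map rule in the text
WEB_HOST="${WEB_HOST:-192.168.10.2}"       # internal web server from the rdr rule in the text
PUB_ADDR="${PUB_ADDR:-203.0.113.1}"        # public address used for map (assumed)
RDR_ADDR="${RDR_ADDR:-203.0.113.2}"        # public address used for rdr (assumed)
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"     # admin network allowed to ssh (assumed)
IPF_RULES="${IPF_RULES:-/etc/ipf.rules}"
IPNAT_RULES="${IPNAT_RULES:-/etc/ipnat.rules}"

# IPF checks every rule and the LAST match wins unless a rule says "quick",
# which ends evaluation there. Specific rules therefore carry quick, and the
# final block without quick is the default for anything not decided earlier.
# "keep state" admits the replies of a connection without a separate rule.
# Inbound packets pass through ipnat before the filter, so the web rule
# matches the translated destination (internal host, port 8100).
ipf_rules() {
    cat <<EOF
pass in quick on lo0 all
pass out quick on lo0 all
block in log quick on ${EXT_IF} from 192.168.0.0/16 to any
block in log quick on ${EXT_IF} from 10.0.0.0/8 to any
pass in quick on ${EXT_IF} proto tcp from ${MGMT_NET} to any port = 22 flags S keep state
pass in quick on ${EXT_IF} proto tcp from any to ${WEB_HOST} port = 8100 flags S keep state
pass in quick on ${INT_IF} all
pass out quick on ${EXT_IF} proto tcp/udp from any to any keep state
pass out quick on ${EXT_IF} proto icmp from any to any keep state
block in log on ${EXT_IF} all
EOF
}

# ipnat: the first map line handles tcp/udp with a source-port pool, the
# second the remaining protocols (icmp and so on); rdr sends port 80 of the
# public address to port 8100 on the internal host.
ipnat_rules() {
    cat <<EOF
map ${EXT_IF} ${INT_NET} -> ${PUB_ADDR}/32 portmap tcp/udp 10000:40000
map ${EXT_IF} ${INT_NET} -> ${PUB_ADDR}/32
rdr ${EXT_IF} ${RDR_ADDR}/32 port 80 -> ${WEB_HOST} port 8100 tcp
EOF
}

# Parse both files with -n (no kernel changes) before flushing anything, then
# load. ipnat -CF drops the rules and every active translation, so existing
# NAT sessions reset; ipf -Fa replaces the rule lists only.
reload() {
    ipf_rules > "${IPF_RULES}" || return 1
    ipnat_rules > "${IPNAT_RULES}" || return 1
    ipf -n -f "${IPF_RULES}" || { echo "bad filter rules" >&2; return 1; }
    ipnat -n -f "${IPNAT_RULES}" || { echo "bad NAT rules" >&2; return 1; }
    ipf -Fa -f "${IPF_RULES}"
    ipnat -CF -f "${IPNAT_RULES}"
    ipfstat -io    # active inbound and outbound filter rules
    ipnat -l       # active NAT rules and current translations
}

case "${1:-}" in
    reload) reload ;;
    show)   ipf_rules; echo; ipnat_rules ;;
esac
```

sh ipf-reload.sh show prints both files for review; sh ipf-reload.sh reload writes and activates them. Because the final block line has no quick, a rule appended after it would still override it, which is why new exceptions belong above that line.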
Addendum: set fsck_y_enable="YES" in /etc/rc.conf so that fsck runs with -y at boot and repairs filesystems unattended. Useful kernel options for servers are the accept filters, which let a listening socket defer accept() until data, a complete HTTP request, or a DNS request has arrived:

options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options ACCEPT_FILTER_DNS
FreeBSD from scratch: post-installation configuration (III)