FreeBSD IPFilter Firewall Installation and Settings

September 23, 2001

Setting up a FreeBSD firewall is actually a fairly simple matter. Drawing on my own practical experience and some material found online, this article walks through the concrete steps. It covers:

1. Maximize security settings
2. Setting up the network cards
3. Setting up the kernel
4. Enabling packet forwarding, the firewall and NAT
5. Configuring the machines behind the NAT/firewall
6. Getting familiar with IPFilter
7. QoS
8. References

1. Maximize security settings

The first step on a machine that is going to be a NAT firewall is to stop every service that is not required. Edit /etc/rc.conf and make sure the inetd, portmap and sendmail daemons are disabled:

    inetd_enable="NO"
    portmap_enable="NO"
    sendmail_enable="NO"

In addition, comment out the service entries in /etc/inetd.conf, so that nothing is exposed even if inetd is ever started again. If you really need remote logins, use SSH and add sshd_enable="YES" to /etc/rc.conf.

Once all unwanted services are disabled, you can use the remote scan at http://www.unixcircle.com/memberonly/portscan.php3 to confirm the settings. Be careful not to run such a scan from behind the firewall: a result obtained from the inside only tells you that the firewall is safe from the inside, which says nothing about what the Internet can see. If you cannot reach a site abroad, you can also use a tool such as NetScanTools, but you must run it from a machine outside your own subnet.

It is also very important to use cvsup to track the latest -stable FreeBSD source, because FreeBSD, like Windows, needs to be patched frequently.

2. Setting up the network cards

For ease of explanation, assume the machine has two 3Com 509B network cards, which FreeBSD drives as ep0 and ep1. If you do not like 3Com, or simply do not have these cards, substitute your own interface names for ep0 and ep1 in everything that follows.
The first card (ep0) gets an RFC 1918 private address, which is never routed on the Internet; the second (ep1) gets either a static address or a dynamic one from DHCP. For reference, the private ranges are:

    10.0.0.0    - 10.255.255.255   netmask 255.0.0.0
    172.16.0.0  - 172.31.255.255   netmask 255.240.0.0
    192.168.0.0 - 192.168.255.255  netmask 255.255.0.0

Here we choose 192.168.1.0/24 (as many people do) and add to /etc/rc.conf:

    ifconfig_ep0="inet 192.168.1.1 netmask 255.255.255.0"

If the second card uses a static IP, configure it in /etc/rc.conf as well:

    ifconfig_ep1="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"

where the xxx parts are the address and mask your provider gave you. If instead it gets a dynamic IP via DHCP:

    ifconfig_ep1="DHCP"

and adjust /etc/dhclient.conf as needed. Make sure both cards end up with the correct IP and mask, and once the internal range is confirmed, do not change it: the address of the first card (192.168.1.1) will be the default gateway for the whole internal network.
3. Setting up the kernel

To compile a new kernel you first need the kernel source (usually part of the release you installed). If it is missing, run /stand/sysinstall and install it. Then:

    # cd /sys/i386/conf
    # cp GENERIC FIREWALL

I named it FIREWALL because the machine is called firewall; any name will do. Edit the kernel configuration file (# vi FIREWALL) and add the following lines to the options section:

    # IPFilter with logging support
    options IPFILTER
    options IPFILTER_LOG
    # block all packets unless a rule passes them
    options IPFILTER_DEFAULT_BLOCK
    # randomize IP IDs so an outside observer cannot infer how much traffic the gateway generates
    options RANDOM_IP_ID

Then remove every device that is unrelated to your hardware. A fairly reliable way to decide what you need is to read the dmesg output; the LINT file in the same directory documents all available options. After editing the configuration, rebuild and install the kernel:

    # cd /usr/src
    # make buildkernel KERNCONF=FIREWALL
    (kernel compile output)
    # make installkernel KERNCONF=FIREWALL
    # reboot

This build procedure keeps the previous kernel as kernel.old, so if something went wrong you can still boot it by typing kernel.old at the boot: prompt.

4. Enabling packet forwarding, the firewall and NAT

Enable packet forwarding by adding to /etc/sysctl.conf:

    net.inet.ip.forwarding=1

Forwarding can be hardened with a few more lines in /etc/sysctl.conf. Randomize initial sequence numbers as described in RFC 1948, which defends against TCP sequence-number attacks:

    net.inet.tcp.strict_rfc1948=1

Verify that incoming packets arrive on the interface that actually holds their destination address:

    net.inet.ip.check_interface=1

And for performance:

    net.inet.tcp.recvspace=65535
    net.inet.tcp.sendspace=65535

Filtering rules: the kernel was built with IPFILTER_DEFAULT_BLOCK, so with no rules at all nothing gets through. If you do not yet know what to block, start by passing everything and tighten the rules later (see section 6).
Add to /etc/ipf.rules:

    pass in all
    pass out all

Note that with these two rules the filter itself protects nothing; until you add block rules, the only thing shielding the internal hosts is the address translation.

NAT (Network Address Translation) rules: so that NAT and FTP work together, add to /etc/ipnat.rules:

    # use IPFilter's FTP proxy for FTP from the internal network
    map ep1 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
    # map all TCP and UDP connections from 192.168.1.0/24 to the external IP,
    # rewriting the source port to an unprivileged one in the range 40000-60000
    # (watch the OICQ port and you will see plenty of hosts doing exactly this)
    map ep1 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
    # map everything else to the external IP address
    map ep1 192.168.1.0/24 -> 0.0.0.0/32

The 0.0.0.0/32 target means "whatever address ep1 currently has", which is what lets the same rules work with a DHCP-assigned external address. Note that all proxy lines must come before the general portmap rule, because ipnat applies only the first matching rule.

Transparent redirection: if there is a mail server at 192.168.1.2 on the internal network, use an rdr rule to redirect incoming SMTP to it transparently.
Because inbound packets are translated by rdr before the filter rules are evaluated, you also need a pass in rule in /etc/ipf.rules that lets the translated packet through to the mail server.

/etc/ipnat.rules:

    # redirect incoming SMTP to the internal mail server
    rdr ep1 0.0.0.0/0 port 25 -> 192.168.1.2 port 25

/etc/ipf.rules:

    # let the translated SMTP connection (SYN) in, fragments included
    pass in quick on ep1 proto tcp from any to any port = 25 flags S keep state keep frags

Load balancing: to spread the load over mirrored web servers behind the NAT, use the round-robin keyword. IPFilter will rotate new connections across these servers:

    rdr ep1 0.0.0.0/0 port 80 -> 192.168.1.2 port 80 tcp round-robin
    rdr ep1 0.0.0.0/0 port 80 -> 192.168.1.3,192.168.1.4 port 80 tcp round-robin
    rdr ep1 0.0.0.0/0 port 80 -> 192.168.1.5,192.168.1.6 port 80 tcp round-robin

Bear in mind that round-robin only rotates through the matching rules; it does not check whether a server is up, so a server that is down still receives its share of new connections.

Now enable the NAT/firewall in /etc/rc.conf:

    ipfilter_enable="YES"    # enable the firewall
    ipfilter_flags=""        # IPFilter is compiled into the kernel, not loaded as a module
    ipnat_enable="YES"       # enable NAT
    ipmon_enable="YES"       # run ipmon, the IPFilter logging program
    ipmon_flags="-Dsn"       # -D: run as a daemon; -n: show addresses and ports as
                             # host and service names; -s: log via syslogd instead of a file

5. Configuring the machines behind the NAT/firewall

Every host on the internal network must be configured to use the internal IP of the FreeBSD gateway as its default gateway. With ep0 set to 192.168.1.1 in section 2, that is:

    FreeBSD:        add defaultrouter="192.168.1.1" to /etc/rc.conf
    Red Hat Linux:  add GATEWAY=192.168.1.1 to /etc/sysconfig/network
    NetBSD:         echo "192.168.1.1" > /etc/mygate
    OpenBSD:        echo "192.168.1.1" > /etc/mygate
    Solaris:        echo "192.168.1.1" > /etc/defaultrouter
    Windows 2000:   Start -> Settings -> Control Panel -> Network and Dial-up Connections -> Local Area Connection -> Properties -> Internet Protocol (TCP/IP) -> Properties -> Default gateway: 192.168.1.1

6. Getting familiar with IPFilter

Once the NAT/firewall is connected to the Internet, read the IPFilter HOWTO at http://www.unixcircle.com/ipf and add some block rules to /etc/ipf.rules. Further useful material is on the www.ipfilter.org homepage. Every time you modify /etc/ipf.rules or /etc/ipnat.rules you have to reload them before the change takes effect, and reloading (which flushes the NAT table) will cut off all existing connections through the gateway.
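As an added example (not part of the original article), the script below collects the operational pieces the text describes but does not spell out: a stateful replacement for the "pass in all / pass out all" starting rules of section 4, a check that ipnat proxy lines precede the generic map rules as section 4 requires, and the reload commands section 6 refers to. It assumes the article's interface names (ep0 internal, ep1 Internet), the 192.168.1.0/24 range and the mail server at 192.168.1.2; allowing SSH to the gateway from outside is my assumption, as are the file paths /etc/ipf.rules and /etc/ipnat.rules (FreeBSD's rc.conf defaults). Only the "apply" mode touches the kernel.

```shell
#!/bin/sh
# Added example: hardened ipf.rules, an ipnat rule-order check, and a reload
# helper for the setup described in this article. Run "sh ipf-helper.sh apply"
# on the gateway; without "apply" nothing is loaded into the kernel.

# write_ipf_rules FILE
# A stateful starting ruleset to replace "pass in all / pass out all". The
# kernel was built with IPFILTER_DEFAULT_BLOCK, so anything not passed here is
# dropped. ep0 = internal LAN, ep1 = Internet, as in the article.
write_ipf_rules() {
    cat > "$1" <<'EOF'
# loopback is trusted
pass in quick on lo0 all
pass out quick on lo0 all
# anti-spoofing: the internal and loopback ranges never arrive from the Internet
block in log quick on ep1 from 192.168.1.0/24 to any
block in log quick on ep1 from 127.0.0.0/8 to any
# outbound from the gateway and the NATed hosts; keep state so replies get back in
pass out quick on ep1 proto tcp from any to any flags S keep state keep frags
pass out quick on ep1 proto udp from any to any keep state
pass out quick on ep1 proto icmp from any to any keep state
# inbound services: SMTP has already been rdr'd to 192.168.1.2 when filtering runs;
# SSH goes to the gateway itself (assumption: you want remote logins from outside)
pass in quick on ep1 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on ep1 proto tcp from any to any port = 22 flags S keep state
# everything else arriving on the external interface is dropped and logged
block in log quick on ep1 all
# the internal LAN is trusted
pass in quick on ep0 all
pass out quick on ep0 all
EOF
}

# check_nat_order FILE
# ipnat uses the first matching rule, so a "map ... proxy" line placed after a
# plain map (or portmap) for the same interface can never match. Prints each
# offending line and returns 1 if any was found, 0 otherwise.
check_nat_order() {
    awk -v file="$1" '
        BEGIN { bad = 0 }
        $1 == "" || $1 ~ /^#/ { next }          # blank lines and comments
        $1 != "map"           { next }          # rdr/bimap lines are not affected
        {
            proxy = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "#") break            # trailing comment
                if ($i == "proxy") proxy = 1
            }
            if (proxy) {
                if ($2 in generic) {
                    printf "%s:%d: proxy rule for %s comes after the generic map on line %d and will never match\n",
                           file, NR, $2, generic[$2]
                    bad = 1
                }
            } else if (!($2 in generic)) {
                generic[$2] = NR                # first generic map for this interface
            }
        }
        END { exit bad }
    ' "$1"
}

# reload_rules IPF_FILE IPNAT_FILE
# Section 6: edits take effect only after a reload. ipf -Fa flushes the old
# filter rules; ipnat -CF flushes the NAT rules and the active translation
# table, which is why connections through the NAT are cut when you reload.
reload_rules() {
    # parse the filter rules without touching the kernel first (ipf -n)
    ipf -n -f "$1" || return 1
    check_nat_order "$2" || return 1
    ipf -Fa -f "$1" && ipnat -CF -f "$2"
}

if [ "${1:-}" = apply ]; then
    write_ipf_rules /etc/ipf.rules
    reload_rules /etc/ipf.rules /etc/ipnat.rules
fi
```

The ordering check is deliberately limited to map lines: rdr rules are matched separately by ipnat, so a proxy map after a generic map is the one ordering mistake that silently breaks the FTP proxy from section 4.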