IPFilter experience notes

zhaozj2021-02-16  66

First, recompile the kernel with the following two lines added:

options IPFILTER

options IPFILTER_LOG

## Also: options IPFILTER_DEFAULT_BLOCK, but I personally think it is not a big deal.

Then modify your /etc/rc.conf file, adding:

#################################################

gateway_enable="YES"

ipfilter_enable="YES"

ipfilter_program="/sbin/ipf"

ipfilter_rules="/etc/ipf.rules"

ipfilter_flags=""

## Enable packet filtering

ipnat_enable="YES"

ipnat_program="/sbin/ipnat"

ipnat_rules="/etc/ipnat.rules"

ipnat_flags="-CF"

## Enable address translation

ipmon_enable="YES"

ipmon_program="/sbin/ipmon"

ipmon_flags="-Ds"

## Enable logging

#################################################

Then create two files, ipf.rules and ipnat.rules, in the /etc directory.

These two files under /etc are the IPFilter rule files. Now start editing them.

For reference, my external NIC: rl0 *.*.*.45/24

My internal NIC: dc0 192.168.0.1/24

First, ipf.rules:

block in quick all with short # drop short (truncated) packets

block in quick all with ipopts # drop packets that carry their own routing options

pass in quick on lo0 all

pass out quick on lo0 all # let everything through on the local loopback

###############

# Assign a group to each of your NICs #

###############

block in quick on dc0 all head 100 # blocked unless a rule in group 100 allows the packet

block out quick on dc0 all head 150 # blocked unless a rule in group 150 allows the packet

block in quick on rl0 all head 200 # blocked unless a rule in group 200 allows the packet

block out quick on rl0 all head 250 # blocked unless a rule in group 250 allows the packet

# in on the internal NIC is group 100

# out on the internal NIC is group 150

# in on the external NIC is group 200

# out on the external NIC is group 250

####################

# First, write the rules for the internal NIC

####################

pass in quick proto tcp from 192.168.0.0/24 to any keep state group 100

pass in quick proto udp from 192.168.0.0/24 to any keep state group 100

pass in quick proto icmp from 192.168.0.0/24 to any keep state group 100

pass in quick proto esp from 192.168.0.0/24 to any keep state keep frags group 100

pass in quick proto gre from 192.168.0.0/24 to any keep state group 100

# This allows the TCP, UDP, ICMP, ESP (IPsec) and GRE (PPTP) protocols.

#################################################

.

.

.

Edit the other groups following similar rules

.

.

.

#################################################

# Finally, there should be rules for 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16

block in quick from 10.0.0.0/8 to any group 200

block in quick from 127.0.0.0/8 to any group 200

block in quick from 172.16.0.0/12 to any group 200

block in quick from 192.168.0.0/16 to any group 200

#################################################

# Final block

block in quick all

block out quick all

#################################################
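To make the head/group scheme above concrete, here is an added example (not from the original post) that models, in simplified form, how ipf walks these quick rules: a matching head rule sends the packet into its group, and the head's own block applies only when nothing in that group matches. The tuple layout, the evaluate function and the sample packets are assumptions made for illustration; state tracking (keep state) is not modelled.

```python
# Added example: simplified, stateless model of how ipf walks "quick" rules
# with "head"/"group". Not ipf itself; "keep state" matching is not modelled.
from ipaddress import ip_address, ip_network

# (action, direction, interface, protocol, source net, head, group); None = any.
# Transcribed from the ipf.rules above ("with short"/"with ipopts" left out).
RULES = [
    ("pass",  "in",  "lo0", None,   "0.0.0.0/0",      None, 0),
    ("pass",  "out", "lo0", None,   "0.0.0.0/0",      None, 0),
    ("block", "in",  "dc0", None,   "0.0.0.0/0",      100,  0),
    ("block", "out", "dc0", None,   "0.0.0.0/0",      150,  0),
    ("block", "in",  "rl0", None,   "0.0.0.0/0",      200,  0),
    ("block", "out", "rl0", None,   "0.0.0.0/0",      250,  0),
    ("pass",  "in",  None,  "tcp",  "192.168.0.0/24", None, 100),
    ("pass",  "in",  None,  "udp",  "192.168.0.0/24", None, 100),
    ("pass",  "in",  None,  "icmp", "192.168.0.0/24", None, 100),
    ("pass",  "in",  None,  "esp",  "192.168.0.0/24", None, 100),
    ("pass",  "in",  None,  "gre",  "192.168.0.0/24", None, 100),
    ("block", "in",  None,  None,   "10.0.0.0/8",     None, 200),
    ("block", "in",  None,  None,   "127.0.0.0/8",    None, 200),
    ("block", "in",  None,  None,   "172.16.0.0/12",  None, 200),
    ("block", "in",  None,  None,   "192.168.0.0/16", None, 200),
    ("block", "in",  None,  None,   "0.0.0.0/0",      None, 0),
    ("block", "out", None,  None,   "0.0.0.0/0",      None, 0),
]


def evaluate(direction, iface, proto, src, group=0):
    """Return (action, deciding rule) for a packet, or None if nothing matched."""
    for action, rdir, rif, rproto, net, head, rgroup in RULES:
        if rgroup != group or rdir != direction:
            continue
        if rif not in (None, iface) or rproto not in (None, proto):
            continue
        if ip_address(src) not in ip_network(net):
            continue
        if head is not None:
            # A matching head rule hands the packet to its group first; its
            # own action applies only when no rule in that group matches.
            inner = evaluate(direction, iface, proto, src, head)
            return inner or (action, f"head {head}")
        return action, f"group {group}"  # quick: first match decides
    return None


if __name__ == "__main__":
    for pkt in [("in", "dc0", "tcp", "192.168.0.7"), ("in", "dc0", "tcp", "172.16.5.5"),
                ("in", "rl0", "udp", "10.1.2.3"), ("in", "rl0", "tcp", "203.0.113.9")]:
        print(pkt, "->", evaluate(*pkt))
```

With only the rules shown on the page, groups 150 and 250 are empty, so the model reports every outbound packet on dc0 and rl0 as blocked by its head rule until pass rules are added to those groups.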

Then, look at the ipnat.rules rules:

#############

map rl0 192.168.0.0/24 -> *.*.*.45/32 proxy port ftp ftp/tcp

# Acts as a proxy, where a proxy is needed

map rl0 192.168.0.0/24 -> *.*.*.45/32 portmap tcp/udp 10000:65000

map rl0 192.168.0.0/24 -> *.*.*.45/32 # translation for the ICMP protocol

rdr rl0 *.*.*.45 port -> 192.168.0.2 port 80

# Port mapping for the web service; for others, such as FTP or DNS, follow this pattern

#############

With this, the firewall setup using IPFilter is complete.

I think you should first of all plan your own network. Usually you have two interfaces (maybe you have a third for a DMZ), but the principle is the same: first group your interfaces, then set your rules within each group, so that things do not become chaotic. Pass first and, finally, block everything; this is the general practice. Sometimes you have to do it the other way round, block first and then pass everything else, but the final purpose is the same.

Then plan the services you provide yourself; this requires dividing up the ipnat.rules rules in detail. If you have a third network card, you can set up a DMZ for yourself, but in the end the principle is still the same: one map, one rdr. There is actually not much in this file that can be controlled.

The biggest role of the firewall is access control; simply put, it is how you set things up in ipf.rules. In pass and block rules there are things like flags S/SAFP, etc. I haven't used them yet, so I am not very clear on their specific usage; I am only giving you the practical part.

There are also several commands, ipnat and ipf; for their specific use see the man pages. If you want to see the current state table, then # ipfstat -t should satisfy your requirements.
