Writing Date: 2002-03-03
FreeBSD has a firm place in the web server field, both in high-end applications and in small businesses. Building a server on FreeBSD is a good choice, but how do you build a secure network?
Let us start from a hypothetical case: a company has two servers and needs to build a gateway on FreeBSD that also provides email, DNS, Web and other services. That seems a very simple thing, but setting it up with high security is not easy. Here I will show you how to do it. Based on my own familiarity with FreeBSD, I came up with the following design:
                    Internet
                        |
                  -------------
                 |   GATEWAY   |
                  -------------
                        |
           -------------+-------------
           |                         |
     -------------             -------------
    |     LAN     |           |     WWW     |
     -------------             -------------
The above is the network structure designed for the company. Let us analyse this picture first. Because the Gateway is the server connected directly to the Internet, it is the one most exposed to attack, and since it also serves as the company's gateway, a compromise of this server affects the whole company. For stability and safety, the fewer services this server runs, the better: the fewer services, the fewer possible ways in. The WWW server sits behind the Gateway and is protected by it, so it generally sees fewer attacks and can run as many services as needed. But how do these services become reachable by people on the Internet? This is introduced in detail below.
First let us install the Gateway. The Gateway's Internet IP is x.x.x.x on network card xl0, and its internal IP is 192.168.0.1 on network card xl1. Because the Gateway acts as the gateway, securing this server is very important. FreeBSD ships with the ipfirewall (ipfw) firewall, and since we have it, we must use it. First compile the kernel:
cd /sys/i386/conf
cp GENERIC ./KERNEL_IPFW
Open the KERNEL_IPFW file with an editor and add the following options (the text after // is explanation, not part of the file):
options IPFIREWALL                    // Tells the kernel to check every IP packet against the rule set
options IPDIVERT                      // Enables the divert sockets used by ipfw divert rules; required together with natd
options IPFIREWALL_VERBOSE            // Sends logged packets to the system logger
options IPFIREWALL_VERBOSE_LIMIT=100  // Limits how many times one rule is logged
options IPSTEALTH                     // Stealth forwarding support, so this host is not found by traceroute and similar tools
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP            // Accept filters for data and HTTP connections
options ICMP_BANDLIM                  // ICMP_BANDLIM rate-limits the generation of ICMP errors; we generally want this option, it helps protect your system from D.o.S. attacks
Add the above parameters and save the KERNEL_IPFW file, then build and install the kernel:
config KERNEL_IPFW             // generates the compile directory for the new configuration
cd ../../compile/KERNEL_IPFW
make depend
make
make install                   (Note!!!! Do not do this over a remote connection! Why? You will find out shortly.)
After the above is complete, restart the system to use the new kernel.
After booting the new kernel, if the system was connected to the network before, you will find that it has completely lost its network connectivity. This means the new kernel is in effect and the firewall is working: the FreeBSD firewall's default policy denies all access to and from any machine, so all network functions of the machine are temporarily lost. Don't worry, read on, you will find it very interesting.
Since the server acts as a gateway, we have to enable gateway operation. Now:
cd /etc
Open rc.conf with an editor and add the following parameters:
gateway_enable="YES"                  // Enable gateway operation (packet forwarding)
########## ipfw #########################################
firewall_enable="YES"                 // Activate the firewall
firewall_script="/etc/rc.firewall"    // Default firewall script
firewall_type="/etc/ipfw.conf"        // Our own firewall rule file
firewall_quiet="NO"                   // Whether the rule information is hidden when the script runs; "NO" for now, set it to "YES" once your firewall rules are settled
firewall_logging_enable="YES"         // Enable firewall logging
########## natd ##############################################
natd_interface="xl0"                  // Network card on which the natd service runs
natd_enable="YES"                     // Activate the natd service
natd_flags="-config /etc/natd.conf"   // natd parameter file
After these settings are complete, edit the /etc/syslog.conf file and add the following lines:
!ipfw
*.*                                     /var/log/ipfw.log
That completes the rc.conf settings; now the other files.
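Once ipfw logging lands in /var/log/ipfw.log, the denies it records are worth summarising per rule and source, so that hits on the scanner-filtering rules 1 to 5 below stand out. The following Python is an added example, not part of the article; the log lines are constructed in the FreeBSD 4.x ipfw log format, with constructed addresses.

```python
# Added example, not from the article: summarise the Deny entries that ipfw
# writes to /var/log/ipfw.log so that hits on the article's scanner rules 1-5
# stand out. SAMPLE_LOG is constructed in the FreeBSD 4.x ipfw log format.
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 10:00:01 gw /kernel: ipfw: 1 Deny IP 192.0.2.9 203.0.113.1 in via xl0
Mar  3 10:00:02 gw /kernel: ipfw: 5 Deny TCP 192.0.2.9:44000 203.0.113.1:22 in via xl0
Mar  3 10:00:02 gw /kernel: ipfw: 5 Deny TCP 192.0.2.9:44001 203.0.113.1:25 in via xl0
Mar  3 10:01:17 gw /kernel: ipfw: 65535 Deny TCP 198.51.100.23:5123 203.0.113.1:23 in via xl0
"""

# Rule numbers from the article's /etc/ipfw.conf and what each one filters.
SCANNER_RULES = {1: "ipopt rr", 2: "ipopt ts", 3: "ipopt ssrr",
                 4: "ipopt lsrr", 5: "tcpflags syn,fin"}

# "ipfw: <rule> <verdict> <proto> <src>[:port] <dst>[:port] <in|out> via <if>"
LINE = re.compile(r"ipfw: (\d+) (Deny|Accept) (\S+) (\S+?)(?::(\d+))? "
                  r"(\S+?)(?::(\d+))? (in|out) via (\S+)")

def summarize(log_text):
    """Return {(rule number, source IP): count} for every Deny entry."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m.group(2) != "Deny":
            continue
        hits[(int(m.group(1)), m.group(4))] += 1
    return hits

def scanner_sources(log_text):
    """Source IPs that tripped any of rules 1-5, with the names of those rules."""
    out = {}
    for (rule, src), _count in summarize(log_text).items():
        if rule in SCANNER_RULES:
            out.setdefault(src, set()).add(SCANNER_RULES[rule])
    return out
```

Entries with rule 65535 are packets that matched no rule at all and hit the kernel's default deny.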
Create a new /etc/ipfw.conf file and write the following in it (again, the text after // is explanation):
add 00400 divert natd ip from any to any via xl0        // Hook for the natd service
add 00001 deny log ip from any to any ipopt rr
add 00002 deny log ip from any to any ipopt ts
add 00003 deny log ip from any to any ipopt ssrr
add 00004 deny log ip from any to any ipopt lsrr
add 00005 deny tcp from any to any in tcpflags syn,fin  // These five lines filter out various scanners
####### TCP #########
add 1000 allow tcp from xx.xx.xx.xx to x.x.x.x 22 in    // Open the SSH service only to the Internet address xx.xx.xx.xx, i.e. trust SSH logins from that IP
add 10001 allow tcp from any to x.x.x.x 80 in           // Open the HTTP service to the whole Internet
add 10002 allow tcp from any to x.x.x.x 25 in           // Open the SMTP service to the whole Internet
add 10003 allow tcp from any to x.x.x.x 110 in          // Open the POP3 service to the whole Internet
add 19997 check-state
add 19998 allow tcp from any to any out keep-state setup
add 19999 allow tcp from any to any out                 // These three together allow the intranet to access the Internet; if you do not want the server itself to talk to the Internet, you can drop 19997 and 19998 (this does not affect Internet access to the server)
###### udp ##########
add 20001 allow udp from any 53 to me in recv xl0       // Allow replies from other DNS servers into this server, since it has to perform DNS resolution
add 20002 allow udp from any to x.x.x.x 53 in recv xl0  // Open the DNS service to the whole Internet
add 29999 allow udp from any to any out                 // Allow this server's UDP traffic out
###### ICMP #########
add 30000 allow icmp from any to any icmptypes 3
add 30001 allow icmp from any to any icmptypes 4
add 30002 allow icmp from any to any icmptypes 8 out
add 30003 allow icmp from any to any icmptypes 0 in
add 30004 allow icmp from any to any icmptypes 11 in    // Allow this host to ping other servers; the internal network is also allowed to use route-tracing commands
####### LAN ##########
add 40000 allow all from 192.168.0.0/16 to any
add 40001 allow all from any to 192.168.0.0/16          // Allow the internal network to access the Internet
OK, what is not set up yet is natd. Create /etc/natd.conf with the following content:
log yes                                        // Enable natd logging
redirect_port tcp 192.168.0.2:25 x.x.x.x:25     // SMTP: connections to port 25 of the server's public IP x.x.x.x are forwarded to port 25 of 192.168.0.2
redirect_port tcp 192.168.0.2:80 x.x.x.x:80     // HTTP: connections to port 80 of x.x.x.x are forwarded to port 80 of 192.168.0.2
redirect_port tcp 192.168.0.2:110 x.x.x.x:110   // POP3: connections to port 110 of x.x.x.x are forwarded to port 110 of 192.168.0.2
OK, natd is set up too. Restart the system so that the firewall and natd take effect. At this point the services themselves are not installed yet, even though the firewall already opens them.
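To see how the ipfw.conf rules and natd.conf above interact, the following Python is an added example (not ipfw's code or the article's own): it walks the rules in ascending rule-number order, applies what natd does at the divert rule, and reports which rule decides a packet on xl0. The public addresses are constructed stand-ins for x.x.x.x and xx.xx.xx.xx, and only the rules relevant to the checked packets are modelled. It shows, among other things, that after natd's redirect_port an inbound HTTP packet is admitted by rule 40001 rather than 10001, because its destination has already been rewritten to 192.168.0.2.

```python
# Added example, not ipfw or the article's own code: a first-match model of the
# article's ruleset on the Internet-facing interface xl0, including what natd does
# at rule 400. Addresses below are constructed stand-ins for x.x.x.x / xx.xx.xx.xx.
from ipaddress import ip_address, ip_network

GATEWAY = "203.0.113.1"       # the article's x.x.x.x
TRUSTED_SSH = "198.51.100.7"  # the article's xx.xx.xx.xx
WWW = "192.168.0.2"           # internal server named in natd.conf
REDIRECTS = {25, 80, 110}     # redirect_port entries in natd.conf
# (number, action, proto, src, dst, dport, direction, required tcpflags)
RULES = [
    (5,     "deny",   "tcp", "any", "any", None, "in", {"syn", "fin"}),
    (400,   "divert", "ip",  "any", "any", None, None, None),
    (1000,  "allow",  "tcp", TRUSTED_SSH, GATEWAY, 22, "in", None),
    (10001, "allow",  "tcp", "any", GATEWAY, 80, "in", None),
    (19999, "allow",  "tcp", "any", "any", None, "out", None),
    (20002, "allow",  "udp", "any", GATEWAY, 53, "in", None),
    (29999, "allow",  "udp", "any", "any", None, "out", None),
    (40000, "allow",  "ip",  "192.168.0.0/16", "any", None, None, None),
    (40001, "allow",  "ip",  "any", "192.168.0.0/16", None, None, None),
]

def _addr_match(pattern, addr):
    if "/" in pattern:
        return ip_address(addr) in ip_network(pattern)
    return pattern == "any" or pattern == addr

def _natd(src, dst, dport, direction):
    """What natd does to a packet handed to it on the divert socket."""
    if direction == "in" and dst == GATEWAY and dport in REDIRECTS:
        return src, WWW      # redirect_port: public IP:port -> 192.168.0.2:port
    if direction == "out" and ip_address(src) in ip_network("192.168.0.0/16"):
        return GATEWAY, dst  # outbound LAN traffic is masqueraded behind x.x.x.x
    return src, dst

def lookup(proto, src, dst, dport, direction, flags=frozenset()):
    """Return (rule number, verdict) for one packet crossing xl0; rules are
    walked in ascending number order, not in /etc/ipfw.conf file order."""
    for num, action, rproto, rsrc, rdst, rdport, rdir, rflags in sorted(RULES):
        if (rproto != "ip" and rproto != proto) or (rdir and rdir != direction):
            continue
        if (rdport and rdport != dport) or (rflags and not rflags <= set(flags)):
            continue
        if not (_addr_match(rsrc, src) and _addr_match(rdst, dst)):
            continue
        if action == "divert":  # natd rewrites the packet; matching resumes at 401
            src, dst = _natd(src, dst, dport, direction)
            continue
        return num, action
    return 65535, "deny"  # kernel default rule (no IPFIREWALL_DEFAULT_TO_ACCEPT)
```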
Now we install the DNS service on the Gateway. I chose BIND 9.2.0; the installation process is not our focus, so I will not cover it here. I only make a note on BIND's security settings. Assume that BIND's working directory is /etc/namedb. Because most versions of BIND have had problems, and even though the current one has none known, it is still better to be careful, so I recommend using chroot to enhance BIND's safety. Suppose we put the chroot directory at /chroot; we do the following:
pw useradd bind -g 53 -u 53 -d /nologin -s /nologin
mkdir /chroot
mkdir /chroot/etc
mkdir /chroot/var
mkdir /chroot/var/run
cp -Rp /etc/namedb /chroot/etc/      // Create BIND's working environment and directory inside the chroot
Then run (here $PATH stands for the directory BIND was installed under):
$PATH/sbin/named -t /chroot -u bind
After this, running ps -ax | grep named shows that named is running with the privileges of the bind user. Go to the /chroot/var/run directory and you will find the named.pid file, which indicates that BIND is now chrooted in /chroot. Even if a "hacker" uses a hole in BIND to break in, he is confined to /chroot, where there is no shell and nothing that gives the "hacker" anything to work with. So BIND is quite safe.
The whole Gateway server is now fully set up.
Now the internal server. It is protected by the Gateway and the firewall, so its installation does not matter that much; just pay attention to whether the mail service software and the HTTP service software have vulnerabilities. For example, do not use old versions of Sendmail, because every version of Sendmail has had some security issue. I recommend using qmail; you can download the qmail installation package I offer, together with qmail installation notes, from http://www.linuxAid.com.cn/training/tips/showtip.jsp?i=245. On the HTTP side, be careful not to use press-release systems, forums and the like that have vulnerabilities.
OK, the whole setup is now installed, and I have tested it on two FreeBSD 4.5 machines. Friends using FreeBSD 4.5 who set up their own servers following the above method can basically be assured of normal operation.