First, kernel configuration: /usr/src/sys/i386/conf/HQ_SUPERSERVER
Code:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT                   # IPDIVERT enables the divert IP sockets, used by ''ipfw divert''
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=30
#options IPFILTER                  # ipfilter support
#options IPFILTER_LOG              # ipfilter logging
# traffic shaper, bandwidth manager and delay emulator
options DUMMYNET                   # enables the "dummynet" bandwidth limiter. You need IPFIREWALL as well.
# Statically link in accept filters for a web server on this box
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options ICMP_BANDLIM               # DoS protection
options IPSTEALTH                  # to hide the firewall from traceroute
options TCP_DROP_SYNFIN            # to hide from nmap OS fingerprinting; remove if this box is a web server
Second, rc.conf configuration: /etc/rc.conf
Code:
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/rc.firewall"
firewall_quiet="NO"                # change to YES once happy with the rules
firewall_logging_enable="YES"
# extra firewalling options
log_in_vain="YES"
# This option prevents something known as OS fingerprinting; TCP_DROP_SYNFIN must be compiled into the kernel to use it
tcp_drop_synfin="NO"               # change to NO if this box is a web server
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
Third, using IPFW (general rule syntax; the operands are placeholders)
Code:
ipfw add allow tcp from <src> to <dst> in recv <iface>
Add and remove rules:
Code:
$ sudo ipfw add deny tcp from 61.49.203.115 to 61.49.203.114 22 in recv fxp0
$ sudo ipfw -t list
$ sudo ipfw delete 00100
Block ICMP
Code:
$ sudo ipfw add deny icmp from any to any in recv fxp0
Display rules
Code:
$ sudo ipfw show
Display rules by rule number
Code:
$ sudo ipfw -t list
List each rule with the number of packets that matched it
Code:
$ sudo ipfw -a list
Fourth, the /etc/ipfw.rules rule file
Code:
add 00010 allow udp from any to me 67 in via $IIF
add 00020 allow udp from me 68 to any out via $IIF
Fifth, the /etc/rc.firewall script
Code:
# mv /etc/rc.firewall /etc/rc.firewall.orig
# touch /etc/rc.firewall
# chmod u=rx,og-rwx /etc/ipfw.rules
/etc/rc.firewall
Code:
#!/bin/sh
# This will flush the existing rules - sudo ipfw -f flush
# You can execute this script without dropping existing connections/stats
fwcmd="/sbin/ipfw -q"
extif="fxp0"
myip="10.1.8.114"
mybcast="10.1.8.119"
mynetwork="10.1.8.112/29"
dns_server="10.1.8.1"

# Reset all rules in case the script is run multiple times
${fwcmd} -f flush
${fwcmd} add 200 check-state

# Block RFC 1918 and other reserved networks - the ',' list syntax only works in IPFW2
${fwcmd} add 210 deny all from 0.0.0.0/7,1.0.0.0/8,5.0.0.0/8,10.0.0.0/8,23.0.0.0/8,96.0.0.0/3,127.0.0.0/8,128.0.0.0/16,128.66.0.0/16,169.254.0.0/16,172.16.0.0/12,191.255.0.0/16,192.0.0.0/16,192.168.0.0/16,197.0.0.0/8,201.0.0.0/8,204.152.64.0/23,224.0.0.0/3,240.0.0.0/8 to any

# Allow everything on the loopback interface
${fwcmd} add 220 allow all from any to any via lo0

# Allow from me to anywhere
${fwcmd} add 240 allow tcp from ${myip} to any setup keep-state
${fwcmd} add 260 allow udp from ${myip} to any keep-state
${fwcmd} add 280 allow icmp from ${myip} to any

# Allow the local LAN to connect to us
${fwcmd} add 300 allow ip from ${mynetwork} to ${mynetwork}

# Allow incoming SSH, SMTP, HTTP from anywhere on the internet
${fwcmd} add 320 allow log tcp from any to ${myip} 22,25,80 in keep-state setup

# Restrict ICMP: only allow types 0 (echo reply), 3 (unreachable) and 11 (time exceeded)
${fwcmd} add 340 allow icmp from any to any icmptype 0,3,11

# Block all other traffic and log it
${fwcmd} add 360 deny log all from any to any

# end of /etc/rc.firewall
Sixth, IPFW log configuration: /etc/syslog.conf
Code:
!ipfw
*.* /var/log/ipfw.log
Code:
$ sudo touch /var/log/ipfw.log
$ sudo killall -HUP syslogd
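With the `deny log` rule and the syslog entry above in place, /var/log/ipfw.log receives one line per logged packet in the verbose ipfw format. The following added example (not from the original page) parses that format and summarises which sources hit the deny rules and which destination ports they aimed at; the log lines are constructed samples, and the host name `hq` and all addresses in them are assumptions.

```python
import re
from collections import Counter

# Verbose ipfw log format (IPFIREWALL_VERBOSE), as written by syslogd, e.g.
#   ipfw: 360 Deny TCP 203.0.113.7:44123 10.1.8.114:23 in via fxp0
#   ipfw: 360 Deny ICMP:8.0 203.0.113.7 10.1.8.114 in via fxp0   (ICMP carries type.code, no ports)
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return a dict of fields for one ipfw syslog line, or None for non-ipfw lines."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])  # rule number that logged the packet (e.g. 320 or 360)
    return rec


def summarize(lines, top=5):
    """Count accepted packets and aggregate denied packets by source and by (proto, dport)."""
    by_src, by_dport, accepted = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "Deny":
            by_src[rec["src"]] += 1
            if rec["dport"]:  # ICMP lines have no destination port
                by_dport[(rec["proto"], int(rec["dport"]))] += 1
        elif rec["action"] == "Accept":
            accepted += 1
    return {"accepted": accepted,
            "denied_by_src": by_src.most_common(top),
            "denied_by_dport": by_dport.most_common(top)}


# Constructed sample of /var/log/ipfw.log; host name and addresses are made up.
SAMPLE_LOG = """\
Mar  5 10:22:31 hq kernel: ipfw: 320 Accept TCP 198.51.100.5:51000 10.1.8.114:22 in via fxp0
Mar  5 10:22:40 hq kernel: ipfw: 360 Deny TCP 203.0.113.7:44123 10.1.8.114:23 in via fxp0
Mar  5 10:22:41 hq kernel: ipfw: 360 Deny TCP 203.0.113.7:44124 10.1.8.114:3389 in via fxp0
Mar  5 10:22:42 hq kernel: ipfw: 360 Deny TCP 203.0.113.7:44125 10.1.8.114:23 in via fxp0
Mar  5 10:22:50 hq kernel: ipfw: 360 Deny ICMP:8.0 203.0.113.9 10.1.8.114 in via fxp0
Mar  5 10:23:01 hq kernel: ipfw: 360 Deny UDP 192.0.2.33:5353 10.1.8.119:5353 in via fxp0
Mar  5 10:23:05 hq sshd[812]: Accepted publickey for admin from 198.51.100.5
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against the real file with `summarize(open("/var/log/ipfw.log"))` to see which hosts the final deny rule is catching most often.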