欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  科技

FreeBSD配置防火墙开启SSH服务的方法

程序员文章站 2022-03-05 16:59:54
这篇文章主要介绍下如何下freebsd下配置防火墙开启SSH服务的方法,需要的朋友可以参考下... 13-06-29...
1、配置freebsd 防火墙
ee /etc/rc.conf   #编辑,在最后添加
firewall_enable="yes"  #开启防火墙
net.inet.ip.fw.verbose=1   #启用防火墙日志功能
net.inet.ip.fw.verbose_limit=5  #启用防火墙日志功能
natd_enable="yes"  # 开启防火墙nat功能
natd_interface="rl0"     
natd_flags="-dynamic -m"
firewall_script="/etc/ipfw.rules"      #自定义防火墙规则路径
按esc,回车,再按a保存配置

2、添加防火墙规则

ee /etc/ipfw.rules    #编辑防火墙规则,添加以下代码

#!/bin/sh
################ start of ipfw rules file ######################
# flush out the list before we begin.
ipfw -q -f flush

# set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"     # public interface name of nic
              # facing the public internet

#################################################################
# no restrictions on inside lan interface for private network
# change xl0 to your lan nic interface name
#################################################################
$cmd 005 allow all from any to any via xl0

#################################################################
# no restrictions on loopback interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif

#################################################################
# allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# interface facing public internet (outbound section)
# check session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public internet.
#################################################################

# allow out access to my isp's domain name server.
# x.x.x.x must be the ip address of your isp's dns
# dup these lines if your isp has more than one dns server
# get the ip addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
# allow out access to my isp's dhcp server for cable/dsl configurations.
$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state

# allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# allow out secure www function https over tls ssl
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# allow out freebsd (make install & cvsup) functions
# basically give user root "god" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# allow out time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# allow out secure ftp, telnet, and scp
# this function is using ssh (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

#################################################################
# interface facing public internet (inbound section)
# check packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################

# deny all inbound traffic from non-routable reserved address spaces
#$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #rfc 1918 private ip
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #rfc 1918 private ip
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #rfc 1918 private ip
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #dhcp auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #class d & e multicast

# deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# deny all netbios service. 137=name, 138=datagram, 139=session
# netbios is ms/windows sharing services.
# block ms/windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81  in via $pif

# deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# deny ack packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# allow traffic in from isp's dhcp server. this rule must contain
# the ip address of your isp's dhcp server as it's the only
# authorized source to send this packet type.
# only necessary for cable or dsl configurations.
# this rule is not needed for 'user ppp' type connection to
# the public internet. this is the same ip address you captured
# and used in the outbound section.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state

# allow in standard www function because i have apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# allow in secure ftp, telnet, and scp from public internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# allow in non-secure telnet session from public internet
# labeled non-secure because id & pw are passed over public
# internet as clear text.
# delete this sample group if you do not have telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# reject & log all unauthorized incoming connections from the public internet
$cmd 400 deny log all from any to any in via $pif

# reject & log all unauthorized out going connections to the public internet
$cmd 450 deny log all from any to any out via $pif

# this is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ end of ipfw rules file ###############################

  

备注:参数说明:
#$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #rfc 1918 private ip
我的ip地址是192.168.21.173,是属于192.168.0.0/16 ip段,所以这里要注释掉这一行,允许连接外网,否则主机无法联网。
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
是开启ssh默认端口22
3、重启网络服务,使防火墙规则生效

/etc/netstart  #重启网络
/etc/rc.d/ipfw start     #开启防火墙
ipfw disable firewall    #关闭防火墙
ipfw enable firewall   #开启防火墙
/etc/rc.d/ipfw  restart   #重启防火墙
sh /etc/ipfw.rules     #使防火墙规则生效
4、开启ssh服务
(1)ee  /etc/inetd.conf  #编辑,去掉sshd前面的#
ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i -4
(2)ee  /etc/rc.conf   #编辑,在最后添加
sshd_enable="yes"  
(3)ee  /etc/ssh/sshd_config  #编辑配置文件
permitrootlogin yes   #允许root登录
passwordauthentication yes    #使用密码验证
permitemptypasswords no   #不允许空密码登录
/etc/rc.d/sshd start  #启动ssh服务
/etc/rc.d/sshd restart    #重启ssh
配置完成,现在已经可以使用putty等远程连接工具连接服务器了。
#####################################################
扩展阅读:

有两种加载自定义 ipfw 防火墙规则的方法。
其一是将变量 firewall_type 设为包含不带 ipfw(8) 命令行选项的 防火墙规则 文件的完整路径。
例如:
add allow in
add allow out
firewall_type="open"参数说明
open ── 允许所有流量通过。
client ── 只保护本机。
simple ── 保护整个网络。
closed ── 完全禁止除回环设备之外的全部 ip 流量。
unknown ── 禁止加载防火墙规则。
filename ── 到防火墙规则文件的绝对路径。
ipfw防火墙规则集样例在这两个文件中
/etc/rc.firewall
/etc/rc.firewall6
除此之外, 也可以将 firewall_script 变量设为包含 ipfw 命令的可执行脚本, 这样这个脚本会在启动时自动执行。
#####################################################