第 15.4 节 ipfirewall(IPFW)
IPFIREWALL (IPFW,IP 防火墙) 是一款由 FreeBSD 发起的防火墙应用软件,它由 FreeBSD 项目编写和维护。
ipfw 在基本系统的内核(GENERIC)作为可加载模块而存在。它默认会有一条规则,规则号为 65535,是不可以删除的:这条规则会把所有流量都切断。故在未配置好防火墙钱,请勿启动 ipfw,否则就会面临被阻挡在防火墙之外的麻烦。
服务项
开机自动启动防火墙相应的内核模块:
# sysrc firewall_enable="YES" # 参见 https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/routing#L387或者
# service ipfw enable # 须重启后生效启动 ipfw:
# service ipfw start
Firewall rules loaded.
Firewall logging enabled.
ifconfig: interface ipfw0 already exists
Firewall logging pseudo-interface (ipfw0) created.查看 ipfw 状态:
# service ipfw status
ipfw is enabled其他 RC 配置
# sysrc firewall_type="open" # 允许任何访问。如果不这么做,会调用默认规则 65535——deny ip from any to any,拒绝所有 IP。你就只能去物理机上再操作了。基本等同于 net.inet.ip.fw.default_to_accept="1"
# sysrc firewall_script="/usr/local/etc/ipfw.rules" # 指定 ipfw 规则的路径,在此处编辑规则
# sysrc firewall_logging="YES" # 这样 ipfw 就可以打印日志
# sysrc firewall_logif="YES" # 把日志打印到 `ipfw0` 这个设备里按上面的配置后的规则:
# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
65000 allow ip from any to any # 注意此处
65535 deny ip from any to any编辑 /usr/local/etc/ipfw.rules 文件:
/usr/local/etc/ipfw.rules 文件:注意
ipfw 命令是一次性的,它会在执行时即时生效,但不会永久保存规则。你须写入指定的规则文件。
指定防火墙规则:
cmd="ipfw -q add" # 定义一个变量 cmd,用于简化后续添加规则的命令。
ipfw -q -f flush # -q 选项表示静默模式,避免输出冗余信息。
# loopback
$cmd 10 allow all from any to any via lo0 # 允许所有通过回环接口 lo0 的流量。
$cmd 20 deny all from any to 127.0.0.0/8 # 拒绝任何试图访问本地回环地址范围(127.0.0.0/8)的外部流量,防止伪造的回环地址通信。
$cmd 30 deny all from 127.0.0.0/8 to any # 拒绝来自回环地址范围的任何流量离开本地主机,进一步确保回环地址的安全性。
$cmd 40 deny tcp from any to any frag # 拒绝所有分片的 TCP 数据包,有助于防范某些类型的攻击。
# statefull
$cmd 50 check-state # 检查现有的会话状态,允许已建立的会话继续通信。
$cmd 60 allow tcp from any to any established # 允许所有已建立的 TCP 连接的数据包通过。
$cmd 70 allow all from any to any out keep-state # 允许所有向外的流量,并对其创建状态记录,以便响应流量能够自动通过。
$cmd 80 allow icmp from any to any # 允许所有 ICMP 数据包,支持网络诊断和错误报告功能。
# open port for ssh
$cmd 110 allow tcp from any to any 22 out # 允许所有向外的 SSH 流量
$cmd 120 allow tcp from any to any 22 in # 确保可以通过 SSH 访问该主机。
# open port for samba # 允许与 Samba 文件共享服务相关的端口(137-139 和 445)的进出流量,确保 Samba 服务正常运行。
$cmd 130 allow tcp from any to any 139 out
$cmd 140 allow tcp from any to any 139 in
$cmd 150 allow tcp from any to any 445 out
$cmd 160 allow tcp from any to any 445 in
$cmd 170 allow udp from any to any 137 out
$cmd 180 allow udp from any to any 137 in
$cmd 190 allow udp from any to any 138 out
$cmd 200 allow udp from any to any 138 in
# deny and log everything # 拒绝所有未明确允许的流量,并将其记录到日志中,便于审计和故障排查。
$cmd 500 deny log all from any to any我们可以把默认拒绝的规则
65535 deny ip from any to any改成默认允许
# echo net.inet.ip.fw.default_to_accept="1" >> /boot/loader.conf查看 ipfw 规则
# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
65535 allow ip from any to any # 注意此处是默认允许了,后面没了最后更新于