# sysrc firewall_enable="YES"# service ipfw enable # 须重启后生效# service ipfw start
Firewall rules loaded.
Firewall logging enabled.
ifconfig: interface ipfw0 already exists
Firewall logging pseudo-interface (ipfw0) created./usr/local/etc/ipfw.rules 文件最后更新于
# service ipfw status
ipfw is enabled/
├── etc
│ └── ipfw.rules
├── usr
│ └── local
│ └── etc
│ └── ipfw.rules
└── boot
└── loader.confsysrc firewall_type="open"sysctl net.inet.ip.fw.default_to_accept=1sysrc firewall_script="/usr/local/etc/ipfw.rules"sysrc firewall_logging="YES"sysrc firewall_logif="YES"# ipfw list # 显示当前 IPFW 防火墙规则列表
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
65000 allow ip from any to any # 注意此处,允许所有其他 IP 流量
65535 deny ip from any to any # 拒绝所有未匹配流量cmd="ipfw -q add" # 定义一个变量 cmd,用于简化后续添加规则的命令
ipfw -q -f flush # -q 选项表示静默模式,避免输出冗余信息
# loopback
$cmd 10 allow all from any to any via lo0 # 允许所有通过回环接口 lo0 的流量
$cmd 20 deny all from any to 127.0.0.0/8 # 拒绝任何来自外部的访问回环地址范围(127.0.0.0/8)的流量,防止伪造的回环地址通信
$cmd 30 deny all from 127.0.0.0/8 to any # 拒绝来自回环地址范围的任何流量离开本地主机,进一步确保回环地址的安全性
$cmd 40 deny tcp from any to any frag # 拒绝所有分片的 TCP 数据包,有助于防范某些类型的攻击
# statefull
$cmd 50 check-state # 检查现有会话状态,允许已建立的连接继续通信
$cmd 60 allow tcp from any to any established # 允许所有已建立的 TCP 连接的数据包通过
$cmd 70 allow all from any to any out keep-state # 允许所有向外的流量,并对其创建状态记录,以便响应流量能够自动通过
$cmd 80 allow icmp from any to any # 允许所有 ICMP 数据包,支持网络诊断和错误报告功能
# open port for ssh
$cmd 110 allow tcp from any to any 22 out # 允许所有向外的 SSH 流量
$cmd 120 allow tcp from any to any 22 in # 确保可以通过 SSH 访问该主机
# open port for samba
$cmd 130 allow tcp from any to any 139 out # 允许 TCP 端口 139 的出站流量
$cmd 140 allow tcp from any to any 139 in # 允许 TCP 端口 139 的入站流量
$cmd 150 allow tcp from any to any 445 out # 允许 TCP 端口 445 的出站流量
$cmd 160 allow tcp from any to any 445 in # 允许 TCP 端口 445 的入站流量
$cmd 170 allow udp from any to any 137 out # 允许 UDP 端口 137 的出站流量
$cmd 180 allow udp from any to any 137 in # 允许 UDP 端口 137 的入站流量
$cmd 190 allow udp from any to any 138 out # 允许 UDP 端口 138 的出站流量
$cmd 200 allow udp from any to any 138 in # 允许 UDP 端口 138 的入站流量
# deny and log everything
$cmd 500 deny log all from any to any # 拒绝并记录所有流量的规则 500# ipfw add [规则编号] ① [动作] [协议] from [源地址] to [目标地址] [其他条件]$cmd 500 deny log all from any to any# ipfw add 500 deny log all from any to any# echo 'net.inet.ip.fw.default_to_accept="1"' >> /boot/loader.conf# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
65535 allow ip from any to any # 默认最后一条规则,放行任何来源到任何目标的所有 IP 流量