IPFW Firewall
Gepubliceerd op 30 augustus 2008
Installeren
Eerst moet er bij de sysinstall twee programma’s geïnstalleerd worden.
/usr/sbin/sysinstall
Kies het volgende: Configure, dan Distributions, dan src, dan base en sys en dan “ok”
Configuratie
Commando om de firewall (IPFW) aan te zetten:
kldload -v ipfw.ko
Firewall automatisch bij het opstarten aanzetten:
# ee /etc/rc.conf
firewall_enable="YES" firewall_type="open"
IPFW configuratie file aanpassen: /etc/ipfw.rules
################ Start of IPFW rules file ############################### # Flush out the list before we begin. ipfw -q -f flush # Set rules command prefix cmd="ipfw -q add" pif="em0" # interface name of NIC attached to Internet # Change xl0 to LAN NIC interface name $cmd 00005 allow all from any to any via xl0 # No restrictions on Loopback Interface $cmd 00010 allow all from any to any via lo0 # Allo if it matches an existing entry in the dynamic rules table $cmd 00101 check-state #loopback $cmd 00010 allow all from any to any via lo0 $cmd 00011 deny ip from any to 127.0.0.0/8 $cmd 00012 deny ip from 127.0.0.0/8 to any # ISP DNS # Replace x.x.x.x with the IP address of a public DNS server # and repeat for each DNS server in /etc/resolv.conf $cmd 00020 allow tcp from any to 80.84.224.249 53 out via $pif setup keep-state $cmd 00021 allow udp from any to 80.84.224.249 53 out via $pif keep-state $cmd 00022 allow tcp from any to 80.84.224.26 53 out via $pif setup keep-state $cmd 00023 allow udp from any to 80.84.224.26 53 out via $pif keep-state $cmd 00024 allow tcp from any to 83.96.192.26 53 out via $pif setup keep-state $cmd 00025 allow udp from any to 83.96.192.26 53 out via $pif keep-state # FTP-DATA $cmd 00040 allow tcp from any to any 20 in via $pif $cmd 00041 allow tcp from any to any 20 out via $pif # FTP $cmd 00040 allow tcp from any to any 21 in via $pif $cmd 00041 allow tcp from any to any 21 out via $pif # SSH $cmd 00030 allow tcp from any to any 22 in via $pif setup keep-state $cmd 00031 allow tcp from any to any 22 out via $pif setup keep-state # WWW $cmd 00040 allow tcp from any to any 80 in via $pif $cmd 00041 allow tcp from any to any 80 out via $pif # HTTPS $cmd 00050 allow tcp from any to any 443 in via $pif setup keep-state $cmd 00051 allow tcp from any to any 443 out via $pif setup keep-state # PLESK $cmd 00060 allow tcp from any to any 8443 in via $pif setup keep-state $cmd 00061 allow tcp from any to any 8443 out via $pif setup keep-state # POPPASSD (Plesk) $cmd 00060 allow tcp from 127.0.0.0/8 to any 106 in via $pif setup keep-state $cmd 00061 allow tcp from 127.0.0.0/8 to any 106 out via $pif setup keep-state $cmd 00060 allow udp from 127.0.0.0/8 to any 106 in via $pif setup keep-state $cmd 00061 allow udp from 127.0.0.0/8 to any 106 out via $pif setup keep-state # AUTH (Plesk) $cmd 00041 allow tcp from any to any 113 out via $pif # SMTPS (Plesk) $cmd 00070 allow tcp from any to any 465 in via $pif setup keep-state $cmd 00071 allow tcp from any to any 465 out via $pif setup keep-state $cmd 00072 allow udp from any to any 465 in via $pif setup keep-state $cmd 00073 allow udp from any to any 465 out via $pif setup keep-state # FTPS (Plesk) $cmd 00070 allow tcp from any to any 990 in via $pif setup keep-state $cmd 00071 allow tcp from any to any 990 out via $pif setup keep-state $cmd 00072 allow udp from any to any 990 in via $pif setup keep-state $cmd 00073 allow udp from any to any 990 out via $pif setup keep-state # plesk-license-update $cmd 00071 allow tcp from any to any 5224 out via $pif setup keep-state $cmd 00073 allow udp from any to any 5224 out via $pif setup keep-state # SEND & GET EMAIL $cmd 00070 allow tcp from any to any 25 in via $pif setup keep-state $cmd 00071 allow tcp from any to any 25 out via $pif setup keep-state $cmd 00072 allow tcp from any to any 110 in via $pif setup keep-state $cmd 00073 allow tcp from any to any 110 out via $pif setup keep-state $cmd 00074 allow tcp from any to any 143 in via $pif setup keep-state $cmd 00075 allow tcp from any to any 143 out via $pif setup keep-state $cmd 00076 allow tcp from any to any 993 in via $pif setup keep-state $cmd 00077 allow tcp from any to any 993 out via $pif setup keep-state $cmd 00078 allow tcp from any to any 995 in via $pif setup keep-state $cmd 00079 allow tcp from any to any 995 out via $pif setup keep-state # PING $cmd 00080 allow icmp from any to any in via $pif setup keep-state $cmd 00081 allow icmp from any to any out via $pif setup keep-state # TIME $cmd 00090 allow tcp from any to any 37 out via $pif setup keep-state # NTP $cmd 00100 allow udp from any to any 123 out via $pif setup keep-state # NNTP NEWS (i.e. news groups) $cmd 00110 allow tcp from any to any 119 in via $pif setup keep-state $cmd 00111 allow tcp from any to any 119 out via $pif setup keep-state # WHOIS $cmd 00120 allow tcp from any to any 43 in via $pif setup keep-state $cmd 00121 allow tcp from any to any 43 out via $pif setup keep-state # FBSD (make install & CVSUP) $cmd 00130 allow tcp from any to any out via $pif setup keep-state uid root # Deny all Netbios service $cmd 00140 deny tcp from any to any 137 in via $pif $cmd 00141 deny tcp from any to any 138 in via $pif $cmd 00142 deny tcp from any to any 139 in via $pif $cmd 00143 deny tcp from any to any 81 in via $pif # MYSQL $cmd 00120 allow tcp from any to any 3306 in via $pif setup keep-state $cmd 00121 allow udp from any to any 3306 in via $pif setup keep-state # PostgreSQL $cmd 00120 allow tcp from any to any 5432 in via $pif setup keep-state # TOMCAT $cmd 00120 allow tcp from any to any 8080 in via $pif setup keep-state # Coyote and Warp (Tomcat Java) connectors in Plesk $cmd 00120 allow tcp from any to any 9080 in via $pif setup keep-state $cmd 00120 allow tcp from any to any 9008 in via $pif setup keep-state $cmd 00150 deny log ip from any to any
De nieuwe firewall regels inladen:
# sh /etc/ipfw.rules
/etc/ipfw.rules.jdn
In /etc/sysctl.conf kan een instelling gemaakt worden waardoor loggen na volgende herstarts wordt ingeschakeld:
net.inet.ip.fw.verbose_limit=5
Je kunt controleren of de instellingen verwerkt zijn:
# ipfw -t list
Links
- Zie ook: IPFW (Freebsd handboek)
Over de auteur
