• 企业400电话
  • 微网小程序
  • AI电话机器人
  • 电商代运营
  • 全 部 栏 目

    企业400电话 网络优化推广 AI电话机器人 呼叫中心 网站建设 商标✡知产 微网小程序 电商运营 彩铃•短信 增值拓展业务
    FreeBSD配置防火墙开启SSH服务的方法
    1、配置FreeBSD 防火墙
    ee /etc/rc.conf   #编辑,在最后添加
    firewall_enable="yes"  #开启防火墙
    net.inet.ip.fw.verbose=1   #启用防火墙日志功能
    net.inet.ip.fw.verbose_limit=5  #启用防火墙日志功能
    natd_enable="YES"  # 开启防火墙NAT功能
    natd_interface="rl0"     
    natd_flags="-dynamic -m"
    firewall_script="/etc/ipfw.rules"      #自定义防火墙规则路径
    按esc,回车,再按a保存配置

    2、添加防火墙规则

    ee /etc/ipfw.rules    #编辑防火墙规则,添加以下代码

    #!/bin/sh
    ################ Start of IPFW rules file ######################
    # Flush out the list before we begin.
    ipfw -q -f flush
    
    # Set rules command prefix
    cmd="ipfw -q add"
    skip="skipto 800"
    pif="rl0"     # public interface name of NIC
                  # facing the public Internet
    
    #################################################################
    # No restrictions on Inside LAN Interface for private network
    # Change xl0 to your LAN NIC interface name
    #################################################################
    $cmd 005 allow all from any to any via xl0
    
    #################################################################
    # No restrictions on Loopback Interface
    #################################################################
    $cmd 010 allow all from any to any via lo0
    
    #################################################################
    # check if packet is inbound and nat address if it is
    #################################################################
    $cmd 014 divert natd ip from any to any in via $pif
    
    #################################################################
    # Allow the packet through if it has previous been added to the
    # the "dynamic" rules table by a allow keep-state statement.
    #################################################################
    $cmd 015 check-state
    
    #################################################################
    # Interface facing Public Internet (Outbound Section)
    # Check session start requests originating from behind the
    # firewall on the private network or from this gateway server
    # destined for the public Internet.
    #################################################################
    
    # Allow out access to my ISP's Domain name server.
    # x.x.x.x must be the IP address of your ISP's DNS
    # Dup these lines if your ISP has more than one DNS server
    # Get the IP addresses from /etc/resolv.conf file
    $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
    # Allow out access to my ISP's DHCP server for cable/DSL configurations.
    $cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state
    
    # Allow out non-secure standard www function
    $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
    
    # Allow out secure www function https over TLS SSL
    $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
    
    # Allow out send  get email function
    $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
    $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
    
    # Allow out FreeBSD (make install  CVSUP) functions
    # Basically give user root "GOD" privileges.
    $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
    
    # Allow out ping
    $cmd 080 $skip icmp from any to any out via $pif keep-state
    
    # Allow out Time
    $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
    
    # Allow out nntp news (i.e. news groups)
    $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
    
    # Allow out secure FTP, Telnet, and SCP
    # This function is using SSH (secure shell)
    $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
    
    # Allow out whois
    $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
    
    # Allow ntp time server
    $cmd 130 $skip udp from any to any 123 out via $pif keep-state
    
    #################################################################
    # Interface facing Public Internet (Inbound Section)
    # Check packets originating from the public Internet
    # destined for this gateway server or the private network.
    #################################################################
    
    # Deny all inbound traffic from non-routable reserved address spaces
    #$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
    $cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
    $cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
    $cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
    $cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
    $cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
    $cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs
    $cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
    $cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D  E multicast
    
    # Deny ident
    $cmd 315 deny tcp from any to any 113 in via $pif
    
    # Deny all Netbios service. 137=name, 138=datagram, 139=session
    # Netbios is MS/Windows sharing services.
    # Block MS/Windows hosts2 name server requests 81
    $cmd 320 deny tcp from any to any 137 in via $pif
    $cmd 321 deny tcp from any to any 138 in via $pif
    $cmd 322 deny tcp from any to any 139 in via $pif
    $cmd 323 deny tcp from any to any 81  in via $pif
    
    # Deny any late arriving packets
    $cmd 330 deny all from any to any frag in via $pif
    
    # Deny ACK packets that did not match the dynamic rule table
    $cmd 332 deny tcp from any to any established in via $pif
    
    # Allow traffic in from ISP's DHCP server. This rule must contain
    # the IP address of your ISP's DHCP server as it's the only
    # authorized source to send this packet type.
    # Only necessary for cable or DSL configurations.
    # This rule is not needed for 'user ppp' type connection to
    # the public Internet. This is the same IP address you captured
    # and used in the outbound section.
    $cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state
    
    # Allow in standard www function because I have Apache server
    $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
    
    # Allow in secure FTP, Telnet, and SCP from public Internet
    $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
    
    # Allow in non-secure Telnet session from public Internet
    # labeled non-secure because ID  PW are passed over public
    # Internet as clear text.
    # Delete this sample group if you do not have telnet server enabled.
    $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
    
    # Reject  Log all unauthorized incoming connections from the public Internet
    $cmd 400 deny log all from any to any in via $pif
    
    # Reject  Log all unauthorized out going connections to the public Internet
    $cmd 450 deny log all from any to any out via $pif
    
    # This is skipto location for outbound stateful rules
    $cmd 800 divert natd ip from any to any out via $pif
    $cmd 801 allow ip from any to any
    
    # Everything else is denied by default
    # deny and log all packets that fell through to see what they are
    $cmd 999 deny log all from any to any
    ################ End of IPFW rules file ###############################
    
      

    备注:参数说明:
    #$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
    我的IP地址是192.168.21.173,是属于192.168.0.0/16 IP段,所以这里要注释掉这一行,允许连接外网,否则主机无法联网。
    $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
    是开启SSH默认端口22
    3、重启网络服务,使防火墙规则生效

    /etc/netstart  #重启网络
    /etc/rc.d/ipfw start     #开启防火墙
    ipfw disable firewall    #关闭防火墙
    ipfw enable firewall   #开启防火墙
    /etc/rc.d/ipfw  restart   #重启防火墙
    sh /etc/ipfw.rules     #使防火墙规则生效
    4、开启SSH服务
    (1)ee  /etc/inetd.conf  #编辑,去掉sshd前面的#
    ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i -4
    (2)ee  /etc/rc.conf   #编辑,在最后添加
    sshd_enable="yes"  
    (3)ee  /etc/ssh/sshd_config  #编辑配置文件
    PermitRootLogin yes   #允许root登录
    PasswordAuthentication yes    #使用密码验证
    PermitEmptyPasswords no   #不允许空密码登录
    /etc/rc.d/sshd start  #启动ssh服务
    /etc/rc.d/sshd restart    #重启ssh
    配置完成,现在已经可以使用Putty等远程连接工具连接服务器了。
    #####################################################
    扩展阅读:

    有两种加载自定义 ipfw 防火墙规则的方法。
    其一是将变量 firewall_type 设为包含不带 ipfw(8) 命令行选项的 防火墙规则 文件的完整路径。
    例如:
    add allow in
    add allow out
    firewall_type="open"参数说明
    open ── 允许所有流量通过。
    client ── 只保护本机。
    simple ── 保护整个网络。
    closed ── 完全禁止除回环设备之外的全部 IP 流量。
    UNKNOWN ── 禁止加载防火墙规则。
    filename ── 到防火墙规则文件的绝对路径。
    IPFW防火墙规则集样例在这两个文件中
    /etc/rc.firewall
    /etc/rc.firewall6
    除此之外, 也可以将 firewall_script 变量设为包含 ipfw 命令的可执行脚本, 这样这个脚本会在启动时自动执行。
    #####################################################

    上一篇:FreeBSD下修改安装源的方法
    下一篇:FreeBSD设置IP地址、网关、DNS的方法
  • 相关文章
  • 

    © 2016-2020 巨人网络通讯 版权所有

    《增值电信业务经营许可证》 苏ICP备15040257号-8

    FreeBSD配置防火墙开启SSH服务的方法 FreeBSD,配置,防火墙,开启,