wiki:freebsd:ipfw
Различия
Показаны различия между двумя версиями страницы.
| wiki:freebsd:ipfw [2023/04/04 10:07] – Diman | wiki:freebsd:ipfw [2024/01/29 11:41] (текущий) – Diman | ||
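--- a/wiki:freebsd:ipfw
+++ b/wiki:freebsd:ipfw
@@ -1 +1 @@
+====== Настройка ipfw на сервере FreeBSD. ======
+
+===== Включение ipfw без пересборки ядра =====
+==== Подготовка и настройка ОСи ====
+
+
+<code bash>
+# russian lang for root
+
+sysrc keymap="
+echo '# RUS'
+echo '
+
+pw usermod -n root -L russian
+
+echo '# RUS
+LANG=ru_RU.UTF-8
+export LANG
+MM_CHARSET=UTF-8
+export MM_CHARSET
+export EDITOR=/
+echo '
+
+
+
+pkg update && pkg upgrade
+
+pkg install -y mc nano rsync tmux bash htop bind-tools
+
+# replace bash for root
+chsh -s /
+
+
+
+
+</
+
+==== Включение ipfw ====
+
+<code bash>
+
+echo '# IPFW
+ipfw_load="
+ipfw_nat_load="
+firewall_logif="
+# PIPE + dummynet
+ipdivert_load="
+dummynet_load="
+ng_pipe_load="
+# SETFIB
+net.fibs="
+
+</
+
+==== Работающий в первый же запуск скрипт ipfw ====
+
+<code bash>
+echo '#
+
+cmd="/
+$cmd -f flush
+
+$cmd disable one_pass
+$cmd add allow all from any to any via lo0
+$cmd add deny all from any to 127.0.0.0/8
+$cmd add deny all from 127.0.0.0/8 to any
+$cmd add deny all from any to any frag
+
+# ssh
+$cmd table admin create missing
+$cmd table admin add 10.1.1.0/24
+$cmd table admin add 192.168.10.0/
+
+$cmd add check-state
+#$cmd add allow tcp from any to any established
+$cmd add allow all from any to any out keep-state
+
+$cmd add allow ip from "
+
+# Ping
+$cmd add allow icmp from "
+$cmd add allow icmp from me to "
+
+$cmd add allow all from any to any
+$cmd add deny log all from any to any' > /
+
+sysrc firewall_enable="
+sysrc firewall_script="/
+sysrc firewall_logging="
+
+</
+
+==== NTPd ====
+
+<code bash>
+# ntpd
+echo '# NTP
+
+server ntp.ix.ru iburst maxpoll 9 prefer
+server ntp2.aas.ru iburst maxpoll 9
+server 0.freebsd.pool.ntp.org iburst maxpoll 9
+server 1.freebsd.pool.ntp.org iburst maxpoll 9
+
+restrict default ignore
+
+restrict 127.0.0.1
+restrict ntp.ix.ru
+restrict ntp2.aas.ru
+restrict 0.freebsd.pool.ntp.org
+interface ignore wildcard
+interface listen igb0
+
+logfile /
+driftfile /
+' > /
+
+touch /
+touch /
+
+sysrc ntpd_enable="
+sysrc ntpdate_enable="
+sysrc ntpdate_hosts="
+sysrc ntpd_sync_on_start="
+
+service ntpd start
+
+</
+
+==== Включение NAT ====
+
+
+<code bash>
+
+sysrc gateway_enable="
+
+</
+
+
+===== fw =====
+
+
 <file bash ipfw.sh>
 #
@@ -45 +186 @@
 #$cmd add allow tcp from any to me 443 in limit src-addr 80
 #$cmd add allow tcp from any to me 80 in limit src-addr 80
+
+# Ping
+$cmd add allow icmp from "
+$cmd add allow icmp from me to "
+
+# allow ping
+$cmd add allow icmp from me to any out icmptype 0,8
+$cmd add allow icmp from any to me in icmptype 0,8
+
+# NAT
+# ssh in
+$cmd add nat 1 tcp from any to any 22022 in via ${WAN}
+# TCP 163.172.255.167:
+$cmd add nat 1 tcp from ${ToIP} to ${IP} in via ${WAN}
+
+$cmd add nat 1 tcp from any to any 29000 in limit src-addr ${LIM} via ${WAN}
+$cmd add nat 1 tcp from any to any 29001 in limit src-addr ${LIM} via ${WAN}
+$cmd add nat 1 tcp from any to any 29002 in limit src-addr ${LIM} via ${WAN}
+$cmd add nat 1 tcp from any to any 29003 in limit src-addr ${LIM} via ${WAN}
+$cmd add nat 1 tcp from any to any 32550 in limit src-addr ${LIM} via ${WAN}
+
+# Собственно - редирект портов
+$cmd nat 1 config log if ${WAN} same_ports reset \
+redirect_port tcp ${ToIP}:22 22022 \
+redirect_port tcp ${ToIP}:
+redirect_port tcp ${ToIP}:
+redirect_port tcp ${ToIP}:
+redirect_port tcp ${ToIP}:
+redirect_port tcp ${ToIP}:
+
+
+#Deny TCP 46.160.11.108:
+$cmd add allow tcp from any to any 29000 in via ${WAN}
+
+# TCP 195.3.134.136:
+$cmd add nat 1 tcp from any to any out via ${WAN}
+
+# 188.191.23.31:
+$cmd add nat 1 ip from any to ${ToIP} 22 out via ${WAN}
+
+# TCP 51.159.5.135:
+$cmd add nat 1 ip from ${IP},
+#TCP 163.172.255.167:
+#$cmd add nat 1 ip from ${ToIP} 22 to any out via ${WAN}
+
+#
+# nat - debug
+# $cmd add nat 1 log tcp from any to any via ${WAN}
+#
 </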
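Review bot: In the first-boot ipfw script under `==== Работающий в первый же запуск скрипт ipfw ====`, `$cmd add allow all from any to any` is placed directly before `$cmd add deny log all from any to any`, so the final deny can never match, nothing is logged, and the `table(admin)` rule for ssh above it restricts nothing — every inbound port is reachable from anywhere. If the unconditional allow is a deliberate guard against locking yourself out on the first boot, mark it as such next to the rule, e.g. `# TEMPORARY: allow-all until the admin table is verified; remove before exposing the host`, otherwise drop that line so the deny/log rule takes effect. In the NTP block, `restrict default ignore` is followed by `restrict` entries for only three of the four configured servers; `1.freebsd.pool.ntp.org` has none, so its replies will be discarded under the default policy — add `restrict 1.freebsd.pool.ntp.org` in the same form as the other server entries (their trailing flags, if any, are cut off in this view). In the second hunk the comment that begins `#Deny TCP` sits above `$cmd add allow tcp from any to any 29000 in via ${WAN}`, which is an allow rule, so either the comment or the action is wrong and should be reconciled. The `${WAN}`, `${ToIP}`, `${IP}` and `${LIM}` variables that these NAT rules depend on are assigned outside the hunk, so their presence cannot be checked here.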
