| wiki:freebsd:ipfw [2024/01/07 14:20] – Diman | wiki:freebsd:ipfw [2024/01/29 14:41] (текущий) – Diman | ||
|---|---|---|---|
| Строка 2: | Строка 2: | ||
| ===== Включение ipfw без пересборки ядра ===== | ===== Включение ipfw без пересборки ядра ===== | ||
| + | ==== Подготовка и настройка ОСи ==== | ||
| + | |||
| <code bash> | <code bash> | ||
| + | # russian lang for root | ||
| sysrc keymap=" | sysrc keymap=" | ||
| echo '# RUS' | echo '# RUS' | ||
| echo ' | echo ' | ||
| + | |||
| + | pw usermod -n root -L russian | ||
| + | |||
| + | echo '# RUS | ||
| + | LANG=ru_RU.UTF-8 | ||
| + | export LANG | ||
| + | MM_CHARSET=UTF-8 | ||
| + | export MM_CHARSET | ||
| + | export EDITOR=/ | ||
| + | echo ' | ||
| + | |||
| pkg update && pkg upgrade | pkg update && pkg upgrade | ||
| - | pkg install | + | |
| + | pkg install | ||
| + | |||
| + | # replace bash for root | ||
| + | chsh -s / | ||
| + | |||
| + | |||
| </ | </ | ||
| + | ==== Включение ipfw ==== | ||
| + | |||
| + | <code bash> | ||
| + | |||
| + | echo '# IPFW | ||
| + | ipfw_load=" | ||
| + | ipfw_nat_load=" | ||
| + | firewall_logif=" | ||
| + | # PIPE + dummynet | ||
| + | ipdivert_load=" | ||
| + | dummynet_load=" | ||
| + | ng_pipe_load=" | ||
| + | # SETFIB | ||
| + | net.fibs=" | ||
| + | |||
| + | </ | ||
| + | |||
| + | ==== Работающий в первый же запуск скрипт ipfw ==== | ||
| + | |||
| + | <code bash> | ||
| + | echo '# | ||
| + | |||
| + | cmd="/ | ||
| + | $cmd -f flush | ||
| + | |||
| + | $cmd disable one_pass | ||
| + | $cmd add allow all from any to any via lo0 | ||
| + | $cmd add deny all from any to 127.0.0.0/8 | ||
| + | $cmd add deny all from 127.0.0.0/8 to any | ||
| + | $cmd add deny all from any to any frag | ||
| + | |||
| + | # ssh | ||
| + | $cmd table admin create missing | ||
| + | $cmd table admin add 10.1.1.0/24 | ||
| + | $cmd table admin add 192.168.10.0/ | ||
| + | |||
| + | $cmd add check-state | ||
| + | #$cmd add allow tcp from any to any established | ||
| + | $cmd add allow all from any to any out keep-state | ||
| + | |||
| + | $cmd add allow ip from " | ||
| + | |||
| + | # Ping | ||
| + | $cmd add allow icmp from " | ||
| + | $cmd add allow icmp from me to " | ||
| + | |||
| + | $cmd add allow all from any to any | ||
| + | $cmd add deny log all from any to any' > / | ||
| + | |||
| + | sysrc firewall_enable=" | ||
| + | sysrc firewall_script="/ | ||
| + | sysrc firewall_logging=" | ||
| + | |||
| + | </ | ||
| + | |||
| + | ==== NTPd ==== | ||
| + | |||
| + | <code bash> | ||
| + | # ntpd | ||
| + | echo '# NTP | ||
| + | |||
| + | server ntp.ix.ru iburst maxpoll 9 prefer | ||
| + | server ntp2.aas.ru iburst maxpoll 9 | ||
| + | server 0.freebsd.pool.ntp.org iburst maxpoll 9 | ||
| + | server 1.freebsd.pool.ntp.org iburst maxpoll 9 | ||
| + | |||
| + | restrict default ignore | ||
| + | |||
| + | restrict 127.0.0.1 | ||
| + | restrict ntp.ix.ru | ||
| + | restrict ntp2.aas.ru | ||
| + | restrict 0.freebsd.pool.ntp.org | ||
| + | interface ignore wildcard | ||
| + | interface listen igb0 | ||
| + | |||
| + | logfile / | ||
| + | driftfile / | ||
| + | ' > / | ||
| + | |||
| + | touch / | ||
| + | touch / | ||
| + | |||
| + | sysrc ntpd_enable=" | ||
| + | sysrc ntpdate_enable=" | ||
| + | sysrc ntpdate_hosts=" | ||
| + | sysrc ntpd_sync_on_start=" | ||
| + | |||
| + | service ntpd start | ||
| + | |||
| + | </ | ||
| + | |||
| + | ==== Включение NAT ==== | ||
| + | |||
| + | |||
| + | <code bash> | ||
| + | |||
| + | sysrc gateway_enable=" | ||
| + | |||
| + | </ | ||
| + | |||
| + | |||
| + | ===== fw ===== | ||
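Review bot: The closing `$cmd add deny log all from any to any` in the generated firewall script is unreachable, because the line directly above it, `$cmd add allow all from any to any`, already matches every packet, so nothing is ever logged or denied and the `admin` table rules above it have no practical effect on inbound traffic. If the allow-all is a bring-up convenience so the host stays reachable on first boot, mark it as such, e.g. `# TEMP: allow-all until required services are listed; remove so deny-log becomes the default`, otherwise drop it so the logging deny is the default policy. Several of the added lines are cut off in this rendering (`cmd="/`, the `allow ip from "` and `allow icmp from "` rules, the `sysrc` values), so the exact table references and paths cannot be checked here. The same script also runs `$cmd -f flush` before the `check-state` and `keep-state` rules, which is the usual order and fine.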
wiki/freebsd/ipfw.1704626451.txt.gz · Последнее изменение: — Diman
