wiki:freebsd:ipfw
| wiki:freebsd:ipfw [2024/01/07 11:59] – [Включение ipfw] Diman | wiki:freebsd:ipfw [2026/03/25 12:26] (текущий) – [Работающий в первый же запуск скрипт ipfw] Diman | ||
| Строка 6: | Строка 6: | ||
| <code bash> | <code bash> | ||
| + | # | ||
| + | # Установим кое-какие пакеты | ||
| + | # | ||
| + | pkg update && pkg upgrade | ||
| + | pkg install -y mc nano rsync tmux bash htop bind-tools | ||
| + | |||
| + | # replace bash for root | ||
| + | chsh -s / | ||
| + | |||
| # russian lang for root | # russian lang for root | ||
| Строка 24: | Строка 33: | ||
| - | pkg update && pkg upgrade | ||
| - | |||
| - | pkg install -y mc nano rsync screen tmux bash htop | ||
| - | |||
| - | # replace bash for root | ||
| - | chsh -s / | ||
| Строка 40: | Строка 43: | ||
| <code bash> | <code bash> | ||
| - | echo '# IPFW | + | # |
| + | # Перейти в BASH | ||
| + | # | ||
| + | bash | ||
| + | |||
| + | cat <<EOF >> / | ||
| + | |||
| + | # IPFW | ||
| ipfw_load=" | ipfw_load=" | ||
| ipfw_nat_load=" | ipfw_nat_load=" | ||
| firewall_logif=" | firewall_logif=" | ||
| + | # PIPE + dummynet | ||
| ipdivert_load=" | ipdivert_load=" | ||
| dummynet_load=" | dummynet_load=" | ||
| ng_pipe_load=" | ng_pipe_load=" | ||
| + | |||
| # SETFIB | # SETFIB | ||
| - | net.fibs=" | + | net.fibs=" |
| + | EOF | ||
| + | </ | ||
| + | |||
| + | ==== Работающий в первый же запуск скрипт ipfw ==== | ||
| + | |||
| + | <code bash> | ||
| echo '# | echo '# | ||
| Строка 61: | Строка 79: | ||
| $cmd add deny all from 127.0.0.0/8 to any | $cmd add deny all from 127.0.0.0/8 to any | ||
| $cmd add deny all from any to any frag | $cmd add deny all from any to any frag | ||
| - | + | ||
| - | $cmd add check-state | + | |
| - | $cmd add allow tcp from any to any established | + | |
| - | $cmd add allow all from any to any out keep-state | + | |
| - | + | ||
| # ssh | # ssh | ||
| $cmd table admin create missing | $cmd table admin create missing | ||
| $cmd table admin add 10.1.1.0/24 | $cmd table admin add 10.1.1.0/24 | ||
| $cmd table admin add 192.168.10.0/ | $cmd table admin add 192.168.10.0/ | ||
| + | |||
| + | $cmd add check-state | ||
| + | #$cmd add allow tcp from any to any established | ||
| + | $cmd add allow all from any to any out keep-state | ||
| $cmd add allow ip from " | $cmd add allow ip from " | ||
| - | |||
| - | # HTTP && HTTPS | ||
| - | $cmd add allow tcp from any to me 443 in limit src-addr 50 | ||
| - | $cmd add allow tcp from any to me 80 in limit src-addr 20 | ||
| - | |||
| - | |||
| - | $cmd add allow tcp from me to any 25 out | ||
| - | $cmd add allow tcp from any 25 to me in | ||
| # Ping | # Ping | ||
| $cmd add allow icmp from " | $cmd add allow icmp from " | ||
| $cmd add allow icmp from me to " | $cmd add allow icmp from me to " | ||
| + | |||
| $cmd add allow all from any to any | $cmd add allow all from any to any | ||
| - | + | $cmd add deny log all from any to any' > /etc/fw-script.sh | |
| - | $cmd add deny log all from any to any' > /etc/ipfw.script | + | |
| sysrc firewall_enable=" | sysrc firewall_enable=" | ||
| - | sysrc firewall_script="/ | + | sysrc firewall_script="/ |
| sysrc firewall_logging=" | sysrc firewall_logging=" | ||
| + | </ | ||
| + | |||
| + | ==== NTPd ==== | ||
| + | |||
| + | <code bash> | ||
| + | # ntpd | ||
| + | echo '# NTP | ||
| + | |||
| + | server ntp.ix.ru iburst maxpoll 9 prefer | ||
| + | server ntp2.aas.ru iburst maxpoll 9 | ||
| + | server 0.freebsd.pool.ntp.org iburst maxpoll 9 | ||
| + | server 1.freebsd.pool.ntp.org iburst maxpoll 9 | ||
| + | |||
| + | restrict default ignore | ||
| + | |||
| + | restrict 127.0.0.1 | ||
| + | restrict ntp.ix.ru | ||
| + | restrict ntp2.aas.ru | ||
| + | restrict 0.freebsd.pool.ntp.org | ||
| + | interface ignore wildcard | ||
| + | interface listen igb0 | ||
| + | |||
| + | logfile / | ||
| + | driftfile / | ||
| + | ' > / | ||
| + | |||
| + | touch / | ||
| + | touch / | ||
| + | |||
| + | sysrc ntpd_enable=" | ||
| + | sysrc ntpdate_enable=" | ||
| + | sysrc ntpdate_hosts=" | ||
| + | sysrc ntpd_sync_on_start=" | ||
| + | |||
| + | service ntpd start | ||
| </ | </ | ||
| + | ==== Включение NAT ==== | ||
| + | |||
| + | |||
| + | <code bash> | ||
| + | |||
| + | sysrc gateway_enable=" | ||
| + | |||
| + | </ | ||
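Review bot: In the "Строка 61" hunk of the ipfw script, `$cmd add allow all from any to any` (the context line right before the final `deny log all`) matches every packet, so the closing deny rule — and the per-source `limit` rules that were removed — can never fire; the script as written is effectively allow-all, and the commit does not address this. Either drop that line or turn it into an explicit, commented allow for the interfaces or tables you actually trust, e.g. `# TODO: replace with allow rules for required services only` followed by `$cmd add deny log all from any to any' > /etc/fw-script.sh`. The added NTPd section sets `restrict default ignore` but then lists the upstream servers with bare `restrict <host>` lines, which grants them full access; the usual form is `restrict ntp.ix.ru nomodify notrap nopeer noquery` (same for the other three). The `cat <<EOF >> /…` in the "Строка 40" hunk appends to a file whose path is truncated in this view; if it is loader.conf, rerunning the script duplicates the entries, so a `grep -q ipfw_load … ||` guard before the heredoc would keep the "works on first run" script idempotent.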
