wiki:freebsd:ipfw
wiki:freebsd:ipfw [2023/04/04 13:08] – Diman | wiki:freebsd:ipfw [2024/01/29 14:41] (текущий) – Diman | ||
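--- a/wiki:freebsd:ipfw
+++ b/wiki:freebsd:ipfw
@@ -1,1 +1,139 @@
 ====== Настройка ipfw на сервере FreeBSD. ======
+
+===== Включение ipfw без пересборки ядра =====
+==== Подготовка и настройка ОСи ====
+
+
+<code bash>
+# russian lang for root
+
+sysrc keymap="
+echo '# RUS'
+echo '
+
+pw usermod -n root -L russian
+
+echo '# RUS
+LANG=ru_RU.UTF-8
+export LANG
+MM_CHARSET=UTF-8
+export MM_CHARSET
+export EDITOR=/
+echo '
+
+
+
+pkg update && pkg upgrade
+
+pkg install -y mc nano rsync tmux bash htop bind-tools
+
+# replace bash for root
+chsh -s /
+
+
+
+
+</
+
+==== Включение ipfw ====
+
+<code bash>
+
+echo '# IPFW
+ipfw_load="
+ipfw_nat_load="
+firewall_logif="
+# PIPE + dummynet
+ipdivert_load="
+dummynet_load="
+ng_pipe_load="
+# SETFIB
+net.fibs="
+
+</
+
+==== Работающий в первый же запуск скрипт ipfw ====
+
+<code bash>
+echo '#
+
+cmd="/
+$cmd -f flush
+
+$cmd disable one_pass
+$cmd add allow all from any to any via lo0
+$cmd add deny all from any to 127.0.0.0/8
+$cmd add deny all from 127.0.0.0/8 to any
+$cmd add deny all from any to any frag
+
+# ssh
+$cmd table admin create missing
+$cmd table admin add 10.1.1.0/24
+$cmd table admin add 192.168.10.0/
+
+$cmd add check-state
+#$cmd add allow tcp from any to any established
+$cmd add allow all from any to any out keep-state
+
+$cmd add allow ip from "
+
+# Ping
+$cmd add allow icmp from "
+$cmd add allow icmp from me to "
+
+$cmd add allow all from any to any
+$cmd add deny log all from any to any' > /
+
+sysrc firewall_enable="
+sysrc firewall_script="/
+sysrc firewall_logging="
+
+</
+
+==== NTPd ====
+
+<code bash>
+# ntpd
+echo '# NTP
+
+server ntp.ix.ru iburst maxpoll 9 prefer
+server ntp2.aas.ru iburst maxpoll 9
+server 0.freebsd.pool.ntp.org iburst maxpoll 9
+server 1.freebsd.pool.ntp.org iburst maxpoll 9
+
+restrict default ignore
+
+restrict 127.0.0.1
+restrict ntp.ix.ru
+restrict ntp2.aas.ru
+restrict 0.freebsd.pool.ntp.org
+interface ignore wildcard
+interface listen igb0
+
+logfile /
+driftfile /
+' > /
+
+touch /
+touch /
+
+sysrc ntpd_enable="
+sysrc ntpdate_enable="
+sysrc ntpdate_hosts="
+sysrc ntpd_sync_on_start="
+
+service ntpd start
+
+</
+
+==== Включение NAT ====
+
+
+<code bash>
+
+sysrc gateway_enable="
+
+</
+
+
+===== fw =====
@@ -48,3 +186,52 @@
 #$cmd add allow tcp from any to me 443 in limit src-addr 80
 #$cmd add allow tcp from any to me 80 in limit src-addr 80
+
+# Ping
+$cmd add allow icmp from "
+$cmd add allow icmp from me to "
+
+# allow ping
+$cmd add allow icmp from me to any out icmptype 0,8
+$cmd add allow icmp from any to me in icmptype 0,8
+
+# NAT
+# ssh in
+$cmd add nat 1 tcp from any to any 22022 in via ${WAN}
+# TCP 163.172.255.167:
+$cmd add nat 1 tcp from ${ToIP} to ${IP} in via ${WAN}
+
+$cmd add nat 1 tcp from any to any 29000 in limit src-addr ${LIM} via ${WAN}
+$cmd add nat 1 tcp from any to any 29001 in limit src-addr ${LIM} via ${WAN}
+$cmd add nat 1 tcp from any to any 29002 in limit src-addr ${LIM} via ${WAN}
+$cmd add nat 1 tcp from any to any 29003 in limit src-addr ${LIM} via ${WAN}
+$cmd add nat 1 tcp from any to any 32550 in limit src-addr ${LIM} via ${WAN}
+
+# Собственно - редирект портов
+$cmd nat 1 config log if ${WAN} same_ports reset \
+redirect_port tcp ${ToIP}:22 22022 \
+redirect_port tcp ${ToIP}:
+redirect_port tcp ${ToIP}:
+redirect_port tcp ${ToIP}:
+redirect_port tcp ${ToIP}:
+redirect_port tcp ${ToIP}:
+
+
+#Deny TCP 46.160.11.108:
+$cmd add allow tcp from any to any 29000 in via ${WAN}
+
+# TCP 195.3.134.136:
+$cmd add nat 1 tcp from any to any out via ${WAN}
+
+# 188.191.23.31:
+$cmd add nat 1 ip from any to ${ToIP} 22 out via ${WAN}
+
+# TCP 51.159.5.135:
+$cmd add nat 1 ip from ${IP},
+#TCP 163.172.255.167:
+#$cmd add nat 1 ip from ${ToIP} 22 to any out via ${WAN}
+
+#
+# nat - debug
+# $cmd add nat 1 log tcp from any to any via ${WAN}
+#
 </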
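Review bot: In the first hunk the "first-run" ruleset places `$cmd add allow all from any to any` directly before `$cmd add deny log all from any to any`, so the logged deny can never match and the `admin` table built a few lines above restricts nothing; every inbound port on the host is reachable while this script is the active firewall_script. If keeping the host open until the fw section further down replaces this script is the intent, state it on the line, e.g. `# TEMP: open during bootstrap; superseded by the fw ruleset below`, otherwise drop the allow-all so the logged deny becomes the default. In the second hunk the ssh forward `$cmd add nat 1 tcp from any to any 22022 in via ${WAN}` is the only inbound forward without the `limit src-addr ${LIM}` that the 29000–32550 rules carry; `$cmd add nat 1 tcp from any to any 22022 in limit src-addr ${LIM} via ${WAN}` would give it the same per-source cap. `${WAN}`, `${ToIP}`, `${IP}` and `${LIM}` are assigned outside this hunk, and the fw script continues on both sides of it.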