FreeBSD ipfw Configuration Examples

Step # 1: Enabling IPFW

Open the /etc/rc.conf file:
# vi /etc/rc.conf
Append the following settings:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Save and close the file.

Step # 2: Write a Firewall Rule Script

You need to place the firewall rules in a script called /usr/local/etc/ipfw.rules:
# vi /usr/local/etc/ipfw.rules
Append the following code:

IPF="ipfw -q add"
ipfw -q -f flush

# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# deny and log everything
$IPF 500 deny log all from any to any

Save and close the file.

Step # 3: Start the firewall

You can reboot the box, or you can load these rules immediately by entering the following on the command line:
# sh /usr/local/etc/ipfw.rules

Task: List all the rules in sequence

Type the following command:
# ipfw list
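Before loading a rules file of the shape above, it is worth checking it offline for the mistakes that ipfw itself will not complain about: a rule without a number (ipfw auto-numbers it, so its position becomes unpredictable), two rules sharing a number, a keep-state rule that precedes check-state, or a ruleset that does not end in a logged catch-all deny. The following POSIX sh checker is an added example, not part of the original post; it assumes the file uses the post's `$IPF <number> ...` convention, and the two sample rulesets at the bottom are constructed for trying it out.

```shell
#!/bin/sh
# Added example: static checks for an ipfw rules script written in the
# "$IPF <number> <rule>" style, run against a copy of the file, not the kernel.

# check_ipfw_rules FILE: return 0 when all checks pass, 1 otherwise.
check_ipfw_rules() {
    file="$1"
    rc=0

    # Keep "<number> <rest>" from every $IPF line; drop the variable prefix.
    rules=$(sed -n 's/^[[:space:]]*\$IPF[[:space:]]\{1,\}//p' "$file")

    # 1. Every rule must carry a numeric rule number.
    bad=$(printf '%s\n' "$rules" | awk '$1 !~ /^[0-9]+$/ { print }')
    if [ -n "$bad" ]; then
        echo "unnumbered rule(s): $bad" >&2
        rc=1
    fi

    # 2. Rule numbers must be unique; two rules with the same number are
    #    both installed and their order depends on insertion, not the file.
    dups=$(printf '%s\n' "$rules" | awk '{ print $1 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate rule number(s): $dups" >&2
        rc=1
    fi

    # 3. check-state must have a lower number than the first keep-state rule,
    #    otherwise return packets of dynamic sessions never reach it.
    cs=$(printf '%s\n' "$rules" | awk '/check-state/ { print $1; exit }')
    ks=$(printf '%s\n' "$rules" | awk '/keep-state/ { print $1; exit }')
    if [ -n "$ks" ] && { [ -z "$cs" ] || [ "$cs" -ge "$ks" ]; }; then
        echo "check-state (rule ${cs:-missing}) must precede keep-state (rule $ks)" >&2
        rc=1
    fi

    # 4. The highest-numbered rule must be a logged catch-all deny.
    last=$(printf '%s\n' "$rules" | sort -n | tail -n 1)
    case "$last" in
        *" deny log all from any to any"*) ;;
        *) echo "last rule is not a logged catch-all deny: $last" >&2; rc=1 ;;
    esac

    return "$rc"
}

# Constructed sample (not the post's file): a ruleset that passes every check.
sample_good_rules() {
    cat <<'EOF'
IPF="ipfw -q add"
ipfw -q -f flush
$IPF 10 allow all from any to any via lo0
$IPF 50 check-state
$IPF 70 allow all from any to any out keep-state
$IPF 130 allow tcp from any to any 22 in
$IPF 500 deny log all from any to any
EOF
}

# Constructed sample with two defects: duplicate number 130, and the final
# rule is an allow rather than a logged deny.
sample_bad_rules() {
    cat <<'EOF'
IPF="ipfw -q add"
$IPF 10 allow all from any to any via lo0
$IPF 50 check-state
$IPF 70 allow all from any to any out keep-state
$IPF 130 allow tcp from any to any 22 in
$IPF 130 allow tcp from any to any 80 in
$IPF 500 allow all from any to any
EOF
}

# Usage: sh check_ipfw.sh /usr/local/etc/ipfw.rules
if [ $# -gt 0 ]; then
    check_ipfw_rules "$1"
fi
```

These checks cover ruleset logic only; for syntax, ipfw's own `-n` flag checks a command without passing it to the kernel, so `ipfw -n add 10 allow all from any to any via lo0` is the cheap way to validate an individual line before it goes into the script.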


Modify /etc/rc.conf
Append the following settings:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

/etc/rc.d/ipfw restart

For comparison, here is the iptables shell script used when initializing a Debian or CentOS system (it only opens port 22 (or whatever port SSH has been moved to) and port 80, plus established connections, ping, and so on):

#!/bin/bash
# Clear all existing rules and user-defined chains, then save and restart
# so the service starts from an empty ruleset.
iptables -F
iptables -X
/etc/rc.d/init.d/iptables save
service iptables restart

# Default policies: drop inbound and forwarded traffic, allow outbound.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Inbound services: SSH (moved from 22 to 19258 here) and HTTP.
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --dport 25158 -j ACCEPT
iptables -A INPUT -p tcp --dport 19258 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

# Let outside hosts ping this box
#iptables -A OUTPUT -p icmp -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Ping and other connections out to the Internet: accept the return traffic
# of established/related sessions in both directions.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS 53 (not needed here, since the OUTPUT policy is already ACCEPT)
#iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# Note: the "save" above ran before these rules were added, so they are not
# persisted by this script; run "service iptables save" afterwards if they
# should survive a reboot.
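Two details of the script above matter when it is run over SSH on a live box: the INPUT policy is switched to DROP before any ACCEPT rule exists, and there is no rule for the loopback interface, so with INPUT DROP any local service that talks to 127.0.0.1 is cut off. The generator below is an added example, not the post's script; it prints the equivalent ruleset with the SSH port as a parameter (the post moves SSH to 19258), puts the ESTABLISHED and loopback rules first, and sets the DROP policies last. It only writes commands to stdout, so it can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example: emit (do not apply) an iptables ruleset equivalent to the
# post's script, ordered so that applying it over SSH keeps the session alive.

# gen_iptables_rules SSH_PORT [WEB_PORT]
# Prints one iptables command per line; returns 1 on an invalid SSH port.
gen_iptables_rules() {
    ssh_port="$1"
    web_port="${2:-80}"

    # Reject a non-numeric or out-of-range port instead of emitting a broken rule.
    case "$ssh_port" in
        ''|*[!0-9]*) echo "invalid ssh port: $ssh_port" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "ssh port out of range: $ssh_port" >&2
        return 1
    fi

    # Start clean, but with an ACCEPT policy so nothing is dropped while the
    # rules are being re-added.
    printf '%s\n' \
        'iptables -P INPUT ACCEPT' \
        'iptables -F' \
        'iptables -X'

    # Return traffic of existing sessions (including the SSH session this runs
    # over) and the loopback interface, which the post's script never allows.
    printf '%s\n' \
        'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A INPUT -i lo -j ACCEPT'

    # New inbound connections: SSH on the chosen port, the web server, and ping.
    printf '%s\n' \
        "iptables -A INPUT -p tcp --dport $ssh_port -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport $web_port -j ACCEPT" \
        'iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT'

    # Default policies go last, once every ACCEPT rule is in place.
    printf '%s\n' \
        'iptables -P INPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -P OUTPUT ACCEPT'
}

# Usage: sh gen_rules.sh 19258 | less        (review first)
#        sh gen_rules.sh 19258 | sudo sh     (then apply)
if [ $# -gt 0 ]; then
    gen_iptables_rules "$@"
fi
```

Piping the output through `sh` applies it in the printed order; the `-P INPUT DROP` line is the last one to take effect, so the session the commands arrive over is already covered by the ESTABLISHED rule by then. Persistence is still a separate step (`service iptables save` on CentOS), exactly as with the original script.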
