Why is there no permission to sh the firewall rules remotely after ipfw is configured?

bleakwind:
When root runs sh on the firewall rules over a remote session, it reports: dev sshd: fatal: Write failed: Permission denied
Adding net.inet.ip.fw.default_to_accept="1" does not help either.
Compiling the kernel remotely also reports no permission.
Do the rules need something added?
My rules already include the following:
# Allow out FreeBSD root operate
$cmd 00150 allow tcp from me to any out via $oif setup $ks uid root
When remote root runs sh on the rules it prints the message above and the connection drops.

lsstarboy:
What do you mean by sh?
Also, isn't using that rule on a remote box asking for trouble? The server is the side that accepts connections, yet you wrote an outbound rule, and a tcp setup one at that. Is the server supposed to connect to you, or you to the server?

bleakwind:
lsstarboy posted on 2015-07-08 08:33
What do you mean by sh?
Also, isn't using that rule on a remote box asking for trouble? The server is the side that accepts connections, yet you wrote an outbound rule, and a tcp setup ...

sh means loading the firewall script, for example:
# sh /etc/ipfw.rules
I su to root over the remote session; how do I load the firewall script without being disconnected? What should I change? Below is my firewall script.

#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
ks="keep-state"
oif="em0"
odns1="202.96.134.133"
odns2="8.8.8.8"
# Change xl0 to LAN NIC interface name
$cmd 00005 allow all from any to any via xl0
# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0
# allows the packet through in dynamic rules table
$cmd 00100 check-state
# ------------------ IPFW Rules Priority ------------------
# Allow outbound SSH
$cmd 00110 allow tcp from any to any 22 out via $oif setup $ks
$cmd 00120 allow tcp from any to me 22 in via $oif setup limit src-addr 12
# Allow out FreeBSD root operate
$cmd 00150 allow tcp from me to any out via $oif setup $ks uid root
# ------------------ IPFW Rules System --------------------
# Allow access to public DNS
$cmd 00200 allow tcp from any to $odns1 53 out via $oif setup $ks
$cmd 00210 allow udp from any to $odns1 53 out via $oif $ks
$cmd 00220 allow tcp from any to $odns2 53 out via $oif setup $ks
$cmd 00230 allow udp from any to $odns2 53 out via $oif $ks
# Allow access to ISP's DHCP server for cable/DSL configurations
#$cmd 00300 allow log udp from any to any 67 out via $oif $ks
#$cmd 00310 allow udp from any to x.x.x.x 67 out via $oif $ks
#$cmd 00320 allow udp from any to x.x.x.x 67 in via $oif $ks
# Allow ping
$cmd 00400 allow icmp from any to any out via $oif $ks
$cmd 00410 allow icmp from any to any in via $oif $ks
# Allow NTP
$cmd 00420 allow tcp from any to any 37 out via $oif setup $ks
$cmd 00430 allow udp from any to any 123 out via $oif $ks
# ------------------ IPFW Rules Service -------------------
# Allow HTTP connections
$cmd 00500 allow tcp from any to any 80 out via $oif setup $ks
$cmd 00510 allow tcp from any to me 80 in via $oif setup limit src-addr 24
# Allow HTTPS connections
$cmd 00550 allow tcp from any to any 443 out via $oif setup $ks
$cmd 00560 allow tcp from any to me 443 in via $oif setup limit src-addr 24
# Allow out secure FTP
$cmd 00600 allow tcp from any to any 21 out via $oif setup $ks
$cmd 00610 allow tcp from any to me 21 in via $oif setup limit src-addr 12
# Allow in non-secure Telnet session from public Internet
$cmd 00650 allow tcp from any to me 23 in via $oif setup limit src-addr 12
# Allow outbound email connections
$cmd 00710 allow tcp from any to any 25 out via $oif setup $ks
$cmd 00720 allow tcp from any to any 110 out via $oif setup $ks
# Allow ident
#$cmd 00800 allow tcp from any to any 113 in via $oif setup $ks
# Allow out whois
$cmd 00810 allow tcp from any to any 43 out via $oif setup $ks
# Allow out nntp news (i.e., news groups)
#$cmd 00820 allow tcp from any to any 119 out via $oif setup $ks
# ------------------ IPFW Rules Deny ----------------------
# Deny all Netbios service. 137=name, 138=datagram, 139=session, 81=hosts2
$cmd 00910 deny tcp from any to any 137 in via $oif
$cmd 00920 deny tcp from any to any 138 in via $oif
$cmd 00930 deny tcp from any to any 139 in via $oif
$cmd 00940 deny tcp from any to any 81 in via $oif
# Deny any late arriving packets
$cmd 00950 deny all from any to any frag in via $oif
# Deny ACK packets that did not match the dynamic rule table
$cmd 00960 deny tcp from any to any established in via $oif
# deny and log all other outbound and incoming connections
$cmd 00991 deny log all from any to any out via $oif
$cmd 00992 deny log all from any to any in via $oif
# Everything else is denied by default
$cmd 00999 deny log all from any to any
lsstarboy, reply to #4 bleakwind:
1. ipfw.rule already starts with #!sh, so there is no need to run sh /etc/ipfw.rule on top of it.
2. To keep a rule reload from locking you out, either restart it on a schedule from crontab, or use set 31.
3. Where did you copy these rules from?

bleakwind:
lsstarboy posted on 2015-07-15 15:03
Reply to #4 bleakwind
1. ipfw.rule already starts with #!sh, so there is no need to run sh /etc/ipfw.rule on top of it.

The official handbook.

lsstarboy:
That is only an example; you have to adapt it to your own situation.

bleakwind (last edited by bleakwind on 2015-10-19 05:42):
lsstarboy posted on 2015-07-20 09:00
That is only an example; you have to adapt it to your own situation.

Where in that ruleset is something unreasonable?
Also, how is set 31 configured? Like this? Are there other ways?
ipfw -q add 00110 set 31 allow tcp from any to any 22 out via em0 setup keep-state
ipfw -q add 00120 set 31 allow tcp from any to me 22 in via em0 setup limit src-addr 12
ipfw -q add 00150 set 31 allow tcp from me to any out via em0 setup keep-state uid root

lsstarboy:
I suggest you first learn the protocols, then read the ipfw man page several more times, and only then configure the firewall; otherwise it is just copying by rote.
Even if I gave you the answer, what good would it do? Next time you would still be stuck, and besides, you are not even clear about your own requirements.

bleakwind:
lsstarboy posted on 2015-10-19 09:24
I suggest you first learn the protocols, then read the ipfw man page several more times, and only then configure the firewall; otherwise it is just copying by rote.
Even if I gave you the ans ...

The manual, including your translation of it, does not make clear when set number is meant to be used.
I worked it out by trial, and to keep a reload from creating duplicate rules I wrote a check; I am not sure whether it is right:
if [ -z "`ipfw -S list 00110`" ]; then
$cmd 00110 set 31 allow tcp from any to any 22 out via $oif setup $ks
fi
if [ -z "`ipfw -S list 00120`" ]; then
$cmd 00120 set 31 allow tcp from any to me 22 in via $oif setup limit src-addr 12
fi
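The reload problem discussed in this thread, as an added example that is neither bleakwind's script nor lsstarboy's exact suggestion: it keeps the two SSH rules in set 31 (which ipfw flush leaves alone, the property the set 31 advice relies on) and goes one step further by building the rest of the policy in a disabled staging set that is swapped into place with ipfw set swap, so the live ruleset is never empty and no flush is needed. IPFW, OIF, STAGE and the function names are assumptions; the rule skeleton mirrors the script above.

```shell
#!/bin/sh
# Reload an ipfw ruleset over SSH without dropping the session.
# Two safeguards, both from the set mechanism described in ipfw(8):
#   1. the SSH rules live in set 31, which 'ipfw -f flush' never removes;
#   2. the working ruleset is built in a disabled staging set and swapped
#      into set 0 in one step, so there is no moment with no rules loaded.
# Assumed names (not from the thread): IPFW, OIF, STAGE and the functions.

IPFW=${IPFW:-/sbin/ipfw}   # point this at a shim for a dry run
OIF=${OIF:-em0}
STAGE=${STAGE:-1}          # scratch set; 0 is live, 31 is reserved

fw() { "$IPFW" -q "$@"; }

# True when rule number $1 already sits in set 31 ('ipfw -S list' shows the set).
in_set31() { "$IPFW" -S list "$1" 2>/dev/null | grep -q '^[0-9]* set 31 '; }

# Lifeline rules: added once, kept in set 31 so a flush cannot remove them.
# keep-state/limit perform an implicit check-state, so an established session
# still matches while rule 100 (check-state) is being replaced.
ensure_ssh_lifeline() {
    in_set31 110 || fw add 110 set 31 allow tcp from any to any 22 out via "$OIF" setup keep-state
    in_set31 120 || fw add 120 set 31 allow tcp from any to me 22 in via "$OIF" setup limit src-addr 12
}

stage_add() { n=$1; shift; fw add "$n" set "$STAGE" "$@"; }

# Build the working policy in the staging set; only a skeleton is shown.
stage_ruleset() {
    fw set disable "$STAGE"                          # staged rules are not evaluated yet
    fw delete set "$STAGE" 2>/dev/null || true       # leftovers from an earlier attempt, if any
    stage_add 10  allow all from any to any via lo0
    stage_add 100 check-state
    stage_add 400 allow icmp from any to any out via "$OIF" keep-state
    stage_add 500 allow tcp from any to any 80 out via "$OIF" setup keep-state
    stage_add 960 deny tcp from any to any established in via "$OIF"
    stage_add 991 deny log all from any to any out via "$OIF"
    stage_add 992 deny log all from any to any in via "$OIF"
}

# Swap the staged set into place, then discard the old live rules (now parked in STAGE).
activate_ruleset() {
    fw set swap 0 "$STAGE"
    fw delete set "$STAGE" 2>/dev/null || true
}

reload() { ensure_ssh_lifeline && stage_ruleset && activate_ruleset; }

# Only act when asked, so sourcing the file for its functions is harmless.
if [ "${1:-}" = "apply" ]; then reload; fi
```

Run it as `sh reload.sh apply` from the remote root shell; with IPFW pointed at a shim that only echoes its arguments, the same file prints the exact ipfw commands it would issue.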