Introduction
After reading this howto, a FreeBSD stateful firewall setup is
completed for either your gateway or your workstation. This FreeBSD stateful
firewall setup allows traffic initiated by your workstation or network
to flow through, and denies traffic initiated from the outside. This
howto also sets up internet connection sharing with the other computers
on the network. This is done with natd and a traffic shaping
solution that ensures that each computer gets an equal share of the
available bandwidth. The traffic shaper is dynamic and is built from
dummynet pipes and queues. Finally, the functionality can be
extended with my other howtos. My goal was to write a howto
about creating traffic graphs with MRTG, IPA and IPFW, and I cut that
howto in two due to its size.
Why have firewall protection? Computers on the internet run the risk of
being damaged or hijacked. Firewall software is a very powerful tool in
fighting this. Having firewall software doesn't mean that you're safe.
You will still have to update your system in order to fix security bugs
and check for viruses, although the latter isn't much of a problem for
Unix-like computers at the time of writing.
Why do traffic shaping? Computers on the network can use the internet
connection so heavily that the idea of sharing the connection is
defeated. The NAT daemon still works for all computers, but the other
computers have to wait because of the load. Traffic shaping ensures
that each computer gets its fair share by dividing the bandwidth
equally. There are a couple of different traffic shaping
configurations. The first kind, a static traffic shaper, divides the
bandwidth among the computers on the network. The second kind, a
dynamic traffic shaper, divides the bandwidth among the computers that
are currently using the internet connection. Finally, a priority
traffic shaper gives one kind of traffic priority over another kind of
traffic. This howto contains a setup for a dynamic priority traffic
shaping solution that is implemented with the weighted round robin
algorithm of dummynet. This means the final traffic shaping solution is
not a real priority traffic shaper, but it comes very close to the real
thing.
Notes
This howto is written for IPFW2. If you use IPFW1, the ipfw firewall
rules may need to be rewritten. FreeBSD 5.0 and above use IPFW2 by
default. Lower versions use IPFW1, either as the default or because
IPFW2 isn't supported.
Summary
The FreeBSD firewall and the natd daemon are loaded by adding the following lines to /etc/rc.conf:
firewall_enable="YES"
firewall_quiet="NO"
firewall_type="/etc/firewall.conf"
firewall_flags="-p /usr/bin/cpp"
gateway_enable="YES"
natd_enable="YES"
natd_interface="xl1"
natd_flags=""
The configuration consists of three files, which you can download here and use. The main file,
firewall.conf, uses the variables defined in firewall.setup (needs to be
modified) to allow the same configuration file to be used in multiple
situations. It then calls firewall.users_config (needs to be modified if
you want to change the number of users), which in turn delegates some
ipfw firewall rules to firewall.user in order to reuse the ipfw firewall
rules it contains. These three files need to be copied to your /etc/
directory. Finally, a new kernel is created. This adds some optional
features (like diagnostic logging) that are not available by default. It
also builds certain features statically into the kernel, which gives a
slightly better response. This is done by adding the following lines to
the file /usr/src/sys/i386/conf/GENERIC.
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options DUMMYNET
And then compiling the kernel by executing these commands:
cd /usr/src
make buildkernel KERNCONF=GENERIC
make installkernel KERNCONF=GENERIC
reboot
Loading the FreeBSD firewall rules
The first step is loading the FreeBSD firewall rules. FreeBSD loads the
ipfw firewall rules during the boot process. It needs some information
in order to load them, and it looks for that information in
/etc/rc.conf. Open it and add the following lines.
firewall_enable="YES"
firewall_quiet="NO"
firewall_type="/etc/firewall.conf"
firewall_flags="-p /usr/bin/cpp"
The FreeBSD firewall setup is done during the next boot by loading the
ipfw firewall rules with the given flags. These particular flags tell
ipfw that the file should be pre-processed with the C preprocessor. The
C preprocessor, although written for a programming language, lets us
have easily configurable FreeBSD firewall rules (assuming I implemented
the required functionality in the file).
gateway_enable="YES"
natd_enable="YES"
natd_interface="ed1"
natd_flags=""
These lines have to be added if the FreeBSD firewall protection is
configured on a gateway. Without these lines, you will not be able to
use the internet connection. These lines configure your gateway into a
network address translation (NAT) router. The first tells the kernel
that packets may be passed between the interfaces. The other three cause
the NAT daemon to be loaded and configured on the external network
interface controller (NIC).
C preprocessor directives are pieces of code that manipulate the file(s)
before they are passed to IPFW. The FreeBSD firewall configuration
file(s) use the following five directives: include, define, ifdef, else
and endif. The include directive copies the contents of a file into the
place of the directive. From the point of view of the caller
(firewall.conf in our case), those contents appear to be part of the
file being read. The define directive defines a constant. The constant
is replaced with its value everywhere it is used; the one exception is
when it is used in directives like ifdef. That directive checks whether
a constant is defined or not. The text between ifdef and else is added
to the output if the constant is defined, and otherwise the text between
else and endif is added.
Configuring the FreeBSD firewall rules
The previous section explained that the FreeBSD firewall loads a
configuration file called firewall.conf. This FreeBSD firewall
configuration file actually uses three files to load the FreeBSD
firewall rules. The main script is firewall.conf. Some ipfw firewall
rules are loaded by calling firewall.user. It is out of the scope of
this howto to explain the workings of these two scripts. To make the
firewall easier to configure, it uses firewall.setup. Editing that file
is all that is required when you're fine with the default FreeBSD
firewall rules. These three files have to be downloaded into /etc/. This
can be done with the following commands.
cd /etc/
fetch http://alex.kruijff.org/files/FreeBSD/firewall.conf
fetch http://alex.kruijff.org/files/FreeBSD/firewall.users_config
fetch http://alex.kruijff.org/files/FreeBSD/firewall.user
fetch http://alex.kruijff.org/files/FreeBSD/firewall.setup
Having these FreeBSD firewall configuration files doesn't do much good
until they are filled with network information. This information needs
to be written down in firewall.setup with your editor. The required
information is which local services the computer has and how high the
available bandwidth is. The IP addresses in the configuration file have
the format IP address/netmask, where netmask is the number of 1 bits in
the mask.
Finally, there can be situations where this FreeBSD firewall setup
doesn't fully suit you (perhaps there are more than three users). I've
included an overview of the FreeBSD firewall rules for use during the
modifications. I would still advise you to read all three ipfw firewall
configuration files through once before making any changes.
Compiling the firewall into the kernel
The third and final step is to build a specialized kernel. This can be
skipped if a traffic shaping solution is not required; make sure that
NO_TRAFFIC_SHAPER is defined in firewall.setup if you decide to skip
this section. Before we go on, a note on the scope of this section: it
is limited. More information can be found in the section Configuring
the FreeBSD Kernel of the FreeBSD handbook.
The first step is to open the kernel configuration file (the default
for the i386 architecture is /usr/src/sys/i386/conf/GENERIC) and add
the following lines to it. The purpose of most of them will be clear,
except maybe DUMMYNET, which refers to the code needed for the traffic
shaper features.
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options DUMMYNET
I have added the IPFIREWALL_DEFAULT_TO_ACCEPT option because this
reduces the chance of locking myself out when I'm experimenting with my
FreeBSD firewall software. This doesn't relieve you from being near the
console, because locking yourself out is still possible. With this
option the kernel passes all packets when no rule matches (for instance
when the rule set fails to load), so it can be removed in order to
increase the security of the FreeBSD firewall.
A new kernel needs to be compiled and installed when this is done. Your
working directory must be /usr/src, and you should check whether an
error has occurred after each command. If this is the case, abort the
procedure and look through the kernel configuration to see if you
commented out something that is required. If there are no error
messages, the computer can be rebooted.
cd /usr/src
make buildkernel KERNCONF=GENERIC
make installkernel KERNCONF=GENERIC
reboot
The new kernel can be tested with the following commands. Each will
either print a confirmation line or no line at all. If, on the other
hand, your kernel installation wasn't successful, an error message like
"ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Protocol not available" is
printed. Run the following commands:
/sbin/ipfw add divert natd ip from any to any
/sbin/ipfw add 1 count log ip from any to any
/sbin/ipfw pipe 1 config bw 100Kbit/s
/sbin/ipfw queue 1 config queue 96KByte weight 100 pipe 1 mask all
(Note: the second command won't give an error on its own. Instead,
check that the file /var/log/security contains the ipfw logging.)
Final notes
Using firewall protection is important because it provides powerful
security that gives protection from attacks. Everyone should have one
on each computer.
I didn't go into detail about this FreeBSD firewall setup and it may not
be fully to your liking. However, I hope I've given enough guidance and
support for you to make some changes yourself.
In addition, I would like to encourage you to contact me if you have
questions or feedback about this howto. I can be contacted through the
feedback link on top.
This article comes from the ChinaUnix blog; to read the original, visit: http://blog.chinaunix.net/u/8111/showart_520140.html