1.下载后解包、安装
# gunzip -cd ip_fil3.4.28.tar.gz | tar xvf -
# cd ip_fil3.4.28
# make solaris    （注意：必须使用 Solaris 自带的 make，不能用 GNU make 来编译）
# cd SunOS5
# make package
ipf 软件会被安装在 /opt/ipf 目录下，并同时在 /etc/opt/ipf 目录生成一个空的规则文件 ipf.conf（第 7 步的启动脚本也是从 /etc/opt/ipf 读取 ipf.conf、ipf6.conf 和 ipnat.conf 的）
2.网络结构:
DMZ:10.0.0.0/8
PRIVATE:172.16.0.0/16（注意：原文此处写作 /24，但下面 ipf.conf 中的 `172.16.0.0/16`、`0xffff0000` 掩码以及 ipnat.rules 中的 `map sppp0 172.16.0.0/16` 都是按 /16 处理的，两处必须一致；若内网确实是 /24，应同步修改规则中的地址和掩码）
INTERNET:由 ISP 提供（本例中外网接口为 sppp0，地址为 218.108.173.134）
3.Ipfilter可以分为两个模块:网络地址转换(network address translator)简称NAT,和数据包过滤器(packet filter)。第一个是用于伪装(隐藏单个外部IP地址后面的内部IP地址)和重定向主机和端口之间的数据包。包过滤器会检查被NAT修改过的数据包是否可以允许通过防火墙后的网络。
NAT与应用程序代理工作在TCP/IP的不同层次上,前者的好处是对应用程序基本透明,后者的好处是能够进行基于内容的过滤,但是需要应用程序支持代理并进行正确的设置,并且系统开销比较大,对服务器的配置要求比较高。
4. vi ipf.conf
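#
# ipf.conf -- IP Filter 3.4 rule set for a three-legged firewall:
#   sppp0  external link (ISP-assigned address, here 218.108.173.134)
#   elxl0  DMZ, 10.0.0.0/8, firewall address 10.0.0.1
#   elxl1  private LAN, 172.16.0.0/16, firewall address 172.16.0.1
#
# Rule semantics to keep in mind: ipf evaluates the whole list and the
# LAST matching rule decides, unless a matching rule carries "quick",
# which ends evaluation at once.  The unconditional "pass in/out from any
# to any" rules at the very end of this file therefore override every
# earlier rule that is not "quick" -- so the per-interface anti-spoofing
# blocks below are all marked "log quick"; without that they would match
# and then be overridden, i.e. never take effect.
#
# The following routes should be configured, if not already:
#
# route add 10.0.0.1 localhost 0
# route add 172.16.0.1 localhost 0
#
# Drop (and log) packets carrying IP options and TCP fragments too short
# to hold a full header -- both are classic filter-evasion tricks.
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
#
# --- sppp0 (external) ---------------------------------------------------
# Outbound: never leak loopback addresses, and never send packets
# addressed to our own external address out the external link.
pass out on sppp0 all head 150
block out log quick from 127.0.0.0/8 to any group 150
block out log quick from any to 127.0.0.0/8 group 150
block out log quick from any to 218.108.173.134/32 group 150
# Inbound anti-spoofing: packets arriving from the Internet must not claim
# a loopback, our own external, a DMZ (10/8) or a private (172.16/16)
# source address.  "addr/0xMASK" is the ipf notation for address+netmask.
pass in on sppp0 all head 100
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 218.108.173.134/32 to any group 100
block in log quick from 10.0.0.1/0xff000000 to any group 100
block in log quick from 172.16.0.1/0xffff0000 to any group 100
#
# --- elxl0 (DMZ, 10.0.0.0/8) -------------------------------------------
pass out on elxl0 all head 350
block out log quick from 127.0.0.0/8 to any group 350
block out log quick from any to 127.0.0.0/8 group 350
block out log quick from any to 10.0.0.1/32 group 350
# Inbound from the DMZ: no loopback, no claim to be the firewall's own DMZ
# address, nothing from the external /24 and nothing from the private LAN.
pass in on elxl0 all head 300
block in log quick from 127.0.0.0/8 to any group 300
block in log quick from 10.0.0.1/32 to any group 300
block in log quick from 218.108.173.134/0xffffff00 to any group 300
block in log quick from 172.16.0.1/0xffff0000 to any group 300
#
# --- elxl1 (private LAN, 172.16.0.0/16) ---------------------------------
pass out on elxl1 all head 450
block out log quick from 127.0.0.0/8 to any group 450
block out log quick from any to 127.0.0.0/8 group 450
block out log quick from any to 172.16.0.1/32 group 450
pass in on elxl1 all head 400
block in log quick from 127.0.0.0/8 to any group 400
block in log quick from 172.16.0.1/32 to any group 400
block in log quick from 218.108.173.134/0xffffff00 to any group 400
block in log quick from 10.0.0.1/0xff000000 to any group 400
#
# Stateful egress from the private LAN to the Internet.  The replies to
# these connections are admitted through the state table, so no explicit
# inbound rule is needed for them.
pass out quick on sppp0 proto tcp from 172.16.0.0/16 to any keep state
pass out quick on sppp0 proto udp from 172.16.0.0/16 to any keep state
pass out quick on sppp0 proto icmp from 172.16.0.0/16 to any keep state
#
# ICMP arriving from the Internet: accept echo replies, refuse redirects
# and everything else.  (The catch-all already covers echo requests, so a
# separate "icmp-type echo" block after it would never be reached.)
pass in quick on sppp0 proto icmp from any to any icmp-type echorep
block in quick on sppp0 proto icmp from any to any icmp-type redir
block in quick on sppp0 proto icmp from any to any
#
# Default verdict for everything not decided above: pass.
# NOTE(review): this leaves every non-ICMP port on the firewall itself
# and on the DMZ reachable from the Internet; if that is not intended,
# replace these two rules with "block in log all" / "block out log all"
# and add explicit per-service pass rules.
pass in from any to any
pass out from any to any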
5. vi /etc/opt/ipf/ipnat.rules
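# ipnat.rules -- NAT for the private LAN (172.16.0.0/16) out through sppp0.
# "0/32" means "use whatever address sppp0 currently has", which is what a
# dynamically assigned ISP address needs.  Order matters: the first
# matching NAT rule is used, so the FTP proxy and the portmap rule must
# come before the generic map rule.
map sppp0 172.16.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map sppp0 172.16.0.0/16 -> 0/32 portmap tcp/udp 10000:40000
map sppp0 172.16.0.0/16 -> 0/32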
6. vi /etc/rc2.d/S66ipf（说明：第 7 步的 S65ipfboot 自己会在 /etc/opt/ipf/ipnat.conf 存在时加载它；这里 NAT 规则放在 ipnat.rules 中，所以要靠这个单独的脚本来装载。也可以直接把文件命名为 ipnat.conf 而省去本步骤，但不要两者都保留。）
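#!/bin/sh
# /etc/rc2.d/S66ipf -- install the NAT rules once S65ipfboot has loaded the
# ipf module.  -C empties the current NAT rule list and -F empties the
# active NAT table, so the file replaces (rather than appends to) whatever
# was loaded before.  The rc argument ($1) is deliberately ignored: this
# script only ever loads.
/sbin/ipnat -CF -f /etc/opt/ipf/ipnat.rules
if [ $? != 0 ]; then
    echo "$0: load of /etc/opt/ipf/ipnat.rules failed" >&2
    exit 1
fi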
7.vi /etc/rc2.d/S65ipfboot
#!/bin/sh
#
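# Handles this script acts on:
#   $id  -- kernel module id of an already-loaded ipf (empty if none)
#   $pid -- the running ipmon, from its PID file when that exists,
#           otherwise from the process table
PIDFILE=/etc/opt/ipf/ipmon.pid
id=`/usr/sbin/modinfo 2>&1 | awk '/ipf/ { print $1 } ' - 2>/dev/null`
pid=
if [ -f "$PIDFILE" ] ; then
    pid=`cat "$PIDFILE" 2>/dev/null`
    # Guard against a stale PID file: keep the number only if it is numeric
    # and still names an ipmon process, otherwise "stop"/"start" would send
    # SIGTERM to whatever unrelated process has since reused that PID.
    case "$pid" in
        ''|*[!0-9]*) pid= ;;
        *) /bin/ps -p "$pid" -o comm= 2>/dev/null | grep ipmon >/dev/null || pid= ;;
    esac
fi
if [ -z "$pid" ] ; then
    pid=`/bin/ps -e 2>&1 | awk '/ipmon/ { print $1 } ' - 2>/dev/null`
fi
PATH=${PATH}:/sbin:/opt/ipf/bin
# Rule files; each is optional and a missing one simply skips that step.
IPFILCONF=/etc/opt/ipf/ipf.conf
IP6FILCONF=/etc/opt/ipf/ipf6.conf
IPNATCONF=/etc/opt/ipf/ipnat.conf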
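#######################################
# Work around a kernel whose ipf was built with "Default: block": flush
# every rule, then install just enough to let this host query its DNS
# servers while the real rule set is being loaded.
# Globals:   reads /etc/resolv.conf; runs ipf, route and ifconfig
# Arguments: none
# Outputs:   a progress line on stdout; one rule per reachable name server
#            fed to "ipf -f -"
# Returns:   status of the last command run (not meaningful to callers)
#######################################
block_default_workaround() {
    ipf -F a
    echo "constructing minimal name resolution rules..."
    NAMESERVERS=`cat /etc/resolv.conf 2>/dev/null | \
        nawk '/nameserver/ {printf "%s ", $2}' 2>/dev/null`
    if [ -z "$NAMESERVERS" ] ; then
        return
    fi
    for NS in $NAMESERVERS ; do
        # The interface the routing table uses to reach this server ...
        IF_TO_NS=`/usr/sbin/route -n get "$NS" 2>/dev/null | \
            nawk '$1 == "interface:" { print $NF ; exit }' 2>/dev/null`
        if [ -z "$IF_TO_NS" ] ; then
            continue
        fi
        # ... and our own address on it, taken from the second line of
        # ifconfig output ("inet A.B.C.D netmask ...").
        IP_TO_NS=`ifconfig "$IF_TO_NS" 2>/dev/null | \
            nawk 'NR == 2 { print $2 ; exit }' 2>/dev/null`
        if [ -z "$IP_TO_NS" ] ; then
            continue
        fi
        # Stateful, so the reply from port 53 is admitted through the state
        # table and no inbound rule is required.
        echo "pass out quick on $IF_TO_NS proto udp from $IP_TO_NS to $NS port = 53 keep state" | \
            ipf -f -
    done
}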
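case "$1" in
start)
    # Start from a clean slate: stop a running ipmon and unload an already
    # loaded module before loading it again.
    if [ x"$pid" != x ] ; then
        kill -TERM $pid 2>/dev/null
    fi
    if [ x"$id" != x ] ; then
        modunload -i "$id" 2>/dev/null
    fi
    modload /usr/kernel/drv/ipf
    if [ -r ${IPFILCONF} ]; then
        # A kernel built to block by default has no working rules right
        # after modload; give it the minimal DNS rules first.  nawk exits 1
        # when "ipf -V" reports "Default: pass", so the branch runs only for
        # a block-by-default kernel.
        if /sbin/ipf -V | nawk '$1 == "Default:" && $2 == "pass" { exit 1 }' ; then
            block_default_workaround
        fi
        # Load into the inactive set (-I) and swap it in (-s): the old rules
        # stay in force until the new set has loaded completely.
        ipf -IFa -f ${IPFILCONF}
        if [ $? != 0 ]; then
            echo "$0: load of ${IPFILCONF} into alternate set failed" >&2
        else
            ipf -s
        fi
    fi
    ipf -y
    if [ -r ${IP6FILCONF} ]; then
        # The IPv6 rules are test-loaded into the inactive set first; only if
        # that parses cleanly are they loaded into the active set.
        ipf -IFa -6f ${IP6FILCONF}
        if [ $? != 0 ]; then
            echo "$0: load of ${IP6FILCONF} into alternate set failed" >&2
        else
            ipf -IF a
            ipf -6f ${IP6FILCONF}
        fi
    fi
    if [ -r ${IPNATCONF} ]; then
        ipnat -CF -f ${IPNATCONF}
        if [ $? != 0 ]; then
            echo "$0: load of ${IPNATCONF} failed" >&2
        fi
    fi
    # Log daemon: -D detaches, -s sends to syslog.
    ipmon -Ds
    ;;
stop)
    # Note that unloading the module removes all filtering and NAT; the host
    # is unprotected until "start" runs again.
    if [ x"$pid" != x ] ; then
        kill -TERM $pid
    fi
    if [ x"$id" != x ] ; then
        modunload -i "$id"
    fi
    ;;
reload)
    # Same inactive-set-then-swap sequence as "start", plus the NAT rules.
    if [ -r ${IPFILCONF} ]; then
        ipf -I -Fa -f ${IPFILCONF}
        if [ $? != 0 ]; then
            echo "$0: reload of ${IPFILCONF} into alternate set failed" >&2
        else
            ipf -s
        fi
    fi
    if [ -r ${IPNATCONF} ]; then
        ipnat -CF -f ${IPNATCONF}
        if [ $? != 0 ]; then
            echo "$0: reload of ${IPNATCONF} failed" >&2
        fi
    fi
    ;;
reipf)
    # Reload the filter rules only; NAT is left untouched.
    if [ -r ${IPFILCONF} ]; then
        ipf -I -Fa -f ${IPFILCONF}
        if [ $? != 0 ]; then
            echo "$0: reload of ${IPFILCONF} into alternate set failed" >&2
        else
            ipf -s
        fi
    fi
    ;;
*)
    echo "Usage: $0 (start|stop|reload|reipf)" >&2
    exit 1
    ;;
esac
exit 0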