免费注册 查看新帖 |

ChinaUnix.net

  平台 论坛 博客 文库
最近访问板块 发新帖
查看: 2683 | 回复: 3

freebsd9.1 防火墙不生效问题求解 ipfw.rule [复制链接]

论坛徽章:
0
发表于 2013-07-22 16:47 |显示全部楼层

个人pc机器安装freebsd9.0  服务器正常运行 跑着wordpress博客 ,我添加一条指令
ipfw add 10001 deny all from 192.168.1.6 to any

ipfw show 显示这条规则 ,防火墙正常运行
本人用192.168.1.6这台电脑还是可以访问服务器,也可操作, 求指点




/etc/ipfw.rule文件内容如下

#!/bin/sh
ipfw -q -f flush
IPF="ipfw -q add"
ip="192.168.1.251"
ipfw -q -f flush
pif="em0"
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 15 allow all from $ip to any via $pif
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

#statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
#$IPF 80 allow icmp from 192.168.3.0/24 to any via $pif
# open port ftp (21,22), ssh (22), mail (25)

#http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow tcp from any to any 53 in
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in setup limit src-addr 150
$IPF 210 allow tcp from any to any 80 out
$IPF 211 allow tcp from any to any 3306 in
$IPF 212 allow tcp from any to any 3306 out
$IPF 213 allow tcp from any to any 1186 in
$IPF 214 allow tcp from any to any 1186 out
$IPF 215 allow tcp from any to any 11211
$IPF 220 allow tcp from any to any 10000-65535 in
$IPF 221 allow tcp from any to any 10000-65535 out

$IPF 320 deny tcp from any to any 137 in via $pif
$IPF 321 deny tcp from any to any 138 in via $pif
$IPF 322 deny tcp from any to any 139 in via $pif
$IPF 323 deny tcp from any to any 81 in via $pif

$IPF 400 allow udp from $ip to any
$IPF 401 allow icmp from any to $ip
$IPF 402 allow icmp from $ip to any 8
$IPF 403 allow icmp from $ip to any 0
$IPF 404 allow icmp from $ip to any 11
$IPF 405 allow icmp from $ip to any 3

#$IPF 800 pipe 1 ip from 192.168.3.10 to any in
#$IPF 900 pipe 2 ip from any to 192.168.3.10 out
#ipfw pipe 1 config bw 200Kbit/s queue 150Kbit
#ipfw pipe 2 config bw 300Kbit/s queue 20

# deny and log everything
$IPF 500 deny log all from any to any


开机启动文件rc.conf 防火墙文件如下

firewall_enable="YES"
firewall_script="/etc/ipfw.rule"
firewall_quiet="NO"
#open ipfw function


论坛徽章:
0
发表于 2013-07-22 18:53 |显示全部楼层
ipfw list 贴完整的信息出来看下!直接贴配置看不出你系统实际生效的规则是什么样子的!有可能是在你的10001 rule前面有其他的rule给pass了!

论坛徽章:
0
发表于 2013-07-23 10:21 |显示全部楼层
回复 2# cyc_828

你好  这是我的 ipfw list显示的规则

    root@192:/root # ipfw list
00010 allow ip from any to any via lo0
00015 allow ip from 192.168.1.251 to any via em0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00110 allow tcp from any to any dst-port 21 in
00120 allow tcp from any to any dst-port 21 out
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
00150 allow tcp from any to any dst-port 25 in
00160 allow tcp from any to any dst-port 25 out
00170 allow tcp from any to any dst-port 53 in
00185 allow tcp from any to any dst-port 53 out
00200 allow tcp from any to any dst-port 80 in setup limit src-addr 150
00210 allow tcp from any to any dst-port 80 out
00211 allow tcp from any to any dst-port 3306 in
00212 allow tcp from any to any dst-port 3306 out
00213 allow tcp from any to any dst-port 1186 in
00214 allow tcp from any to any dst-port 1186 out
00215 allow tcp from any to any dst-port 11211
00220 allow tcp from any to any dst-port 10000-65535 in
00221 allow tcp from any to any dst-port 10000-65535 out
00320 deny tcp from any to any dst-port 137 in via em0
00321 deny tcp from any to any dst-port 138 in via em0
00322 deny tcp from any to any dst-port 139 in via em0
00323 deny tcp from any to any dst-port 81 in via em0
00400 allow udp from 192.168.1.251 to any
00401 allow icmp from any to 192.168.1.251
00402 allow icmp from 192.168.1.251 to any dst-port 8
00403 allow icmp from 192.168.1.251 to any dst-port 0
00404 allow icmp from 192.168.1.251 to any dst-port 11
00405 allow icmp from 192.168.1.251 to any dst-port 3
00500 deny log logamount 10 ip from any to any
10001 deny ip from 192.168.1.6 to any
10001 deny ip from 192.168.1.6 to 192.168.1.251
10001 deny ip from 192.168.1.6 to 192.168.1.251
10001 deny ip from any to any
10001 deny ip from any to any
65535 deny ip from any to any

论坛徽章:
0
发表于 2013-07-23 10:31 |显示全部楼层
回复 2# cyc_828


    一句惊醒啊 醍醐灌顶啊  
您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

基于案例的 SQL 优化实战训练营

讲师:中电福富特级专家梁敬彬,参与本次课程培训,你将收获:
1. 能编写出较为高效的 SQL;
2. 能解决70%以上的数据库常见优化问题;
3. 能得到老师提供的高效的相关工具和解决方案;
4. 能举一反三,收获不仅仅是 SQL 优化。
现在购票享受8.8折优惠!
----------------------------------------
优惠时间:2019年3月20日前

大会官网>>
  

北京盛拓优讯信息技术有限公司. 版权所有 16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122
中国互联网协会会员  联系我们:huangweiwei@it168.com
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP