ChinaUnix forum
FreeBSD 9.1: firewall rule not taking effect, need help (ipfw.rule)

Post #1, 2013-07-22 16:47

I installed FreeBSD 9.0 on a personal PC; the server runs fine with a WordPress blog on it. I added this one command:
ipfw add 10001 deny all from 192.168.1.6 to any

ipfw show displays this rule and the firewall is running normally,
but from this computer at 192.168.1.6 I can still reach the server and use it. Please advise.




The contents of /etc/ipfw.rule are as follows:

#!/bin/sh
# ipfw evaluates rules in ascending number order; the first match wins.
ipfw -q -f flush
IPF="ipfw -q add"
ip="192.168.1.251"
pif="em0"
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 15 allow all from $ip to any via $pif
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
#$IPF 80 allow icmp from 192.168.3.0/24 to any via $pif
# open ports: ftp (21), ssh (22), mail (25),
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow tcp from any to any 53 in
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in setup limit src-addr 150
$IPF 210 allow tcp from any to any 80 out
$IPF 211 allow tcp from any to any 3306 in
$IPF 212 allow tcp from any to any 3306 out
$IPF 213 allow tcp from any to any 1186 in
$IPF 214 allow tcp from any to any 1186 out
$IPF 215 allow tcp from any to any 11211
$IPF 220 allow tcp from any to any 10000-65535 in
$IPF 221 allow tcp from any to any 10000-65535 out

$IPF 320 deny tcp from any to any 137 in via $pif
$IPF 321 deny tcp from any to any 138 in via $pif
$IPF 322 deny tcp from any to any 139 in via $pif
$IPF 323 deny tcp from any to any 81 in via $pif

$IPF 400 allow udp from $ip to any
$IPF 401 allow icmp from any to $ip
$IPF 402 allow icmp from $ip to any 8
$IPF 403 allow icmp from $ip to any 0
$IPF 404 allow icmp from $ip to any 11
$IPF 405 allow icmp from $ip to any 3

#$IPF 800 pipe 1 ip from 192.168.3.10 to any in
#$IPF 900 pipe 2 ip from any to 192.168.3.10 out
#ipfw pipe 1 config bw 200Kbit/s queue 150Kbit
#ipfw pipe 2 config bw 300Kbit/s queue 20

# deny and log everything
$IPF 500 deny log all from any to any


The firewall section of the startup file rc.conf is as follows:

firewall_enable="YES"
firewall_script="/etc/ipfw.rule"
firewall_quiet="NO"
# enable ipfw


Post #2, 2013-07-22 18:53
Post the complete output of ipfw list so we can see it! Pasting the config alone doesn't show what rules are actually in effect on your system. Most likely some rule ahead of your 10001 rule is already passing the traffic!

Post #3, 2013-07-23 10:21
Reply to #2 cyc_828

Hi, here are the rules shown by my ipfw list:

root@192:/root # ipfw list
00010 allow ip from any to any via lo0
00015 allow ip from 192.168.1.251 to any via em0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00110 allow tcp from any to any dst-port 21 in
00120 allow tcp from any to any dst-port 21 out
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
00150 allow tcp from any to any dst-port 25 in
00160 allow tcp from any to any dst-port 25 out
00170 allow tcp from any to any dst-port 53 in
00185 allow tcp from any to any dst-port 53 out
00200 allow tcp from any to any dst-port 80 in setup limit src-addr 150
00210 allow tcp from any to any dst-port 80 out
00211 allow tcp from any to any dst-port 3306 in
00212 allow tcp from any to any dst-port 3306 out
00213 allow tcp from any to any dst-port 1186 in
00214 allow tcp from any to any dst-port 1186 out
00215 allow tcp from any to any dst-port 11211
00220 allow tcp from any to any dst-port 10000-65535 in
00221 allow tcp from any to any dst-port 10000-65535 out
00320 deny tcp from any to any dst-port 137 in via em0
00321 deny tcp from any to any dst-port 138 in via em0
00322 deny tcp from any to any dst-port 139 in via em0
00323 deny tcp from any to any dst-port 81 in via em0
00400 allow udp from 192.168.1.251 to any
00401 allow icmp from any to 192.168.1.251
00402 allow icmp from 192.168.1.251 to any dst-port 8
00403 allow icmp from 192.168.1.251 to any dst-port 0
00404 allow icmp from 192.168.1.251 to any dst-port 11
00405 allow icmp from 192.168.1.251 to any dst-port 3
00500 deny log logamount 10 ip from any to any
10001 deny ip from 192.168.1.6 to any
10001 deny ip from 192.168.1.6 to 192.168.1.251
10001 deny ip from 192.168.1.6 to 192.168.1.251
10001 deny ip from any to any
10001 deny ip from any to any
65535 deny ip from any to any
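The listing above makes the diagnosis from post #2 concrete: ipfw walks rules in ascending number order and the first match decides, so a SYN from 192.168.1.6 to port 22 is accepted by rule 00130, any packet with ACK set is accepted by rule 00060 (established), and everything else is dropped by rule 00500 (deny ip from any to any). Rule 10001 sits after all of them and can never be reached. The following simulator is an added example, not code from the thread or from FreeBSD: it replays a constructed subset of the posted ipfw list against three packets from 192.168.1.6, then again with the same deny inserted as rule 5 (the rule number is an illustrative choice). It models only stateless matching: check-state never matches here, and keep-state/limit create no dynamic entries.

```python
"""Simplified first-match simulation of an ipfw ruleset.

Added example, not from the original thread. Only the stateless part of
ipfw matching is modelled: check-state never matches, keep-state / limit
create no dynamic entries, and only the keywords parsed below are honoured.
"""
import ipaddress

# Constructed subset of the `ipfw list` output posted in the thread.
IPFW_LIST = """\
00010 allow ip from any to any via lo0
00015 allow ip from 192.168.1.251 to any via em0
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00130 allow tcp from any to any dst-port 22 in
00200 allow tcp from any to any dst-port 80 in setup limit src-addr 150
00500 deny log logamount 10 ip from any to any
10001 deny ip from 192.168.1.6 to any
65535 deny ip from any to any
"""


def parse_rule(line):
    """Parse one `ipfw list` line into a dict (subset of the real grammar)."""
    tok = line.split()
    rule = {"num": int(tok[0]), "action": tok[1], "proto": None, "src": "any",
            "dst": "any", "dst_port": None, "direction": None, "via": None,
            "flags": set()}
    if rule["action"] == "check-state":
        return rule
    i = 2
    if tok[i] == "log":  # "log [logamount N]" is not a match criterion
        i += 3 if i + 1 < len(tok) and tok[i + 1] == "logamount" else 1
    rule["proto"] = tok[i]
    rule["src"], rule["dst"] = tok[i + 2], tok[i + 4]  # "from SRC to DST"
    i += 5
    while i < len(tok):
        t = tok[i]
        if t == "dst-port":
            lo, _, hi = tok[i + 1].partition("-")
            rule["dst_port"] = (int(lo), int(hi or lo))
            i += 2
        elif t in ("in", "out"):
            rule["direction"] = t
            i += 1
        elif t == "via":
            rule["via"] = tok[i + 1]
            i += 2
        elif t in ("established", "setup", "frag"):
            rule["flags"].add(t)
            i += 1
        elif t == "limit":  # "limit src-addr N" is stateful: ignored here
            i += 3
        else:               # keep-state and anything else: ignored here
            i += 1
    return rule


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Does this static rule match the packet? Dynamic state is not modelled."""
    if rule["action"] == "check-state":
        return False
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    if rule["dst_port"] and not rule["dst_port"][0] <= pkt["dport"] <= rule["dst_port"][1]:
        return False
    if rule["direction"] and rule["direction"] != pkt["direction"]:
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    flags = pkt["tcp_flags"]
    if "established" in rule["flags"] and not (flags & {"ack", "rst"}):
        return False
    if "setup" in rule["flags"] and ("syn" not in flags or "ack" in flags):
        return False
    if "frag" in rule["flags"] and not pkt["frag"]:
        return False
    return True


def first_match(rules, pkt):
    """ipfw semantics: the first matching rule decides; later rules never run."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    return 65535, "deny"  # default rule when nothing else matches


def packet(proto, src, dst, dport, direction, tcp_flags=(), frag=False):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "direction": direction,
            "iface": "em0", "tcp_flags": set(tcp_flags), "frag": frag}


def evaluate():
    """Trace three packets from 192.168.1.6 through the posted ruleset, then
    through the same ruleset with the deny placed ahead of every allow."""
    rules = [parse_rule(l) for l in IPFW_LIST.splitlines()]
    fixed = [parse_rule("00005 deny ip from 192.168.1.6 to any")] + rules  # assumed fix
    ssh_syn = packet("tcp", "192.168.1.6", "192.168.1.251", 22, "in", tcp_flags={"syn"})
    http_ack = packet("tcp", "192.168.1.6", "192.168.1.251", 80, "in", tcp_flags={"ack"})
    udp_in = packet("udp", "192.168.1.6", "192.168.1.251", 12345, "in")
    return {
        "ssh_syn": first_match(rules, ssh_syn),        # (130, 'allow'): rule 130 wins
        "http_ack": first_match(rules, http_ack),      # (60, 'allow'): 'established' wins
        "udp_in": first_match(rules, udp_in),          # (500, 'deny'): 10001 never reached
        "ssh_syn_fixed": first_match(fixed, ssh_syn),  # (5, 'deny')
    }


if __name__ == "__main__":
    for name, (num, action) in evaluate().items():
        print(f"{name:14s} -> rule {num:05d} {action}")
```

The practical fix is the same as the simulated one: give the deny a number lower than every allow (and lower than check-state, so an existing session of that host is not kept alive by dynamic rules), for example `ipfw add 5 deny ip from 192.168.1.6 to any`, or put the line near the top of /etc/ipfw.rule and reload. `ipfw -d list` shows the dynamic entries created by keep-state alongside the static rules when checking what is really in effect.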

Post #4, 2013-07-23 10:31
Reply to #2 cyc_828


One sentence woke me up; it all makes sense now.