lsstarboy posted on 2015-07-08 08:33
What does sh mean?
Also, using that rule on a remote box, isn't that asking for trouble? The server itself is the accepting side; you wrote an outbound rule, and a TCP setup one at that ...
sh loads the firewall script, for example:
# sh /etc/ipfw.rules
I su to root over a remote connection; how can I load the firewall script without the session being dropped? What should I change? Here is my firewall script.

```sh
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
ks="keep-state"
oif="em0"
odns1="202.96.134.133"
odns2="8.8.8.8"
# Change xl0 to LAN NIC interface name
$cmd 00005 allow all from any to any via xl0
# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0
# allows the packet through in dynamic rules table
$cmd 00100 check-state
# ------------------ IPFW Rules Priority ------------------
# Allow outbound SSH
$cmd 00110 allow tcp from any to any 22 out via $oif setup $ks
$cmd 00120 allow tcp from any to me 22 in via $oif setup limit src-addr 12
# Allow outbound connections initiated by root
$cmd 00150 allow tcp from me to any out via $oif setup $ks uid root
# ------------------ IPFW Rules System --------------------
# Allow access to public DNS
$cmd 00200 allow tcp from any to $odns1 53 out via $oif setup $ks
$cmd 00210 allow udp from any to $odns1 53 out via $oif $ks
$cmd 00220 allow tcp from any to $odns2 53 out via $oif setup $ks
$cmd 00230 allow udp from any to $odns2 53 out via $oif $ks
# Allow access to ISP's DHCP server for cable/DSL configurations
#$cmd 00300 allow log udp from any to any 67 out via $oif $ks
#$cmd 00310 allow udp from any to x.x.x.x 67 out via $oif $ks
#$cmd 00320 allow udp from any to x.x.x.x 67 in via $oif $ks
# Allow ping
$cmd 00400 allow icmp from any to any out via $oif $ks
$cmd 00410 allow icmp from any to any in via $oif $ks
# Allow NTP
$cmd 00420 allow tcp from any to any 37 out via $oif setup $ks
$cmd 00430 allow udp from any to any 123 out via $oif $ks
# ------------------ IPFW Rules Service -------------------
# Allow HTTP connections
$cmd 00500 allow tcp from any to any 80 out via $oif setup $ks
$cmd 00510 allow tcp from any to me 80 in via $oif setup limit src-addr 24
# Allow HTTPS connections
$cmd 00550 allow tcp from any to any 443 out via $oif setup $ks
$cmd 00560 allow tcp from any to me 443 in via $oif setup limit src-addr 24
# Allow out secure FTP
$cmd 00600 allow tcp from any to any 21 out via $oif setup $ks
$cmd 00610 allow tcp from any to me 21 in via $oif setup limit src-addr 12
# Allow in non-secure Telnet session from public Internet
$cmd 00650 allow tcp from any to me 23 in via $oif setup limit src-addr 12
# Allow outbound email connections
$cmd 00710 allow tcp from any to any 25 out via $oif setup $ks
$cmd 00720 allow tcp from any to any 110 out via $oif setup $ks
# Allow ident
#$cmd 00800 allow tcp from any to any 113 in via $oif setup $ks
# Allow out whois
$cmd 00810 allow tcp from any to any 43 out via $oif setup $ks
# Allow out nntp news (i.e., news groups)
#$cmd 00820 allow tcp from any to any 119 out via $oif setup $ks
# ------------------ IPFW Rules Deny ----------------------
# Deny all Netbios service. 137=name, 138=datagram, 139=session, 81=hosts2
$cmd 00910 deny tcp from any to any 137 in via $oif
$cmd 00920 deny tcp from any to any 138 in via $oif
$cmd 00930 deny tcp from any to any 139 in via $oif
$cmd 00940 deny tcp from any to any 81 in via $oif
# Deny any late arriving packets
$cmd 00950 deny all from any to any frag in via $oif
# Deny ACK packets that did not match the dynamic rule table
$cmd 00960 deny tcp from any to any established in via $oif
# deny and log all other outbound and incoming connections
$cmd 00991 deny log all from any to any out via $oif
$cmd 00992 deny log all from any to any in via $oif
# Everything else is denied by default
$cmd 00999 deny log all from any to any
```
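One defensive way to run a reload like the one asked about above, as an added example that is not from this thread or from FreeBSD: a wrapper (hypothetical name safe_reload.sh) that snapshots the ruleset currently in the kernel into a rollback script, then arms a SIGHUP-immune timer that restores that snapshot unless the operator confirms within a grace period. It assumes `ipfw list` prints rules as `<number> <rule body>` lines, which `ipfw add` accepts as-is.

```shell
#!/bin/sh
# safe_reload.sh (hypothetical name, added example): reload an ipfw ruleset
# over SSH behind a dead-man rollback.
# Usage: sh safe_reload.sh /etc/ipfw.rules [grace_seconds]
set -u

# Snapshot the ruleset currently in the kernel into a re-loadable script.
# `ipfw list` prints "<number> <rule body>" lines that `ipfw add` accepts
# unchanged; the built-in default rule 65535 cannot be re-added, so it is
# skipped, as are lines that do not start with a rule number (comments).
write_rollback() {            # $1 = path of the rollback script to create
    out=$1
    printf '#!/bin/sh\nipfw -q -f flush\n' > "$out"
    ipfw list | while read -r num rest; do
        case $num in ''|*[!0-9]*) continue ;; esac
        [ "$num" = 65535 ] && continue
        printf 'ipfw -q add %s %s\n' "$num" "$rest" >> "$out"
    done
    chmod 700 "$out"
}

# Load the new rules behind a timer: a subshell that ignores SIGHUP (so it
# outlives a dropped SSH session) restores the snapshot after the grace
# period unless the operator confirms first, which kills the timer.
safe_reload() {               # $1 = new rules script, $2 = grace period (s)
    rules=$1 grace=$2
    rollback=$(mktemp /tmp/ipfw.rollback.XXXXXX) || return 1
    write_rollback "$rollback"
    ( trap '' HUP; sleep "$grace"; sh "$rollback"; rm -f "$rollback" ) \
        >/dev/null 2>&1 &
    timer=$!
    sh "$rules"
    printf 'New rules loaded. Press Enter within %ss to keep them: ' "$grace"
    if read -r answer; then
        kill "$timer" 2>/dev/null
        rm -f "$rollback"
        echo "Kept new rules; rollback cancelled."
    fi
}

[ $# -ge 1 ] && safe_reload "$1" "${2:-60}"
```

The rollback restores static rules only, not dynamic state: with a ruleset like the one above, where inbound 22 is accepted only on `setup` and rule 00960 denies `established` packets without state, the session that ran the flush is still lost, and what the timer guarantees is that a fresh SSH session can get back in.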