看了精华帖子,但是FreeBSD＋IPFILTER 还是没有弄明白!

wallace888

本人用的是BSD5.4系统,我看了剑心通明兄弟的FreeBSD＋IPFILTER实现整网
的文章,首先我编译内核.改动如下:
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
编译核心后成功从新启动,由于"options IPFILTER_DEFAULT_BLOCK"默认拒绝了所有的收发包,我现在要允许我的内部可以SSH,而且允许这个BSD可以上网络.
/etc/rc.conf里面的设置:
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.conf"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat.conf"
ipmon_enable="YES"
ipmon_flags="-D /var/log/ipf.log"

/etc/ipf.conf内容:
block in quick all with ipopts
block in quick all with frag
block in quick all with short

pass in quick on lo0 all
pass out quick on lo0 all

# Inside Interface
pass out quick on rl0 all head 1
pass out quick on rl0 proto tcp from any to any keep state group 1
pass out quick on rl0 proto udp from any to any keep state group 1
pass out quick on rl0 proto icmp from any to any keep state group 1
block out quick on rl0 all group 1

# Allow in all TCP, UDP, and ICMP traffic & keep state
pass in quick on em1 all head 2
pass in quick on em1 proto tcp from 192.168.201.0/24 to any port = 22 flags S keep state group 2
block in quick on em1 proto tcp from any to any port = 22 flags S keep state group 2
pass in quick on rl0 proto tcp from any to any keep state group 2
pass in quick on rl0 proto udp from any to any keep state group 2
pass in quick on rl0 proto icmp from any to any keep state group 2
block in quick on rl0 all group 2

从新启动!
我的BSD还是上不了INTERNET呀,而且内部网络PING不通BSD机器,在BSD机器PING内部机器也不通讯
ping www.163.com 或者ping 192.168.201.1
提示:
ping : sendto: No route to host

剑心通明

外网网卡哪？

剑心通明

options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
你到底用ipfilter还是ipfw？

剑心通明

如果要ipf和ipfw同时使用，切记要将ipf编译到内核里面，然后再kld ipfw。如果将两者都编译进内核会导致系统启动的时候卡在一个检测网络接口的地方。
http://bbs.chinaunix.net/viewthr ... &extra=page%3D1

wallace888

那,我在编译一次内核,把IPFW的去掉!

wallace888

内核我已经从新编译了,去掉了ptions IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
但是还是和以前问题一样

HonestQiao

请参考：
http://www.freebsd.org.cn/snap/d ... /firewalls-ipf.html

hongzjx

/etc/ipnat.conf的问题吧!

剑心通明

首先你得确定你的内外网网卡到底是哪个？ip设置等是否正确？没有用防火墙之前是否都可以正常使用？

剑心通明

看你的规则，上不去网很正常啊，em1？怎么会是em1哪？根本就没有pass out on em1的规则，当然不行了，内核里面默认的是block了