论坛徽章:: 0

61楼 [报告]

发表于 2006-09-03 20:34 |只看该作者

1) "gateway_enable="YES" # 启动网关" is not necessary unless your system is multi-homed.
2) "firewall_enable="YES" # 激活firewall防火墙; firewall_script="/etc/rc.firewall" # firewall防火墙的默认; firewall_type="/etc/ipfw.conf" # firewall自定义脚本; firewall_quiet="YES" ; firewall_logging_enable="YES" # 启用firewall的log记录" are not needed if you compile the firewall into kernel (16楼 are for kernel only). you obviously used both kernel version of ipfw and module version of ipfw simultaneously. in fact, kernel version ipfw will be preferred over module version of ipfw. those in rc.conf will have no effect.
3) with "options IPFIREWALL_DEFAULT_TO_ACCEPT" in your customized kernel, 65535 automatically defined as "open for all". by default, 65535 should be "deny for all".

my suggestion:

1) recompiled that kernel with no 16楼 statements.
2) keep everything in the rc.conf file
3) if you only need port 22 and 80. here is something will work for sure:

ipfw -q add 1000 check-state
ipfw -q add 1100 allow log tcp from any to {interface} 22 setup keep-state
ipfw -q add 1200 allow log tcp from any to {interface} 80 setup keep-state
ipfw -q add 1300 allow all from me to any

the statement of 65535 will always be there with default of "deny for all"

good luck!

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

yyf_007

白手起家

论坛徽章:: 0

62楼 [报告]

发表于 2006-11-10 10:15 |只看该作者

$ ipfw list
50000 allow ip from 192.168.0.254 to any
50001 allow ip from any to 192.168.0.254
50002 queue 7 tcp from any 6881-6999 to any in via fxp0
50003 queue 7 tcp from any to any dst-port 6881-6999 in via fxp0
50004 queue 5 tcp from any 6881-6999 to any out via fxp0
50005 queue 5 tcp from any to any dst-port 6881-6999 out via fxp0
50006 queue 7 ip from any 412 to any in via fxp0
50007 queue 7 ip from any to any dst-port 412 in via fxp0
50008 queue 5 ip from any 412 to any out via fxp0
50009 queue 5 ip from any to any dst-port 412 out via fxp0
50010 queue 7 ip from any 1044-1045 to any in via fxp0
50011 queue 7 ip from any to any dst-port 1044-1045 in via fxp0
50012 queue 5 ip from any 1044-1045 to any out via fxp0
50013 queue 5 ip from any to any dst-port 1044-1045 out via fxp0
50014 queue 7 ip from any 1214 to any in via fxp0
50015 queue 7 ip from any to any dst-port 1214 in via fxp0
50016 queue 5 ip from any 1214 to any out via fxp0
50017 queue 5 ip from any to any dst-port 1214 out via fxp0
50018 queue 7 ip from any 2340 to any in via fxp0
50019 queue 7 ip from any to any dst-port 2340 in via fxp0
50020 queue 5 ip from any 2340 to any out via fxp0
50021 queue 5 ip from any to any dst-port 2340 out via fxp0
50022 queue 7 ip from any 4329 to any in via fxp0
50023 queue 7 ip from any to any dst-port 4329 in via fxp0
50024 queue 5 ip from any 4329 to any out via fxp0
50025 queue 5 ip from any to any dst-port 4329 out via fxp0
50026 queue 7 ip from any 4661-4665 to any in via fxp0
50027 queue 7 ip from any to any dst-port 4661-4665 in via fxp0
50028 queue 5 ip from any 4661-4665 to any out via fxp0
50029 queue 5 ip from any to any dst-port 4661-4665 out via fxp0
50030 queue 7 ip from any 5190 to any in via fxp0
50031 queue 7 ip from any to any dst-port 5190 in via fxp0
50032 queue 5 ip from any 5190 to any out via fxp0
50033 queue 5 ip from any to any dst-port 5190 out via fxp0
50034 queue 7 ip from any 5500-5503 to any in via fxp0
50035 queue 7 ip from any to any dst-port 5500-5503 in via fxp0
50036 queue 5 ip from any 5500-5503 to any out via fxp0
50037 queue 5 ip from any to any dst-port 5500-5503 out via fxp0
50038 queue 7 ip from any 6346 to any in via fxp0
50039 queue 7 ip from any to any dst-port 6346 in via fxp0
50040 queue 5 ip from any 6346 to any out via fxp0
50041 queue 5 ip from any to any dst-port 6346 out via fxp0
50042 queue 7 ip from any 6666-6668 to any in via fxp0
50043 queue 7 ip from any to any dst-port 6666-6668 in via fxp0
50044 queue 5 ip from any 6666-6668 to any out via fxp0
50045 queue 5 ip from any to any dst-port 6666-6668 out via fxp0
50046 queue 7 ip from any 6699-6701 to any in via fxp0
50047 queue 7 ip from any to any dst-port 6699-6701 in via fxp0
50048 queue 5 ip from any 6699-6701 to any out via fxp0
50049 queue 5 ip from any to any dst-port 6699-6701 out via fxp0
50050 queue 7 ip from any 7668 to any in via fxp0
50051 queue 7 ip from any to any dst-port 7668 in via fxp0
50052 queue 5 ip from any 7668 to any out via fxp0
50053 queue 5 ip from any to any dst-port 7668 out via fxp0
50054 queue 7 ip from any 7788 to any in via fxp0
50055 queue 7 ip from any to any dst-port 7788 in via fxp0
50056 queue 5 ip from any 7788 to any out via fxp0
50057 queue 5 ip from any to any dst-port 7788 out via fxp0
50058 queue 7 ip from any 8311 to any in via fxp0
50059 queue 7 ip from any to any dst-port 8311 in via fxp0
50060 queue 5 ip from any 8311 to any out via fxp0
50061 queue 5 ip from any to any dst-port 8311 out via fxp0
50062 queue 7 ip from any 8888-8889 to any in via fxp0
50063 queue 7 ip from any to any dst-port 8888-8889 in via fxp0
50064 queue 5 ip from any 8888-8889 to any out via fxp0
50065 queue 5 ip from any to any dst-port 8888-8889 out via fxp0
50066 queue 7 ip from any 28864-28865 to any in via fxp0
50067 queue 7 ip from any to any dst-port 28864-28865 in via fxp0
50068 queue 5 ip from any 28864-28865 to any out via fxp0
50069 queue 5 ip from any to any dst-port 28864-28865 out via fxp0
50070 queue 3 tcp from any to any iplen 0-80 tcpflags ack out via fxp0
50071 queue 1 ip from any to any iplen 0-100 out via fxp0
50072 queue 1 udp from any to any dst-port 53 out via fxp0
50073 queue 1 ah from any to any out via fxp0
50074 queue 1 esp from any to any out via fxp0
50075 queue 1 gre from any to any out via fxp0
50076 queue 2 icmp from any to any out via fxp0
50077 queue 4 ip from any to any out via fxp0
50078 queue 8 icmp from any to any in via fxp0
50079 queue 8 ip from any to any iplen 0-100 in via fxp0
50080 queue 8 ah from any to any in via fxp0
50081 queue 8 esp from any to any in via fxp0
50082 queue 8 gre from any to any in via fxp0
50083 queue 6 ip from any to any in via fxp0
50180 deny ip from any to any dst-port 2004
50181 deny ip from any to any dst-port 3076-3078
50281 allow tcp from 192.168.0.0/23 to any setup limit src-addr 200
50381 allow tcp from any to me setup limit src-addr 200
65535 allow ip from any to any