论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2005-02-22 19:40 |只看该作者 |倒序浏览

看了剑心通明兄的ipf.conf 的规则配置，有些不明白的地方，请大家指导

#############优化ipf.conf#########################

block in quick all with ipopts
block in quick all with frag
block in quick all with short

#################################################################
# Resist the attack of the virus
#################################################################
block in quick proto tcp/udp from any to any port 134 >;< 140
block in quick proto tcp/udp from any to any port = 445
block in quick proto tcp/udp from any to any port = 593
block in quick proto tcp/udp from any to any port = 333
block in quick proto tcp/udp from any to any port = 5554
block in quick proto tcp/udp from any to any port = 9995
block in quick proto tcp/udp from any to any port = 9996
block in quick proto tcp/udp from any to any port = tftp
block in quick proto tcp/udp from any to any port = 554
block in quick proto tcp/udp from any to any port = 1434
block in quick proto tcp/udp from any to any port = 4444

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
################################################################

#################################################################
# Inside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on em1 all head 1
pass out quick on em1 proto tcp from any to any keep state group 1
pass out quick on em1 proto udp from any to any keep state group 1
pass out quick on em1 proto icmp from any to any keep state group 1
block out quick on em1 all group 1
#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on em1 all head 2
pass in quick on em1 proto tcp from 10.0.40.0/24 to any port = 22 flags S keep state group 2
block in quick on em1 proto tcp from any to any port = 22 flags S keep state group 2
pass in quick on em1 proto tcp from any to any keep state group 2
pass in quick on em1 proto udp from any to any keep state group 2
pass in quick on em1 proto icmp from any to any keep state group 2
block in quick on em1 all group 2

#################################################################
# Outside Interface
#################################################################
#----------------------------------------------------------------
#Block out all traffic to the private address
#----------------------------------------------------------------
block out quick on em0 all head 11
block out quick on em0 from any to 192.168.0.0/16 group 11
block out quick on em0 from any to 172.16.0.0/12 group 11
block out quick on em0 from any to 10.0.0.0/8 group 11
block out quick on em0 from any to 127.0.0.0/8 group 11
block out quick on em0 from any to 0.0.0.0/8 group 11
block out quick on em0 from any to 169.254.0.0/16 group 11
block out quick on em0 from any to 192.0.2.0/24 group 11
block out quick on em0 from any to 204.152.64.0/23 group 11
block out quick on em0 from any to 224.0.0.0/3 group 11
block out quick on em0 from any to 20.20.20.0/24 group 11

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#----------------------------------------------------------------
pass out quick on em0 proto tcp from any to any keep state group 11
pass out quick on em0 proto udp from any to any keep state group 11
pass out quick on em0 proto icmp from any to any keep state group 11
block out quick on em0 all group 11

#----------------------------------------------------------------
#Block in all traffice from the private address
#----------------------------------------------------------------
block in quick on em0 all head 12
block in quick on em0 from 192.168.0.0/16 to any group 12
block in quick on em0 from 172.16.0.0/12 to any group 12
block in quick on em0 from 10.0.0.0/8 to any group 12
block in quick on em0 from 127.0.0.0/8 to any group 12
block in quick on em0 from 0.0.0.0/8 to any group 12
block in quick on em0 from 169.254.0.0/16 to any group 12
block in quick on em0 from 192.0.2.0/24 to any group 12
block in quick on em0 from 204.152.64.0/23 to any group 12
block in quick on em0 from 224.0.0.0/3 to any group 12
block in quick on em0 from 20.20.20.0/24 to any group 12

#----------------------------------------------------------------
# Block all remaining traffic coming into the firewall
#----------------------------------------------------------------
pass in quick on em0 proto tcp from any to any port = 80 flags S keep state group 12
block in quick on em0 all group 12

#############The END############################################

问题1： group 1、 group 2、group 11、group 12 ，是什么含义
问题2： head 12 是什么含义
问题3：我定义了
pass in quick on fxp0 proto tcp from any to any port=23 flags S/SA keep state
怎么外网不能访问 23 这个端口
请指导一下。

文库|博客

levitate

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2005-02-22 20:36 |只看该作者

想详细请教ipf.conf 中的一些问题

问题已经解决
head 12 是定义组策略的标记
group 12 是应用这个组策略

pass in quick on fxp0 proto tcp from any to any port = 23 flags S/SA keep state

port=23 是不正确的中间要用空格。一点心的供大家参考