FreeBSD配置防火墻開啟SSH服務的方法是什么
防火墻主要由服務訪問規則、驗證工具、包過濾和應用網關4個部分組成,防火墻就是一個位于計算機和它所連接的網絡之間的軟件或硬件。這篇文章主要介紹下如何下freebsd下配置防火墻開啟SSH服務的方法,需要的朋友可以參考下
方法步驟
1、配置FreeBSD 防火墻
ee /etc/rc.conf #編輯,在最后添加
firewall_enable="yes" #開啟防火墻
net.inet.ip.fw.verbose=1 #啟用防火墻日志功能
net.inet.ip.fw.verbose_limit=5 #啟用防火墻日志功能
natd_enable="YES" # 開啟防火墻NAT功能
natd_interface="rl0"
natd_flags="-dynamic -m"
firewall_script="/etc/ipfw.rules" #自定義防火墻規則路徑
按esc,回車,再按a保存配置
2、添加防火墻規則
ee /etc/ipfw.rules #編輯防火墻規則,添加以下代碼
#!/bin/sh
################ Start of IPFW rules file ######################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0" # public interface name of NIC
# facing the public Internet
#################################################################
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#################################################################
$cmd 005 allow all from any to any via xl0
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0
#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state
#################################################################
# Interface facing Public Internet (Outbound Section)
# Check session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state
#################################################################
# Interface facing Public Internet (Inbound Section)
# Check packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif
# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state
# Allow in standard www function because I have Apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif
# Reject & Log all unauthorized out going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################
備注:參數說明:
#$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
我的IP地址是192.168.21.173,是屬于192.168.0.0/16 IP段,所以這里要注釋掉這一行,允許連接外網,否則主機無法聯網。
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
是開啟SSH默認端口22
3、重啟網絡服務,使防火墻規則生效
/etc/netstart #重啟網絡
/etc/rc.d/ipfw start #開啟防火墻
ipfw disable firewall #關閉防火墻
ipfw enable firewall #開啟防火墻
/etc/rc.d/ipfw restart #重啟防火墻
sh /etc/ipfw.rules #使防火墻規則生效
4、開啟SSH服務
(1)ee /etc/inetd.conf #編輯,去掉sshd前面的#
ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4
(2)ee /etc/rc.conf #編輯,在最后添加
sshd_enable="yes"
(3)ee /etc/ssh/sshd_config #編輯配置文件
PermitRootLogin yes #允許root登錄
PasswordAuthentication yes #使用密碼驗證
PermitEmptyPasswords no #不允許空密碼登錄
/etc/rc.d/sshd start #啟動ssh服務
/etc/rc.d/sshd restart #重啟ssh
配置完成,現在已經可以使用Putty等遠程連接工具連接服務器了。
#####################################################
擴展閱讀:
有兩種加載自定義 ipfw 防火墻規則的方法。
其一是將變量 firewall_type 設為包含不帶 ipfw(8) 命令行選項的 防火墻規則 文件的完整路徑。
例如:
add allow in
add allow out
firewall_type="open"參數說明
open ── 允許所有流量通過。
client ── 只保護本機。
simple ── 保護整個網絡。
closed ── 完全禁止除回環設備之外的全部 IP 流量。
UNKNOWN ── 禁止加載防火墻規則。
filename ── 到防火墻規則文件的絕對路徑。
IPFW防火墻規則集樣例在這兩個文件中
/etc/rc.firewall
/etc/rc.firewall6
除此之外, 也可以將 firewall_script 變量設為包含 ipfw 命令的可執行腳本, 這樣這個腳本會在啟動時自動執行。
補充閱讀:防火墻主要使用技巧
一、所有的防火墻文件規則必須更改。
盡管這種方法聽起來很容易,但是由于防火墻沒有內置的變動管理流程,因此文件更改對于許多企業來說都不是最佳的實踐方法。如果防火墻管理員因為突發情況或者一些其他形式的業務中斷做出更改,那么他撞到槍口上的可能性就會比較大。但是如果這種更改抵消了之前的協議更改,會導致宕機嗎?這是一個相當高發的狀況。
防火墻管理產品的中央控制臺能全面可視所有的防火墻規則基礎,因此團隊的所有成員都必須達成共識,觀察誰進行了何種更改。這樣就能及時發現并修理故障,讓整個協議管理更加簡單和高效。
二、以最小的權限安裝所有的訪問規則。
另一個常見的安全問題是權限過度的規則設置。防火墻規則是由三個域構成的:即源(IP地址),目的地(網絡/子網絡)和服務(應用軟件或者其他目的地)。為了確保每個用戶都有足夠的端口來訪問他們所需的系統,常用方法是在一個或者更多域內指定打來那個的目標對象。當你出于業務持續性的需要允許大范圍的IP地址來訪問大型企業的網絡,這些規則就會變得權限過度釋放,因此就會增加不安全因素。服務域的規則是開放65535個TCP端口的ANY。防火墻管理員真的就意味著為黑客開放了65535個攻擊矢量?
三、根據法規協議和更改需求來校驗每項防火墻的更改。
在防火墻操作中,日常工作都是以尋找問題,修正問題和安裝新系統為中心的。在安裝最新防火墻規則來解決問題,應用新產品和業務部門的過程中,我們經常會遺忘防火墻也是企業安全協議的物理執行者。每項規則都應該重新審核來確保它能符合安全協議和任何法規協議的內容和精神,而不僅是一篇法律條文。
四、當服務過期后從防火墻規則中刪除無用的規則。
規則膨脹是防火墻經常會出現的安全問題,因為多數運作團隊都沒有刪除規則的流程。業務部門擅長讓你知道他們了解這些新規則,卻從來不會讓防火墻團隊知道他們不再使用某些服務了。了解退役的服務器和網絡以及應用軟件更新周期對于達成規則共識是個好的開始。運行無用規則的報表是另外一步。黑客喜歡從來不刪除規則的防火墻團隊。
防火墻開啟SSH服務的方法是什么相關文章:
1.阿里云防火墻配置