FreeBSD ipfw Configuration Examples


Step # 1: Enabling IPFW

Open the /etc/rc.conf file:
# vi /etc/rc.conf
Append the following settings:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Save and close the file.

Step # 2: Write a Firewall Rule Script

Place the firewall rules in a script called /usr/local/etc/ipfw.rules (the path named by firewall_script above):
# vi /usr/local/etc/ipfw.rules
Append the following code:

#!/bin/sh
# /usr/local/etc/ipfw.rules: loaded through firewall_script in /etc/rc.conf
IPF="ipfw -q add"
# flush the old ruleset (-f skips the confirmation prompt); until the rules
# below are re-added only the kernel's default rule 65535 is in effect
ipfw -q -f flush

# loopback: allow everything on lo0, reject 127/8 addresses on any other interface
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
# drop TCP fragments
$IPF 40 deny tcp from any to any frag

# stateful: match existing dynamic rules first, then let outbound traffic create them
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# inbound services: ftp control channel (21), ssh (22), smtp (25),
# dns (53 udp and tcp), http (80); each has a matching "out" rule
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# deny and log everything else; the drops appear in /var/log/security as "ipfw: 500 Deny ..."
$IPF 500 deny log all from any to any

Save and close the file.

Step # 3: Start the firewall

You can reboot the box, or load the rules immediately by running the script from the command line:
# sh /usr/local/etc/ipfw.rules

Task: List all the rules in sequence

Type the following command:
# ipfw list
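The final rule 500 logs every packet it drops, and on FreeBSD those lines land in /var/log/security via syslog. The script below is an added example, not part of the original post: it turns that stream into a short summary by destination port and by source address, so a quick look shows what the deny rule is actually catching. The log lines embedded in it are constructed samples (the "ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> in via <iface>" layout is the format ipfw uses); on a real host pass /var/log/security as the first argument.

```shell
#!/bin/sh
# Summarize what the final "deny log" rule (500) is dropping.
# Added example, not part of the original post. The lines below are
# constructed samples, not captured traffic.
SAMPLE_LOG='Mar  3 10:00:01 bsdhost kernel: ipfw: 500 Deny TCP 203.0.113.7:44012 192.0.2.10:3306 in via em0
Mar  3 10:00:02 bsdhost kernel: ipfw: 500 Deny TCP 203.0.113.7:44013 192.0.2.10:3306 in via em0
Mar  3 10:00:05 bsdhost kernel: ipfw: 500 Deny UDP 198.51.100.9:5353 192.0.2.10:5353 in via em0
Mar  3 10:00:09 bsdhost kernel: ipfw: 500 Deny TCP 203.0.113.7:44020 192.0.2.10:23 in via em0
Mar  3 10:00:10 bsdhost kernel: ipfw: 500 Deny TCP 198.51.100.9:50000 192.0.2.10:3306 in via em0
Mar  3 10:00:11 bsdhost kernel: ipfw: 110 Accept TCP 203.0.113.8:5000 192.0.2.10:21 in via em0'

# Emit the log text: the given file, or the embedded sample when no file is named.
log_source() {
    if [ $# -ge 1 ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# deny_summary [logfile]: prints "count proto dst_port", most frequent first.
deny_summary() {
    log_source "$@" | awk '
        /ipfw: [0-9]+ Deny / {
            # locate the "ipfw:" token; after it come rule, action, proto, src, dst
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            proto = $(i + 3)
            n = split($(i + 5), parts, ":")     # dst is addr:port; the port is the last piece
            count[proto " " parts[n]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# deny_sources [logfile]: prints "count source_address", most frequent first (IPv4 only).
deny_sources() {
    log_source "$@" | awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            split($(i + 4), parts, ":")         # src is addr:port
            count[parts[1]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run: report on the sample, or on the file given as $1
# (for example /var/log/security on the FreeBSD host).
echo "denied by proto/port:"; deny_summary "$@"
echo "denied by source:";     deny_sources "$@"
```

Run it as `sh ipfw-denies.sh /var/log/security`; a port that keeps showing up in the first table with many distinct sources is usually a service scan, while one source hitting many ports is worth correlating with the `in via` interface before deciding whether a tighter rule is needed.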


Edit /etc/rc.conf and append the following settings:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Then restart the firewall service:
# /etc/rc.d/ipfw restart

By comparison, for Debian and CentOS systems, this is the iptables shell script set up when initializing a system: it only allows inbound port 22 (or whatever port SSH has been moved to) and port 80, plus established connections, ping, and so on.

#!/bin/bash
# Minimal host firewall for a fresh Debian/CentOS install: allow SSH (on its
# configured port) and HTTP in, allow replies to connections this host opened,
# allow ping, drop everything else inbound.

# Start from a clean slate: flush all rules and delete user-defined chains.
iptables -F
iptables -X

# Accept rules go in BEFORE the default policy is switched to DROP, so an SSH
# session that is running this script is not cut off half-way.
iptables -A INPUT -i lo -j ACCEPT   # loopback; not in the original, but local services break under a DROP policy without it
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --dport 25158 -j ACCEPT
iptables -A INPUT -p tcp --dport 19258 -j ACCEPT   # SSH, moved to a non-default port
iptables -A INPUT -p tcp --dport 80 -j ACCEPT      # HTTP
iptables -A INPUT -p icmp -j ACCEPT                # let outside hosts ping us
#iptables -A OUTPUT -p icmp -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Replies to connections this host initiated (outbound ping, updates, DNS lookups)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Dns 53
#iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# Default policies: drop unsolicited inbound and forwarded traffic, allow outbound.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Persist the finished ruleset (CentOS init script). The original ran save and
# restart right after the flush, which saved and reloaded an empty table; on
# Debian there is no such service, use iptables-save with iptables-persistent.
/etc/rc.d/init.d/iptables save
service iptables restart
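The intent of the script above is easy to state (only SSH and HTTP inbound, default DROP, state tracking for replies) but easy to drift from once other people add rules by hand. The audit below is an added example, not part of the original post: it reads the text that `iptables -S INPUT` prints, compares the accepted `--dport` values against an allow-list, and flags a non-DROP policy, a missing loopback rule, and a missing ESTABLISHED,RELATED rule. Both rule listings embedded in it are constructed samples; the first deliberately contains an extra open port (3306) that the policy does not intend.

```shell
#!/bin/sh
# Audit the INPUT chain against an allow-list of inbound TCP ports.
# Added example, not part of the original post. Input is `iptables -S INPUT`
# text; the samples below are constructed.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 19258 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT'

# A second constructed sample: the shape of a box where the script was never run.
SAMPLE_RULES_WEAK='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# audit_input "port port ...": read `iptables -S INPUT` text on stdin, print one
# finding per line, and return 1 if anything was flagged with WARN.
audit_input() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1; warn = 0 }
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 == "-A" && $2 == "INPUT" {
            port = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i" && $(i + 1) == "lo") lo = 1
                if ($i == "--dport") port = $(i + 1)
                if (($i == "--state" || $i == "--ctstate") && $(i + 1) ~ /ESTABLISHED/) ct = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (port != "" && target == "ACCEPT") {
                if (port in ok) print "open " port
                else { print "WARN unexpected open port " port; warn = 1 }
            }
        }
        END {
            if (policy == "DROP") print "policy DROP"
            else { print "WARN INPUT policy is " policy ", not DROP"; warn = 1 }
            if (!lo) { print "WARN loopback traffic is not accepted"; warn = 1 }
            if (!ct) { print "WARN no ESTABLISHED,RELATED rule; replies to outbound connections are dropped"; warn = 1 }
            exit warn
        }
    '
}

# Stand-alone run against the sample. On a live host:  iptables -S INPUT | audit_input "19258 80"
printf '%s\n' "$SAMPLE_RULES" | audit_input "19258 80" || echo "audit: issues found"
```

Because the function's exit status follows the findings, it drops straight into a cron job or a configuration-management check: a non-zero result means the live chain no longer matches the allow-list and someone should look before the next change is layered on top.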
