From: zhcharles (小传 -> 俊男)
Compiled by: hackerbay (2002-09-06 16:48:51), BBS internal mail
http://linuxfab.cx/indexForumData.php?FID=63&PAGE=0&DETAILTHREAD=103
Dear All
I recently set up FreeBSD as a NAT box so that the machines inside can get onto the Internet; but with network security being what it is these days, I spent some time configuring some security protection. Could you all please take a look and point out what needs improvement?
: rc.conf
... (omitted)
# network
ifconfig_vr0="inet 10.0.0.254 netmask 255.255.255.0"
gateway_enable="YES"
# security
log_in_vain="YES"
kern_securelevel_enable="YES"
kern_securelevel="2"
firewall_enable="YES"
firewall_script="/etc/ipfw.sh"
# daemons disable
inetd_enable="NO"
sendmail_enable="NO"
portmap_enable="NO"
sshd_enable="NO"
tcp_extensions="NO"
# daemon nat
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic -u -p 8668"
# daemon log
syslogd_enable="YES"
syslogd_flags="-s"
... (omitted)
Since this externally facing machine does not run any services, every service is switched off.
: ipfw.sh
#! /bin/sh
# ipfw rules for the NAT gateway: vr0 is the LAN side, tun0 the PPP uplink.
fwcmd=/sbin/ipfw
net="10.0.0.0"
mask="255.255.255.0"
iip="10.0.0.254"
tif="tun0"
iif="vr0"
oif="vr1"
${fwcmd} -f flush
# loopback: allow lo0 traffic, refuse 127/8 arriving on any other interface
${fwcmd} add allow all from any to any via lo0
${fwcmd} add allow all from 127.0.0.1 to 127.0.0.1
${fwcmd} add deny all from any to 127.0.0.0/8
# drop IP fragments on the uplink
${fwcmd} add deny ip from any to any via ${tif} frag
#${fwcmd} add deny icmp from any to any in via ${tif}
# answer ident (113) with RST so remote mail servers do not hang waiting;
# likewise RST/deny ssh, portmap, NFS and the privileged ports from outside
${fwcmd} add reset tcp from any to any 113 in via ${tif}
${fwcmd} add reset tcp from not ${net}:${mask} to any 22,111,113,2049,1021,1022,1023,960 in via ${tif}
${fwcmd} add deny udp from not ${net}:${mask} to any 22,111,113,2049,1021,1022,1023,960 in via ${tif}
# keep NetBIOS/SMB and portmap off the uplink entirely
${fwcmd} add deny tcp from not ${net}:${mask} to ${net}:${mask} 137-139,445,111 via ${tif}
${fwcmd} add deny udp from not ${net}:${mask} to ${net}:${mask} 137-139,445,111 via ${tif}
# source-routed packets
${fwcmd} add deny all from any to any ipoptions ssrr,lsrr via ${tif}
# anti-spoofing: our own LAN range must never arrive from the uplink
${fwcmd} add deny all from ${net}:${mask} to any in via ${tif}
# never send traffic for private ranges out over the uplink
${fwcmd} add deny all from any to ${net}:${mask} out xmit ${tif}
${fwcmd} add deny all from any to 10.0.0.0/8 out xmit ${tif}
${fwcmd} add deny all from any to 172.16.0.0/12 out xmit ${tif}
${fwcmd} add deny all from any to 192.168.0.0/16 out xmit ${tif}
# bogon destinations in either direction on the uplink
${fwcmd} add deny all from any to 10.0.0.0/8 via ${tif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${tif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${tif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${tif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${tif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${tif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${tif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${tif}
# hand uplink traffic to natd; translated packets re-enter at the next rule
${fwcmd} add divert natd all from any to any via ${tif}
# bogon sources on the uplink (checked after translation)
${fwcmd} add deny all from ${net}:${mask} to any in recv ${tif}
${fwcmd} add deny all from 10.0.0.0/8 to any in recv ${tif}
${fwcmd} add deny all from 172.16.0.0/12 to any in recv ${tif}
${fwcmd} add deny all from 192.168.0.0/16 to any in recv ${tif}
${fwcmd} add deny all from 10.0.0.0/8 to any via ${tif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${tif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${tif}
${fwcmd} add deny all from 0.0.0.0/8 to any via ${tif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${tif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${tif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${tif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${tif}
# TCP: pass ongoing connections, refuse new ones arriving on the uplink,
# allow connections opened from inside
${fwcmd} add allow tcp from any to any established
${fwcmd} add deny tcp from any to any in via ${tif} setup
${fwcmd} add allow tcp from any to any setup
# default is pass
${fwcmd} add 65000 pass all from any to any
At the moment it runs without problems, and port scans from outside also turned up nothing, but sometimes I still get the feeling that something isn't quite right...
I'd appreciate guidance from the more experienced among you. Thanks!
---- It's cold, so I shower a lot!
But milk is too sweet, and oil is too hot!
So I take bubble baths!
--
The truer the love, the deeper the jealousy. A mournful tune at midnight, a legendary life!
★ Moderator of the FreeBSD, OpenBSD and CGI boards ★
小传 ( Charles Feng ) [email protected] OICQ:17866295
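The post asks whether the ruleset above does what its author expects. As an added example that is not part of the original post, here is a small Python walker for the ipfw syntax used in /etc/ipfw.sh: it parses a transcribed subset of the rules (the repeated bogon-range rules cut to one representative, so the rule numbers differ from the real box) and reports, first match wins, which rules a constructed packet hits. The uplink address 203.0.113.5 and the Internet host 198.51.100.7 are assumed values from the documentation ranges, and natd is modelled only as far as the post's flags imply: outbound sources are rewritten, inbound packets without an alias entry are handed back unchanged. Two things the walk makes visible: an outbound LAN connection is diverted to natd and then accepted by the `allow tcp ... setup` rule, so the `deny ... from 10.0.0.0/8 ... via tun0` rules placed after the divert never see the untranslated source; and an inbound UDP datagram to a port that is not in the explicit deny list falls through to rule 65000, the default pass.

```python
"""Offline first-match walker for the ipfw(8) syntax used in the post (added example, not the post's code)."""
import ipaddress

EXT_ADDR = "203.0.113.5"  # assumed public address natd uses on tun0 (RFC 5737 range)
ACTIONS = {"pass": "allow", "allow": "allow", "deny": "deny", "reset": "reset"}

# Transcribed from the post with ${net}:${mask} and ${tif} expanded; repeated bogon rules cut to one.
RULES = [
    "add reset tcp from any to any 113 in via tun0",
    "add reset tcp from not 10.0.0.0:255.255.255.0 to any 22,111,113,2049,1021,1022,1023,960 in via tun0",
    "add deny udp from not 10.0.0.0:255.255.255.0 to any 22,111,113,2049,1021,1022,1023,960 in via tun0",
    "add deny all from 10.0.0.0:255.255.255.0 to any in via tun0",
    "add divert natd all from any to any via tun0",
    "add deny all from 10.0.0.0/8 to any via tun0",
    "add allow tcp from any to any established",
    "add deny tcp from any to any in via tun0 setup",
    "add allow tcp from any to any setup",
    "add 65000 pass all from any to any",
]

def parse_addr(t, i):
    """Parse '[not] <addr> [ports]' at t[i]; return (negate, net, ports) and the next index."""
    negate = t[i] == "not"
    i += negate
    net = None if t[i] == "any" else ipaddress.ip_network(t[i].replace(":", "/"), strict=False)
    ports, i = None, i + 1
    if i < len(t) and t[i][0].isdigit():            # port list such as 137-139,445
        ports = set()
        for part in t[i].split(","):
            lo, _, hi = part.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
        i += 1
    return (negate, net, ports), i

def parse_rule(text, prev_num):
    """Parse 'add [num] action proto from src [ports] to dst [ports] options...'."""
    t = text.split()
    i, num = 1, prev_num + 100                      # ipfw auto-numbers in steps of 100
    if t[i].isdigit():
        num, i = int(t[i]), i + 1
    action, i = t[i], i + 1
    if action == "divert":                          # 'divert natd' names a divert port
        action, i = "divert " + t[i], i + 1
    proto, i = t[i], i + 1
    src, i = parse_addr(t, i + 1)                   # i + 1 skips 'from'
    dst, i = parse_addr(t, i + 1)                   # skips 'to'
    opts = {}
    while i < len(t):                               # 'via' takes a value; in/out/setup/established do not
        opts[t[i]], i = (t[i + 1], i + 2) if t[i] == "via" else (True, i + 1)
    return dict(num=num, action=ACTIONS.get(action, action), proto=proto, src=src, dst=dst, opts=opts)

def load(texts):
    rules = []
    for text in texts:
        rules.append(parse_rule(text, rules[-1]["num"] if rules else 0))
    return sorted(rules, key=lambda r: r["num"])    # the kernel evaluates in number order

def addr_match(spec, ip, port):
    negate, net, ports = spec
    in_net = net is None or ipaddress.ip_address(ip) in net
    return (in_net != negate) and (ports is None or port in ports)

def rule_matches(rule, p):
    if rule["proto"] not in ("all", "ip", p["proto"]):
        return False
    if not (addr_match(rule["src"], p["src"], p["sport"]) and addr_match(rule["dst"], p["dst"], p["dport"])):
        return False
    f = p["flags"]
    checks = {                                      # option keyword -> predicate on its value
        "via": lambda v: v in (p["in_if"], p["out_if"]),
        "in": lambda _: p["dir"] == "in",
        "out": lambda _: p["dir"] == "out",
        "setup": lambda _: p["proto"] == "tcp" and "syn" in f and "ack" not in f,
        "established": lambda _: p["proto"] == "tcp" and bool(f & {"ack", "rst"}),
    }
    return all(checks[k](v) for k, v in rule["opts"].items())

def evaluate(rules, p):
    """Return the (number, action) hits for a packet; the first non-divert match ends the walk.
    natd: outbound sources become EXT_ADDR, inbound packets come back unchanged (no alias state)."""
    hits, p = [], dict(p)
    for rule in rules:
        if rule_matches(rule, p):
            hits.append((rule["num"], rule["action"]))
            if not rule["action"].startswith("divert"):
                return hits
            if p["dir"] == "out":                   # re-enters at the rule after the divert
                p["src"] = EXT_ADDR
    return hits + [(65535, "deny")]                 # kernel default rule, unreachable here

def packet(proto, src, dst, dir, in_if=None, out_if=None, sport=None, dport=None, flags=()):
    return dict(proto=proto, src=src, dst=dst, dir=dir, in_if=in_if, out_if=out_if,
                sport=sport, dport=dport, flags=set(flags))

if __name__ == "__main__":
    rules = load(RULES)                             # constructed packets; 198.51.100.7 plays the Internet
    for label, p in [
        ("inbound SYN to tcp/80", packet("tcp", "198.51.100.7", EXT_ADDR, "in", "tun0", sport=4000, dport=80, flags={"syn"})),
        ("inbound datagram to udp/53", packet("udp", "198.51.100.7", EXT_ADDR, "in", "tun0", sport=4000, dport=53)),
        ("LAN host opening tcp/80 outward", packet("tcp", "10.0.0.10", "198.51.100.7", "out", "vr0", "tun0", 5000, 80, {"syn"})),
    ]:
        print(f"{label:32} -> {evaluate(rules, p)}")
```

Run it as-is to see the three walks; to check another rule from the script, append it to RULES in the same syntax. Keywords the transcribed subset does not use (recv, xmit, frag, ipoptions) are not understood and would need a matching entry in `checks`.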