|
发信人: zhcharles(小传 -> 俊男) 整理人: hackerbay(2002-09-06 16:48:51), 站内信件 |
|
http://linuxfab.cx/indexForumData.php?FID=63&PAGE=0&DETAILTHREAD=103 Dear All 小弟前段时间用 FreeBSD 作 NAT 以便让内部的机器可以连上 Internet;但是有鉴於目前网络安全的问题,因此花了点时间设定一些安全安全防护,请各位大大帮忙看一下需要改进的地方. : rc.conf ... 略 # network ifconfig_vr0="inet 10.0.0.254 netmask 255.255.255.0" gateway_enable="YES" # security log_in_vain="YES" kern_securelevel_enable="YES" kern_securelevel="2" firewall_enable="YES" firewall_script="/etc/ipfw.sh" # daemons disable inetd_enable="NO" sendmail_enable="NO" portmap_enable="NO" sshd_enable="NO" tcp_extensions="NO" # daemon nat natd_enable="YES" natd_interface="tun0" natd_flags="-dynamic -u -p 8668" # daemon log syslogd_enable="YES" syslogd_flags="-s" ... 略 因为这台对外的机器不做任何服务,因此所有服务全部关闭. : ipfw.sh #! /bin/sh fwcmd=/sbin/ipfw net="10.0.0.0" mask="255.255.255.0" iip="10.0.0.254" tif="tun0" iif="vr0" oif="vr1" ${fwcmd} -f flush ${fwcmd} add allow all from any to any via lo0 ${fwcmd} add allow all from 127.0.0.1 to 127.0.0.1 ${fwcmd} add deny all from any to 127.0.0.0/8 ${fwcmd} add deny ip from any to any via ${tif} frag #${fwcmd} add deny icmp from any to any in via ${tif} ${fwcmd} add reset tcp from any to any 113 in via ${tif} ${fwcmd} add reset tcp from not ${net}:${mask} to any 22,111,113,2049,1021,1022,1023,960 in via ${tif} ${fwcmd} add deny udp from not ${net}:${mask} to any 22,111,113,2049,1021,1022,1023,960 in via ${tif} ${fwcmd} add deny tcp from not ${net}:${mask} to ${net}:${mask} 137-139,445,111 via ${tif} ${fwcmd} add deny udp from not ${net}:${mask} to ${net}:${mask} 137-139,445,111 via ${tif} ${fwcmd} add deny all from any to any ipoptions ssrr,lsrr via ${tif} ${fwcmd} add deny all from ${net}:${mask} to any in via ${tif} ${fwcmd} add deny all from any to ${net}:${mask} out xmit ${tif} ${fwcmd} add deny all from any to 10.0.0.0/8 out xmit ${tif} ${fwcmd} add deny all from any to 172.16.0.0/12 out xmit ${tif} ${fwcmd} add deny all from any to 192.168.0.0/16 out xmit ${tif} ${fwcmd} add deny all from any to 10.0.0.0/8 via ${tif} ${fwcmd} add deny all from any to 172.16.0.0/12 via ${tif} ${fwcmd} add deny all from any to 192.168.0.0/16 via ${tif} ${fwcmd} add deny all from any to 0.0.0.0/8 via ${tif} ${fwcmd} add deny all from any to 169.254.0.0/16 via ${tif} ${fwcmd} add deny all from any to 192.0.2.0/24 via ${tif} ${fwcmd} add deny all from any to 224.0.0.0/4 via ${tif} ${fwcmd} add deny all from any to 240.0.0.0/4 via ${tif} ${fwcmd} add divert natd all from any to any via ${tif} ${fwcmd} add deny all from ${net}:${mask} to any in recv ${tif} ${fwcmd} add deny all from 10.0.0.0/8 to any in recv ${tif} ${fwcmd} add deny all from 172.16.0.0/12 to any in recv ${tif} ${fwcmd} add deny all from 192.168.0.0/16 to any in recv ${tif} ${fwcmd} add deny all from 10.0.0.0/8 to any via ${tif} ${fwcmd} add deny all from 172.16.0.0/12 to any via ${tif} ${fwcmd} add deny all from 192.168.0.0/16 to any via ${tif} ${fwcmd} add deny all from 0.0.0.0/8 to any via ${tif} ${fwcmd} add deny all from 169.254.0.0/16 to any via ${tif} ${fwcmd} add deny all from 192.0.2.0/24 to any via ${tif} ${fwcmd} add deny all from 224.0.0.0/4 to any via ${tif} ${fwcmd} add deny all from 240.0.0.0/4 to any via ${tif} ${fwcmd} add allow tcp from any to any established ${fwcmd} add deny tcp from any to any in via ${tif} setup ${fwcmd} add allow tcp from any to any setup # default is pass ${fwcmd} add 65000 pass all from any to any 目前正常运行无误,且从外部做过扫埠的动作也一切没有问题,但是有时总觉得似乎不太对劲... 请诸位先进指教, Thanks! ---- 凉,我经常都冲架! 不过牛奶就太甜,油又太滚! 所以我冲泡泡浴! -- 
情越真,妒越深。夜半哀音,传奇一生! ★ FreeBSD 版 和 OpenBSD 版 和 CGI 版 版主 ★ 小传 ( Charles Feng ) [email protected] OICQ:17866295 |
|
[关闭][返回] |