标签:
Open /etc/rc.conf file
# vi /etc/rc.conf
Append following settings:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
Save and close the file..
You need to place a firewall rules in a script called /usr/local/etc/ipfw.rule:
# vi /usr/local/etc/ipfw.rules
Append following code:
IPF="ipfw -q add" ipfw -q -f flush #loopback $IPF 10 allow all from any to any via lo0 $IPF 20 deny all from any to 127.0.0.0/8 $IPF 30 deny all from 127.0.0.0/8 to any $IPF 40 deny tcp from any to any frag # statefull $IPF 50 check-state $IPF 60 allow tcp from any to any established $IPF 70 allow all from any to any out keep-state $IPF 80 allow icmp from any to any # open port ftp (20,21), ssh (22), mail (25) # http (80), dns (53) etc $IPF 110 allow tcp from any to any 21 in $IPF 120 allow tcp from any to any 21 out $IPF 130 allow tcp from any to any 22 in $IPF 140 allow tcp from any to any 22 out $IPF 150 allow tcp from any to any 25 in $IPF 160 allow tcp from any to any 25 out $IPF 170 allow udp from any to any 53 in $IPF 175 allow tcp from any to any 53 in $IPF 180 allow udp from any to any 53 out $IPF 185 allow tcp from any to any 53 out $IPF 200 allow tcp from any to any 80 in $IPF 210 allow tcp from any to any 80 out # deny and log everything $IPF 500 deny log all from any to any
Save and close the file.
You can reboot the box or you could reload these rules by entering on the command line.
# sh /usr/local/etc/ipfw.rules
Type the following command:
# ipfw list
IPF="ipfw -q add" ipfw -q -f flush #loopback $IPF 10 allow from any to any via lo0 $IPF 20 deny all from any to 127.0.0.0/8 $IPF 30 deny all from 127.0.0.0/8 to any $IPF 40 deny tcp from any to any frag #statefull $IPF 50 check-state $IPF 60 allow tcp from any to any established $IPF 70 allow all from any to any out keep-state $IPF 80 allow icmp from any to any #open port ftp(20,2),ssh(22),mail(25),http(80),dns(53) $IPF 110 allow tcp from any to any 21 in $IPF 120 allow tcp from any to any 21 out $IPF 130 allow tcp from any to any 22 in $IPF 140 allow tcp from any to any 22 out $IPF 150 allow tcp from any to any 25 in $IPF 160 allow tcp from any to any 25 out $IPF 170 allow udp from any to any 53 in $IPF 175 allow tcp from any to any 53 in $IPF 180 allow udp from any to any 53 out $IPF 185 allow tcp from any to any 53 out $IPF 200 allow tcp from any to any 80 in $IPF 210 allow tcp from any to any 80 out #deny and log everything $IPF 500 deny log all from any to any
修改/etc/rc.conf
Append following settings
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
/etc/rc.d/ipfw restart
相对针对debian及Centos 系统 的初始化一个系统的 时候设置的iptables shell (仅放行 22 (或是被修改为别的端口)and 80) 以建立的连接ping 等
#!/bin/bash iptables -F iptables -X /etc/rc.d/init.d/iptables save service iptables restart iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP #iptables -A INPUT -p tcp --dport 22 -j ACCEPT #iptables -A INPUT -p tcp --dport 25158 -j ACCEPT iptables -A INPUT -p tcp --dport 19258 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT #from out hosts ping #iptables -A OUTPUT -p icmp -j ACCEPT #iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT # ping Internet iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Dns 53 #iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT #iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
标签:
原文地址:http://www.cnblogs.com/ruiy/p/4586326.html
