| field | value | date |
|---|---|---|
| author | Xin LI <delphij@FreeBSD.org> | 2006-03-15 19:38:56 +0000 |
| committer | Xin LI <delphij@FreeBSD.org> | 2006-03-15 19:38:56 +0000 |
| commit | b99e83b0a7c48690c2e6b7699bbd549e9a2c8da1 (patch) | |
| tree | 61578f2c24f19d8d92ac0907829272ba8ae92e3e /zh_CN.GB2312/books/handbook/firewalls | |
| parent | f266a6a31f7f22bbb73de28eccf694ca3317afaa (diff) | |
Diffstat (limited to 'zh_CN.GB2312/books/handbook/firewalls')
-rw-r--r-- | zh_CN.GB2312/books/handbook/firewalls/chapter.sgml | 125 |
1 files changed, 79 insertions, 46 deletions
diff --git a/zh_CN.GB2312/books/handbook/firewalls/chapter.sgml b/zh_CN.GB2312/books/handbook/firewalls/chapter.sgml index 57e2b0482f..410748db31 100644 --- a/zh_CN.GB2312/books/handbook/firewalls/chapter.sgml +++ b/zh_CN.GB2312/books/handbook/firewalls/chapter.sgml @@ -2,7 +2,7 @@ The FreeBSD Documentation Project The FreeBSD Simplified Chinese Project - Original Revision: 1.62 + Original Revision: 1.66 $FreeBSD$ --> @@ -239,15 +239,6 @@ <para>更多的详细信息, 可以在 &os; 版本的 PF 网站上找到: <ulink url="http://pf4freebsd.love2party.net/"></ulink>。</para> - <para>OpenBSD PF 用户指南可以在这里找到:<ulink - url="http://www.openbsd.org/faq/pf/"></ulink>。</para> - - <warning> - <para>在 &os; 5.X 上的 PF 相当于 OpenBSD 3.5 版本。 以 - port 形式出现在 &os; Ports Collection 的版本相当于 OpenBSD - 的 3.4 版。 在阅读用户指南时, 请注意这样的区别。</para> - </warning> - <sect2> <title>启用 PF</title> @@ -258,11 +249,25 @@ <note> <para>这个模块假定 <literal>options - INET</literal> 和 <literal>device bpf</literal> 是存在的。 除非编译时指定了 - <literal>NOINET6</literal> (例如在 &man.make.conf.5; 中) - 则还需要 <literal>options - INET6</literal>。</para> + INET</literal> 和 <literal>device bpf</literal> 是存在的。 + 除非编译时指定了 + <literal>NOINET6</literal> (对 &os; 6.0-RELEASE 之前的版本) 或 + <literal>NO_INET6</literal> (对更新一些的版本) (例如在 + &man.make.conf.5; 中定义) 它还需要 <literal>options INET6</literal>。</para> </note> + + <para>一旦加载了这个内河模块, 或者将 PF 支持静态联编进内核, + 就可以随时通过 <command>pfctl</command> 来启用或禁用 + <application>pf</application> 了。</para> + + <para>下面的例子展示了如何启用 + <application>pf</application>:</para> + + <screen>&prompt.root; <userinput>pfctl -e</userinput></screen> + + <para><command>pfctl</command> 命令提供了一种与 + <application>pf</application> 防火墙交互的方法。 要了解进一步的信息, + 参考 &man.pfctl.8; 联机手册是一个不错的办法。</para> </sect2> <sect2> 
@@ -383,6 +388,33 @@ options ALTQ_NOPCC # Required for SMP build</programlisting> 如果是 <acronym>SMP</acronym> 系统, 则必须使用它。</para> </sect2> + + <sect2> + <title>建立过滤规则</title> + + <para>Packet Filter 会从 + &man.pf.conf.5; 文件中读取配置规则, 并根据那里的规则修改、 + 丢弃或让数据包通过。 默认安装的 &os; + 已经提供了一格默认的、 包含一些有用例子和注释的 + <filename>/etc/pf.conf</filename>。</para> + + <para>尽管 &os; 提供了自己的 <filename>/etc/pf.conf</filename>, + 但这个文件和 OpenBSD 中的语法是一样的。 OpenBSD + 开发团队提供了一个非常好的配置 <application>pf</application> + 资源, 它可以在 + <ulink url="http://www.openbsd.org/faq/pf/"></ulink> 找到。</para> + + <warning> + <para>在浏览 pf 用户手册时, 请时刻注意, + 在 &os; 中所包含的 pf 的版本和 OpenBSD 中是不一样的。 在 &os; 5.X 中 + <application>pf</application> 相当于 OpenBSD 3.5 中的版本, + 而 &os; 6.X 中则相当于 OpenBSD 3.7。</para> + </warning> + + <para>关于 <application>pf</application> 的配置和使用问题, + 可以在 &a.pf; 提出。 当然, 在提出问题之前, + 别忘了查阅邮件列表的存档。</para> + </sect2> </sect1> <sect1 id="firewalls-ipf"> @@ -534,6 +566,7 @@ ipmon_flags="-Ds" # D = 作为服务程序启动 # s = 使用 syslog 记录 # v = 记录 tcp 窗口大小、 ack 和顺序号(seq) # n = 将 IP 和端口映射为名字</programlisting> + <para>如果您的 LAN 在防火墙后面, 并且使用了保留的私有 IP 地址范围, 那就需要增加下面的一些选项来启用 <acronym>NAT</acronym> 功能:</para> @@ -775,7 +808,7 @@ LOG_ERR - 进一步记录含不完整的包头的数据包</screen> <listitem> <para>地址。 这实际上包括三部分: - 源地址和端口 (以逗号分开), 一个 -> + 源地址和端口 (以逗号分开), 一个 -> 符号, 以及目的地址和端口。 209.53.17.22,80 -> 198.73.220.17,1722.</para> </listitem> @@ -1316,7 +1349,7 @@ pass out quick on dc0 proto udp from any to xxx port = 53 keep state # This rule is not needed for 'user ppp' type connection to the # public Internet, so you can delete this whole group. # Use the following rule and check log for IP address. -# Then put IP address in commented out rule & delete first rule +# Then put IP address in commented out rule & delete first rule pass out log quick on dc0 proto udp from any to any port = 67 keep state #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state 
@@ -1327,7 +1360,7 @@ pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state # Allow out secure www function https over TLS SSL pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state -# Allow out send & get email function +# Allow out send & get email function pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state @@ -1337,7 +1370,7 @@ pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state # Allow out nntp news pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state -# Allow out gateway & LAN users non-secure FTP ( both passive & active modes) +# Allow out gateway & LAN users non-secure FTP ( both passive & active modes) # This function uses the IP<acronym>NAT</acronym> built in FTP proxy function coded in # the nat rules file to make this single rule function correctly. # If you want to use the pkg_add command to install application packages @@ -1380,7 +1413,7 @@ block in quick on dc0 from 0.0.0.0/8 to any #loopback block in quick on dc0 from 169.254.0.0/16 to any #DHCP auto-config block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect -block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast +block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast ##### Block a bunch of different nasty things. ############ # That I do not want to see in the log 
@@ -1592,7 +1625,7 @@ block in log first quick on dc0 all <para><acronym>NAT</acronym> 规则的写法与下面的例子类似:</para> - <programlisting>map <replaceable>IF</replaceable> <replaceable>LAN_IP_RANGE</replaceable> -> <replaceable>PUBLIC_ADDRESS</replaceable></programlisting> + <programlisting>map <replaceable>IF</replaceable> <replaceable>LAN_IP_RANGE</replaceable> -> <replaceable>PUBLIC_ADDRESS</replaceable></programlisting> <para>关键词 <literal>map</literal> 出现在规则的最前面。</para> @@ -1666,7 +1699,7 @@ block in log first quick on dc0 all <para>普通的 NAT 规则类似于:</para> - <programlisting>map dc0 192.168.1.0/24 -> 0/32</programlisting> + <programlisting>map dc0 192.168.1.0/24 -> 0/32</programlisting> <para>上面的规则中, 包的源端口在包通过 IP<acronym>NAT</acronym> 时时不会发生变化的。 通过使用 portmap 关键字, 您可以要求 @@ -1674,13 +1707,13 @@ block in log first quick on dc0 all 比如说, 下面的规则将让 IP<acronym>NAT</acronym> 把源端口改为指定范围内的端口:</para> - <programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000</programlisting> + <programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000</programlisting> <para>使用 <literal>auto</literal> 关键字可以让配置变得更简单一些, 它会要求 IP<acronym>NAT</acronym> 自动地检测可用的端口并使用:</para> - <programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto</programlisting> + <programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto</programlisting> </sect3> <sect3> 
@@ -1690,17 +1723,17 @@ block in log first quick on dc0 all 此时 LAN 的地址会多到没办法使用一个公网地址表达的程度。 这时, 类似下面的规则需要进行修改:</para> - <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.1</programlisting> + <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.1</programlisting> <para>目前的这个规则, 将所有的链接都通过 <hostid role="ipaddr">204.134.75.1</hostid> 来映射。 可以把它改为一个范围:</para> - <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.1-10</programlisting> + <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.1-10</programlisting> <para>或者使用 CIDR 记法指定的一组地址:</para> - <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting> + <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting> </sect3> </sect2> @@ -1717,17 +1750,17 @@ block in log first quick on dc0 all role="ipaddr">10.0.10.25</hostid>, 而您的唯一的公网 IP 地址是 <hostid role="ipaddr">20.20.20.5</hostid>, 则可以编写这样的规则:</para> - <programlisting>rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80</programlisting> + <programlisting>rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80</programlisting> <para>或者:</para> - <programlisting>rdr dc0 0/32 port 80 -> 10.0.10.25 port 80</programlisting> + <programlisting>rdr dc0 0/32 port 80 -> 10.0.10.25 port 80</programlisting> <para>另外, 也可以让 LAN 地址 <hostid role="ipaddr">10.0.10.33</hostid> 上运行的 LAN DNS 服务器来处理公网上的 DNS 请求:</para> - <programlisting>rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp</programlisting> + <programlisting>rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp</programlisting> </sect2> <sect2> 
@@ -1759,15 +1792,15 @@ block in log first quick on dc0 all <para>下面的规则可以处理来自内网的 FTP 访问:</para> - <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting> + <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting> <para>这个规则能够处理来自网关的 FTP 访问:</para> - <programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting> + <programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting> <para>这个则处理所有来自内网的非 FTP 网络流量:</para> - <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting> + <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting> <para>FTP map 规则应该在普通的 map 规则之前出现。 所有的包会从最上面的第一个规则开始进行检查。 @@ -1793,7 +1826,7 @@ block in log first quick on dc0 all pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state # Allow out passive mode data channel high order port numbers -pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state +pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state # Active mode let data channel in from FTP server pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</programlisting> @@ -2550,7 +2583,7 @@ pif="dc0" # public interface name of NIC # This rule is not needed for .user ppp. connection to the public Internet. # so you can delete this whole group. # Use the following rule and check log for IP address. -# Then put IP address in commented out rule & delete first rule +# Then put IP address in commented out rule & delete first rule $cmd 00120 allow log udp from any to any 67 out via $pif keep-state #$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state 
@@ -2560,11 +2593,11 @@ pif="dc0" # public interface name of NIC # Allow out secure www function https over TLS SSL $cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state -# Allow out send & get email function +# Allow out send & get email function $cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state -# Allow out FBSD (make install & CVSUP) functions +# Allow out FBSD (make install & CVSUP) functions # Basically give user root "GOD" privileges. $cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root @@ -2603,7 +2636,7 @@ pif="dc0" # public interface name of NIC $cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect -$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast +$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Deny public pings $cmd 00310 deny icmp from any to any in via $pif @@ -2641,12 +2674,12 @@ pif="dc0" # public interface name of NIC $cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Allow in non-secure Telnet session from public Internet -# labeled non-secure because ID & PW are passed over public +# labeled non-secure because ID & PW are passed over public # Internet as clear text. # Delete this sample group if you do not have telnet server enabled. $cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2 -# Reject & Log all incoming connections from the outside +# Reject & Log all incoming connections from the outside $cmd 00499 deny log all from any to any in via $pif # Everything else is denied by default 
@@ -2773,7 +2806,7 @@ ipfw -q -f flush $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster -$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast +$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Authorized inbound packets $cmd 400 allow udp from xx.70.207.54 to any 68 in $ks @@ -2850,11 +2883,11 @@ pif="rl0" # public interface name of NIC # Allow out secure www function https over TLS SSL $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state -# Allow out send & get email function +# Allow out send & get email function $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state -# Allow out FreeBSD (make install & CVSUP) functions +# Allow out FreeBSD (make install & CVSUP) functions # Basically give user root "GOD" privileges. $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root @@ -2892,7 +2925,7 @@ pif="rl0" # public interface name of NIC $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster -$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast +$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Deny ident $cmd 315 deny tcp from any to any 113 in via $pif 
@@ -2927,15 +2960,15 @@ pif="rl0" # public interface name of NIC $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Allow in non-secure Telnet session from public Internet -# labeled non-secure because ID & PW are passed over public +# labeled non-secure because ID & PW are passed over public # Internet as clear text. # Delete this sample group if you do not have telnet server enabled. $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2 -# Reject & Log all unauthorized incoming connections from the public Internet +# Reject & Log all unauthorized incoming connections from the public Internet $cmd 400 deny log all from any to any in via $pif -# Reject & Log all unauthorized out going connections to the public Internet +# Reject & Log all unauthorized out going connections to the public Internet $cmd 450 deny log all from any to any out via $pif # This is skipto location for outbound stateful rules |
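Review bot: typo in the paragraph added after the `</note>` in hunk `@@ -258,11 +249,25 @@`: "一旦加载了这个内河模块" should read "内核模块" (kernel module). In the same hunk, the rewritten note now separates the condition from its consequence with two parentheticals ("... 或 <literal>NO_INET6</literal> (对更新一些的版本) (例如在 &man.make.conf.5; 中定义) 它还需要 ..."); "否则它还需要 <literal>options INET6</literal>" would make the "unless ... otherwise" structure explicit.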
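Review bot: typo in the new 建立过滤规则 section of hunk `@@ -383,6 +388,33 @@`: "已经提供了一格默认的" should be "一个默认的". The new warning maps &os; 5.X to OpenBSD 3.5 and 6.X to OpenBSD 3.7, but the warning removed in hunk `@@ -239,15 +239,6 @@` also stated that the Ports Collection version corresponds to OpenBSD 3.4; if that still applies, carry the sentence over so the port users are not left without a version reference.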
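Review bot: in hunk `@@ -775,7 +808,7 @@` the removed and added lines render identically ("一个 ->" on both), and the same holds for every later hunk of this patch (the `# Then put IP address in commented out rule & delete first rule` and `# Allow out send & get email function` comments, the `map ... -> ...` and `rdr ... -> ...` programlistings, the `port > 1024` rule, the `#Class D & E multicast` lines). The real change is presumably entity escaping of `&` and `->` (`&amp;`, `&gt;`) that this rendered view decodes, so it cannot be reviewed here; check the raw diff and run the SGML validation to confirm the escaping is applied consistently to every programlisting, including the ones this patch does not touch.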