From b99e83b0a7c48690c2e6b7699bbd549e9a2c8da1 Mon Sep 17 00:00:00 2001 From: Xin LI Date: Wed, 15 Mar 2006 19:38:56 +0000 Subject: Mass synchnorization to the English revisions: Makefile 1.95 -> 1.97 book.sgml 1.162 -> 1.164 chapters.ent 1.32 -> 1.33 advanced-networking/chapter.sgml 1.367 -> 1.380 audit/chapter.sgml 1.5 -> 1.13 basics/chapter.sgml 1.137 -> 1.143 [1] boot/chapter.sgml 1.59 -> 1.64 config/chapter.sgml 1.212 -> 1.216 [2] cutting-edge/chapter.sgml 1.217 -> 1.222 [3] [4] [5] desktop/chapter.sgml 1.56 -> 1.64 disks/chapter.sgml 1.241 -> 1.251 eresources/chapter.sgml 1.174 -> 1.175 firewalls/chapter.sgml 1.62 -> 1.66 geom/chapter.sgml 1.7 -> 1.22 install/chapter.sgml 1.329 -> 1.331 [6] [7] [8] [1] introduction/chapter.sgml 1.110 -> 1.111 kernelconfig/chapter.sgml 1.158 -> 1.163 [1] l10n/chapter.sgml 1.111 -> 1.118 linuxemu/chapter.sgml 1.124 -> 1.129 mac/chapter.sgml 1.47 -> 1.49 mail/chapter.sgml 1.129 -> 1.133 mirrors/Makefile (add proper original revision) mirrors/chapter.sgml 1.386 -> 1.411 multimedia/chapter.sgml 1.110 -> 1.115 network-servers/chapter.sgml 1.69 -> 1.78 [9] [10] pgpkeys/chapter.sgml 1.270 -> 1.286 ports/chapter.sgml 1.243 -> 1.253 [8] ppp-and-slip/Makefile (correct original revision) ppp-and-slip/chapter.sgml 1.170 -> 1.172 preface/preface.sgml 1.29 -> 1.30 printing/chapter.sgml 1.93 -> 1.95 security/chapter.sgml 1.281 -> 1.292 serialcomms/chapter.sgml 1.100 -> 1.112 users/chapter.sgml 1.52 -> 1.54 x11/chapter.sgml 1.166 -> 1.169 [8] Obtained from: The FreeBSD Simplified Chinese Project Merging work done by: delphij, intron with language suggestions from: alakee [1], Qiang LI [2], liushk@gmail.com [3], Ye ZHANG [4], zhaoyongjie [5], sharkwang at gmail.com [6], Heng DUANMU [7], [8], mengkezhi [9], [10] --- zh_CN.GB2312/books/handbook/firewalls/chapter.sgml | 125 +++++++++++++-------- 1 file changed, 79 insertions(+), 46 deletions(-) (limited to 'zh_CN.GB2312/books/handbook/firewalls') 
diff --git a/zh_CN.GB2312/books/handbook/firewalls/chapter.sgml b/zh_CN.GB2312/books/handbook/firewalls/chapter.sgml
index 57e2b0482f..410748db31 100644
--- a/zh_CN.GB2312/books/handbook/firewalls/chapter.sgml
+++ b/zh_CN.GB2312/books/handbook/firewalls/chapter.sgml
@@ -2,7 +2,7 @@ The FreeBSD Documentation Project The FreeBSD Simplified Chinese Project - Original Revision: 1.62 + Original Revision: 1.66 $FreeBSD$ -->
@@ -239,15 +239,6 @@ 更多的详细信息, 可以在 &os; 版本的 PF 网站上找到: - OpenBSD PF 用户指南可以在这里找到: - - - 在 &os; 5.X 上的 PF 相当于 OpenBSD 3.5 版本。 以 - port 形式出现在 &os; Ports Collection 的版本相当于 OpenBSD - 的 3.4 版。 在阅读用户指南时, 请注意这样的区别。 - - 启用 PF
@@ -258,11 +249,25 @@ 这个模块假定 options - INETdevice bpf 是存在的。 除非编译时指定了 - NOINET6 (例如在 &man.make.conf.5; 中) - 则还需要 options - INET6 + INET 和 device bpf 是存在的。 + 除非编译时指定了 + NOINET6 (对 &os; 6.0-RELEASE 之前的版本) 或 + NO_INET6 (对更新一些的版本) (例如在 + &man.make.conf.5; 中定义) 它还需要 options INET6 + + 一旦加载了这个内河模块, 或者将 PF 支持静态联编进内核, 就可以随时通过 pfctl 来启用或禁用 + pf 了。 + + 下面的例子展示了如何启用 + pf + + &prompt.root; pfctl -e + + pfctl 命令提供了一种与 + pf 防火墙交互的方法。 要了解进一步的信息, + 参考 &man.pfctl.8; 联机手册是一个不错的办法。
@@ -383,6 +388,33 @@ options ALTQ_NOPCC # Required for SMP build 如果是 SMP 系统, 则必须使用它。 + + + 建立过滤规则 + + Packet Filter 会从 + &man.pf.conf.5; 文件中读取配置规则, 并根据那里的规则修改、 + 丢弃或让数据包通过。 默认安装的 &os; + 已经提供了一格默认的、 包含一些有用例子和注释的 + /etc/pf.conf + + 尽管 &os; 提供了自己的 /etc/pf.conf, + 但这个文件和 OpenBSD 中的语法是一样的。 OpenBSD + 开发团队提供了一个非常好的配置 pf + 资源, 它可以在 + 找到。 + + + 在浏览 pf 用户手册时, 请时刻注意, + 在 &os; 中所包含的 pf 的版本和 OpenBSD 中是不一样的。 在 &os; 5.X 中 + pf 相当于 OpenBSD 3.5 中的版本, + 而 &os; 6.X 中则相当于 OpenBSD 3.7。 + + + 关于 pf 的配置和使用问题, + 可以在 &a.pf; 提出。 当然, 在提出问题之前, + 别忘了查阅邮件列表的存档。 +
@@ -534,6 +566,7 @@ ipmon_flags="-Ds" # D = # s = 使用 syslog 记录 # v = 记录 tcp 窗口大小、 ack 和顺序号(seq) # n = 将 IP 和端口映射为名字 + 如果您的 LAN 在防火墙后面, 并且使用了保留的私有 IP 地址范围, 那就需要增加下面的一些选项来启用 NAT 功能:
@@ -775,7 +808,7 @@ LOG_ERR - 地址。 这实际上包括三部分: - 源地址和端口 (以逗号分开), 一个 -> + 源地址和端口 (以逗号分开), 一个 -> 符号, 以及目的地址和端口。 209.53.17.22,80 -> 198.73.220.17,1722.
@@ -1316,7 +1349,7 @@ pass out quick on dc0 proto udp from any to xxx port = 53 keep state # This rule is not needed for 'user ppp' type connection to the # public Internet, so you can delete this whole group. # Use the following rule and check log for IP address. -# Then put IP address in commented out rule & delete first rule +# Then put IP address in commented out rule & delete first rule pass out log quick on dc0 proto udp from any to any port = 67 keep state #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state
@@ -1327,7 +1360,7 @@ pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state # Allow out secure www function https over TLS SSL pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state -# Allow out send & get email function +# Allow out send & get email function pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
@@ -1337,7 +1370,7 @@ pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state # Allow out nntp news pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state -# Allow out gateway & LAN users non-secure FTP ( both passive & active modes) +# Allow out gateway & LAN users non-secure FTP ( both passive & active modes) # This function uses the IPNAT built in FTP proxy function coded in # the nat rules file to make this single rule function correctly. # If you want to use the pkg_add command to install application packages
@@ -1380,7 +1413,7 @@ block in quick on dc0 from 0.0.0.0/8 to any #loopback block in quick on dc0 from 169.254.0.0/16 to any #DHCP auto-config block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect -block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast +block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast ##### Block a bunch of different nasty things. ############ # That I do not want to see in the log
@@ -1592,7 +1625,7 @@ block in log first quick on dc0 all NAT 规则的写法与下面的例子类似: - map IF LAN_IP_RANGE -> PUBLIC_ADDRESS + map IF LAN_IP_RANGE -> PUBLIC_ADDRESS 关键词 map 出现在规则的最前面。
@@ -1666,7 +1699,7 @@ block in log first quick on dc0 all 普通的 NAT 规则类似于: - map dc0 192.168.1.0/24 -> 0/32 + map dc0 192.168.1.0/24 -> 0/32 上面的规则中, 包的源端口在包通过 IPNAT 时时不会发生变化的。 通过使用 portmap 关键字, 您可以要求
@@ -1674,13 +1707,13 @@ block in log first quick on dc0 all 比如说, 下面的规则将让 IPNAT 把源端口改为指定范围内的端口: - map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000 + map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000 使用 auto 关键字可以让配置变得更简单一些, 它会要求 IPNAT 自动地检测可用的端口并使用: - map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto + map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
@@ -1690,17 +1723,17 @@ block in log first quick on dc0 all 此时 LAN 的地址会多到没办法使用一个公网地址表达的程度。 这时, 类似下面的规则需要进行修改: - map dc0 192.168.1.0/24 -> 204.134.75.1 + map dc0 192.168.1.0/24 -> 204.134.75.1 目前的这个规则, 将所有的链接都通过 204.134.75.1 来映射。 可以把它改为一个范围: - map dc0 192.168.1.0/24 -> 204.134.75.1-10 + map dc0 192.168.1.0/24 -> 204.134.75.1-10 或者使用 CIDR 记法指定的一组地址: - map dc0 192.168.1.0/24 -> 204.134.75.0/24 + map dc0 192.168.1.0/24 -> 204.134.75.0/24
@@ -1717,17 +1750,17 @@ block in log first quick on dc0 all role="ipaddr">10.0.10.25, 而您的唯一的公网 IP 地址是 20.20.20.5, 则可以编写这样的规则: - rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80 + rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80 或者: - rdr dc0 0/32 port 80 -> 10.0.10.25 port 80 + rdr dc0 0/32 port 80 -> 10.0.10.25 port 80 另外, 也可以让 LAN 地址 10.0.10.33 上运行的 LAN DNS 服务器来处理公网上的 DNS 请求: - rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp + rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp
@@ -1759,15 +1792,15 @@ block in log first quick on dc0 all 下面的规则可以处理来自内网的 FTP 访问: - map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp + map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp 这个规则能够处理来自网关的 FTP 访问: - map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp + map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp 这个则处理所有来自内网的非 FTP 网络流量: - map dc0 10.0.10.0/29 -> 0/32 + map dc0 10.0.10.0/29 -> 0/32 FTP map 规则应该在普通的 map 规则之前出现。 所有的包会从最上面的第一个规则开始进行检查。
@@ -1793,7 +1826,7 @@ block in log first quick on dc0 all pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state # Allow out passive mode data channel high order port numbers -pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state +pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state # Active mode let data channel in from FTP server pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state
@@ -2550,7 +2583,7 @@ pif="dc0" # public interface name of NIC # This rule is not needed for .user ppp. connection to the public Internet. # so you can delete this whole group. # Use the following rule and check log for IP address. -# Then put IP address in commented out rule & delete first rule +# Then put IP address in commented out rule & delete first rule $cmd 00120 allow log udp from any to any 67 out via $pif keep-state #$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state
@@ -2560,11 +2593,11 @@ pif="dc0" # public interface name of NIC # Allow out secure www function https over TLS SSL $cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state -# Allow out send & get email function +# Allow out send & get email function $cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state -# Allow out FBSD (make install & CVSUP) functions +# Allow out FBSD (make install & CVSUP) functions # Basically give user root "GOD" privileges. $cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root
@@ -2603,7 +2636,7 @@ pif="dc0" # public interface name of NIC $cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect -$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast +$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Deny public pings $cmd 00310 deny icmp from any to any in via $pif
@@ -2641,12 +2674,12 @@ pif="dc0" # public interface name of NIC $cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Allow in non-secure Telnet session from public Internet -# labeled non-secure because ID & PW are passed over public +# labeled non-secure because ID & PW are passed over public # Internet as clear text. # Delete this sample group if you do not have telnet server enabled. $cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2 -# Reject & Log all incoming connections from the outside +# Reject & Log all incoming connections from the outside $cmd 00499 deny log all from any to any in via $pif # Everything else is denied by default
@@ -2773,7 +2806,7 @@ ipfw -q -f flush $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster -$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast +$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Authorized inbound packets $cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
@@ -2850,11 +2883,11 @@ pif="rl0" # public interface name of NIC # Allow out secure www function https over TLS SSL $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state -# Allow out send & get email function +# Allow out send & get email function $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state -# Allow out FreeBSD (make install & CVSUP) functions +# Allow out FreeBSD (make install & CVSUP) functions # Basically give user root "GOD" privileges. $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
@@ -2892,7 +2925,7 @@ pif="rl0" # public interface name of NIC $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster -$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast +$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Deny ident $cmd 315 deny tcp from any to any 113 in via $pif
@@ -2927,15 +2960,15 @@ pif="rl0" # public interface name of NIC $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Allow in non-secure Telnet session from public Internet -# labeled non-secure because ID & PW are passed over public +# labeled non-secure because ID & PW are passed over public # Internet as clear text. # Delete this sample group if you do not have telnet server enabled. $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2 -# Reject & Log all unauthorized incoming connections from the public Internet +# Reject & Log all unauthorized incoming connections from the public Internet $cmd 400 deny log all from any to any in via $pif -# Reject & Log all unauthorized out going connections to the public Internet +# Reject & Log all unauthorized out going connections to the public Internet $cmd 450 deny log all from any to any out via $pif # This is skipto location for outbound stateful rules -- cgit v1.2.3