Configuring the PF firewall on FreeBSD to protect your server
Once FreeBSD is installed and configured, the next step is a firewall to protect the server. The recommendation here is PF.
PF comes from the OpenBSD project, and thanks are due to the OpenBSD developers: I have never run OpenBSD itself, but I use OpenSSH every day, and now PF as well.
Step 1: edit the pf rules file, /etc/pf.conf (vim /etc/pf.conf). The macro my_int names the external interface; "em0" is the interface on the author's machine, so substitute the name that ifconfig shows on yours, otherwise none of the pass rules will match:

# Macros
my_int = "em0"

# Let's just trust localhost
set skip on lo

# By default, we will block everyone and everything coming in
block in log all

# accept ssh sessions
pass in on $my_int proto tcp from any to any port 22 keep state

# accept http sessions
pass in on $my_int proto tcp from any to any port 80 keep state

# accept icmp sessions
pass in quick on $my_int proto icmp all keep state

# Outgoing traffic is OK, here we keep state so returning packets
# are accepted too.
pass out log proto { tcp, udp, icmp } all keep state

Step 2: edit /etc/rc.conf (vim /etc/rc.conf) and add:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
Step 3: start pf

service pf restart

FreeBSD normally has the pf.ko module loaded already, but not pflog.ko; load it manually with kldload pflog.ko (with pflog_enable="YES" in rc.conf, service pflog start does the same). Two checks are worth doing before enabling pf on a box you administer over SSH: run pfctl -nf /etc/pf.conf first, which parses the ruleset without loading it and reports syntax errors, and make sure the port 22 pass rule refers to the interface you are actually connected through, because with block in log all as the default any mistake there locks you out. For later rule changes, pfctl -f /etc/pf.conf reloads the ruleset without disturbing the state table, so existing connections survive.
Once everything checks out, reboot the system (reboot) to confirm that pf and pflog come up from rc.conf at boot.
Some commonly used commands for viewing the rules, the state table (current connections) and so on:

# pfctl -sr    Show the current ruleset
# pfctl -ss    Show the current state table
# pfctl -si    Show filter stats and counters
# pfctl -sa    Show EVERYTHING it can show
The pf log can be read in two ways. pflog writes packets in pcap format, so tcpdump decodes it:

Read the entries in the log file:
# tcpdump -n -e -ttt -r /var/log/pf.log

Watch the log in real time:
# tcpdump -n -e -ttt -i pflog0
The above is only a basic configuration. In a real deployment we also want to limit connections per source to reduce the damage a flood can do. In the ruleset below, max-src-conn 128 caps the simultaneous connections one source may hold on the rule, and max-src-conn-rate 256/2 caps it at 256 new connections in any 2-second window. A source that exceeds either is added to the <abusive_hosts> table, and flush kills the states it already has on that rule (flush global would kill all of its states); the quick block rule placed ahead of the pass rules then drops everything from it. Because the table is declared persist, entries stay until you remove them: inspect it with pfctl -t abusive_hosts -T show, remove an address with pfctl -t abusive_hosts -T delete <addr>, or age entries out periodically from cron with pfctl -t abusive_hosts -T expire 3600. Note what this does and does not buy you: it stops a single host from opening many connections, but a genuinely distributed attack in which each source stays under the limits is not caught by it.

my_int = "em0"

# Let's just trust localhost
set skip on lo

# By default, we will block everyone and everything coming in
block in log all

# accept ssh sessions
pass in on $my_int proto tcp from any to any port 22 keep state

# accept http sessions, but put sources that open too many connections
# into <abusive_hosts> and block them outright
table <abusive_hosts> persist
block in log quick from <abusive_hosts>
pass in on $my_int proto tcp to any \
    port 80 keep state \
    (max-src-conn 128, max-src-conn-rate 256/2, overload <abusive_hosts> flush)
pass in on $my_int proto tcp to any \
    port 443 keep state \
    (max-src-conn 128, max-src-conn-rate 256/2, overload <abusive_hosts> flush)

# accept icmp sessions
pass in quick on $my_int proto icmp from any to any keep state

# Outgoing traffic is OK, here we keep state so returning packets
# are accepted too.
pass out log proto { tcp, udp, icmp } all keep state
References:
http://www.openbsd.org/faq/pf/filter.html
http://www.freebsd.org/doc/handbook/firewalls-pf.html
http://www.openbsd.org/faq/pf/index.html
http://tech.mansurovs.com/simple-freebsd-pf-firewall/
http://pf4freebsd.love2party.net/
Category: Default. Published: 2013.