Configuring the PF Firewall on FreeBSD to Protect Your Server

After FreeBSD has been installed and configured, we need to set up a firewall to protect the server. Here we warmly recommend the PF firewall.

PF is a project of OpenBSD, so our thanks go to the OpenBSD development team: we have never run OpenBSD itself, but OpenSSH is in use every day, and now PF is too.

Step 1: edit the PF rules file: vim /etc/pf.conf


# Macros
my_int = "em0"

# Let's just trust localhost
set skip on lo

# By default, we will block everyone and everything coming in
block in log all

# accept ssh sessions
pass in on $my_int proto tcp from any to any port 22 keep state

# accept http sessions
pass in on $my_int proto tcp from any to any port 80 keep state

# accept icmp sessions
pass in quick on $my_int proto icmp all keep state

# Outgoing traffic is OK, here we keep state so returning packets
# are accepted too.
pass out log proto { tcp, udp, icmp } all keep state
Step 2: edit rc.conf (vim /etc/rc.conf) and add:



pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"


Step 3: start pf


service pf restart
FreeBSD usually has the pf.ko module loaded already, but not pflog.ko; we can load it manually:

kldload pflog.ko


Of course, once we have confirmed that everything works, we can reboot the system by running reboot.

Below are some commonly used commands for viewing the PF ruleset, the current connections, and so on.


# pfctl -sr                 Show the current ruleset
# pfctl -ss                 Show the current state table
# pfctl -si                 Show filter stats and counters
# pfctl -sa                 Show EVERYTHING it can show

The PF log file can be viewed in two ways:


Read the entries recorded in the log file:
# tcpdump -n -e -ttt -r /var/log/pf.log

Watch the log in real time:
# tcpdump -n -e -ttt -i pflog0
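The tcpdump commands above print one line per logged packet, which is hard to read on a busy server. As an added example (not part of the original post), the following Python script summarizes that output: blocked packets per source address and per destination port, plus the sources that cross a review threshold. The sample lines are constructed in the shape of tcpdump's pflog output, only IPv4 addresses are assumed, and the threshold of 3 is an arbitrary choice.

```python
"""Summarize blocked packets from PF's log as printed by
`tcpdump -n -e -ttt -r /var/log/pf.log`. Added example; the sample
lines below are constructed and IPv4 addresses are assumed."""
import re
import sys
from collections import Counter

# The pf header that tcpdump prints with -e, followed by the "src > dst:" pair.
# Whatever -ttt prints before "rule" (a time delta) is skipped by using search().
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)


def split_hostport(endpoint):
    """tcpdump appends the port with a dot: '203.0.113.7.51234' -> ('203.0.113.7', 51234).
    ICMP lines carry no port: '203.0.113.9' -> ('203.0.113.9', None)."""
    host, sep, port = endpoint.rpartition(".")
    if sep and port.isdigit() and (host.count(".") == 3 or ":" in host):
        return host, int(port)
    return endpoint, None


def parse_pflog_line(line):
    """Return a dict for one pflog line, or None for lines that are not pflog records."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    src, sport = split_hostport(m.group("src"))
    dst, dport = split_hostport(m.group("dst"))
    return {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "direction": m.group("direction"),
        "iface": m.group("iface"),
        "src": src, "sport": sport,
        "dst": dst, "dport": dport,
    }


def summarize_blocks(lines, threshold=3):
    """Count blocked packets per source address and per destination port.
    Sources with at least `threshold` blocked packets are returned separately;
    that is the list an operator would review (the threshold is arbitrary)."""
    per_source = Counter()
    per_port = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        per_source[rec["src"]] += 1
        if rec["dport"] is not None:
            per_port[rec["dport"]] += 1
    noisy = sorted(s for s, n in per_source.items() if n >= threshold)
    return per_source, per_port, noisy


# Constructed sample in the shape of `tcpdump -n -e -ttt` output on pflog0.
SAMPLE_LOG = """\
 00:00:00.000000 rule 0/0(match): block in on em0: 203.0.113.7.51234 > 192.0.2.10.23: Flags [S], seq 1, win 65535, length 0
 00:00:00.210000 rule 0/0(match): block in on em0: 203.0.113.7.51235 > 192.0.2.10.3389: Flags [S], seq 2, win 65535, length 0
 00:00:01.000000 rule 0/0(match): block in on em0: 203.0.113.7.51236 > 192.0.2.10.445: Flags [S], seq 3, win 65535, length 0
 00:00:00.500000 rule 0/0(match): block in on em0: 198.51.100.4.40000 > 192.0.2.10.23: Flags [S], seq 4, win 65535, length 0
 00:00:00.300000 rule 0/0(match): block in on em0: 203.0.113.9 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
 00:00:00.100000 rule 4/0(match): pass out on em0: 192.0.2.10.55000 > 198.51.100.4.80: Flags [S], seq 5, win 65535, length 0
"""


def report(lines):
    per_source, per_port, noisy = summarize_blocks(lines)
    print("blocked packets by source:")
    for src, n in per_source.most_common():
        print(f"  {src:<18} {n}")
    print("blocked packets by destination port:")
    for port, n in per_port.most_common():
        print(f"  {port:<18} {n}")
    print("sources at or above threshold:", ", ".join(noisy) or "none")


if __name__ == "__main__":
    # Real use: tcpdump -n -e -ttt -r /var/log/pf.log | python3 pflog_summary.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    report(list(source))
```

Run without input and it reports on the constructed sample; pipe the tcpdump output into it for a real log. Lines that are not pflog records (for example tcpdump's own "reading from file" banner) are ignored rather than crashing the parser.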

The above is only a basic configuration. In a real production environment we also need to limit the number of concurrent connections per source, to reduce the impact of DDoS attacks.


my_int = "em0"

# Let's just trust localhost
set skip on lo

# By default, we will block everyone and everything coming in
block in log all

# accept ssh sessions
pass in on $my_int proto tcp from any to any port 22 keep state

# accept http sessions
table <abusive_hosts> persist
block in log quick from <abusive_hosts>
pass in on $my_int proto tcp to any \
    port 80 keep state \
    (max-src-conn 128, max-src-conn-rate 256/2, overload <abusive_hosts> flush)
pass in on $my_int proto tcp to any \
    port 443 keep state \
    (max-src-conn 128, max-src-conn-rate 256/2, overload <abusive_hosts> flush)

# accept icmp sessions
pass in quick on $my_int proto icmp from any to any keep state

# Outgoing traffic is OK, here we keep state so returning packets
# are accepted too.
pass out log proto { tcp, udp, icmp } all keep state
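To see what the numbers in that ruleset actually mean before they go into /etc/pf.conf, here is an added Python model (not PF's code and not from the original post) of the three options used above: max-src-conn 128 caps the states one source may hold open, max-src-conn-rate 256/2 caps new connections per source to 256 in any 2-second window, and overload <abusive_hosts> flush puts the offending address into the table and kills that rule's existing states from it. The order in which the model checks the table, the rate and the concurrent limit is an assumption, the release() method is a hypothetical stand-in for an operator removing an address from the table, and the traffic patterns are constructed.

```python
"""Toy model of PF's per-source limits from the ruleset above:
max-src-conn 128, max-src-conn-rate 256/2, overload <abusive_hosts> flush.
Added example, not PF's implementation: it reproduces only the counting
so the numbers can be reasoned about before they go into /etc/pf.conf."""
from collections import defaultdict, deque


class SourceLimiter:
    def __init__(self, max_src_conn=128, max_src_conn_rate=(256, 2)):
        self.max_src_conn = max_src_conn
        self.rate_count, self.rate_seconds = max_src_conn_rate
        self.open_states = defaultdict(int)   # live states per source (max-src-conn)
        self.recent = defaultdict(deque)      # start times of recent connections per source
        self.abusive_hosts = set()            # stands in for table <abusive_hosts>

    def new_connection(self, src, now):
        """True if the connection would be passed, False if blocked.
        Assumed order: the quick block on the table first, then the rate
        limit, then the concurrent-state limit."""
        if src in self.abusive_hosts:
            return False                      # block in log quick from <abusive_hosts>
        window = self.recent[src]
        while window and now - window[0] >= self.rate_seconds:
            window.popleft()                  # forget starts outside the 2-second window
        window.append(now)
        self.open_states[src] += 1
        if len(window) > self.rate_count or self.open_states[src] > self.max_src_conn:
            self._overload(src)
            return False
        return True

    def close_connection(self, src):
        if self.open_states[src] > 0:
            self.open_states[src] -= 1

    def _overload(self, src):
        self.abusive_hosts.add(src)           # overload <abusive_hosts>
        self.open_states[src] = 0             # 'flush': this rule's states from src are killed
        self.recent[src].clear()

    def release(self, src):
        """Hypothetical operator action, as `pfctl -t abusive_hosts -T delete <addr>` does."""
        self.abusive_hosts.discard(src)


def simulate(limiter, src, count, duration, hold_open):
    """Open `count` connections from `src` spread evenly over `duration` seconds
    (constructed traffic). Returns (passed, blocked)."""
    passed = blocked = 0
    for i in range(count):
        now = i * duration / count
        if limiter.new_connection(src, now):
            passed += 1
            if not hold_open:
                limiter.close_connection(src)   # short request: its state closes at once
        else:
            blocked += 1
    return passed, blocked


if __name__ == "__main__":
    # Short requests, 300 in one second: the rate limit (256 per 2 s) trips.
    print(simulate(SourceLimiter(), "203.0.113.5", 300, 1.0, hold_open=False))
    # Connections kept open: the concurrent limit (128) trips first.
    print(simulate(SourceLimiter(), "203.0.113.6", 300, 1.0, hold_open=True))
    # A busy but normal client, 50 requests over 10 seconds: nothing trips.
    print(simulate(SourceLimiter(), "198.51.100.9", 50, 10.0, hold_open=False))
```

Two things the model makes visible. First, which limit trips depends on connection lifetime: short HTTP requests hit the rate limit, long-lived ones hit max-src-conn, so the two numbers should be tuned against the real request mix (a NAT gateway in front of many users can trip either). Second, because the ruleset blocks table members with a quick rule that matches all traffic, an address that trips the limit on port 80 also loses port 22; an administrator's own machine can lock itself out this way, and recovery is `pfctl -t abusive_hosts -T delete <addr>` from the console (`pfctl -t abusive_hosts -T show` lists the table). Whatever values are chosen, check the file with `pfctl -nf /etc/pf.conf`, which parses the ruleset without loading it, before restarting pf.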


References:

http://www.openbsd.org/faq/pf/filter.html

http://www.freebsd.org/doc/handbook/firewalls-pf.html

http://www.openbsd.org/faq/pf/index.html

http://tech.mansurovs.com/simple-freebsd-pf-firewall/

http://pf4freebsd.love2party.net/


Category: Default. Tags: (none). Published: 2013.