FreeBSD > IPFW

Найбільш вдалий набір правил, який мені доводилось використовувати для захисту сервера.

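############# Stateful firewall #####################
# ipfw ruleset: stateful filtering plus natd NAT on the public interface.
# Must run as root; expects natd to be listening on the default divert port.
# Rule numbers are kept as-is so the check-state / skipto layout is readable.
#
# Fix vs. the pasted original: the assignments below used typographic
# quotes (” / ″), which the shell treats as literal characters, so $wan,
# $lan, $ext_ip and $cmd all carried stray quote characters and every
# ipfw command would have failed to parse.
wan="rl0"                 # public interface facing the Internet
lan="rl1"                 # local network interface
ext_ip="xxx.xxx.xxx.xxx"  # main external IP (placeholder: set this before use)

cmd="ipfw -q add"         # Set rules command prefix
# $cmd is deliberately expanded unquoted below so it splits into
# "ipfw" "-q" "add" (word splitting is the intent here, not a bug).

# Flush out the list before starting.
# On a remote session this momentarily drops every rule; rules 100 and
# 320 below re-admit the SSH session immediately after the flush.
ipfw -q -f flush

# Traffic counters (no filtering effect; visible via `ipfw show`)
$cmd 1 count all from any to any in via $wan
$cmd 2 count all from any to any out via $wan

# No restrictions on Inside LAN Interface for private network
$cmd 020 allow all from any to any via $lan

# No restrictions on Loopback Interface
$cmd 030 allow all from any to any via lo0

# check if packet is inbound and nat address if it is
$cmd 060 divert natd ip from any to any in via $wan

# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd 070 check-state

#####################################################
# Interface facing Public Internet (Outbound Section)
#####################################################

# Allow out ssh response from here
# It prevents terminal session disconnecting after ipfw flushing
# (static rule, no keep-state, so it does not depend on the dynamic table).
$cmd 100 allow tcp from me 22 to any out via $wan

# Allow out FreeBSD all network functions
$cmd 140 skipto 900 tcp from me to any out via $wan setup keep-state
$cmd 145 skipto 900 udp from me to any out via $wan keep-state

# Allow out ping
$cmd 150 skipto 900 icmp from any to any out via $wan keep-state

# Allow out full access from LAN to all net services.
# NOTE: the original comment said "except WEB", but no port is excluded
# by these two rules; add a deny before them if outbound WEB must be blocked.
$cmd 160 skipto 900 tcp from any to any out via $wan setup keep-state
$cmd 165 skipto 900 udp from any to any out via $wan keep-state

####################################################
# Interface facing Public Internet (Inbound Section)
####################################################

# Deny all inbound traffic from non-routable reserved address spaces
# (bogon filtering: these sources can only be spoofed on a public interface)
$cmd 300 deny all from 192.168.0.0/16 to any in via $wan #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $wan #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $wan #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $wan #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $wan #"this" network (RFC 1122), never a valid source
$cmd 305 deny all from 169.254.0.0/16 to any in via $wan #DHCP auto-config (link-local)
$cmd 306 deny all from 192.0.2.0/24 to any in via $wan #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $wan #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $wan #Class D & E multicast

# Deny any late arriving packets (IP fragments are never accepted inbound)
$cmd 310 deny log all from any to any frag in via $wan

# Allow in SSH from public Internet (static rule)
# Stateless on purpose so the admin session survives a flush/reload;
# consequence: port 22 is reachable from any source address.
$cmd 320 allow tcp from any to $ext_ip 22 in via $wan

# Deny ACK packets that did not match the dynamic rule table
$cmd 350 deny log tcp from any to any established in via $wan

# Allow in ping (all ICMP types to this host; narrow with icmptypes if needed)
$cmd 360 allow icmp from any to me in via $wan keep-state

# Allow in WEB
$cmd 370 allow tcp from any to $ext_ip 80 in via $wan setup keep-state

# Allow in MAIL
$cmd 380 allow tcp from any to $ext_ip 25 in via $wan setup keep-state
$cmd 381 allow tcp from any to $ext_ip 110 in via $wan setup keep-state

# Allow in DNS
$cmd 390 allow tcp from any to $ext_ip 53 in via $wan setup keep-state
$cmd 391 allow udp from any to $ext_ip 53 in via $wan keep-state

# Allow in FTP (active mode)
$cmd 400 allow tcp from any to $ext_ip 20-21 in via $wan setup keep-state

# Allow in FTP (passive mode for IANA registered ephemeral port range)
#$cmd 405 allow tcp from any to $ext_ip 49152-65534 in via $wan setup keep-state

# Allow in traceroute
$cmd 410 allow udp from any to me 33434-33523 in via $wan keep-state

#####################################################
# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 800 deny log all from any to any in via $wan

# Reject & Log all unauthorized out going connections to the public Internet
$cmd 850 deny log all from any to any out via $wan

# This is skipto location for outbound stateful rules.
# After NAT the packet falls through to the kernel default rule 65535,
# which this ruleset assumes is "allow" (see footer); on a
# default-to-deny kernel all outbound traffic would be dropped here.
$cmd 900 divert natd ip from any to any out via $wan

#####################################################
# EVERYTHING ELSE IS ACCEPT BY DEFAULT
#####################################################
printf '%s\n' "IPFW rules has been loaded."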
