How to set up the PF firewall on FreeBSD to protect a web server

I am a new FreeBSD user who migrated from Linux, where I used the netfilter firewall framework (LCTT translator's note: netfilter is the Linux 2.4 kernel firewall framework proposed by Rusty Russell). How do I set up the PF firewall on FreeBSD to protect a web server that has only one public IP address and port?


PF is short for packet filter. It was developed for OpenBSD but has been ported to FreeBSD and other operating systems. PF is a stateful packet filtering engine. In this tutorial I will show you how to set up the PF firewall on FreeBSD 10.x and 11.x to protect a web server.

Step 1: Enable the PF firewall

You need to add the following lines to the /etc/rc.conf file:

# echo 'pf_enable="YES"' >> /etc/rc.conf
# echo 'pf_rules="/usr/local/etc/pf.conf"' >> /etc/rc.conf
# echo 'pflog_enable="YES"' >> /etc/rc.conf
# echo 'pflog_logfile="/var/log/pflog"' >> /etc/rc.conf

Where:

  1. pf_enable="YES" - enables the PF service
  2. pf_rules="/usr/local/etc/pf.conf" - reads the PF rules from the file /usr/local/etc/pf.conf
  3. pflog_enable="YES" - turns on logging support for the PF service
  4. pflog_logfile="/var/log/pflog" - the file in which to store the log, i.e. the log is written to /var/log/pflog
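The four echo commands above append to /etc/rc.conf and will produce duplicate assignments if they are run a second time. The following shell example is added here and is not from the original article: it sets each of the four keys idempotently in an rc.conf-style file (replace if present, append otherwise). On FreeBSD the native tool for this is sysrc(8); this portable version mirrors what it does.

```shell
#!/bin/sh
# Idempotently set KEY="VALUE" in an rc.conf-style file.
# Existing assignments are replaced in place; missing ones are appended.
set_rc_var() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        # rewrite through a temp file, then rename so the file is never half-written
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Apply the four settings from Step 1 (file path defaults to /etc/rc.conf)
enable_pf() {
    rc=${1:-/etc/rc.conf}
    set_rc_var "$rc" pf_enable YES
    set_rc_var "$rc" pf_rules /usr/local/etc/pf.conf
    set_rc_var "$rc" pflog_enable YES
    set_rc_var "$rc" pflog_logfile /var/log/pflog
}

# Return the value assigned to KEY in FILE; the last assignment wins, as in rc.conf
get_rc_var() {
    grep "^$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}
```

Run `enable_pf` with no argument on a real system (as root) to edit /etc/rc.conf itself, or pass a path to test it on a copy first.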

Step 2: Create the firewall rules in /usr/local/etc/pf.conf

Type the following command to open the file (as the superuser):

# vi /usr/local/etc/pf.conf

Add the following PF ruleset to the file:

# vim: set ft=pf
# /usr/local/etc/pf.conf
 
## Set the public interface ##
ext_if="vtnet0"
 
## Set the server's public IP address ##
ext_if_ip="172.xxx.yyy.zzz"
 
## Set the IP ranges to be dropped on the public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
          10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
          0.0.0.0/8, 240.0.0.0/4 }"
 
## Set the http (80) / https (443) ports ##
webports = "{http, https}"
 
## Enable the following services ##
int_tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh}"
int_udp_services = "{domain, ntp}"
 
## Skip the loopback interface - skip all PF processing on it ##
set skip on lo
 
## Set the interface for which PF should collect statistics, such as bytes sent/received and packets passed/blocked ##
set loginterface $ext_if
 
## Set the default policy ##
block return in log all
block out all
 
# Protect against attacks based on incorrect handling of IP fragments
scrub in all
 
# Drop all unroutable (martian) addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
 
## Block spoofed packets
antispoof quick for $ext_if
 
# Open the SSH port: the SSH service listens on port 22 only for the VPN IP 139.xx.yy.zz
# For security reasons I do not allow/accept SSH traffic from anywhere else
pass in quick on $ext_if inet proto tcp from 139.xxx.yyy.zzz to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rules instead to open SSH to users from any IP address #
## pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
## pass in inet proto tcp to $ext_if port 22 
 
# Allow Ping-Pong stuff. Be a good sysadmin 
pass inet proto icmp icmp-type echoreq
 
# All access to our Nginx/Apache/Lighttpd Webserver ports 
pass proto tcp from any to $ext_if port $webports
 
# Allow important outbound traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
 
# Add your custom rules below

保存并關(guān)閉文件。歡迎來參考我的規(guī)則集。如果要檢查語法錯(cuò)誤,可以運(yùn)行:

# service pf check

/etc/rc.d/pf check

# pfctl -n -f /usr/local/etc/pf.conf

第三步:開始運(yùn)行 PF 防火墻

命令如下。請(qǐng)小心,如果是基于 SSH 的會(huì)話,你可能會(huì)和服務(wù)器斷開連接。

開啟 PF 防火墻:

# service pf start

停用 PF 防火墻:

# service pf stop

檢查語法錯(cuò)誤:

# service pf check

重啟服務(wù):

# service pf restart

查看 PF 狀態(tài):

# service pf status

示例輸出:

Status: Enabled for 0 days 00:02:18           Debug: Urgent
 
Interface Stats for vtnet0            IPv4             IPv6
  Bytes In                           19463                0
  Bytes Out                          18541                0
  Packets In
    Passed                             244                0
    Blocked                              3                0
  Packets Out
    Passed                             136                0
    Blocked                             12                0
 
State Table                          Total             Rate
  current entries                        1               
  searches                             395            2.9/s
  inserts                                4            0.0/s
  removals                               3            0.0/s
Counters
  match                                 19            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

開啟/關(guān)閉/重啟 pflog 服務(wù)的命令

輸入下面這些命令:

# service pflog start
# service pflog stop
# service pflog restart

第四步:pfctl 命令的簡(jiǎn)單介紹

你需要使用 pfctl 命令來查看 PF 規(guī)則集和參數(shù)配置,包括來自包過濾器packet filter的狀態(tài)信息。讓我們來看一下所有常見命令:

顯示 PF 規(guī)則信息

# pfctl -s rules

示例輸出:

block return in log all
block drop out all
block drop in quick on ! vtnet0 inet from 172.xxx.yyy.zzz/24 to any
block drop in quick inet from 172.xxx.yyy.zzz/24 to any
pass in quick on vtnet0 inet proto tcp from 139.aaa.ccc.ddd to 172.xxx.yyy.zzz/24 port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.aaa.ccc.ddd"
pass inet proto icmp all icmp-type echoreq keep state
pass out quick on vtnet0 proto tcp from any to any port = domain flags S/SA keep state
pass out quick on vtnet0 proto tcp from any to any port = ntp flags S/SA keep state
pass out quick on vtnet0 proto tcp from any to any port = smtp flags S/SA keep state
pass out quick on vtnet0 proto tcp from any to any port = http flags S/SA keep state
pass out quick on vtnet0 proto tcp from any to any port = https flags S/SA keep state
pass out quick on vtnet0 proto tcp from any to any port = ftp flags S/SA keep state
pass out quick on vtnet0 proto tcp from any to any port = ssh flags S/SA keep state
pass out quick on vtnet0 proto udp from any to any port = domain keep state
pass out quick on vtnet0 proto udp from any to any port = ntp keep state

顯示每條規(guī)則的詳細(xì)內(nèi)容

# pfctl -v -s rules

在每條規(guī)則的詳細(xì)輸出中添加規(guī)則編號(hào):

# pfctl -vvsr show

顯示狀態(tài)信息

# pfctl -s state
# pfctl -s state | more
# pfctl -s state | grep 'something'

如何在命令行中禁止 PF 服務(wù)

# pfctl -d

如何在命令行中啟用 PF 服務(wù)

# pfctl -e

如何在命令行中刷新 PF 規(guī)則/NAT/路由表

# pfctl -F all

示例輸出:

rules cleared
nat cleared
0 tables deleted.
2 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset

如何在命令行中僅刷新 PF 規(guī)則

# pfctl -F rules

如何在命令行中僅刷新隊(duì)列

# pfctl -F queue

如何在命令行中刷新統(tǒng)計(jì)信息(它不是任何規(guī)則的一部分)

# pfctl -F info

如何在命令行中清除所有計(jì)數(shù)器

# pfctl -z clear

第五步:查看 PF 日志

PF 日志是二進(jìn)制格式的。使用下面這一命令來查看:

# tcpdump -n -e -ttt -r /var/log/pflog

Sample output:

Aug 29 15:41:11.757829 rule 0/(match) block in on vio0: 86.47.225.151.55806 > 45.FOO.BAR.IP.23: S 757158343:757158343(0) win 52206 [tos 0x28]
Aug 29 15:41:44.193309 rule 0/(match) block in on vio0: 5.196.83.88.25461 > 45.FOO.BAR.IP.26941: S 2224505792:2224505792(0) ack 4252565505 win 17520 (DF) [tos 0x24]
Aug 29 15:41:54.628027 rule 0/(match) block in on vio0: 45.55.13.94.50217 > 45.FOO.BAR.IP.465: S 3941123632:3941123632(0) win 65535
Aug 29 15:42:11.126427 rule 0/(match) block in on vio0: 87.250.224.127.59862 > 45.FOO.BAR.IP.80: S 248176545:248176545(0) win 28200  (DF)
Aug 29 15:43:04.953537 rule 0/(match) block in on vio0: 77.72.82.22.47218 > 45.FOO.BAR.IP.7475: S 1164335542:1164335542(0) win 1024
Aug 29 15:43:05.122156 rule 0/(match) block in on vio0: 77.72.82.22.47218 > 45.FOO.BAR.IP.7475: R 1164335543:1164335543(0) win 1200
Aug 29 15:43:37.302410 rule 0/(match) block in on vio0: 94.130.12.27.18080 > 45.FOO.BAR.IP.64857: S 683904905:683904905(0) ack 4000841729 win 16384 
Aug 29 15:44:46.574863 rule 0/(match) block in on vio0: 77.72.82.22.47218 > 45.FOO.BAR.IP.7677: S 3451987887:3451987887(0) win 1024
Aug 29 15:44:46.819754 rule 0/(match) block in on vio0: 77.72.82.22.47218 > 45.FOO.BAR.IP.7677: R 3451987888:3451987888(0) win 1200
Aug 29 15:45:21.194752 rule 0/(match) block in on vio0: 185.40.4.130.55910 > 45.FOO.BAR.IP.80: S 3106068642:3106068642(0) win 1024
Aug 29 15:45:32.999219 rule 0/(match) block in on vio0: 185.40.4.130.55910 > 45.FOO.BAR.IP.808: S 322591763:322591763(0) win 1024
Aug 29 15:46:30.157884 rule 0/(match) block in on vio0: 77.72.82.22.47218 > 45.FOO.BAR.IP.6511: S 2412580953:2412580953(0) win 1024 [tos 0x28]
Aug 29 15:46:30.252023 rule 0/(match) block in on vio0: 77.72.82.22.47218 > 45.FOO.BAR.IP.6511: R 2412580954:2412580954(0) win 1200 [tos 0x28]
Aug 29 15:49:44.337015 rule 0/(match) block in on vio0: 189.219.226.213.22640 > 45.FOO.BAR.IP.23: S 14807:14807(0) win 14600 [tos 0x28]
Aug 29 15:49:55.161572 rule 0/(match) block in on vio0: 5.196.83.88.25461 > 45.FOO.BAR.IP.40321: S 1297217585:1297217585(0) ack 1051525121 win 17520 (DF) [tos 0x24]
Aug 29 15:49:59.735391 rule 0/(match) block in on vio0: 36.7.147.209.2545 > 45.FOO.BAR.IP.3389: SWE 3577047469:3577047469(0) win 8192  (DF) [tos 0x2 (E)]
Aug 29 15:50:00.703229 rule 0/(match) block in on vio0: 36.7.147.209.2546 > 45.FOO.BAR.IP.3389: SWE 1539382950:1539382950(0) win 8192  (DF) [tos 0x2 (E)]
Aug 29 15:51:33.880334 rule 0/(match) block in on vio0: 45.55.22.21.53510 > 45.FOO.BAR.IP.2362: udp 14
Aug 29 15:51:34.006656 rule 0/(match) block in on vio0: 77.72.82.22.47218 > 45.FOO.BAR.IP.6491: S 151489102:151489102(0) win 1024 [tos 0x28]
Aug 29 15:51:34.274654 rule 0/(match) block in on vio0: 77.72.82.22.47218 > 45.FOO.BAR.IP.6491: R 151489103:151489103(0) win 1200 [tos 0x28]
Aug 29 15:51:36.393019 rule 0/(match) block in on vio0: 60.191.38.78.4249 > 45.FOO.BAR.IP.8000: S 3746478095:3746478095(0) win 29200 (DF)
Aug 29 15:51:57.213051 rule 0/(match) block in on vio0: 24.137.245.138.7343 > 45.FOO.BAR.IP.5358: S 14134:14134(0) win 14600
Aug 29 15:52:37.852219 rule 0/(match) block in on vio0: 122.226.185.125.51128 > 45.FOO.BAR.IP.23: S 1715745381:1715745381(0) win 5840  (DF)
Aug 29 15:53:31.309325 rule 0/(match) block in on vio0: 189.218.148.69.377 > 45.FOO.BAR.IP5358: S 65340:65340(0) win 14600 [tos 0x28]
Aug 29 15:53:31.809570 rule 0/(match) block in on vio0: 13.93.104.140.53184 > 45.FOO.BAR.IP.1433: S 39854048:39854048(0) win 1024
Aug 29 15:53:32.138231 rule 0/(match) block in on vio0: 13.93.104.140.53184 > 45.FOO.BAR.IP.1433: R 39854049:39854049(0) win 1200
Aug 29 15:53:41.459088 rule 0/(match) block in on vio0: 77.72.82.22.47218 > 45.FOO.BAR.IP.6028: S 168338703:168338703(0) win 1024
Aug 29 15:53:41.789732 rule 0/(match) block in on vio0: 77.72.82.22.47218 > 45.FOO.BAR.IP.6028: R 168338704:168338704(0) win 1200
Aug 29 15:54:34.993594 rule 0/(match) block in on vio0: 212.47.234.50.5102 > 45.FOO.BAR.IP.5060: udp 408 (DF) [tos 0x28]
Aug 29 15:54:57.987449 rule 0/(match) block in on vio0: 51.15.69.145.5100 > 45.FOO.BAR.IP.5060: udp 406 (DF) [tos 0x28]
Aug 29 15:55:07.001743 rule 0/(match) block in on vio0: 190.83.174.214.58863 > 45.FOO.BAR.IP.23: S 757158343:757158343(0) win 27420
Aug 29 15:55:51.269549 rule 0/(match) block in on vio0: 142.217.201.69.26112 > 45.FOO.BAR.IP.22: S 757158343:757158343(0) win 22840 
Aug 29 15:58:41.346028 rule 0/(match) block in on vio0: 169.1.29.111.29765 > 45.FOO.BAR.IP.23: S 757158343:757158343(0) win 28509
Aug 29 15:59:11.575927 rule 0/(match) block in on vio0: 187.160.235.162.32427 > 45.FOO.BAR.IP.5358: S 22445:22445(0) win 14600 [tos 0x28]
Aug 29 15:59:37.826598 rule 0/(match) block in on vio0: 94.74.81.97.54656 > 45.FOO.BAR.IP.3128: S 2720157526:2720157526(0) win 1024 [tos 0x28]stateful
Aug 29 15:59:37.991171 rule 0/(match) block in on vio0: 94.74.81.97.54656 > 45.FOO.BAR.IP.3128: R 2720157527:2720157527(0) win 1200 [tos 0x28]
Aug 29 16:01:36.990050 rule 0/(match) block in on vio0: 182.18.8.28.23299 > 45.FOO.BAR.IP.445: S 1510146048:1510146048(0) win 16384

如果要查看實(shí)時(shí)日志,可以運(yùn)行:

# tcpdump -n -e -ttt -i pflog0
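The decoded pflog output above is mostly background scanning of Telnet, RDP, SQL Server and SIP ports. As an added example (not part of the original article), the following shell function summarises such output by destination port, counting hits and distinct source addresses, which is the quick triage a defender wants before deciding whether anything beyond routine noise is happening. The sample_pflog lines are constructed in the same format as the page's output and reuse its 45.FOO.BAR.IP placeholder; the rule number 5 on the pass line is made up.

```shell
#!/bin/sh
# Decoded pflog lines (from: tcpdump -n -e -ttt -r /var/log/pflog) look like
#   Aug 29 15:41:11.757829 rule 0/(match) block in on vio0: SRC.PORT > DST.PORT: S ...
# so $6=block, $7=in, $10=source ip.port, $12=destination ip.port: (trailing colon).

# Constructed sample in the page's format (placeholder destination IP)
sample_pflog() {
    cat <<'EOF'
Aug 29 15:41:11.757829 rule 0/(match) block in on vio0: 86.47.225.151.55806 > 45.FOO.BAR.IP.23: S 757158343:757158343(0) win 52206 [tos 0x28]
Aug 29 15:49:59.735391 rule 0/(match) block in on vio0: 36.7.147.209.2545 > 45.FOO.BAR.IP.3389: SWE 3577047469:3577047469(0) win 8192  (DF) [tos 0x2 (E)]
Aug 29 15:50:00.703229 rule 0/(match) block in on vio0: 36.7.147.209.2546 > 45.FOO.BAR.IP.3389: SWE 1539382950:1539382950(0) win 8192  (DF) [tos 0x2 (E)]
Aug 29 15:53:31.809570 rule 0/(match) block in on vio0: 13.93.104.140.53184 > 45.FOO.BAR.IP.1433: S 39854048:39854048(0) win 1024
Aug 29 15:53:32.138231 rule 0/(match) block in on vio0: 13.93.104.140.53184 > 45.FOO.BAR.IP.1433: R 39854049:39854049(0) win 1200
Aug 29 15:54:34.993594 rule 0/(match) block in on vio0: 212.47.234.50.5102 > 45.FOO.BAR.IP.5060: udp 408 (DF) [tos 0x28]
Aug 29 15:55:07.001743 rule 0/(match) block in on vio0: 190.83.174.214.58863 > 45.FOO.BAR.IP.23: S 757158343:757158343(0) win 27420
Aug 29 15:58:41.346028 rule 0/(match) block in on vio0: 169.1.29.111.29765 > 45.FOO.BAR.IP.23: S 757158343:757158343(0) win 28509
Aug 29 15:58:50.000000 rule 5/(match) pass in on vio0: 198.51.100.7.40000 > 45.FOO.BAR.IP.80: S 1:1(0) win 65535
EOF
}

# Print "port hits distinct_sources" for blocked inbound packets, busiest port first.
# Usage on a live box: tcpdump -n -e -ttt -r /var/log/pflog | pflog_top_ports
pflog_top_ports() {
    awk '$6 == "block" && $7 == "in" {
            src = $10; dst = $12
            sub(/:$/, "", dst)                      # drop the trailing colon
            n = split(dst, d, "[.]"); port = d[n]   # destination port is the last dotted field
            sub(/\.[0-9]+$/, "", src)               # strip the source port, keep the address
            hits[port]++
            if (!((port, src) in seen)) { seen[port, src] = 1; nsrc[port]++ }
        }
        END { for (p in hits) printf "%s %d %d\n", p, hits[p], nsrc[p] }' |
    LC_ALL=C sort -k2,2nr -k1,1n
}
```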

If you want to learn more, visit the PF FAQ and the FreeBSD HANDBOOK, as well as the following man pages:

# man tcpdump
# man pfctl
# man pf

關(guān)于作者

我是 nixCraft 的創(chuàng)立者,一個(gè)經(jīng)驗(yàn)豐富的系統(tǒng)管理員,同時(shí)也是一位 Linux 操作系統(tǒng)/Unix shell 腳本培訓(xùn)師。我在不同的行業(yè)與全球客戶工作過,包括 IT、教育、國(guó)防和空間研究、以及非營(yíng)利組織。你可以在 Twitter、Facebook 或 Google+ 上面關(guān)注我。

Source: http://www.dlmjj.cn/article/ccejdhc.html