使用IP Filter设置小型企业防火墙

#cd /sys/i386/conf 
#cp GENERIC kernel_IPF

options IPFILTER 
options IPFILTER_LOG 
options IPFILTER_DEFAULT_BLOCK 
3、 
<CENTER><ccid_nobr>
<table width="400" border="1" cellspacing="0" cellpadding="2" 
 bordercolorlight = "black" bordercolordark = "#FFFFFF" align="center">
<tr>
    <td bgcolor="e6e6e6" class="code" style="font-size:9pt">
    <pre><ccid_code>
#/usr/sbin/config kernel_IPF 
#cd ../../compile/kernel_IPF 
#make kepend 
#make 
#make install

defaultrouter="x.x.x.1" x.x.x.1为ISP提供的网关 
gateway_enable="YES" 
ipfilter_enable＝"YES" 
ipnat_enable="YES"

map fxp0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp 
map fxp0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:30000 
map fxp0 192.168.0.0/24 -> 0/32 
map fxp0 192.168.80.0/24 -> 0/32 portmap tcp/udp 300001:60000 
map fxp0 192.168.80.0/24 -> 0/32 portmap 
rdr fxp0 x.x.x.x/32 port 80 -> 192.168.0.2 port 80 
rdr fxp0 x.x.x.x/32 port ftp -> 192.168.0.3 port ftp 
rdr fxp0 x.x.x.x/32 port 30001-50000 -> 192.168.80.3 port 30001 tcp

block in log quick all with short 
block in log quick all with ipopts 
block in log quick all with frag 
block in log quick all with opt lsrr 
block in log quick all with opt ssrr

pass out on xl0 all 
pass in on xlo all 
pass out on xl1 all 
pass in on xl1 all 
pass out quick on lo0 all 
pass in quick on lo0 all

block out log on fxp0 from any to 192.168.0.0/16 
block out log quick on fxp0 from any to 0.0.0.0/8 
block out log quick on fxp0 from any to 169.254.0.0/8 
block out log quick on fxp0 from any to 10.0.0.0/8 
block out log quick on fxp0 from any to 127.16.0.0/12 
block out log quick on fxp0 from any to 127.0.0.0/8 
block out log quick on fxp0 from any to 192.0.2.0/24 
block out log quick on fxp0 from any to 204.152.64.0/23 
block out log quick on fxp0 from any to 224.0.0.0/3

pass out log on fxp0 proto tcp/udp from any to any keep state 
pass out log on fxp0 proto icmp all keep state 

以上为允许TCP 、UDP、ICMP数据包向外发送出去，并且允许回应数据包发送回到内部网络 
<CENTER><ccid_nobr>
<table width="400" border="1" cellspacing="0" cellpadding="2" 
 bordercolorlight = "black" bordercolordark = "#FFFFFF" align="center">
<tr>
    <td bgcolor="e6e6e6" class="code" style="font-size:9pt">
    <pre><ccid_code>
block in log on fxp0 from 192.168.0.0/16 to any 
block in log quick on fxp0 from 10.0.0.0/8 to any 
block in log quick on fxp0 from 172.16.0.0/12 to any 
block in log quick on fxp0 from 127.0.0.0/8 to any 
block in log quick on fxp0 from 192.0.2.0/24 to any 
block in log quick on fxp0 from 169.254.0.0/16 to any 
block in log quick on fxp0 from 224.0.0.0/3 to any 
block in log quick on fxp0 from 204.152.64.0/23 to any 
block in log quick on fxp0 from x.x.x.x/32 to any 
block in log quick on fxp0 from any to x.x.x.0/32 
block in log quick on fxp0 from any to x.x.x.255/32

pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp flags S/SA keep state 
pass in quick on fxp0 proto tcp from any to any port = ftp-data flags S/SA keep state 
pass in quick on fxp0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

block in log quick on fxp0 proto icmp from any to any icmp-type redir 
block in log quick on fxp0 proto icmp from any to any 
block in log quick on fxp0 proto icmp from any to any icmp-type echo

block return-rst in log on fxp0 proto tcp from any to any flags S/SA 
block return-icmp(net-unr) in log on fxp0 proto udp from any to any

net.inet.tcp.blackhole=2 
net.inet.udp.blackhole=1

ipfilter_enables=”YES” 
ipf –C –f /etc/ipf.rules 
ipfilter_flags=”-E” 
ipnat_enable=”YES” 
ipnat_program=”/sbin/ipnat –CF -f” 
ipnat_rules=”/etc/ipnat.rules” 
ipmon_enable=”YES” 
ipmon_flags=”-D /var/log/ipfilter.log”

MasqueradeAddress x.x.x.x 
PassivePorts 30001 50000

PassivePortRange 30001 50000 
ForcePassiveIP x.x.x.x