使用IP Filter设置小型企业防火墙

#cd /sys/i386/conf #cp GENERIC kernel_IPF

options IPFILTER options IPFILTER_LOG options IPFILTER_DEFAULT_BLOCK 3、 <CENTER><ccid_nobr><table width="400" border="1" cellspacing="0" cellpadding="2"  bordercolorlight = "black" bordercolordark = "#FFFFFF" align="center"><tr>    <td bgcolor="e6e6e6" class="code" style="font-size:9pt">    <pre><ccid_code>#/usr/sbin/config kernel_IPF #cd ../../compile/kernel_IPF #make kepend #make #make install

defaultrouter="x.x.x.1" x.x.x.1为ISP提供的网关 gateway_enable="YES" ipfilter_enable＝"YES" ipnat_enable="YES"

map fxp0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp map fxp0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:30000 map fxp0 192.168.0.0/24 -> 0/32 map fxp0 192.168.80.0/24 -> 0/32 portmap tcp/udp 300001:60000 map fxp0 192.168.80.0/24 -> 0/32 portmap rdr fxp0 x.x.x.x/32 port 80 -> 192.168.0.2 port 80 rdr fxp0 x.x.x.x/32 port ftp -> 192.168.0.3 port ftp rdr fxp0 x.x.x.x/32 port 30001-50000 -> 192.168.80.3 port 30001 tcp

block in log quick all with short block in log quick all with ipopts block in log quick all with frag block in log quick all with opt lsrr block in log quick all with opt ssrr

pass out on xl0 all pass in on xlo all pass out on xl1 all pass in on xl1 all pass out quick on lo0 all pass in quick on lo0 all

block out log on fxp0 from any to 192.168.0.0/16 block out log quick on fxp0 from any to 0.0.0.0/8 block out log quick on fxp0 from any to 169.254.0.0/8 block out log quick on fxp0 from any to 10.0.0.0/8 block out log quick on fxp0 from any to 127.16.0.0/12 block out log quick on fxp0 from any to 127.0.0.0/8 block out log quick on fxp0 from any to 192.0.2.0/24 block out log quick on fxp0 from any to 204.152.64.0/23 block out log quick on fxp0 from any to 224.0.0.0/3

pass out log on fxp0 proto tcp/udp from any to any keep state pass out log on fxp0 proto icmp all keep state 以上为允许TCP 、UDP、ICMP数据包向外发送出去，并且允许回应数据包发送回到内部网络 <CENTER><ccid_nobr><table width="400" border="1" cellspacing="0" cellpadding="2"  bordercolorlight = "black" bordercolordark = "#FFFFFF" align="center"><tr>    <td bgcolor="e6e6e6" class="code" style="font-size:9pt">    <pre><ccid_code>block in log on fxp0 from 192.168.0.0/16 to any block in log quick on fxp0 from 10.0.0.0/8 to any block in log quick on fxp0 from 172.16.0.0/12 to any block in log quick on fxp0 from 127.0.0.0/8 to any block in log quick on fxp0 from 192.0.2.0/24 to any block in log quick on fxp0 from 169.254.0.0/16 to any block in log quick on fxp0 from 224.0.0.0/3 to any block in log quick on fxp0 from 204.152.64.0/23 to any block in log quick on fxp0 from x.x.x.x/32 to any block in log quick on fxp0 from any to x.x.x.0/32 block in log quick on fxp0 from any to x.x.x.255/32

pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep statepass in quick on fxp0 proto tcp from any to any port = ftp flags S/SA keep state pass in quick on fxp0 proto tcp from any to any port = ftp-data flags S/SA keep state pass in quick on fxp0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

block in log quick on fxp0 proto icmp from any to any icmp-type redir block in log quick on fxp0 proto icmp from any to any block in log quick on fxp0 proto icmp from any to any icmp-type echo

block return-rst in log on fxp0 proto tcp from any to any flags S/SA block return-icmp(net-unr) in log on fxp0 proto udp from any to any

net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1

ipfilter_enables=”YES” ipf –C –f /etc/ipf.rules ipfilter_flags=”-E” ipnat_enable=”YES” ipnat_program=”/sbin/ipnat –CF -f” ipnat_rules=”/etc/ipnat.rules” ipmon_enable=”YES” ipmon_flags=”-D /var/log/ipfilter.log”

MasqueradeAddress x.x.x.x PassivePorts 30001 50000

PassivePortRange 30001 50000 ForcePassiveIP x.x.x.x