FreeBSD 4.8 IPFW How-To

王朝 system · Author unknown · 2006-11-23

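The test machine's IP address is 211.162.77.73.

Network interface: xl0

Traffic management is compiled into the kernel; add or remove options according to your actual needs.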

uname -a

If you are running the default GENERIC kernel, proceed as follows:

=============================================

cd /sys/i386/conf

cp GENERIC ./GENERIC_IPFW

---------------------------------

ee GENERIC_IPFW  (add the following lines)

options IPFIREWALL

options IPDIVERT

options IPFIREWALL_VERBOSE

options IPFIREWALL_VERBOSE_LIMIT=100

options IPSTEALTH

options ACCEPT_FILTER_DATA

options ACCEPT_FILTER_HTTP

options ICMP_BANDLIM

options DUMMYNET

---------------------------------

config ./GENERIC_IPFW

cd ../../compile/GENERIC_IPFW

make depend all install

---------------------------------

ee /etc/rc.conf  (add the following lines)

##########IP-firewall#################

firewall_enable="YES"

firewall_script="/etc/rc.firewall"

firewall_type="/etc/ipfw.conf"

firewall_quiet="YES"

firewall_logging_enable="YES"

---------------------------------

ee /etc/syslog.conf  (add the following lines)

!ipfw

*.* /var/log/ipfw.log

---------------------------------

ee /etc/ipfw.conf  (add the following lines)

add 00001 deny log ip from any to any ipopt rr

add 00002 deny log ip from any to any ipopt ts

add 00003 deny log ip from any to any ipopt ssrr

add 00004 deny log ip from any to any ipopt lsrr

add 00005 deny tcp from any to any in tcpflags syn,fin

#######tcp#########

add 10000 allow tcp from 211.162.77.77 to 211.162.77.73 22 in

add 10001 allow tcp from any to 211.162.77.73 21,25,80,110,3306,5999 in

add 19997 check-state

add 19998 allow tcp from any to any out keep-state setup

add 19999 allow tcp from any to any out

######udp##########

add 20001 allow udp from any 53 to me in recv xl0

add 20002 allow udp from any to 211.162.77.73 53 in recv xl0

add 29999 allow udp from any to any out

######icmp#########

add 30000 allow icmp from any to any icmptypes 3,4

add 30001 allow icmp from any to any icmptypes 8 out

add 30002 allow icmp from any to any icmptypes 0,11 in
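
A quick review aid for the rule file above, as an added example that is not part of the original how-to: it lists every inbound tcp/udp allow rule whose source is "any", with the ports it opens. The helper names sample_rules and world_open are hypothetical, and the parser assumes the simple "add NUM action [log] proto from SRC [ports] to DST [ports] ..." form used on this page (no logamount, no address lists).

```shell
#!/bin/sh
# Added example, not part of the original how-to.

# sample_rules: the tcp/udp rules from the /etc/ipfw.conf listing above,
# plus one icmp rule, embedded so the script runs without a firewall.
sample_rules() {
    cat <<'EOF'
add 00005 deny tcp from any to any in tcpflags syn,fin
add 10000 allow tcp from 211.162.77.77 to 211.162.77.73 22 in
add 10001 allow tcp from any to 211.162.77.73 21,25,80,110,3306,5999 in
add 19997 check-state
add 19998 allow tcp from any to any out keep-state setup
add 19999 allow tcp from any to any out
add 20001 allow udp from any 53 to me in recv xl0
add 20002 allow udp from any to 211.162.77.73 53 in recv xl0
add 29999 allow udp from any to any out
add 30002 allow icmp from any to any icmptypes 0,11 in
EOF
}

# world_open (hypothetical helper): read rules from stdin or a file and print
# "NUM PROTO sport=.. dst=.. dport=.." for each inbound allow rule whose
# source address is "any". "*" means the rule does not restrict that port.
world_open() {
    awk '
    $1 != "add" || $3 !~ /^(allow|accept|pass|permit)$/ { next }
    {
        p = ($4 == "log") ? 5 : 4            # protocol follows optional "log"
        if ($p != "tcp" && $p != "udp") next
        f = t = 0
        for (i = p + 1; i <= NF; i++) {
            if ($i == "from" && !f) f = i
            if ($i == "to" && !t) t = i
            if ($i == "out") next            # outbound-only rule, skip
        }
        if (!f || !t || $(f + 1) != "any") next
        sport = (t == f + 3) ? $(f + 2) : "*"
        dport = ($(t + 2) ~ /^[0-9][0-9,-]*$/) ? $(t + 2) : "*"
        printf "%s %s sport=%s dst=%s dport=%s\n", $2, $p, sport, $(t + 1), dport
    }' "$@"
}

sample_rules | world_open
```

On the firewall itself, run `world_open /etc/ipfw.conf`. Any service in the output that does not need to be public can be narrowed with a source address, as rule 10000 does for port 22.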

 
 
 