先將kernel複製出來
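# Copy the stock GENERIC kernel config to a file kept outside /usr/src
# (presumably so it is not touched when the source tree is updated) and
# symlink it into the i386 conf directory where config(8)/make expect it.
# The steps are chained with && so a failed mkdir or cd does not leave a
# stray copy or a dangling symlink behind; mkdir -p tolerates re-runs.
mkdir -p /usr/local/etc/FreeBSD \
  && cd /usr/src/sys/i386/conf \
  && cp GENERIC /usr/local/etc/FreeBSD/MYKERNEL \
  && ln -s /usr/local/etc/FreeBSD/MYKERNEL \
  && vi /usr/local/etc/FreeBSD/MYKERNEL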
加入
# Kernel config (config(5)) lines appended to MYKERNEL to build ipfw into the kernel.
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_FORWARD #packet destination changes
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
# NOTE: with DEFAULT_TO_ACCEPT the kernel's built-in last rule (65535) passes
# everything, so the host is open until /etc/rc.firewall installs its own
# explicit final deny rule.  The upside is that "ipfw -f flush" does not cut a
# remote session; the downside is that a rule script that stops early leaves
# the host open rather than locked down.
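# Build and install the custom kernel.  KERNCONF must name the config file:
# without it "make kernel" builds the default GENERIC (unless KERNCONF is set
# in /etc/make.conf) and none of the IPFIREWALL options end up in the running
# kernel.  && keeps make from running in the wrong directory if the cd fails.
cd /usr/src && make kernel KERNCONF=MYKERNEL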
完成後開始設定
# Enable ipfw at boot: the firewall_* settings listed next go into /etc/rc.conf.
vi /etc/rc.conf
加入
# ipfw settings for /etc/rc.conf, read by rc.d/ipfw at boot.
firewall_enable=YES                # start ipfw and run the rule script at boot
firewall_logging=YES               # enable ipfw logging (pairs with IPFIREWALL_VERBOSE in the kernel)
firewall_script=/etc/rc.firewall   # rule script to run; its contents are given below
# Replace the stock rule script entirely with the rule set below.
vi /etc/rc.firewall
將內容全部刪除改為
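#!/bin/sh
# /etc/rc.firewall -- ipfw(8) rule set run by rc.d/ipfw when firewall_enable=YES.
# ipfw is first-match: the lowest-numbered rule that matches a packet decides
# it, so the rule numbers below define the policy order.
#
# Deliberately no "set -e": if one "ipfw add" is rejected, the remaining rules
# (above all the final deny) must still be installed.  Aborting early would
# leave the host on the kernel's IPFIREWALL_DEFAULT_TO_ACCEPT policy.
fwcmd="/sbin/ipfw"

Trust_IP1="127.0.0.1"                # MUST be replaced with this server's own IP
Trust_IP2="120.119.1.0/24"           # trusted network, passed unconditionally
UnTrust_IP1="192.83.191.0/24"        # network blocked from reaching this host
Allowed_TCP_In_1="22,25,53,80,443"   # TCP service ports open to everyone
Traceroute="33433-33499"             # UDP ports used by traceroute probes
Allowed_UDP_In="20,21,53,113"        # NOTE: matched as *source* ports, see rule 56003
Allowed_UDP_ftp_Out="65000-65500"    # FTP data port range (applied to any direction, rule 56004)
Allowed_TCP_ftp_Out="65000-65500"    # FTP data port range (applied to any direction, rule 56005)
# (Allowed_UDP_Out, Allowed_UDP_ftp_In and Allowed_TCP_ftp_In were never referenced and are dropped.)

# Warn loudly if the loopback placeholder was left in place: rule 00030 would
# then pass any packet whose source address is 127.0.0.1, on any interface.
if [ "$Trust_IP1" = "127.0.0.1" ]; then
  printf '%s\n' "rc.firewall: Trust_IP1 is still the 127.0.0.1 placeholder; set it to this host's address" >&2
fi

# ipfw add [number] [allow|deny] [proto] from [src] [ports] to [destination] [ports]
"$fwcmd" -f flush                           # drop every existing rule (-f: no confirmation prompt)
"$fwcmd" add 1 allow ipv6 from any to any   # CAVEAT: every IPv6 packet is accepted here and never reaches the rules below
"$fwcmd" add 00010 allow tcp from me to any setup keep-state   # TCP opened by this host; dynamic rule admits the replies
"$fwcmd" add 00021 check-state              # match packets against the dynamic rules created above
"$fwcmd" add 00030 allow ip from "${Trust_IP1}" to any   # no in/out keyword: also matches inbound packets carrying this source address (no antispoof)
"$fwcmd" add 00031 allow ip from "${Trust_IP2}" to any
"$fwcmd" add 00060 allow icmp from any to any
"$fwcmd" add 00061 allow udp from any to any "${Traceroute}"   # traceroute probes, in either direction
"$fwcmd" add 00120 deny ip from "${UnTrust_IP1}" to me
"$fwcmd" add 00121 deny tcp from "${UnTrust_IP1}" to me 25    # redundant: already covered by 00120
"$fwcmd" add 56000 allow tcp from any to any "${Allowed_TCP_In_1}"
"$fwcmd" add 56003 allow udp from any "${Allowed_UDP_In}" to any   # SOURCE-port match (e.g. DNS replies from port 53); a remote host can choose its source port, so this is a weak control
"$fwcmd" add 56004 allow udp from any to any "${Allowed_UDP_ftp_Out}"   # opens 65000-65500 from anywhere, despite the _Out name
"$fwcmd" add 56005 allow tcp from any to any "${Allowed_TCP_ftp_Out}"   # same for TCP
"$fwcmd" add 65534 deny log ip from any to any   # explicit catch-all deny; this, not the kernel default, closes the policy
"$fwcmd" zero                               # reset packet/byte counters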
# Load the rules now (in the background) and reboot into the kernel built above.
# NOTE(review): the backgrounded script and the reboot race, so the rules may
# not finish loading; with firewall_enable=YES in rc.conf they are loaded at
# boot regardless.
sh /etc/rc.firewall &
reboot