English | Chinese (Simplified) (zh_CN) [translated to English]
Additional actions are available. Refer to <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details. | For more available ACTIONs, refer to <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
LOG_AMOUNT | LOG_AMOUNT
When a packet matches a rule with the <literal>log</literal> keyword, a message will be logged to <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry> with a facility name of <literal>SECURITY</literal>. Logging only occurs if the number of packets logged for that particular rule does not exceed a specified LOG_AMOUNT. If no LOG_AMOUNT is specified, the limit is taken from the value of <varname>net.inet.ip.fw.verbose_limit</varname>. A value of zero removes the logging limit. Once the limit is reached, logging can be re-enabled by clearing the logging counter or the packet counter for that rule, using <command>ipfw resetlog</command>. | When a packet matches a rule with the <literal>log</literal> keyword, the message is logged to <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry> through the facility named SECURITY. Logging only occurs while the number of logged entries has not exceeded the count given by the logamount parameter. If <literal>logamount</literal> is not specified, the limit set by the sysctl variable <literal>net.inet.ip.fw.verbose_limit</literal> applies. If either of these limit values is set to zero, no limit is imposed. Once the limit is reached, logging can be re-enabled by clearing the rule's log counter or packet counter; see the <command>ipfw resetlog</command> command for details.
Logging is done after all other packet matching conditions have been met, and before performing the final action on the packet. The administrator decides which rules to enable logging on. | Logging happens after all other matching conditions have been verified and before the final action (accept, deny) is applied to the packet. You decide for yourself which rules should have logging enabled.
PROTO | PROTO
This optional value can be used to specify any protocol name or number found in <filename>/etc/protocols</filename>. | A protocol defined in <filename>/etc/protocols</filename> can also be specified. This value defines the protocol to match and must be specified in the rule.
SRC | SRC
The <literal>from</literal> keyword must be followed by the source address or a keyword that represents the source address. An address can be represented by <literal>any</literal>, <literal>me</literal> (any address configured on an interface on this system), <literal>me6</literal>, (any <acronym>IPv6</acronym> address configured on an interface on this system), or <literal>table</literal> followed by the number of a lookup table which contains a list of addresses. When specifying an <acronym>IP</acronym> address, it can be optionally followed by its <acronym>CIDR</acronym> mask or subnet mask. For example, <literal>1.2.3.4/25</literal> or <literal>1.2.3.4:255.255.255.128</literal>. | The <literal>from</literal> keyword must be followed by the source address or a keyword representing the source address. An address can be given as <literal>any</literal>, <literal>me</literal> (any address configured on an interface of this system), <literal>me6</literal> (any <acronym>IPv6</acronym> address configured on an interface of this system), or <literal>table</literal> followed by the number of a lookup table containing a list of addresses. When an <acronym>IP</acronym> address is specified, it can optionally be followed by its <acronym>CIDR</acronym> mask or subnet mask. For example, <literal>1.2.3.4/25</literal> or <literal>1.2.3.4:255.255.255.128</literal>.
SRC_PORT | SRC_PORT
An optional source port can be specified using the port number or name from <filename>/etc/services</filename>. | This parameter is mainly used with protocols that support port numbers (for example <acronym>TCP</acronym> and <acronym>UDP</acronym>). If a protocol is to be matched by port number, this parameter must be specified. A service can also be specified by its name (according to <filename>/etc/services</filename>), which is somewhat more intuitive than giving the port by number.
DST | DST
The <literal>to</literal> keyword must be followed by the destination address or a keyword that represents the destination address. The same keywords and addresses described in the SRC section can be used to describe the destination. | The <literal>to</literal> keyword must be followed by the destination address or a keyword representing the destination address. The same keywords and addresses described under SRC can be used to describe the destination.
DST_PORT | DST_PORT
An optional destination port can be specified using the port number or name from <filename>/etc/services</filename>. | An optional destination port can be specified using a port number or name from <filename>/etc/services</filename>.
OPTIONS | OPTIONS
Several keywords can follow the source and destination. As the name suggests, OPTIONS are optional. Commonly used options include <literal>in</literal> or <literal>out</literal>, which specify the direction of packet flow, <literal>icmptypes</literal> followed by the type of <acronym>ICMP</acronym> message, and <literal>keep-state</literal>. | Several keywords can follow the source and destination. As the name suggests, OPTIONS are optional. Commonly used options include <literal>in</literal> or <literal>out</literal>, which specify the direction of packet flow, <literal>icmptypes</literal> followed by the type of <acronym>ICMP</acronym> message, and <literal>keep-state</literal>.
When a <parameter>keep-state</parameter> rule is matched, the firewall will create a dynamic rule which matches bidirectional traffic between the source and destination addresses and ports using the same protocol. | When a <parameter>keep-state</parameter> rule is matched, the firewall creates a dynamic rule that matches bidirectional traffic between the source and destination addresses and ports using the same protocol.
The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. To counter this type of attack with <application>IPFW</application>, use <literal>limit</literal>. This option limits the number of simultaneous sessions by checking the open dynamic rules, counting the number of times this rule and <acronym>IP</acronym> address combination occurred. If this count is greater than the value specified by <literal>limit</literal>, the packet is discarded. | The dynamic rules facility is vulnerable to SYN flood attacks, which consume a large amount of resources by opening a huge number of dynamic rules. To counter this type of attack with <application>IPFW</application>, use <literal>limit</literal>. This option limits the number of simultaneous sessions by checking the open dynamic rules and counting how many times this rule and <acronym>IP</acronym> address combination has occurred. If this count is greater than <literal>limit</literal>, the packet is discarded.
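The following toy model illustrates the three mechanisms just described: a check-state rule that accepts any packet belonging to a known flow in either direction, a keep-state/limit rule that creates dynamic entries, and the limit cap that refuses a new session once one source address already holds the allowed number of entries. It is an added example, not ipfw's implementation or code from the Handbook; the network 192.168.1.0/24 and the 203.0.113.x hosts are constructed sample values, and timeouts, TCP flag tracking and the other details of the real ipfw(8) engine are deliberately left out.

```python
"""Toy model of ipfw dynamic rules: check-state, keep-state and limit.

Added example, not ipfw's implementation. It models only the behaviour the
Handbook text describes (a dynamic entry matches both directions of a flow;
limit caps how many entries one source address may hold under a rule) and
ignores timeouts, TCP flag tracking and other details of the real engine.
All addresses below are constructed sample values.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed trusted internal network


def flow_key(pkt):
    """Key under which a dynamic entry is stored; A->B and B->A map to the same key."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = {}        # flow_key -> (index of creating rule, source address)

    def process(self, pkt):
        """Return 'allow' or 'deny' for pkt, creating dynamic entries as described."""
        for idx, rule in enumerate(self.rules):
            if rule["action"] == "check-state":
                if flow_key(pkt) in self.dynamic:   # existing session: accept either direction
                    return "allow"
                continue
            if not rule["match"](pkt):
                continue
            if "limit" in rule:                     # like: ... limit src-addr N
                held = sum(1 for r, s in self.dynamic.values() if r == idx and s == pkt.src)
                if held >= rule["limit"]:
                    return "deny"                   # over the cap: discard, no new entry
                self.dynamic[flow_key(pkt)] = (idx, pkt.src)
            elif rule.get("keep-state"):
                self.dynamic[flow_key(pkt)] = (idx, pkt.src)
            return rule["action"]
        return "deny"                               # implicit default: deny ip from any to any


def outbound_tcp_from_lan(pkt):
    return pkt.proto == "tcp" and ipaddress.ip_address(pkt.src) in LAN


# Equivalent in spirit to (hypothetical rule numbers):
#   $cmd 00101 check-state
#   $cmd 00110 allow tcp from 192.168.1.0/24 to any out via $pif setup limit src-addr 3
#   $cmd 00999 deny all from any to any
RULES = [
    {"action": "check-state"},
    {"action": "allow", "match": outbound_tcp_from_lan, "limit": 3},
    {"action": "deny", "match": lambda pkt: True},
]


def simulate():
    fw = StatefulFirewall(RULES)
    # One internal host opens four sessions to the same web server; only three fit the limit.
    new_sessions = [fw.process(Packet("tcp", "192.168.1.10", 50000 + n, "203.0.113.5", 80))
                    for n in range(4)]
    # The server's reply to session 1 does not match the outbound rule but is a known flow.
    reply = fw.process(Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 50000))
    # Unsolicited inbound traffic has no dynamic entry and falls through to the default deny.
    unsolicited = fw.process(Packet("tcp", "203.0.113.9", 4444, "192.168.1.10", 22))
    # The limit is per source address, so a second host is unaffected by the first one's cap.
    other_host = fw.process(Packet("tcp", "192.168.1.11", 50000, "203.0.113.5", 80))
    return new_sessions, reply, unsolicited, other_host


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the fourth session from 192.168.1.10 being refused while the reply to its first session is still accepted by check-state, which is exactly the trade-off the limit option buys: a flood of new sessions from one address cannot grow the dynamic table without bound, but established flows keep working.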
Dozens of OPTIONS are available. Refer to <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> for a description of each available option. | Many OPTIONS are available; see <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.
Example Ruleset | Example Ruleset
This section demonstrates how to create an example stateful firewall ruleset script named <filename>/etc/ipfw.rules</filename>. In this example, all connection rules use <literal>in</literal> or <literal>out</literal> to clarify the direction. They also use <literal>via</literal> <replaceable>interface-name</replaceable> to specify the interface the packet is traveling over. | This section demonstrates creating a stateful firewall ruleset script named <filename>/etc/ipfw.rules</filename>. In this example, all connection rules use <literal>in</literal> or <literal>out</literal> to clarify the direction. They also use <literal>via</literal> <replaceable>interface-name</replaceable> to specify the interface the packet passes through.
When first creating or testing a firewall ruleset, consider temporarily setting this tunable: | If you are creating a firewall ruleset for the first time, temporarily set the following sysctl variable to 1:
net.inet.ip.fw.default_to_accept="1" | net.inet.ip.fw.default_to_accept="1"
This sets the default policy of <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> to be more permissive than the default <literal>deny ip from any to any</literal>, making it slightly more difficult to get locked out of the system right after a reboot. | The default rule of <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> is <literal>deny ip from any to any</literal>. Setting the variable to this value makes the rules a little more permissive, so that users are not locked out after the system reboots.
The firewall script begins by indicating that it is a Bourne shell script and flushes any existing rules. It then creates the <literal>cmd</literal> variable so that <literal>ipfw add</literal> does not have to be typed at the beginning of every rule. It also defines the <literal>pif</literal> variable which represents the name of the interface that is attached to the Internet. | The firewall script begins by indicating that it is a Bourne shell script, and flushes existing rules before loading the rules. It creates the <literal>cmd</literal> variable so that <literal>ipfw add</literal> need not be typed at the beginning of every rule. It also defines the <literal>pif</literal> variable, which represents the name of the interface connected to the Internet.
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="dc0" # interface name of NIC attached to Internet
The first two rules allow all traffic on the trusted internal interface and on the loopback interface: | The first two rules allow all traffic on the trusted internal interface and the loopback interface:
# Change xl0 to LAN NIC interface name
$cmd 00005 allow all from any to any via xl0

# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0
The next rule allows the packet through if it matches an existing entry in the dynamic rules table: | This rule allows all traffic that matches a rule to pass:
$cmd 00101 check-state | $cmd 00101 check-state
The next set of rules defines which stateful connections internal systems can create to hosts on the Internet: | The next rule describes which services on the system can create stateful connections to the Internet:
Source information
Source string comment: (itstool) path: listitem/para
Source string location: book.translate.xml:61737
Translation file: books/zh_CN/handbook.po, string 10153