Context English Chinese (Simplified) (zh_CN) State
SRC_PORT
An optional source port can be specified using the port number or name from <filename>/etc/services</filename>.
zh_CN: This parameter is mainly used for protocols that support port numbers (such as <acronym>TCP</acronym> and <acronym>UDP</acronym>). If a protocol is to be matched by port number, this parameter must be specified. Alternatively, the service can be specified by its name (according to <filename>/etc/services</filename>), which is somewhat more intuitive than giving the port number numerically.
DST
The <literal>to</literal> keyword must be followed by the destination address or a keyword that represents the destination address. The same keywords and addresses described in the SRC section can be used to describe the destination.
zh_CN: The <literal>to</literal> keyword must be followed by the destination address or a keyword representing the destination address. The same keywords and addresses described in SRC can be used to describe the destination.
DST_PORT
An optional destination port can be specified using the port number or name from <filename>/etc/services</filename>.
zh_CN: An optional destination port can be specified using a port number or name from <filename>/etc/services</filename>.
OPTIONS
Several keywords can follow the source and destination. As the name suggests, OPTIONS are optional. Commonly used options include <literal>in</literal> or <literal>out</literal>, which specify the direction of packet flow, <literal>icmptypes</literal> followed by the type of <acronym>ICMP</acronym> message, and <literal>keep-state</literal>.
zh_CN: Several keywords can follow the source and destination. As the name suggests, OPTIONS are optional. Commonly used options include <literal>in</literal> or <literal>out</literal>, which specify the direction of packet flow, <literal>icmptypes</literal> followed by the type of <acronym>ICMP</acronym> message, and <literal>keep-state</literal>.
When a <parameter>keep-state</parameter> rule is matched, the firewall will create a dynamic rule which matches bidirectional traffic between the source and destination addresses and ports using the same protocol.
zh_CN: When a <parameter>keep-state</parameter> rule is matched, the firewall creates a dynamic rule that matches bidirectional traffic between the source and destination addresses and ports using the same protocol.
The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. To counter this type of attack with <application>IPFW</application>, use <literal>limit</literal>. This option limits the number of simultaneous sessions by checking the open dynamic rules, counting the number of times this rule and <acronym>IP</acronym> address combination occurred. If this count is greater than the value specified by <literal>limit</literal>, the packet is discarded.
zh_CN: The dynamic rules facility is easily subjected to a SYN flood attack that consumes large amounts of resources by opening a huge number of dynamic rules. To counter this type of attack with <application>IPFW</application>, use <literal>limit</literal>. This option limits the number of simultaneous sessions by checking the open dynamic rules and counting the number of times this rule and <acronym>IP</acronym> address combination has occurred. If this count is greater than <literal>limit</literal>, the packet is discarded.
Dozens of OPTIONS are available. Refer to <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> for a description of each available option.
zh_CN: Many OPTIONS are available; see <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.
Example Ruleset
This section demonstrates how to create an example stateful firewall ruleset script named <filename>/etc/ipfw.rules</filename>. In this example, all connection rules use <literal>in</literal> or <literal>out</literal> to clarify the direction. They also use <literal>via</literal> <replaceable>interface-name</replaceable> to specify the interface the packet is traveling over.
zh_CN: This section demonstrates creating a stateful firewall ruleset script named <filename>/etc/ipfw.rules</filename>. In this example, all connection rules use <literal>in</literal> or <literal>out</literal> to clarify the direction. They also use <literal>via</literal> <replaceable>interface-name</replaceable> to specify the interface the packet passes through.
When first creating or testing a firewall ruleset, consider temporarily setting this tunable:
zh_CN: If you are creating firewall rules for the first time, temporarily set the following sysctl variable to 1:
net.inet.ip.fw.default_to_accept="1"
This sets the default policy of <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> to be more permissive than the default <literal>deny ip from any to any</literal>, making it slightly more difficult to get locked out of the system right after a reboot.
zh_CN: The default rule of <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> is <literal>deny ip from any to any</literal>. Setting the variable to this value makes the rules a little more permissive, so that users are not locked out after the system reboots.
The firewall script begins by indicating that it is a Bourne shell script and flushes any existing rules. It then creates the <literal>cmd</literal> variable so that <literal>ipfw add</literal> does not have to be typed at the beginning of every rule. It also defines the <literal>pif</literal> variable which represents the name of the interface that is attached to the Internet.
zh_CN: The firewall script begins by indicating that it is a Bourne shell script, and flushes the existing rules before the rules are loaded. It creates the <literal>cmd</literal> variable so that <literal>ipfw add</literal> does not have to be typed at the beginning of each rule. It also defines the <literal>pif</literal> variable, which represents the name of the interface connected to the Internet.
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="dc0" # interface name of NIC attached to Internet
The first two rules allow all traffic on the trusted internal interface and on the loopback interface:
zh_CN: The first two rules allow all traffic on the trusted internal interface and on the loopback interface:
# Change xl0 to LAN NIC interface name
$cmd 00005 allow all from any to any via xl0

# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0
The next rule allows the packet through if it matches an existing entry in the dynamic rules table:
zh_CN: This rule allows all traffic that matches the rules to pass through:
$cmd 00101 check-state
The next set of rules defines which stateful connections internal systems can create to hosts on the Internet:
zh_CN: The next rule describes which services on the system can create stateful connections to the Internet:
# Allow access to public DNS
# Replace x.x.x.x with the IP address of a public DNS server
# and repeat for each DNS server in /etc/resolv.conf
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow outbound HTTP and HTTPS connections
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow outbound email connections
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow outbound ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow outbound NTP
$cmd 00260 allow udp from any to any 123 out via $pif keep-state

# Allow outbound SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# deny and log all other outbound connections
$cmd 00299 deny log all from any to any out via $pif
The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use <literal>limit</literal> to prevent flooding.
zh_CN: The next group of rules controls connections from the Internet to the internal network. It first denies packets that may launch attacks, then explicitly allows specific types of connections. All authorized services originating from the Internet use <literal>limit</literal> to prevent flood attacks.
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services.
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny fragments
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 00120.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow HTTP connections to internal web server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow inbound SSH connections
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject and log all other incoming connections
$cmd 00499 deny log all from any to any in via $pif
The last rule logs all packets that do not match any of the rules in the ruleset:
zh_CN: The last rule denies all traffic that does not match the rules:
# Everything else is denied and logged
$cmd 00999 deny log all from any to any
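As an added illustration of the check-state, keep-state and limit src-addr behaviour that the ruleset above relies on, here is a small Python model of how ipfw walks a rule list against its dynamic table; it is example code written for this page, not part of the FreeBSD Handbook or of ipfw itself, and the rule subset, addresses and ports are constructed (dynamic-rule expiry is omitted, so the limit counter only grows).

```python
from collections import Counter

dynamic = set()     # dynamic rule table: direction-independent 5-tuple keys
limits = Counter()  # (rule number, src address) -> sessions opened under limit

def key(p):
    # Same key for both directions of a flow, so replies match check-state.
    ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return (p["proto"],) + tuple(x for end in ends for x in end)

def matches(r, p):
    # Static match: proto, direction, dst port; setup = SYN without ACK,
    # established = ACK or RST set (modelled here as "not a bare SYN").
    return (r["proto"] in ("all", p["proto"]) and r["dir"] == p["dir"]
            and r.get("dport") in (None, p["dport"])
            and not (r.get("setup") and not p["syn"])
            and not (r.get("established") and p["syn"]))

def decide(rules, p):
    for r in rules:                             # top to bottom, first match wins
        if r["action"] == "check-state":        # rule 00101 in the ruleset
            if key(p) in dynamic:
                return "allow"                  # packet belongs to a known session
            continue
        if not matches(r, p):
            continue
        if r["action"] == "deny":
            return "deny"
        if r.get("limit"):                      # limit src-addr N
            k = (r["num"], p["src"])
            if limits[k] >= r["limit"]:
                return "deny"                   # over the per-source session limit
            limits[k] += 1
        if r.get("keep_state") or r.get("limit"):
            dynamic.add(key(p))                 # both options create a dynamic rule
        return "allow"
    return "deny"                               # implicit default deny

# Constructed subset of the ruleset above; numbers follow the script.
RULES = [
    dict(num=101, action="check-state"),
    dict(num=280, action="allow", proto="tcp", dir="out", dport=22, setup=True, keep_state=True),
    dict(num=299, action="deny", proto="all", dir="out"),
    dict(num=332, action="deny", proto="tcp", dir="in", established=True),
    dict(num=400, action="allow", proto="tcp", dir="in", dport=80, setup=True, limit=2),
    dict(num=499, action="deny", proto="all", dir="in"),
]

def pkt(proto, src, sport, dst, dport, direction, syn):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, dir=direction, syn=syn)
```

Feeding an outbound SSH SYN and then its inbound SYN/ACK shows why the reply is allowed by check-state although rule 00332 would otherwise deny it; three inbound HTTP SYNs from one address show the third being dropped by limit src-addr 2.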
In-kernel <acronym>NAT</acronym>
<personname> <firstname>Dries</firstname> <surname>Michiels</surname> </personname> <contrib>Rewritten and updated by </contrib>
<primary>NAT</primary> <secondary>and <application>IPFW</application></secondary>
Source information
Source string comment: (itstool) path: note/para
Source string location: book.translate.xml:61790
String age: a year ago
Source string age: a year ago
Translation file: books/zh_CN/handbook.po, string 10161