The translation is temporarily closed for contributions due to maintenance, please come back later.

Translation

(itstool) path: sect2/para
English
The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use <literal>limit</literal> to prevent flooding.
110/3190 · 319
Context English Chinese (Simplified) (zh_CN) State
The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. To counter this type of attack with <application>IPFW</application>, use <literal>limit</literal>. This option limits the number of simultaneous sessions by checking the open dynamic rules, counting the number of times this rule and <acronym>IP</acronym> address combination occurred. If this count is greater than the value specified by <literal>limit</literal>, the packet is discarded. 动态规则工具很容易遭受SYN洪水攻击,消耗大量资源,这将打开大量动态规则。 要使用<application> IPFW</application>应对此类攻击,请使用<literal> limit</literal>。 此选项通过检查打开的动态规则,计算此规则和<acronym> IP</acronym>地址组合发生的次数来限制同时进行的会话数。 如果此计数大于<literal> limit</literal>,则丢弃该数据包。
Dozens of OPTIONS are available. Refer to <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> for a description of each available option. 有许多可用的 OPTIONS,详情请见<citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>。
Example Ruleset 规则集示例
This section demonstrates how to create an example stateful firewall ruleset script named <filename>/etc/ipfw.rules</filename>. In this example, all connection rules use <literal>in</literal> or <literal>out</literal> to clarify the direction. They also use <literal>via</literal> <replaceable>interface-name</replaceable> to specify the interface the packet is traveling over. 本节演示创建名为<filename>/etc/ipfw.rules</filename>的有状态防火墙规则集脚本。在此示例中,所有连接规则都使用<literal>in</literal> 或 <literal>out</literal>来阐明方向。它们还<literal>通过</literal><replaceable>interface-name</replaceable>来指定数据包经过的接口。
When first creating or testing a firewall ruleset, consider temporarily setting this tunable: 若您第一次创建防火墙规则,请把下面这个 sysctl 变量暂时设为 1:
net.inet.ip.fw.default_to_accept="1" net.inet.ip.fw.default_to_accept="1"
This sets the default policy of <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> to be more permissive than the default <literal>deny ip from any to any</literal>, making it slightly more difficult to get locked out of the system right after a reboot. <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>的默认规则是<literal>deny ip from any to any</literal>。将变量设为此值可以让规则宽松一点,以防系统重启后用户被挡在外头。
The firewall script begins by indicating that it is a Bourne shell script and flushes any existing rules. It then creates the <literal>cmd</literal> variable so that <literal>ipfw add</literal> does not have to be typed at the beginning of every rule. It also defines the <literal>pif</literal> variable which represents the name of the interface that is attached to the Internet. 防火墙脚本的开头指明了这是一个 Bourne shell 脚本,并在规则载入之前刷新现有规则。它创建了<literal>cmd</literal>变量,这样就不用在每条规则开头输入<literal>ipfw add</literal>。同时还定义了<literal>pif</literal>变量,该变量表示连接到 Internet 接口的名称。
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="dc0" # interface name of NIC attached to Internet 		#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="dc0" # interface name of NIC attached to Internet
The first two rules allow all traffic on the trusted internal interface and on the loopback interface: 前两个规则允许受信任内部接口和环回接口上的所有流量:
# Change xl0 to LAN NIC interface name
$cmd 00005 allow all from any to any via xl0

# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0 		# Change xl0 to LAN NIC interface name
$cmd 00005 allow all from any to any via xl0

# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0
The next rule allows the packet through if it matches an existing entry in the dynamic rules table: 这条规则表示允许所有符合规则的流量通过:
$cmd 00101 check-state $cmd 00101 check-state
The next set of rules defines which stateful connections internal systems can create to hosts on the Internet: 下一条规则说明系统中的哪些服务能与 Internet 创建有状态连接:
# Allow access to public DNS
# Replace x.x.x.x with the IP address of a public DNS server
# and repeat for each DNS server in /etc/resolv.conf
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow outbound HTTP and HTTPS connections
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow outbound email connections
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow outbound ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow outbound NTP
$cmd 00260 allow udp from any to any 123 out via $pif keep-state

# Allow outbound SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# deny and log all other outbound connections
$cmd 00299 deny log all from any to any out via $pif 		# Allow access to public DNS
# Replace x.x.x.x with the IP address of a public DNS server
# and repeat for each DNS server in /etc/resolv.conf
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow outbound HTTP and HTTPS connections
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow outbound email connections
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow outbound ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow outbound NTP
$cmd 00260 allow udp from any to any 123 out via $pif keep-state

# Allow outbound SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# deny and log all other outbound connections
$cmd 00299 deny log all from any to any out via $pif
The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use <literal>limit</literal> to prevent flooding. 下一组规则控制 Internet 到内部网络的连接。它首先拒绝可能发起攻击的数据包,然后显式允许特定类型的连接。源自 Internet 的所有授权服务都使用<literal>limit</literal>来防止洪水攻击。
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D &amp; E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services.
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny fragments
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 00120.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow HTTP connections to internal web server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow inbound SSH connections
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject and log all other incoming connections
$cmd 00499 deny log all from any to any in via $pif 		# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D &amp; E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services.
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny fragments
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 00120.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow HTTP connections to internal web server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow inbound SSH connections
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject and log all other incoming connections
$cmd 00499 deny log all from any to any in via $pif
The last rule logs all packets that do not match any of the rules in the ruleset: 最后一条规则拒绝所有不符合规则的流量:
# Everything else is denied and logged
$cmd 00999 deny log all from any to any 		# Everything else is denied and logged
$cmd 00999 deny log all from any to any
In-kernel <acronym>NAT</acronym> In-kernel <acronym>NAT</acronym>
<personname> <firstname>Dries</firstname> <surname>Michiels</surname> </personname> <contrib>Rewritten and updated by </contrib> <personname> <firstname>Dries</firstname> <surname>Michiels</surname> </personname> <contrib>Rewritten and updated by </contrib>
<primary>NAT</primary> <secondary>and <application>IPFW</application></secondary> <primary>NAT</primary> <secondary>和<application>IPFW</application></secondary>
FreeBSD's <application>IPFW</application> firewall has two implementations of <acronym>NAT</acronym>: the userland implementation <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, and the more recent in-kernel <acronym>NAT</acronym> implementation. Both work in conjunction with <application>IPFW</application> to provide network address translation. This can be used to provide an Internet Connection Sharing solution so that several internal computers can connect to the Internet using a single public <acronym>IP</acronym> address. FreeBSD 的<application>IPFW</application>防火墙有两个<acronym>NAT</acronym>实现:一个是用户态<citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry>实现,另一个是最新的内核内<acronym>NAT</acronym>实现。两者都可与<application>IPFW</application>配合使用,提供网络地址转换。这可用于提供 Internet 连接共享解决方案,以便多个内部计算机可以使用单个公网<acronym>IP</acronym>地址连接到 Internet。
To do this, the FreeBSD machine connected to the Internet must act as a gateway. This system must have two <acronym>NIC</acronym>s, where one is connected to the Internet and the other is connected to the internal <acronym>LAN</acronym>. Each machine connected to the <acronym>LAN</acronym> should be assigned an <acronym>IP</acronym> address in the private network space, as defined by <link xlink:href="https://www.ietf.org/rfc/rfc1918.txt">RFC 1918</link>. 为此,连接到 Internet 的 FreeBSD 计算机必须充当网关。此系统必须具有两个<acronym>NIC(网口)</acronym>,其中一个连接到互联网,另一个连接到内部<acronym>LAN(本地网络)</acronym>。在LAN后面的每一台机子和接口应该被分配私有地址空间(由<link xlink:href="https://www.ietf.org/rfc/rfc1918.txt">RFC 1918</link>定义)里的 IP 地址。
Some additional configuration is needed in order to enable the in-kernel <acronym>NAT</acronym> facility of <application>IPFW</application>. To enable in-kernel <acronym>NAT</acronym> support at boot time, the following must be set in <filename>/etc/rc.conf</filename>: 为了启用<application>IPFW</application>的 in-kernel<acronym>NAT</acronym>功能,需要进行一些额外的配置。要在启动时启用内核内<acronym>NAT</acronym>支持,必须在<filename>/etc/rc.conf</filename>中设置以下内容:
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES" 		gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
When <literal>firewall_nat_enable</literal> is set but <literal>firewall_enable</literal> is not, it will have no effect and do nothing. This is because the in-kernel <acronym>NAT</acronym> implementation is only compatible with <application>IPFW</application>. 当<literal>firewall_nat_enable</literal>已设置,但<literal>firewall_enable</literal>未设置时,它将没有效果,不执行任何操作,因为 in-kernel<acronym>NAT</acronym>实现仅与<application>IPFW</application>兼容。
When the ruleset contains stateful rules, the positioning of the <acronym>NAT</acronym> rule is critical and the <literal>skipto</literal> action is used. The <literal>skipto</literal> action requires a rule number so that it knows which rule to jump to. The example below builds upon the firewall ruleset shown in the previous section. It adds some additional entries and modifies some existing rules in order to configure the firewall for in-kernel <acronym>NAT</acronym>. It starts by adding some additional variables which represent the rule number to skip to, the <literal>keep-state</literal> option, and a list of <acronym>TCP</acronym> ports which will be used to reduce the number of rules. 当规则集包含有状态的规则时,<acronym>NAT</acronym>规则的定位非常关键,并使用<literal>skipto</literal>动作。<literal>skipto</literal>动作需要一个规则编号,以便知道要跳转到哪个规则。下面的示例基于上一节中所示的防火墙规则集。它添加了一些条目并修改了一些现有规则,以便为 in-kernel <acronym>NAT</acronym>配置防火墙。它首先添加一些表示要跳到的规则编号、<literal>keep-state</literal> 选项和用于减少规则数的<acronym>TCP</acronym>端口列表。
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 1000"
pif=dc0
ks="keep-state"
good_tcpo="22,25,37,53,80,443,110" 		#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 1000"
pif=dc0
ks="keep-state"
good_tcpo="22,25,37,53,80,443,110"
With in-kernel <acronym>NAT</acronym> it is necessary to disable TCP segmentation offloading (<acronym>TSO</acronym>) due to the architecture of <citerefentry><refentrytitle>libalias</refentrytitle><manvolnum>3</manvolnum></citerefentry>, a library implemented as a kernel module to provide the in-kernel <acronym>NAT</acronym> facility of <application>IPFW</application>. <acronym>TSO</acronym> can be disabled on a per network interface basis using <citerefentry><refentrytitle>ifconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> or on a system wide basis using <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>. To disable <acronym>TSO</acronym> system wide, the following must be set it <filename>/etc/sysctl.conf</filename>: 由于<citerefentry><refentrytitle>libalias</refentrytitle><manvolnum>3</manvolnum></citerefentry>的体系结构,作为用于<application>IPFW</application>的 in-kernel <acronym>NAT</acronym>工具的内核模块实现的库,有必要禁用 TCP 分段卸载,(<acronym>TSO</acronym>)。使用<citerefentry><refentrytitle>ifconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry>为某个网口禁用 TSO 或使用<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry> 为系统内的所有网卡禁用 <acronym>TSO</acronym>。要在系统范围禁用<acronym>TSO</acronym>,必须在<filename>/etc/sysctl.conf</filename>中设置以下内容:
net.inet.tcp.tso="0" net.inet.tcp.tso="0"

Loading…

User avatar bhy

Translation uploaded

FreeBSD Doc (Archived) / books_handbookChinese (Simplified) (zh_CN)

The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use <literal>limit</literal> to prevent flooding.
下一组规则控制 Internet 到内部网络的连接。它首先拒绝可能发起攻击的数据包,然后显式允许特定类型的连接。源自 Internet 的所有授权服务都使用<literal>limit</literal>来防止洪水攻击。
a year ago
Browse all component changes

Glossary

English Chinese (Simplified) (zh_CN)
No related strings found in the glossary.

Source information

Source string comment
(itstool) path: sect2/para
Source string location
book.translate.xml:61861
String age
a year ago
Source string age
a year ago
Translation file
books/zh_CN/handbook.po, string 10170