[IT168 Server Academy] 7. Firewall Setup
The firewall is the first barrier between users and the server, and simple, effective rule design is the basic requirement of any firewall setup. The firewalls commonly used on BSD systems are IPFILTER, IPFW and PF, and PF now runs on FreeBSD, OpenBSD and NetBSD alike. I think the reason everyone uses PF is closely tied to its impressive track record. My PF firewall rules are listed below for reference.
# vi /etc/pf.conf
===========+===========+===========+============
ext_if = "{ fxp0 }"
loop = "lo0"
noroute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
ports = "{ 20, 21, 22, 25, 53, 80, 110 }"
web = "{127.0.0.1}"
set block-policy return
set optimization aggressive
set loginterface fxp0
set skip on lo0
scrub in all
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $web port 80
antispoof for $ext_if inet
block all
block return
block in quick on $ext_if os NMAP
block in quick on $ext_if from $noroute to any
block out quick on $ext_if from any to $noroute
pass in on $ext_if proto tcp from any to $web port 80 flags S/SA synproxy state
pass quick on $loop all
pass in quick on $ext_if proto {tcp,udp} from any to any port $ports keep state
pass in quick proto tcp from any to any port 55000 >< 56000 keep state
pass out quick on $ext_if all keep state
===========+===========+===========+============
FreeBSD provides a very handy PF service startup script:
# /etc/rc.d/pf start | stop | reload | restart
OpenBSD has no such script; PF is started by the shared /etc/rc script, which makes managing the PF service inconvenient. Below is a stand-alone PF startup script:
# /etc/rc.d/pf.sh
===========+===========+===========+============
#!/bin/sh
# made by llzqq
# 02/08/2005
# pf startup script
# pflogd flags: empty by default; set pflogd_flags in the environment or /etc/rc.conf to override
pflogd_flags=${pflogd_flags:-""}
case "$1" in
start)
	# bring up the pflog interface and start the logger if the interface exists
	if ifconfig pflog0 >/dev/null 2>&1; then
		ifconfig pflog0 up
		pflogd ${pflogd_flags}
	fi
	# enable PF, flush old rules and states, then load the rule set
	if [ -f /etc/pf.conf ]; then
		/sbin/pfctl -e -F all -f /etc/pf.conf
	fi
	;;
stop)
	# disable PF, flush everything, stop the logger and take pflog0 down
	/sbin/pfctl -d -F all
	/usr/bin/pkill pflogd
	/sbin/ifconfig pflog0 down
	;;
*)
	echo "$0 start | stop"
	;;
esac
exit 0
===========+===========+===========+============
# chmod 555 /etc/rc.d/pf.sh
# /etc/rc.d/pf.sh start | stop
In the rules above I redirect port 80 from the outside to the local loopback address (127.0.0.1), so that when the server is hit by a DoS attack, Apache does not crash from handling a flood of connections; the abnormal half-open connections are handled by the PF firewall instead. This makes dealing with DoS somewhat more efficient.
In addition, on a heavily loaded server you can consider turning off the firewall's logging service (pflog), which noticeably reduces the load on the server.
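One caveat a practitioner should check in the rule set above: PF lets the last matching rule win unless a matching rule carries quick, in which case that rule wins immediately. Since $ports contains 80 and the generic pass rule that follows the synproxy rule is quick, port 80 connections are passed by the generic rule and never synproxied. The fragment below is an added example, not part of the original article; it shows the weak ordering beside a corrected one and assumes the $ext_if and $web macros from the article.

```pf
# Weak ordering (as in the article): the synproxy rule is not quick, and the
# later quick rule also matches port 80, so the quick rule wins and web
# connections get a plain state entry, never the SYN proxy.
ports = "{ 20, 21, 22, 25, 53, 80, 110 }"
pass in on $ext_if proto tcp from any to $web port 80 flags S/SA synproxy state
pass in quick on $ext_if proto {tcp,udp} from any to any port $ports keep state

# Corrected ordering: keep 80 out of the generic list and make the synproxy
# rule quick, so it is the rule that creates the state for web traffic.
ports = "{ 20, 21, 22, 25, 53, 110 }"
pass in quick on $ext_if proto tcp from any to $web port 80 flags S/SA synproxy state
pass in quick on $ext_if proto {tcp,udp} from any to any port $ports keep state
```

Parse the file without loading it (pfctl -nvf /etc/pf.conf) to see the expanded rules in evaluation order before reloading.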