国产成人v爽在线免播放观看,日韩欧美色,久久99国产精品久久99软件,亚洲综合色网站,国产欧美日韩中文久久,色99在线,亚洲伦理一区二区

學(xué)習(xí)啦 > 學(xué)習(xí)電腦 > 電腦安全 > 防火墻知識 >

FreeBSD配置防火墻開啟SSH服務(wù)的方法是什么

時間: 加城1195 分享

  防火墻主要由服務(wù)訪問規(guī)則、驗證工具、包過濾和應(yīng)用網(wǎng)關(guān)4個部分組成,防火墻就是一個位于計算機和它所連接的網(wǎng)絡(luò)之間的軟件或硬件。這篇文章主要介紹下如何下freebsd下配置防火墻開啟SSH服務(wù)的方法,需要的朋友可以參考下

  方法步驟

  1、配置FreeBSD 防火墻

  ee /etc/rc.conf #編輯,在最后添加

  firewall_enable="yes" #開啟防火墻

  net.inet.ip.fw.verbose=1 #啟用防火墻日志功能

  net.inet.ip.fw.verbose_limit=5 #啟用防火墻日志功能

  natd_enable="YES" # 開啟防火墻NAT功能

  natd_interface="rl0"

  natd_flags="-dynamic -m"

  firewall_script="/etc/ipfw.rules" #自定義防火墻規(guī)則路徑

  按esc,回車,再按a保存配置

  2、添加防火墻規(guī)則

  ee /etc/ipfw.rules #編輯防火墻規(guī)則,添加以下代碼

  #!/bin/sh

  ################ Start of IPFW rules file ######################

  # Flush out the list before we begin.

  ipfw -q -f flush

  # Set rules command prefix

  cmd="ipfw -q add"

  skip="skipto 800"

  pif="rl0" # public interface name of NIC

  # facing the public Internet

  #################################################################

  # No restrictions on Inside LAN Interface for private network

  # Change xl0 to your LAN NIC interface name

  #################################################################

  $cmd 005 allow all from any to any via xl0

  #################################################################

  # No restrictions on Loopback Interface

  #################################################################

  $cmd 010 allow all from any to any via lo0

  #################################################################

  # check if packet is inbound and nat address if it is

  #################################################################

  $cmd 014 divert natd ip from any to any in via $pif

  #################################################################

  # Allow the packet through if it has previous been added to the

  # the "dynamic" rules table by a allow keep-state statement.

  #################################################################

  $cmd 015 check-state

  #################################################################

  # Interface facing Public Internet (Outbound Section)

  # Check session start requests originating from behind the

  # firewall on the private network or from this gateway server

  # destined for the public Internet.

  #################################################################

  # Allow out access to my ISP's Domain name server.

  # x.x.x.x must be the IP address of your ISP's DNS

  # Dup these lines if your ISP has more than one DNS server

  # Get the IP addresses from /etc/resolv.conf file

  $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

  # Allow out access to my ISP's DHCP server for cable/DSL configurations.

  $cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state

  # Allow out non-secure standard www function

  $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

  # Allow out secure www function https over TLS SSL

  $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

  # Allow out send & get email function

  $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state

  $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

  # Allow out FreeBSD (make install & CVSUP) functions

  # Basically give user root "GOD" privileges.

  $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

  # Allow out ping

  $cmd 080 $skip icmp from any to any out via $pif keep-state

  # Allow out Time

  $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

  # Allow out nntp news (i.e. news groups)

  $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

  # Allow out secure FTP, Telnet, and SCP

  # This function is using SSH (secure shell)

  $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

  # Allow out whois

  $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

  # Allow ntp time server

  $cmd 130 $skip udp from any to any 123 out via $pif keep-state

  #################################################################

  # Interface facing Public Internet (Inbound Section)

  # Check packets originating from the public Internet

  # destined for this gateway server or the private network.

  #################################################################

  # Deny all inbound traffic from non-routable reserved address spaces

  #$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP

  $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP

  $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP

  $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback

  $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback

  $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config

  $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs

  $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster

  $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast

  # Deny ident

  $cmd 315 deny tcp from any to any 113 in via $pif

  # Deny all Netbios service. 137=name, 138=datagram, 139=session

  # Netbios is MS/Windows sharing services.

  # Block MS/Windows hosts2 name server requests 81

  $cmd 320 deny tcp from any to any 137 in via $pif

  $cmd 321 deny tcp from any to any 138 in via $pif

  $cmd 322 deny tcp from any to any 139 in via $pif

  $cmd 323 deny tcp from any to any 81 in via $pif

  # Deny any late arriving packets

  $cmd 330 deny all from any to any frag in via $pif

  # Deny ACK packets that did not match the dynamic rule table

  $cmd 332 deny tcp from any to any established in via $pif

  # Allow traffic in from ISP's DHCP server. This rule must contain

  # the IP address of your ISP's DHCP server as it's the only

  # authorized source to send this packet type.

  # Only necessary for cable or DSL configurations.

  # This rule is not needed for 'user ppp' type connection to

  # the public Internet. This is the same IP address you captured

  # and used in the outbound section.

  $cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state

  # Allow in standard www function because I have Apache server

  $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

  # Allow in secure FTP, Telnet, and SCP from public Internet

  $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

  # Allow in non-secure Telnet session from public Internet

  # labeled non-secure because ID & PW are passed over public

  # Internet as clear text.

  # Delete this sample group if you do not have telnet server enabled.

  $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

  # Reject & Log all unauthorized incoming connections from the public Internet

  $cmd 400 deny log all from any to any in via $pif

  # Reject & Log all unauthorized out going connections to the public Internet

  $cmd 450 deny log all from any to any out via $pif

  # This is skipto location for outbound stateful rules

  $cmd 800 divert natd ip from any to any out via $pif

  $cmd 801 allow ip from any to any

  # Everything else is denied by default

  # deny and log all packets that fell through to see what they are

  $cmd 999 deny log all from any to any

  ################ End of IPFW rules file ###############################

  備注:參數(shù)說明:

  #$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP

  我的IP地址是192.168.21.173,是屬于192.168.0.0/16 IP段,所以這里要注釋掉這一行,允許連接外網(wǎng),否則主機無法聯(lián)網(wǎng)。

  $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

  是開啟SSH默認端口22

  3、重啟網(wǎng)絡(luò)服務(wù),使防火墻規(guī)則生效

  /etc/netstart #重啟網(wǎng)絡(luò)

  /etc/rc.d/ipfw start #開啟防火墻

  ipfw disable firewall #關(guān)閉防火墻

  ipfw enable firewall #開啟防火墻

  /etc/rc.d/ipfw restart #重啟防火墻

  sh /etc/ipfw.rules #使防火墻規(guī)則生效

  4、開啟SSH服務(wù)

  (1)ee /etc/inetd.conf #編輯,去掉sshd前面的#

  ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4

  (2)ee /etc/rc.conf #編輯,在最后添加

  sshd_enable="yes"

  (3)ee /etc/ssh/sshd_config #編輯配置文件

  PermitRootLogin yes #允許root登錄

  PasswordAuthentication yes #使用密碼驗證

  PermitEmptyPasswords no #不允許空密碼登錄

  /etc/rc.d/sshd start #啟動ssh服務(wù)

  /etc/rc.d/sshd restart #重啟ssh

  配置完成,現(xiàn)在已經(jīng)可以使用Putty等遠程連接工具連接服務(wù)器了。

  #####################################################

  擴展閱讀:

  有兩種加載自定義 ipfw 防火墻規(guī)則的方法。

  其一是將變量 firewall_type 設(shè)為包含不帶 ipfw(8) 命令行選項的 防火墻規(guī)則 文件的完整路徑。

  例如:

  add allow in

  add allow out

  firewall_type="open"參數(shù)說明

  open ── 允許所有流量通過。

  client ── 只保護本機。

  simple ── 保護整個網(wǎng)絡(luò)。

  closed ── 完全禁止除回環(huán)設(shè)備之外的全部 IP 流量。

  UNKNOWN ── 禁止加載防火墻規(guī)則。

  filename ── 到防火墻規(guī)則文件的絕對路徑。

  IPFW防火墻規(guī)則集樣例在這兩個文件中

  /etc/rc.firewall

  /etc/rc.firewall6

  除此之外, 也可以將 firewall_script 變量設(shè)為包含 ipfw 命令的可執(zhí)行腳本, 這樣這個腳本會在啟動時自動執(zhí)行。

  補充閱讀:防火墻主要使用技巧

  一、所有的防火墻文件規(guī)則必須更改。

  盡管這種方法聽起來很容易,但是由于防火墻沒有內(nèi)置的變動管理流程,因此文件更改對于許多企業(yè)來說都不是最佳的實踐方法。如果防火墻管理員因為突發(fā)情況或者一些其他形式的業(yè)務(wù)中斷做出更改,那么他撞到槍口上的可能性就會比較大。但是如果這種更改抵消了之前的協(xié)議更改,會導(dǎo)致宕機嗎?這是一個相當高發(fā)的狀況。

  防火墻管理產(chǎn)品的中央控制臺能全面可視所有的防火墻規(guī)則基礎(chǔ),因此團隊的所有成員都必須達成共識,觀察誰進行了何種更改。這樣就能及時發(fā)現(xiàn)并修理故障,讓整個協(xié)議管理更加簡單和高效。

  二、以最小的權(quán)限安裝所有的訪問規(guī)則。

  另一個常見的安全問題是權(quán)限過度的規(guī)則設(shè)置。防火墻規(guī)則是由三個域構(gòu)成的:即源(IP地址),目的地(網(wǎng)絡(luò)/子網(wǎng)絡(luò))和服務(wù)(應(yīng)用軟件或者其他目的地)。為了確保每個用戶都有足夠的端口來訪問他們所需的系統(tǒng),常用方法是在一個或者更多域內(nèi)指定打來那個的目標對象。當你出于業(yè)務(wù)持續(xù)性的需要允許大范圍的IP地址來訪問大型企業(yè)的網(wǎng)絡(luò),這些規(guī)則就會變得權(quán)限過度釋放,因此就會增加不安全因素。服務(wù)域的規(guī)則是開放65535個TCP端口的ANY。防火墻管理員真的就意味著為黑客開放了65535個攻擊矢量?

  三、根據(jù)法規(guī)協(xié)議和更改需求來校驗每項防火墻的更改。

  在防火墻操作中,日常工作都是以尋找問題,修正問題和安裝新系統(tǒng)為中心的。在安裝最新防火墻規(guī)則來解決問題,應(yīng)用新產(chǎn)品和業(yè)務(wù)部門的過程中,我們經(jīng)常會遺忘防火墻也是企業(yè)安全協(xié)議的物理執(zhí)行者。每項規(guī)則都應(yīng)該重新審核來確保它能符合安全協(xié)議和任何法規(guī)協(xié)議的內(nèi)容和精神,而不僅是一篇法律條文。

  四、當服務(wù)過期后從防火墻規(guī)則中刪除無用的規(guī)則。

  規(guī)則膨脹是防火墻經(jīng)常會出現(xiàn)的安全問題,因為多數(shù)運作團隊都沒有刪除規(guī)則的流程。業(yè)務(wù)部門擅長讓你知道他們了解這些新規(guī)則,卻從來不會讓防火墻團隊知道他們不再使用某些服務(wù)了。了解退役的服務(wù)器和網(wǎng)絡(luò)以及應(yīng)用軟件更新周期對于達成規(guī)則共識是個好的開始。運行無用規(guī)則的報表是另外一步。黑客喜歡從來不刪除規(guī)則的防火墻團隊。


防火墻開啟SSH服務(wù)的方法是什么相關(guān)文章:

1.阿里云防火墻配置

2.sonicwall防火墻設(shè)置主要方法有哪些

3.如何解決端口映射之后還有訪問不了內(nèi)網(wǎng)的服務(wù)器

4.linux防火墻設(shè)置命令是什么

5.ssh防火墻連不上怎么辦

4041994