[Linux]FreeBSD配置防火墙&开启SSH远程登录服务

2021年3月9日星期二 | | |

1、安装时选择上SSH,或者源码安装SSH
2、使用root登陆系统
3、使用ee编辑器编辑/etc/inetd.conf,去掉ssh前的#,按ctrl+c,再输入exit保存退出
4、编辑/etc/rc.conf,添加一行sshd_enable="YES"
5、编辑/etc/ssh/sshd_config,将
#PermitRootLogin no改为PermitRootLogin yes //允许root登陆
#PasswordAuthentication no改为PasswordAuthenticationyes//使用系统PAM认证
#PermitEmptyPasswords no改为PermitEmptyPasswords no//不允许空密码

修改端口号:/etc/ssh/sshd_config

    #port=22改为 Port=number(你想修改的数字)

保存退出
6、启动SSHD服务,/etc/rc.d/sshd start
7、查看服务是否启动,netstat -an,如果看到22端口有监听,恭喜!!!

1、配置FreeBSD 防火墙
ee /etc/rc.conf #编辑,在最后添加
firewall_enable="yes" #开启防火墙
net.inet.ip.fw.verbose=1 #启用防火墙日志功能
net.inet.ip.fw.verbose_limit=5 #启用防火墙日志功能
natd_enable="YES" # 开启防火墙NAT功能
natd_interface="rl0"
natd_flags="-dynamic -m"
firewall_script="/etc/ipfw.rules" #自定义防火墙规则路径
按esc,回车,再按a保存配置

2、添加防火墙规则
系统运维 温馨提醒:qihang01原创内容版权所有,转载请注明出处及原文链接
ee /etc/ipfw.rules #编辑防火墙规则,添加以下代码

#!/bin/sh  ################ Start of IPFW rules file ######################  # Flush out the list before we begin.  ipfw -q -f flush    # Set rules command prefix  cmd="ipfw -q add"  skip="skipto 800"  pif="rl0" # public interface name of NIC   # facing the public Internet    #################################################################  # No restrictions on Inside LAN Interface for private network  # Change xl0 to your LAN NIC interface name  #################################################################  $cmd 005 allow all from any to any via xl0    #################################################################  # No restrictions on Loopback Interface  #################################################################  $cmd 010 allow all from any to any via lo0    #################################################################  # check if packet is inbound and nat address if it is  #################################################################  $cmd 014 divert natd ip from any to any in via $pif    #################################################################  # Allow the packet through if it has previous been added to the  # the "dynamic" rules table by a allow keep-state statement.  #################################################################  $cmd 015 check-state    #################################################################  # Interface facing Public Internet (Outbound Section)  # Check session start requests originating from behind the  # firewall on the private network or from this gateway server  # destined for the public Internet.  #################################################################    # Allow out access to my ISP's Domain name server.  # x.x.x.x must be the IP address of your ISP's DNS  # Dup these lines if your ISP has more than one DNS server  # Get the IP addresses from /etc/resolv.conf file  $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state  # Allow out access to my ISP's DHCP server for cable/DSL configurations.  $cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state    # Allow out non-secure standard www function  $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state    # Allow out secure www function https over TLS SSL  $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state    # Allow out send & get email function  $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state  $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state    # Allow out FreeBSD (make install & CVSUP) functions  # Basically give user root "GOD" privileges.  $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root    # Allow out ping  $cmd 080 $skip icmp from any to any out via $pif keep-state    # Allow out Time  $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state    # Allow out nntp news (i.e. news groups)  $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state    # Allow out secure FTP, Telnet, and SCP  # This function is using SSH (secure shell)  $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state    # Allow out whois  $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state    # Allow ntp time server  $cmd 130 $skip udp from any to any 123 out via $pif keep-state    #################################################################  # Interface facing Public Internet (Inbound Section)  # Check packets originating from the public Internet  # destined for this gateway server or the private network.  #################################################################    # Deny all inbound traffic from non-routable reserved address spaces  #$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP  $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP  $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP  $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback  $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback  $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config  $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs  $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster  $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast    # Deny ident  $cmd 315 deny tcp from any to any 113 in via $pif    # Deny all Netbios service. 137=name, 138=datagram, 139=session  # Netbios is MS/Windows sharing services.  # Block MS/Windows hosts2 name server requests 81  $cmd 320 deny tcp from any to any 137 in via $pif  $cmd 321 deny tcp from any to any 138 in via $pif  $cmd 322 deny tcp from any to any 139 in via $pif  $cmd 323 deny tcp from any to any 81 in via $pif    # Deny any late arriving packets  $cmd 330 deny all from any to any frag in via $pif    # Deny ACK packets that did not match the dynamic rule table  $cmd 332 deny tcp from any to any established in via $pif    # Allow traffic in from ISP's DHCP server. This rule must contain  # the IP address of your ISP's DHCP server as it's the only  # authorized source to send this packet type.  # Only necessary for cable or DSL configurations.  # This rule is not needed for 'user ppp' type connection to  # the public Internet. This is the same IP address you captured  # and used in the outbound section.  $cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state    # Allow in standard www function because I have Apache server  $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2    # Allow in secure FTP, Telnet, and SCP from public Internet  $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2    # Allow in non-secure Telnet session from public Internet  # labeled non-secure because ID & PW are passed over public  # Internet as clear text.  # Delete this sample group if you do not have telnet server enabled.  $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2    # Reject & Log all unauthorized incoming connections from the public Internet  $cmd 400 deny log all from any to any in via $pif    # Reject & Log all unauthorized out going connections to the public Internet  $cmd 450 deny log all from any to any out via $pif    # This is skipto location for outbound stateful rules  $cmd 800 divert natd ip from any to any out via $pif  $cmd 801 allow ip from any to any    # Everything else is denied by default  # deny and log all packets that fell through to see what they are  $cmd 999 deny log all from any to any  ################ End of IPFW rules file ###############################    

备注:参数说明:
#$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
我的IP地址是192.168.21.173,是属于192.168.0.0/16 IP段,所以这里要注释掉这一行,允许连接外网,否则主机无法联网。
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
是开启SSH默认端口22
3、重启网络服务,使防火墙规则生效
系统运维 温馨提醒:qihang01原创内容版权所有,转载请注明出处及原文链接
/etc/netstart #重启网络
/etc/rc.d/ipfw start #开启防火墙
ipfwdisable firewall #关闭防火墙
ipfw enable firewall #开启防火墙
/etc/rc.d/ipfw restart #重启防火墙
sh /etc/ipfw.rules #使防火墙规则生效
4、开启SSH服务
(1)ee /etc/inetd.conf #编辑,去掉sshd前面的#
ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4
(2)ee /etc/rc.conf #编辑,在最后添加
sshd_enable="yes" 
(3)ee /etc/ssh/sshd_config #编辑配置文件
PermitRootLogin yes #允许root登录
PasswordAuthentication yes #使用密码验证
PermitEmptyPasswords no #不允许空密码登录
/etc/rc.d/sshd start #启动ssh服务
/etc/rc.d/sshd restart #重启ssh
配置完成,现在已经可以使用Putty等远程连接工具连接服务器了。
#####################################################
扩展阅读:

有两种加载自定义 ipfw 防火墙规则的方法。
其一是将变量 firewall_type 设为包含不带 ipfw(8) 命令行选项的 防火墙规则 文件的完整路径。
例如:
add allow in
add allow out
firewall_type="open"参数说明
open ── 允许所有流量通过。
client ── 只保护本机。
simple ── 保护整个网络。
closed ── 完全禁止除回环设备之外的全部 IP 流量。
UNKNOWN ── 禁止加载防火墙规则。
filename ── 到防火墙规则文件的绝对路径。
IPFW防火墙规则集样例在这两个文件中
/etc/rc.firewall
/etc/rc.firewall6
除此之外, 也可以将 firewall_script 变量设为包含 ipfw 命令的可执行脚本, 这样这个脚本会在启动时自动执行。
#####################################################


 参考网络:www.dedecms.com/knowledge/servers/linux-bsd/2012/0819/8376.html


0 评论:


所有文章收集于网络,如果有牵扯到版权问题请与本站站长联系。谢谢合作![email protected]