测试机IP为211.162.77.73
网卡为:xl0
内核中加了流量管理,你可以根据实际需要增删。
uname -a
如果你用的是默认内核GENERIC则如下操作:
=============================================
cd /sys/i386/conf
cp GENERIC ./GENERIC_IPFW
---------------------------------
ee GENERIC_IPFW 添加以下内容
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPSTEALTH
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options ICMP_BANDLIM
options DUMMYNET
---------------------------------
config ./GENERIC_IPFW
cd ../../compile/GENERIC_IPFW
make depend all install
---------------------------------
ee /etc/rc.conf 添加以下内容
##########IP-firewall#################
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.conf"
firewall_quiet="YES"
firewall_logging_enable="YES"
---------------------------------
ee /etc/syslog.conf 添加以下内容
!ipfw
*.* /var/log/ipfw.log
---------------------------------
ee /etc/ipfw.conf 添加以下内容
add 00001 deny log ip from any to any ipopt rr
add 00002 deny log ip from any to any ipopt ts
add 00003 deny log ip from any to any ipopt ssrr
add 00004 deny log ip from any to any ipopt lsrr
add 00005 deny tcp from any to any in tcpflags syn,fin
#######tcp#########
add 10000 allow tcp from 211.162.77.77 to 211.162.77.73 22 in
add 10001 allow tcp from any to 211.162.77.73 21,25,80,110,3306,5999 in
add 19997 check-state
add 19998 allow tcp from any to any out keep-state setup
add 19999 allow tcp from any to any out
######udp##########
add 20001 allow udp from any 53 to me in recv xl0
add 20002 allow udp from any to 211.162.77.73 53 in recv xl0
add 29999 allow udp from any to any out
######icmp#########
add 30000 allow icmp from any to any icmptypes 3,4
add 30001 allow icmp from any to any icmptypes 8 out
add 30002 allow icmp from any to any icmptypes 0,11 in
