<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Firewalls</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="Kerberos5" href="kerberos5.html" />
<link rel="NEXT" title="OpenSSL" href="openssl.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><th colspan="3" align="center">FreeBSD Handbook</th></tr>
<tr>
<td width="10%" align="left" valign="bottom"><a href="kerberos5.html" accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14. Security</td>
<td width="10%" align="right" valign="bottom"><a href="openssl.html" accesskey="N">Next</a></td>
</tr>
</table>
<hr align="LEFT" width="100%" />
</div>
<div class="SECT1">
<h1 class="SECT1"><a id="FIREWALLS" name="FIREWALLS">14.8. Firewalls</a></h1>
<i class="AUTHORGROUP"><span class="CONTRIB">Contributed by</span> Gary Palmer and Alex Nash.</i>
<p>Firewalls are an area of increasing interest for people who are connected to the Internet, and are even finding applications on private networks to provide enhanced security. This section will hopefully explain what firewalls are, how to use them, and how to use the facilities provided in the FreeBSD kernel to implement them.</p>
<div class="NOTE"><blockquote class="NOTE">
<p><b>Note:</b> People often think that having a firewall between your internal network and the ``Big Bad Internet'' will solve all your security problems. It may help, but a poorly set up firewall system is more of a security risk than not having one at all. A firewall can add another layer of security to your systems, but it cannot stop a really determined cracker from penetrating your internal network. If you let internal security lapse because you believe your firewall to be impenetrable, you have just made the cracker's job that much easier.</p>
</blockquote></div>
<div class="SECT2">
<h2 class="SECT2"><a id="AEN20074" name="AEN20074">14.8.1. What Is a Firewall?</a></h2>
<p>There are currently two distinct types of firewalls in common use on the Internet today. The first type is more properly called a <span class="emphasis"><i class="EMPHASIS">packet filtering router</i></span>. This type of firewall utilizes a multi-homed machine and a set of rules to determine whether to forward or block individual packets. A multi-homed machine is simply a device with multiple network interfaces. The second type, known as a <span class="emphasis"><i class="EMPHASIS">proxy server</i></span>, relies on daemons to provide authentication and to forward packets, possibly on a multi-homed machine which has kernel packet forwarding disabled.</p>
<p>Sometimes sites combine the two types of firewalls, so that only a certain machine (known as a <span class="emphasis"><i class="EMPHASIS">bastion host</i></span>) is allowed to send packets through a packet filtering router onto an internal network. Proxy services are run on the bastion host, which are generally more secure than normal authentication mechanisms.</p>
<p>FreeBSD comes with a kernel packet filter (known as IPFW), which is what the rest of this section will concentrate on. Proxy servers can be built on FreeBSD from third party software, but there is such a variety of proxy servers available that it would be impossible to cover them in this section.</p>
<div class="SECT3">
<h3 class="SECT3"><a id="FIREWALLS-PACKET-FILTERS" name="FIREWALLS-PACKET-FILTERS">14.8.1.1. Packet Filtering Routers</a></h3>
<p>A router is a machine which forwards packets between two or more networks. A packet filtering router is programmed to compare each packet to a list of rules before deciding if it should be forwarded or not. Most modern IP routing software includes packet filtering functionality that defaults to forwarding all packets. To enable the filters, you need to define a set of rules.</p>
<p>To decide whether a packet should be passed on, the firewall looks through its set of rules for a rule which matches the contents of the packet's headers. Once a match is found, the rule action is obeyed. The rule action could be to drop the packet, to forward the packet, or even to send an ICMP message back to the originator. Only the first match counts, as the rules are searched in order. Hence, the list of rules can be referred to as a ``rule chain''.</p>
<p>The packet-matching criteria vary depending on the software used, but typically you can specify rules which depend on the source IP address of the packet, the destination IP address, the source port number, the destination port number (for protocols which support ports), or even the packet type (UDP, TCP, ICMP, etc).</p>
</div>
<div class="SECT3">
<h3 class="SECT3"><a id="FIREWALLS-PROXY-SERVERS" name="FIREWALLS-PROXY-SERVERS">14.8.1.2. Proxy Servers</a></h3>
<p>Proxy servers are machines which have had the normal system daemons (<b class="APPLICATION">telnetd</b>, <b class="APPLICATION">ftpd</b>, etc) replaced with special servers. These servers are called <span class="emphasis"><i class="EMPHASIS">proxy servers</i></span>, as they normally only allow onward connections to be made. This enables you to run (for example) a proxy <b class="APPLICATION">telnet</b> server on your firewall host, and people can <b class="APPLICATION">telnet</b> in to your firewall from the outside, go through some authentication mechanism, and then gain access to the internal network (alternatively, proxy servers can be used for signals coming from the internal network and heading out).</p>
<p>Proxy servers are normally more secure than normal servers, and often have a wider variety of authentication mechanisms available, including ``one-shot'' password systems so that even if someone manages to discover what password you used, they will not be able to use it to gain access to your systems as the password expires immediately after the first use. As they do not actually give users access to the host machine, it becomes a lot more difficult for someone to install backdoors around your security system.</p>
<p>Proxy servers often have ways of restricting access further, so that only certain hosts can gain access to the servers. Most will also allow the administrator to specify which users can talk to which destination machines. Again, what facilities are available depends largely on what proxy software you choose.</p>
</div>
</div>
<div class="SECT2">
<h2 class="SECT2"><a id="AEN20099" name="AEN20099">14.8.2. What Does IPFW Allow Me to Do?</a></h2>
<p>IPFW, the software supplied with FreeBSD, is a packet filtering and accounting system which resides in the kernel, and has a user-land control utility, <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ipfw</span>(8)</span>. Together, they allow you to define and query the rules used by the kernel in its routing decisions.</p>
<p>There are two related parts to IPFW. The firewall section performs packet filtering. There is also an IP accounting section which tracks usage of the router, based on rules similar to those used in the firewall section. This allows the administrator to monitor how much traffic the router is getting from a certain machine, or how much WWW traffic it is forwarding, for example.</p>
<p>As a result of the way that IPFW is designed, you can use IPFW on non-router machines to perform packet filtering on incoming and outgoing connections. This is a special case of the more general use of IPFW, and the same commands and techniques should be used in this situation.</p>
</div>
<div class="SECT2">
<h2 class="SECT2"><a id="AEN20110" name="AEN20110">14.8.3. Enabling IPFW on FreeBSD</a></h2>
<p>As the main part of the IPFW system lives in the kernel, you will need to add one or more options to your kernel configuration file, depending on what facilities you want, and recompile your kernel. See "Reconfiguring your Kernel" (<a href="kernelconfig.html">Chapter 8</a>) for more details on how to recompile your kernel.</p>
<div class="WARNING"><blockquote class="WARNING">
<p><b>Warning:</b> IPFW defaults to a policy of <var class="LITERAL">deny ip from any to any</var>. If you do not add other rules during startup to allow access, <span class="emphasis"><i class="EMPHASIS">you will lock yourself out</i></span> of the server upon rebooting into a firewall-enabled kernel. We suggest that you set <var class="LITERAL">firewall_type=open</var> in your <tt class="FILENAME">/etc/rc.conf</tt> file when first enabling this feature, then refine the firewall rules in <tt class="FILENAME">/etc/rc.firewall</tt> after you have tested that the new kernel feature works properly. To be on the safe side, you may wish to consider performing the initial firewall configuration from the local console rather than via <b class="APPLICATION">ssh</b>. Another option is to build a kernel using both the <var class="LITERAL">IPFIREWALL</var> and <var class="LITERAL">IPFIREWALL_DEFAULT_TO_ACCEPT</var> options. This will change the default rule of IPFW to <var class="LITERAL">allow ip from any to any</var> and avoid the possibility of a lockout.</p>
</blockquote></div>
<p>There are currently four kernel configuration options relevant to IPFW:</p>
<div class="VARIABLELIST"><dl>
<dt><var class="LITERAL">options IPFIREWALL</var></dt>
<dd><p>Compiles into the kernel the code for packet filtering.</p></dd>
<dt><var class="LITERAL">options IPFIREWALL_VERBOSE</var></dt>
<dd><p>Enables code to allow logging of packets through <span class="CITEREFENTRY"><span class="REFENTRYTITLE">syslogd</span>(8)</span>. Without this option, even if you specify that packets should be logged in the filter rules, nothing will happen.</p></dd>
<dt><var class="LITERAL">options IPFIREWALL_VERBOSE_LIMIT=10</var></dt>
<dd><p>Limits the number of packets logged through <span class="CITEREFENTRY"><span class="REFENTRYTITLE">syslogd</span>(8)</span> on a per entry basis. You may wish to use this option in hostile environments in which you want to log firewall activity, but do not want to be open to a denial of service attack via syslog flooding.</p>
<p>When a chain entry reaches the packet limit specified, logging is turned off for that particular entry. To resume logging, you will need to reset the associated counter using the <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ipfw</span>(8)</span> utility:</p>
<pre class="SCREEN"><samp class="PROMPT">#</samp> <kbd class="USERINPUT">ipfw zero 4500</kbd></pre>
<p>Where 4500 is the chain entry you wish to continue logging.</p></dd>
<dt><var class="LITERAL">options IPFIREWALL_DEFAULT_TO_ACCEPT</var></dt>
<dd><p>This changes the default rule action from ``deny'' to ``allow''. This avoids the possibility of locking yourself out if you happen to boot a kernel with <var class="LITERAL">IPFIREWALL</var> support but have not configured your firewall yet. It is also very useful if you often use <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ipfw</span>(8)</span> as a filter for specific problems as they arise. Use with care though, as this opens up the firewall and changes the way it works.</p></dd>
</dl></div>
<div class="NOTE"><blockquote class="NOTE">
<p><b>Note:</b> Previous versions of FreeBSD contained an <var class="LITERAL">IPFIREWALL_ACCT</var> option. This is now obsolete as the firewall code automatically includes accounting facilities.</p>
</blockquote></div>
</div>
<div class="SECT2">
<h2 class="SECT2"><a id="AEN20174" name="AEN20174">14.8.4. Configuring IPFW</a></h2>
<p>The configuration of the IPFW software is done through the <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ipfw</span>(8)</span> utility. The syntax for this command looks quite complicated, but it is relatively simple once you understand its structure.</p>
<p>There are currently four different command categories used by the utility: addition/deletion, listing, flushing, and clearing. Addition/deletion is used to build the rules that control how packets are accepted, rejected, and logged. Listing is used to examine the contents of your rule set (otherwise known as the chain) and packet counters (accounting). Flushing is used to remove all entries from the chain. Clearing is used to zero out one or more accounting entries.</p>
<div class="SECT3">
<h3 class="SECT3"><a id="AEN20185" name="AEN20185">14.8.4.1. Altering the IPFW Rules</a></h3>
<p>The syntax for this form of the command is:</p>
<p><tt class="COMMAND">ipfw</tt> [-N] command [index] action [log] protocol addresses [options]</p>
<br /><br />
<p>There is one valid flag when using this form of the command:</p>
<div class="VARIABLELIST"><dl>
<dt>-N</dt>
<dd><p>Resolve addresses and service names in output.</p></dd>
</dl></div>
<p>The <span class="emphasis"><i class="EMPHASIS">command</i></span> given can be
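<p>The chain behaviour this section describes (rules searched in index order with the first match deciding, a default rule at the end whose action <var class="LITERAL">IPFIREWALL_DEFAULT_TO_ACCEPT</var> flips from deny to allow, a packet counter per entry, the per-entry log cap of <var class="LITERAL">IPFIREWALL_VERBOSE_LIMIT</var>, and <tt class="COMMAND">ipfw zero</tt> resetting that counter so logging resumes) can be seen working in the following Python model. It is an example added to this page, not FreeBSD or IPFW code, and it never touches a kernel: the <tt class="LITERAL">Chain</tt>, <tt class="LITERAL">Rule</tt> and <tt class="LITERAL">Packet</tt> classes, the rule numbers 1000 and 2000, the simplified log line format and the addresses 10.0.0.5, 192.0.2.0/24, 192.0.2.7 and 198.51.100.9 are all made up for the illustration. The four command categories listed under Configuring IPFW appear as the <tt class="LITERAL">add</tt>/<tt class="LITERAL">delete</tt>, <tt class="LITERAL">listing</tt>, <tt class="LITERAL">flush</tt> and <tt class="LITERAL">zero</tt> methods.</p>

```python
# Toy first-match packet-filter chain modelled on the IPFW ideas in this section. This is an
# illustration added for this page, not FreeBSD's code; rules, addresses and packets are made up.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for protocols without ports


def _in_net(addr: str, net: str) -> bool:  # the keyword "any" matches every address
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass
class Rule:
    index: int                   # chain position; lower indices are searched first
    action: str                  # "allow" or "deny"
    proto: str = "ip"            # "ip" matches every protocol
    src: str = "any"             # "any" or a CIDR network
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port
    log: bool = False            # the optional [log] keyword
    pkts: int = 0                # accounting counter for this entry
    logged: int = 0              # log lines already emitted for this entry

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return _in_net(p.src, self.src) and _in_net(p.dst, self.dst)


class Chain:
    """Rule chain with the four ipfw command categories: add/delete, list, flush, zero."""

    def __init__(self, default_to_accept: bool = False, verbose_limit: int = 10):
        self.rules: Dict[int, Rule] = {}
        # IPFIREWALL_DEFAULT_TO_ACCEPT turns the built-in last rule from deny into allow.
        self.default_action = "allow" if default_to_accept else "deny"
        self.verbose_limit = verbose_limit  # IPFIREWALL_VERBOSE_LIMIT, applied per entry
        self.syslog: List[str] = []         # stands in for syslogd(8)

    def add(self, rule: Rule) -> None:
        self.rules[rule.index] = rule

    def delete(self, index: int) -> None:
        self.rules.pop(index, None)

    def flush(self) -> None:
        self.rules.clear()

    def zero(self, index: Optional[int] = None) -> None:  # one entry, or all of them
        for r in ([self.rules[index]] if index is not None else self.rules.values()):
            r.pkts = r.logged = 0  # clearing the counter also restores the log budget

    def listing(self) -> List[str]:  # search order, packet counter first, default rule last
        lines = [f"{r.index:05d} {r.pkts:6d} {r.action} {'log ' if r.log else ''}{r.proto} "
                 f"from {r.src} to {r.dst}{'' if r.dport is None else f' {r.dport}'}"
                 for r in sorted(self.rules.values(), key=lambda r: r.index)]
        return lines + [f"65535 {0:6d} {self.default_action} ip from any to any"]

    def check(self, p: Packet) -> str:
        """Action for p: the first matching rule decides, otherwise the default rule does."""
        for r in sorted(self.rules.values(), key=lambda r: r.index):
            if r.matches(p):
                r.pkts += 1
                if r.log and r.logged < self.verbose_limit:  # past the limit: stay silent
                    r.logged += 1
                    dst = p.dst if p.dport is None else f"{p.dst}:{p.dport}"
                    self.syslog.append(f"ipfw: {r.index} {r.action.capitalize()} "
                                       f"{p.proto.upper()} {p.src} {dst}")
                return r.action
        return self.default_action


def build_chain(default_to_accept: bool = False, verbose_limit: int = 10) -> Chain:
    """Constructed rule set: 1000 precedes 2000, so 192.0.2.0/24 still reaches the web port."""
    chain = Chain(default_to_accept, verbose_limit)
    chain.add(Rule(1000, "allow", "tcp", "any", "10.0.0.5/32", dport=80))
    chain.add(Rule(2000, "deny", "tcp", "192.0.2.0/24", "any", log=True))
    return chain


def log_limit_demo(n: int = 12, limit: int = 10) -> Tuple[int, int]:
    """Push n packets into the logging deny rule, then zero it as `ipfw zero 2000` would."""
    chain = build_chain(verbose_limit=limit)
    probe = Packet("tcp", "192.0.2.7", "10.0.0.5", 22)
    for _ in range(n):
        chain.check(probe)
    capped = len(chain.syslog)  # grows no further than `limit`
    chain.zero(2000)            # counter reset, so logging resumes
    chain.check(probe)
    return capped, len(chain.syslog)
```

<p>Two details are worth checking against a real rule set. A TCP packet from 192.0.2.7 to port 80 on 10.0.0.5 is allowed, because rule 1000 matches before rule 2000 is ever consulted; swapping the two indices changes the outcome, which is exactly the ``only the first match counts'' rule above. And <tt class="LITERAL">log_limit_demo()</tt> returns <tt class="LITERAL">(10, 11)</tt>: twelve hits on the logging rule produce only ten log lines, and one more line appears only after the entry is zeroed.</p>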