September 23, 2020
 




    freebsd server

freebsd server - freebsd firewall (pf) configuration and installation
Name: 바다아이   |   Views: 3678         Short URL: https://www.bada-ie.com/su/?931591783726
You don't need to install a separate package; everything is already included in FreeBSD.

There are several parts here; drop the parts you don't need
and set up only what is strictly necessary.
Below there is a part that creates a trusted file to restrict ssh access;
if you are not on a fixed IP, remove that part and just use any.
In that case you should change the port instead...


Next, we will edit our rc.conf file:

# vi /etc/rc.conf

Change it to look like this:

#----------- NETWORKING ------------------------------------------------#
hostname="ceph.domain1.com" # replace ceph.domain1.com with your domain
ifconfig_vtnet0="dhcp"
static_routes=linklocal
route_linklocal="-net 169.254.0.0/16 -interface vtnet0"

#--------- SERVICES BSD LOCAL ----------------------------------------#
sshd_enable="YES"
ntpd_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"              
pflog_logfile="/var/log/pflog"  
pflog_flags=""    


With an editor such as vi or ee, create the file /etc/pf.conf:

# vi /etc/pf.conf

Insert this: (replace any IP addresses with yours)

#######################################################################
me="vtnet0"                
table <bruteforcers> persist    
table <trusted> persist file "/etc/trusted"
icmp_types = "echoreq"          
junk_ports="{ 135,137,138,139,445,68,67,3222 }"
junk_ip="224.0.0.0/4"           

set loginterface vtnet0           
scrub on vtnet0 reassemble tcp no-df random-id

# ---- First rule obligatory "Pass all on loopback"
pass quick on lo0 all           

# ---- Block junk logs
block quick proto { tcp, udp } from any to $junk_ip 
block quick proto { tcp, udp } from any to any port $junk_ports

# ---- Second rule "Block all in and pass all out"
block in log all                
pass out all keep state         

############### FIREWALL ###############################################
# ---- Allow all traffic from my Home
pass quick proto {tcp, udp} from 1.2.3.4 to $me keep state

# ---- block SMTP out 
block quick proto tcp from $me to any port 25

# ---- Allow incoming Web traffic
pass quick proto tcp from any to $me port { 80, 443 } flags S/SA keep state

# ---- Allow my team member SSH access 
pass quick proto tcp from 1.2.3.5 to $me port ssh flags S/SA keep state

# ---- Block bruteforcers
block log quick from <bruteforcers>

# ---- Allow SSH from trusted sources, but block bruteforcers
pass quick proto tcp from <trusted> to $me port ssh \
flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 20/60, \
overload <bruteforcers> flush global)

# ---- Allow ICMP 
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out inet proto icmp all icmp-type $icmp_types keep state

Create the /etc/trusted file. This is the file the <trusted> table is loaded from; in it we put the IPs and networks we "trust".

# vi /etc/trusted

Add some IPs:

# Hosting
1.2.0.0/16

# My friends
1.2.4.0/24

Now some explanation. The junk ports and junk IPs are just ports/addresses whose noise we
don't want to see in the logs. Because these rules have no "log" keyword and are "quick", matching
packets are dropped silently before the logging block rule ever sees them:

# ---- Block junk logs
block quick proto { tcp, udp } from any to $junk_ip 
block quick proto { tcp, udp } from any to any port $junk_ports

These are just defaults and you don't have to worry about them:

icmp_types = "echoreq"                                            
set loginterface vtnet0           
scrub on vtnet0 reassemble tcp no-df random-id
pass quick on lo0 all
block in log all                
pass out all keep state

This rule blocks outgoing SMTP traffic from your server (which is the default on Vultr).

# ---- block SMTP out 
block quick proto tcp from $me to any port 25

Apart from the bruteforcers rule, the rest is pretty straightforward.

# ---- Allow SSH from trusted sources, but block bruteforcers
pass quick proto tcp from <trusted> to $me port ssh \
flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 20/60, \
overload <bruteforcers> flush global)

The bruteforcers rule says: allow connections from <trusted> IPs to port 22 (ssh), but only 10
concurrent connections from a single source IP. If a source exceeds 10, it is added to the
bruteforcers table, and the "Block bruteforcers" rule above then drops all of its traffic. The same
goes for the 20/60 rule: it means a maximum of 20 new connections in 60 seconds. "flush global"
additionally kills any states the offending IP already holds, not just the ones created by this rule.
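Because this ruleset only admits SSH from the <trusted> table, reloading with a trusted file that does not cover your own address locks you out (the note at the top of the post makes the same point for users without a fixed IP). The following POSIX sh script is an added example, not part of the Vultr guide or this site: it checks that a given IP falls inside at least one entry of /etc/trusted, then runs a parse-only check (pfctl -nf) before the real load. The file paths and sample addresses are assumptions; everything except the two pfctl calls runs on any system with awk.

```shell
#!/bin/sh
# Added example (not from the Vultr guide or bada-ie.com): refuse to reload the
# PF ruleset unless the address you administer from is covered by /etc/trusted.
# Only functions are defined here; see the usage note for how to call them.

# ip_to_int 1.2.3.4 -> 16909060 (dotted quad as an unsigned 32-bit number)
ip_to_int() {
    echo "$1" | awk -F. '{ printf "%d\n", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# cidr_contains IP CIDR -> exit status 0 if IP lies inside CIDR.
# A bare address (as in the "pass ... from 1.2.3.4" rule) is treated as /32.
cidr_contains() {
    ip=$1 cidr=$2
    case "$cidr" in
        */*) net=${cidr%/*}; bits=${cidr#*/} ;;
        *)   net=$cidr;      bits=32 ;;
    esac
    awk -v a="$(ip_to_int "$ip")" -v n="$(ip_to_int "$net")" -v b="$bits" 'BEGIN {
        # Two addresses share a /b network when they agree after dropping
        # the low (32 - b) bits; integer division by 2^(32-b) does that.
        div = 2 ^ (32 - b)
        exit (int(a / div) == int(n / div)) ? 0 : 1
    }'
}

# trusted_covers IP FILE -> exit status 0 if any non-comment entry of FILE
# (one IP or CIDR per line, "#" comments allowed, as in /etc/trusted) contains IP.
trusted_covers() {
    ip=$1 file=$2
    for entry in $(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file"); do
        cidr_contains "$ip" "$entry" && return 0
    done
    return 1
}

# safe_reload MY_IP [TRUSTED_FILE] [PF_CONF]: the guard in front of "pfctl -f".
# pfctl -nf parses the ruleset without loading it, so a syntax error is
# reported before anything changes; pfctl -f then does the actual reload
# (the same thing /etc/rc.d/pf reload does). Both need pfctl, i.e. FreeBSD.
safe_reload() {
    my_ip=$1
    trusted=${2:-/etc/trusted}
    conf=${3:-/etc/pf.conf}
    if ! trusted_covers "$my_ip" "$trusted"; then
        echo "refusing to reload: $my_ip is not covered by $trusted" >&2
        return 1
    fi
    pfctl -nf "$conf" || return 1
    pfctl -f "$conf"
}
```

On the server, call it from your SSH session as `safe_reload "${SSH_CLIENT%% *}"`: sshd sets SSH_CLIENT to "client-ip client-port server-port", so the check uses the address you are actually connecting from rather than one you typed by hand.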

Enable the firewall:

# vi /etc/rc.conf

Make sure these lines are present and not commented out (they were added to rc.conf above):

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Reboot:

# reboot 

If you have done everything right, you will be able to log in and the firewall will be
enabled. You don't have to reboot every time you change /etc/pf.conf. Just do:

# /etc/rc.d/pf reload

See who is trying to connect to your server in real-time:

# tcpdump -n -e -ttt -i pflog0

Show history:

# tcpdump -n -e -ttt -r /var/log/pflog

See if anyone is in the bruteforcers table:

# pfctl -t bruteforcers -T show
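Reading the raw pflog history line by line gets tedious quickly; what a practitioner usually wants is a count of which sources are hitting which blocked ports. The script below is an added example, not part of the Vultr guide or this site: it takes the same "tcpdump -n -e -ttt" output the guide reads from /var/log/pflog, keeps only the packets dropped by an inbound block rule, and summarises them by source IP and destination port. The sample lines are constructed (not a real capture, rule numbers illustrative), and the table-expiry helper at the end assumes the <bruteforcers> table from the ruleset above.

```shell
#!/bin/sh
# Added example (not from the Vultr guide or bada-ie.com): summarise who the
# logging block rules are dropping, from "tcpdump -n -e -ttt -r /var/log/pflog"
# output. Result lines look like "<count> <source IP> -> port <dst port>",
# most frequent first.

# Constructed sample of tcpdump -n -e -ttt output on pflog (not real capture
# data): three SSH attempts from one host, two MySQL probes from another, one
# ICMP echo, and one logged pass that must be ignored. Rule numbers are illustrative.
SAMPLE_PFLOG='00:00:00.000000 rule 3/0(match): block in on vtnet0: 203.0.113.7.52144 > 198.51.100.2.22: Flags [S], seq 1, win 65535, length 0
00:00:00.512000 rule 3/0(match): block in on vtnet0: 203.0.113.7.52145 > 198.51.100.2.22: Flags [S], seq 2, win 65535, length 0
00:00:01.020000 rule 3/0(match): block in on vtnet0: 203.0.113.7.52146 > 198.51.100.2.22: Flags [S], seq 3, win 65535, length 0
00:00:00.300000 rule 3/0(match): block in on vtnet0: 198.51.100.77.40000 > 198.51.100.2.3306: Flags [S], seq 4, win 65535, length 0
00:00:00.900000 rule 3/0(match): block in on vtnet0: 198.51.100.77.40001 > 198.51.100.2.3306: Flags [S], seq 5, win 65535, length 0
00:00:02.000000 rule 3/0(match): block in on vtnet0: 192.0.2.33 > 198.51.100.2: ICMP echo request, id 1, seq 1, length 64
00:00:00.100000 rule 8/0(match): pass in on vtnet0: 203.0.113.200.4444 > 198.51.100.2.443: Flags [S], seq 6, win 65535, length 0'

# blocked_summary: reads tcpdump pflog lines on stdin, keeps only blocked
# inbound packets, and counts (source IP, destination port) pairs.
blocked_summary() {
    awk '
    /\(match\): block in on / {
        # Fields after "on": "<iface>:" "<src>.<sport>" ">" "<dst>.<dport>:"
        for (i = 1; i <= NF; i++) if ($i == "on") { src = $(i + 2); dst = $(i + 4); break }
        sub(/:$/, "", dst)
        # IPv4 plus a port has four dots; a bare address (ICMP) has three.
        if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
        port = "-"
        if (gsub(/\./, ".", dst) == 4) { port = dst; sub(/.*\./, "", port) }
        count[src " -> port " port]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# top_blocked: the single busiest (source, port) pair, e.g. the first thing to
# compare against "pfctl -t bruteforcers -T show".
top_blocked() {
    blocked_summary | head -n 1
}

# expire_bruteforcers [SECONDS]: the <bruteforcers> table is "persist" with no
# expiry, so an address stays blocked until removed. This deletes entries whose
# statistics were last cleared (or which were added) more than SECONDS ago;
# default one day. Needs pfctl, i.e. runs on the FreeBSD host only.
expire_bruteforcers() {
    pfctl -t bruteforcers -T expire "${1:-86400}"
}
```

Run it against the live log with `tcpdump -n -e -ttt -r /var/log/pflog | blocked_summary | head`; the sample variable is only there so the functions can be exercised offline.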

And that's it. You have successfully implemented PF firewall on FreeBSD server!


Source: https://www.vultr.com/docs/how-to-secure-freebsd-with-pf-firewall
