模板
教程
环境
性能
功能
管理
IP Filter Based Firewalls HOWTO(6)
3.8 合并所有规则 现在我们有了一个非常严谨的防火墙了,但是它可以更严谨。先前我们去掉的防止欺骗的规则集实际上是很有用的。建议把它加上: 3.9 用规则组优化防火墙 让我们扩展一下我们的防火墙,使我们的防火墙更有用,作为例子我们将改变一下接口名字xl0,xl1,xl2。 pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state block out on xl2 all pass out on xl0 all block out quick on xl1 all head 10 pass in quick on xl1 proto tcp/udp from 20.20.20.64/26 to any keep state block out on xl2 all
IP Filter Based Firewalls HOWTO
3.7 日志
如果你要使用日志设备dev/ipl,记得要加入关键字log.为了要看到日志信息,你必须运行ipmon(或者其它读取/dev/ipl的软件)。一般是使用ipmon -s向syslog写入信息。以ipfilter3.3为例,你甚至可以通过关键字log level控制syslog记录的行为:
block in log level auth.info quick on tun0 from 20.20.20.0/24 to any
block in log level auth.alert quick on tun0 proto tcp from any to 20.20.20.0/24 port = 21
另外你还可以对记录的信息进行裁剪,比如你对是否有人对你的te.net扫描感兴趣,但是对有人扫描你的telnet端口多少次并不感兴趣,你可以log first关键字来记录第一个包。
log的另外一个用处是跟踪你感兴趣的包,并且记录它的头部字段。Ipfilter使用关键字log body可以记录每个包的前128个字节。你应该限制使用body log,因为它会让你的日志变得冗长。
block in on tun0
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
pass out quick on tun0 proto tcp/udp from 20.20.20.1/32 to any keep state
pass out quick on tun0 proto icmp from 20.20.20.1/32 to any keep state
pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 80 flags S keep state
xl0接外部网络20.20.20.0/26
xl1用于代理20.20.20.64/26
xl2连接受防火墙保护的网络20.20.20.128/25
我们先定义整个规则,你应该能清楚地理解它:
block in quick on xl0 from 192.168.0.0/16 to any
block in quick on xl0 from 172.16.0.0/12 to any
block in quick on xl0 from 10.0.0.0/8 to any
block in quick on xl0 from 127.0.0.0/8 to any
block in quick on xl0 from 0.0.0.0/8 to any
block in quick on xl0 from 169.254.0.0/16 to any
block in quick on xl0 from 192.0.2.0/24 to any
block in quick on xl0 from 204.152.64.0/23 to any
block in quick on xl0 from 224.0.0.0/3 to any
block in log quick on xl0 from 20.20.20.0/24 to any
block in log quick on xl0 from any to 20.20.20.0/32
block in log quick on xl0 from any to 20.20.20.63/32
block in log quick on xl0 from any to 20.20.20.64/32
block in log quick on xl0 from any to 20.20.20.127/32
block in log quick on xl0 from any to 20.20.20.128/32
block in log quick on xl0 from any to 20.20.20.255/32
pass out on xl0 all
pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state
pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 20 flags S keep state
pass out quick on xl1 proto tcp from any to 20.20.20.65/32 port = 53 flags S keep state
pass out quick on xl1 proto udp from any to 20.20.20.65/32 port = 53 keep state
pass out quick on xl1 proto tcp from any to 20.20.20.66/32 port = 53 flags S keep state
pass out quick on xl1 proto udp from any to 20.20.20.66/32 port = 53 keep state
block out on xl1 all
pass in quick on xl1 proto tcp/udp from 20.20.20.64/26 to any keep state
pass in quick on xl2 proto tcp/udp from 20.20.20.128/25 to any keep state
从这个例子中,我们可以看出我的规则集变得越来越臃肿了。如果我们加入跟多的规则时,情况会变得更严重。影响到xl0与xl2之间通信的性能。如果你建立这样的防火墙,你会浪费大量的带宽和cpu时间,你可以通过建立规则分组来优化防火墙的性能。规则组允许你的规则写成树状结构而不是线形结构。树状结构将原来的规则按某种方式(如接口,ip地址)分成不同的组,而每个组有一条组规则,当一个包进入防火墙的时候先检查组规则,如果不符合则跳过整个规则组,这看起来就像一台机器上有好几个防火墙。
我们先从简单的例子开始:
block out quick on xl1 all head 10
pass out quick proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
block out on xl2 all
在这个简单的例子中,我们可以看出规则组的作用。当一个数据包的目标接口不是xl1的时候,不匹配规则组10组,并跳过第10组,当数据包的目标接口是xl1时匹配规则组10组其它规则短路(不起作用)。用这种方法我们重写上面的规则提高防火墙的性能。
block in quick on xl0 all head 1
block in quick on xl0 from 192.168.0.0/16 to any group 1
block in quick on xl0 from 172.16.0.0/12 to any group 1
block in quick on xl0 from 10.0.0.0/8 to any group 1
block in quick on xl0 from 127.0.0.0/8 to any group 1
block in quick on xl0 from 0.0.0.0/8 to any group 1
block in quick on xl0 from 169.254.0.0/16 to any group 1
block in quick on xl0 from 192.0.2.0/24 to any group 1
block in quick on xl0 from 204.152.64.0/23 to any group 1
block in quick on xl0 from 224.0.0.0/3 to any group 1
block in log quick on xl0 from 20.20.20.0/24 to any group 1
block in log quick on xl0 from any to 20.20.20.0/32 group 1
block in log quick on xl0 from any to 20.20.20.63/32 group 1
block in log quick on xl0 from any to 20.20.20.64/32 group 1
block in log quick on xl0 from any to 20.20.20.127/32 group 1
block in log quick on xl0 from any to 20.20.20.128/32 group 1
block in log quick on xl0 from any to 20.20.20.255/32 group 1
pass in on xl0 all group 1
pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state group 10
pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 20 flags S keep state group 10
pass out quick on xl1 proto tcp from any to 20.20.20.65/32 port = 53 flags S keep state group 10
pass out quick on xl1 proto udp from any to 20.20.20.65/32 port = 53 keep state group 10
pass out quick on xl1 proto tcp from any to 20.20.20.66/32 port = 53 flags S keep state
pass out quick on xl1 proto udp from any to 20.20.20.66/32 port = 53 keep state group 10
pass in quick on xl2 proto tcp/udp from 20.20.20.128/25 to any keep state
