本文介绍在MacOSX系统中使用ipfw防火墙的方法,包括配置规则、启动服务等步骤,适用于个人Web服务器管理和远程SSH登录。
ipfw是BSD系统中重要的防火墙和通信控制工具,在MacOSX中也很好用。先简单贴几个用法,有空再补上:
列出配置表
[code]
ipfw list
[/code]
禁用ping,即ICMP协议
[code]
ipfw add 3333 deny icmp from any to any via en0
[/code]
取消,则用
[code]
ipfw del 3333
[/code]
* 续
ipfw重启之后就失效了,为了使每次开机都有效,需要加入到启动服务器中,下面是MacOSX下的一个配置例子:
1. 将ipfw规则写入自定的配置文件,例如/etc/rc.firewall
[code]
#!/bin/sh
IPFW='/sbin/ipfw -q'
$IPFW -f flush
$IPFW add 2000 allow ip from any to any via lo*
$IPFW add 2010 deny log ip from 127.0.0.0/8 to any in
$IPFW add 2020 deny log ip from any to 127.0.0.0/8 in
$IPFW add 2030 deny log ip from 224.0.0.0/3 to any in
$IPFW add 2040 deny log tcp from any to 224.0.0.0/3 in
$IPFW add 2050 allow log tcp from any to any out
$IPFW add 2060 allow log tcp from any to any established
$IPFW add 2070 allow log tcp from any to any 22 in
$IPFW add 2080 allow log tcp from any to any 80 in
$IPFW add 2090 allow log tcp from any to any 427 in
$IPFW add 12190 deny log tcp from any to any
[/code]
以上配置规则适合个人web服务器管理,并开启远程ssh登录管理端口。摘自:
[url]http://www.macdevcenter.com/pub/a/mac/2005/03/15/firewall.html[/url]
2. 建立目录/Library/StartupItems/Firewall,并在Firewall中创建两个文件:Firewall和StartupParameters.plist。设置属性:
[code]
chmod ug+x Firewall StartupParameters.plist
[/code]
Firewall脚本内容如下:
[code]
. /etc/rc.common
StartService ()
{
if [ "${FIREWALL:=-NO-}" = "-YES-" ]
then
ConsoleMessage "Starting Firewall"
sh /etc/rc.firewall > /dev/null
fi
}
StopService ()
{
ConsoleMessage "Stopping Firewall"
/sbin/ipfw -f -q flush
}
RestartService ()
{
StopService
StartService
}
RunService "${1:-start}" #默认参数为-start
[/code]
StartupParameters.plist配置内容如下:
[code]
{
Description = "Firewall";
Provides = ("Firewall");
Requires = ("Network");
OrderPreference = "None";
Messages =
{
start = "Starting NAT/Firewall";
stop = "Stopping NAT/Firewall";
};
}
[/code]
3. 设置/etc/hostconfig,在最底下增加一行:
[code]
FIREWALL=-YES-
[/code]
使/Library/StartupItems/Firewall/Firewall的启动脚本能执行启动ipfw服务。
4. 测试
[code]
/Library/StartupItems/Firewall/Firewall start
[/code]
列出配置表
[code]
ipfw list
[/code]
禁用ping,即ICMP协议
[code]
ipfw add 3333 deny icmp from any to any via en0
[/code]
取消,则用
[code]
ipfw del 3333
[/code]
* 续
ipfw重启之后就失效了,为了使每次开机都有效,需要加入到启动服务器中,下面是MacOSX下的一个配置例子:
1. 将ipfw规则写入自定的配置文件,例如/etc/rc.firewall
[code]
#!/bin/sh
IPFW='/sbin/ipfw -q'
$IPFW -f flush
$IPFW add 2000 allow ip from any to any via lo*
$IPFW add 2010 deny log ip from 127.0.0.0/8 to any in
$IPFW add 2020 deny log ip from any to 127.0.0.0/8 in
$IPFW add 2030 deny log ip from 224.0.0.0/3 to any in
$IPFW add 2040 deny log tcp from any to 224.0.0.0/3 in
$IPFW add 2050 allow log tcp from any to any out
$IPFW add 2060 allow log tcp from any to any established
$IPFW add 2070 allow log tcp from any to any 22 in
$IPFW add 2080 allow log tcp from any to any 80 in
$IPFW add 2090 allow log tcp from any to any 427 in
$IPFW add 12190 deny log tcp from any to any
[/code]
以上配置规则适合个人web服务器管理,并开启远程ssh登录管理端口。摘自:
[url]http://www.macdevcenter.com/pub/a/mac/2005/03/15/firewall.html[/url]
2. 建立目录/Library/StartupItems/Firewall,并在Firewall中创建两个文件:Firewall和StartupParameters.plist。设置属性:
[code]
chmod ug+x Firewall StartupParameters.plist
[/code]
Firewall脚本内容如下:
[code]
. /etc/rc.common
StartService ()
{
if [ "${FIREWALL:=-NO-}" = "-YES-" ]
then
ConsoleMessage "Starting Firewall"
sh /etc/rc.firewall > /dev/null
fi
}
StopService ()
{
ConsoleMessage "Stopping Firewall"
/sbin/ipfw -f -q flush
}
RestartService ()
{
StopService
StartService
}
RunService "${1:-start}" #默认参数为-start
[/code]
StartupParameters.plist配置内容如下:
[code]
{
Description = "Firewall";
Provides = ("Firewall");
Requires = ("Network");
OrderPreference = "None";
Messages =
{
start = "Starting NAT/Firewall";
stop = "Stopping NAT/Firewall";
};
}
[/code]
3. 设置/etc/hostconfig,在最底下增加一行:
[code]
FIREWALL=-YES-
[/code]
使/Library/StartupItems/Firewall/Firewall的启动脚本能执行启动ipfw服务。
4. 测试
[code]
/Library/StartupItems/Firewall/Firewall start
[/code]
扫一扫
1744
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
