  • FREEBSD+PF 在6.2上的架设

    现在网站和外挂经常带 ARP 和 DDoS 攻击，本来用 ROS 做网吧路由器顶不住 DDoS，只能换 FB6.2+PF。前几天用 FB6.1+PF，人多时出 watchdog timeout，老大说用 FB6.2 可能不会出了，那就装起来测测看。下面是安装步骤，操作一步写一步。
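    # Create a custom kernel config named PFOK from the stock GENERIC config.
    # (The page originally had the typos "GERENIC" and "FFOK"; the file name must be
    # the same one that `ident`, `config` and the compile directory use: PFOK.)
    cd /usr/src/sys/i386/conf || exit 1
    cp GENERIC PFOK
    ee PFOK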
    修改并加入下面内容：
    # Kernel identifier; must match the config file name given to `config` below.
    ident           PFOK
    # PF packet filter plus its logging (pflog) and state-synchronisation (pfsync) pseudo-devices.
    device pf
    device pflog
    device pfsync
    # ALTQ queueing framework and the schedulers pf rules may reference for bandwidth shaping
    # (none of the pf.conf rules on this page use queues, so these are optional for it).
    options ALTQ
    options ALTQ_CBQ
    options ALTQ_RED
    options ALTQ_RIO
    options ALTQ_HFSC
    options ALTQ_PRIQ
    # ALTQ_NOPCC: do not use the CPU cycle counter for ALTQ timing; the FreeBSD handbook recommends it for SMP kernels.
    options ALTQ_NOPCC
    # Reboot immediately after a kernel panic instead of waiting for operator input.
    options PANIC_REBOOT_WAIT_TIME=0
    # Interrupt-free interface polling; still has to be switched on at runtime (see the kern.polling.* sysctls below).
    options DEVICE_POLLING
    # 2000 clock ticks per second; a high HZ is usual together with DEVICE_POLLING.
    options HZ=2000
    # IPSTEALTH: makes the net.inet.ip.stealth sysctl available (forward without decrementing TTL);
    # NOTE(review): that sysctl is not set anywhere on this page, so the option alone changes nothing.
    options IPSTEALTH
    # options RANDOM_IP_ID
    # Drop TCP segments carrying both SYN and FIN (scanner / fingerprinting noise); also needs net.inet.tcp.drop_synfin=1.
    options TCP_DROP_SYNFIN

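    # Generate the build directory, then build and install the PFOK kernel.
    # Each step is chained so that a failed `config` or `make` never reaches
    # `make install` or `reboot` with a half-built kernel.
    config PFOK || exit 1
    cd /usr/src/sys/i386/compile/PFOK || exit 1
    make depend && make && make install || exit 1
    reboot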
     
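    ee /etc/sysctl.conf
    # Forward packets between fxp0 and rl0; fastforwarding is the reduced-overhead forwarding path.
    net.inet.ip.forwarding=1
    net.inet.ip.fastforwarding=1
    # Drop TCP segments with SYN+FIN set (kernel built with TCP_DROP_SYNFIN).
    # The original page listed this line twice; the duplicate has been removed.
    # rc.conf's tcp_drop_synfin="YES" on this page sets the same sysctl.
    net.inet.tcp.drop_synfin=1
    # Socket buffer sizes (TCP send/receive, max UDP datagram, Unix-domain stream send).
    net.inet.tcp.sendspace=65536
    net.inet.tcp.recvspace=65536
    #net.inet.udp.sendspace=65535
    net.inet.udp.maxdgram=65535
    net.local.stream.sendspace=65535
    # TCP extensions: window scaling/timestamps (RFC 1323), limited transmit (RFC 3042),
    # larger initial congestion window (RFC 3390).
    net.inet.tcp.rfc1323=1
    #net.inet.tcp.rfc1644=1
    net.inet.tcp.rfc3042=1
    net.inet.tcp.rfc3390=1
    # Global socket buffer ceiling and file descriptor limits.
    kern.ipc.maxsockbuf=2097152
    kern.maxfiles=65536
    kern.maxfilesperproc=32768
    # Device polling (requires the DEVICE_POLLING kernel option above).
    # NOTE(review): on FreeBSD 6.x polling is normally enabled per interface with
    # `ifconfig <if> polling`; confirm kern.polling.enable still takes effect on this release.
    kern.polling.enable=1
    kern.polling.burst_max=500
    # Listen backlog ceiling and mbuf cluster pool; both matter under connection floods.
    kern.ipc.somaxconn=2048
    kern.ipc.nmbclusters=32768
    # Send ACKs immediately rather than delaying them.
    net.inet.tcp.delayed_ack=0
    # Rate-limit ICMP error replies to 100/s and silence the "Limiting ... response" console message.
    net.inet.icmp.icmplim=100
    net.inet.icmp.icmplim_output=0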

    ee /boot/loader.conf
    # Seconds the boot loader waits before booting automatically (default is 10);
    # a short delay gets the router back up faster after the reboots this setup needs.
    autobootdelay="2"
     
    ee /etc/rc.conf
    # Disable every sendmail role on the router so no MTA listens on it.
    sendmail_enable="NONE"
    sendmail_submit_enable="NO"
    sendmail_outbound_enable="NO"
    sendmail_msp_queue_enable="NO"
    # Clear /tmp at boot; skip regenerating /etc/motd.
    clear_tmp_enable="YES"
    update_motd="NO"
    # Same effect as net.inet.tcp.drop_synfin=1 in /etc/sysctl.conf above.
    tcp_drop_synfin="YES"
    # Hardening knobs the author left commented out: dropping/logging ICMP redirects,
    # logging connection attempts to closed ports, and process accounting.
    #icmp_drop_redirect="YES"
    #icmp_log_redirect="YES"
    #log_in_vain="YES"
    #accounting_enable="YES"
    # Start pf at boot with the ruleset from /etc/pf.conf.
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pf_flags=""
    # pflog is left disabled. NOTE(review): the pf.conf rules below also carry no `log`
    # keyword, so even with pflog enabled nothing blocked would be recorded; add `log`
    # to the block rules and enable pflog if evidence of dropped traffic is wanted.
    #pflog_enable="YES"
    #pflog_logfile="/var/log/pflog"

    这里我只加了一句 pf_enable="YES"。
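    # Confirm the custom kernel is running. The second line is the command's output on the
    # author's box, not a command, so it is kept as a comment to make the transcript pasteable.
    uname -a
    # FreeBSD pf.com 6.2-RC1 FreeBSD 6.2-RC1 #0: Thu Nov 23 04:20:46 CST 2006     sshpf@pf.com:/usr/src/sys/i386/compile/PFOK  i386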
     

    我的 pf.conf 如下：

    # Useful pfctl invocations, kept as comments:
    #pfctl -e -F all -f /etc/pf.conf    # enable pf, flush everything, load this file

    # reload only the filter rules
    #pfctl -F rules -Rf /etc/pf.conf

    #pfctl -f /etc/pf.conf # reload the whole pf.conf
    #pfctl -nf /etc/pf.conf # parse only: check the syntax without loading
    #pfctl -Nf /etc/pf.conf # load only the NAT rules
    #pfctl -Rf /etc/pf.conf # load only the filter rules

    #pfctl -sn # show the current NAT rules
    #pfctl -sr # show the current filter rules
    #pfctl -ss # show the state table
    #pfctl -si # show filter statistics
    #pfctl -sa # show everything

    # Interfaces: rl0 faces the upstream network (NAT source), fxp0 faces the LAN.
    ext_if="rl0"
    #edu_if=""
    int_if="fxp0"

    # NOTE(review): ext_addr, ext_net, loop, OpenPorts, InsideManagerIPs, InsiteManagerOpenPorts,
    # priv_nets, tcp_services and icmp_types are defined but referenced by no rule in this file,
    # so they currently have no effect.
    ext_addr="192.168.1.51"

    int_net="172.16.0.0/16"
    ext_net = "192.168.0.0/16"
    loop = "{lo0, 127.0.0.1}"
    OpenPorts = "{21, 22, 80, 88, 4899}"
    InsideManagerIPs = "{172.16.0.100}"
    InsiteManagerOpenPorts = "{21, 22, 23, 24, 25, 80, 4899}"
    priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12}"    #  RFC 1918 private ranges (10.0.0.0/8 is not in this set)
    tcp_services = "{ 22, 88, 4899, 123 }"    #  service ports (the original comment said "22, 113", which does not match the list)
    icmp_types = "echoreq"    #  ICMP echo request (ping)


    ## Expire idle states quickly (aggressive timeouts, see pf.conf(5)); saves memory at the cost of more state churn.
    set optimization aggressive

    # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
    scrub in all

    # Masquerade the LAN behind rl0's address; the parentheses make pf re-read the address if it changes.
    nat on $ext_if from $int_net to any -> ($ext_if)
    #nat on $ext_if from $int_net to $ext_net -> ($ext_if)

    #web server map
    #rdr pass on $ext_if proto tcp from any to $ext_if port {www,3389,4899,7745} -> $web_server


    #---------------------------- anti-DoS: throttle abusive sources ----------------------------
    # Per source IP, for TCP connections arriving on the LAN interface:
    #   max-src-conn 100        - at most 100 simultaneous established connections
    #   max-src-conn-rate 15/3  - at most 15 new connections per 3 seconds
    #   max-src-states 30       - at most 30 state entries
    #   overload ... flush      - a host exceeding a limit is added to <abusive_hosts> and its states from this rule are killed
    #   src.track 1             - keep the source-tracking entry 1 s after its last state expires (pf.conf(5))
    # (The page's original comments said 120 connections / 8 per second / 30; the rule as written uses the values above.)
    # NOTE(review): "to $int_if" matches only packets addressed to the firewall's own fxp0 address, not LAN traffic
    # forwarded through the NAT, so forwarded flows are not rate-limited by this rule - confirm that is intended.
    # NOTE(review): this file has no catch-all `block` rule; pf passes any packet matched by no rule, so everything
    # not explicitly blocked below is allowed in both directions. None of the `block` rules use `log`, so blocked
    # traffic leaves no pflog trace.
    # NOTE(review): nothing expires entries from <abusive_hosts>; a host stays blocked until removed by hand
    # (e.g. `pfctl -t abusive_hosts -T expire <seconds>` from cron).
    table <abusive_hosts> persist          # persist: keep the table even when no rule references it
    block in quick from <abusive_hosts>    # drop everything from hosts that tripped the limits
    pass in on $int_if inet proto tcp from any to $int_if flags S/SA keep state \
    (source-track rule,max-src-conn 100, max-src-conn-rate 15/3,max-src-states 30,overload <abusive_hosts> flush, src.track 1)

    # Windows RPC/SMB and related ports abused by the LSASS/Sasser-era worms; blocked for anything entering on the LAN side.
    LSassVirusPort = "{445, 135, 139, 593, 512, 5554, 9996, 9995}"
    block quick on $int_if inet proto tcp from any to any port $LSassVirusPort

    # Ports commonly used by BitTorrent clients/trackers, blocked as source and destination on both interfaces.
    # NOTE(review): port-based P2P blocking is easily evaded by clients on other ports, and the "from any port ..."
    # rules also drop replies from any legitimate service listening on one of these ports (2049 is NFS, 512 is exec).
    BitTorrentPort= "{ 512, 2049, 4662, 6880, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889, \
    6890, 8880, 8881, 8882, 8883, 8884, 8885, 8886, 8887, 8888, 8889, 8890, 6969, 10700, 21881}" 
    block quick on $int_if inet proto tcp from any to any port $BitTorrentPort
    block quick on $int_if inet proto tcp from any port $BitTorrentPort to any
    block quick on $ext_if inet proto tcp from any to any port $BitTorrentPort
    block quick on $ext_if inet proto tcp from any port $BitTorrentPort to any

    # Game blocking left disabled by the author.
    #gameClientPorts = "{4002, 2000, 3838, 4410, 4210, 4230, 5005, 4290, 10010 }"
    #GameDenyClients ="{192.168.128.0/24, 192.168.132.0/24}"
    #GameServerIps = "{204.251.15.167, 61.152.93.145}"
    #block quick on $int_if inet proto tcp from $GameDenyClients to any port $gameClientPorts
    #block quick on $ext_if from $GameServerIps to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $GameServerIps

    # Keep LAN clients from reaching this server (all protocols).
    denyserverips = "{202.108.193.21}"
    block quick on $int_if from any to $denyserverips

    #LSassVirusIp ="{192.168.1.194}"
    #block quick on $int_if from $LSassVirusIp to any

  • 原文地址:https://www.cnblogs.com/studio313/p/635855.html