[packet filter] FreeBSD PF Firewall

FreeBSD PF Firewall (Packet Filter)

FreeBSD documentation: https://www.freebsd.org/doc/handbook/firewalls-pf.html

Reference page: https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-pf-on-freebsd-to-protect-a-web-server/


To test the firewall, the ports used by pure-ftpd and in sshd_config need to be changed.

For installing pure-ftpd, refer to the link below.

[ftp-server] FreeBSD pure-ftpd installation


Edit /etc/rc.conf

root@bsd11:~ # vi /etc/rc.conf

#PF setting
pf_enable="YES"
pflog_enable="YES"
pf_rules="/etc/pf.conf"
pflog_logfile="/var/log/pflog"



Create the /etc/pf.conf file

root@bsd11:~ # vi /etc/pf.conf
ext_if="em0"

set limit { states 80000, frags 5000 }

set block-policy drop

set skip on vnet1

set skip on lo0

scrub in all

antispoof for $ext_if

block in all

block out all

table <bruteforce> persist

table <sshbruteforce> persist

table <ftp> persist

block in quick log proto tcp from <bruteforce> to port 80

block in quick log proto tcp from <sshbruteforce> to port 2424

block in quick log proto tcp from <ftp> to port 21

pass in log proto tcp from any to port 21 keep state

pass in log proto tcp from any to port 30000:50000 keep state

pass in log proto tcp from any to port 2424 keep state

pass in on $ext_if proto tcp from any to $ext_if port 2424 \
            flags S/SA keep state \
            (max-src-conn-rate 10/30, overload <sshbruteforce> flush global)

pass in on $ext_if proto tcp from any to $ext_if port 80 \
        flags S/SA synproxy state

pass in on $ext_if proto tcp from any to $ext_if port 80 \
        flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 300/10, \
        overload <bruteforce> flush global)
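The last three rules are the ones doing the brute-force protection: a source that opens more than 10 new connections to port 2424 within 30 seconds is added to <sshbruteforce> and all of its states are flushed, and a source opening more than 300 connections to port 80 within 10 seconds goes into <bruteforce>; the block ... quick rules above then drop anything from those tables. One caveat worth knowing: PF evaluates pass rules last-match-wins unless quick is given, so on em0 the second port 80 rule (keep state with the overload options) is the one that takes effect and the synproxy rule just above it is shadowed. The script below is an added example, not part of the original post: it replays the records that `tcpdump -n -e -tt -r /var/log/pflog` prints against the same thresholds, so you can confirm from the log which sources the overload options would have caught. The log lines inside it are constructed, and the record format it parses (`rule N/0(match): pass in on em0: SRC.PORT > DST.PORT: Flags [S]`) is assumed from tcpdump's pflog printer.

```python
#!/usr/bin/env python3
"""Replay pflog records against the max-src-conn-rate thresholds from pf.conf.

Added example (not from the original post). Input is the text that
`tcpdump -n -e -tt -r /var/log/pflog` prints for PF log records; the
sliding-window check below mirrors what max-src-conn-rate does in the kernel.
The SAMPLE_LOG lines are constructed, not captured from a real host.
"""
import re
from collections import defaultdict, deque

# Thresholds taken from the pf.conf above: port -> (new connections, seconds)
RATE_LIMITS = {
    2424: (10, 30),   # ssh  -> overload <sshbruteforce>
    80:   (300, 10),  # http -> overload <bruteforce>
}

# Assumed tcpdump rendering of a pflog record (epoch timestamp from -tt, pf header from -e)
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) rule \d+/\d*\(match\): (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields of one pflog record, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_new_connection(rec):
    """pf counts a new connection when a bare SYN passes into a keep-state rule."""
    return rec["action"] == "pass" and rec["dir"] == "in" and rec["flags"] == "S"


def find_overloads(lines, limits=RATE_LIMITS):
    """Replay records in time order; return {dport: {src: ts when the rate was exceeded}}."""
    windows = defaultdict(deque)      # (src, dport) -> timestamps of recent new connections
    overloaded = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_new_connection(rec):
            continue
        limit = limits.get(rec["dport"])
        if limit is None:
            continue
        max_conns, seconds = limit
        win = windows[(rec["src"], rec["dport"])]
        win.append(rec["ts"])
        # slide the window: forget connections older than the interval
        while win and rec["ts"] - win[0] > seconds:
            win.popleft()
        if len(win) > max_conns and rec["src"] not in overloaded[rec["dport"]]:
            overloaded[rec["dport"]][rec["src"]] = rec["ts"]
    return {port: dict(srcs) for port, srcs in overloaded.items()}


def _syn(ts, src, sport, dport, action="pass"):
    """Build one constructed pflog line in the assumed tcpdump format."""
    return (f"{ts:.6f} rule 7/0(match): {action} in on em0: "
            f"{src}.{sport} > 198.51.100.10.{dport}: Flags [S], seq 1, win 65535, length 0")


# Constructed sample: one source hammering ssh, one polite ssh client, light web traffic
SAMPLE_LOG = sorted(
    [_syn(1700000000 + i * 2, "203.0.113.5", 40000 + i, 2424) for i in range(12)]
    + [_syn(1700000000 + i * 20, "198.51.100.77", 51000 + i, 2424) for i in range(3)]
    + [_syn(1700000000 + i, "203.0.113.9", 60000 + i, 80) for i in range(5)]
    + [_syn(1700000030, "203.0.113.5", 40100, 2424, action="block")],  # already in table
    key=lambda l: float(l.split()[0]),
)

if __name__ == "__main__":
    for port, srcs in find_overloads(SAMPLE_LOG).items():
        for src, ts in srcs.items():
            print(f"port {port}: {src} exceeded {RATE_LIMITS[port]} at {ts:.0f}")
```

On the host, `pfctl -t sshbruteforce -T show` lists the addresses the overload option actually added. Because the tables are declared persist, entries stay until removed; `pfctl -t sshbruteforce -T expire 86400` drops entries older than a day and is a reasonable cron job so a dynamic address is not banned forever.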


Change the sshd_config settings

root@bsd11:~ # vi /etc/ssh/sshd_config
#Port 22
Port 2424


Change the pure-ftpd.conf settings

Uncomment PassivePortRange to enable the setting and specify the port range to use.

root@bsd11:~ # vi /usr/local/etc/pure-ftpd.conf

PassivePortRange             30000 50000


Reboot the system

root@bsd11:~ # init 6


pf commands

pf config check 

root@bsd11:~ # service pf check
Checking pf rules.


Check pf status

root@bsd11:~ # service pf status
Status: Enabled for 0 days 00:01:01           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                             227            3.7/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                227            3.7/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
root@bsd11:~ #
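The counters in this output are the quickest way to tell whether the limits in pf.conf are being hit: state-limit counts packets dropped because `set limit states 80000` was reached, src-limit counts packets dropped by max-src-conn / max-src-conn-rate (that is, the overload rules firing), memory counts allocation failures, and current entries shows how full the state table is. The script below is an added example, not from the original post: it parses this status format (`pfctl -s info`, which `service pf status` wraps) and turns those counters into findings. Its two sample outputs are constructed, one abridged from the output above and one with counter values chosen to trip the checks.

```python
#!/usr/bin/env python3
"""Parse `pfctl -s info` / `service pf status` output and flag the counters that
matter for this pf.conf. Added example, not from the post; both samples below are
constructed (SAMPLE_OK is abridged from the status output shown in the post)."""
import re
import sys

# "  current entries      0" / "  searches   227   3.7/s": name, total, optional rate
COUNTER_RE = re.compile(r"^(?P<name>[a-z][a-z -]*?)\s{2,}(?P<total>\d+)(?:\s+(?P<rate>[\d.]+)/s)?$")


def parse_pf_info(text):
    """Return {'status': str, 'state_table': {name: total}, 'counters': {name: total}}."""
    info = {"status": None, "state_table": {}, "counters": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("root@"):     # skip blank lines and pasted shell prompts
            continue
        if line.startswith("Status:"):
            info["status"] = line.split()[1]          # "Enabled" or "Disabled"
        elif line.startswith("State Table"):
            section = "state_table"
        elif line == "Counters":
            section = "counters"
        elif section:
            m = COUNTER_RE.match(line)
            if m:
                info[section][m.group("name")] = int(m.group("total"))
    return info


def check(info, max_states=80000, warn_ratio=0.8):
    """Interpret the counters against 'set limit { states 80000 }' and the overload rules."""
    findings = []
    st, c = info["state_table"], info["counters"]
    if info["status"] != "Enabled":
        findings.append("pf is not enabled")
    used = st.get("current entries", 0)
    if used >= max_states * warn_ratio:
        findings.append(f"state table at {used}/{max_states}: raise 'set limit states' or shorten timeouts")
    if c.get("state-limit", 0):
        findings.append(f"state-limit dropped {c['state-limit']} packets: the states limit was reached")
    if c.get("src-limit", 0):
        findings.append(f"src-limit dropped {c['src-limit']} packets: a source exceeded "
                        "max-src-conn/max-src-conn-rate, inspect the <sshbruteforce>/<bruteforce> tables")
    if c.get("memory", 0):
        findings.append(f"memory: {c['memory']} allocation failures, review the 'set limit' values")
    return findings


# Constructed sample, abridged from the freshly booted host above: nothing to report
SAMPLE_OK = """\
Status: Enabled for 0 days 00:01:01           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                             227            3.7/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                227            3.7/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
"""

# Constructed sample: a busy host whose limits are being hit
SAMPLE_BUSY = """\
Status: Enabled for 3 days 04:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                    70000
  searches                        91822341          512.0/s
  inserts                          4031211           20.0/s
  removals                         3961211           19.0/s
Counters
  match                            4031300           20.0/s
  memory                                 0            0.0/s
  state-limit                            3            0.0/s
  src-limit                             12            0.1/s
  synproxy                               0            0.0/s
"""

if __name__ == "__main__":
    if not sys.stdin.isatty():                       # pfctl -s info | python3 pf_check.py
        samples = [("stdin", sys.stdin.read())]
    else:
        samples = [("sample ok", SAMPLE_OK), ("sample busy", SAMPLE_BUSY)]
    for label, text in samples:
        print(label, check(parse_pf_info(text)) or ["no findings"])
```

Run it as `pfctl -s info | python3 pf_check.py` on the firewall itself; the thresholds are arguments to check(), so adjust max_states if you change `set limit states`.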


Explanation of the pf.conf settings

(to be written later)
