ipfirewall (IPFW)

$ service ipfw enable # 设置 rc 变量并尝试立即启动

$ sysrc firewall_type="open"

$ sysrc firewall_script="/etc/ipfw.rules"

$ sysrc firewall_logging="YES"

$ echo "net.inet.ip.fw.verbose_limit=5" >> /etc/sysctl.conf

$ sysrc firewall_logif="YES"

$ tcpdump -t -n -i ipfw0

$ service ipfw start
$ sysctl net.inet.ip.fw.verbose_limit=5

$ service ipfw status

#!/bin/sh
# 清空现有规则
ipfw -q -f flush

# 设置规则命令前缀变量
cmd="ipfw -q add"
pif="em0"     # 连接到互联网的外部网卡接口名称

# 将 em1 改为实际的局域网网卡接口名称
$cmd 00005 allow all from any to any via em1

# 允许回环接口上的所有流量
$cmd 00010 allow all from any to any via lo0

$cmd 00101 check-state

# 允许访问公共 DNS 服务
# 将 x.x.x.x 替换为公共 DNS 服务器的 IP 地址，
# 并为 /etc/resolv.conf 中列出的每个 DNS 服务器重复此规则
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# 允许访问 ISP 的 DHCP 服务器，适用于电缆调制解调器或 ADSL 等宽带连接
# 默认使用记录日志的通用规则；确认 DHCP 服务器地址后，可将 x.x.x.x 填入下一条规则并启用它
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# 允许外发 HTTP 和 HTTPS 连接
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# 允许外发 SMTP 邮件提交连接
$cmd 00230 allow tcp from any to any 587 out via $pif setup keep-state

# 允许外发 ICMP（如 ping）
$cmd 00250 allow icmp from any to any out via $pif keep-state

# 允许外发 NTP 时间同步
$cmd 00260 allow udp from any to any 123 out via $pif keep-state

# 允许外发 SSH 连接
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# 拒绝并记录所有其他外发连接
$cmd 00299 deny log all from any to any out via $pif

# 拒绝所有来自不可路由保留地址空间的入站流量
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif     # RFC 1918 私有地址
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif      # RFC 1918 私有地址
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif         # RFC 1918 私有地址
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif        # 回环地址
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif          # 本网络地址
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif     # 链路本地地址（APIPA）
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       # 文档示例保留地址
$cmd 00307 deny all from 224.0.0.0/3 to any in via $pif        # D 类组播与 E 类保留

# 拒绝来自外部的 ICMP 回显请求（禁止外部 ping 本机）
$cmd 00310 deny icmp from any to any in via $pif

# 拒绝 NetBIOS/SMB 相关端口的入站访问
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 445 in via $pif
$cmd 00324 deny udp from any to any 137 in via $pif
$cmd 00325 deny udp from any to any 138 in via $pif

# 拒绝分片数据包
$cmd 00330 deny all from any to any frag in via $pif

# 拒绝未匹配动态规则表的 ACK 包
$cmd 00332 deny tcp from any to any established in via $pif

# 允许来自 ISP DHCP 服务器的入站流量
# 将 x.x.x.x 替换为规则 00120 中使用的 DHCP 服务器 IP 地址
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# 允许到内部 Web 服务器的 HTTP 连接，并限制同一源地址的同时连接数
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# 允许入站 SSH 连接，并限制同一源地址的同时连接数
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# 拒绝并记录所有其他入站连接
$cmd 00499 deny log all from any to any in via $pif

# 拒绝并记录所有其他流量
$cmd 00999 deny log all from any to any

gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"

#!/bin/sh
# 清空现有规则
ipfw -q -f flush
# 规则命令前缀
cmd="ipfw -q add"
# 出站有状态规则匹配后跳转到规则 1000 执行 NAT
skip="skipto 1000"
# 连接到互联网的外部网卡接口
pif=em0
# 启用有状态跟踪
ks="keep-state"
# 允许出站的 TCP 端口列表
good_tcpo="22,53,80,443,587"

# 允许经过 NAT 处理的数据包重新注入防火墙继续匹配后续规则
ipfw disable one_pass
# 配置 NAT 实例 1：使用指定外部接口，保持端口号一致，仅处理私有地址，IP 变化时重置
ipfw -q nat 1 config if $pif same_ports unreg_only reset

$cmd 005 allow all from any to any via em1  # 允许局域网流量直通
$cmd 010 allow all from any to any via lo0  # 允许回环接口流量
$cmd 099 reass all from any to any in       # 重新组装入站数据包，便于 NAT 处理
$cmd 100 nat 1 ip from any to any in via $pif # 对入站到外部接口的流量执行 NAT
# 检查动态规则表，如已存在会话则直接通过
$cmd 101 check-state

# 允许出站的 DNS 查询（TCP 与 UDP）
$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks
# 允许出站的 DHCP 请求
$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks
# 合并允许的出站 TCP 端口（SSH、SMTP、DNS、HTTP、HTTPS），使用 skipto 跳转至 NAT 规则
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
# 允许出站的 ICMP（如 ping 与 traceroute）
$cmd 130 $skip icmp from any to any out via $pif $ks

# 拒绝并记录所有未匹配规则的流量
$cmd 999 deny log all from any to any
# 出站流量 skipto 的目标：对所有未匹配到具体规则的出站流量执行 NAT
$cmd 1000 nat 1 ip from any to any out via $pif
# 允许经过 NAT 转换后的流量通过
$cmd 1001 allow ip from any to any

$ ipfw list

$ ipfw -t list

$ ipfw -a list

$ ipfw -d list

$ ipfw -d -e list

$ ipfw zero

$ ipfw zero NUM