mari kita lanjutkan.
pindah ke /usr/src directory.
# cd /usr/src
Compile kernel.
# make buildkernel KERNCONF=INDOFREEBSD
Install kernel baru.
# make installkernel KERNCONF=INDOFREEBSD
sampai tahap ini anda telah berhasil mengkompilasi kernel.
tahap selanjutnya adalah mengaktifkan firewall melalui rc.conf
#pico /etc/rc.conf
# Routing daemon.  -q puts routed in quiet mode: it listens for RIP
# updates but never advertises routes itself.  It is reachable from the
# LAN side only, since /etc/ipfw.rules lets everything through on the
# private NIC (rule 002) and drops unsolicited inbound traffic on the
# public NIC (rule 450).
router_enable="YES"
router="/sbin/routed"
router_flags="-q"
# Forward packets between the two NICs (turns on net.inet.ip.forwarding
# at boot).  Without this the box filters but does not route.
gateway_enable="YES"
# Load the hand-written ruleset below instead of the stock rc.firewall
# profiles (open/client/simple/closed).
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES" # Enable NATD function
natd_interface="rl0" # interface name of public Internet NIC; must match pif in /etc/ipfw.rules
natd_flags="-dynamic -m" # -dynamic = follow address changes on the interface; -m = preserve port numbers if possible
lalu save...
tahap selanjutnya editlah sysctl
#pico /etc/sysctl.conf
# Emit a syslog line for packets that match a rule carrying the "log"
# keyword (rule 450, the catch-all deny, in /etc/ipfw.rules).
net.inet.ip.fw.verbose=1
# Stop logging a given rule after this many matches so a flood of denied
# packets cannot fill the log partition; reset with "ipfw resetlog".
net.inet.ip.fw.verbose_limit=100
lalu save ....
tahap selanjutnya adalah membuat firewall rules
#pico /etc/ipfw.rules
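#!/bin/sh
# /etc/ipfw.rules -- stateful ipfw + natd ruleset for a two-NIC FreeBSD
# gateway.  Loaded at boot through firewall_script in /etc/rc.conf.
#
# Packet flow, by rule number:
#   002/003   LAN and loopback traffic bypass the firewall entirely
#   100       inbound packets on the public NIC are un-NATed by natd
#   101       packets belonging to an existing dynamic entry are accepted
#   120-135   permitted outbound traffic creates state and jumps to 500
#   300-308   inbound packets from bogon/reserved sources are dropped
#   420       inbound HTTP to this host is allowed, one connection per peer
#   450       everything else is denied and logged
#   500/510   outbound packets are NATed by natd and allowed
#
# shellcheck disable=SC2086 -- $cmd, $skip and $ks are meant to word-split
# into separate ipfw arguments.

cmd="ipfw -q add"      # -q: quiet on add/flush so a flush does not drop the terminal
skip="skipto 500"
pif=rl0                # public NIC; must match natd_interface in /etc/rc.conf
lif=xl0                # private LAN NIC; fully trusted, no filtering
ks="keep-state"

# Upstream DNS resolvers that LAN hosts may query.  The article redacts the
# first octet as "xx"; ipfw rejects such literals, so fill in the real
# addresses before enabling the firewall.
dns1="xx.168.240.2"
dns2="xx.168.240.5"

# Outbound TCP ports LAN hosts may open: ssh, smtp, time, whois, dns, http,
# https, pop3, nntp, plus 5050/5051/5100 (application-specific, kept from
# the original list).
good_tcpo="22,25,37,43,53,80,443,110,119,5050,5051,5100"

ipfw -q -f flush

$cmd 002 allow all from any to any via $lif # exclude LAN traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets (state is created here, then skipto 500 for NAT)
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 121 $skip udp from any to $dns2 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
# 0.0.0.0/8 is "this network" (RFC 1122), not loopback.  NOTE: if $pif ever
# gets its address by DHCP, this rule also drops the server's replies to
# the initial DISCOVER -- confirm before switching the public NIC to DHCP.
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #"this network"
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast

# Authorized inbound packets.  "limit src-addr 1" caps each remote address
# at one concurrent HTTP connection to this host.
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1

# Catch-all: everything not matched above is dropped and logged (rate
# limited by net.inet.ip.fw.verbose_limit in /etc/sysctl.conf).
$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
######################## end of rules ##################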
lalu save........
tahap selanjutnya adalah mereboot dan mencoba gateway anda.
#reboot
---------------selesai----------------