NetBSD Guide - 23.9.10. Opening a tunnel through an IPFilter firewall

Post by leo » 2010-03-08 0:48

The 6to4 protocol encapsulates IPv6 packets inside IPv4 using its own IP protocol type. Most firewalls do not recognise that protocol type and block the packets, since the only payload types they handle are "TCP", "UDP" or "ICMP". Usually you want to run the 6to4 gateway on the machine that is directly connected to the (IPv4) Internet, which is normally the one running the firewall. If you want to run a 6to4 gateway behind a firewall, you need to punch a hole in the firewall so that the 6to4 packets can get through. Here is how!

This example assumes that your firewall connects to the Internet via the "ppp0" interface.

Put the following lines into /etc/ipf.conf to make the IPFilter firewall pass all 6to4 packets (a trailing \ marks a line wrapped here for space; in the file it is a single line):

# Handle traffic by different rulesets
block in  quick on ppp0 all head 1
block out quick on ppp0 all head 2

### Incoming packets:
# allow some IPv4:
pass  in  log quick on ppp0 proto tcp from any to any \
port = www flags S keep state keep frags  group 1
pass  in      quick on ppp0 proto tcp from any to any \
port = ssh keep state         group 1
pass  in      quick on ppp0 proto tcp from any to any \
port = mail keep state        group 1
pass  in  log quick on ppp0 proto tcp from any to any \
port = ftp keep state       group 1
pass  in  log quick on ppp0 proto tcp from any to any \
port = ftp-data keep state      group 1
pass  in  log quick on ppp0 proto icmp from any to any        group 1
# allow all IPv6:
pass in       quick on ppp0 proto ipv6       from any to any  group 1
pass in  log  quick on ppp0 proto ipv6-route from any to any  group 1
pass in  log  quick on ppp0 proto ipv6-frag  from any to any  group 1
pass in  log  quick on ppp0 proto ipv6-icmp  from any to any  group 1
pass in  log  quick on ppp0 proto ipv6-nonxt from any to any  group 1
pass in  log  quick on ppp0 proto ipv6-opts  from any to any  group 1
# block rest:
block in  log  quick on ppp0 all                              group 1

### Outgoing packets:
# allow usual stuff:
pass  out     quick on ppp0 proto  tcp from any to any flags S \
keep state keep frags group 2
pass  out     quick on ppp0 proto  udp from any to any         \
keep state keep frags group 2
pass  out     quick on ppp0 proto icmp from any to any         \
keep state            group 2
# allow all IPv6:
pass out      quick on ppp0 proto ipv6       from any to any  group 2
pass out log  quick on ppp0 proto ipv6-route from any to any  group 2
pass out log  quick on ppp0 proto ipv6-frag  from any to any  group 2
pass out log  quick on ppp0 proto ipv6-icmp  from any to any  group 2
pass out log  quick on ppp0 proto ipv6-nonxt from any to any  group 2
pass out log  quick on ppp0 proto ipv6-opts  from any to any  group 2
# block rest:
block out log quick on ppp0 all             group 2

Now all hosts on your network can send ("out" rules) and receive ("in" rules) IPv4-encapsulated IPv6 packets, and you can configure any one of them as the 6to4 gateway. Of course you will only want to do this on one host and use native IPv6 between the local hosts, and you may want to enforce that policy with more restrictive rules; see ipf.conf(5) for more information on IPFilter rules.

Once your firewall passes the encapsulated IPv6 packets, you may want to set up your 6to4 gateway to monitor the IPv6 traffic, or even to restrict it. To do so, you also need to set up IPFilter on the 6to4 gateway. For simple monitoring, enable "ipfilter=yes" in /etc/rc.conf and add the following to /etc/ipf6.conf:

pass in  log quick on stf0 from any to any
pass out log quick on stf0 from any to any

This logs all incoming and outgoing (IPv6) traffic on the "stf0" tunnel interface. You can add filter rules there as well if needed.

If you are more interested in traffic statistics than in a detailed record of the traffic, MRTG from the "net-snmp" package is recommended instead of analysing the IPFilter log files.
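As an added example (not part of the guide or of IPFilter), the following Python decodes a constructed IPv4 packet the way a packet filter has to, showing why 6to4 traffic matches the "proto ipv6" rules above rather than the tcp/udp/icmp ones, and adds a consistency check on the 6to4 source address that the ruleset above does not perform. The packet builders, addresses and protocol-name table are constructed test data; the names mirror the keywords used in the ipf.conf above.

```python
import ipaddress
import struct

# Constructed mapping from IPv4 protocol numbers to the "proto" keywords
# used in the ipf.conf ruleset above (values as in /etc/protocols).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 41: "ipv6", 43: "ipv6-route",
               44: "ipv6-frag", 58: "ipv6-icmp", 59: "ipv6-nonxt", 60: "ipv6-opts"}

def ipv4_header(pkt: bytes):
    """Return (header length in bytes, protocol, src, dst) of a raw IPv4 packet."""
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return ihl, proto, ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])

def classify(pkt: bytes) -> dict:
    """Name the protocol a 'proto' rule would match; for 6to4, also decode the inner IPv6."""
    ihl, proto, src, dst = ipv4_header(pkt)
    result = {"proto": PROTO_NAMES.get(proto, str(proto)), "src": str(src), "dst": str(dst)}
    if proto == 41:  # IPv6-in-IPv4: what the "pass ... proto ipv6" rules let through
        inner = pkt[ihl:]
        if len(inner) < 40 or inner[0] >> 4 != 6:
            raise ValueError("truncated or non-IPv6 payload")
        v6src = ipaddress.IPv6Address(inner[8:24])
        v6dst = ipaddress.IPv6Address(inner[24:40])
        result.update(inner_src=str(v6src), inner_dst=str(v6dst), inner_next=inner[6])
        # 6to4 addresses 2002:AABB:CCDD::/48 embed the IPv4 address of the sending
        # gateway; a mismatch with the outer IPv4 source is worth logging.
        if v6src in ipaddress.IPv6Network("2002::/16"):
            embedded = ipaddress.IPv4Address(v6src.packed[2:6])
            result["embedded_v4_matches"] = embedded == src
    return result

def build_v4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left 0, not needed for this decoder)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_v6(src: str, dst: str, next_hdr: int) -> bytes:
    """Constructed 40-byte IPv6 header with an empty payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, next_hdr, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

if __name__ == "__main__":
    tunnel = build_v4(41, "192.0.2.4", "198.51.100.1",
                      build_v6("2002:c000:204::1", "2001:db8::1", 6))
    print(classify(tunnel))  # proto "ipv6", embedded_v4_matches True
```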
