NetBSD Guide - 23.9.10. Setting up a 6to4 tunnel through an IPFilter firewall
Posted: 2010-03-08 0:48
6to4 encapsulates IPv6 packets inside IPv4 packets, and those IPv4 packets carry their own IP protocol type (protocol number 41, listed as "ipv6" in /etc/protocols). Most firewalls only expect "TCP", "UDP" or "ICMP" as the IPv4 payload, so they do not recognise these packets and block them. You usually want to run the 6to4 gateway on the machine that is directly connected to the (IPv4) Internet, and that machine usually also runs the firewall. If you want to run a 6to4 gateway behind the firewall instead, you need to punch a hole in the firewall so that the 6to4 packets can pass. Here is how to do it!
This example assumes that the "ppp0" interface on your firewall is the one connected to the Internet.
Put the following lines into /etc/ipf.conf to make the IPFilter firewall pass all 6to4 packets (a trailing \ marks a line that is wrapped here for space; in the file it is a single line):
Code:
# Handle traffic by different rulesets
block in quick on ppp0 all head 1
block out quick on ppp0 all head 2
### Incoming packets:
# allow some IPv4:
pass in log quick on ppp0 proto tcp from any to any \
        port = www flags S keep state keep frags group 1
pass in quick on ppp0 proto tcp from any to any \
        port = ssh keep state group 1
pass in quick on ppp0 proto tcp from any to any \
        port = mail keep state group 1
pass in log quick on ppp0 proto tcp from any to any \
        port = ftp keep state group 1
pass in log quick on ppp0 proto tcp from any to any \
        port = ftp-data keep state group 1
pass in log quick on ppp0 proto icmp from any to any group 1
# allow all IPv6 (protocol 41 is the 6to4 encapsulation):
pass in quick on ppp0 proto ipv6 from any to any group 1
pass in log quick on ppp0 proto ipv6-route from any to any group 1
pass in log quick on ppp0 proto ipv6-frag from any to any group 1
pass in log quick on ppp0 proto ipv6-icmp from any to any group 1
pass in log quick on ppp0 proto ipv6-nonxt from any to any group 1
pass in log quick on ppp0 proto ipv6-opts from any to any group 1
# block rest:
block in log quick on ppp0 all group 1
### Outgoing packets:
# allow usual stuff:
pass out quick on ppp0 proto tcp from any to any flags S \
        keep state keep frags group 2
pass out quick on ppp0 proto udp from any to any \
        keep state keep frags group 2
pass out quick on ppp0 proto icmp from any to any \
        keep state group 2
# allow all IPv6:
pass out quick on ppp0 proto ipv6 from any to any group 2
pass out log quick on ppp0 proto ipv6-route from any to any group 2
pass out log quick on ppp0 proto ipv6-frag from any to any group 2
pass out log quick on ppp0 proto ipv6-icmp from any to any group 2
pass out log quick on ppp0 proto ipv6-nonxt from any to any group 2
pass out log quick on ppp0 proto ipv6-opts from any to any group 2
# block rest:
block out log quick on ppp0 all group 2
Now every host on your network can send ("out" rules) and receive ("in" rules) v4-encapsulated IPv6 packets, so any of them could be set up as a 6to4 gateway. Of course you will usually want to do that on one host only and use native IPv6 between the local hosts, and you may want to enforce that policy with more restrictive rules (for example, passing "proto ipv6" only to and from the address of the gateway). Note that 6to4 itself only ever uses IP protocol 41 ("ipv6"); the "ipv6-route", "ipv6-frag", "ipv6-icmp", "ipv6-nonxt" and "ipv6-opts" entries are IPv6 extension header numbers that never appear as the protocol of an IPv4 packet, so those rules are harmless but will not match 6to4 traffic. See ipf.conf(5) for more information on IPFilter rules.
Once your firewall passes the encapsulated IPv6 packets, you may also want to set up the 6to4 gateway to monitor the IPv6 traffic, or even to restrict it. To do that, you need to set up IPFilter on the 6to4 gateway as well. For simple monitoring, enable "ipfilter=yes" in /etc/rc.conf and add the following to /etc/ipf6.conf:
Code:
pass in log quick on stf0 from any to any
pass out log quick on stf0 from any to any
This logs all incoming and outgoing (IPv6) traffic on the "stf0" tunnel interface. You can add filter rules there as well if you need them.
If you are more interested in traffic statistics than in a detailed account of the traffic itself, use MRTG together with the "net-snmp" package instead of analysing the IPFilter log files.
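As an added example that is not part of the original guide, here is a small Python script that does the "analysing the IPFilter log files" step mentioned above for the stf0 rules: it parses ipmon(8) syslog lines, totals packets and bytes per direction, and goes one step further than the text by recovering, for every 6to4 peer address (2002::/16), the IPv4 address embedded in bits 16-47 of the IPv6 address, which is the IPv4 endpoint the encapsulated packets actually came from or went to. The log lines are constructed for this example and follow ipmon's usual field layout (timestamp, interface, @group:rule, p/b, src -> dst, PR proto, len hdr total, IN/OUT), but that layout is an assumption here, so the regular expression is deliberately tolerant; the function names are the example's own.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed ipmon(8) syslog lines for the "pass in/out log quick on stf0" rules.
# 192.0.2.4 is assumed to be our own 6to4 gateway (2002:c000:204::/48); the field
# layout is assumed from ipmon's normal output and is not taken from the guide.
SAMPLE_LOG = """\
Mar  8 00:48:12 gw ipmon[345]: 00:48:12.123456 stf0 @0:1 p 2002:c633:6401::1 -> 2002:c000:204::1 PR ipv6-icmp len 40 104 IN
Mar  8 00:48:12 gw ipmon[345]: 00:48:12.234567 stf0 @0:2 p 2002:c000:204::1 -> 2002:c633:6401::1 PR ipv6-icmp len 40 104 OUT
Mar  8 00:48:13 gw ipmon[345]: 00:48:13.345678 stf0 @0:2 p 2002:c000:204::1,49152 -> 2001:db8::80,80 PR tcp len 40 80 -S OUT
Mar  8 00:48:14 gw ipmon[345]: 00:48:14.456789 stf0 @0:1 p 2001:db8::80,80 -> 2002:c000:204::1,49152 PR tcp len 40 1480 -AP IN
Mar  8 00:48:15 gw ipmon[345]: 00:48:15.567890 stf0 @0:1 p 2002:cb00:7101::1 -> 2002:c000:204::1 PR ipv6-icmp len 40 104 IN
"""

# Tolerant match on the fields we need: interface, rule, action, addresses,
# protocol, total packet length and direction (the last IN/OUT on the line).
LINE_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<ifname>\S+) @(?P<rule>\d+:\d+) (?P<action>[pbsnL]) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) len \d+ (?P<total>\d+)"
    r".*\b(?P<dir>IN|OUT)\b"
)


def split_addr(field):
    """Split ipmon's 'addr,port' form; returns (addr, port-or-None)."""
    addr, sep, port = field.rpartition(",")
    return (addr, int(port)) if sep else (field, None)


def embedded_v4(addr6):
    """For a 6to4 address (2002:V4ADDR::/48) return the embedded IPv4 address, else None."""
    a = ipaddress.IPv6Address(addr6)
    if a not in ipaddress.IPv6Network("2002::/16"):
        return None
    # bits 16..47 of the IPv6 address are the IPv4 address of the 6to4 site
    return str(ipaddress.IPv4Address(a.packed[2:6]))


def parse_ipmon(text, ifname="stf0"):
    """Return one dict per logged packet on the given interface."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["ifname"] != ifname:
            continue
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        records.append({
            "action": m["action"], "rule": m["rule"], "proto": m["proto"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "bytes": int(m["total"]), "dir": m["dir"],
        })
    return records


def summarize(records):
    """Packets/bytes per direction, plus the IPv4 tunnel endpoints implied by 6to4 peers."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    peers_v4 = defaultdict(set)
    for r in records:
        t = totals[r["dir"]]
        t["packets"] += 1
        t["bytes"] += r["bytes"]
        peer = r["src"] if r["dir"] == "IN" else r["dst"]
        v4 = embedded_v4(peer)
        if v4:
            peers_v4[r["dir"]].add(v4)
        # A native (non-2002::) peer is reached via a 6to4 relay router, whose
        # IPv4 address is only visible in the outer header, i.e. on ppp0, not here.
    return dict(totals), {k: sorted(v) for k, v in peers_v4.items()}


if __name__ == "__main__":
    totals, peers = summarize(parse_ipmon(SAMPLE_LOG))
    for direction in ("IN", "OUT"):
        t = totals.get(direction, {"packets": 0, "bytes": 0})
        print(f"{direction:3}: {t['packets']} packets, {t['bytes']} bytes, "
              f"6to4 IPv4 endpoints: {', '.join(peers.get(direction, [])) or '-'}")
```

Feed it real data with something like `grep stf0 /var/log/ipflog` (or wherever ipmon's syslog output lands on your system) instead of SAMPLE_LOG. The embedded-IPv4 column is the useful part for a 6to4 gateway: it lets you compare the IPv4 endpoints implied by the inner addresses with what the "proto ipv6" rules on ppp0 actually logged, and it is what you would use to restrict the ppp0 rules to specific peers.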