章 29. 防火牆

Contributed by Joseph J. Barbish.
Converted to SGML and updated by Brad Davis.
內容目錄
29.1. 概述
29.2. 防火牆概念
29.3. PF
29.4. IPFW
29.5. IPFILTER (IPF)

29.1. 概述

防火牆能夠過濾透過系統進出的流量,防火牆可使用一組或多組 規則 (Rules) 來檢查網路連線中進出的網路封包(Network packets),並且能允許或阻擋其通過。 而防火牆規則可以檢查封包中一個或數個特徵,例如通訊協定類型、來源或目的主機位址,以及來源及目地的連接埠 (Port)。

防火牆可以加強主機或網路的安全性,它可以用來完成下列事情:

  • Protect and insulate the applications, services, and machines of an internal network from unwanted traffic from the public Internet.

  • Limit or disable access from hosts of the internal network to services of the public Internet.

  • Support network address translation (NAT), which allows an internal network to use private IP addresses and share a single connection to the public Internet using either a single IP address or a shared pool of automatically assigned public addresses.

FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER, also known as IPF. FreeBSD also provides two traffic shapers for controlling bandwidth usage: altq(4) and dummynet(4). ALTQ has traditionally been closely tied with PF and dummynet with IPFW. Each firewall uses rules to control the access of packets to and from a FreeBSD system, although they go about it in different ways and each has a different rule syntax.

FreeBSD provides multiple firewalls in order to meet the different requirements and preferences for a wide variety of users. Each user should evaluate which firewall best meets their needs.

讀完這章,您將了解︰

  • How to define packet filtering rules.

  • The differences between the firewalls built into FreeBSD.

  • How to use and configure the PF firewall.

  • How to use and configure the IPFW firewall.

  • How to use and configure the IPFILTER firewall.

在開始閱讀這章之前,您需要︰

  • 了解 FreeBSD 基礎及網路概念。

注意:

Since all firewalls are based on inspecting the values of selected packet control fields, the creator of the firewall ruleset must have an understanding of how TCP/IP works, what the different values in the packet control fields are, and how these values are used in a normal session conversation. For a good introduction, refer to Daryl's TCP/IP Primer.

本文及其他文件,可由此下載: ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/

若有 FreeBSD 方面疑問,請先閱讀 FreeBSD 相關文件,如不能解決的話,再洽詢 <questions@FreeBSD.org>。

關於本文件的問題,請洽詢 <doc@FreeBSD.org>。