Description:
Today I read online about someone whose firewall collapsed under a worm attack, and everyone's solution was to tune the firewall. You really do learn something new every day: it turns out a firewall can be tuned. After reading the IPFilter HOWTO I finally found the tuning method. Note, however, that a tuned firewall is not invulnerable; tuning only raises how much attack load the firewall can absorb. After all, nothing in this world is perfect.
Step 1.
Check the system's original sysctl values:
# sysctl -a | grep net.inet.ipf
net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 514
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_icmpacktimeout: 12
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.ippr_ftp_pasvonly: 0
net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
Step 2.
Change a value by hand on the running system:
# sysctl net.inet.ipf.fr_tcpclosed=1
net.inet.ipf.fr_tcpclosed: 120 -> 1
Step 3.
Add the settings to /etc/sysctl.conf so they are applied automatically at boot:
# vi /etc/sysctl.conf
The contents are as follows:
net.inet.ipf.fr_flags=0
net.inet.ipf.fr_pass=514
net.inet.ipf.fr_active=0
net.inet.ipf.fr_tcpidletimeout=864000
net.inet.ipf.fr_tcpclosewait=60
net.inet.ipf.fr_tcplastack=20
net.inet.ipf.fr_tcptimeout=120
net.inet.ipf.fr_tcpclosed=1
net.inet.ipf.fr_udptimeout=120
net.inet.ipf.fr_icmptimeout=120
net.inet.ipf.fr_defnatage=1200
net.inet.ipf.fr_ipfrttl=120
net.inet.ipf.ipl_unreach=13
net.inet.ipf.ipl_inited=1
net.inet.ipf.fr_authsize=32
net.inet.ipf.fr_authused=0
net.inet.ipf.fr_defaultauthage=600
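The post lists the values before and after but does not spell out which ones the tuning actually changes. The net.inet.ipf.fr_tcp*/fr_udp* sysctls set how long IPFilter keeps a state-table entry for a connection in the corresponding state, so lowering them lets the half-finished connections a worm flood leaves behind expire sooner instead of filling the table. The script below is an added example, not part of the original post: it parses the Step 1 listing and the Step 3 file (both embedded here as constructed input, copied from the post), reports which sysctls the new configuration shortens, which it leaves untouched, and which names appear in the file but not in the live listing (the post's file sets net.inet.ipf.ipl_inited, which the listing does not show). Running it against a real `sysctl -a | grep net.inet.ipf` capture is a quick way to confirm that the boot-time file and the running kernel agree.

```python
"""Compare live IPFilter sysctl values with the desired /etc/sysctl.conf settings."""

# Constructed input: the live listing from the post's Step 1.
LIVE_SYSCTL_OUTPUT = """\
net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 514
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_icmpacktimeout: 12
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.ippr_ftp_pasvonly: 0
net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
"""

# Constructed input: the /etc/sysctl.conf contents from the post's Step 3.
DESIRED_SYSCTL_CONF = """\
net.inet.ipf.fr_flags=0
net.inet.ipf.fr_pass=514
net.inet.ipf.fr_active=0
net.inet.ipf.fr_tcpidletimeout=864000
net.inet.ipf.fr_tcpclosewait=60
net.inet.ipf.fr_tcplastack=20
net.inet.ipf.fr_tcptimeout=120
net.inet.ipf.fr_tcpclosed=1
net.inet.ipf.fr_udptimeout=120
net.inet.ipf.fr_icmptimeout=120
net.inet.ipf.fr_defnatage=1200
net.inet.ipf.fr_ipfrttl=120
net.inet.ipf.ipl_unreach=13
net.inet.ipf.ipl_inited=1
net.inet.ipf.fr_authsize=32
net.inet.ipf.fr_authused=0
net.inet.ipf.fr_defaultauthage=600
"""


def parse_sysctl_output(text):
    """Parse 'name: value' lines as printed by `sysctl -a` into a dict of strings."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        values[name.strip()] = value.strip()
    return values


def parse_sysctl_conf(text):
    """Parse 'name=value' lines from sysctl.conf, ignoring blanks and # comments."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        values[name.strip()] = value.strip()
    return values


def compare_tuning(live, desired):
    """Return (changed, missing, untouched).

    changed:   {name: (live_value, desired_value)} where the file differs from the kernel
    missing:   names set in the file but absent from the live listing
    untouched: live names the file does not set at all (they stay at their defaults)
    """
    changed = {}
    missing = []
    for name, want in desired.items():
        if name not in live:
            missing.append(name)
        elif live[name] != want:
            changed[name] = (live[name], want)
    untouched = sorted(set(live) - set(desired))
    return changed, sorted(missing), untouched


def shortened_timeouts(changed):
    """Names whose numeric value the new configuration lowers (shorter state lifetime)."""
    return sorted(n for n, (old, new) in changed.items()
                  if old.isdigit() and new.isdigit() and int(new) < int(old))


def report(live_text=LIVE_SYSCTL_OUTPUT, conf_text=DESIRED_SYSCTL_CONF):
    """Build a human-readable summary; returned as a string so callers can log or print it."""
    changed, missing, untouched = compare_tuning(parse_sysctl_output(live_text),
                                                 parse_sysctl_conf(conf_text))
    lines = ["Values the new configuration changes:"]
    for name in sorted(changed):
        old, new = changed[name]
        lines.append("  %s: %s -> %s" % (name, old, new))
    lines.append("Set in the file but not present in the live listing: %s" % ", ".join(missing))
    lines.append("Live values left at their defaults: %d" % len(untouched))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On a real host, replace the two constructed strings with the output of `sysctl -a | grep net.inet.ipf` and the contents of /etc/sysctl.conf; the `changed` dictionary then tells you exactly which state timeouts differ between the running kernel and what will be loaded at the next boot.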