
 
 - RU.UNIX.BSD ------------------------------------------------------------------
 From : Igor Nikolaev                        2:5030/266     26 May 2006  19:00:21
 To : Alex Loginov
 Subject : Re: rc.ipfw
 -------------------------------------------------------------------------------- 
 
 Alex Loginov <Alex_Loginov@p4.f80.n5040.z2.fidonet.org> wrote:
 
 > Не будет ли кто любезен кинуть в меня своим РЕАЛЬНО работающим
 > сабжем.
 
 У нас вот так. Это firewall для *внутренней* сети.
 ip сетей я поменял/поубирал. Мочить солить по вкусу.
 Каждый конкретный роутер в каталоге
 /usr/local/etc/ipfw/
 имеет свой файл с конкретизацией по машинам.
 
 #!/bin/sh
 # United firewall configuration
 # v 1.15
 # Copyleft 1992..2006 www.spb.edu
  
 # Where configuration errors are reported (see the check at the end)
 mailto="igor@hq.pu.ru"
 
 # VTC control network and its backbone
 vtc="сеть/24"
 vtcbb="другая_сеть/24"
 
 # Hosts referenced by the rules below
 gw="айпи"                   # used together with $mail_ports by mailws()
 xi="айпи"
 noc="айпи"
 pay="айпи"
 unikassa_www="айпи"
 unikassa_oper="айпи"
 # 23 (telnet) and 540 (uucp) are legacy cleartext services
 mail_ports="23,25,110,540"
 
 # Nameservers
 ns1="айпи"
 ns2="айпи"
 
 # Per-router rule file, named after the short hostname of this machine
 rules=/usr/local/etc/ipfw/$(/bin/hostname -s)
  
 # "rc.ipfw echo" is a dry run: every rule is printed instead of loaded.
 # $ipfw stays a two-word command ("/sbin/ipfw -q"), so it is expanded unquoted.
 case "${1}" in
   echo) ipfw="/bin/echo" ;;
   *)    ipfw="/sbin/ipfw -q" ;;
 esac
  
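 # ip IFACE: print the IPv4 address of interface IFACE.
 # Only lines whose first field is exactly "inet" are used, so an "inet6"
 # line can never be picked up by mistake. An interface with several IPv4
 # aliases still prints one address per line; the callers expect exactly one.
 ip () { /sbin/ifconfig "$1" | awk '$1 == "inet" { print $2; }'; }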
 
 # Rule numbering: every helper family takes the next free number from its
 # own counter (*_num) and advances it by *_step.
 rule0_num=100   rule0_step=5    # add0 / divert
 rule_num=1000   rule_step=10    # add / pass / deny (and pipe)
 rule2_num=20000 rule2_step=1    # add2 / pass2 / deny2
 rule3_num=30000 rule3_step=1    # add3 / pass3
 
 # Pass and deny rules
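 # add0 RULE...: add RULE under the next number of the divert range (rule0_*).
 # $ipfw is left unquoted on purpose: it may carry the "-q" option as a second word.
 add0 () { rule0_num=$((rule0_num + rule0_step)); $ipfw add "$rule0_num" "$@"; }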
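 # add RULE...: add RULE under the next number of the main range (rule_*).
 # $ipfw is left unquoted on purpose: it may carry the "-q" option as a second word.
 add () { rule_num=$((rule_num + rule_step)); $ipfw add "$rule_num" "$@"; }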
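 # add2 RULE...: add RULE under the next number of the client range (rule2_*).
 # $ipfw is left unquoted on purpose: it may carry the "-q" option as a second word.
 add2 () { rule2_num=$((rule2_num + rule2_step)); $ipfw add "$rule2_num" "$@"; }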
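 # add3 RULE...: add RULE under the next number of the outgoing range (rule3_*).
 # $ipfw is left unquoted on purpose: it may carry the "-q" option as a second word.
 add3 () { rule3_num=$((rule3_num + rule3_step)); $ipfw add "$rule3_num" "$@"; }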
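 # pass RULE...: "pass RULE" in the main range (via add).
 pass () { add pass "$@"; }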
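 # pass2 RULE...: "pass RULE" in the client range (via add2).
 pass2 () { add2 pass "$@"; }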
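 # pass3 RULE...: "pass RULE" in the outgoing range (via add3).
 pass3 () { add3 pass "$@"; }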
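 # deny RULE...: "deny RULE" in the main range (via add).
 deny () { add deny "$@"; }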
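 # deny2 RULE...: "deny RULE" in the client range (via add2).
 deny2 () { add2 deny "$@"; }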
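 # divert RULE...: "divert RULE" in the divert range (via add0).
 divert () { add0 divert "$@"; }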
 
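 # backbone IFACE: pass everything crossing interface IFACE in either direction.
 backbone () { pass all from any to any via "$1"; }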
 
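 # segment IFACE: let this router's own address on IFACE send out of, and be
 # reached through, that interface. The address is looked up once.
 segment () {
   local addr
   addr=$(ip "$1")
   pass ip from "$addr" to any out xmit "$1"
   pass ip from any to "$addr" in recv "$1"
 }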
 
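 # any HOST: unrestricted access to and from HOST (a full bypass of the
 # rest of the policy for that address).
 any () {
   pass all from "$1" to any
   pass all from any to "$1"
 }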
 
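 # lan IFACE...: free access for a list of interfaces. Each interface may
 # talk to anything on itself (both directions, using its own address), and
 # traffic may be forwarded between any two *distinct* interfaces of the list.
 lan () {
   local i j addr
   for i in "$@"; do
     addr=$(ip "$i")
     pass ip from "$addr" to any via "$i"
     pass ip from any to "$addr" via "$i"
     for j in "$@"; do
       # an interface never gets a forwarding rule to itself
       if [ "$i" != "$j" ]; then
         pass all from any to any out recv "$i" xmit "$j"
       fi
     done
   done
 }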
 
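 # pipe IP BW: limit traffic going *to* IP to bandwidth BW ([K|M]{bit/s|Byte/s}).
 # The pipe takes its number from the main rule counter with the same step as
 # add(), so pipe numbers and pass/deny numbers can never collide.
 pipe () {
   rule_num=$((rule_num + rule_step))
   $ipfw pipe "$rule_num" config bw "$2"
   $ipfw add "$rule_num" pipe "$rule_num" ip from any to "$1" out
 }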
 
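 # client HOST: workstation that may only open outgoing tcp connections.
 # Replies to its own connections (established) are let in, every other
 # incoming tcp is denied, then all outgoing tcp is allowed.
 client () {
   pass2 tcp from any to "$1" established
   deny2 tcp from any to "$1"
   pass3 tcp from "$1" to any
 }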
 
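 # mailws HOST: workstation that may only reach the mail ports on $gw
 # (and receive the answers from them).
 mailws () {
   pass tcp from "$1" to "$gw" "$mail_ports"
   pass tcp from "$gw" "$mail_ports" to "$1"
 }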
 
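 # server HOST PORT...: server reachable only on the listed tcp ports;
 # for each port the incoming connection and its established replies are passed.
 # (The header comment mentions control snmp, but no snmp rule is added here.)
 server () {
   local host port
   host=$1
   shift
   for port in "$@"; do
     pass tcp from any to "$host" "$port"
     pass tcp from "$host" "$port" to any established
   done
 }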
 
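 # sip HOST: SIP phone. Full ip access to/from the VTC backbone ($vtcbb)
 # plus udp 41000<->41000 with anyone.
 sip () {
   pass ip from "$vtcbb" to "$1"
   pass ip from "$1" to "$vtcbb"
   pass udp from "$1" 41000 to any 41000
   pass udp from any 41000 to "$1" 41000
 }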
 
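 # Drop the whole current rule set before loading the new one.
 $ipfw -f flush
 
 # Test and idiotic: loopback only via lo0, never 127/8 on a real interface.
 pass all from any to any via lo0
 deny log all from any to 127.0.0.0/8
 deny log all from 127.0.0.0/8 to any
 
 # Private (RFC1918) ranges: denied and logged in both directions.
 deny log all from any to 10.0.0.0/8
 deny log all from 10.0.0.0/8 to any
 deny log all from any to 172.16.0.0/12
 deny log all from 172.16.0.0/12 to any
 deny log all from any to 192.168.0.0/16
 deny log all from 192.168.0.0/16 to any
 
 # SSH
 #pass tcp from any to any 22 in
 #pass tcp from any 22 to any out established
 # OSPF
 pass all from any to 224.0.0.5
 pass all from any to 224.0.0.6
 
 # Emergency hole: $noc bypasses every other rule in both directions, so
 # that host has to be protected as carefully as the router itself.
 pass all from $noc to any
 pass all from any to $noc
 
 # Default - deny. ipfw matches in rule-number order, not in the order the
 # rules are added, so 65000 is consulted last although it is added here.
 #$ipfw add 65000 deny log all from any to any
 $ipfw add 65000 deny all from any to any
 
 # Main rules (this lo0 / 127.0.0.0/8 pair repeats the rules above; harmless)
 pass all from any to any via lo0
 deny all from any to 127.0.0.0/8
 
 # Traceroute: numbered just below the default deny
 $ipfw add 64950 pass udp from any to any 33434-33523
 
 #pass all from $vtc to any
 #pass all from any to $vtc
 #pass tcp from any to any established
 
 # Multicast (with ospf!)
 pass all from any to 224.0.0.0/3
 
 # Named (old): the whole control network may query and be queried on 53
 pass tcp from $vtc to any 53
 pass tcp from any 53 to $vtc
 pass udp from $vtc to any 53
 pass udp from any 53 to $vtc
 pass udp from any to $vtc 53
 pass udp from $vtc 53 to any
 
 # Named (new): the two dedicated nameservers
 pass tcp from $ns1 to any 53
 pass tcp from any 53 to $ns1
 pass udp from $ns1 to any 53
 pass udp from any 53 to $ns1
 pass udp from any to $ns1 53
 pass udp from $ns1 53 to any
 pass tcp from $ns2 to any 53
 pass tcp from any 53 to $ns2
 pass udp from $ns2 to any 53
 pass udp from any 53 to $ns2
 pass udp from any to $ns2 53
 pass udp from $ns2 53 to any
 
 # Pay (http & https)
 pass tcp from any to $pay 80
 pass tcp from $pay 80 to any established
 pass tcp from any to $pay 443
 pass tcp from $pay 443 to any established
 
 # Unikassa (http & https)
 pass tcp from any to $unikassa_www 80
 pass tcp from $unikassa_www 80 to any established
 pass tcp from any to $unikassa_www 443
 pass tcp from $unikassa_www 443 to any established
 pass tcp from any to $unikassa_oper 80
 pass tcp from $unikassa_oper 80 to any established
 pass tcp from any to $unikassa_oper 443
 pass tcp from $unikassa_oper 443 to any established
 
 # SNMP: polling from the control network only
 pass udp from any 161 to $vtc
 pass udp from $vtc to any 161
 
 # Time
 pass udp from any to $vtc 123
 pass udp from $vtc 123 to any
 pass udp from any to $vtcbb 123
 pass udp from $vtcbb 123 to any
 
 # ICMP: fragments are dropped first, everything else is allowed
 deny icmp from any to any frag
 pass icmp from any to any
 
 # DHCP (no idea how it actually works)
 #pass udp from any to any 67
 #pass udp from any to any 68
 
 # smb to xi
 pass udp from any to $xi 137
 pass udp from any to $xi 139
 pass udp from $xi to any 137
 pass udp from $xi to any 139
 
 # Router rules: the per-router file is named after this host (see $rules)
 # and is *sourced*, i.e. executed as shell with this script's privileges,
 # so that directory must stay writable by administrators only. It has to
 # mention "backbone" (the minimal sanity check that it is a real router
 # config) before it is used; otherwise the problem is mailed and only the
 # generic rules above stay in force.
 if [ -r "$rules" ] && grep -q backbone "$rules"; then
   . "$rules"
 else
   printf '%s\n' "$rules" | mail -s "$rules conf bug!" "$mailto"
 fi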
 
 # end
 
 -- 
 И
 --- ifmail v.2.12.os.sensi
  * Origin: Что молчишь, не поймал?! (2:5030/266@fidonet)
 
 
