 
 - RU.UNIX.BSD ------------------------------------------------------------------
 From : Sergey A. Yakovets                   2:5088/50      19 Apr 2004  19:23:25
 To : All
 Subject : IPFW vs FTPD
 -------------------------------------------------------------------------------- 
 
 
 Есть скрипт. Помогите советом, куда здесь что прописать, чтобы предоставить
 доступ к моему FTPD юзерам из внешней сети. Сам пробовал, ничего толком не
 вышло. Интересует доступ в пассивном режиме. FreeBSD 5.1 Release
 
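 #!/bin/sh
 #
 # ipfw ruleset for a FreeBSD 5.1 router that NATs (natd) a local network on
 # sis0 to the Internet on rl0 and runs an FTP server that must be reachable
 # from outside in passive mode.
 #
 # Usage: run as root (from the rc firewall hook or by hand). Every run
 # flushes the current ruleset first, so a failure part-way through leaves the
 # host protected only by the default rule 65535.
 #
 # ipfw evaluates rules in order and the first matching allow/deny terminates
 # processing for that packet, so the order below is significant.
 
 fwcmd="/sbin/ipfw"          # FireWall execution command
 
 natdinterface="rl0"         # natd interface
 extinterface="rl0"          # External interface
 localinterface="sis0"       # Local interface
 extip="xxx.xxx.xxx.x"       # External IP-address (masked in this posting)
 localip="192.168.0.1"       # Local IP-address (not referenced by any rule below)
 extnet="xxx.xxx.xxx.x/30"   # External network (masked in this posting)
 localnet="192.168.0.0/24"   # Local network
 
 # Passive-mode FTP data ports that ftpd hands out to clients. FreeBSD's ftpd
 # normally takes them from the kernel's "high" port range (sysctl
 # net.inet.ip.portrange.hifirst / .hilast, 49152-65535 by default) — confirm
 # on this host. Narrow that range with sysctl and keep this value identical,
 # otherwise data connections are denied or far more ports than necessary are
 # reachable from outside.
 ftppasvports="49152-65535"
 
 # Reset all firewall rules
 "${fwcmd}" -f flush
 
 # Allow all traffic from any to any via loopback interface
 "${fwcmd}" add pass all from any to any via lo0
 
 # Deny access to loopback's network (anything addressed to 127/8 that did not
 # already match the lo0 rule is spoofed)
 "${fwcmd}" add deny log all from any to 127.0.0.0/8
 
 # Deny loopback network access to other networks
 "${fwcmd}" add deny log all from 127.0.0.0/8 to any
 
 # Anti-spoofing: packets claiming a local source must not arrive on the
 # external interface ...
 "${fwcmd}" add deny log all from "${localnet}" to any in via "${extinterface}"
 
 # ... and packets claiming our external network must not arrive on the local
 # interface
 "${fwcmd}" add deny log all from "${extnet}" to any in via "${localinterface}"
 
 # Deny access to other private networks via external interface
 "${fwcmd}" add deny log all from any to 10.0.0.0/8 via "${extinterface}"
 "${fwcmd}" add deny log all from any to 172.16.0.0/12 via "${extinterface}"
 
 # Deny access to reserved/multicast/broadcast networks via external interface
 "${fwcmd}" add deny log all from any to 0.0.0.0/8 via "${extinterface}"
 "${fwcmd}" add deny log all from any to 169.254.0.0/16 via "${extinterface}"
 "${fwcmd}" add deny log all from any to 224.0.0.0/4 via "${extinterface}"
 "${fwcmd}" add deny log all from any to 240.0.0.0/4 via "${extinterface}"
 
 # natd: translate outgoing packets from the local network and incoming packets
 # addressed to the external address. After a divert the (rewritten) packet
 # continues with the next rule.
 # NOTE(review): the inbound rule names a literal address instead of ${extip};
 # presumably it is this host's external address and should read ${extip} —
 # verify before relying on it.
 "${fwcmd}" add divert natd all from "${localnet}" to any via "${natdinterface}"
 "${fwcmd}" add divert natd all from any to 213.211.121.5 via "${natdinterface}"
 
 # Deny outgoing access to other private networks via external interface
 "${fwcmd}" add deny log all from 10.0.0.0/8 to any via "${extinterface}"
 "${fwcmd}" add deny log all from 172.16.0.0/12 to any via "${extinterface}"
 
 # Deny outgoing access to reserved/multicast/broadcast networks via external
 # interface
 "${fwcmd}" add deny log all from 0.0.0.0/8 to any via "${extinterface}"
 "${fwcmd}" add deny log all from 169.254.0.0/16 to any via "${extinterface}"
 "${fwcmd}" add deny log all from 224.0.0.0/4 to any via "${extinterface}"
 "${fwcmd}" add deny log all from 240.0.0.0/4 to any via "${extinterface}"
 
 # Allow any to any packets via the local interface (the LAN is trusted)
 "${fwcmd}" add allow all from any to any via "${localinterface}"
 
 # Allow this host — and NATed local hosts, whose source is ${extip} after the
 # divert above — to open TCP connections to the outside
 "${fwcmd}" add allow tcp from "${extip}" to any out via "${extinterface}" setup
 
 # Incoming FTP from the outside: the control connection to ftpd (port 21) and
 # the passive-mode data connections the client opens to the advertised port.
 # Both must come before the "established" rule because a new connection's
 # SYN does not match it. Assumes ftpd runs on this host (${extip}); if it runs
 # on a LAN host behind natd, a natd redirect_port for the same ports is also
 # needed — confirm.
 "${fwcmd}" add allow tcp from any to "${extip}" 21 in via "${extinterface}" setup
 "${fwcmd}" add allow tcp from any to "${extip}" "${ftppasvports}" in via "${extinterface}" setup
 
 # Allow all established earlier connections
 "${fwcmd}" add allow tcp from any to any established
 
 # Allow packet's fragments delivery
 "${fwcmd}" add allow all from any to any frag
 
 # DNS: queries to the resolver on this host and its answers, both UDP and TCP
 "${fwcmd}" add allow udp from any to "${extip}" 53 in via "${extinterface}"
 "${fwcmd}" add allow udp from "${extip}" 53 to any out via "${extinterface}"
 "${fwcmd}" add allow tcp from any to "${extip}" 53 in via "${extinterface}"
 "${fwcmd}" add allow tcp from "${extip}" 53 to any out via "${extinterface}"
 # NOTE(review): the next rule admits any inbound UDP whose source port is 53,
 # whatever the destination port, so it is much wider than "DNS answers". It
 # appears to be what lets answers for NATed local clients in (the divert above
 # has already rewritten their destination, so the keep-state entry created by
 # the following rule no longer matches them), so it cannot simply be removed;
 # consider at least restricting the destination, e.g. `to any 1024-65535`.
 "${fwcmd}" add allow udp from any 53 to any in via "${extinterface}"
 "${fwcmd}" add allow udp from "${extip}" to any 53 keep-state
 
 # Allow some types of ICMP packets in: echo reply (0), unreachable (3),
 # echo request (8), time exceeded (11). The type list must stay on the same
 # line as "icmptypes".
 "${fwcmd}" add allow icmp from any to any in via "${extinterface}" icmptypes 0,3,8,11
 "${fwcmd}" add allow icmp from any to any out via "${extinterface}"
 
 # Deny all broadcast packets
 "${fwcmd}" add deny log ip from any to 255.255.255.255
 
 # Deny Windows netbios/RPC ports activity
 "${fwcmd}" add deny udp from any to any 137,138 via "${extinterface}"
 "${fwcmd}" add deny tcp from any to any 135,139 via "${extinterface}"
 # NOTE(review): 443 is HTTPS, not a Windows service port, and is probably a
 # typo for another port of the 135-139/445 family. Outgoing HTTPS should still
 # work because the "setup"/"established" rules above match first, but check
 # the intended list.
 "${fwcmd}" add deny log udp from any to any 536,443,445,593
 "${fwcmd}" add deny log tcp from any to any 536,443,445,593
 
 # Allow broadcast packets and access to dhcpd from local network (disabled).
 # Kept on one line so that, while commented out, the interface name is not
 # executed as a command of its own.
 #"${fwcmd}" add allow udp from any to 255.255.255.255 67,68,69 via "${localinterface}"
 
 # Deny ident requests (answer with RST so clients do not wait for a timeout)
 "${fwcmd}" add reset tcp from any to "${extip}" 113 via "${extinterface}"
 
 # Deny ICQ banners
 "${fwcmd}" add unreach host tcp from 152.163.180.0/24 80 to any
 "${fwcmd}" add unreach host tcp from 205.188.248.0/24 80 to any
 "${fwcmd}" add unreach host tcp from 152.163.56.0/24 80 to any
 "${fwcmd}" add unreach host tcp from 205.188.140.0/24 80 to any
 
 # Deny (and log) everything that did not match above
 "${fwcmd}" add 65534 deny log ip from any to any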
 
     С уважением, Sergey A. Yakovets.
     E-mail: for-transit@yandex.ru    ICQ UIN: 165641526
 
 ... FaqServer 2:5088/50.50    Subj: %HELP %LIST
 ---
  * Origin: "Емельянов" - это не фамилия, а диагноз... (2:5088/50)
 
 
