Главная страница
О проекте Навигация Контакт
Поиск


ru.unix.bsd

 
 - RU.UNIX.BSD ------------------------------------------------------------------
 From : Aleksey Makeev                       2:5023/20.7    16 Mar 2002  21:02:56
 To : All
 Subject : ipfw
 -------------------------------------------------------------------------------- 
 
 
 Помогите, пожалуйста, извините за глупый вопрос.
 Покажите пальцем ошибку.
 
 Связка ipfw+ipnat. NAT без firewall'а все транслирует.
 Почему это не работает, и, в частности, 50-е правило?
 Все оседает на 65535-ом.
 Что я забыл открыть?
 
 Мой конфиг:
 
 =================================
 fwcmd="/sbin/ipfw"
 
 # local net settings
 lif="rl0"
 lnet="192.168.0.0/16"
 lip="192.168.1.1"
 
 # external net (internet) settings
 eif="ed0"
 enet="xxx.xxx.xxx.xxx/28"
 eip="xxx.xxx.xxx.yyy"
 
 # from me
 $fwcmd add 50 allow all from $eip to any via $eif
 $fwcmd add 60 allow all from $lip to $lnet via $lif
 
 # loopback
 $fwcmd add 100 allow all from any to any via lo0
 $fwcmd add 110 deny all from any to 127.0.0.0/8
 $fwcmd add 120 deny all from 127.0.0.0/8 to any
 
 # stop spoofing
 $fwcmd add 200 deny all from $lnet to any in via $eif
 $fwcmd add 210 deny all from $enet to any in via $lif
 
 # stop RFC1918 nets on the outside interface
 $fwcmd add 220 deny all from any to 10.0.0.0/8 via $eif
 $fwcmd add 230 deny all from any to 172.16.0.0/12 via $eif
 $fwcmd add 240 deny all from any to 192.168.0.0/16 via $eif
 
 # stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
 # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
 # on the outside interface
 $fwcmd add 250 deny all from any to 0.0.0.0/8 via $eif
 $fwcmd add 260 deny all from any to 169.254.0.0/16 via $eif
 $fwcmd add 270 deny all from any to 192.0.2.0/24 via $eif
 $fwcmd add 280 deny all from any to 224.0.0.0/4 via $eif
 $fwcmd add 290 deny all from any to 240.0.0.0/4 via $eif
 
 # allow ping
 $fwcmd add 300 allow icmp from any to $eip via $eif icmptypes 0
 $fwcmd add 310 allow icmp from any to $eip via $eif icmptypes 8
 $fwcmd add 315 allow icmp from $lnet to $lip via $lif icmptypes 8
 
 # allow traceroute
 $fwcmd add 320 allow udp from $eip to any 33434-33534
 $fwcmd add 325 allow udp from $lip to any 33434-33534
 #*************************
 # Access to local services
 
 # allow access to our mail (SMTP, POP, IMAP)
 $fwcmd add 400 allow tcp from any to $eip 25
 $fwcmd add 410 allow tcp from any to $eip 110
 $fwcmd add 420 allow tcp from any to $eip 143
 
 # allow access to our DNS
 $fwcmd add 430 allow tcp from any to $eip 53
 $fwcmd add 440 allow udp from any to $eip 53
 
 # allow access to our WWW
 $fwcmd add 460 allow tcp from any to $eip 80,8080
 
 # allow access to our FTP
 $fwcmd add 470 allow tcp from any to $eip 20,21
 
 # allow access to SSH
 $fwcmd add 480 allow tcp from any to $eip 22
 
 # send RESET to all ident packets.
 $fwcmd add 490 reset tcp from any to any 113
 
 # allow access to time server
 $fwcmd add 500 allow udp from any ntp to $eip ntp
 $fwcmd add 510 allow udp from $lip ntp to any ntp
 ########################################################
 # Users records
 ########################################################
 
 $fwcmd add 10002 allow all from 192.168.1.2 to any
 $fwcmd add 10003 allow all from 192.168.1.3 to any
 ...
 $fwcmd add 65535 deny all from any to any
 ===============================
 
 Спасибо.
 
 Счастливо!
 
 --- ICQ: 28365228  e-mail: a_makeev@mail.ru
  * Origin: FAQs&Docs Station (2:5023/20.7)

Вернуться к списку тем, сортированных по: возрастание даты  уменьшение даты  тема  автор 

 Тема:    Автор:    Дата:  
 ipfw   Aleksey Makeev   16 Mar 2002 21:02:56 
Архивное /ru.unix.bsd/27433c937e36.html, оценка 2 из 5, голосов 10
Яндекс.Метрика
Valid HTML 4.01 Transitional