|
ru.unix.bsd
- RU.UNIX.BSD ------------------------------------------------------------------
From : Dmitry Kolvakh 2:5054/89.1 19 May 2006 18:21:38
To : Eugene Grosbein
Subject : PPPoE & ipfw
--------------------------------------------------------------------------------
Hi Eugene!
19 May 06, Eugene Grosbein wrote to Dmitry Kolvakh:
DK>> Столкнулся с тем, что ipfw требует переустановки правил после
DK>> соединения, вписал его в ppp.linkup.
EG> У меня ничего подобного не требует.
Конфиг немного сумбурный, все никак руки не доходят поудалять лишние правила (их
наросло в процессе экспериментов).
Раньше PPPoE осуществлял роутер DI-604(?), но он конкретно достал своей
глюкавостью.
Ситуация выглядит так: после рестарта машины работает только ping, причем только
на явно заданный IP, хосты не резолвятся. После ipfw restart всё устаканивается.
=8<================== Hачало файла Windows Clipboard ====================
[...skipped...]
[Ss][Ii][Mm][Pp][Ll][Ee])
############
# This is a prototype setup for a simple firewall. Configure this
# machine as a DNS and NTP server, and point all the machines
# on the inside at this machine for those services.
############
# set these to your outside interface network and netmask and ip
# oif="rl0"
# onet="192.168.0.0"
# omask="255.255.255.0"
# oip="192.168.0.200"
oif="tun0"
onet="212.**.***.***"
omask="255.255.255.255"
oip="212.**.***.***"
# set these to your inside interface network and netmask and ip
iif="rl1"
inet="10.0.0.0"
imask="255.255.0.0"
iip="10.0.50.200"
setup_loopback
# Stop spoofing
# ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# ping
${fwcmd} add pass icmp from any to any
# all outbound **********************************
${fwcmd} add pass all from me to any
${fwcmd} add pass tcp from 195.19.***.*/19 to me 22 setup
# Allow DNS queries out in the world
# ${fwcmd} add pass udp from ${oip} to any 53 keep-state
# ${fwcmd} add pass tcp from ${oip} to any 53 setup
# Stop RFC1918 nets on the outside interface
# ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
# ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via
${natd_interface}
fi
;;
esac
# Open POP3, IMAP, SMTP, DNS through NAT
${fwcmd} add pass tcp from 10.0.50.0/28 to any 110,25,143,53 setup
${fwcmd} add pass udp from 10.0.50.0/28 to any 53 keep-state
# Open FTP through NAT
${fwcmd} add pass tcp from 10.0.50.0/28 to any 21,1024-65535 setup
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow SSH from PSTU's ip /keu
${fwcmd} add pass tcp from 195.19.***.*/19 to ${oip} 22 setup
# Allow SSH from internal net
${fwcmd} add pass tcp from ${inet}:${imask} to ${iip} 22 setup
# proxy
${fwcmd} add deny tcp from 10.0.254.254 to ${iip} 3128 setup
${fwcmd} add pass tcp from ${inet}:${imask} to ${iip} 3128 setup
${fwcmd} add pass tcp from 195.19.***.*** to me 3128 setup
# Allow outgoing HTTP & FTP
# ${fwcmd} add pass tcp from ${oip} to any 80 setup
# ${fwcmd} add pass tcp from ${oip} to any 21,1024-65535 setup
# ${fwcmd} add pass tcp from ${oip} to any 20 setup
# Allow setup of incoming email
# ${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
${fwcmd} add pass udp from any to any 53
${fwcmd} add pass udp from any 53 to any
# Allow access to our WWW
${fwcmd} add pass tcp from any to me 80 setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from ${oip} to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
[...skipped...]
=8<================== Кончало файла Windows Clipboard ===================
--
Good Luck! - Dmitry V. Kolvakh aka Keu
--- GoldED+/W32-MINGW 1.1.5-b20060326
* Origin: Я пpишел к тебе с дискетой pассказать,что сеть упала (2:5054/89.1)
Вернуться к списку тем, сортированных по: возрастание даты уменьшение даты тема автор
|
PPPoE & ipfw 