ru.unix.bsd - RU.UNIX.BSD
From:    Vladimir Kupriyanov, 2:5080/111.16, 04 Dec 2007 11:23:45
To:      Evgeniy Zhavoronkov
Subject: rules for ipfw
EZ> Can someone suggest a list of rules for a simple gateway with 2 interfaces and services
EZ> 21,22,80 + NAT with tcp/udp redirect
#!/bin/sh
# $FreeBSD: src/etc/rc.firewall,v 1.47.10.1 2005/11/19 06:06:59 ume Exp $
fc="/sbin/ipfw -q add"
extif="rl0"             # external interface
extnet="x.x.x.x/30"
extadr="x.x.x.x"
lanif="xl0"             # internal interface
lannet="192.168.0.0/24"
lanadr="192.168.0.70"
/sbin/ipfw -f -q flush
# ANTI-SPOOFING etc: private and loopback sources must never arrive on the
# outside, and nothing from outside may carry a private destination
${fc} drop all from 192.168.0.0/16 to any recv ${extif}
${fc} drop all from any to 192.168.0.0/16 in recv ${extif}
${fc} drop all from 127.0.0.0/8 to any recv ${extif}
${fc} drop all from 127.0.0.0/8 to any recv ${lanif}
# NAT: LAN traffic leaving the external interface and everything addressed to
# the external address go to natd (these must sit before the allow rules)
${fc} divert natd all from ${lannet} to any out via ${extif}
${fc} divert natd all from any to ${extadr}
# loopback; ipfw matches interface names exactly, so lo0 rather than lo
${fc} allow all from any to any via lo0
# packets belonging to dynamic (keep-state) rules pass here
${fc} check-state
# OUTGOING: the gateway itself may open anything
${fc} allow tcp from me to any setup keep-state
${fc} allow udp from me to any keep-state
${fc} allow icmp from me to any icmptypes 0,3,4,8,11 keep-state
# INCOMING: outside clients may open FTP (20,21) and HTTP (80) on the gateway
${fc} allow tcp from any to ${extadr} 20,21,80 setup keep-state
# TO NAT: LAN hosts may open these ports on hosts other than the gateway
${fc} allow tcp from ${lannet} to not me 20,21,80,8080,3128,443 setup keep-state
${fc} allow icmp from ${lannet} to any icmptypes 0,3,4,8,11 keep-state
# LAN: services the gateway offers to the LAN (DNS, daytime, time, NTP, FTP, HTTP)
${fc} allow udp from ${lannet} to me 53,13,37,123 keep-state
${fc} allow tcp from ${lannet} to me 53,13,37,20,21,80 setup keep-state
# finally: everything else is dropped
${fc} drop all from any to any
Good luck!
Vladimir
---
* Origin: However much you feed the wolf, the elephant's is still bigger (2:5080/111.16)
Archive: /ru.unix.bsd/38774754e4ae.html
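The one part of the question the posted script does not cover is the tcp/udp redirect. The script below is an added example, not code from the original post or from FreeBSD's rc.firewall: it shows natd's -redirect_port together with the ipfw rule order that keeps redirected and LAN-originated connections stateful in both directions. The interface name rl0 and the LAN prefix are taken from the post; the internal host 192.168.0.10, the forwarded ports tcp/22 and udp/1194, the rule numbers and the DRYRUN switch are assumptions made for the example. The point the rules illustrate: natd rewrites the packet and re-injects it at the rule after the divert, and check-state executes the action of the rule that created the dynamic rule (ipfw(8)), so the keep-state rules use skipto to the outbound divert block instead of a plain allow, otherwise a reply from the internal host would leave the external interface untranslated or be dropped after translation.

```shell
#!/bin/sh
# Added example for the tcp/udp redirect part of the question; it is not part
# of the original post. Run as "sh natredir.sh apply" to load the rules; with
# DRYRUN=1 the commands are only printed, which lets the generated rule text be
# inspected on a machine without ipfw.
#
# Assumptions not in the original post: the internal host 192.168.0.10 receives
# the redirected ports, tcp/22 and udp/1194 are the ports being forwarded, and
# rule 500 is the outbound NAT block.

extif="rl0"               # external interface, as in the post
lannet="192.168.0.0/24"   # LAN prefix, as in the post
inhost="192.168.0.10"     # assumed internal host behind the NAT
tcp_port=22
udp_port=1194
natout=500                # rule number of the outbound divert block

# run CMD...: execute CMD, or print it when DRYRUN=1
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# natd must be running before the divert rules exist, otherwise diverted
# packets are dropped. -redirect_port PROTO TARGET:PORT ALIASPORT maps
# external-address:ALIASPORT to TARGET:PORT.
start_natd() {
    run /sbin/natd -n "${extif}" \
        -redirect_port tcp "${inhost}:${tcp_port}" "${tcp_port}" \
        -redirect_port udp "${inhost}:${udp_port}" "${udp_port}"
}

add_redirect_rules() {
    fc="/sbin/ipfw -q add"
    # 1. inbound: translate first, so the rules below see inhost as destination
    run ${fc} 100 divert natd ip from any to any in via "${extif}"
    # 2. dynamic rules are checked here; a match runs the action of the rule
    #    that created the dynamic rule, i.e. the skipto of rules 120/130/200
    run ${fc} 110 check-state
    # 3. the redirected services. skipto, not allow: the reply from inhost is
    #    still untranslated when it reaches the outbound divert at ${natout},
    #    and the dynamic rule (keyed on inhost) must lead there.
    run ${fc} 120 skipto "${natout}" tcp from any to "${inhost}" "${tcp_port}" in via "${extif}" setup keep-state
    run ${fc} 130 skipto "${natout}" udp from any to "${inhost}" "${udp_port}" in via "${extif}" keep-state
    # 4. LAN-originated traffic: state is created on the private address before
    #    translation, replies come back through rule 100 and match at 110
    run ${fc} 200 skipto "${natout}" ip from "${lannet}" to any out via "${extif}" keep-state
    # 5. everything else arriving from outside is dropped
    run ${fc} 400 deny ip from any to any in via "${extif}"
    # 6. outbound translation, then pass the now-translated packet
    run ${fc} "${natout}" divert natd ip from any to any out via "${extif}"
    run ${fc} 510 allow ip from any to any
}

# Without the "apply" argument the script only defines the functions.
if [ "${1:-}" = "apply" ]; then
    start_natd
    add_redirect_rules
fi
```

To merge this with the posted script, keep rule 100 and check-state ahead of the other allow rules and give any keep-state rule whose traffic crosses the external interface the same skipto target; a dynamic rule created by a plain allow would pass the reply before it reaches the outbound divert.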