


 
 - RU.UNIX.BSD ------------------------------------------------------------------
 From : Timur Sabirzyanov                    2:5080/197.197 22 Mar 2002  00:45:10
 To : All
 Subject : ipfw+natd=trouble
 -------------------------------------------------------------------------------- 
 
 
 изнутри всё работает. даже аська.
 а вот извне ни пинг ни http не работают.
 
 мож диверт не там стоит?
 
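 ###
 # $FreeBSD: /etc/rc.firewall
 #
 # ipfw + natd rule set for a FreeBSD 4.4 NAT gateway: vr0 faces the LAN,
 # vr1 faces the outside world.  Rules are walked in numeric order; the first
 # matching allow/deny/reject/unreach ends the search, while "count" and
 # "divert" let the packet continue.  Every packet passes the list twice
 # (once on the interface it enters, once on the interface it leaves).
 #
 # The last rule (65000) is a logging deny, so anything no earlier rule
 # accepts is reported through syslog together with the number of the
 # dropping rule (on FreeBSD 4.x that ends up in /var/log/security).  That
 # log plus "ipfw show" (rule counters) are the first things to look at when
 # traffic from outside does not arrive.  As written, rule 07100 admits ICMP
 # in both directions and rule 08000 admits TCP SYNs to ${oip} port 80, so a
 # failing inbound ping/http is not explained by the rules alone -- if no
 # rule number shows up in the log, check natd's command-line options, that
 # the daemons really listen on ${oip}, and routing on the outside.
 #
 # Fixes versus the posted copy: rules 06500/06600 had been wrapped over two
 # lines (a rule ending in "via" is incomplete and would be rejected), and
 # rules 00400/00500 named the outside interface literally instead of via
 # ${oif}.
 #

 # -q keeps the script quiet while the rule set is replaced (useful over a
 # remote session); -f flush removes every existing rule without prompting.
 fwcmd="/sbin/ipfw -q"
 ${fwcmd} -f flush

 # LAN side

 iif="vr0"
 inet="192.168.1.0"
 imask="255.255.255.0"
 iip="192.168.1.7"

 # outside (addresses redacted by the author)

 oif="vr1"
 onet="x.x.x.0"
 omask="255.255.255.128"
 oip="x.x.x.x"

 # standard loopback rules: everything on lo0 is fine, but 127/8 must never
 # appear on a real interface in either direction

 ${fwcmd} add 00100 allow all from any to any via lo0
 ${fwcmd} add 00200 reject all from any to 127.0.0.0/8
 ${fwcmd} add 00300 reject ip from 127.0.0.0/8 to any

 # netbios: answer with ICMP "protocol unreachable" on the outside interface
 # (referenced through ${oif} so the interface name lives in one place)

 ${fwcmd} add 00400 unreach protocol tcp from any to any 136-139 via ${oif}
 ${fwcmd} add 00500 unreach protocol udp from any to any 136-139 via ${oif}

 # anti-spoofing: LAN source addresses never enter on the outside interface,
 # outside source addresses never enter on the LAN interface

 ${fwcmd} add 01000 deny all from ${inet}:${imask} to any in via ${oif}
 ${fwcmd} add 01100 deny all from ${onet}:${omask} to any in via ${iif}

 # private / reserved destinations must not cross the outside interface.
 # These "to ..." checks sit BEFORE the divert rule on purpose: for inbound
 # packets natd rewrites the destination to a LAN address, so checking the
 # destination after natd would drop legitimate replies.

 ${fwcmd} add 02000 deny all from any to 0.0.0.0/8 via ${oif}
 ${fwcmd} add 02100 deny all from any to 10.0.0.0/8 via ${oif}
 ${fwcmd} add 02200 deny all from any to 169.254.0.0/16 via ${oif}
 ${fwcmd} add 02300 deny all from any to 172.16.0.0/12 via ${oif}
 ${fwcmd} add 02400 deny all from any to 192.0.2.0/24 via ${oif}
 ${fwcmd} add 02500 deny all from any to 192.168.0.0/16 via ${oif}
 ${fwcmd} add 02600 deny all from any to 224.0.0.0/4 via ${oif}
 ${fwcmd} add 02700 deny all from any to 240.0.0.0/4 via ${oif}

 # NAT: everything crossing ${oif} is handed to natd on the divert port.
 # ipfw drops diverted packets when nothing is bound to that port, so natd
 # has to be running before this rule set is useful.  Outbound packets come
 # back with their source rewritten to ${oip}, inbound ones with their
 # destination rewritten to the LAN host (when natd has a mapping for them).

 ${fwcmd} add 03000 divert natd all from any to any via ${oif}

 # private / reserved SOURCES, checked AFTER natd: by now outbound packets
 # carry ${oip} as source, so LAN traffic is not caught here, while a packet
 # from outside that still claims a private source is dropped.

 ${fwcmd} add 04000 deny all from 0.0.0.0/8 to any via ${oif}
 ${fwcmd} add 04100 deny all from 10.0.0.0/8 to any via ${oif}
 ${fwcmd} add 04200 deny all from 169.254.0.0/16 to any via ${oif}
 ${fwcmd} add 04300 deny all from 172.16.0.0/12 to any via ${oif}
 ${fwcmd} add 04400 deny all from 192.0.2.0/24 to any via ${oif}
 ${fwcmd} add 04500 deny all from 192.168.0.0/16 to any via ${oif}
 ${fwcmd} add 04600 deny all from 224.0.0.0/4 to any via ${oif}
 ${fwcmd} add 04700 deny all from 240.0.0.0/4 to any via ${oif}

 # traffic accounting: "count" only increments the rule counters (shown by
 # "ipfw show"), the packet keeps going.  Per-host pairs for .1, .3, .4, .5.

 ${fwcmd} add 05000 count ip from not 192.168.1.0/24 to 192.168.1.0/24
 ${fwcmd} add 05100 count ip from 192.168.1.0/24 to not 192.168.1.0/24
 ${fwcmd} add 05200 count ip from not 192.168.1.0/24 to 192.168.1.1
 ${fwcmd} add 05300 count ip from 192.168.1.1 to not 192.168.1.0/24
 ${fwcmd} add 05400 count ip from not 192.168.1.0/24 to 192.168.1.3
 ${fwcmd} add 05500 count ip from 192.168.1.3 to not 192.168.1.0/24
 ${fwcmd} add 05600 count ip from not 192.168.1.0/24 to 192.168.1.4
 ${fwcmd} add 05700 count ip from 192.168.1.4 to not 192.168.1.0/24
 ${fwcmd} add 05800 count ip from not 192.168.1.0/24 to 192.168.1.5
 ${fwcmd} add 05900 count ip from 192.168.1.5 to not 192.168.1.0/24

 # TCP segments of an already established connection (ACK or RST set) pass
 # in every direction; only connection setup (SYN) is filtered below.

 ${fwcmd} add 06000 allow tcp from any to any established

 # LAN.  06500/06600 must each be a single line.

 ${fwcmd} add 06500 allow tcp from ${inet}:${imask} to ${inet}:${imask} via ${iif} setup
 ${fwcmd} add 06600 allow udp from ${inet}:${imask} to ${inet}:${imask} via ${iif}
 # 06700: any TCP connection initiated by a LAN host (to the gateway or to be
 # forwarded).  06800: any TCP connection leaving toward the LAN, whatever
 # its origin -- that includes the gateway itself and, after natd has
 # rewritten the destination, connections initiated from outside.  Narrow
 # this to "from ${iip}" / specific hosts if inbound redirects are not wanted.
 ${fwcmd} add 06700 allow tcp from any to any in  via ${iif} setup
 ${fwcmd} add 06800 allow tcp from any to any out via ${iif} setup

 # ICMP: fragments are dropped, everything else is allowed in both
 # directions -- every type, including redirects.  Restricting this to
 # "icmptypes 0,3,8,11" keeps ping, unreachables and traceroute working
 # while dropping the rest.

 ${fwcmd} add 07000 deny  icmp from any to any frag
 ${fwcmd} add 07100 allow icmp from any to any

 # services we offer to the outside: new TCP connections to these ports on
 # ${oip}, plus DNS over UDP

 ${fwcmd} add 08000 allow tcp from any to ${oip} 21,22,25,53,80,110,443 setup
 ${fwcmd} add 08400 allow udp from any to ${oip} 53

 # services from us.  Note that the port list here is matched against the
 # SOURCE port of packets leaving ${oip}: 09000 admits SYNs originating from
 # those local ports, 09200 admits UDP sent from our port 53 (DNS answers
 # and resolver queries with a fixed source port).  There is no rule for
 # other outbound UDP, so UDP from LAN hosts to the outside (for instance
 # queries to an external resolver, which carry an arbitrary source port)
 # falls through to 65000 -- unnoticed as long as the LAN resolves through
 # this gateway.

 ${fwcmd} add 09000 allow tcp from ${oip} 21,22,25,53,80,110,443 to any setup
 ${fwcmd} add 09200 allow udp from ${oip} 53 to any

 # all outbound TCP connections (NATed LAN clients included)

 ${fwcmd} add 10000 allow tcp from any to any out via ${oif} setup

 # everything else is denied and logged; logamount 1000 caps the number of
 # log entries this rule may produce until its counter is reset
 # ("ipfw resetlog" / "ipfw zero").

 ${fwcmd} add 65000 deny log logamount 1000 all from any to any

 ### EOF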
 
 p.s. freebsd 4.4r
 
                                                             WBR, Tim.
 ... cooler's song
 --- Колесо мог изобрести только круглый идиот.
  * Origin: mailto:youaskme@mail.ru (2:5080/197.197)
 
 
