ru.unix.bsd- RU.UNIX.BSD ------------------------------------------------------------------
From : Andrey Lugovoy 2:5020/400 26 Jan 2005 12:08:48
To : Alexey Pirogov
Subject : Re: Hастpоить...
--------------------------------------------------------------------------------
Hello, Alexey!
You wrote to All on Tue, 25 Jan 2005 19:35:31 +0300:
AP> НН[ю]НННННННННННННННННННННН[ Hello All! ]НННННННННННННННННННННН[ю]НН
AP> Интеpесyют пpимеpы конфигов pаботающих для всего этого дела...
реальные конфиги. сам в свое время очень искал именно реальные. спасибо всем, кто помог. очень просветило и прочистило мозги именно на реальных примерах.
+ проксей стоит oops на 3128
- --- /etc/rc.conf ---
natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="vr0" # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"
firewall_enable="YES"
firewall_script="/etc/firewall.conf"
- ---
guru(root):~#>cat /etc/natd.conf
same_ports yes
use_sockets yes
guru(root):~#>cat /etc/firewall.conf
#
# 440hz was here
#
# ipfw ruleset for a FreeBSD NAT gateway: vr0 faces the provider
# (213.159.108.128/29), vr1 faces the LAN (192.168.0.0/24), natd is
# diverted at the "NAT" rule, the oops proxy listens on 3128.
# Rules are evaluated in order; the first matching allow/deny wins and
# the last rule denies everything else.
fwcmd="/sbin/ipfw -q"
extnet="213.159.108.128/29"
extip="213.159.108.130"
ext="vr0"
locnet="192.168.0.0/24"
locip="192.168.0.1"
loc="vr1"
sa="192.168.0.208"
${fwcmd} -f flush
# SECURITY
# Dynamic (keep-state) rules are matched here, ahead of NAT.
# NOTE(review): because check-state runs before the divert rule, a dynamic
# rule created for NATed LAN traffic would match the reply before natd
# un-translates it — presumably why the LAN rules below are stateless.
# Keep that in mind before converting any of them to keep-state.
${fwcmd} add check-state
##############################################
# NOTE(review): SSH is accepted from any address on any interface, including
# the public vr0. Unless remote administration from the Internet is intended,
# restrict it, e.g.: pass tcp from ${locnet} to me ssh in via ${loc} setup keep-state
${fwcmd} add pass tcp from any to me ssh
${fwcmd} add pass tcp from me ssh to any
# NAT
${fwcmd} add divert natd all from any to any via ${ext}
#
# NOTE(review): the per-host rules from here down to the Citrix rules are
# stateless, match on address/port only and sit ahead of the "Stop spoofing"
# rules, so a packet arriving in via ${ext} carrying one of these LAN
# addresses is accepted here before the anti-spoofing check sees it.
# Consider moving the two "Stop spoofing" rules up to just after check-state.
${fwcmd} add pass tcp from 192.168.0.191 to any
${fwcmd} add pass tcp from any to 192.168.0.191
# ICMP
# All ICMP types, both directions, forwarded traffic included.
${fwcmd} add pass icmp from any to any
# LOOPBACK
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
# SA (tcp 4899) — the return rule is stateless and keyed on the source port only
${fwcmd} add pass tcp from ${sa} to any 4899
${fwcmd} add pass tcp from any 4899 to ${sa}
# 244 (tcp 3389) — same stateless pattern
${fwcmd} add pass tcp from 192.168.0.244 to any 3389
${fwcmd} add pass tcp from any 3389 to 192.168.0.244
# 192.168.1.2
# NOTE(review): 192.168.1.2 is outside ${locnet}; these two rules pass every
# protocol to and from it on any interface. Confirm which interface it is
# reached through and pin the rules to it with "via".
${fwcmd} add pass all from any to 192.168.1.2
${fwcmd} add pass all from 192.168.1.2 to any
# Citrix ICA (tcp 1494, udp 1604)
# NOTE(review): "from any 1494 to any" matches on the SOURCE port alone, with
# no direction, interface or setup qualifier: any TCP packet whose source port
# is 1494 (or UDP source port 1604) is accepted to any destination and any
# port — including every service on the gateway itself — ahead of the final
# deny. Tie these to the Citrix server's address and a direction, e.g.
#   pass tcp from ${locnet} to <citrix-server> 1494 out via ${ext}
#   pass tcp from <citrix-server> 1494 to ${locnet} in via ${ext}
# (which side the server is on cannot be told from this file — confirm).
${fwcmd} add pass tcp from any 1494 to any
${fwcmd} add pass tcp from any to any 1494
${fwcmd} add pass udp from any 1604 to any
${fwcmd} add pass udp from any to any 1604
# Stop spoofing
# NOTE(review): "logamount 0" lifts the per-rule log cap (per ipfw(8), 0 means
# unlimited) and so overrides IPFIREWALL_VERBOSE_LIMIT=500 from the kernel
# config; a spoof flood can then fill syslog. Prefer a finite value such as
# logamount 100.
${fwcmd} add deny log logamount 0 all from ${locnet} to any in via ${ext}
${fwcmd} add deny log logamount 0 all from ${extnet} to any in via ${loc}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from ${locnet} to ${locip} 3128 established
${fwcmd} add pass tcp from me to any established
${fwcmd} add pass tcp from any to me established
${fwcmd} add deny tcp from any to any established
# Inbound services on the gateway itself (new connections)
# Mail: SMTP (send/receive)
${fwcmd} add pass tcp from any to me smtp setup
# Mail: POP3 (retrieval)
${fwcmd} add pass tcp from any to me pop3 setup
# WWW
# (no "setup" here, unlike the smtp/pop3 rules above; non-SYN segments are
# already covered by the established rules, so add setup for consistency)
${fwcmd} add pass tcp from any to me http
# FTP
# NOTE(review): only the control port is opened; passive-mode data
# connections presumably get through via the catch-all
# "pass all from any to me keep-state" below — if that rule is tightened,
# allow the server's passive port range here.
${fwcmd} add pass tcp from any to me 21
# Allow access to our DNS
# NOTE(review): the name server answers any address on any interface. If it
# recurses for arbitrary clients this is an open resolver usable for
# amplification — confirm recursion is limited to ${locnet} in named's config.
${fwcmd} add pass tcp from any to me domain setup
${fwcmd} add pass udp from any to me domain
${fwcmd} add pass udp from me domain to any
# Allow DNS queries out in the world
${fwcmd} add pass udp from me to any domain keep-state
# ME — connections originated by the gateway itself
${fwcmd} add pass tcp from me to any 80 setup
${fwcmd} add pass tcp from me to any 81 setup
${fwcmd} add pass tcp from me to any 443 setup
${fwcmd} add pass tcp from me to any setup
${fwcmd} add pass udp from me to any keep-state
${fwcmd} add pass all from me to any keep-state
#OOPS — the proxy is meant to be reachable from the LAN only
${fwcmd} add pass tcp from ${locnet} to ${locip} 3128 setup
# NOTE(review): the next rule has no source, interface or direction
# qualifier, so it accepts any TCP SYN (and any UDP or other protocol) from
# ANY address to any of the gateway's own addresses and creates a dynamic
# rule for it, before the "deny tcp ... setup" below. The explicit
# smtp/pop3/http/ftp/dns allows above are therefore not the effective policy
# for the host: every listening port — oops on 3128 included, if it binds
# all addresses — is reachable from vr0. The counters in the ipfw output
# below (rule 04200: 553 packets) show it is being hit. If it is meant for
# LAN access to the gateway, scope it:
#   ${fwcmd} add pass all from ${locnet} to me keep-state in via ${loc}
${fwcmd} add pass all from any to me keep-state
# Default deny for everything not explicitly allowed above
${fwcmd} add deny tcp from any to any setup
${fwcmd} add reject udp from any to any 135,137,138
${fwcmd} add reject udp from any to me 1900
${fwcmd} add deny all from any to any
guru(root):~#>ipfw sh
00100 0 0 check-state
00200 377 19856 allow tcp from any to me 22
00300 323 52144 allow tcp from me 22 to any
00400 77305 18355587 divert 8668 ip from any to any via vr0
00500 0 0 allow tcp from 192.168.0.191 to any
00600 0 0 allow tcp from any to 192.168.0.191
00700 249 14296 allow icmp from any to any
00800 77806 13609958 allow ip from any to any via lo0
00900 0 0 deny ip from any to 127.0.0.0/8
01000 0 0 deny ip from 127.0.0.0/8 to any
01100 0 0 allow tcp from 192.168.0.208 to any 4899
01200 0 0 allow tcp from any 4899 to 192.168.0.208
01300 0 0 allow tcp from 192.168.0.244 to any 3389
01400 0 0 allow tcp from any 3389 to 192.168.0.244
01500 0 0 allow ip from any to 192.168.1.2
01600 0 0 allow ip from 192.168.1.2 to any
01700 37978 5022574 allow tcp from any 1494 to any
01800 43106 2047490 allow tcp from any to any 1494
01900 8 608 allow udp from any 1604 to any
02000 5 290 allow udp from any to any 1604
02100 0 0 deny log ip from 192.168.0.0/24 to any in recv vr0
02200 0 0 deny log ip from 213.159.108.128/29 to any in recv vr1
02300 12487 1319403 allow tcp from 192.168.0.0/24 to 192.168.0.1 3128 established
02400 32093 14508036 allow tcp from me to any established
02500 16504 8486474 allow tcp from any to me established
02600 0 0 deny tcp from any to any established
02700 132 6648 allow tcp from any to me 25 setup
02800 218 10632 allow tcp from any to me 110 setup
02900 47 2580 allow tcp from any to me 80
03000 0 0 allow tcp from any to me 21
03100 0 0 allow tcp from any to me 53 setup
03200 1130 80086 allow udp from any to me 53
03300 1130 167692 allow udp from me 53 to any
03400 6941 802747 allow udp from me to any 53 keep-state
03500 953 57164 allow tcp from me to any 80 setup
03600 0 0 allow tcp from me to any 81 setup
03700 0 0 allow tcp from me to any 443 setup
03800 301 18060 allow tcp from me to any setup
03900 0 0 allow udp from me to any keep-state
04000 0 0 allow ip from me to any keep-state
04100 2068 99264 allow tcp from 192.168.0.0/24 to 192.168.0.1 3128 setup
04200 553 33912 allow ip from any to me keep-state
04300 282 13536 deny tcp from any to any setup
04400 1444 224917 unreach host udp from any to any 135,137,138
04500 0 0 unreach host udp from any to me 1900
04600 112 22839 deny ip from any to any
65535 0 0 allow ip from any to any
- --- ядро
#########################################
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
# Per-rule log cap; note the ruleset above overrides it with "logamount 0".
options IPFIREWALL_VERBOSE_LIMIT=500
# NOTE(review): with DEFAULT_TO_ACCEPT the implicit rule 65535 is
# "allow ip from any to any" (see the ipfw output above). If
# /etc/firewall.conf fails to load, the gateway and the NAT path are wide
# open. Once the ruleset is trusted, drop this option (default deny) — the
# script's final "deny all" already assumes that behaviour.
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
#########################################
With best regards, Andrey Lugovoy.
E-mail: andrey.lugovoy@billing.ru
--- ifmail v.2.15dev5.3
* Origin: Demos online service (2:5020/400)
Вернуться к списку тем, сортированных по: возрастание даты уменьшение даты тема автор