Форум системных администраторов

Код: Выделить всё

#!/bin/sh

ipfw -q -f flush

IPFW="ipfw add"
SKIP="skipto 800"
EXT="vr0"
INT="rl0"

${IPFW} 005 allow all from any to any via xl0
${IPFW} 010 allow all from any to any via lo0
${IPFW} 014 divert natd ip from any to any in via ${EXT}
${IPFW} 015 check-state
${IPFW} 16 allow ip from any to any via lo0
${IPFW} 18 allow ip from any to any via ${INT}
${IPFW} 020 ${SKIP} udp from any to any 53 via ${EXT}
${IPFW} 022 ${SKIP} udp from any 53 to any via ${EXT}
${IPFW} 040 ${SKIP} tcp from any to any 80 out via ${EXT} setup keep-state
${IPFW} 050 ${SKIP} tcp from any to any 443 out via ${EXT} setup keep-state
${IPFW} 060 ${SKIP} tcp from any to any 1433 out via ${EXT} setup keep-state
${IPFW} 060 ${SKIP} tcp from any to any 5190 out via ${EXT} setup keep-state
${IPFW} 080 ${SKIP} icmp from any to any out via ${EXT} keep-state
${IPFW} 110 ${SKIP} tcp from any to any 22 out via ${EXT} setup keep-state
${IPFW} 300 deny all from 192.168.0.0/16  to any in via ${EXT}  
${IPFW} 301 deny all from 172.16.0.0/12   to any in via ${EXT}
${IPFW} 302 deny all from 10.0.0.0/8      to any in via ${EXT}
${IPFW} 303 deny all from 127.0.0.0/8     to any in via ${EXT}
${IPFW} 304 deny all from 0.0.0.0/8       to any in via ${EXT}
${IPFW} 305 deny all from 169.254.0.0/16  to any in via ${EXT}
${IPFW} 306 deny all from 192.0.2.0/24    to any in via ${EXT}
${IPFW} 307 deny all from 204.152.64.0/23 to any in via ${EXT}
${IPFW} 308 deny all from 224.0.0.0/3     to any in via ${EXT}
${IPFW} 315 deny tcp from any to any 113 in via ${EXT}
${IPFW} 330 deny all from any to any frag in via ${EXT}
${IPFW} 332 deny tcp from any to any established in via ${EXT}
${IPFW} 380 allow tcp from any to me 22 in via ${EXT} setup limit src-addr 2
${IPFW} 400 deny log all from any to any in via ${EXT}
${IPFW} 450 deny log all from any to any out via ${EXT}
${IPFW} 800 divert natd ip from any to any out via ${EXT}
${IPFW} 801 allow ip from any to any
${IPFW} 999 deny log all from any to any

Код: Выделить всё

firewall_enable="YES"
firewall_script="/путь/конфиг"
firewall_logging="YES"
natd_enable="YES"
natd_interface="карта"

Код: Выделить всё

${IPFW} 012 nat 123 config ip ${EXT} log
${IPFW} add 013 nat 123 ip from 192.168.0.0/24 to any
${IPFW} add 014 nat 123 ip from any to ${EXT}

Код: Выделить всё

#!/bin/sh



if [ -z "${source_rc_confs_defined}" ]; then

        if [ -r /etc/defaults/rc.conf ]; then

                . /etc/defaults/rc.conf

                source_rc_confs

        elif [ -r /etc/rc.conf ]; then

                . /etc/rc.conf

        fi

fi



ipfw="/sbin/ipfw -q"



ifout="vr0"

ifuser="vr1"

ipfw -f flush

$ipfw add allow ip from any to any via lo0

$ipfw add deny icmp from any to any in icmptype 5,9,13,14,15,16,17

$ipfw add allow tcp from any to me ssh, 21

$ipfw add allow icmp from any to any icmptype 0, 8



$ipfw add allow tcp from any to me 50000-60000 in via vr0

$ipfw add allow all from any to any 3128,1433,25,80,110,9030,9032,9039,9050-9060,53,21,40000-60000 in via vr1

$ipfw add allow all from any to any out via vr1



$ipfw nat 1 config log if vr0 reset same_ports deny_in redirect_port tcp x.x.x.x:6881 6881 



$ipfw add nat 1 ip from any to any via vr0



$ipfw add deny log all from any to any