Пример файла с правилами ipfw (скрипт брандмауэра FreeBSD; это не сам rc.conf, а набор правил, который из него запускается)
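# ipfw rule set for a FreeBSD gateway with one outside interface (LanOut) and
# one inside interface (LanIn), NAT done by natd on a divert port, and a small
# set of "privileged" inside hosts.  The script flushes the kernel rule set and
# reloads it from scratch, so every rule below is the complete policy.
#
# ${fwcmd} is deliberately left unquoted everywhere: it must word-split into
# the ipfw binary and its -q flag.
fwcmd="/sbin/ipfw -q"

# Outside interface.
# NOTE(review): NetOut="30" and MaskOut (a /20) do not describe the same
# prefix.  Neither variable is referenced by any rule below, so this is only
# an inconsistency in the declarations — confirm the real prefix before
# using them.
LanOut="xl0"
IPOut="94.158.98.14"
NetOut="30"
MaskOut="255.255.240.0"

# Inside interface.  IPIn and MaskIn are not referenced by any rule below.
LanIn="vr0"
IPIn="192.168.0.10"
NetInIP="192.168.0.0"
NetInMask="24"
MaskIn="255.255.255.0"

# Privileged inside hosts: rules 500-550 let them bypass the inside-interface
# denies at 710/720.
MyIP1="192.168.0.5"
MyIP2="192.168.0.3"
MyIP3="192.168.0.2"

# Resolvers (not referenced by any rule below).  The original assigned dns3
# twice, silently discarding 62.117.97.2; the fourth entry is now dns4.
dns1="94.158.96.2"
dns2="94.158.96.4"
dns3="62.117.97.2"
dns4="195.34.32.116"

# Start from an empty rule set — required, otherwise every reload would
# append a second copy of the rules.
${fwcmd} -f flush

# Loopback passes unconditionally.  The interface is named lo0; ipfw compares
# the full interface name, so a bare "lo" is not expected to match it.
${fwcmd} add 10 pass all from any to any via lo0
# Let packets of existing keep-state sessions (rule 70) through early.
${fwcmd} add 40 check-state
# Drop inbound ICMP redirect (5), router advertisement (9), timestamp (13/14),
# information (15/16) and address-mask (17) messages; allow all other ICMP.
${fwcmd} add 60 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${fwcmd} add 61 allow icmp from any to any
# Outbound TCP from this host on the outside interface, stateful.
${fwcmd} add 70 allow tcp from me to any keep-state via ${LanOut}
# FTP control/data plus the entire dynamic port range, on every interface.
# NOTE(review): 49152-65535 exposes anything listening on an ephemeral port to
# the outside.  If this exists for passive FTP, narrow it to ftpd's configured
# passive range.  ipfw is first-match, so this rule also makes the port-21
# denies at 81 and 700 unreachable.
${fwcmd} add 72 allow tcp from any to me 20,21,49152-65535
# The original said "utp", which is not a protocol name ipfw knows, so this
# rule never loaded; the failure is easy to miss when the script runs at boot.
${fwcmd} add 78 pass udp from any to me 20,21 via ${LanOut}
${fwcmd} add 79 pass tcp from any to me 20,21 via ${LanOut}
# Anything originating on this host may leave.
${fwcmd} add 80 allow ip from me to any
# Local services that must not be reachable over the outside interface.
# (Port 21 is already allowed by 72/79 above, so that entry is dead.)
${fwcmd} add 81 deny tcp from any to me 21,3306,20001,135,136,137,138,139,445 via ${LanOut}
# SSH, HTTP and DNS/TCP to this host from anywhere, on every interface.
# NOTE(review): this exposes sshd to the Internet with no source restriction
# and no rate limit; consider restricting ssh to "in via ${LanIn}" or adding a
# keep-state rule with a "limit" clause.
${fwcmd} add 90 allow tcp from any to me ssh,80,53
#${fwcmd} add 90 allow tcp from any to me 80

# Anti-spoofing: private (RFC 1918) source addresses must never arrive on the
# outside interface.  The original rule only covered our own inside prefix;
# the remaining RFC 1918 ranges are added to match its stated intent.  These
# sit ahead of the divert rule so natd never sees spoofed packets.
${fwcmd} add 200 deny ip from ${NetInIP}/${NetInMask} to any in via ${LanOut}
${fwcmd} add 201 deny ip from 10.0.0.0/8 to any in via ${LanOut}
${fwcmd} add 202 deny ip from 172.16.0.0/12 to any in via ${LanOut}
${fwcmd} add 203 deny ip from 192.168.0.0/16 to any in via ${LanOut}

# Forced proxy (disabled): redirect inside web/ftp traffic to squid.
#${fwcmd} add fwd 127.0.0.1,3128 tcp from ${NetInIP}/${NetInMask} to any http,https,ftp via ${LanIn}

# NAT: hand everything crossing the outside interface to natd on divert port
# 8668.  The two commented lines are the per-direction form of the same thing.
#${fwcmd} add 300 divert natd ip from ${NetInIP}/${NetInMask} to any out via ${LanOut}
#${fwcmd} add 310 divert natd ip from any to ${IPOut} in via ${LanOut}
${fwcmd} add 300 divert 8668 all from any to any via ${LanOut}
# Inbound UDP with source port 8767 to the inside net (after NAT rewriting).
# NOTE(review): trusting a source port lets any outside host reach the inside
# net over UDP simply by choosing sport 8767; a keep-state rule on the
# outbound side is the safer replacement.  Interface was hard-coded as xl0,
# which is ${LanOut}.
${fwcmd} add 308 allow udp from any 8767 to ${NetInIP}/${NetInMask} in via ${LanOut}

# Packets of "established" TCP sessions (ACK or RST set).
# NOTE(review): this matches on flags alone, not on tracked state, so it also
# passes ACK scans and unsolicited ACK/RST segments from the outside.  The
# stateful alternative is keep-state rules plus check-state (rule 40).
${fwcmd} add 400 pass tcp from any to any established
# Outbound traffic sourced from our public address.
${fwcmd} add 410 pass ip from ${IPOut} to any out xmit ${LanOut}

# Inside hosts to local ports 8010/8100.  Kept on ${LanOut} exactly as
# originally written (xl0), but inside traffic arrives on ${LanIn} and rule
# 200 already drops inside addresses on ${LanOut}, so this rule is probably
# meant to read "via ${LanIn}" — confirm before changing it.
${fwcmd} add 490 pass tcp from ${NetInIP}/${NetInMask} to me 8010,8100 via ${LanOut}

# Privileged hosts: unrestricted access to the listed ports in both directions.
# NOTE(review): the "from any <ports> to ${MyIPn}" rules trust the remote
# source port, which an attacker chooses freely; a keep-state rule on the
# outbound side would cover the replies without that hole.
${fwcmd} add 500 pass tcp from ${MyIP1} to any 20,21,22,23,80,4000,25,110,443
${fwcmd} add 510 pass tcp from any 20,21,22,23,80,4000,25,110,443 to ${MyIP1}
${fwcmd} add 520 pass tcp from ${MyIP2} to any 20,21,22,23,80,4000,25,110,443
${fwcmd} add 530 pass tcp from any 20,21,22,23,80,4000,25,110,443 to ${MyIP2}
${fwcmd} add 540 pass tcp from ${MyIP3} to any 20,21,22,23,80,4000,25,110,443
${fwcmd} add 550 pass tcp from any 20,21,22,23,80,4000,25,110,443 to ${MyIP3}
#${fwcmd} add 520 pass tcp from ${MyIP2} to any 20,21,22,23,80,443,4000
#${fwcmd} add 530 pass tcp from any 20,21,22,23,80,443,4000 to ${MyIP2}
#${fwcmd} add 540 pass tcp from ${MyIP3} to any 20,21,22,23,80,443,4000
#${fwcmd} add 550 pass tcp from any 20,21,22,23,80,443,4000 to ${MyIP3}

# Block FTP, telnet and squid coming in from the outside.
${fwcmd} add 700 deny tcp from any to any 20,21,23,3128 in via ${LanOut}
# Block direct FTP/telnet/WWW and the 8000-8104 range coming in from the
# inside (other hosts are expected to use the proxy).  The range separator was
# a garbled "?" in the original, which ipfw would have rejected.
${fwcmd} add 710 deny tcp from any to any 20,21,23,80,443 in via ${LanIn}
${fwcmd} add 720 deny tcp from any to any 8000-8104 in via ${LanIn}

# Mail (disabled).
#${fwcmd} add 800 pass tcp from any to any 25,110 via ${LanOut}
#${fwcmd} add 810 pass tcp from any 25,110 to any via ${LanOut}
# DNS over UDP, both directions, on the outside interface.
# NOTE(review): 840 trusts source port 53 — the same spoofable pattern as 308.
${fwcmd} add 830 pass udp from any to any 53 via ${LanOut}
${fwcmd} add 840 pass udp from any 53 to any via ${LanOut}
# Inside net <-> this host, unrestricted.
${fwcmd} add 850 pass ip from ${NetInIP}/${NetInMask} to me via ${LanIn}
${fwcmd} add 851 pass ip from me to ${NetInIP}/${NetInMask} via ${LanIn}
#${fwcmd} add 900 pass all from any to any via ${LanIn}

# Public WWW server on this host (disabled).
#${fwcmd} add pass tcp from ${IPOut} 80 to any via ${LanOut}
#${fwcmd} add pass tcp from any to ${IPOut} 80 via ${LanOut}
# Finer-grained ICMP policy (disabled; rules 60/61 are in effect instead).
#${fwcmd} add 1000 allow icmp from any to ${IPOut} in via ${LanOut} icmptype 0,3,4,11,12
#${fwcmd} add 1010 allow icmp from any to ${NetInIP}/${NetInMask} in via ${LanOut} icmptype 0,3,4,11,12
#${fwcmd} add 1020 allow icmp from ${IPOut} to any out via ${LanOut} icmptype 3,8,12
#${fwcmd} add 1030 allow icmp from ${IPOut} to any out via ${LanOut} frag

# Default deny with logging.  The original wrote "${fwcmd} 1100 add ...",
# which ipfw rejects as an unknown command, so neither rule was ever
# installed and the effective policy fell through to the kernel's default
# rule 65535 — allow-everything on a kernel built or sysctl'd to
# default-to-accept.
${fwcmd} add 1100 deny log all from any to any via ${LanOut}
${fwcmd} add 1200 deny log ip from any to any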