
Пример конфигурационного файла rc.conf

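# ipfw ruleset for a FreeBSD gateway with one external (xl0) and one
# internal (vr0) interface.  Every rule is installed through ${fwcmd};
# -q keeps ipfw quiet so "flush" does not prompt and rule adds are silent.
fwcmd="/sbin/ipfw -q"

# external network
LanOut="xl0"
IPOut="94.158.98.14"
NetOut="30"
MaskOut="255.255.240.0"

# local network
LanIn="vr0"
IPIn="192.168.0.10"
NetInIP="192.168.0.0"
NetInMask="24"
MaskIn="255.255.255.0"

# privileged hosts (used by rules 500-550)
MyIP1="192.168.0.5"
MyIP2="192.168.0.3"
MyIP3="192.168.0.2"

# resolvers; no rule below references these, DNS is passed generically
# by rules 830/840
dns1="94.158.96.2"
dns2="94.158.96.4"
dns3="62.117.97.2"
# was a second "dns3=" assignment in the original, which silently
# overwrote the value above
dns4="195.34.32.116"

# flush the existing ruleset
${fwcmd} -f flush

# loopback must always pass, otherwise local services break
${fwcmd} add 10 pass all from any to any via lo

# anti-spoofing: a packet claiming an internal source address must never
# arrive on the external interface.  It is placed here, before any
# "allow ... from any to me" rule, because as rule 200 (its original
# position) it was only reached after rules 70-90 had already accepted
# the packet.
${fwcmd} add 20 deny ip from ${NetInIP}/${NetInMask} to any in via ${LanOut}

${fwcmd} add 40 check-state
# drop ICMP redirect (5), router advertisement (9), timestamp (13/14),
# information (15/16) and address-mask (17) requests; everything else
# ICMP is allowed by rule 61
${fwcmd} add 60 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${fwcmd} add 61 allow icmp from any to any
${fwcmd} add 70 allow tcp from me to any keep-state via ${LanOut}
# FTP control/data plus the passive-mode range, on every interface.
# NOTE(review): this rule has no "via", so it also matches port 21 arriving
# on ${LanOut}; the deny of 21 in rule 81 below is therefore never reached.
${fwcmd} add 72 allow tcp from any to me 20,21,49152-65535

# "utp" in the original was a typo; the protocol is udp
${fwcmd} add 78 pass udp from any to me 20,21 via ${LanOut}
${fwcmd} add 79 pass tcp from any to me 20,21 via ${LanOut}
${fwcmd} add 80 allow ip from me to any
${fwcmd} add 81 deny tcp from any to me 21,3306,20001,135,136,137,138,139,445 via ${LanOut}
${fwcmd} add 90 allow tcp from any to me ssh,80,53
#${fwcmd} add 90 allow tcp from any to me 80

# forced (transparent) proxy
#${fwcmd} add fwd 127.0.0.1,3128 tcp from ${NetInIP}/${NetInMask} to any http,https,ftp via ${LanIn}

# NAT handling
#${fwcmd} add 300 divert natd ip from ${NetInIP}/${NetInMask} to any out via ${LanOut}
#${fwcmd} add 310 divert natd ip from any to ${IPOut} in via ${LanOut}
${fwcmd} add 300 divert 8668 all from any to any via ${LanOut}
# the original hard-coded "xl0" here; ${LanOut} has the same value and
# keeps the rule tied to the variable above
${fwcmd} add 308 allow udp from any 8767 to ${NetInIP}/${NetInMask} in via ${LanOut}

# pass packets belonging to an established TCP connection (RST or ACK set)
${fwcmd} add 400 pass tcp from any to any established
# allow outgoing traffic from the external address
${fwcmd} add 410 pass ip from ${IPOut} to any out xmit ${LanOut}

# privileged hosts: no traffic limit.
# NOTE(review): the original said "via xl0" (= ${LanOut}); internal source
# addresses on the external interface are already denied by rule 20, so
# this rule looks unreachable as written - perhaps ${LanIn} was intended.
${fwcmd} add 490 pass tcp from ${NetInIP}/${NetInMask} to me 8010,8100 via ${LanOut}

${fwcmd} add 500 pass tcp from ${MyIP1} to any 20,21,22,23,80,4000,25,110,443
${fwcmd} add 510 pass tcp from any 20,21,22,23,80,4000,25,110,443 to ${MyIP1}

${fwcmd} add 520 pass tcp from ${MyIP2} to any 20,21,22,23,80,4000,25,110,443
${fwcmd} add 530 pass tcp from any 20,21,22,23,80,4000,25,110,443 to ${MyIP2}
${fwcmd} add 540 pass tcp from ${MyIP3} to any 20,21,22,23,80,4000,25,110,443
${fwcmd} add 550 pass tcp from any 20,21,22,23,80,4000,25,110,443 to ${MyIP3}

# earlier variant without the mail ports, kept for reference
#${fwcmd} add 520 pass tcp from ${MyIP2} to any 20,21,22,23,80,443,4000
#${fwcmd} add 530 pass tcp from any 20,21,22,23,80,443,4000 to ${MyIP2}
#${fwcmd} add 540 pass tcp from ${MyIP3} to any 20,21,22,23,80,443,4000
#${fwcmd} add 550 pass tcp from any 20,21,22,23,80,443,4000 to ${MyIP3}

# deny FTP, telnet and Squid from outside
${fwcmd} add 700 deny tcp from any to any 20,21,23,3128 in via ${LanOut}
# deny www, FTP and telnet from inside (except what rules 500-550 passed)
${fwcmd} add 710 deny tcp from any to any 20,21,23,80,443 in via ${LanIn}
# the range separator was mangled on the page ("8000?8104"); ipfw port
# ranges are written with "-"
${fwcmd} add 720 deny tcp from any to any 8000-8104 in via ${LanIn}

# allow DNS
#${fwcmd} add 800 pass tcp from any to any 25,110 via ${LanOut}
#${fwcmd} add 810 pass tcp from any 25,110 to any via ${LanOut}
${fwcmd} add 830 pass udp from any to any 53 via ${LanOut}
${fwcmd} add 840 pass udp from any 53 to any via ${LanOut}

# internal network <-> this host
${fwcmd} add 850 pass ip from ${NetInIP}/${NetInMask} to me via ${LanIn}
${fwcmd} add 851 pass ip from me to ${NetInIP}/${NetInMask} via ${LanIn}

# everything else on the internal interface.  ipfw(8) documents the form
# "add <number> <rule>"; the original had "900 add", which is not that
# form, so the order is normalised here (same for 1000-1030, 1100, 1200).
${fwcmd} add 900 pass all from any to any via ${LanIn}

# make our WWW server reachable from the outside world
#${fwcmd} add pass tcp from ${IPOut} 80 to any via ${LanOut}
#${fwcmd} add pass tcp from any to ${IPOut} 80 via ${LanOut}

# ICMP
#${fwcmd} add 1000 allow icmp from any to ${IPOut} in via ${LanOut} icmptype 0,3,4,11,12
#${fwcmd} add 1010 allow icmp from any to ${NetInIP}/${NetInMask} in via ${LanOut} icmptype 0,3,4,11,12
#${fwcmd} add 1020 allow icmp from ${IPOut} to any out via ${LanOut} icmptype 3,8,12
#${fwcmd} add 1030 allow icmp from ${IPOut} to any out via ${LanOut} frag

# log and drop whatever else crosses the external interface
${fwcmd} add 1100 deny log all from any to any via ${LanOut}

# explicit final default: log and drop everything else
${fwcmd} add 1200 deny log ip from any to any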