pozay
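Я точно не знаю, на какое правило оно ругается, но вот мой (не мой, взят у людей) конфиг:

#!/bin/sh
#
# ipfw ruleset for a two-interface gateway.
#   IfOut / IpOut / NetOut - the outside-facing interface and its address/net
#   IfIn  / IpIn  / NetIn  - the LAN-facing interface and its address/net
# Rules are evaluated top-down; the last rule ("deny all") is the default.
#
# Locating a rule that ipfw rejects: "-q" makes ipfw print only the parser
# message, not the command it choked on. Run the script once as
#   sh -x /path/to/this/script
# so every ipfw invocation is echoed immediately before its error text.
#
# No "set -e" on purpose: one bad rule must not stop the remaining rules
# (including the final deny) from being loaded.

set -u

cmd="/sbin/ipfw"        # ipfw binary; "-q" is added by fw() below
IfOut="em0"
IpOut="192.168.0.240"
NetOut="192.168.0.0/24" # currently unreferenced below, kept for completeness
IfIn="em1"
IpIn="192.168.1.240"
NetIn="192.168.1.0/24"

# fw ARGS...  - run one ipfw command quietly (no rule echo on add/flush).
fw() {
  "$cmd" -q "$@"
}

##################################################
# Clear
##################################################
fw -f flush            # -f: flush without the interactive confirmation
fw table 0 flush       # tables 0/1 are cleared but not referenced below
fw table 1 flush

##################################################
# Loopback
##################################################
fw add allow ip from any to any via lo0

##################################################
# Block world to private
##################################################
fw add deny ip from any to 127.0.0.0/8
fw add deny ip from 127.0.0.0/8 to any
fw add deny ip from any to 10.0.0.0/8 via "$IfOut"
#fw add deny ip from any to 172.16.0.0/12 via "$IfOut"
#fw add deny ip from any to 192.168.0.0/16 via "$IfOut"
fw add deny ip from any to 0.0.0.0/8 via "$IfOut"
fw add deny ip from any to 169.254.0.0/16 via "$IfOut"
fw add deny ip from any to 192.0.2.0/24 via "$IfOut"
fw add deny ip from any to 224.0.0.0/4 via "$IfOut"
fw add deny ip from any to 240.0.0.0/4 via "$IfOut"

##################################################
# ICMP
##################################################
fw add deny icmp from any to any frag
fw add deny log icmp from any to 255.255.255.255 in via "$IfOut"
fw add deny log icmp from any to 255.255.255.255 out via "$IfOut"

##################################################
# NAT
##################################################
# Traffic to/from the LAN is diverted to natd on port 8668.
fw add divert 8668 ip from "$NetIn" to any via "$IfOut"
fw add divert 8668 ip from any to "$IpOut" via "$IfOut"
#fw add divert 8668 ip from any to any via "$IfOut"

##################################################
# Block private to world
##################################################
fw add deny ip from 10.0.0.0/8 to any via "$IfOut"
#fw add deny ip from 172.16.0.0/12 to any via "$IfOut"
#fw add deny ip from 192.168.0.0/16 to any via "$IfOut"
fw add deny ip from 0.0.0.0/8 to any via "$IfOut"
fw add deny ip from 169.254.0.0/16 to any via "$IfOut"
fw add deny ip from 192.0.2.0/24 to any via "$IfOut"
fw add deny ip from 224.0.0.0/4 to any via "$IfOut"
fw add deny ip from 240.0.0.0/4 to any via "$IfOut"

##################################################
# Keep established
##################################################
# Return traffic for any connection this host opened is accepted here,
# so the per-service reply rules below only need to cover non-"me" cases.
fw add allow tcp from any to me established

##################################################
# Main
##################################################
# NOTE(review): this accepts every non-first fragment unconditionally;
# confirm that is intended rather than a leftover from the template.
fw add allow ip from any to any frag
fw add allow icmp from any to "$IpOut" icmptypes 0,8,11

# dns
# NOTE(review): DNS from *any* source is accepted on the outside address;
# confirm this host is meant to be a public resolver/authoritative server.
fw add allow tcp from any to "$IpOut" dst-port 53 setup
fw add allow udp from any to "$IpOut" dst-port 53
fw add allow udp from "$IpOut" 53 to any
fw add allow udp from "$IpOut" to any dst-port 53 keep-state

# dns-client
fw add allow tcp from any to "$NetIn" dst-port 53 setup
fw add allow udp from any to "$NetIn" dst-port 53
fw add allow udp from "$NetIn" 53 to any
fw add allow udp from "$NetIn" to any dst-port 53 keep-state

# time
fw add allow udp from "$IpOut" to any dst-port 123 keep-state

# time-client
fw add allow udp from "$NetIn" to any dst-port 123 keep-state

# ssh-in
fw add allow tcp from any to "$IpOut" 22
# Only replies (ACK/RST set) leave from port 22; a bare "from IpOut 22 to any"
# would also let this host open new connections sourced from port 22.
fw add allow tcp from "$IpOut" 22 to any established

# ssh-out
fw add allow tcp from "$IpOut" to any 22
# "established" is required here: without it any packet whose *source* port
# is 22 reaches every TCP port on IpOut, bypassing the "in via IfOut setup"
# deny at the end (a source-port bypass).
fw add allow tcp from any 22 to "$IpOut" established

# http
fw add allow tcp from "$IpOut" to any dst-port 80

# http-client
#fw add allow tcp from "$NetIn" to any dst-port 80
#fw add allow tcp from any 80 to "$NetIn"

# squid
fw add allow all from "$NetIn" to "$IpIn" 3128 via "$IfIn"
fw add fwd "$IpIn",3128 tcp from "$NetIn" to any 80

# smtp
fw add allow tcp from any to "$IpOut" dst-port 25 setup

# out
# Any new inbound TCP connection on the outside interface not allowed above
# is logged and dropped.
fw add deny log tcp from any to any in via "$IfOut" setup

##################################################
# Local network
##################################################
fw add allow all from any to any via "$IfIn"

##################################################
# Deny All
##################################################
fw add deny all from any to any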