pozay
Newbie | Редактировать | Профиль | Сообщение | Цитировать | Сообщить модератору
Я точно не знаю на какое правело оно ругается но вот мой(не мой взят у людей) конфиг
#!/bin/sh
cmd="/sbin/ipfw -q"
IfOut="em0"
IpOut="192.168.0.240"
NetOut="192.168.0.0/24"
IfIn="em1"
IpIn="192.168.1.240"
NetIn="192.168.1.0/24"
##################################################
# Clear
##################################################
${cmd} -f flush
${cmd} table 0 flush
${cmd} table 1 flush
##################################################
# Loopback
##################################################
${cmd} add allow ip from any to any via lo0
##################################################
# Block world to private
##################################################
${cmd} add deny ip from any to 127.0.0.0/8
${cmd} add deny ip from 127.0.0.0/8 to any
${cmd} add deny ip from any to 10.0.0.0/8 via ${IfOut}
#${cmd} add deny ip from any to 172.16.0.0/12 via ${IfOut}
#${cmd} add deny ip from any to 192.168.0.0/16 via ${IfOut}
${cmd} add deny ip from any to 0.0.0.0/8 via ${IfOut}
${cmd} add deny ip from any to 169.254.0.0/16 via ${IfOut}
${cmd} add deny ip from any to 192.0.2.0/24 via ${IfOut}
${cmd} add deny ip from any to 224.0.0.0/4 via ${IfOut}
${cmd} add deny ip from any to 240.0.0.0/4 via ${IfOut}
##################################################
# ICMP
##################################################
${cmd} add deny icmp from any to any frag
${cmd} add deny log icmp from any to 255.255.255.255 in via ${IfOut}
${cmd} add deny log icmp from any to 255.255.255.255 out via ${IfOut}
##################################################
# NAT
##################################################
${cmd} add divert 8668 ip from ${NetIn} to any via ${IfOut}
${cmd} add divert 8668 ip from any to ${IpOut} via ${IfOut}
#${cmd} add divert 8668 ip from any to any via ${IfOut}
##################################################
# Block private to world
##################################################
${cmd} add deny ip from 10.0.0.0/8 to any via ${IfOut}
#${cmd} add deny ip from 172.16.0.0/12 to any via ${IfOut}
#${cmd} add deny ip from 192.168.0.0/16 to any via ${IfOut}
${cmd} add deny ip from 0.0.0.0/8 to any via ${IfOut}
${cmd} add deny ip from 169.254.0.0/16 to any via ${IfOut}
${cmd} add deny ip from 192.0.2.0/24 to any via ${IfOut}
${cmd} add deny ip from 224.0.0.0/4 to any via ${IfOut}
${cmd} add deny ip from 240.0.0.0/4 to any via ${IfOut}
##################################################
# Keep established
##################################################
${cmd} add allow tcp from any to me established
##################################################
# Main
##################################################
${cmd} add allow ip from any to any frag
${cmd} add allow icmp from any to ${IpOut} icmptypes 0,8,11
# dns
${cmd} add allow tcp from any to ${IpOut} dst-port 53 setup
${cmd} add allow udp from any to ${IpOut} dst-port 53
${cmd} add allow udp from ${IpOut} 53 to any
${cmd} add allow udp from ${IpOut} to any dst-port 53 keep-state
# dns-client
${cmd} add allow tcp from any to ${NetIn} dst-port 53 setup
${cmd} add allow udp from any to ${NetIn} dst-port 53
${cmd} add allow udp from ${NetIn} 53 to any
${cmd} add allow udp from ${NetIn} to any dst-port 53 keep-state
# time
${cmd} add allow udp from ${IpOut} to any dst-port 123 keep-state
# time-client
${cmd} add allow udp from ${NetIn} to any dst-port 123 keep-state
# ssh-in
${cmd} add allow tcp from any to ${IpOut} 22
${cmd} add allow tcp from ${IpOut} 22 to any
# ssh-out
${cmd} add allow tcp from ${IpOut} to any 22
${cmd} add allow tcp from any 22 to ${IpOut}
# http
${cmd} add allow tcp from ${IpOut} to any dst-port 80
# http-client
#${cmd} add allow tcp from ${NetIn} to any dst-port 80
#${cmd} add allow tcp from any 80 to ${NetIn}
# squid
${cmd} add allow all from ${NetIn} to ${IpIn} 3128 via ${IfIn}
${cmd} add fwd ${IpIn},3128 tcp from ${NetIn} to any 80
# smtp
${cmd} add allow tcp from any to ${IpOut} dst-port 25 setup
# out
${cmd} add deny log tcp from any to any in via ${IfOut} setup
##################################################
# Local network
##################################################
${cmd} add allow all from any to any via ${IfIn}
##################################################
# Deny All
##################################################
${cmd} add deny all from any to any
|
