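#!/bin/sh
#
# ipfw ruleset for a small FreeBSD NAT gateway: ${extif} faces the upstream
# network, ${intif} faces the LAN. Rule numbers are kept from the original
# set wherever the rule itself is unchanged, so `ipfw show` output stays
# comparable.
#
# Operational caveats:
#  - The set is rebuilt in place (flush, then re-add). With a kernel built
#    with IPFIREWALL_DEFAULT_TO_ACCEPT the box accepts everything between
#    the flush and the closing deny-all rules, and stays open if the script
#    is interrupted; with the default-to-deny kernel a remote admin is cut
#    off in that same window instead. For an atomic reload, build the rules
#    into a disabled set and `ipfw set swap` it in.
#  - Deliberately no `set -e`: a single rejected rule must not stop the
#    script before the closing deny-all rules are installed.
set -u

extif="ed0"                 # external (upstream) interface
extnet="10.100.1.0/24"      # network reachable on the external interface
extip="10.100.1.2"          # our address on the external interface
intif="vr0"                 # internal (LAN) interface
intnet="10.100.2.0/24"      # LAN network
intip="10.100.2.200"        # our address on the LAN (not referenced by any rule below)
fwcmd="/sbin/ipfw"          # no trailing space, so the variable can be quoted

### Start from a clean slate ###
"${fwcmd}" -f flush
"${fwcmd}" -f pipe flush
"${fwcmd}" -f queue flush
"${fwcmd}" -f table 1 flush

### Table 1: LAN hosts granted unrestricted outbound TCP (see rule 2201) ###
"${fwcmd}" table 1 add 10.100.2.1

#### DUMMYNET traffic shaping (disabled; needs DUMMYNET in the kernel) ####
# Syntax corrected from the original: the rule number follows `add`.
#"${fwcmd}" add 10 pipe 1 tcp from not ${intnet} to 192.168.0.60 41000 via ${intif}
#"${fwcmd}" add 11 pipe 2 tcp from 192.168.0.60 41000 to not ${intnet} out via ${extif}
#"${fwcmd}" pipe 1 config bw 512Kbit/s mask dst-ip 0xffffffff
#"${fwcmd}" pipe 2 config bw 256Kbit/s mask dst-ip 0xffffffff

### Dynamic rules: only flows created by a keep-state rule (730 below) match here ###
"${fwcmd}" add 50 check-state

### Antispoofing: drop inbound packets whose source is not routed back out the
### interface they arrived on. Logged here; the original had an unlogged copy
### at 100 and a logged copy at 350 that could never be reached. ###
"${fwcmd}" add 100 deny log ip from any to any not verrevpath in

### Drop all IP fragments. NOTE: this also drops legitimate large UDP
### (EDNS answers, some VPNs); relax it if that bites. ###
"${fwcmd}" add 150 deny ip from any to any frag

### Loopback. The lo0 allow must come BEFORE the 127/8 denies: the original
### denied 127/8 first, which blocked the host's own localhost traffic. ###
"${fwcmd}" add 160 allow ip from any to any via lo0
"${fwcmd}" add 170 deny ip from any to 127.0.0.0/8
"${fwcmd}" add 180 deny ip from 127.0.0.0/8 to any

### Antispoofing 2: our own networks must not arrive on the wrong interface ###
"${fwcmd}" add 220 deny all from ${intnet} to any in via ${extif}
"${fwcmd}" add 230 deny all from ${extnet} to any in via ${intif}

### Destinations that cannot legitimately arrive from outside ###
"${fwcmd}" add 240 deny ip from any to 192.168.0.0/16 in via ${extif}
"${fwcmd}" add 250 deny ip from any to 172.16.0.0/12 in via ${extif}
"${fwcmd}" add 260 deny ip from any to 0.0.0.0/8 in via ${extif}
"${fwcmd}" add 270 deny ip from any to 169.254.0.0/16 in via ${extif}

### Multicast and reserved space are not delivered ###
"${fwcmd}" add 280 deny ip from any to 224.0.0.0/4 in via ${extif}
"${fwcmd}" add 290 deny ip from any to 240.0.0.0/4 in via ${extif}

### ICMP we never want: fragments and
### 5 redirect, 9 router advertisement, 13/14 timestamp, 15/16 information, 17 address mask ###
"${fwcmd}" add 300 deny icmp from any to any frag
"${fwcmd}" add 310 deny icmp from any to any in icmptype 5,9,13,14,15,16,17

### Port-scan signatures. The flag list must be ONE comma-separated token:
### the original wrote `fin, syn, ...`, the shell split that into several
### arguments and ipfw rejected the rule, so 320/330 were never installed. ###
"${fwcmd}" add 320 reject tcp from any to any tcpflags fin,syn,rst,psh,ack,urg        # XMAS scan
"${fwcmd}" add 330 reject tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg  # NULL scan
"${fwcmd}" add 340 reject tcp from any to any not established tcpflags fin           # FIN scan

### Block ident ###
"${fwcmd}" add 360 deny tcp from any to any 113 in via ${extif}

### Block NetBIOS / MS-RPC probes ###
"${fwcmd}" add 370 deny tcp from any to any 135,136,137,138,139 in via ${extif}

### Block broadcast ICMP ###
"${fwcmd}" add 380 deny log icmp from any to 255.255.255.255 in via ${extif}
"${fwcmd}" add 390 deny log icmp from any to 255.255.255.255 out via ${extif}

### LAN traffic, including LAN hosts talking to the gateway's LAN address ###
"${fwcmd}" add 400 allow ip from ${intnet} to ${intnet} via ${intif}

### Transparent Squid proxy (disabled; `fwd` needs IPFIREWALL_FORWARD in the kernel) ###
#"${fwcmd}" add 450 fwd 127.0.0.1,8080 tcp from ${intnet} to any 80 via ${extif}

### NAT through natd (needs IPDIVERT in the kernel) ###
"${fwcmd}" add 500 divert natd ip from ${intnet} to any out via ${extif}
"${fwcmd}" add 510 divert natd ip from any to ${extip} in via ${extif}

### Private / reserved sources must not leak out after NAT ###
"${fwcmd}" add 600 deny ip from 192.168.0.0/16 to any out via ${extif}
"${fwcmd}" add 610 deny ip from 172.16.0.0/12 to any out via ${extif}
"${fwcmd}" add 620 deny ip from 0.0.0.0/8 to any out via ${extif}
"${fwcmd}" add 630 deny ip from 169.254.0.0/16 to any out via ${extif}

### Multicast and reserved space must not leak out after NAT ###
"${fwcmd}" add 640 deny ip from 224.0.0.0/4 to any out via ${extif}
"${fwcmd}" add 650 deny ip from 240.0.0.0/4 to any out via ${extif}

### Uncomment to hide the external address from ping entirely ###
#"${fwcmd}" add 660 deny icmp from any to ${extip}

### ICMP we allow: 0 echo reply, 3 unreachable, 8 echo request, 11 time exceeded.
### Type 3 was missing in the original; without it "fragmentation needed"
### never gets through and path-MTU discovery blackholes large transfers. ###
"${fwcmd}" add 670 allow icmp from any to any icmptype 0,3,8,11

### Established TCP. NOTE: `established` is a stateless match on the ACK/RST
### flags, so ACK-flag probes reach the host; keep-state on the setup rules
### would be stricter. ###
"${fwcmd}" add 680 allow tcp from any to any established

### DNS server on the external address (UDP and TCP). This exposes the
### resolver to everything on the upstream network: make sure it does not
### recurse for outside clients, or restrict the source here. ###
"${fwcmd}" add 700 allow udp from any to ${extip} 53 in via ${extif}
"${fwcmd}" add 710 allow udp from ${extip} 53 to any out via ${extif}
"${fwcmd}" add 740 allow tcp from any to ${extip} 53 in via ${extif}

### DNS queries sent by the gateway itself. keep-state lets the reply in via
### rule 50 and replaces the original rule 720 ("allow udp from any 53 to
### extip in"), which let any UDP packet with source port 53 reach every
### UDP service on the gateway. ###
"${fwcmd}" add 730 allow udp from ${extip} to any 53 out via ${extif} keep-state

### SSH from outside on a non-standard port (new connections only; data rides on 680) ###
"${fwcmd}" add 750 allow tcp from any to ${extip} 35665 in via ${extif} setup

### natd redirect_port target (game server on the LAN) ###
"${fwcmd}" add 800 allow udp from any to 10.100.2.1 27015 via ${extif}
"${fwcmd}" add 810 allow udp from any to 10.100.2.1 27015 via ${intif}

### Counter-Strike client traffic ###
"${fwcmd}" add 900 allow udp from any 27005-27030 to ${intnet} in via ${extif}
"${fwcmd}" add 910 allow udp from any 27005-27030 to ${intnet} out via ${intif}
"${fwcmd}" add 920 allow udp from ${intnet} to any 27005-27030 in via ${intif}
"${fwcmd}" add 930 allow udp from ${extip} to any 27005-27030 out via ${extif}

### No other NEW inbound TCP connections to the external address ###
"${fwcmd}" add 1900 deny tcp from any to ${extip} in via ${extif} setup

### New outbound TCP connections opened by the gateway itself ###
"${fwcmd}" add 2000 allow tcp from ${extip} to any out via ${extif} setup

### LAN hosts may open TCP connections to the gateway's external address ###
"${fwcmd}" add 2100 allow tcp from any to ${extip} in via ${intif} setup

################### USER INET BEGIN #################################
### Every LAN host may use ICQ/AIM (5190) ###
"${fwcmd}" add 2200 allow tcp from ${intnet} to any 5190 in via ${intif} setup

### Hosts listed in table 1 get unrestricted outbound TCP. Everything else
### from the LAN -- including all UDP -- falls through to the deny-all below. ###
"${fwcmd}" add 2201 allow tcp from "table(1)" to any in via ${intif} setup
################ INET USERS END ########################

### Deny and log everything else ###
"${fwcmd}" add 65533 deny log ip from any to me
"${fwcmd}" add 65534 deny log ip from any to any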
# Kernel options the ruleset above relies on, as pasted by the author
# (in the kernel configuration file each one is written as `options NAME`).
IPFIREWALL
# Log packets matched by rules carrying the `log` keyword.
IPFIREWALL_VERBOSE
# Stop logging a rule after this many matches (counters are cleared with `ipfw resetlog`).
IPFIREWALL_VERBOSE_LIMIT=100
# Required by the `fwd` action (the commented-out Squid rule 450).
IPFIREWALL_FORWARD
# Required by the `divert natd` NAT rules 500/510.
IPDIVERT
# Required by the `pipe` rules (the commented-out shaping block).
DUMMYNET
# Finer scheduler tick; presumably here for dummynet bandwidth granularity.
HZ=1000
# An empty or flushed ruleset passes ALL traffic. The script closes with explicit
# deny-all rules, so the steady-state policy is still deny, but the gateway is
# wide open between `ipfw -f flush` and those rules and stays open if the script
# is interrupted. Drop this option (default to deny) if that window matters more
# than the risk of locking yourself out during a reload.
IPFIREWALL_DEFAULT_TO_ACCEPT