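#!/bin/sh
# /etc/rc.fw -- ipfw ruleset for a FreeBSD gateway (invoked as: /bin/sh /etc/rc.fw).
#
# Every rule is added without an explicit number, so ipfw numbers them in the
# order they appear here: the order IS the policy, do not reorder sections.
# Layout: variables, flush, loopback + anti-spoofing, NetBIOS filter, services
# accepted on the external interface, VPN, the gateway's own outbound traffic,
# admin-host traffic on the LAN side, NAT, ICMP, LAN-to-Internet (stateful),
# traffic towards VPN clients, logged default deny.
#
# NOTE(review): with the default net.inet.ip.fw.one_pass=1 a packet accepted by
# a "nat" rule leaves the ruleset immediately; the stateful rules further down
# are then only evaluated on the ${int_if} pass -- confirm the sysctl value.

fwcmd="/sbin/ipfw -q"            # -q: do not echo each rule as it is added
# External (Internet-facing) interface and addresses.
ext_if="fxp0"
ext_ip="1.1.1.105"
ext_net="1.1.1.104"              # ext_net/ext_mask are not referenced below
ext_mask="29"
# Internal (LAN) interface and addresses.
int_if="em0"
int_ip="10.10.100.200"
int_net="10.0.0.0"
int_mask="8"
# LAN hosts allowed through the gateway (ipfw comma-separated address list).
admin="10.10.10.34,10.10.100.10"
dnsserver="10.10.10.201"
# Address block of the VPN clients (see the PPTP/GRE rules below).
vpn_net="10.10.150.248"
vpn_mask="29"

# Start from an empty ruleset; -f suppresses the interactive confirmation.
${fwcmd} -f flush

# LOOPBACK: anything on lo0 is fine, but 127/8 must never appear on a real interface.
${fwcmd} add allow all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any

# ANTISPOOFING: drop inbound packets whose source address would not be routed
# back out through the interface they arrived on.
${fwcmd} add deny ip from any to any not verrevpath in
# anti-hack from outside: packets claiming one of our own addresses ("me")
# must never arrive on the external interface.
${fwcmd} add deny ip from me to any in via ${ext_if}

# DENY NETBIOS (137-139) in either direction. This precedes the VPN<->LAN
# allow rules below, so it also applies between VPN clients and the LAN.
${fwcmd} add deny ip from any 137-139 to any
${fwcmd} add deny ip from any to any 137-139

# SSH / FTP to the gateway from the Internet: disabled.
#${fwcmd} add allow tcp from any to ${ext_ip} 22 in via ${ext_if}
#${fwcmd} add allow tcp from any to ${ext_ip} 21 in via ${ext_if}

# VPN-connect: PPTP control channel (tcp/1723) to the external address.
${fwcmd} add allow tcp from any to ${ext_ip} 1723 in via ${ext_if}
# GRE for MPD5 (PPTP data channel).
# NOTE(review): "from any to any" also lets GRE transit the gateway in both
# directions and reach LAN hosts. If PPTP only terminates on ${ext_ip},
# "allow gre from any to ${ext_ip} in via ${ext_if}" is sufficient (outbound
# GRE from ${ext_ip} is already covered by "Firewall Traffic OUT" below);
# verify against the mpd5 configuration before narrowing.
${fwcmd} add allow gre from any to any

# VPN-LAN: VPN clients and the LAN may talk to each other without restriction.
${fwcmd} add allow all from ${vpn_net}/${vpn_mask} to ${int_net}/${int_mask}
${fwcmd} add allow all from ${int_net}/${int_mask} to ${vpn_net}/${vpn_mask}

# Firewall Traffic OUT: anything originated by the gateway itself.
${fwcmd} add allow ip from ${ext_ip} to any out via ${ext_if}
${fwcmd} add allow ip from ${int_ip} to any out via ${int_if}

# INTERNET TO LOCAL: packets crossing ${int_if} (either direction) towards the
# admin hosts, selected by *source* port. Only 5190/5191 (ICQ/AIM) is active.
# NOTE(review): this rule and its "LOCAL TO INTERNET" counterpart are stateless,
# i.e. any TCP packet with source port 5190/5191 matches, not just replies to a
# session opened from the LAN; the commented keep-state variant below is the
# tighter form if the application tolerates it.
#${fwcmd} add allow tcp from any 80 to ${admin} via ${int_if}
#${fwcmd} add allow tcp from any 443 to ${admin} via ${int_if}
#${fwcmd} add allow tcp from any 25 to ${admin} via ${int_if}
#${fwcmd} add allow tcp from any 110 to ${admin} via ${int_if}
${fwcmd} add allow tcp from any 5190,5191 to ${admin} via ${int_if}
#${fwcmd} add allow tcp from any 21 to ${admin} via ${int_if}
#${fwcmd} add allow tcp from any 22 to ${admin} via ${int_if}
#${fwcmd} add allow tcp from any 23 to ${admin} via ${int_if}
#${fwcmd} add allow tcp from any 5060 to ${admin} via ${int_if}
#${fwcmd} add allow udp from any 5060 to ${admin} via ${int_if}

# LOCAL: admin hosts may reach the gateway itself with any protocol.
${fwcmd} add allow ip from ${admin} to ${int_ip} in via ${int_if}
# dns_server: replies from the LAN DNS server to the gateway.
${fwcmd} add allow ip from ${dnsserver} to ${int_ip} in via ${int_if}

# NAT: instance 123 translates to the external address.
${fwcmd} nat 123 config ip ${ext_ip}
# vpn_nat: VPN clients going anywhere outside the LAN block. No direction or
# interface is given, so this rule is evaluated on every pass of the packet.
${fwcmd} add nat 123 ip from ${vpn_net}/${vpn_mask} to not ${int_net}/${int_mask}
# local_nat: admin traffic leaving ${ext_if} is translated; replies arriving
# on ${ext_if} for ${ext_ip} are mapped back.
${fwcmd} add nat 123 ip from ${admin} to any out via ${ext_if}
${fwcmd} add nat 123 ip from any to ${ext_ip} in via ${ext_if}

# ICMP: drop fragments; allow echo reply (0), unreachable (3), source quench (4),
# echo request (8), router solicitation (10), time exceeded (11), traceroute (30).
${fwcmd} add deny icmp from any to any frag
${fwcmd} add allow icmp from any to any icmptypes 0,3,4,8,10,11,30

# LOCAL TO INTERNET: sessions opened by the admin hosts. "setup keep-state"
# creates a dynamic rule on the SYN only, so replies are accepted by the
# implicit check-state at the first keep-state rule.
${fwcmd} add allow tcp from ${admin} to any 80 setup keep-state
${fwcmd} add allow tcp from ${admin} to any 443 setup keep-state
${fwcmd} add allow tcp from ${admin} to any 25 setup keep-state
${fwcmd} add allow tcp from ${admin} to any 110 setup keep-state
# Stateless counterpart of the 5190/5191 rule in "INTERNET TO LOCAL" (see note there).
${fwcmd} add allow tcp from ${admin} to any 5190,5191
#${fwcmd} add allow tcp from ${admin} to any 5190,5191 setup keep-state
${fwcmd} add allow tcp from ${admin} to any 20 setup keep-state
${fwcmd} add allow tcp from ${admin} to any 21 setup keep-state
${fwcmd} add allow tcp from ${admin} to any 22 setup keep-state
${fwcmd} add allow tcp from ${admin} to any 23 setup keep-state
${fwcmd} add allow udp from ${admin} to any 5060 keep-state
# NOTE(review): keep-state without setup -- any TCP packet (not only a SYN)
# from an admin host to 4899/48999 creates the dynamic entry; add "setup"
# unless that is intended.
${fwcmd} add allow tcp from ${admin} to any 4899,48999 keep-state

# Traffic towards VPN clients: the return path for their NATed Internet
# sessions, and anything else addressed to the VPN block from any source
# (the VPN -> outside direction is handled by vpn_nat above).
# NOTE(review): this accepts packets from any source, not only replies;
# consider restricting it to the interfaces the VPN traffic actually uses.
${fwcmd} add allow ip from any to ${vpn_net}/${vpn_mask}

# DENY ALL: default deny, logging at most 3000 packets for this rule
# (counter is reset with "ipfw resetlog").
${fwcmd} add deny log logamount 3000 all from any to any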