//firewall_rules.sh
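#!/bin/sh
# firewall_rules.sh -- ipfw ruleset for a FreeBSD NAT gateway.
#   rl0 = LAN interface (10.25.x.x), xl0 = Internet-facing interface.
#   Outbound LAN traffic is matched by a stateful skipto rule (20000) that
#   jumps over the catch-all deny (65450) to the outbound natd divert (65500).
#   Inbound traffic is de-NATed first (100), then matched against dynamic
#   state (101), then bogon-filtered, then dropped at 65450 unless allowed.
#
# NOTE(review): the kernel's default rule 65535 is "allow" (visible in the
# "ipfw show" output), so 65450 is the *only* catch-all deny.  Between the
# flush below and the add of 65450 the box is wide open; load this script
# before xl0 comes up (e.g. firewall_script in rc.conf) rather than from a
# remote session over xl0.

cmd="ipfw -q add"
skip="skipto 65500"
pif=xl0          # public interface
ks="keep-state"
ipfw -q -f flush

$cmd 002 allow all from any to any via rl0 # exclude LAN traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic

# The rl0 rules below are shadowed by rule 002, which already allows every
# packet on rl0 (their counters are 0 in "ipfw show").  They only take effect
# if rule 002 is removed in order to restrict LAN traffic.
$cmd 004 allow tcp from any to 10.25.27.2 22 via rl0
$cmd 005 allow tcp from 10.25.27.2 to any via rl0
$cmd 010 allow tcp from any to 10.25.27.2 5555 via rl0
$cmd 015 allow udp from any to 10.25.27.2 5555 via rl0
$cmd 020 allow udp from 10.25.27.2 to any via rl0

# SSH to the gateway's own public address from the Internet.
# Made stateful: as originally written (no keep-state) the replies -- from
# port 22, out via xl0 -- matched no allow rule and fell through to the 65450
# deny.  "setup" restricts the match to SYN packets, "in" keeps the rule from
# matching outbound packets; check-state (101) then passes the replies.
# 195.*.*.140 is the redacted public address (the "me" keyword can replace a
# literal address).  Consider restricting the source to known addresses or
# adding "limit src-addr N" to blunt brute-force attempts on an Internet-
# facing sshd.
$cmd 006 allow tcp from any to 195.*.*.140 22 in via xl0 setup $ks

$cmd 100 divert natd ip from any to any in via $pif   # de-NAT inbound before matching
$cmd 101 check-state                                  # return traffic for rules 20000 and 006

# Deny all inbound traffic from non-routable reserved address spaces
# (source-address bogon filter; the 10/8 entry also drops packets arriving on
# the public interface that spoof our own 10.25.x.x LAN range).
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #"this" network (RFC 1122), not loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #link-local / DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #TEST-NET, reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E (multicast / reserved)

# Authorized packets.
# 20000: the LAN client's outbound traffic creates dynamic state and jumps to
#        the outbound NAT divert; every rule numbered between here and 65500
#        is skipped for it, so any per-client rule (e.g. a dummynet pipe) must
#        be numbered below 20000 and needs net.inet.ip.fw.one_pass=0 to be
#        non-terminal.
# 20001: admits any packet addressed to the client, on any interface and
#        regardless of state.  Return traffic is already handled by
#        check-state; presumably this exists for ICMP errors (traceroute),
#        which carry no state -- verify before tightening.
#        NOTE(review): it also admits anything natd redirects or maps to this
#        host.  "allow icmp from any to 10.25.25.10 in via $pif" is the
#        tighter form worth testing.
$cmd 20000 $skip all from 10.25.25.10 to any via $pif $ks
$cmd 20001 allow all from any to 10.25.25.10
$cmd 65450 deny log ip from any to any

# This is the skipto location for outbound stateful rules
$cmd 65500 divert natd ip from any to any out via $pif
$cmd 65510 allow ip from any to any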
00002 82 20871 allow ip from any to any via rl0
00003 0 0 allow ip from any to any via lo0
00004 0 0 allow tcp from any to 10.25.27.2 dst-port 22 via rl0
00005 0 0 allow tcp from 10.25.27.2 to any via rl0
00006 0 0 allow tcp from any to 195.*.*.140 dst-port 22 via xl0
00010 0 0 allow tcp from any to 10.25.27.2 dst-port 5555 via rl0
00015 0 0 allow udp from any to 10.25.27.2 dst-port 5555 via rl0
00020 0 0 allow udp from 10.25.27.2 to any via rl0
00100 0 0 divert 8668 ip from any to any in via xl0
00101 0 0 check-state
00300 0 0 deny ip from 192.168.0.0/16 to any in via xl0
00301 0 0 deny ip from 172.16.0.0/12 to any in via xl0
00302 0 0 deny ip from 10.0.0.0/8 to any in via xl0
00303 0 0 deny ip from 127.0.0.0/8 to any in via xl0
00304 0 0 deny ip from 0.0.0.0/8 to any in via xl0
00305 0 0 deny ip from 169.254.0.0/16 to any in via xl0
00306 0 0 deny ip from 192.0.2.0/24 to any in via xl0
00307 0 0 deny ip from 204.152.64.0/23 to any in via xl0
00308 0 0 deny ip from 224.0.0.0/3 to any in via xl0
[b]30025[/b] 0 0 skipto 65500 ip from 10.25.25.10 to any via xl0 keep-state
[b]30026[/b] 0 0 allow ip from any to 10.25.25.10
65450 1 92 deny log ip from any to any
65500 0 0 divert 8668 ip from any to any out via xl0
65510 0 0 allow ip from any to any
65535 12009148 1365715044 allow ip from any to any
Все работает, для клиента 10.25.25.10 интернет работает через нат, трассировка работает. Все замечательно.
Встала другая задача, как ограничить скорость клиенту 10.25.25.10
Не могу понять куда правила вставлять...
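cmd="/sbin/ipfw -q"
# Bandwidth cap (dummynet pipe) for one LAN client behind natd.
#
# Placement is what makes or breaks this:
#  * Rule 20000 in firewall_rules.sh (30025 in the running ruleset shown by
#    "ipfw show") is "skipto 65500 ... from 10.25.25.10 ... keep-state".  It is
#    the first rule the client's outbound packets hit, and the jump skips every
#    rule numbered between it and 65500 -- pipe rules added after it are never
#    reached ("internet works, the pipe does nothing").
#  * Rules numbered below the skipto are reached, but with the default
#    net.inet.ip.fw.one_pass=1 a packet leaving a pipe is accepted on the spot
#    and never gets to the skipto / divert natd rule, so it leaves un-NATed
#    ("pipe works, internet does not").  one_pass=0 makes the pipe
#    non-terminal: the packet re-enters the ruleset at the next rule.
#  * Inbound packets are de-NATed at rule 100 and then matched by check-state
#    (101), which executes the parent rule's action -- the skipto -- so the
#    inbound pipe must sit inside the skipto target area (65500-65510), where
#    the destination is already the client's private address.
#
# Both directions share one 128 Kbit/s pipe, as in the original; configure a
# second pipe if each direction should get its own 128 Kbit/s.
IP=10.25.25.10
pif=xl0

sysctl net.inet.ip.fw.one_pass=0          # persist in /etc/sysctl.conf
$cmd pipe 120 config bw 128Kbit/s
$cmd add 19990 pipe 120 ip from $IP to any out via $pif   # below the skipto rule (20000 / 30025)
$cmd add 65505 pipe 120 ip from any to $IP in via $pif    # after inbound NAT, inside the skipto target area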
если правила поставить после 30025-26 то интернет работает, а пайп не работает.
Помогите, плз...Заранее благодарен.