# Kernel configuration fragment for an ipfw gateway (matches the ruleset below):
# the firewall itself, logging (capped per rule by VERBOSE_LIMIT), the "fwd"
# action, in-kernel NAT (which needs LIBALIAS) and the dummynet shaper.
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options LIBALIAS
options DUMMYNET
FreeBSD 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #2: Thu Oct 15 03:17:17 MSD 2009 i386
# rc.conf fragment: turn the box into a router and load the custom ipfw
# ruleset at boot.  Values are plain words, so quotes are optional in rc.conf.
gateway_enable=YES               # enable IP forwarding between fxp0 and sk0
firewall_enable=YES
firewall_script=/etc/rc.fire     # our own ruleset instead of /etc/rc.firewall
firewall_logging=YES             # ipfw "log" rules go to syslog
# NOTE(review): with a custom firewall_script these two are presumably only
# read by /etc/rc.firewall — verify they have any effect on this setup.
firewall_nat_enable=YES
firewall_nat_interface=fxp0
natd_enable=NO                   # userland natd is not used; NAT is in-kernel
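#!/bin/sh
#
# /etc/rc.fire — ipfw ruleset for a small gateway with in-kernel NAT.
# Loaded through rc.conf (firewall_script).  The table is flushed and rebuilt
# from scratch, so re-running the script is safe.  Rules are numbered in the
# order they are added and evaluated top to bottom; the final rule denies
# everything not matched above it.
#
# NOTE(review): with the default net.inet.ip.fw.one_pass=1 a packet that has
# been through the "nat" rule may be accepted there and never reach the rules
# below it — confirm the sysctl on this host before relying on that ordering.

# Single wrapper for every rule: binary path and quiet flag live in one place,
# and "$@" hands each rule word through intact.
fw() {
  /sbin/ipfw -q "$@"
}

ext_if="fxp0"          # interface facing the Internet
ext_ip="x.x.x.x"       # public address on the external interface (placeholder in the post)
int_if="sk0"           # interface facing the LAN
int_ip="10.0.0.1"      # this host's LAN address
inf_net="10.0.0.0/24"  # LAN prefix
win_serv="10.0.0.5"    # LAN host that receives the redirected TCP port below

# Start from an empty table, including dummynet pipes and queues.
fw -f flush
fw -f pipe flush
fw -f queue flush

# check-state only matters if some rule below uses keep-state; none does yet,
# so it is a no-op until such rules are added.
fw add check-state

# Loopback: allow on lo0, and refuse 127/8 anywhere else.
fw add allow ip from any to any via lo0
fw add deny ip from any to 127.0.0.0/8
fw add deny ip from 127.0.0.0/8 to any

# Anti-spoofing: private/reserved destinations must not arrive from outside...
fw add deny ip from any to 172.16.0.0/12 in via "${ext_if}"
fw add deny ip from any to 192.168.0.0/16 in via "${ext_if}"
fw add deny ip from any to 0.0.0.0/8 in via "${ext_if}"
fw add deny ip from any to 169.254.0.0/16 in via "${ext_if}"
fw add deny ip from any to 240.0.0.0/4 in via "${ext_if}"
# ...and must not be sourced from reserved ranges when leaving towards the LAN.
fw add deny ip from 172.16.0.0/12 to any out via "${int_if}"
fw add deny ip from 192.168.0.0/16 to any out via "${int_if}"
fw add deny ip from 0.0.0.0/8 to any out via "${int_if}"
fw add deny ip from 169.254.0.0/16 to any out via "${int_if}"
fw add deny ip from 224.0.0.0/4 to any out via "${int_if}"
fw add deny ip from 240.0.0.0/4 to any out via "${int_if}"

# ICMP: drop fragments and logged broadcast pings on the external side; allow
# echo reply (0), echo request (8) and time exceeded (11) only.
fw add deny icmp from any to any frag
fw add deny log icmp from any to 255.255.255.255 in via "${ext_if}"
fw add deny log icmp from any to 255.255.255.255 out via "${ext_if}"
fw add allow icmp from any to any icmptypes 0,8,11

# In-kernel NAT on the external interface.  Inbound TCP 5321 is redirected to
# ${win_serv}:3777; the host is referenced by variable so it is changed in one
# place.  "log" makes translations visible in the ipfw log.
fw nat 1 config log if "${ext_if}" reset same_ports redirect_port tcp "${win_serv}:3777" 5321
fw add nat 1 ip from any to any via "${ext_if}"

# The redirected service: untranslated port (5321) and translated port (3777).
# Both rules accept from "any" in either direction on the external interface.
fw add allow tcp from any to any dst-port 5321 via "${ext_if}"
fw add allow tcp from any to any dst-port 3777 via "${ext_if}"

# Transparent proxies for LAN clients: FTP to a local proxy on 2121, HTTP to
# a local proxy on 3128.
fw add fwd "${int_ip},2121" tcp from "${inf_net}" to any 21 via "${int_if}"
fw add fwd 127.0.0.1,3128 tcp from "${inf_net}" to any 80 via "${int_if}"

# Stateless "established" match: any TCP segment with ACK set passes, whether
# or not the connection was opened from inside.  A keep-state/check-state pair
# would bind this to real sessions; kept as in the original to preserve policy.
fw add allow tcp from any to any established

# Traffic sourced from the public address leaving via the LAN side, then all
# LAN traffic; everything else is dropped.
fw add allow ip from "${ext_ip}" to any out xmit "${int_if}"
fw add allow ip from any to any via "${int_if}"
fw add deny ip from any to any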