Moderator: terminus
I've written this many times and will write it again: even if your article (no matter what it's about) turns out not to be in demand (gets barked at by trolls and so on), you personally gain experience and make yourself a bookmark. Later you come back to it as needed. (It has happened to me myself, never mind lissyara.)
Dimon wrote: AAA, thanks a lot for today, my brain has atrophied ))
You need to escape it.
I had a look and it seems nowhere is it written how to install snort on FreeBSD. Maybe I should write an article?
Yes, I understood everything SUPER well. It's all right. And in general you described everything nicely and in detail. Thanks!!
Morty wrote: in all the configs where you saw a statically set external IP, change it to "auto-detect" and then use that IP as a variable
---------
with DHCP, when you get an address, the first number definitely doesn't change; for example you get 65.x.x.x
you write the external IP into the script as a variable
Code:
ifconfig | grep "inet 65" | awk '{print $2}'
PS: this is one way of solving that problem as I understood it, if I understood it correctly
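The one-liner above keys on the first octet of the address, so it breaks as soon as the lease moves off 65.x or a second interface happens to carry a 65.x address, and if the lease has not been obtained yet the variable is simply empty and gets spliced into every rule. The following is an added example, not Morty's or the thread author's code: it picks the address by interface name from `ifconfig` output, and refuses to emit the ruleset when the interface has no IPv4 address. The interface names rl0/sk0 and the LAN 192.98.98.0/24 are taken from the script posted later in this thread; the `ifconfig` output is constructed for the example and assumes the FreeBSD output format (a non-indented `name: flags=` header followed by indented `inet` lines).

```sh
#!/bin/sh
# Added example (not from the thread): derive the external address from the
# interface instead of hard-coding it or grepping for its first octet.
# Assumes FreeBSD-style "ifconfig" output. Interface names, addresses and the
# sample output below are constructed for illustration.

# iface_ipv4 IFACE  < ifconfig-output
# Prints the first IPv4 address configured on IFACE, or nothing if it has none.
iface_ipv4() {
    awk -v want="$1" '
        /^[a-z]/ { cur = $1; sub(/:$/, "", cur) }        # "rl0: flags=..." starts a new block
        cur == want && $1 == "inet" { print $2; exit }   # first "inet A.B.C.D" line in that block
    '
}

# Constructed sample output: rl0 holds a DHCP lease, sk0 is the LAN, tun0 has no address.
SAMPLE_IFCONFIG='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 65.10.20.30 netmask 0xfffffff0 broadcast 65.10.20.31
        inet6 fe80::1%rl0 prefixlen 64 scopeid 0x1
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.98.98.1 netmask 0xffffff00 broadcast 192.98.98.255
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500'

# build_rules OIF OIP IIF INET
# Prints a (deliberately short) ipfw ruleset using the detected address, or fails
# without printing anything when OIP is empty. An empty $oip would otherwise end up
# in rules such as "allow tcp from any to  22", which ipfw rejects or, worse,
# parses into something you did not intend.
build_rules() {
    oif=$1; oip=$2; iif=$3; inet=$4
    if [ -z "$oip" ]; then
        echo "build_rules: no IPv4 address on $oif (no DHCP lease yet?); not loading rules" >&2
        return 1
    fi
    cat <<EOF
ipfw -f flush
ipfw add allow ip from any to any via lo0
ipfw add allow tcp from any to $oip 22 in via $oif setup
ipfw add allow tcp from any to any established
ipfw add allow ip from $inet to any in via $iif
ipfw add deny ip from any to any
EOF
}

# On the gateway itself you would take the output live instead of the sample, e.g.:
#   oip=$(ifconfig rl0 | iface_ipv4 rl0) && build_rules rl0 "$oip" sk0 192.98.98.0/24 | sh
```

Before piping the generated rules into `sh` on a real box, run them through `ipfw -n` first: that flag only checks the syntax of each command without passing it to the kernel, so a malformed rule is caught before the flush has already emptied the ruleset.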
But that's exactly what I'm doing. Google probably already feels bad because of me.
dikens3 wrote: 1. First decide on the task.
2. There is plenty of IPFW documentation on the internet. Google knows a looooooot.
3. Try to implement what you planned in item 1 yourself, and write to the forum about what doesn't work (preferably not right away, but the next day).
pf is simpler
hizel wrote: even though they say this is the simplest firewall in FreeBSD, based on my experience that is far from true
especially if you want something unusual
Thanks! A very interesting project.
lissyara wrote: http://www.lissyara.su/?id=1313
And how is it simpler??
3t0n wrote: Pf is simpler
Code:
#!/bin/sh
FwCMD="/sbin/ipfw" # path to the ipfw binary
oif="rl0" # external interface
oip="x.x.67.174" # external IP address of the machine
onet="x.x.67.160/28" # external network
iif="sk0" # internal interface
iip="192.98.98.1" # internal IP of the machine
inet="192.98.98.0/24" # internal network
ip_lan="192.98.98" # LAN prefix, used to build per-host addresses below
${FwCMD} -f flush
${FwCMD} -f queue flush
# check-state consults the dynamic rule table; nothing in this script uses keep-state, so it never matches anything here
${FwCMD} add check-state
${FwCMD} add allow ip from any to any via lo0
# loopback addresses must never appear on a real interface
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
# anti-spoofing: the LAN must not arrive from outside, the public net must not arrive from inside
${FwCMD} add deny ip from ${inet} to any in via ${oif}
${FwCMD} add deny ip from ${onet} to any in via ${iif}
# drop packets for private / bogon destinations arriving on the external interface
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${oif}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${oif}
${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${oif}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${oif}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${oif}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${oif}
#${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${oif}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${oif}
# NAT through natd: outgoing LAN traffic is diverted on the way out, inbound traffic to the public IP on the way in
${FwCMD} add divert natd ip from ${inet} to any out via ${oif}
${FwCMD} add divert natd ip from any to ${oip} in via ${oif}
# private / bogon source addresses must not leak out through the external interface
${FwCMD} add deny ip from 10.0.0.0/8 to any out via ${oif}
${FwCMD} add deny ip from 172.16.0.0/12 to any out via ${oif}
${FwCMD} add deny ip from 192.168.0.0/16 to any out via ${oif}
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ${oif}
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ${oif}
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ${oif}
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ${oif}
# ICMP echo reply, echo request and time exceeded; all IP traffic on the internal interface
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
${FwCMD} add allow ip from any to ${inet} in via ${iif}
${FwCMD} add allow ip from ${inet} to any out via ${iif}
# "established" matches any TCP packet with ACK or RST set, i.e. everything except a bare SYN;
# together with the "setup" rules below this is the stateless way of letting return traffic through
${FwCMD} add allow tcp from any to any established
#${FwCMD} add allow ip from ${oip} to any out xmit ${oif}
# DNS: the first rule matches on source port 53 only, in both directions, so any UDP packet sent from port 53 passes
${FwCMD} add allow udp from any 53 to any via ${oif}
${FwCMD} add allow udp from any to ${oip} 53 in via ${oif}
${FwCMD} add allow udp from ${oip} 53 to any out via ${oif}
${FwCMD} add allow tcp from any to ${oip} 53 in via ${oif} setup
${FwCMD} add allow tcp from any to ${iip} 53 out via ${iif} setup
${FwCMD} add allow udp from any to any 53 via ${oif}
${FwCMD} add allow udp from any to any 123 via ${oif}
# services reachable on the public IP: SSH, FTP and the high port range; no "setup" keyword and no
# direction, so these match every TCP packet to those ports through ${oif}, not only connection attempts
${FwCMD} add allow tcp from any to ${oip} 22 via ${oif}
${FwCMD} add allow tcp from any to ${oip} 21 via ${oif}
${FwCMD} add allow tcp from any to ${oip} 49152-65535 via ${oif}
# log and drop every other inbound connection attempt from outside, then let the gateway itself open connections
${FwCMD} add deny log tcp from any to ${oip} in via ${oif} setup
${FwCMD} add allow tcp from ${oip} to any out via ${oif} setup
# new connections arriving on the internal interface: to the gateway, to ICQ (5190) for the whole LAN,
# and unrestricted outbound TCP for three specific hosts ("setup" matches only the initial SYN)
${FwCMD} add allow tcp from any to ${oip} in via ${iif} setup
${FwCMD} add allow tcp from ${inet} to any 5190 in via ${iif} setup
${FwCMD} add allow tcp from ${ip_lan}.47 to not ${inet} in via ${iif} setup
${FwCMD} add allow tcp from ${ip_lan}.153 to not ${inet} in via ${iif} setup
${FwCMD} add allow tcp from ${ip_lan}.154 to not ${inet} in via ${iif} setup
${FwCMD} add deny ip from any to any
Code:
00100 0 0 check-state
00200 0 0 allow ip from any to any via lo0
00300 0 0 deny ip from any to 127.0.0.0/8
00400 0 0 deny ip from 127.0.0.0/8 to any
00500 0 0 deny ip from 192.98.98.0/24 to any in via rl0
00600 0 0 deny ip from x.x.67.160/28 to any in via sk0
00700 0 0 deny ip from any to 10.0.0.0/8 in via rl0
00800 0 0 deny ip from any to 172.16.0.0/12 in via rl0
00900 0 0 deny ip from any to 192.168.0.0/16 in via rl0
01000 0 0 deny ip from any to 0.0.0.0/8 in via rl0
01100 0 0 deny ip from any to 169.254.0.0/16 in via rl0
01200 2 226 deny ip from any to 240.0.0.0/4 in via rl0
01300 0 0 deny log logamount 10 icmp from any to 255.255.255.255 in via rl0
01400 0 0 deny log logamount 10 icmp from any to 255.255.255.255 out via rl0
01500 0 0 divert 8668 ip from 192.98.98.0/24 to any out via rl0
01600 162 15555 divert 8668 ip from any to 79.132.67.174 in via rl0
01700 0 0 deny ip from 10.0.0.0/8 to any out via rl0
01800 0 0 deny ip from 172.16.0.0/12 to any out via rl0
01900 0 0 deny ip from 192.168.0.0/16 to any out via rl0
02000 0 0 deny ip from 0.0.0.0/8 to any out via rl0
02100 0 0 deny ip from 169.254.0.0/16 to any out via rl0
02200 0 0 deny ip from 224.0.0.0/4 to any out via rl0
02300 0 0 deny ip from 240.0.0.0/4 to any out via rl0
02400 20 1680 allow icmp from any to any icmptypes 0,8,11
02500 3 234 allow ip from any to 192.98.98.0/24 in via sk0
02600 0 0 allow ip from 192.98.98.0/24 to any out via sk0
02700 263 36394 allow tcp from any to any established
02800 18 2228 allow udp from any 53 to any via rl0
02900 0 0 allow udp from any to x.x.67.174 dst-port 53 via rl0
03000 0 0 allow tcp from any to x.x.67.174 dst-port 53 in via rl0 setup
03100 0 0 allow tcp from any to 192.98.98.1 dst-port 53 out via sk0 setup
03200 18 1159 allow udp from any to any dst-port 53 via rl0
03300 0 0 allow udp from any to any dst-port 123 via rl0
03400 1 48 allow tcp from any to x.x.67.174 dst-port 22 via rl0
03500 0 0 allow tcp from any to x.x.67.174 dst-port 21 via rl0
03600 0 0 allow tcp from any to x.x.67.174 dst-port 49152-65535 via rl0
03700 0 0 allow udp from any 27015-27025 to 192.98.98.0/24 in via rl0
03800 0 0 allow udp from any 27015-27025 to 192.98.98.0/24 out via sk0
03900 0 0 allow udp from 192.98.98.0/24 to any dst-port 27015-27025 in via sk0
04000 0 0 allow udp from x.x.67.160/28 to any dst-port 27015-27025 out via rl0
04100 0 0 deny log logamount 10 tcp from any to x.x.67.174 in via rl0 setup
04200 0 0 allow tcp from x.x.67.174 to any out via rl0 setup
04300 0 0 allow tcp from any to x.x.67.174 in via sk0 setup
04400 0 0 allow tcp from 192.98.98.0/24 to any dst-port 5190 in via sk0 setup
04500 0 0 allow tcp from 192.98.98.47 to not 192.98.98.0/24 in via sk0 setup
04600 0 0 allow tcp from 192.98.98.153 to not 192.98.98.0/24 in via sk0 setup
04700 0 0 allow tcp from 192.98.98.154 to not 192.98.98.0/24 in via sk0 setup
04800 0 0 deny ip from any to any
65535 0 0 allow ip from any to any
Code:
in via sk0 setup
Code:
allow tcp from 192.98.98.47 to not 192.98.98.0/24 in via sk0
Code:
00100 0 0 check-state
00200 0 0 allow ip from any to any via lo0
00300 0 0 deny ip from any to 127.0.0.0/8
00400 0 0 deny ip from 127.0.0.0/8 to any
00500 0 0 deny ip from 192.98.98.0/24 to any in via rl0
00600 0 0 deny ip from x.x.67.160/28 to any in via sk0
00700 0 0 deny ip from any to 10.0.0.0/8 in via rl0
00800 0 0 deny ip from any to 172.16.0.0/12 in via rl0
00900 0 0 deny ip from any to 192.168.0.0/16 in via rl0
01000 0 0 deny ip from any to 0.0.0.0/8 in via rl0
01100 0 0 deny ip from any to 169.254.0.0/16 in via rl0
01200 6 678 deny ip from any to 240.0.0.0/4 in via rl0
01300 0 0 deny icmp from any to any frag
01400 0 0 deny log logamount 10 icmp from any to 255.255.255.255 in via rl0
01500 0 0 deny log logamount 10 icmp from any to 255.255.255.255 out via rl0
01600 189 11340 divert 8668 ip from 192.98.98.0/24 to any out via rl0
01700 204 12600 divert 8668 ip from any to x.x.67.174 in via rl0
01800 0 0 deny ip from 10.0.0.0/8 to any out via rl0
01900 0 0 deny ip from 172.16.0.0/12 to any out via rl0
02000 0 0 deny ip from 192.168.0.0/16 to any out via rl0
02100 0 0 deny ip from 0.0.0.0/8 to any out via rl0
02200 0 0 deny ip from 169.254.0.0/16 to any out via rl0
02300 0 0 deny ip from 224.0.0.0/4 to any out via rl0
02400 0 0 deny ip from 240.0.0.0/4 to any out via rl0
02500 786 47880 allow icmp from any to any icmptypes 0,8,11
02600 11 1166 allow ip from any to 192.98.98.0/24 in via sk0
02700 0 0 allow ip from 192.98.98.0/24 to any out via sk0
02800 802 196548 allow tcp from any to any established
02900 0 0 allow udp from any 53 to any via rl0
03000 0 0 allow udp from any to x.x.67.174 dst-port 53 via rl0
03100 0 0 allow tcp from any to x.x.67.174 dst-port 53 in via rl0 setup
03200 0 0 allow tcp from any to 192.98.98.1 dst-port 53 out via sk0 setup
03300 0 0 allow udp from any to any dst-port 53 via rl0
03400 0 0 allow udp from any to any dst-port 123 via rl0
03500 0 0 allow tcp from any to x.x.67.174 dst-port 22 via rl0
03600 0 0 allow tcp from any to x.x.67.174 dst-port 21 via rl0
03700 0 0 allow tcp from any to x.x.67.174 dst-port 49152-65535 via rl0
03800 0 0 allow udp from any 27015-27025 to 192.98.98.0/24 in via rl0
03900 0 0 allow udp from any 27015-27025 to 192.98.98.0/24 out via sk0
04000 0 0 allow udp from 192.98.98.0/24 to any dst-port 27015-27025 in via sk0
04100 0 0 allow udp from x.x.67.160/28 to any dst-port 27015-27025 out via rl0
04200 0 0 deny log logamount 10 tcp from any to x.x.67.174 in via rl0 setup
04300 0 0 allow tcp from x.x.67.174 to any out via rl0 setup
04400 0 0 allow tcp from any to x.x.67.174 in via sk0 setup
04500 0 0 allow tcp from 192.98.98.0/24 to any dst-port 5190 in via sk0
04600 0 0 allow tcp from 192.98.98.47 to not 192.98.98.0/24 in via sk0
04700 0 0 allow tcp from 192.98.98.153 to not 192.98.98.0/24 in via sk0 setup
04800 0 0 allow tcp from 192.98.98.154 to not 192.98.98.0/24 in via sk0 setup
04900 43 2868 deny ip from any to any
65535 0 0 allow ip from any to any
replace it with
Code:
04600 0 0 allow tcp from 192.98.98.47 to not 192.98.98.0/24 in via sk0
and what I meant was to remove not setup
Code:
04600 0 0 allow all from 192.98.98.47 to not 192.98.98.0/24
Code:
in via sk0
and leave that rule I was talking about
Code:
ipfw add 4810 pass all from not 192.98.98.0/24 to 192.98.98.0/24
Code:
04600 0 0 allow all from 192.98.98.47 to not 192.98.98.0/24
the firewall no longer lets 192.98.98.47 out
Code:
04600 0 0 allow all from 192.98.98.47 to not 192.98.98.0/24