firewall.sh
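#!/bin/sh
#
# /etc/firewall.sh - ipfw ruleset for a two-interface FreeBSD NAT gateway.
#
#   sk0 (extif): upstream side, 192.168.1.0/24, this host is 192.168.1.2
#   sk1 (intif): LAN side,      192.168.0.0/24, this host is 192.168.0.108
#
# Referenced from rc.conf as firewall_script=, so /etc/rc.d/ipfw may source
# this file instead of executing it.  Keep it plain POSIX sh, define only the
# variables below, and do not 'exit' or 'set -e' here.
#
# ipfw evaluates rules in ascending number order; the first match wins.
# Numbering plan:
#     50 - 350   state lookup, loopback, anti-spoofing
#    400 - 1310  martian filtering, ICMP and TCP-flag sanity checks
#   1100 - 1110  NAT (divert to natd) for LAN traffic on the upstream side
#   1400 - 2400  explicit allows
#   65534        final deny (the kernel's implicit rule 65535 normally denies
#                as well, so a partially loaded ruleset fails closed)
#
# NOTE(review): apart from rule 1750 this ruleset is stateless.  Rule 1600
# ("established") admits any TCP segment carrying ACK or RST, which is a
# weak stand-in for connection tracking; converting the outbound allows to
# keep-state is the next improvement and is not attempted here.

extif="sk0"
extnet="192.168.1.0/24"
extip="192.168.1.2"
intif="sk1"
intnet="192.168.0.0/24"
intip="192.168.0.108"   # gateway's LAN address (documented; no rule needs it)
fwcmd="/sbin/ipfw"

# Start from an empty ruleset, including any dummynet pipes/queues left over.
"${fwcmd}" -f flush
"${fwcmd}" -f pipe flush
"${fwcmd}" -f queue flush

# Match packets belonging to dynamic entries created by keep-state rules
# (rule 1750).  Sits first so state is consulted before everything else.
"${fwcmd}" add 50 check-state

# Loopback: allow everything on lo0, then refuse 127/8 on any other path.
"${fwcmd}" add 100 allow ip from any to any via lo0
"${fwcmd}" add 200 deny ip from any to 127.0.0.0/8
"${fwcmd}" add 250 deny ip from 127.0.0.0/8 to any

# Anti-spoofing: LAN addresses must not arrive on the upstream interface and
# upstream addresses must not arrive on the LAN interface.
"${fwcmd}" add 300 deny all from "${intnet}" to any in via "${extif}"
"${fwcmd}" add 350 deny all from "${extnet}" to any in via "${intif}"

# Martians arriving from upstream.  192.168.0.0/16 is deliberately absent:
# both sides of this box live inside it.
"${fwcmd}" add 400 deny ip from any to 10.0.0.0/8 in via "${extif}"
"${fwcmd}" add 410 deny ip from any to 172.16.0.0/12 in via "${extif}"
"${fwcmd}" add 420 deny ip from any to 0.0.0.0/8 in via "${extif}"
"${fwcmd}" add 430 deny ip from any to 169.254.0.0/16 in via "${extif}"
"${fwcmd}" add 500 deny ip from any to 224.0.0.0/4 in via "${extif}"
"${fwcmd}" add 510 deny ip from any to 240.0.0.0/4 in via "${extif}"

# ICMP hygiene: no fragmented ICMP; no inbound redirect (5), router
# advertisement (9), timestamp (13/14), information (15/16) or address-mask
# (17) messages.
"${fwcmd}" add 600 deny icmp from any to any frag
"${fwcmd}" add 610 deny icmp from any to any in icmptype 5,9,13,14,15,16,17

# Impossible TCP flag combinations: all flags set, no flags set, FIN with
# neither ACK nor RST.  Dropped silently rather than rejected: these are
# typically spoofed scan probes, and an ICMP answer only confirms a live
# host and produces backscatter towards the spoofed source.  Keep the flag
# lists free of spaces so each list is one argument to ipfw.
"${fwcmd}" add 700 deny tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
"${fwcmd}" add 710 deny tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
"${fwcmd}" add 720 deny tcp from any to any not established tcpflags fin

# Noisy services dropped before the logging rule at 2000 so they do not fill
# the log: ident (113) and NetBIOS (137-139).  NetBIOS name/datagram service
# is UDP in practice, so the 137/138 TCP rules rarely match; UDP to those
# ports falls through to 65534 unlogged anyway.
"${fwcmd}" add 800 deny tcp from any to any 113 in via "${extif}"
"${fwcmd}" add 900 deny tcp from any to any 137 in via "${extif}"
"${fwcmd}" add 910 deny tcp from any to any 138 in via "${extif}"
"${fwcmd}" add 920 deny tcp from any to any 139 in via "${extif}"

# Limited-broadcast ICMP on the upstream side, logged.
"${fwcmd}" add 1000 deny log icmp from any to 255.255.255.255 in via "${extif}"
"${fwcmd}" add 1010 deny log icmp from any to 255.255.255.255 out via "${extif}"

# NAT: LAN-sourced packets leaving upstream and everything addressed to the
# upstream IP are handed to natd.  Translated packets re-enter the ruleset at
# the next rule, so every allow below sees post-NAT addresses (an inbound
# port-forward already carries its LAN destination by then).  Packets natd
# does not translate continue unchanged.
"${fwcmd}" add 1100 divert natd ip from "${intnet}" to any out via "${extif}"
"${fwcmd}" add 1110 divert natd ip from any to "${extip}" in via "${extif}"

# Martians must not leak out upstream either (placed after NAT, so a
# translated packet is judged by its public source).
"${fwcmd}" add 1200 deny ip from 10.0.0.0/8 to any out via "${extif}"
"${fwcmd}" add 1210 deny ip from 172.16.0.0/12 to any out via "${extif}"
"${fwcmd}" add 1220 deny ip from 0.0.0.0/8 to any out via "${extif}"
"${fwcmd}" add 1230 deny ip from 169.254.0.0/16 to any out via "${extif}"
"${fwcmd}" add 1300 deny ip from 224.0.0.0/4 to any out via "${extif}"
"${fwcmd}" add 1310 deny ip from 240.0.0.0/4 to any out via "${extif}"

# ICMP we need: echo reply/request (0/8), time exceeded (11) and destination
# unreachable (3).  Type 3 is required for path-MTU discovery ("fragmentation
# needed") and for prompt failure of connections to closed ports; without it
# the final deny turns every such event into a timeout.
"${fwcmd}" add 1400 allow icmp from any to any icmptype 0,3,8,11

# LAN side.  1500 admits every protocol from any source to a LAN address
# arriving on the LAN interface - that includes every service on the
# gateway's own LAN address (192.168.0.108).  NOTE(review): tighten this to
# the services the LAN actually needs (53, 22, ...) once they are enumerated.
"${fwcmd}" add 1500 allow ip from any to "${intnet}" in via "${intif}"
"${fwcmd}" add 1550 allow ip from "${intnet}" to any out via "${intif}"

# Return traffic for TCP in either direction (ACK or RST set).
"${fwcmd}" add 1600 allow tcp from any to any established

# DNS served by this host on the upstream side, UDP and TCP.  This admits
# queries from any upstream address: restrict recursion in named.conf or
# narrow the source here.
"${fwcmd}" add 1700 allow udp from any to "${extip}" 53 in via "${extif}"
"${fwcmd}" add 1710 allow udp from "${extip}" 53 to any out via "${extif}"
"${fwcmd}" add 1800 allow tcp from any to "${extip}" 53 in via "${extif}"

# The gateway's own recursive lookups leave from an unprivileged source port.
# 1710 only covers source port 53 and no other rule allows UDP, so without
# this stateful rule the queries (and their replies) drop at 65534 unless the
# resolver is pinned to source port 53, which is undesirable.  Replies are
# matched by the dynamic entry at rule 50.
"${fwcmd}" add 1750 allow udp from "${extip}" to any 53 out via "${extif}" keep-state

# SSH to the gateway from upstream.  Open to any source; narrow it to the
# management hosts/network if the upstream router forwards public traffic.
"${fwcmd}" add 1900 allow tcp from any to "${extip}" 22 in via "${extif}" setup

# Disabled: UDP 27015-27025 in both directions, kept from the original.
# Their numbers overlap the live 1700/1710 rules (ipfw permits duplicate
# numbers, but 'delete 1700' would then remove both), so renumber before
# re-enabling.
#"${fwcmd}" add 1700 allow udp from any 27015-27025 to "${intnet}" in via "${extif}"
#"${fwcmd}" add 1710 allow udp from any 27015-27025 to "${intnet}" out via "${intif}"
#"${fwcmd}" add 1720 allow udp from "${intnet}" to any 27015-27025 in via "${intif}"
#"${fwcmd}" add 1730 allow udp from "${extip}" to any 27015-27025 out via "${extif}"

# Any other connection attempt to the gateway from upstream: deny and log.
# Logging is rate-limited by net.inet.ip.fw.verbose_limit.  Port-forwarded
# SYNs are not caught here because natd has already rewritten their
# destination to the LAN host.
"${fwcmd}" add 2000 deny log tcp from any to "${extip}" in via "${extif}" setup

# Connections leaving upstream with the gateway's address as source (its own
# and, post-NAT, the LAN's), and LAN connections to the gateway's upstream
# address.
"${fwcmd}" add 2100 allow tcp from "${extip}" to any out via "${extif}" setup
"${fwcmd}" add 2110 allow tcp from any to "${extip}" in via "${intif}" setup

# Port-forwards to LAN hosts: "via" matches on both the upstream pass
# (post-NAT, inbound) and the LAN pass (outbound).  The destination rewrite
# itself has to come from natd (redirect_port in /etc/natd.conf, not shown
# here) - these rules only permit the result.
"${fwcmd}" add 2200 allow tcp from any to 192.168.0.1 8181 via "${extif}"
"${fwcmd}" add 2205 allow tcp from any to 192.168.0.1 8181 via "${intif}"
"${fwcmd}" add 2210 allow tcp from any to 192.168.0.123 8282 via "${extif}"
"${fwcmd}" add 2215 allow tcp from any to 192.168.0.123 8282 via "${intif}"

# New connections from the LAN: every host gets this service list (ftp, smtp,
# http, pop3, https, submission, imaps plus the site's application ports);
# three named hosts may reach any destination outside the LAN.
"${fwcmd}" add 2300 allow tcp from "${intnet}" to any 20,21,25,80,110,443,587,993,5190,5222,5223,7014 in via "${intif}" setup
"${fwcmd}" add 2400 allow tcp from 192.168.0.1,192.168.0.20,192.168.0.123 to not "${intnet}" in via "${intif}" setup

# Everything else is dropped.  Note what is NOT permitted above: UDP from the
# LAN to anything outside the LAN (so LAN hosts must resolve through the
# gateway's resolver) and UDP from the gateway other than DNS.
"${fwcmd}" add 65534 deny ip from any to any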
# /etc/rc.conf excerpt for the NAT gateway driven by /etc/firewall.sh.
hostname="inet.pie.com"
# Enable ipfw and load the custom ruleset instead of a stock firewall_type.
firewall_enable="YES"
firewall_script="/etc/firewall.sh"
# natd: user-space NAT on the upstream interface; the ruleset diverts LAN
# traffic to it.  -m keeps source ports where possible, -u translates only
# packets with unregistered (RFC 1918) source addresses.  /etc/natd.conf is
# not shown; the ruleset's port-forward allows (8181, 8282) presumably rely
# on redirect_port entries in it - verify.
natd_enable="YES"
natd_interface="sk0"
natd_flags="-m -u -f /etc/natd.conf"
# Forward packets between sk0 and sk1 (net.inet.ip.forwarding=1).
gateway_enable="YES"
# Must stay in sync with extip/intip in firewall.sh.
ifconfig_sk0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_sk1="inet 192.168.0.108 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
# named on the gateway: firewall.sh admits port 53 from any host on sk0, so
# make sure recursion is limited to the LAN in named.conf (not shown).
named_enable="YES"
# Linux binary compatibility is unrelated to the gateway role.
# NOTE(review): drop it unless something on this box actually needs it.
linux_enable="YES"
# sshd listens on all addresses unless sshd_config says otherwise; firewall.sh
# exposes it on sk0 to any source (rule 1900).
sshd_enable="YES"