правила у меня такие
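#!/bin/sh
#
# ipfw ruleset for a small NAT gateway: external link on sk0, LAN
# 192.168.0.0/24 on sk1, natd for address translation, a transparent
# redirect of LAN web traffic to a local proxy on port 3128, a per-host
# outbound policy for LAN clients and one dummynet pipe.
#
# Must run as root.  There is deliberately no `set -e`: a firewall script
# should keep going and reach the final catch-all deny (rule 65534) even
# if one rule fails to load; aborting half-way could leave the host with
# a partially built ruleset.
#
extif="sk0"                  # external (upstream) interface
extnet="83.xx.xxx.0/30"      # external subnet (masked as posted)
extip="xx.xxx.xxx.xxx"       # external address (masked as posted)
intif="sk1"                  # internal (LAN) interface
intnet="192.168.0.0/24"      # LAN subnet
intip="192.168.0.108"        # LAN address of this host (not referenced below)
# No trailing space here.  ${fwcmd} is expanded unquoted on purpose so the
# shell word-splits it into the command name (rc.firewall style); the
# original "/sbin/ipfw " only worked because of that splitting.
fwcmd="/sbin/ipfw"

# -f: flush without the interactive "Are you sure?" prompt.
${fwcmd} -f flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush

# dynamic rules: match packets against the dynamic (keep-state) table first
${fwcmd} add 50 check-state
# loopback
${fwcmd} add 100 allow ip from any to any via lo0
# sshit: addresses put into table 0 by the brute-force blocker lose all
# access to this host except ICMP
${fwcmd} add 150 deny not icmp from "table(0)" to me
# loopback addresses must never appear on a real interface
${fwcmd} add 200 deny ip from any to 127.0.0.0/8
${fwcmd} add 250 deny ip from 127.0.0.0/8 to any
# anti-spoofing: LAN addresses arriving from outside, external addresses
# arriving from the LAN
${fwcmd} add 300 deny all from ${intnet} to any in via ${extif}
${fwcmd} add 350 deny all from ${extnet} to any in via ${intif}
# bogon / private / multicast / reserved destinations arriving from outside
${fwcmd} add 400 deny ip from any to 10.0.0.0/8 in via ${extif}
${fwcmd} add 410 deny ip from any to 172.16.0.0/12 in via ${extif}
${fwcmd} add 420 deny ip from any to 0.0.0.0/8 in via ${extif}
${fwcmd} add 430 deny ip from any to 169.254.0.0/16 in via ${extif}
${fwcmd} add 500 deny ip from any to 224.0.0.0/4 in via ${extif}
${fwcmd} add 510 deny ip from any to 240.0.0.0/4 in via ${extif}
# fragmented ICMP and inbound redirect/router-advert/timestamp/info/mask
# ICMP types
${fwcmd} add 600 deny icmp from any to any frag
${fwcmd} add 610 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
# TCP flag sanity: all flags set ("xmas"), no flags set ("null"), and a
# bare FIN that does not belong to an established connection.
# The flag list must be ONE comma-separated token with no spaces: written
# as "fin, syn, ..." the shell passes "syn," etc. as separate words, which
# ipfw rejects as an unrecognised option, so the rule is not installed.
${fwcmd} add 700 reject tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
${fwcmd} add 710 reject tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
${fwcmd} add 720 reject tcp from any to any not established tcpflags fin
# ident and NetBIOS from outside.  Note these rules match TCP only; the
# UDP side of NetBIOS (137-139) is not covered by them.
${fwcmd} add 800 deny tcp from any to any 113 in via ${extif}
${fwcmd} add 900 deny tcp from any to any 137 in via ${extif}
${fwcmd} add 910 deny tcp from any to any 138 in via ${extif}
${fwcmd} add 920 deny tcp from any to any 139 in via ${extif}
# limited-broadcast ICMP on the external link, logged
${fwcmd} add 1000 deny log icmp from any to 255.255.255.255 in via ${extif}
${fwcmd} add 1010 deny log icmp from any to 255.255.255.255 out via ${extif}
# transparent proxy: LAN web traffic leaving via the external interface is
# redirected to the local proxy on 127.0.0.1:3128
${fwcmd} add 1050 fwd 127.0.0.1,3128 tcp from ${intnet} to any 80 via ${extif}
# NAT: LAN traffic going out, and anything addressed to our external IP
# coming in, is handed to natd
${fwcmd} add 1100 divert natd ip from ${intnet} to any out via ${extif}
${fwcmd} add 1110 divert natd ip from any to ${extip} in via ${extif}
# never let private / reserved source addresses leak out
${fwcmd} add 1200 deny ip from 10.0.0.0/8 to any out via ${extif}
${fwcmd} add 1210 deny ip from 172.16.0.0/12 to any out via ${extif}
${fwcmd} add 1220 deny ip from 0.0.0.0/8 to any out via ${extif}
${fwcmd} add 1230 deny ip from 169.254.0.0/16 to any out via ${extif}
${fwcmd} add 1300 deny ip from 224.0.0.0/4 to any out via ${extif}
${fwcmd} add 1310 deny ip from 240.0.0.0/4 to any out via ${extif}
# echo reply / echo request / time exceeded
${fwcmd} add 1400 allow icmp from any to any icmptype 0,8,11
# everything on the LAN side is trusted
${fwcmd} add 1500 allow ip from any to ${intnet} in via ${intif}
${fwcmd} add 1550 allow ip from ${intnet} to any out via ${intif}
# packets belonging to already-established TCP sessions
${fwcmd} add 1600 allow tcp from any to any established
# DNS: queries to our resolver from outside and our own queries outbound
${fwcmd} add 1700 allow udp from any to ${extip} 53 in via ${extif}
${fwcmd} add 1710 allow udp from ${extip} 53 to any out via ${extif}
${fwcmd} add 1720 allow udp from any 53 to ${extip} in via ${extif}
${fwcmd} add 1730 allow udp from ${extip} to any 53 out via ${extif}
${fwcmd} add 1800 allow tcp from any to ${extip} 53 in via ${extif}
# inbound SSH (new connections only; sshit above blocks listed offenders)
${fwcmd} add 1900 allow tcp from any to ${extip} 22 in via ${extif} setup
# Disabled game-server rules.  NOTE: they reuse numbers 1700-1730, which
# the DNS rules above already occupy; give them fresh numbers before
# enabling so `ipfw show` / `ipfw delete` stay unambiguous.
#${fwcmd} add 1700 allow udp from any 27015-27025 to ${intnet} in via ${extif}
#${fwcmd} add 1710 allow udp from any 27015-27025 to ${intnet} out via ${intif}
#${fwcmd} add 1720 allow udp from ${intnet} to any 27015-27025 in via ${intif}
#${fwcmd} add 1730 allow udp from ${extip} to any 27015-27025 out via ${extif}
# any other new inbound connection to the external address is logged and
# dropped
${fwcmd} add 2000 deny log tcp from any to ${extip} in via ${extif} setup
# new outbound connections from this host, and LAN connections to it
${fwcmd} add 2200 allow tcp from ${extip} to any out via ${extif} setup
${fwcmd} add 2210 allow tcp from any to ${extip} in via ${intif} setup
# port forwards (post-natd destination): 8181 -> 192.168.0.1,
# 8282 -> 192.168.0.123, on both interfaces
${fwcmd} add 2300 allow tcp from any to 192.168.0.1 8181 via ${extif}
${fwcmd} add 2305 allow tcp from any to 192.168.0.1 8181 via ${intif}
${fwcmd} add 2310 allow tcp from any to 192.168.0.123 8282 via ${extif}
${fwcmd} add 2315 allow tcp from any to 192.168.0.123 8282 via ${intif}
# whole LAN may open SMTP / POP3 / HTTPS / ICQ
${fwcmd} add 2400 allow tcp from ${intnet} to any 25,110,443,5190 in via ${intif} setup
########################## USERS INET ###############################
# Per-host outbound policy: hosts without a port list may open any TCP
# connection; the others are limited to FTP (20,21) and HTTP (80).
${fwcmd} add 2500 allow tcp from 192.168.0.1 to any in via ${intif} setup
${fwcmd} add 2505 allow tcp from 192.168.0.20 to any in via ${intif} setup
${fwcmd} add 2510 allow tcp from 192.168.0.150 to any 20,21,80 in via ${intif} setup
${fwcmd} add 2515 allow tcp from 192.168.0.5 to any in via ${intif} setup
${fwcmd} add 2520 allow tcp from 192.168.0.24 to any 20,21,80 in via ${intif} setup
${fwcmd} add 2525 allow tcp from 192.168.0.114 to any 20,21,80 in via ${intif} setup
${fwcmd} add 2530 allow tcp from 192.168.0.100 to any 20,21,80 in via ${intif} setup
${fwcmd} add 2535 allow tcp from 192.168.0.12 to any in via ${intif} setup
${fwcmd} add 2540 allow tcp from 192.168.0.123 to any in via ${intif} setup
${fwcmd} add 2545 allow tcp from 192.168.0.211 to any 20,21,80 in via ${intif} setup
${fwcmd} add 2550 allow tcp from 192.168.0.11 to any 20,21,80 in via ${intif} setup
${fwcmd} add 2555 allow tcp from 192.168.0.223 to any in via ${intif} setup
${fwcmd} add 2560 allow tcp from 192.168.0.215 to any 20,21,80 in via ${intif} setup
${fwcmd} add 2565 allow tcp from 192.168.0.151 to any 20,21,80 in via ${intif} setup
${fwcmd} add 2570 allow tcp from 192.168.0.240 to any 20,21,80 in via ${intif} setup
${fwcmd} add 2575 allow tcp from 192.168.0.153 to any 20,21,80 in via ${intif} setup
# dummynet pipe, 10 KB/s (ipfw reports it as 80 Kbit/s).  No rule in this
# script has a `pipe 1` action, so nothing here sends traffic through it;
# it only shapes traffic if a rule elsewhere references it.
${fwcmd} pipe 1 config bw 10KBytes/s
# catch-all deny, one below the kernel default rule 65535 so the policy
# does not depend on how the kernel's default was built
${fwcmd} add 65534 deny ip from any to any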
ipfw pipe show пишет
00001: 80.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 192.168.0.123/3662 81.176.230.239/80 18 864 0 0 0