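#!/bin/sh
# ipfw ruleset for a natd gateway: LAN on vr0, internet on $pif (ste0),
# PPTP/VPN over ng*, FTP served to the outside, everything else denied+logged.
#
# Rule layout:
#   002-003  LAN (vr0) and loopback traffic bypass the filter entirely
#   100-101  de-NAT inbound packets on $pif, then match existing dynamic rules
#   120-130  traffic we initiate: create state, skipto 500 to be NATed out
#   200-210  services reachable from outside (FTP)
#   350-356  PPTP control channel, GRE, VPN interfaces and VPN client addresses
#   400      outbound SMB, stateful, NATed like the rest of the outbound set
#   410      ICMP, both directions, stateless
#   450      default: deny and log
#   500-510  outbound NAT, then pass
cmd="ipfw -q add"
skip="skipto 500"
pif="ste0"
ks="keep-state"
good_tcpo="13,20,21,22,23,25,5190,53,80,443,110,1723"
vpn1="192.168.10.50,192.168.10.51,192.168.10.52"

# -q implies -f, so the flush does not prompt. Until the rules below are
# loaded only the kernel default rule (65535 deny) is in effect.
ipfw -q flush

$cmd 002 allow all from any to any via vr0 # exclude LAN traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
#$cmd 005 deny ip from 127.0.0.0/8 to any
#$cmd 006 deny ip from any to 127.0.0.0/8

# Inbound packets are translated back to their LAN address first, so the
# dynamic rules created by the keep-state rules below can match the reply.
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets.
# DNS: match only on the way out and create a dynamic rule; the reply is
# admitted by check-state (rule 101) after de-NAT at rule 100. A stateless
# "allow udp from any 53 to any" is therefore not needed -- it would admit
# any inbound UDP packet that merely carries source port 53, to any local
# port. If dynamic rules do not match the replies in your setup, at least
# bind such a rule to "in via $pif" instead of leaving it global.
$cmd 120 $skip udp from any to any 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from me to any out via $pif $ks

# Inbound services: FTP control (21) and active-mode data (20) to this host.
$cmd 200 allow tcp from any to me 21 in via $pif setup $ks
$cmd 210 allow tcp from any to me 20 in via $pif setup $ks

###VPN##########
$cmd 350 allow tcp from any to me 1723
$cmd 351 allow tcp from me 1723 to any
$cmd 352 allow gre from any to any
$cmd 354 allow ip from any to any via ng
# Rules listed in numeric order; ipfw sorts by number anyway, but the
# listing in "ipfw show" is easier to compare against this file.
$cmd 355 allow ip from any to $vpn1
$cmd 356 allow ip from $vpn1 to any
###############

# SMB/CIFS to remote hosts, initiated from here. Handled like rule 125 so a
# LAN client is NATed on the way out (a plain "allow ... via $pif" would let
# the packet leave with its private source address and never be translated).
# The previous pair (445 allowed in both directions on $pif, stateless) also
# exposed TCP/445 on this host and the LAN to the internet; if an SMB server
# really must be reachable from outside, add an explicit
# "allow tcp from any to <host> 445 in via $pif setup $ks" rule for that host.
$cmd 400 $skip tcp from any to any 445 out via $pif setup $ks

$cmd 410 allow icmp from any to any
$cmd 450 deny log ip from any to any

######################## skipto
# Everything that skipped here is translated and passed out on $pif.
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any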
# ipfw show
00002 1209 118033 allow ip from any to any via vr0
00003 50 4898 allow ip from any to any via lo0
00100 461 26600 divert 8668 ip from any to any in via ste0
00101 0 0 check-state
00120 38 2428 skipto 500 udp from any to any dst-port 53
00121 38 3429 allow udp from any 53 to any
00125 0 0 skipto 500 tcp from any to any dst-port 13,20,21,22,23,25,5190,53,80,443,110,1723 out via ste0 setup keep-state
00126 8 640 skipto 500 icmp from any to any out via ste0 keep-state
00130 0 0 skipto 500 icmp from me to any out via ste0 keep-state
00200 150 8843 allow tcp from any to me dst-port 21 in via ste0 setup keep-state
00210 0 0 allow tcp from any to me dst-port 20 in via ste0 setup keep-state
00350 0 0 allow tcp from any to me dst-port 1723
00351 0 0 allow tcp from me 1723 to any
00352 0 0 allow gre from any to any
00354 0 0 allow ip from any to any via ng
00355 0 0 allow ip from any to 192.168.10.50,192.168.10.51,192.168.10.52
00356 0 0 allow ip from 192.168.10.50,192.168.10.51,192.168.10.52 to any
00400 0 0 allow tcp from any to any dst-port 445 via ste0
00401 0 0 allow tcp from any 445 to any via ste0
00410 2 152 allow icmp from any to any
00450 348 19594 deny log ip from any to any
00500 43 2824 divert 8668 ip from any to any out via ste0
00510 46 3068 allow ip from any to any
65535 2 156 deny ip from any to any