Столкнулся с этой проблемой, правда у меня два отдельных интерфейса, решил следующим образом:
#!/bin/sh
##############################################################################
# Pull in rc.conf when it is readable: it provides firewall_quiet and,
# presumably, the host/port variables the rules below expand (not set here).
if test -r /etc/rc.conf; then
  . /etc/rc.conf
fi
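###############################################################################
# Addresses.  Everything LAN-side is derived from inside_ip_prefix so the
# network can be renumbered in one place.  x.x.x.x / y.y.y.y are placeholders
# the author substituted for the real public addresses.
#
# NOTE(review): the rules further down also expand ${dns} ${ntp} ${mail}
# ${www} ${ftp} ${proxy} ${remote_users} ${remote_admins} ${vmware}
# ${openfire} and the port lists ${sshd_port} ${unregister_ports}
# ${http_ports} ${mailclient_ports} ${apache_ports} ${webmin_port}
# ${vmware_ports} ${openfire_ports} ${radmin_ports}.  None of them is set in
# this file -- presumably they come from /etc/rc.conf sourced above.  Under
# /bin/sh an unset variable expands to nothing, and for the *port* variables
# that does not make the rule fail: "pass tcp from ${lan} to me ${sshd_port}
# in setup" degrades to a pass for every TCP port.  A guard per variable,
#   : "${sshd_port:?sshd_port is not set}"
# placed here (before the flush) makes the script fail closed instead.
#
# Our inside interface, ip, netmask and network
inside_if="em0"
inside_ip_prefix="192.168.0"
inside_ip="${inside_ip_prefix}.9"
inside_mask="255.255.255.0"
lan="${inside_ip_prefix}.0/24"
# Primary uplink (routing table FIB 1 below); x.x.x.x is a placeholder
outside_if="em1"
outside_ip="x.x.x.x"
outside_mask="255.255.255.252"
outside="x.x.x.x/30"
# Backup uplink (routing table FIB 2 below); y.y.y.y is a placeholder
reserve_if="em2"
reserve_ip="y.y.y.y"
reserve_mask="255.255.255.252"
reserve="y.y.y.y/30"
# (inside_ip, the *_mask and outside/reserve values are not referenced by the
# rules shown; presumably used by the parts the author trimmed.)
# Other server & LAN IP, as ipfw address lists: "{ a or b }"
# lan_servers now carries the closing brace ipfw's list syntax requires; the
# original value "{ ...0/29" would have been rejected by ipfw wherever it was
# expanded.  Not referenced by the rules shown.
lan_servers="{ ${inside_ip_prefix}.0/29 }"
lan_admins="{ ${inside_ip_prefix}.124 }"
ftp_users="{ ${inside_ip_prefix}.1 or ${inside_ip_prefix}.2 or ${inside_ip_prefix}.4 or ${inside_ip_prefix}.5 or ${inside_ip_prefix}.6 }"
# Non-routable / reserved nets that must never arrive on an uplink
no_routing_net="{ 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 0.0.0.0/8 or 169.254.0.0/16 or 192.0.2.0/24 or 224.0.0.0/4 or 240.0.0.0/4 }"
# Terminal servers published via the nat redirect_port entries below
tserver="{ ${inside_ip_prefix}.2 or ${inside_ip_prefix}.5 or ${inside_ip_prefix}.8 or ${inside_ip_prefix}.11 }"
# Start list number: rules are numbered from rule_num upward, step apart
rule_num=1000
step=10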
###############################################################################
# Internal commands: pick the ipfw front-end.
# firewall_quiet=YES (from rc.conf) adds -q, which silences the informational
# output of add/flush -- useful when loading over a remote session.  Without
# it every rule is echoed back, which is handy while testing.
fwcmd="/sbin/ipfw"
case "${firewall_quiet}" in
  [Yy][Ee][Ss]) fwcmd="/sbin/ipfw -q" ;;
esac
# Dry run: "<script> echo" prints every rule instead of loading it.
if [ "${1}" = "echo" ]; then
  fwcmd="/bin/echo"
fi
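# addcmd ACTION RULE...: emit "ipfw add <rule_num> ACTION RULE..." and advance
# rule_num by step, so rules get increasing numbers in script order.
# Globals: fwcmd (read; unquoted on purpose, it may be "/sbin/ipfw -q"),
#          rule_num (read/written), step (read).
# "$@" hands the caller's words through unchanged; the unquoted $* it replaces
# let the shell re-split and glob-expand them.
addcmd () {
  ${fwcmd} add "${rule_num}" "$@"
  rule_num=$((rule_num + step))
}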
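# pass RULE...: add an ipfw "pass" (allow) rule numbered rule_num and advance
# rule_num by step.  Globals: fwcmd (read; unquoted on purpose, it may be
# "/sbin/ipfw -q"), rule_num (read/written), step (read).
# "$@" replaces the unquoted $@, which let the shell re-split and glob-expand
# the rule words before ipfw saw them.
pass () {
  ${fwcmd} add "${rule_num}" pass "$@"
  rule_num=$((rule_num + step))
}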
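# deny RULE...: add an ipfw "deny" (drop) rule numbered rule_num and advance
# rule_num by step.  Globals: fwcmd (read; unquoted on purpose, it may be
# "/sbin/ipfw -q"), rule_num (read/written), step (read).
# "$@" replaces the unquoted $@ so the rule words reach ipfw exactly as given.
deny () {
  ${fwcmd} add "${rule_num}" deny "$@"
  rule_num=$((rule_num + step))
}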
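# reset RULE...: add an ipfw "reset" rule (drop and answer with a TCP RST)
# numbered rule_num and advance rule_num by step.
# Globals: fwcmd (read; unquoted on purpose, it may be "/sbin/ipfw -q"),
#          rule_num (read/written), step (read).
# "$@" replaces the unquoted $@ so the rule words are not re-split or globbed.
reset () {
  ${fwcmd} add "${rule_num}" reset "$@"
  rule_num=$((rule_num + step))
}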
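# reject RULE...: add an ipfw "reject" rule (drop and send an ICMP host
# unreachable) numbered rule_num and advance rule_num by step.
# Globals: fwcmd (read; unquoted on purpose, it may be "/sbin/ipfw -q"),
#          rule_num (read/written), step (read).
# "$@" replaces the unquoted $@ so the rule words are not re-split or globbed.
reject () {
  ${fwcmd} add "${rule_num}" reject "$@"
  rule_num=$((rule_num + step))
}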
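# divert PORT RULE...: add an ipfw "divert" rule (hand matching packets to the
# divert socket on PORT) numbered rule_num and advance rule_num by step.
# Globals: fwcmd (read; unquoted on purpose, it may be "/sbin/ipfw -q"),
#          rule_num (read/written), step (read).
# "$@" replaces the unquoted $@ so the rule words are not re-split or globbed.
divert () {
  ${fwcmd} add "${rule_num}" divert "$@"
  rule_num=$((rule_num + step))
}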
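# tee PORT RULE...: add an ipfw "tee" rule (copy matching packets to the divert
# socket on PORT and keep processing) numbered rule_num and advance rule_num
# by step.  Note: this shadows the tee(1) utility for the rest of the script.
# Globals: fwcmd (read; unquoted on purpose, it may be "/sbin/ipfw -q"),
#          rule_num (read/written), step (read).
# "$@" replaces the unquoted $@ so the rule words are not re-split or globbed.
tee () {
  ${fwcmd} add "${rule_num}" tee "$@"
  rule_num=$((rule_num + step))
}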
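# forward ADDR[,PORT] RULE...: add an ipfw "forward" rule (send matching
# packets to the given next hop) numbered rule_num and advance rule_num by step.
# Globals: fwcmd (read; unquoted on purpose, it may be "/sbin/ipfw -q"),
#          rule_num (read/written), step (read).
# "$@" replaces the unquoted $@ so the rule words are not re-split or globbed.
forward () {
  ${fwcmd} add "${rule_num}" forward "$@"
  rule_num=$((rule_num + step))
}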
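# skipto NUM RULE...: add an ipfw "skipto" rule (continue at rule NUM for
# matching packets) numbered rule_num and advance rule_num by step.
# Globals: fwcmd (read; unquoted on purpose, it may be "/sbin/ipfw -q"),
#          rule_num (read/written), step (read).
# "$@" replaces the unquoted $@ so the rule words are not re-split or globbed.
skipto () {
  ${fwcmd} add "${rule_num}" skipto "$@"
  rule_num=$((rule_num + step))
}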
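# count RULE...: add an ipfw "count" rule (update the counters and keep
# processing) numbered rule_num and advance rule_num by step.
# Globals: fwcmd (read; unquoted on purpose, it may be "/sbin/ipfw -q"),
#          rule_num (read/written), step (read).
# "$@" replaces the unquoted $@ so the rule words are not re-split or globbed.
count () {
  ${fwcmd} add "${rule_num}" count "$@"
  rule_num=$((rule_num + step))
}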
###############################################################################
# Flush out the list before we begin: every rule (static and dynamic) and every
# dummynet pipe goes away, so until the rules below are loaded only the kernel's
# default rule 65535 applies.  The nat instances are deleted separately below.
# NOTE(review): when this runs over a remote session, losing the connection at
# this point leaves the host with a half-built ruleset; the "echo" dry run
# above is the safe way to review a change first.
${fwcmd} -f flush
${fwcmd} -f pipe flush
############################# Firewall rules ##################################
# rule_num is already 1000 from the setup section; restated so the numbering
# of the real ruleset is explicit.
rule_num=1000
# Allow loopbacks, deny imposters: everything on lo0 is trusted, and 127/8
# must never appear as source or destination on a real interface.
pass all from any to any via lo0
deny all from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
###############################################################################
# Drop both nat instances before they are re-created below.  On a fresh boot
# they do not exist yet and ipfw may complain; that is not fatal, the script
# does not use set -e.
${fwcmd} nat 1 delete
${fwcmd} nat 2 delete
# Presumably gives the kernel a moment to tear the instances down before the
# config calls -- TODO confirm the pause is still needed
sleep 1
в локалке есть терминальный сервер, который должен быть доступен с основного канала и с резервного
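# nat 1: backup uplink (${reserve_if}).  "log" enables logging for the
# instance, "reset" clears the translation table when the interface address
# changes, "same_ports" keeps the original source port where possible.  Only the
# two RDP hosts are published through the backup uplink.  Hosts are spelled via
# ${inside_ip_prefix} (same values as before) so a LAN renumbering needs no
# edit here.  No comments inside the continued command: a "#" line would end it.
${fwcmd} nat 1 config log if ${reserve_if} reset same_ports\
redirect_port tcp ${inside_ip_prefix}.2:3389 3391\
redirect_port tcp ${inside_ip_prefix}.5:3389 3392
# nat 2: primary uplink (${outside_if}), full set of published services
# (outside port -> inside host:port).  Each redirect_port exposes a LAN host to
# whatever the uplink block lets through; the source restriction is the
# ${remote_users} / ${remote_admins} rules in the inside-interface block, so
# keep that list in sync with this one.
# NOTE(review): ".11:5233 5223" is the only entry whose inside port differs
# from the outside one without an obvious reason (5223 is XMPP over TLS);
# confirm 5233 is not a typo for 5223.
# NOTE(review): nat 2 is configured here, but no rule in the ${outside_if}
# block shown invokes it -- see that block.
${fwcmd} nat 2 config log if ${outside_if} reset same_ports\
redirect_port tcp ${inside_ip_prefix}.11:5222 5222\
redirect_port tcp ${inside_ip_prefix}.11:5233 5223\
redirect_port tcp ${inside_ip_prefix}.11:9090 9090\
redirect_port tcp ${inside_ip_prefix}.11:9091 9091\
redirect_port tcp ${inside_ip_prefix}.2:3389 3391\
redirect_port tcp ${inside_ip_prefix}.5:3389 3392\
redirect_port tcp ${inside_ip_prefix}.11:3389 3393\
redirect_port tcp ${inside_ip_prefix}.8:3389 3394\
redirect_port tcp ${inside_ip_prefix}.10:443 443\
redirect_port tcp ${inside_ip_prefix}.10:80 80\
redirect_port tcp ${inside_ip_prefix}.10:902 902\
redirect_port tcp ${inside_ip_prefix}.10:903 903\
redirect_port tcp ${inside_ip_prefix}.254:5000 5000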
для каждого провайдера своя таблица маршрутизации, default route можно вообще не указывать
# One routing table (FIB) per uplink: FIB 1 -> primary (x.x.x.x placeholder),
# FIB 2 -> backup (y.y.y.y placeholder).  Needs a kernel built with more than
# one FIB; per the author's note the default FIB need not carry a default
# route at all.  The setfib rules in the inside-interface block select the FIB.
setfib 1 route add default x.x.x.x
setfib 2 route add default y.y.y.y
##############################################################################
трафик от интерфейсов раскидывается по блокам правил (мой метод, мне кажется удобнее)
# Dispatch by interface: every interface gets its own numbered block below.
#   10000  inside (em0)          -- all filtering, state and FIB selection
#   20000  backup uplink (em2)   -- nat 1, tag 10 / tag 2
#   30000  primary uplink (em1)  -- tag 1
# for inside interface (not NAT)
skipto 10000 ip from any to any via ${inside_if}
# for reserve interface
skipto 20000 ip from any to any via ${reserve_if}
# for outside interface
skipto 30000 ip from any to any via ${outside_if}
##############################################################################
# Anything on an interface not dispatched above (lo0 was handled earlier) is
# logged and dropped, so an unexpected interface fails closed.
deny log all from any to any
rule_num=10000
############################ inside interface (em0) ###########################
# deny not LAN connections: anti-spoofing on em0 -- inbound packets must carry
# a source address from ${lan}
deny log ip from not ${lan} to any in
# Deny fragmented ICMP packets
deny icmp from any to any frag
# allow IP fragments to pass through: "frag" matches non-first fragments, which
# carry no L4 header, so none of the port-based rules below could classify
# them; they are accepted here unfiltered
pass all from any to any frag
# Match existing dynamic entries (created by the keep-state rules below) before
# any static rule is consulted.
addcmd check-state
# set routing table for same interface: the two setfib rules that follow (after
# the author's note) pin each flow to the FIB of the uplink it came in on
!!! здесь самая суть. Устанавливаются ДИНАМИЧЕСКИЕ правила для пакетов, пришедших с разных внешних интерфейсов и уходящих в локалку,
у обратных пакетов будет установлена та же таблица маршрутизации (check-state)
# tag 1 is stamped on packets that entered via the primary uplink (30000
# block), tag 2 on those from the backup uplink (20000 block).  setfib binds
# the packet to the matching FIB and, with keep-state, records a dynamic entry
# that the check-state above applies to the replies, so each connection
# answers through the uplink it arrived on (the author's note above).
addcmd setfib 1 tagged 1 keep-state
addcmd setfib 2 tagged 2 keep-state
# Allow established connections from LAN to me & from me to LAN
# ("established" matches on TCP flags, not on dynamic state)
pass tcp from ${lan} to me established
pass tcp from me to ${lan} established
# From server to LAN: new TCP (setup), UDP and ICMP originated by this host
pass tcp from me to ${lan} out setup
pass udp from me to ${lan} out
pass icmp from me to ${lan} keep-state
# DHCP
# NOTE(review): port 69 is TFTP, not DHCP, and this first rule already covers
# the two explicit 68->67 / 67->68 rules after it; confirm 69 is intended.
pass udp from any to any 67,68,69
pass udp from any 68 to any 67
pass udp from any 67 to any 68
# Log and drop anything else that uses the DHCP ports.
deny log udp from any 67,68 to any
deny log udp from any to any 67,68
# DNS (to the resolver(s) in ${dns} only)
pass udp from ${lan} to ${dns} 53 in
pass tcp from ${lan} to ${dns} 53 in setup
# NTP & Time-server (525 = timed)
pass udp from ${lan} to ${ntp} 123 in
pass tcp from ${lan} to ${ntp} 525 in setup
# Mail, web and ftp servers
pass tcp from ${lan} to ${mail} 25,${mailclient_ports} in setup
pass tcp from ${lan} to ${www} 80 in setup
pass tcp from ${lan} to ${ftp} 20,21 in setup
# Additional local services on this host.
# NOTE(review): ${unregister_ports} -- like ${sshd_port}, ${http_ports} and the
# other port variables used below -- is not set in this file.  If it is empty,
# "to me ${unregister_ports} in setup" expands to "to me in setup": a pass for
# every port, not a syntax error.  A guard such as : "${unregister_ports:?}"
# before the flush fails closed instead.
pass tcp from ${lan} to me ${unregister_ports} in setup
pass udp from ${lan} to me ${unregister_ports} in
# Deny (and log) all other incoming connections from the LAN to this host
deny log tcp from ${lan} to me
############################ From internet to LAN ##############################
# For transparent proxy: from SQUID&frox to users -- replies from the local
# ftp/http proxies back to LAN clients, matched on TCP flags (established).
# NOTE(review): with ${http_ports} empty the second rule reads "from any to
# ${lan} established", i.e. every ACK-flagged packet towards the LAN.
pass tcp from any 20,21 to ${lan} established
pass tcp from any ${http_ports} to ${lan} established
# For services from Internet to LAN: inbound traffic reaches the LAN only
# through the redirect_port entries of nat 1 / nat 2, and these rules decide
# which sources may use them -- this list is the access control for the
# published services.
# RDP
# NOTE(review): the nat redirects point 3389 only at the four hosts listed in
# ${tserver}; "to ${tserver} 3389" would match exactly the published set
# instead of the whole LAN.
pass tcp from ${remote_users} to ${lan} 3389 keep-state
# VmWARE client
pass tcp from ${remote_users} to ${vmware} ${vmware_ports} keep-state
# OpenFire server
pass tcp from ${remote_users} to ${openfire} ${openfire_ports} keep-state
# Radmin
pass tcp from ${remote_admins} to ${tserver} ${radmin_ports} keep-state
############################ From LAN to internet ##############################
# Transparent proxy: LAN web traffic (and anything aimed straight at 3128) is
# redirected to the proxy in ${proxy}.  Relies on ipfw forwarding being
# available in the kernel.
# NOTE(review): with ${http_ports} empty the first rule becomes "tcp from
# ${lan} to not me in" -- all LAN TCP would go to the proxy.
forward ${proxy},3128 tcp from ${lan} to not me ${http_ports} in
forward ${proxy},3128 tcp from ${lan} to not me 3128 in
# POP3/IMAP and their TLS variants, HTTPS, plus 1024/1025 (purpose not stated
# here), stateful.
pass tcp from ${lan} to any 110,143,993,995,443,1024,1025 keep-state
# ICQ
pass tcp from ${lan} to any 5190 keep-state
# Jabber
pass tcp from ${lan} to any ${openfire_ports} keep-state
# Outbound ssh: the commented variant restricts it to ${lan_admins}; the
# active one opens it to the whole LAN (least privilege favours the former).
#pass tcp from ${lan_admins} to any ${sshd_port} keep-state
pass tcp from ${lan} to any ${sshd_port} keep-state
# Next rule - only if transparent proxy is not used
pass tcp from ${lan} to any 21,20 keep-state
# Next rule - only if transparent proxy is not used (with the forward rules
# above active it only catches what they did not match)
pass tcp from ${lan} to any ${http_ports} keep-state
# Deny (and log) all other connection attempts from the inside
deny log tcp from any to any in
############################ Other UDP rules ###################################
# TRACEROUTE - Allow outgoing (the classic UDP probe port range)
pass udp from ${lan} to any 33434-33523 keep-state
# Already matched by the identical rule in the "From server to LAN" section
# above, so this one never fires; harmless.
pass udp from me to ${lan} out
# Any other UDP from the LAN is logged and dropped ...
deny log udp from ${lan} to any
# Deny & log all other connections
deny log udp from any to any
############################ Other ICMP rules ##################################
# Admin hosts may send ICMP to this box and to anything beyond it (stateful).
pass icmp from ${lan_admins} to me keep-state
# Allow ICMP packets from our LAN -- the commented rules are the whole-LAN
# variants kept for reference; only ${lan_admins} is active.
#pass icmp from ${lan} to ${inside_ip} keep-state
pass icmp from ${lan_admins} to any keep-state
#pass icmp from ${lan} to any keep-state
# ICMP type numbers for reference:
#0 - echo reply
#3 - destination unreachable
#4 - source quench
#5 - redirect
#8 - echo request
#9 - router advertisement
#10 - router solicitation
#11 - time-to-live exceeded
#12 - IP header bad
#13 - timestamp request
#14 - timestamp reply
#15 - information request
#16 - information reply
#17 - address mask request
#18 - address mask reply
# Allow echo reply/request (0, 8), destination unreachable (3), source quench
# (4), time exceeded (11) and bad header (12) from anyone.  Note that 0 and 8
# open echo to the whole LAN in both directions, which the ${lan_admins} rules
# above did not.
pass icmp from any to any icmptypes 0,3,4,8,11,12
# Deny the rest of them
deny log icmp from any to any
# Catch-all for this block: anything not passed above is logged and dropped.
deny log all from any to any
# Unreachable: the deny-all above matches first.  Kept as written.
skipto 65534 ip from any to any
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
############################ backup uplink (em2) ##############################
rule_num=20000
# Stop spoofing -- more precisely: anything arriving on em2 that is not
# addressed to one of this host's own addresses is dropped before nat, so the
# box never routes third-party traffic through this interface.
deny log all from any to not me in
# Leave a numbering gap after the guard rule.
rule_num=21000
# Outbound TCP from this host's uplink address, stateless.
pass tcp from ${reserve_ip} to any out
# Translate everything not from this host and mark it (tag 10): inbound
# packets get their destination rewritten per redirect_port, LAN-originated
# packets get the uplink address as source.
# NOTE(review): the rules after this one only see the translated packets if
# net.inet.ip.fw.one_pass is 0; with the default of 1 the nat rule ends the
# search and nothing below (the RFC1918 deny, the tag 2 rule) applies to them.
# The author's notes assume the rules are reached -- confirm the sysctl on the
# host.
addcmd nat 1 tag 10 ip from not me to any
##########################################################################
# Stop RFC1918 nets on the outside interface
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface.  Must stay after the nat rule: outbound LAN
# packets carry a private source address until they are translated.
deny all from ${no_routing_net} to any
# Allow access for remote admins (ssh, apache, webmin).
# NOTE(review): same empty-variable hazard as in the inside block -- with
# ${sshd_port} unset the first rule passes every TCP port from ${remote_admins}.
pass tcp from ${remote_admins} to me ${sshd_port} in
pass tcp from ${remote_admins} to me ${apache_ports},${webmin_port} in
# "established" matches TCP flags only (ACK/RST), no state lookup, so such
# packets reach every local port.  The check-state right after it is the
# stateful path; relying on it alone (keep-state on this host's own outbound
# rules) would be the stricter variant.
pass tcp from any to me established
addcmd check-state
# From server to internet
помеченные пакеты выпускаются без создания динамических правил
# From server to internet
# tag 10 = packets the nat rule above just translated (LAN-originated flows,
# now carrying this host's address).  Passed without keep-state on purpose:
# the inside-interface block already keeps state for them, so no second
# dynamic entry is created here (the author's note above).
pass ip from me to any tagged 10
# This host's own outbound traffic, stateful.
pass tcp from me to any keep-state
pass udp from me to any keep-state
pass icmp from me to any keep-state
########################## From remote users to LAN ############################
здесь помечаются пакеты, пришедшие на внешний интерфейс и предназначенные в локалку
########################## From remote users to LAN ############################
# Inbound packets that the nat rule redirected to a LAN host are passed here
# and stamped with tag 2, which the inside block turns into "setfib 2" so the
# reply leaves through this uplink again.  No port check here on purpose:
# service/source filtering happens on the inside interface.
pass tag 2 { tcp or udp } from not me to ${lan} in
# Deny (and log) all other incoming connection attempts from the outside
deny log tcp from any to any in
# Deny & log all other connections
deny log udp from any to any
############################ Other ICMP rules ##################################
# Remote admins may send ICMP to this host (stateful).
pass icmp from ${remote_admins} to me keep-state
# ICMP type numbers for reference:
#0 - echo reply
#3 - destination unreachable
#4 - source quench
#5 - redirect
#8 - echo request
#9 - router advertisement
#10 - router solicitation
#11 - time-to-live exceeded
#12 - IP header bad
#13 - timestamp request
#14 - timestamp reply
#15 - information request
#16 - information reply
#17 - address mask request
#18 - address mask reply
# Allow echo reply/request (0, 8), destination unreachable (3), source quench
# (4), time exceeded (11) and bad header (12) in both directions.
# NOTE(review): type 8 from any means this host answers echo requests from the
# whole internet; the commented rules below are the narrower form the author
# kept for reference.
pass icmp from any to any icmptypes 0,3,4,8,11,12
# ICMP from outside
#pass icmp from any to ${outside_ip} in icmptypes 0,3,4,11,12
#pass icmp from ${outside_ip} to any out icmptypes 0,3,8,12
# Deny the rest of them
deny log icmp from any to any
# Catch-all for this block: anything not passed above is logged and dropped.
deny log all from any to any
# Unreachable: the deny-all above matches first.  Kept as written.
skipto 65534 ip from any to any
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
############################ primary uplink (em1) #############################
# Entered via the skipto for ${outside_if}.
rule_num=30000
два внешних интерфейса аналогичны, вся фильтрация на внутреннем, на внешнем можно настроить шейпинг
##########################################################################
# Mirrors the backup-uplink block.
# NOTE(review): as shown, nothing in this block invokes nat 2 or sets tag 20
# (the em1 counterparts of "pass tcp from ${reserve_ip} to any out" and
# "addcmd nat 1 tag 10 ip from not me to any" are absent), and the
# "deny log all from any to not me in" guard is missing as well.  The author
# says parts were cut; if this is not an artefact of the trimming, the
# "pass ip from me to any tagged 20" rule below never matches, and LAN traffic
# leaving via em1 is dropped by the RFC1918 rule right here rather than
# translated.
# Stop RFC1918 nets on the outside interface
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
deny all from ${no_routing_net} to any
# Allow access for remote admins (ssh, apache, webmin).
# NOTE(review): with ${sshd_port} unset the first rule passes every TCP port
# from ${remote_admins}; the variable is not set in this file.
pass tcp from ${remote_admins} to me ${sshd_port} in
pass tcp from ${remote_admins} to me ${apache_ports},${webmin_port} in
# TCP-flag match (ACK/RST) with no state lookup: such packets reach every
# local port; the check-state after it is the stateful path.
pass tcp from any to me established
addcmd check-state
# From server to internet
# tag 20 is meant to mark packets translated by nat 2 (cf. tag 10 on em2).
pass ip from me to any tagged 20
# This host's own outbound traffic, stateful.
pass tcp from me to any keep-state
pass udp from me to any keep-state
pass icmp from me to any keep-state
########################## From remote users to LAN ############################
аналогично 1-му интерфейсу
########################## From remote users to LAN ############################
# Inbound packets destined for a LAN host are passed here and stamped with
# tag 1, which the inside block turns into "setfib 1" so the reply leaves
# through this uplink again.  No port check here on purpose: service/source
# filtering happens on the inside interface.
pass tag 1 { tcp or udp } from not me to ${lan} in
# Deny (and log) all other incoming connection attempts from the outside
deny log tcp from any to any in
# Deny & log all other connections
deny log udp from any to any
############################ Other ICMP rules ##################################
# Remote admins may send ICMP to this host (stateful).
pass icmp from ${remote_admins} to me keep-state
# ICMP type numbers for reference:
#0 - echo reply
#3 - destination unreachable
#4 - source quench
#5 - redirect
#8 - echo request
#9 - router advertisement
#10 - router solicitation
#11 - time-to-live exceeded
#12 - IP header bad
#13 - timestamp request
#14 - timestamp reply
#15 - information request
#16 - information reply
#17 - address mask request
#18 - address mask reply
# Allow echo reply/request (0, 8), destination unreachable (3), source quench
# (4), time exceeded (11) and bad header (12) in both directions.
# NOTE(review): type 8 from any means this host answers echo requests from the
# whole internet; the commented rules below are the narrower form the author
# kept for reference.
pass icmp from any to any icmptypes 0,3,4,8,11,12
# ICMP from outside
#pass icmp from any to ${outside_ip} in icmptypes 0,3,4,11,12
#pass icmp from ${outside_ip} to any out icmptypes 0,3,8,12
# Deny the rest of them
deny log icmp from any to any
# Catch-all for this block: anything not passed above is logged and dropped.
deny log all from any to any
# (The skipto that the other blocks carry after their deny-all is unreachable
# there too; it is simply left commented out here.)
#skipto 65534 ip from any to any
Конфиг с боевого сервера, много чего я вырезал; если скопировать как есть, может не заработать