Сейчас можно подключиться с любого адреса.
# NAT instance 123 on the external interface. deny_in drops unsolicited
# inbound packets that match no translation entry, while the redirect_port
# entry publishes 192.168.0.30:3389 on external port 11130 -- to every
# source address, since nothing in front of the nat rule filters sources.
"$ipfw" nat 123 config log if "$Ext_Iface" reset same_ports deny_in \
  redirect_port tcp 192.168.0.30:3389 11130
# Every packet crossing the external interface is handed to that instance.
"$ipfw" add nat 123 all from any to any via "$Ext_Iface"
# Same NAT instance as quoted above: one libalias instance (id 123) bound to
# the uplink, logging, same_ports, deny_in for unsolicited inbound traffic,
# and a single port forward 11130 -> 192.168.0.30:3389.
"$ipfw" nat 123 config log if "$Ext_Iface" reset same_ports deny_in \
  redirect_port tcp 192.168.0.30:3389 11130
# The forward is reachable from any address because the nat rule below
# matches "from any to any" on the uplink.
"$ipfw" add nat 123 all from any to any via "$Ext_Iface"
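#!/usr/bin/env bash
#
# ipfw ruleset for a FreeBSD gateway with an external uplink, a LAN and a
# VPN interface: loopback and anti-spoofing filters, squid interception of
# LAN web traffic, a few published services, and NAT with port forwards
# on the external interface.
#
# Deliberately no `set -e`: aborting half-way after the flush below would
# leave a partial ruleset in place; inspect `ipfw list` after running.
set -u

ipfw="/sbin/ipfw"
# External interface
Ext_Iface="alc0"
Ext_Ip="192.168.10.3"
Ext_Net="192.168.10.0/24"
# Internal interface (Lan_Ip is not referenced by any rule below)
Lan_Iface="re0"
# shellcheck disable=SC2034
Lan_Ip="192.168.0.3"
Lan_Net="192.168.0.0/24"
# VPN interface (VPN_Ip and VPN_Net are not referenced by any rule below)
VPN_Iface="rl0"
# shellcheck disable=SC2034
VPN_Ip="192.168.1.103"
# shellcheck disable=SC2034
VPN_Net="192.168.1.0/24"

# Flush the current rules (tables are not touched by `-f flush`).
"$ipfw" -f flush
# Packets are matched against dynamic (keep-state) rules first.
"$ipfw" add check-state

# Loopback: allow lo0, drop 127/8 traffic anywhere else.
"$ipfw" add allow all from any to any via lo0
"$ipfw" add deny all from any to 127.0.0.0/8
"$ipfw" add deny all from 127.0.0.0/8 to any

# Autoban: table 1 must be fed by something else -- this script never adds
# to it. `logamount 0` removes the per-rule cap on log entries.
"$ipfw" add deny log logamount 0 all from 'table(1)' to me

# Anti-spoofing: the LAN range must never arrive on the uplink, and the
# uplink range must never arrive on the LAN interface.
"$ipfw" add deny log logamount 0 all from "$Lan_Net" to any in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from "$Ext_Net" to any in via "$Lan_Iface"

# Inbound on the uplink: drop private, "this network", link-local,
# multicast and reserved destinations.
"$ipfw" add deny log logamount 0 all from any to 10.0.0.0/8 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from any to 172.16.0.0/12 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from any to 0.0.0.0/8 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from any to 169.254.0.0/16 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from any to 224.0.0.0/4 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from any to 240.0.0.0/4 in via "$Ext_Iface"

# Fragmented ICMP anywhere, and limited-broadcast ICMP on the uplink.
"$ipfw" add deny log logamount 0 icmp from any to any frag
"$ipfw" add deny log logamount 0 icmp from any to 255.255.255.255 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 icmp from any to 255.255.255.255 out via "$Ext_Iface"

# Squid: LAN web traffic crossing the uplink is diverted to the local proxy.
"$ipfw" add fwd 127.0.0.1,3128 tcp from "$Lan_Net" to any 80 via "$Ext_Iface"

# Outbound on the uplink: never leak private/reserved source addresses.
"$ipfw" add deny log logamount 0 all from 10.0.0.0/8 to any out via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from 172.16.0.0/12 to any out via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from 0.0.0.0/8 to any out via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from 169.254.0.0/16 to any out via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from 224.0.0.0/4 to any out via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from 240.0.0.0/4 to any out via "$Ext_Iface"

# ICMP: echo reply/request, unreachable and time-exceeded pass; redirect,
# router advertisement/solicitation, timestamp, info and address-mask
# requests from the uplink are logged and dropped.
"$ipfw" add allow icmp from any to any icmptypes 0,3,8,11
"$ipfw" add deny log logamount 0 icmp from any to me in via "$Ext_Iface" icmptypes 5,9,10,13,15,17

# NTP. Note this also matches inbound UDP/123 from any source to any host;
# narrow the destination if this box is not meant to serve NTP.
"$ipfw" add allow udp from any to any 123 keep-state
# FTP control ports plus 50000-50100 (presumably the passive data range).
"$ipfw" add allow tcp from any to "$Ext_Ip" 20,21 in via "$Ext_Iface" setup
"$ipfw" add allow tcp from any to "$Ext_Ip" 50000-50100 via "$Ext_Iface"
# WWW (matches every protocol to port 80; `tcp` would be tighter).
"$ipfw" add allow all from any to "$Ext_Ip" 80 in via "$Ext_Iface"
# SSH: new connections to 22 are logged and dropped, 2724 is logged and allowed.
"$ipfw" add deny log logamount 0 tcp from any to "$Ext_Ip" 22 via "$Ext_Iface" setup
"$ipfw" add allow log logamount 0 tcp from any to "$Ext_Ip" 2724 via "$Ext_Iface" setup
# Trusted interfaces: everything on LAN and VPN.
"$ipfw" add allow ip from any to any via "$Lan_Iface"
"$ipfw" add allow ip from any to any via "$VPN_Iface"
# RDP to the gateway itself is refused; the forwards below use other ports.
"$ipfw" add deny log logamount 0 all from any to "$Ext_Ip" 3389 via "$Ext_Iface" setup

# NAT on the uplink. deny_in drops unsolicited inbound packets that match no
# translation, but every redirect_port below is reachable from ANY source:
# nothing in front of the nat rule filters by source address, so each
# forward publishes an internal RDP/HTTPS service to the whole uplink.
# To restrict the sources, key a second nat instance on a table of allowed
# addresses and send only that traffic to it.
"$ipfw" nat 123 config log if "$Ext_Iface" reset same_ports deny_in \
  redirect_port tcp 192.168.0.30:3389 11130 \
  redirect_port tcp 192.168.0.2:3389 11102 \
  redirect_port tcp 192.168.0.20:3389 11120 \
  redirect_port tcp 192.168.0.84:3389 11184 \
  redirect_port tcp 192.168.0.100:3389 11100 \
  redirect_port tcp 192.168.0.22:3389 11122 \
  redirect_port tcp 192.168.0.22:443 11125
# Was hard-coded to alc0: changing Ext_Iface above would have left the nat
# rule on the old interface while the nat instance moved to the new one.
"$ipfw" add nat 123 all from any to any via "$Ext_Iface"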
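#!/usr/bin/env bash
#
# ipfw ruleset for a FreeBSD gateway with an external uplink, a LAN and a
# VPN interface. Same filters as before, but NAT is split in two instances:
# the port forwards are only reachable from the "privileged" addresses in
# table 2, everything else on the uplink gets plain masquerading.
#
# Deliberately no `set -e`: aborting half-way after the flush below would
# leave a partial ruleset in place; inspect `ipfw list` after running.
set -u

ipfw="/sbin/ipfw"
# External interface
Ext_Iface="alc0"
Ext_Ip="192.168.10.3"
Ext_Net="192.168.10.0/24"
# Internal interface (Lan_Ip is not referenced by any rule below)
Lan_Iface="re0"
# shellcheck disable=SC2034
Lan_Ip="192.168.0.3"
Lan_Net="192.168.0.0/24"
# VPN interface (VPN_Ip and VPN_Net are not referenced by any rule below)
VPN_Iface="rl0"
# shellcheck disable=SC2034
VPN_Ip="192.168.1.103"
# shellcheck disable=SC2034
VPN_Net="192.168.1.0/24"

# Privileged source addresses (table 2): the only sources allowed to reach
# the port forwards. A hostname is resolved once, when the entry is added,
# so the entry is only as good as DNS was at load time and as trustworthy
# as whoever controls that name; literal addresses are the safer choice.
"$ipfw" table 2 flush
"$ipfw" table 2 add whitehouse.gov

# Flush the current rules (tables are not touched by `-f flush`).
"$ipfw" -f flush
# Packets are matched against dynamic (keep-state) rules first.
"$ipfw" add check-state

# Loopback: allow lo0, drop 127/8 traffic anywhere else.
"$ipfw" add allow all from any to any via lo0
"$ipfw" add deny all from any to 127.0.0.0/8
"$ipfw" add deny all from 127.0.0.0/8 to any

# Autoban: table 1 must be fed by something else -- this script never adds
# to it. `logamount 0` removes the per-rule cap on log entries.
"$ipfw" add deny log logamount 0 all from 'table(1)' to me

# Anti-spoofing: the LAN range must never arrive on the uplink, and the
# uplink range must never arrive on the LAN interface.
"$ipfw" add deny log logamount 0 all from "$Lan_Net" to any in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from "$Ext_Net" to any in via "$Lan_Iface"

# Inbound on the uplink: drop private, "this network", link-local,
# multicast and reserved destinations.
"$ipfw" add deny log logamount 0 all from any to 10.0.0.0/8 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from any to 172.16.0.0/12 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from any to 0.0.0.0/8 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from any to 169.254.0.0/16 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from any to 224.0.0.0/4 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from any to 240.0.0.0/4 in via "$Ext_Iface"

# Fragmented ICMP anywhere, and limited-broadcast ICMP on the uplink.
"$ipfw" add deny log logamount 0 icmp from any to any frag
"$ipfw" add deny log logamount 0 icmp from any to 255.255.255.255 in via "$Ext_Iface"
"$ipfw" add deny log logamount 0 icmp from any to 255.255.255.255 out via "$Ext_Iface"

# Squid: LAN web traffic crossing the uplink is diverted to the local proxy.
"$ipfw" add fwd 127.0.0.1,3128 tcp from "$Lan_Net" to any 80 via "$Ext_Iface"

# Outbound on the uplink: never leak private/reserved source addresses.
"$ipfw" add deny log logamount 0 all from 10.0.0.0/8 to any out via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from 172.16.0.0/12 to any out via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from 0.0.0.0/8 to any out via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from 169.254.0.0/16 to any out via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from 224.0.0.0/4 to any out via "$Ext_Iface"
"$ipfw" add deny log logamount 0 all from 240.0.0.0/4 to any out via "$Ext_Iface"

# ICMP: echo reply/request, unreachable and time-exceeded pass; redirect,
# router advertisement/solicitation, timestamp, info and address-mask
# requests from the uplink are logged and dropped.
"$ipfw" add allow icmp from any to any icmptypes 0,3,8,11
"$ipfw" add deny log logamount 0 icmp from any to me in via "$Ext_Iface" icmptypes 5,9,10,13,15,17

# NTP. Note this also matches inbound UDP/123 from any source to any host;
# narrow the destination if this box is not meant to serve NTP.
"$ipfw" add allow udp from any to any 123 keep-state
# FTP control ports plus 50000-50100 (presumably the passive data range).
"$ipfw" add allow tcp from any to "$Ext_Ip" 20,21 in via "$Ext_Iface" setup
"$ipfw" add allow tcp from any to "$Ext_Ip" 50000-50100 via "$Ext_Iface"
# WWW (matches every protocol to port 80; `tcp` would be tighter).
"$ipfw" add allow all from any to "$Ext_Ip" 80 in via "$Ext_Iface"
# SSH: new connections to 22 are logged and dropped, 2724 is logged and allowed.
"$ipfw" add deny log logamount 0 tcp from any to "$Ext_Ip" 22 via "$Ext_Iface" setup
"$ipfw" add allow log logamount 0 tcp from any to "$Ext_Ip" 2724 via "$Ext_Iface" setup
# Trusted interfaces: everything on LAN and VPN.
"$ipfw" add allow ip from any to any via "$Lan_Iface"
"$ipfw" add allow ip from any to any via "$VPN_Iface"
# RDP to the gateway itself is refused; the forwards below use other ports.
"$ipfw" add deny log logamount 0 all from any to "$Ext_Ip" 3389 via "$Ext_Iface" setup

# NAT. Instance 1 is plain masquerading with no forwards; instance 2 carries
# the redirect_port forwards and is entered only for traffic from table 2
# addresses to this host (and for replies back to them), so the published
# services are reachable from privileged sources only. Unsolicited inbound
# packets from anyone else reach instance 1, whose deny_in drops them.
#
# This ordering assumes the default net.inet.ip.fw.one_pass=1 (a packet
# leaves the ruleset after the nat action); with one_pass=0 a packet already
# translated by instance 2 would fall through into instance 1 as well.
"$ipfw" nat 1 config log if "$Ext_Iface" reset same_ports deny_in
"$ipfw" nat 2 config log if "$Ext_Iface" reset same_ports deny_in \
  redirect_port tcp 192.168.0.30:3389 11130 \
  redirect_port tcp 192.168.0.2:3389 11102 \
  redirect_port tcp 192.168.0.20:3389 11120 \
  redirect_port tcp 192.168.0.84:3389 11184 \
  redirect_port tcp 192.168.0.100:3389 11100 \
  redirect_port tcp 192.168.0.22:3389 11122 \
  redirect_port tcp 192.168.0.22:443 11125
# These three were hard-coded to alc0: changing Ext_Iface above would have
# left the nat rules on the old interface while the instances moved.
"$ipfw" add nat 2 all from 'table(2)' to me via "$Ext_Iface"
"$ipfw" add nat 2 all from any to 'table(2)' via "$Ext_Iface"
"$ipfw" add nat 1 all from any to any via "$Ext_Iface"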
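#!/usr/bin/env bash
#
# Rebuild ipfw table 2 (privileged source addresses) from a text file with
# one address or network per line.
#
# Fixes against the original: the `while` loop was missing `do` (syntax
# error), `read` ran without -r and in a `cat |` subshell, and `$ip` was
# passed unquoted.
set -u

ipfw="/sbin/ipfw"
# Placeholder path from the original post; point it at the real list.
addr_file="/путь/до/файла/с/адресами"

# Privileged ip: start from an empty table so removed addresses really go
# away. Between the flush and the adds the table is briefly empty, which
# with a table-keyed nat rule fails closed (forwards unreachable), not open.
"$ipfw" table 2 flush
# `|| [[ -n "$ip" ]]` keeps a last line that has no trailing newline; blank
# lines and `#` comments are skipped so they never reach `ipfw table add`.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -z "$ip" || "$ip" == \#* ]] && continue
  "$ipfw" table 2 add "$ip"
done < "$addr_file"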