Нужна помощь в блокировке соц сетей в IPFW


Нужна помощь в блокировке соц сетей в IPFW

Непрочитанное сообщение Heckfys » 2014-06-04 11:12:55

Нужна помощь в блокировке соц сетей в IPFW

/etc/rc.firewall


#!/bin/sh -

# Load rc.conf(5) settings unless the caller has already done so.  The
# defaults file is preferred because its source_rc_confs() layers the real
# rc.conf on top; a bare /etc/rc.conf is the fallback.
if [ -n "${source_rc_confs_defined}" ]; then
        :
elif [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

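#######################################
# Install the fixed loopback rules (numbers 100-500): pass everything on
# lo0, then refuse 127/8 and ::1 in either direction on any other path, so
# traffic claiming a loopback address cannot arrive on a real interface.
# Globals:   fwcmd (read) - ipfw(8) invocation
#            ipv6_available (read) - 0 when inet6 is configured, as left
#            in $? by afexists from network.subr
# Arguments: none
# Outputs:   none; rules are installed through ${fwcmd}
#######################################
setup_loopback () {
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
        # Quoted so the test stays well-formed even if the variable is empty
        # (the unquoted form collapses to "[ -eq 0 ]").
        if [ "${ipv6_available}" -eq 0 ]; then
                ${fwcmd} add 400 deny all from any to ::1
                ${fwcmd} add 500 deny all from ::1 to any
        fi
}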

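#######################################
# Install the ICMPv6 rules an IPv6 host cannot work without, or nothing at
# all when inet6 is absent: Neighbour/Router Discovery between unspecified,
# link-local and link-scope multicast addresses, type 1 (destination
# unreachable), and type 2 (packet too big, needed for path-MTU discovery)
# plus 135/136 (neighbour solicitation/advertisement) from anywhere.
# Globals:   fwcmd (read) - ipfw(8) invocation
#            ipv6_available (read) - 0 when inet6 is configured
# Arguments: none
# Returns:   0 when inet6 is absent, otherwise the status of the last
#            ${fwcmd} call
#######################################
setup_ipv6_mandatory () {
        # Quoted so the test stays well-formed even if the variable is empty.
        [ "${ipv6_available}" -eq 0 ] || return 0

        ${fwcmd} add pass ipv6-icmp from :: to ff02::/16
        ${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
        ${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16

        ${fwcmd} add pass ipv6-icmp from any to any icmp6types 1

        ${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136
}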

# A type given on the command line takes precedence over firewall_type from
# rc.conf; an empty argument leaves the rc.conf value alone.
[ -z "${1}" ] || firewall_type="${1}"

# Order matters here: afexists is a function from network.subr, so both
# subr files must be sourced before it is called.  Its exit status
# (0 = the address family is present) is captured immediately in
# ipv6_available, which gates every IPv6 branch in this file.
. /etc/rc.subr
. /etc/network.subr
afexists inet6
ipv6_available=$?

# Build the ipfw(8) invocation used by every rule below; firewall_quiet=YES
# (any capitalisation) adds -q so ipfw does not echo each rule it installs.
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="${fwcmd} -q"
        ;;
esac

# Start from an empty rule set (-f skips ipfw's confirmation prompt for
# flush), then install the loopback rules and, when inet6 is configured,
# the mandatory ICMPv6 rules.  Everything type-specific comes after these.
${fwcmd} -f flush

setup_loopback
setup_ipv6_mandatory

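# NAT hooks shared by the OPEN and CLIENT types: the classic natd(8) divert
# (natd_enable) and in-kernel NAT (firewall_nat_enable).  Both use rule 50
# so translation happens before any type-specific rule is consulted.
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        # The original listing had an empty "then" body here,
                        # which sh rejects as a syntax error.  Restored: the
                        # natd divert rule (the SIMPLE type installs the same
                        # rule), numbered 50 like the in-kernel NAT rule below.
                        ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
                fi
                ;;
        esac
        case ${firewall_nat_enable} in
        [Yy][Ee][Ss])
                if [ -n "${firewall_nat_interface}" ]; then
                        # A purely numeric dotted value is an address ("ip"),
                        # anything else is an interface name ("if").
                        if echo "${firewall_nat_interface}" | \
                                grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
                                firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
                        else
                                firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
                        fi
                        # firewall_nat_flags is deliberately unquoted: it is a
                        # whitespace-separated list of "ipfw nat config" options.
                        ${fwcmd} nat 123 config log ${firewall_nat_flags}
                        ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
                fi
                ;;
        esac
esac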

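# Rules for the selected firewall_type (rc.conf or argv[1]).  Known names are
# matched case-insensitively; any other value is treated as the path of an
# ipfw(8) rule file (see the "*" arm at the end).
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
        ${fwcmd} add 65000 pass all from any to any
        ;;

# Site-local type added by the author: the rules live in /etc/fw.sh.  That
# script runs as a separate process, and fwcmd is assigned but not exported
# above, so it has to build its own ipfw invocation.
[Vv][Ii][Tt][Yy][Uu][Kk])
        /etc/fw.sh
        ;;

[Cc][Ll][Ii][Ee][Nn][Tt])
        # Local network(s) this host trusts; the IPv6 one is optional.
        net="$firewall_client_net"
        net6="$firewall_client_net_ipv6"

        # Broadcasts from the local net, and anything between me and the net.
        # (The original listing had a bare "." between the first two rules;
        # with no file argument that is a usage error of the dot builtin and
        # aborts a non-interactive sh, so it was dropped.)
        ${fwcmd} add pass all from ${net} to 255.255.255.255
        ${fwcmd} add pass all from me to ${net}
        ${fwcmd} add pass all from ${net} to me
        if [ -n "$net6" ]; then
                ${fwcmd} add pass all from me to ${net6}
                ${fwcmd} add pass all from ${net6} to me
        fi

        if [ -n "$net6" ]; then
                # Link-local and local-net traffic to link-scope multicast,
                # plus DHCPv6 client replies (UDP 546) from link-local peers.
                ${fwcmd} add pass all from fe80::/10 to ff02::/16
                ${fwcmd} add pass all from ${net6} to ff02::/16

                ${fwcmd} add pass udp from fe80::/10 to me 546
        fi

        # Already-established TCP flows and IP fragments go through.
        ${fwcmd} add pass tcp from any to any established

        ${fwcmd} add pass all from any to any frag

        # New TCP connections: inbound only to SMTP, outbound anything from
        # this host, every other setup is refused.
        ${fwcmd} add pass tcp from any to me 25 setup

        ${fwcmd} add pass tcp from me to any setup

        ${fwcmd} add deny tcp from any to any setup

        # Stateful DNS and NTP queries from this host.
        ${fwcmd} add pass udp from me to any 53 keep-state

        ${fwcmd} add pass udp from me to any 123 keep-state

        ;;

[Ss][Ii][Mm][Pp][Ll][Ee])
        # Outside (o*) and inside (i*) interface/network pairs from rc.conf;
        # the IPv6 interface names default to the IPv4 ones.
        oif="$firewall_simple_oif"
        onet="$firewall_simple_onet"
        oif6="${firewall_simple_oif_ipv6:-$firewall_simple_oif}"
        onet6="$firewall_simple_onet_ipv6"

        iif="$firewall_simple_iif"
        inet="$firewall_simple_inet"
        iif6="${firewall_simple_iif_ipv6:-$firewall_simple_iif}"
        inet6="$firewall_simple_inet_ipv6"

        # Anti-spoofing: inside addresses may not arrive on the outside
        # interface, and outside addresses may not arrive on the inside one.
        ${fwcmd} add deny all from ${inet} to any in via ${oif}
        ${fwcmd} add deny all from ${onet} to any in via ${iif}
        if [ -n "$inet6" ]; then
                ${fwcmd} add deny all from ${inet6} to any in via ${oif6}
                if [ -n "$onet6" ]; then
                        ${fwcmd} add deny all from ${onet6} to any in \
                            via ${iif6}
                fi
        fi

        # Nothing may cross the outside interface towards RFC 1918 space ...
        ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

        # ... or towards the other reserved / unroutable ranges.
        ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
        ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
        ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
        ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

        # natd(8) divert on the outside interface.  It has to stay ahead of
        # the source-address denies below: "via" matches both directions, so
        # those rules would otherwise drop not-yet-translated outbound
        # packets from a private inside network.
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
                fi
                ;;
        esac

        # Same ranges as above, now as source addresses.
        ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
        ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

        ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
        ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
        ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
        ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

        if [ -n "$inet6" ]; then
                # IPv6 counterparts in both directions: unique-local (fc00::/7)
                # and the deprecated site-local (fec0::/10) ...
                ${fwcmd} add deny all from fc00::/7 to any via ${oif6}
                ${fwcmd} add deny all from any to fc00::/7 via ${oif6}

                ${fwcmd} add deny all from fec0::/10 to any via ${oif6}
                ${fwcmd} add deny all from any to fec0::/10 via ${oif6}

                # ... IPv4-mapped addresses ...
                ${fwcmd} add deny all from ::ffff:0.0.0.0/96 to any \
                    via ${oif6}
                ${fwcmd} add deny all from any to ::ffff:0.0.0.0/96 \
                    via ${oif6}

                # ... IPv4-compatible forms of multicast, loopback, 0/8 and
                # 255/8, then the whole IPv4-compatible prefix ...
                ${fwcmd} add deny all from ::224.0.0.0/100 to any via ${oif6}
                ${fwcmd} add deny all from any to ::224.0.0.0/100 via ${oif6}
                ${fwcmd} add deny all from ::127.0.0.0/104 to any via ${oif6}
                ${fwcmd} add deny all from any to ::127.0.0.0/104 via ${oif6}
                ${fwcmd} add deny all from ::0.0.0.0/104 to any via ${oif6}
                ${fwcmd} add deny all from any to ::0.0.0.0/104 via ${oif6}
                ${fwcmd} add deny all from ::255.0.0.0/104 to any via ${oif6}
                ${fwcmd} add deny all from any to ::255.0.0.0/104 via ${oif6}

                ${fwcmd} add deny all from ::0.0.0.0/96 to any via ${oif6}
                ${fwcmd} add deny all from any to ::0.0.0.0/96 via ${oif6}

                # ... 6to4 (2002::/16) encodings of multicast, loopback, 0/8,
                # 255/8 ...
                ${fwcmd} add deny all from 2002:e000::/20 to any via ${oif6}
                ${fwcmd} add deny all from any to 2002:e000::/20 via ${oif6}
                ${fwcmd} add deny all from 2002:7f00::/24 to any via ${oif6}
                ${fwcmd} add deny all from any to 2002:7f00::/24 via ${oif6}
                ${fwcmd} add deny all from 2002:0000::/24 to any via ${oif6}
                ${fwcmd} add deny all from any to 2002:0000::/24 via ${oif6}
                ${fwcmd} add deny all from 2002:ff00::/24 to any via ${oif6}
                ${fwcmd} add deny all from any to 2002:ff00::/24 via ${oif6}

                # ... and of the RFC 1918 ranges ...
                ${fwcmd} add deny all from 2002:0a00::/24 to any via ${oif6}
                ${fwcmd} add deny all from any to 2002:0a00::/24 via ${oif6}
                ${fwcmd} add deny all from 2002:ac10::/28 to any via ${oif6}
                ${fwcmd} add deny all from any to 2002:ac10::/28 via ${oif6}
                ${fwcmd} add deny all from 2002:c0a8::/32 to any via ${oif6}
                ${fwcmd} add deny all from any to 2002:c0a8::/32 via ${oif6}

                # ... plus site-local multicast.
                ${fwcmd} add deny all from ff05::/16 to any via ${oif6}
                ${fwcmd} add deny all from any to ff05::/16 via ${oif6}
        fi

        # Established TCP flows and fragments pass.
        ${fwcmd} add pass tcp from any to any established

        ${fwcmd} add pass all from any to any frag

        # Services offered by this host: SMTP, DNS (TCP and UDP), HTTP.
        ${fwcmd} add pass tcp from any to me 25 setup

        ${fwcmd} add pass tcp from any to me 53 setup
        ${fwcmd} add pass udp from any to me 53
        ${fwcmd} add pass udp from me 53 to any

        ${fwcmd} add pass tcp from any to me 80 setup

        # Every other inbound TCP setup on the outside interface is dropped
        # and logged; the remaining setups (outbound, inside) are allowed.
        ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
        if [ -n "$inet6" ]; then
                ${fwcmd} add deny log ip6 from any to any in via ${oif6} \
                    setup proto tcp
        fi

        ${fwcmd} add pass tcp from any to any setup

        # Stateful DNS and NTP queries from this host.
        ${fwcmd} add pass udp from me to any 53 keep-state

        ${fwcmd} add pass udp from me to any 123 keep-state

        ;;

[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
        # Stateful, outbound-first policy: consult the dynamic rules, then let
        # this host open anything and keep state for the replies.
        ${fwcmd} add check-state

        ${fwcmd} add pass tcp  from me to any established

        ${fwcmd} add pass tcp  from me to any setup keep-state
        ${fwcmd} add pass udp  from me to any       keep-state
        ${fwcmd} add pass icmp from me to any       keep-state
        if [ "${ipv6_available}" -eq 0 ]; then
                ${fwcmd} add pass ipv6-icmp from me to any keep-state
        fi

        # DHCP (client side) for IPv4, DHCPv6 replies for IPv6.
        ${fwcmd} add pass udp  from 0.0.0.0 68 to 255.255.255.255 67 out
        ${fwcmd} add pass udp  from any 67     to me 68 in
        ${fwcmd} add pass udp  from any 67     to 255.255.255.255 68 in
        if [ "${ipv6_available}" -eq 0 ]; then
                ${fwcmd} add pass udp from fe80::/10 to me 546 in
        fi

        # Echo requests (ICMP 8, ICMPv6 128/129) ...
        ${fwcmd} add pass icmp from any to any icmptype 8
        if [ "${ipv6_available}" -eq 0 ]; then
                ${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129
        fi

        # ... and the error types needed for working connectivity
        # (unreachable, source quench, time exceeded; ICMPv6 time exceeded).
        ${fwcmd} add pass icmp from any to any icmptype 3,4,11
        if [ "${ipv6_available}" -eq 0 ]; then
                ${fwcmd} add pass ipv6-icmp from any to any icmp6type 3
        fi

        # Each allowed source may reach each of my service ports.  The list
        # variables are deliberately unquoted: they are split on whitespace.
        for i in ${firewall_allowservices} ; do
          for j in ${firewall_myservices} ; do
            ${fwcmd} add pass tcp from $i to me $j
          done
        done

        # Trusted hosts get everything.
        for i in ${firewall_trusted} ; do
          ${fwcmd} add pass ip from $i to me
        done
        # Count (not filter) whatever reaches this point, ahead of the denies.
        ${fwcmd} add 65000 count ip from any to any

        # Ports whose rejections should not be logged are denied first,
        # before the logged default deny at the end.
        for i in ${firewall_nologports} ; do
          ${fwcmd} add deny { tcp or udp } from any to any $i in
        done

        # Broadcast and link-local multicast destinations, RIP, and inbound
        # TCP from web source ports (80/443) to unprivileged ports.
        ${fwcmd} add deny ip  from any to 255.255.255.255
        ${fwcmd} add deny ip  from any to 224.0.0.0/24 in

        ${fwcmd} add deny udp from any to any 520 in

        ${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in

        # Default deny; with firewall_logdeny=YES it is logged (rate-limited
        # to 500 entries) and kernel logging is switched on.  $log is left
        # unquoted on purpose so "log logamount 500" becomes separate words.
        log=""
        if [ "${firewall_logdeny:-x}" = "YES" ] || [ "${firewall_logdeny:-x}" = "yes" ]; then
          log="log logamount 500"
          sysctl net.inet.ip.fw.verbose=1 >/dev/null
        fi
        ${fwcmd} add deny $log ip from any to any
        ;;

[Cc][Ll][Oo][Ss][Ee][Dd])
        ${fwcmd} add 65000 deny ip from any to any
        ;;
# UNKNOWN installs nothing; what passes is then left to the kernel default rule.
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
        ;;
*)
        # Anything else is a rule file handed to ipfw.  firewall_flags is
        # deliberately unquoted (a list of ipfw options).  An unreadable path
        # used to be skipped silently, leaving no type-specific rules at all;
        # it is now reported on stderr.
        if [ -r "${firewall_type}" ]; then
                ${fwcmd} ${firewall_flags} ${firewall_type}
        elif [ -n "${firewall_type}" ]; then
                printf 'rc.firewall: firewall_type "%s" is not a known type or a readable rule file; no rules installed\n' "${firewall_type}" >&2
        fi
        ;;
esac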



Re: Нужна помощь в блокировке соц сетей в IPFW

Непрочитанное сообщение kharkov_max » 2014-06-06 19:51:04

Запаритесь через ipfw
Ставьте squid и подгружайте в него имена доменов соцсетей; подобных списков (постоянно обновляемых) куча.

Думаю, что по-другому никак...


Re: Нужна помощь в блокировке соц сетей в IPFW

Непрочитанное сообщение Heckfys » 2014-06-10 12:12:10

Спасибо за ответ.
squid стоит и настроен на блокировку соц сетей, но задача была заблокировать через IPFW.
Просто настройка IPFW производилась из отдельного файла sh, а не из rc.firewall — в этом и была проблема.
Тему можно закрывать.


Re: Нужна помощь в блокировке соц сетей в IPFW

Непрочитанное сообщение kharkov_max » 2014-06-10 12:37:38

Heckfys писал(а):Спасибо за ответ.
squid стоит и настроен на блокировку соц сетей, но задача была заблокировать через IPFW.
Просто настройка IPFW производилась из отдельного файла sh, а не из rc.firewall — в этом и была проблема.
Тему можно закрывать.
Не совсем понял, при чём тут конфиг ipfw...

Вы поймите, у соц сетей периодически появляются новые IP и домены, это нужно постоянно мониторить и добавлять в правило.
Через IPFW по IP это делать сложнее чем через squid...