Имею конфиг фаервола (natd и squid). Недавно добавил правила check-state / keep-state. Всё работает. Но вот меня гложет один момент.
Вот мой конфиг фаервола
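#!/bin/sh
# ipfw ruleset: NAT through natd, transparent squid on 127.0.0.1:3128,
# stateful (limit / keep-state) rules and PPTP (mpd5) access.
# Rules are evaluated in ascending number order and the first match
# wins, so the placement notes below matter.
#
# Fixes applied in this revision:
#   - stray forum markup ([b]...[/b]) removed from rules 2900, 3900,
#     4400, 5000 and 6100 — the script did not parse as written;
#   - tcpflags lists on 700/800 written as one comma-separated word
#     (the shell split the spaced form into separate arguments);
#   - 'setup' added to the three 'limit' rules so that dynamic state is
#     created only by the first packet of a connection.

# External (uplink) side.
extif="xl0"
extnet="10.0.1.0/30"
extip="10.0.1.2"
# Internal (LAN) side.
intif="rl0"
intnet="10.0.0.0/24"
intip="10.0.0.221"
dns="10.0.0.4"
# Used unquoted on purpose: it is the command word of every rule below.
fwcmd="/sbin/ipfw"

# Start from an empty ruleset; pipes and queues are flushed as well.
$fwcmd -f flush
$fwcmd -f pipe flush
$fwcmd -f queue flush

#----deny fragments tcp,udp,icmp-------------
# Rule 100 already drops every fragment, so 200 can never match; it is
# kept only as documentation of intent.
$fwcmd add 100 deny ip from any to any frag
$fwcmd add 200 deny icmp from any to any frag

#----antispoofing 1-----------------------------------------------
# Inbound packets not addressed to the LAN whose source fails the
# reverse-path check are rejected.
$fwcmd add 300 reject ip from any to not $intnet not verrevpath in

#----antiscaner ports & DDoS atack---------------------------------------------------
# The flag list must be a single word with no spaces after the commas;
# otherwise the shell passes "syn," etc. as separate arguments and ipfw
# refuses the rule.
$fwcmd add 700 reject tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
$fwcmd add 800 reject tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
$fwcmd add 900 reject tcp from any to any not established tcpflags fin

#----allow all lo0 traffic----------------------
$fwcmd add 1000 allow ip from any to any via lo0

#----deny loopback-----------------------------
# Anything carrying 127/8 addresses on a real interface is bogus
# (legitimate loopback traffic was already accepted by 1000).
$fwcmd add 1100 deny ip from any to 127.0.0.0/8
$fwcmd add 1200 deny ip from 127.0.0.0/8 to any

#----proxy server SQUID allow------------------------------------
# Transparent proxying: HTTP from sources listed in table 3 is forwarded
# to the local squid. The quotes keep "table(3)" as one shell word.
$fwcmd add 2900 fwd 127.0.0.1,3128 tcp from "table(3)" to any 80

#----NAT----------------------------------------------------------
# Translation happens before check-state (3900): outbound LAN packets
# leave with src $extip, inbound replies are un-translated before any
# stateful or static rule below sees them.
$fwcmd add 3000 divert natd ip from $intnet to any out via $extif
$fwcmd add 3100 divert natd ip from any to $extip in via $extif

#---check-state------------
# Dynamic rules created by the limit / keep-state rules below are
# consulted here.
$fwcmd add 3900 check-state

#----block icmp (ping, etc) on extIP-------------
#$fwcmd add 4000 deny icmp from any to ${extip}

#----allow some icmp (ping, tracert)----------------------
# echo reply, echo request, time exceeded.
$fwcmd add 4100 allow icmp from any to any icmptype 0,8,11

#---allow all LAN traffic----------------------------------
$fwcmd add 4200 allow ip from any to $intnet in via $intif
$fwcmd add 4300 allow ip from $intnet to any out via $intif

#----allow all established tcp connections-----------
# Matches any TCP packet with ACK or RST set, regardless of dynamic
# state. Because it precedes 6600, that deny only ever sees packets
# without ACK/RST (connection attempts); it does not block established
# flows as its comment suggests.
# NOTE(review): for NATed LAN connections the state kept by 6700 is keyed
# on the translated ($extip) addresses, while the reply has already been
# un-translated by 3100 when 3900 runs, so check-state likely does not
# match it and this rule is what admits the reply — confirm with
# 'ipfw -d show'.
$fwcmd add 4400 allow tcp from any to any established

#----allow SSH-------------------------------------------------------------------------
# 'setup' restricts the match to the first packet of a connection (SYN
# without ACK), so each dynamic entry is one connection attempt and
# 'limit src-addr 4' bounds simultaneous connections per source address.
$fwcmd add 5000 allow tcp from any to $extip 35665 in via $extif setup limit src-addr 4

#----allow port 1723 (for mpd5 clients)------------------------------------------------
$fwcmd add 6100 allow tcp from any to $extip 1723 in via $extif setup limit src-addr 30

#----allow GRE traffic for mpd5-----------
$fwcmd add 6200 allow gre from any to any

#----block other tcp connection attempts to the external IP----------------
# Only non-established packets reach this rule (see 4400).
${fwcmd} add 6600 deny tcp from any to $extip in via $extif

#----stateful tcp from the external IP out, and LAN -> external IP----------
${fwcmd} add 6700 allow tcp from $extip to any out via $extif keep-state
${fwcmd} add 6800 allow tcp from any to $extip in via $intif keep-state

#----FULL NAT USER gendir-------------------------------------------------------------------------------------------------------------
# One LAN host may open direct (non-proxied) connections to the listed
# ports; 'setup' as above, at most 20 simultaneous connections.
$fwcmd add 6900 allow tcp from 10.0.0.141 to not $intnet 80,443,3128,5190,5560,5432,21,8080,8000 in via $intif setup limit src-addr 20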
Типа так:
# 'setup' makes the rule match only the first packet of a connection (SYN
# without ACK), so each dynamic entry created by 'limit' corresponds to one
# connection attempt from 10.0.0.141 rather than to any stray packet.
$fwcmd add 6900 allow tcp from 10.0.0.141 to not $intnet 80,443,3128,5190,5560,5432,21,8080,8000 in via $intif setup limit src-addr 20
# Same idea for the PPTP control port: with 'setup', 'limit src-addr 30'
# bounds simultaneous connections per client address, and state is not
# created by packets that are not the start of a connection.
$fwcmd add 6100 allow tcp from any to $extip 1723 in via $extif setup limit src-addr 30
Заранее спасибо