I would like some competent recommendations on setting up IPFW rules.
Secondly:
Perhaps my ordeals will be of use to someone.
Thirdly:
Read the original man pages, because there was an example solving this very problem there.
The back story:
There was ipfw+natd running fine on the router with a static rule
Code:
ipfw add allow tcp from any to any established
and correspondingly there were static rules for UDP and ICMP, and all would have been well, but I read some security articles and decided to build IPFW with "Stateful filtering", or more simply using "keep-state". And here it turned out not to be so simple.
So, for reference, there was roughly the following rc.firewall, reworked from the stock one
Code:
oif="fxp1"
onet="x.x.x.x"
omask="255.255.255.0"
oip="x.x.x.x"
# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.9"
pdc="192.168.0.1,192.168.0.101"
setup_loopback
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Transparent ftp-proxy
${fwcmd} add forward ${iip},2121 tcp from ${inet}:${imask} to not ${inet}:${imask} 21 via ${iif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via ${natd_interface}
fi
;;
esac
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
#Deny IP fragments to pass through
${fwcmd} add deny all from any to any frag
#Allow anything internal interface for localnet
${fwcmd} add allow all from ${inet}:${imask} to ${inet}:${imask} via ${iif}
#Allow tcp, DNS for PDC
${fwcmd} add allow tcp from ${pdc} to any setup via ${iif}
${fwcmd} add allow udp from any 53 to ${pdc}
${fwcmd} add allow udp from ${pdc} to any 53
# Allow setup out TCP connection from router
${fwcmd} add allow tcp from ${oip} to any setup out via ${oif}
# Allow access to our FTP, SMTP, WWW, POP, IMAP
${fwcmd} add allow tcp from any to ${oip} 21,49152-65535 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 25 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 80,443 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 110,995 setup in via ${oif}
${fwcmd} add allow tcp from any to ${oip} 143,993 setup in via ${oif}
#Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow access to our DNS-server
${fwcmd} add allow udp from any to ${oip} 53 in via ${oif}
${fwcmd} add allow udp from ${oip} 53 to any out via ${oif}
# Allow DNS, NTP queries out in the world
${fwcmd} add allow udp from any 53,123 to ${oip} in via ${oif}
${fwcmd} add allow udp from ${oip} to any 53,123 out via ${oif}
# Allow some ICMP queries - echo reply, dest unreach,
# source quench, echo, ttl exceed
${fwcmd} add allow icmp from any to ${oip} in via ${oif} icmptype 0,3,8,11 limit src-addr 10
${fwcmd} add allow icmp from ${oip} to any out via ${oif}
# Deny broadcast
${fwcmd} add deny all from any to 255.255.255.255
# Deny and log all
${fwcmd} add deny log logamount 1000 all from any to any
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;
Code:
${fwcmd} add pass tcp from any to any established
Code:
${fwcmd} add check-state
It turned out that all the traffic going directly through NATD was disappearing somewhere, while through the PROXY everything worked great; but unfortunately the Windows server (the one that is the PDC in the config) constantly wanted to get out to the Internet to resolve some DNS problems of its own, which for some reason FreeBSD did not satisfy, hard to understand. The worst part, however, was the bank client: it cannot work through a PROXY. In short, while everything appeared to be working, accounting could not send the money.
After dancing with a tambourine and kind words addressed to everyone possible, first of all myself, the config took the following form:
Code:
# set these to your outside interface network and netmask and ip
oif="fxp1"
onet="*.*.*.*"
omask="255.255.255.0"
oip="*.*.*.*"
# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.9"
pdc="192.168.0.1,192.168.0.101"
setup_loopback
#Allow anything internal interface
${fwcmd} add allow all from ${inet}:${imask} to any via ${iif}
# Transparent ftp-proxy
${fwcmd} add forward ${iip},2121 tcp from ${inet}:${imask} to not ${inet}:${imask} 21 via ${iif}
# Network Address Translation.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any in via ${natd_interface}
fi
;;
esac
${fwcmd} add check-state
#Allow all for PDC
${fwcmd} add skipto 65000 all from ${pdc} to any out via ${oif} keep-state
# Allow all out from router
${fwcmd} add allow all from ${oip} to any out via ${oif} keep-state
# Allow access to our FTP, SMTP, WWW, POP, IMAP
${fwcmd} add allow tcp from any to ${oip} 21,49152-65535 in via ${oif} keep-state
${fwcmd} add allow tcp from any to ${oip} 25 in via ${oif} keep-state
${fwcmd} add allow tcp from any to ${oip} 80,443 in via ${oif} keep-state
${fwcmd} add allow tcp from any to ${oip} 110,995 in via ${oif} keep-state
${fwcmd} add allow tcp from any to ${oip} 143,993 in via ${oif} keep-state
# Allow access to our DNS-server
${fwcmd} add allow udp from any to ${oip} 53 in via ${oif} keep-state
# Allow some ICMP queries - echo reply, dest unreach,
# source quench, echo, ttl exceed
${fwcmd} add allow icmp from any to ${oip} in via ${oif} icmptype 0,3,8,11,12 limit src-addr 10
#Deny broadcast
${fwcmd} add deny all from any to 255.255.255.255
#Deny and log all
${fwcmd} add deny log all from any to any
# Network Address Translation for outbound stateful rules
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add 65000 divert natd all from any to any out via ${natd_interface}
fi
;;
esac
${fwcmd} add allow all from any to any
#Deny and log all
${fwcmd} add deny log all from any to any
;;
So the question to the gurus: how is the second one better than the first, and what holes remain.
PS. Thanks already for managing to read this creation.
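To make the difference between the two rule sets concrete, here is an added Python model of ipfw rule evaluation with a natd divert, check-state, keep-state and skipto; it is not from the post and not real ipfw. It models only the passes on the outside interface (the inside-interface pass is assumed allowed, as in both configs), uses constructed addresses, and BROKEN stands for the first config with its established rule swapped for check-state/keep-state while FIXED follows the second config.

```python
OIP, LAN_HOST, REMOTE = "203.0.113.9", "192.168.0.1", "198.51.100.7"  # constructed addresses
NAT_TABLE = {}  # stands in for natd's own translation table

def natd(pkt):
    """Masquerade LAN sources behind OIP on the way out; map known replies back on the way in."""
    if pkt["dir"] == "out" and pkt["src"].startswith("192.168."):
        NAT_TABLE[pkt["dst"]] = pkt["src"]
        pkt["src"] = OIP
    elif pkt["dir"] == "in" and pkt["dst"] == OIP and pkt["src"] in NAT_TABLE:
        pkt["dst"] = NAT_TABLE[pkt["src"]]

def evaluate(rules, pkt, state):
    """ipfw-style walk: rules are (number, action, keep_state, match); state maps a flow to its parent action."""
    pkt, i = dict(pkt), 0
    while i < len(rules):
        num, action, keep, match = rules[i]
        i, act = i + 1, None
        if action == "divert":
            if match(pkt):
                natd(pkt)          # the translated packet continues with the next rule
            continue
        if action == "check-state":
            act = state.get((pkt["src"], pkt["dst"]))   # dynamic match runs the parent's action
        elif match(pkt):
            act = action
            if keep:               # keep-state records both directions of the flow
                state[(pkt["src"], pkt["dst"])] = state[(pkt["dst"], pkt["src"])] = action
        if act is None:
            continue
        if act.startswith("skipto"):
            i = next(j for j, r in enumerate(rules) if r[0] >= int(act.split()[1]))
        else:
            return act
    return "deny"                  # default-to-deny kernel

ANY, IN, OUT = (lambda p: True), (lambda p: p["dir"] == "in"), (lambda p: p["dir"] == "out")
# Broken layout: one divert for both directions ahead of the stateful rules, so state is keyed
# on the translated OIP address while the reply is checked after natd has un-translated it.
BROKEN = [(100, "divert", False, ANY), (200, "check-state", False, ANY),
          (300, "allow", True, lambda p: OUT(p) and p["src"] == OIP),
          (400, "deny", False, ANY)]
# Second config: divert only inbound before check-state; LAN traffic creates state on its
# private address and skips past the deny to the divert-out at 65000.
FIXED = [(100, "divert", False, IN), (200, "check-state", False, ANY),
         (300, "skipto 65000", True, lambda p: OUT(p) and p["src"] == LAN_HOST),
         (400, "allow", True, lambda p: OUT(p) and p["src"] == OIP),
         (500, "deny", False, ANY), (65000, "divert", False, OUT), (65100, "allow", False, ANY)]

def session(rules):
    """One LAN packet out through NAT and its reply back in; return the (out, back) verdicts."""
    state = {}
    return (evaluate(rules, {"src": LAN_HOST, "dst": REMOTE, "dir": "out"}, state),
            evaluate(rules, {"src": REMOTE, "dst": OIP, "dir": "in"}, state))
```

In the broken layout the reply is denied because the dynamic entry was created for OIP but checked against the private address; in the fixed layout the inbound divert runs before check-state, so the entry created on the private address matches and the parent skipto leads to the final allow.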