cat /etc/sysctl.conf
net.inet.ip.fw.one_pass=0
00001: 1.536 Mbit/s 0 ms burst 0
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
sched 65537 type FIFO flags 0x0 0 buckets 0 active
00002: 500.000 Kbit/s 0 ms burst 0
q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
sched 65538 type FIFO flags 0x0 0 buckets 0 active
00003: 1.536 Mbit/s 0 ms burst 0
q131075 50 sl. 0 flows (1 buckets) sched 65539 weight 0 lmax 0 pri 0 droptail
sched 65539 type FIFO flags 0x0 0 buckets 0 active
00004: 500.000 Kbit/s 0 ms burst 0
q131076 50 sl. 0 flows (1 buckets) sched
02300 4482624 3192007689 nat 123 ip from any to me in via tun0
02500 5399 437359 allow ip from any to me dst-port 22098 in via tun0
02700 3060375 2787111880 queue 1 ip from any to table(1,1) out via re0
02800 1261884 253066346 queue 2 ip from any to table(1,2) out via re0
02900 3629 2110322 allow ip from 85.94.32.244 to 192.168.30.15 dst-port 5060-5063 in via tun0
03000 1257744 250917560 allow ip from 85.94.32.244 to 192.168.30.15 dst-port 10000-20000 in via tun0
03100 8105 773041 deny log logamount 50 ip from any not 123 to 192.168.30.15 in via tun0
03400 2732309 2872293343 allow ip from any 80,8080,5190,2041,2042,110,25 to table(1) in via tun0
03500 235545 38393369 allow ip from any to table(2) in via tun0
03700 4414473 3147787981 allow ip from any to table(1) out via re0
03800 2615398 714755526 queue 3 ip from table(1,1) to any in via re0
03900 1272944 253158038 queue 4 ip from table(1,2) to any in via re0
04000 1363 65424 deny ip from 192.168.30.2 to any dst-port 80 in via re0
04200 34407 2154649 allow udp from table(1) to any dst-port 53 in via re0
04300 2316235 804025280 allow ip from table(2) to any in via re0
04400 1636538 175518637 allow ip from table(1) to any dst-port 80,8080,110,25,443,5190,2041,2042,3377,3388 in via re0
04500 3972628 980106460 nat 123 ip from table(1) to any out via tun0
04600 34407 2154649 allow udp from me to any dst-port 53 out via tun0
04700 3948575 980463890 allow ip from me to any out via tun0
04800 39262 3255262 allow icmp from any to any
04900 8678 6834870 allow tcp from any to any established
05000 53280 13664875 deny ip from any to any
65535 17848 1424648 deny ip from any to any
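#!/bin/sh
#
# Load the ipfw ruleset for this gateway: nat instance 123, four dummynet
# pipes/queues for per-host shaping, and the filter rules.
#
# Relies on net.inet.ip.fw.one_pass=0 (see /etc/sysctl.conf): with one_pass
# disabled a packet that matched a "queue" rule re-enters the ruleset after
# dummynet, so the queue rules below only shape traffic and the allow/deny
# rules that follow them still decide whether it passes.
#
# "ipfw -f flush" removes every rule before the new ones are added, so while
# this script runs only the kernel default rule 65535 (deny) is in effect.
# Run it from the console or from a session the finished ruleset re-admits.

# Populate the address tables referenced below as table(1), table(1,1),
# table(1,2) and table(2). It is run as a separate program, so nothing
# assigned in this script is visible to it; if it is meant to be sourced,
# ". /etc/firewall.table" is needed instead.
/etc/firewall.table

fw="ipfw"
lanout="tun0"   # WAN side
lanin="re0"     # LAN side
NatIP="************"   # public address for nat 123 (masked in this copy)
# The next four values are not referenced by any rule in this script; kept
# because the original defines them (values masked).
ipout="***********"
ipin="***********"
netmask="24"
netin1="******30.0"

"${fw}" -f flush
"${fw}" -f pipe flush
"${fw}" -f queue flush

# Inbound port forwards to 192.168.30.15: TCP/UDP 5060-5063 and 10000-20000
# (the ranges look like SIP signalling plus RTP media — confirm with the host).
"${fw}" nat 123 config ip "${NatIP}" log \
  redirect_port tcp 192.168.30.15:5060-5063 5060-5063 \
  redirect_port udp 192.168.30.15:5060-5063 5060-5063 \
  redirect_port tcp 192.168.30.15:10000-20000 10000-20000 \
  redirect_port udp 192.168.30.15:10000-20000 10000-20000

# Shaping pipes: 1 and 2 carry traffic towards the LAN (queue rules below use
# them for "out via lanin"), 3 and 4 carry traffic from the LAN. Each queue
# is masked on the destination address, giving one dynamic queue per
# destination host inside the pipe.
i=1
for bw in 1536Kbit/s 500Kbit/s 1536Kbit/s 500Kbit/s; do
  "${fw}" pipe "${i}" config bw "${bw}"
  "${fw}" queue "${i}" config pipe "${i}" mask dst-ip 0xffffffff
  i=$((i + 1))
done

# Loopback traffic, and loopback addresses on any other interface.
"${fw}" add allow ip from any to any via lo0
"${fw}" add deny ip from any to 127.0.0.0/8
"${fw}" add deny ip from 127.0.0.0/8 to any

# Anti-spoofing on the WAN side. These rules run before the nat rules, so
# they see untranslated addresses: 192.168.0.0/16 must stay out of the
# outbound list because the LAN (192.168.30.0/24) is only translated by the
# later "nat 123 ... out via lanout" rule and would be denied here first.
for net in 10.0.0.0/8 172.16.0.0/12 0.0.0.0/8 169.254.0.0/16 240.0.0.0/4; do
  "${fw}" add deny ip from any to "${net}" in via "${lanout}"
done
for net in 10.0.0.0/8 172.16.0.0/12 0.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4; do
  "${fw}" add deny ip from "${net}" to any out via "${lanout}"
done

"${fw}" add deny icmp from any to any frag
"${fw}" add deny icmp from any to 255.255.255.255 in via "${lanout}"
"${fw}" add deny icmp from any to 255.255.255.255 out via "${lanout}"

# Local services that must never be reached over the WAN interface.
"${fw}" add deny all from any to me 113,137,138,139,81,8080,3128,443 via "${lanout}"

# Administration (ssh) is accepted on the LAN side only.
"${fw}" add allow ip from any to me 22 in via "${lanin}"
"${fw}" add allow ip from me 22 to any out via "${lanin}"

# Inbound NAT: translate WAN-side destinations (including the redirect_port
# forwards) before the LAN-bound rules are evaluated.
"${fw}" add nat 123 ip from any to me in via "${lanout}"

# Download shaping for the two host classes; with one_pass=0 the packet
# continues to the rules below after dummynet.
"${fw}" add queue 1 ip from any to 'table(1,1)' out via "${lanin}"
"${fw}" add queue 2 ip from any to 'table(1,2)' out via "${lanin}"

# The forwarded ranges on 192.168.30.15 are reachable from one remote peer
# only; anything else arriving for that host from the WAN is dropped and
# logged.
# NOTE(review): "from any not 123" is a source-port match (any source port
# except 123), so packets sent from source port 123 skip this deny — confirm
# that is intended and not a mistyped reference to nat instance 123.
"${fw}" add allow ip from 85.94.32.244 to 192.168.30.15 5060-5063 in via "${lanout}"
"${fw}" add allow ip from 85.94.32.244 to 192.168.30.15 10000-20000 in via "${lanout}"
"${fw}" add deny log ip from any not 123 to 192.168.30.15 in via "${lanout}"

# WAN-side traffic towards table hosts. Return traffic for table(1) hosts is
# recognised by source port only (stateless), so any remote sender using one
# of these source ports reaches them; table(2) hosts accept everything.
"${fw}" add allow ip from any 80,8080,5190,2041,2042,110,25 to 'table(1)' in via "${lanout}"
"${fw}" add allow ip from any to 'table(2)' in via "${lanout}"
"${fw}" add allow ip from any to 'table(1)' out via "${lanin}"

# Upload shaping (packet continues below, one_pass=0).
"${fw}" add queue 3 ip from 'table(1,1)' to any in via "${lanin}"
"${fw}" add queue 4 ip from 'table(1,2)' to any in via "${lanin}"

# LAN side: table(1) hosts may use DNS and a fixed destination-port list,
# table(2) hosts are unrestricted.
"${fw}" add allow udp from 'table(1)' to any 53 in via "${lanin}"
"${fw}" add allow ip from 'table(2)' to any in via "${lanin}"
"${fw}" add allow ip from 'table(1)' to any 80,8080,110,25,443,5190,2041,2042,3377,3388 in via "${lanin}"

# Outbound NAT for table(1) and the gateway's own traffic.
"${fw}" add nat 123 ip from 'table(1)' to any out via "${lanout}"
"${fw}" add allow udp from me to any 53 out via "${lanout}"
"${fw}" add allow ip from me to any out via "${lanout}"

"${fw}" add allow icmp from any to any
# "established" is not a state check: it matches any TCP segment carrying
# ACK or RST, on any interface, regardless of whether a connection exists.
# A check-state/keep-state pair on the outbound rules would be stricter.
"${fw}" add allow tcp from any to any established
"${fw}" add deny all from any to any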