Здравствуйте. Подскажите как на основе примера №2 правильно добавить ограничения на доступ пользователям сети к определенным сервисам + открыть нужные порты снаружи.
Есть набор рабочих правил по портам, но вот резать скорость никак не выходит.
Система FreeBSD 7.2 RELEASE под VMWare для проверки.
Ядро собрано с опциями (указываю только то что добавил/удалил):
Код: Выделить всё
cpu I686_CPU
ident GENERIC
# makeoptions DEBUG=-g
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
options IPFIREWALL_NAT
options LIBALIAS
options ROUTETABLES=2
options DUMMYNET
options HZ="1000"
options IPFIREWALL_FORWARD
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_SOCKET
options NETGRAPH_TEE
options NETGRAPH_MPPC_ENCRYPTION
Правило firewall
Код: Выделить всё
#!/bin/sh
# /etc/firewall
WAN="le1"
WAN_IP="1.2.3.254"
LAN="le0"
LAN_IP="192.168.1.254"
lan_net="192.168.1.0/24"
vpn="192.168.1.240"
mailserv="25,143,465,993,995"
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush
${fwcmd} add check-state
##################### Deny
# lo
${fwcmd} add allow ip from 127.0.0.0/8 to any via lo0
${fwcmd} add allow ip from any to 127.0.0.0/8 via lo0
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add deny ip from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
# боимся непонятного
${fwcmd} add deny ip from any to 192.168.0.0/16 in recv ${WAN}
${fwcmd} add deny ip from 192.168.0.0/16 to any in recv ${WAN}
${fwcmd} add deny ip from any to 172.16.0.0/12 in recv ${WAN}
${fwcmd} add deny ip from 172.16.0.0/12 to any in recv ${WAN}
${fwcmd} add deny ip from any to 10.0.0.0/8 in recv ${WAN}
${fwcmd} add deny ip from 10.0.0.0/8 to any in recv ${WAN}
${fwcmd} add deny ip from any to 169.254.0.0/16 in recv ${WAN}
${fwcmd} add deny ip from 169.254.0.0/16 to any in recv ${WAN}
${fwcmd} add deny ip from any to 0.0.0.0/8 in recv ${WAN}
${fwcmd} add deny ip from 0.0.0.0/8 to any in recv ${WAN}
${fwcmd} add deny ip from any to 240.0.0.0/4 in recv ${WAN}
${fwcmd} add deny ip from 240.0.0.0/4 to any in recv ${WAN}
# anti-hack from outside
${fwcmd} add deny ip from me to any in recv ${WAN}
${fwcmd} add deny ip from any to any not antispoof in
# deny icmp
${fwcmd} add deny icmp from any to any frag
${fwcmd} add deny log icmp from any to 255.255.255.255 in via ${WAN}
${fwcmd} add deny log icmp from any to 255.255.255.255 out via ${WAN}
#${fwcmd} add deny icmp from any to any in recv le1 icmptypes 5,9,13,14,15,16,17
# deny netbios MS SQL
${fwcmd} add deny ip from any 137-139,445,1433 to any
${fwcmd} add deny ip from any to any 137-139,445,1433
#################### End Deny
#Transparent proxy
${fwcmd} add fwd 127.0.0.1,3128 tcp from ${lan_net} to not me dst-port 80
${fwcmd} add allow icmp from any to any icmptypes 0,3,4,8,10,11,30
${fwcmd} add allow tcp from any to any established
#################### WAN - me
# SSH
${fwcmd} add allow tcp from any to ${WAN_IP} 22 in via ${WAN}
# DNS только если держим зону
${fwcmd} add allow tcp from any to any 53 via ${WAN} limit src-addr 30
${fwcmd} add allow udp from any to any 53 via ${WAN} limit src-addr 30
# Ответ на запрос открываем всегда
${fwcmd} add allow udp from any 53 to ${WAN_IP} via ${WAN}
# UDP
${fwcmd} add allow udp from any to any 123 via ${WAN}
# FTP
${fwcmd} add allow tcp from any to ${WAN_IP} 20,21 in via ${WAN} setup
${fwcmd} add allow tcp from any to ${WAN_IP} 49152-65535 via ${WAN}
# Mail
${fwcmd} add allow tcp from any to ${WAN_IP} ${mailserv} in via ${WAN} setup limit src-addr 20
# HTTP
${fwcmd} add allow tcp from any to ${WAN_IP} 80 in via ${WAN} setup
#OpenVPN
${fwcmd} add allow udp from any to ${WAN_IP} 1194 via ${WAN} limit src-addr 30
####################
#################### me -WAN
# разрешаем весь исходящий траффик
#${fwcmd} add allow ip from ${WAN_IP} to any out xmit ${WAN}
# SSH
${fwcmd} add allow tcp from me 22 to any
# DNS transfers to world
${fwcmd} add allow udp from me 53 to any
# DNS, NTP
${fwcmd} add allow udp from me to any 53,123
# FTP, HTTP
${fwcmd} add allow tcp from me to any 20,21,80,443,49151-65534 keep-state
####################
#################### from LAN to me
# FTP, SSH
${fwcmd} add allow tcp from ${lan_net},${vpn} to me 20,21,22,1024-65534
# DNS
${fwcmd} add allow udp from ${lan_net} to me domain via ${LAN}
${fwcmd} add allow udp from me domain to ${lan_net} via ${LAN}
# NTP
${fwcmd} add allow udp from ${lan_net} to me ntp keep-state
# HTTP
${fwcmd} add allow udp from ${lan_net},${vpn} to me http keep-state
# icmp
${fwcmd} add allow icmp from any to any via ${LAN}
################### from me to LAN
# FTP, HTTP to LAN
${fwcmd} add allow tcp from ${LAN_IP} 20,21,80,443,1024-65534 to ${lan_net} via ${LAN} keep-state
###################
#################### LAN -WAN
# MAIL, ICQ
${fwcmd} add allow tcp from ${lan_net} to any 25,80,110,143,443,465,587,993,995,5190 out via ${WAN}
${fwcmd} add allow tcp from any 25,80,110,143,443,465,587,993,995,5190 to ${lan_net} via ${WAN}
# FTP
${fwcmd} add allow tcp from ${lan_net} to any 20,21,1024-65535 via ${LAN} keep-state
${fwcmd} add allow tcp from ${lan_net} to any 1024-65535 via ${LAN}
${fwcmd} add allow tcp from any 20,21,1024-65535 to ${lan_net} 1024-65535 via ${LAN}
# SSH, RDP, Radmin
${fwcmd} add allow tcp from ${lan_net} to any 22,3389,4899 via ${LAN} keep-state
${fwcmd} add allow tcp from any 22,3389,4899 to ${lan_net} via ${LAN}
${fwcmd} pipe 1 config bw 1Mbit/s queue 60 gred 0.002/10/30/0.1
${fwcmd} queue 1 config pipe 1 mask src-ip 0xffffffff queue 60 gred 0.002/10/30/0.1
${fwcmd} pipe 2 config bw 1Mbit/s queue 60 gred 0.002/10/30/0.1
${fwcmd} queue 2 config pipe 2 mask dst-ip 0xffffffff queue 60 gred 0.002/10/30/0.1
# NAT
${fwcmd} nat 1 config log if ${WAN} reset same_ports deny_in
${fwcmd} add queue 1 ip from any to any out xmit ${WAN}
${fwcmd} add nat 1 ip from any to any via ${WAN}
${fwcmd} add queue 2 ip from any to any in recv ${WAN}
${fwcmd} add deny log all from any to any
Значение /etc/sysctl.conf net.inet.ip.fw.one_pass=0
Вывод правил:
Код: Выделить всё
#ipfw show
00100 0 0 check-state
00200 0 0 allow ip from 127.0.0.0/8 to any via lo0
00300 0 0 allow ip from any to 127.0.0.0/8 via lo0
00400 0 0 allow ip from any to any via lo0
00500 0 0 deny ip from any to 127.0.0.0/8
00600 0 0 deny ip from 127.0.0.0/8 to any
00700 0 0 deny ip from any to 192.168.0.0/16 in recv le1
00800 0 0 deny ip from 192.168.0.0/16 to any in recv le1
00900 0 0 deny ip from any to 172.16.0.0/12 in recv le1
01000 0 0 deny ip from 172.16.0.0/12 to any in recv le1
01100 0 0 deny ip from any to 10.0.0.0/8 in recv le1
01200 0 0 deny ip from 10.0.0.0/8 to any in recv le1
01300 0 0 deny ip from any to 169.254.0.0/16 in recv le1
01400 0 0 deny ip from 169.254.0.0/16 to any in recv le1
01500 0 0 deny ip from any to 0.0.0.0/8 in recv le1
01600 0 0 deny ip from 0.0.0.0/8 to any in recv le1
01700 0 0 deny ip from any to 240.0.0.0/4 in recv le1
01800 0 0 deny ip from 240.0.0.0/4 to any in recv le1
01900 0 0 deny ip from me to any in recv le1
02000 0 0 deny ip from any to any not antispoof in
02100 0 0 deny icmp from any to any frag
02200 0 0 deny log logamount 50 icmp from any to 255.255.255.255 in via le1
02300 0 0 deny log logamount 50 icmp from any to 255.255.255.255 out via le1
02400 1 229 deny ip from any 137-139,445,1433 to any
02500 0 0 deny ip from any to any dst-port 137-139,445,1433
02600 0 0 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to not me dst-port 80
02700 0 0 allow icmp from any to any icmptypes 0,3,4,8,10,11,30
02800 228 29854 allow tcp from any to any established
02900 0 0 allow tcp from any to 1.2.3.254 dst-port 22 in via le1
03000 0 0 allow tcp from any to any dst-port 53 via le1 limit src-addr 30
03100 2 140 allow udp from any to any dst-port 53 via le1 limit src-addr 30
03200 0 0 allow udp from any 53 to 1.2.3.254 via le1
03300 0 0 allow udp from any to any dst-port 123 via le1
03400 0 0 allow tcp from any to 1.2.3.254 dst-port 20,21 in via le1 setup
03500 0 0 allow tcp from any to 1.2.3.254 dst-port 49152-65535 via le1
03600 0 0 allow tcp from any to 1.2.3.254 dst-port 25,143,465,993,995 in via le1 setup limit src-addr 20
03700 0 0 allow tcp from any to 1.2.3.254 dst-port 80 in via le1 setup
03800 0 0 allow udp from any to 1.2.3.254 dst-port 1194 via le1 limit src-addr 30
03900 0 0 allow tcp from me 22 to any
04000 0 0 allow udp from me 53 to any
04100 0 0 allow udp from me to any dst-port 53,123
04200 0 0 allow tcp from me to any dst-port 20,21,80,443,49151-65534 keep-state
04300 2 128 allow tcp from 192.168.1.0/24,192.168.1.240 to me dst-port 20,21,22,1024-65534
04400 0 0 allow udp from 192.168.1.0/24 to me dst-port 53 via le0
04500 0 0 allow udp from me 53 to 192.168.1.0/24 via le0
04600 0 0 allow udp from 192.168.1.0/24 to me dst-port 123 keep-state
04700 0 0 allow udp from 192.168.1.0/24,192.168.1.240 to me dst-port 80 keep-state
04800 0 0 allow icmp from any to any via le0
04900 11 1050 allow tcp from 192.168.1.254 20,21,80,443,1024-65534 to 192.168.1.0/24 via le0 keep-state
05000 0 0 allow tcp from 192.168.1.0/24 to any dst-port 25,80,110,143,443,465,587,993,995,5190 out via le1
05100 0 0 allow tcp from any 25,80,110,143,443,465,587,993,995,5190 to 192.168.1.0/24 via le1
05200 26187 25583298 allow tcp from 192.168.1.0/24 to any dst-port 20,21,1024-65535 via le0 keep-state
05300 0 0 allow tcp from 192.168.1.0/24 to any dst-port 1024-65535 via le0
05400 0 0 allow tcp from any 20,21,1024-65535 to 192.168.1.0/24 dst-port 1024-65535 via le0
05500 0 0 allow tcp from 192.168.1.0/24 to any dst-port 22,3389,4899 via le0 keep-state
05600 0 0 allow tcp from any 22,3389,4899 to 192.168.1.0/24 via le0
05700 0 0 queue 1 ip from any to any out xmit le1
05800 0 0 nat 1 ip from any to any via le1
05900 0 0 queue 2 ip from any to any in recv le1
06000 0 0 deny log logamount 50 ip from any to any
65535 0 0 deny ip from any to any
Проверка правил pipe
Код: Выделить всё
#ipfw pipe show
00001: 1.000 Mbit/s 0 ms 60 sl. 0 queues (1 buckets)
GRED w_q 0.001999 min_th 10 max_th 30 max_p 0.099991
00002: 1.000 Mbit/s 0 ms 60 sl. 0 queues (1 buckets)
GRED w_q 0.001999 min_th 10 max_th 30 max_p 0.099991
q00001: weight 1 pipe 1 60 sl. 0 queues (64 buckets)
GRED w_q 0.001999 min_th 10 max_th 30 max_p 0.099991
q00002: weight 1 pipe 2 60 sl. 0 queues (64 buckets)
GRED w_q 0.001999 min_th 10 max_th 30 max_p 0.099991
Подскажите как правильно указать правила.
СПС