Выкладываю новый листинг правил ipfw.
Не подскажете все ли нормально в нем, будет ли работать,
Посмотрел все вроде бы правильно.
Прошу Вашего разноса по нему.
Заранее спасибо
Код: Выделить всё
#!/bin/sh
cmd="/sbin/ipfw"
#peremennie
ifout="rl0"
ifin="vr0"
ipout="94.141.64.5"
ipin="192.168.0.54"
netmask="24"
netin="192.168.0.0"
netout="94.141.64.6/23"
#Flush all ipfw rules
${cmd} -f flush
${cmd} add check-state
#Loopback
${cmd} add allow ip from any to any via lo0
${cmd} add deny ip from ${netin} to any in via ${ifout}
${cmd} add deny ip from ${netout} to any in via ${ifin}
#Private netowrks via Out interfaces
${cmd} add deny ip from any to 127.0.0.0/8
${cmd} add deny ip from 127.0.0.0/8 to any
${cmd} add deny ip from any to 10.0.0.0/8 in via ${ifout}
${cmd} add deny ip from any to 172.16.0.0/12 in via ${ifout}
${cmd} add deny ip from any to 192.168.0.0/16 in via ${ifout}
${cmd} add deny ip from any to 0.0.0.0/8 in via ${ifout}
${cmd} add deny ip from any to 169.254.0.0/16 in via ${ifout}
${cmd} add deny ip from any to 240.0.0.0/4 in via ${ifout}
#ICMP pockets
${cmd} add deny icmp from any to any frag
${cmd} add deny log icmp from any to 255.255.255.255 in via ${ifout}
${cmd} add deny log icmp from any to 255.255.255.255 out via ${ifout}
#Squid forwarding
#${cmd} add fwd 127.0.0.1,3128 tcp from ${netin} to any 80 via ${ifout}
#NAT
${cmd} add divert natd ip from ${netin} to any out via ${ifout}
${cmd} add divert natd ip from any to ${ipout} in via ${ifout}
#Private networks via Out interfaces
${cmd} add deny ip from 10.0.0.0/8 to any out via ${ifout}
${cmd} add deny ip from 172.16.0.0/12 to any out via ${ifout}
${cmd} add deny ip from 192.168.0.0/16 to any out via ${ifout}
${cmd} add deny ip from 0.0.0.0/8 to any out via ${ifout}
${cmd} add deny ip from 169.254.0.0/16 to any out via ${ifout}
${cmd} add deny ip from 224.0.0.0/4 to any out via ${ifout}
${cmd} add deny ip from 240.0.0.0/4 to any out via ${ifout}
#ICMP-tarffic
${cmd} add allow icmp from any to any icmptypes 0,8,11
#Local traffic on internal interface
${cmd} add allow ip from any to ${netin} in via ${ifin}
${cmd} add allow ip from ${netin} to any out via ${ifin}
#MRIM.MAIL.RU block
${cmd} add deny tcp from any to 94.100.178.0/23 in via ${ifout}
${cmd} add deny tcp from 94.100.178.0/23 to any out via ${ifout}
${cmd} add deny tcp from any to 94.100.182.0/22 in via ${ifout}
${cmd} add deny tcp from 94.100.182.0/22 to any out via ${ifout}
${cmd} add deny tcp from any to 94.100.184.0/22 in via ${ifout}
${cmd} add deny tcp from 94.100.184.0/22 to any out via ${ifout}
${cmd} add deny tcp from any to 94.100.188.0/23 in via ${ifout}
${cmd} add deny tcp from 94.100.188.0/23 to any out via ${ifout}
${cmd} add allow tcp from any to any established
#allow ports
${cmd} add allow tcp from ${netin}/${netmask} 20 to any setup
${cmd} add allow tcp from ${netin}/${netmask} 21 to any setup
${cmd} add allow tcp from ${netin}/${netmask} 25 to any setup
${cmd} add allow tcp from ${netin}/${netmask} 53 to any setup
${cmd} add allow tcp from ${netin}/${netmask} 110 to any setup
${cmd} add allow tcp from ${netin}/${netmask} 465 to any setup
${cmd} add allow tcp from ${netin}/${netmask} 993 to any setup
${cmd} add allow tcp from ${netin}/${netmask} 995 to any setup
#SSH
${cmd} add allow tcp from any to any 22
#Bank client ports
${cmd} add allow tcp from ${netin}/${netmask} 4077 to any setup
${cmd} add allow tcp from ${netin}/${netmask} 36086 to any setup
#Portrange
${cmd} add allow tcp from any to ${ipout} 49152-65535 via ${ifout}
#Block another tcp ports with logging
${cmd} add deny log tcp from any to any in via ${ifout} setup
#DNS
${cmd} add allow udp from ${ipout} to any 53 keep-state
${cmd} add allow udp from any to ${ipout} 53 keep-state
${cmd} add allow udp from ${ipin} to ${netin}/${netmask} 53 keep-state
${cmd} add allow udp from ${netin}/${netmask} to ${ipin} 53 keep-state
#NTP
${cmd} add allow udp from ${ipout} to any 123 keep-state
${cmd} add allow udp from any to ${ipout} 123 keep-state
${cmd} add allow udp from ${ipin} to ${netin}/${netmask} 123 keep-state
${cmd} add allow udp from ${netin}/${netmask} to ${ipin} 123 keep-state
${cmd} add deny ip from any to any
1 AMD Athlon 2000+ 256 Mb RAM HDD 40 Gb
2 Celeron 2.13 1 Gb RAM HDD 160 Gb
Я вот думаю на первом поднять шлюз с проксей, на втором самбу как контроллера +файлопомойка+PostgreSQL до кучи для 1Ски(5 пользователей).
Почтовик еще надо, вот я думаю куда получше поставить на 1 или второй комп?
что подскажете?