Code:
ipfw add allow tcp from 10.0.0.11 to not 10.0.0.0/24 via rl0 setup
Code:
ipfw add allow tcp from 10.0.0.11 to not 10.0.0.0/24 via rl0 setup limit src-addr 10 or limit dst-addr 10
Code:
ipfw -d show
Code:
ipfw -e show
Code:
00100 0 0 check-state
00150 0 0 deny ip from any to any frag
00160 0 0 deny icmp from any to any frag
00200 0 0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00300 0 0 deny ip from any to 127.0.0.0/8
00310 0 0 deny ip from 127.0.0.0/8 to any
00400 11080 5788258 allow ip from any to any via lo0
00500 0 0 reject ip from any to any not verrevpath in
00600 0 0 reject tcp from any to any tcpflags syn,fin,ack,psh,rst,urg
00610 0 0 reject tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg
00620 0 0 reject tcp from any to any not established tcpflags fin
00700 0 0 deny ip from 10.0.0.0/24 to any in via xl0
00710 0 0 deny ip from 10.0.1.0/24 to any in via rl0
00800 0 0 deny ip from any to 192.168.0.0/16 in via xl0
00810 0 0 deny ip from any to 172.16.0.0/12 in via xl0
00820 0 0 deny ip from any to 0.0.0.0/8 in via xl0
00830 0 0 deny ip from any to 169.254.0.0/16 in via xl0
00840 0 0 deny ip from any to 224.0.0.0/4 in via xl0
00850 0 0 deny ip from any to 240.0.0.0/4 in via xl0
00900 0 0 deny icmp from any to 255.255.255.255 in via xl0
00910 0 0 deny icmp from any to 255.255.255.255 out via xl0
01000 0 0 deny tcp from any to any dst-port 113 in via xl0
01100 0 0 deny tcp from any to any dst-port 135-139 via xl0
01200 0 0 deny tcp from any to any dst-port 135-139 via rl0
01250 3 144 deny tcp from any to 10.0.1.2 dst-port 445 via xl0
01300 6 363 fwd 127.0.0.1,3128 tcp from 10.0.0.0/24 to any dst-port 80 via xl0
01400 4658 377204 divert 8668 ip from 10.0.0.0/24 to any out via xl0
01410 7404 6438865 divert 8668 ip from any to 10.0.1.2 in via xl0
01500 0 0 deny ip from 192.168.0.0/16 to any out via xl0
01510 0 0 deny ip from 172.16.0.0/12 to any out via xl0
01520 0 0 deny ip from 0.0.0.0/8 to any out via xl0
01530 0 0 deny ip from 169.254.0.0/16 to any out via xl0
01600 0 0 deny ip from 224.0.0.0/4 to any out via xl0
01610 0 0 deny ip from 240.0.0.0/4 to any out via xl0
01900 28138 14174521 allow tcp from any to any established
02000 0 0 allow icmp from any to any icmptypes 0,8,11
02100 262 20440 allow ip from any to 10.0.0.0/24 in via rl0
02110 74 11923 allow ip from 10.0.0.0/24 to any out via rl0
02200 0 0 allow udp from any to 10.0.1.2 dst-port 53 in via xl0
02210 0 0 allow udp from 10.0.1.2 53 to any out via xl0
02220 73 12845 allow udp from any 53 to 10.0.1.2 in via xl0
02230 88 6062 allow udp from 10.0.1.2 to any dst-port 53 out via xl0
02300 15 1140 allow udp from any to 10.0.1.2 dst-port 123 in via xl0
02310 15 1140 allow udp from 10.0.1.2 123 to any out via xl0
02320 0 0 allow udp from any 123 to 10.0.1.2 in via xl0
02330 0 0 allow udp from 10.0.1.2 to any dst-port 123 out via xl0
02400 0 0 allow tcp from any to 10.0.1.2 dst-port 53 in via xl0
02500 0 0 allow tcp from any to 10.0.1.2 dst-port 35665 in via xl0 setup
02600 0 0 allow tcp from any to 10.0.0.226 dst-port 25 via xl0 setup
02610 0 0 allow tcp from any to 10.0.0.226 dst-port 25 via rl0 setup
02620 0 0 allow tcp from any to 10.0.0.226 dst-port 110 via xl0 setup
02630 0 0 allow tcp from any to 10.0.0.226 dst-port 110 via rl0 setup
02691 0 0 allow tcp from any to 10.0.0.11 dst-port 28806 via xl0 setup
02692 0 0 allow tcp from any to 10.0.0.11 dst-port 28806 via rl0 setup
02693 56 2764 allow tcp from any to 10.0.0.141 dst-port 39012 via xl0 setup
02694 51 2516 allow tcp from any to 10.0.0.141 dst-port 39012 via rl0 setup
02700 0 0 allow log logamount 100 tcp from any to 10.0.1.2 dst-port 1723 in via xl0 setup
02800 0 0 allow gre from any to any
02900 0 0 allow tcp from any to any via ng*
03100 15 2092 allow udp from any 53 to 10.0.0.4,10.0.0.14,10.0.0.15 in via xl0
03110 15 2092 allow udp from any 53 to 10.0.0.4,10.0.0.14,10.0.0.15 out via rl0
03120 15 897 allow udp from 10.0.0.4,10.0.0.14,10.0.0.15 to any dst-port 53 in via rl0
03200 0 0 deny tcp from any to 10.0.1.2 in via xl0 setup
03300 147 8448 allow tcp from 10.0.1.2 to any out via xl0 setup
03310 0 0 allow tcp from any to 10.0.1.2 in via rl0 setup
03500 0 0 allow tcp from 10.0.0.226 to not 10.0.0.0/24 dst-port 25,110 in via rl0 setup
03550 0 0 allow log logamount 100 tcp from 10.0.0.11 to not 10.0.0.0/24 in via rl0 setup
03600 35 1740 allow tcp from table(1) to not 10.0.0.0/24 in via rl0 setup
03700 3 144 allow tcp from table(2) to not 10.0.0.0/24 dst-port 5432 in via rl0 setup
Code:
00001 0 0 pipe 1 ip from not 10.0.0.0/24 to 10.0.0.11 out
00002 0 0 pipe 2 ip from 10.0.0.11 to not me in
00003 4280 4330393 pipe 3 ip from not 10.0.0.0/24 to 10.0.0.141 out
00004 3003 233173 pipe 4 ip from 10.0.0.141 to not me in
00100 0 0 check-state
00150 0 0 deny ip from any to any frag
00160 0 0 deny icmp from any to any frag
00200 0 0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00300 0 0 deny ip from any to 127.0.0.0/8
00310 0 0 deny ip from 127.0.0.0/8 to any
00400 11112 5790612 allow ip from any to any via lo0
00500 0 0 reject ip from any to any not verrevpath in
00600 0 0 reject tcp from any to any tcpflags syn,fin,ack,psh,rst,urg
00610 0 0 reject tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg
00620 0 0 reject tcp from any to any not established tcpflags fin
00700 0 0 deny ip from 10.0.0.0/24 to any in via xl0
00710 0 0 deny ip from 10.0.1.0/24 to any in via rl0
00800 0 0 deny ip from any to 192.168.0.0/16 in via xl0
00810 0 0 deny ip from any to 172.16.0.0/12 in via xl0
00820 0 0 deny ip from any to 0.0.0.0/8 in via xl0
00830 0 0 deny ip from any to 169.254.0.0/16 in via xl0
00840 0 0 deny ip from any to 224.0.0.0/4 in via xl0
00850 0 0 deny ip from any to 240.0.0.0/4 in via xl0
00900 0 0 deny icmp from any to 255.255.255.255 in via xl0
00910 0 0 deny icmp from any to 255.255.255.255 out via xl0
01000 0 0 deny tcp from any to any dst-port 113 in via xl0
01100 0 0 deny tcp from any to any dst-port 135-139 via xl0
01200 0 0 deny tcp from any to any dst-port 135-139 via rl0
01250 3 144 deny tcp from any to 10.0.1.2 dst-port 445 via xl0
01300 6 363 fwd 127.0.0.1,3128 tcp from 10.0.0.0/24 to any dst-port 80 via xl0
01400 6260 565993 divert 8668 ip from 10.0.0.0/24 to any out via xl0
01410 9697 8102023 divert 8668 ip from any to 10.0.1.2 in via xl0
01500 0 0 deny ip from 192.168.0.0/16 to any out via xl0
01510 0 0 deny ip from 172.16.0.0/12 to any out via xl0
01520 0 0 deny ip from 0.0.0.0/8 to any out via xl0
01530 0 0 deny ip from 169.254.0.0/16 to any out via xl0
01600 0 0 deny ip from 224.0.0.0/4 to any out via xl0
01610 0 0 deny ip from 240.0.0.0/4 to any out via xl0
01900 36561 18044954 allow tcp from any to any established
02000 0 0 allow icmp from any to any icmptypes 0,8,11
02100 368 29522 allow ip from any to 10.0.0.0/24 in via rl0
02110 109 17392 allow ip from 10.0.0.0/24 to any out via rl0
02200 0 0 allow udp from any to 10.0.1.2 dst-port 53 in via xl0
02210 0 0 allow udp from 10.0.1.2 53 to any out via xl0
02220 101 17524 allow udp from any 53 to 10.0.1.2 in via xl0
02230 122 8358 allow udp from 10.0.1.2 to any dst-port 53 out via xl0
02300 15 1140 allow udp from any to 10.0.1.2 dst-port 123 in via xl0
02310 15 1140 allow udp from 10.0.1.2 123 to any out via xl0
02320 0 0 allow udp from any 123 to 10.0.1.2 in via xl0
02330 0 0 allow udp from 10.0.1.2 to any dst-port 123 out via xl0
02400 0 0 allow tcp from any to 10.0.1.2 dst-port 53 in via xl0
02500 0 0 allow tcp from any to 10.0.1.2 dst-port 35665 in via xl0 setup
02600 0 0 allow tcp from any to 10.0.0.226 dst-port 25 via xl0 setup
02610 0 0 allow tcp from any to 10.0.0.226 dst-port 25 via rl0 setup
02620 0 0 allow tcp from any to 10.0.0.226 dst-port 110 via xl0 setup
02630 0 0 allow tcp from any to 10.0.0.226 dst-port 110 via rl0 setup
02691 0 0 allow tcp from any to 10.0.0.11 dst-port 28806 via xl0 setup
02692 0 0 allow tcp from any to 10.0.0.11 dst-port 28806 via rl0 setup
02693 76 3776 allow tcp from any to 10.0.0.141 dst-port 39012 via xl0 setup
02694 71 3512 allow tcp from any to 10.0.0.141 dst-port 39012 via rl0 setup
02700 0 0 allow log logamount 100 tcp from any to 10.0.1.2 dst-port 1723 in via xl0 setup
02800 0 0 allow gre from any to any
02900 0 0 allow tcp from any to any via ng*
03100 20 3011 allow udp from any 53 to 10.0.0.4,10.0.0.14,10.0.0.15 in via xl0
03110 20 3011 allow udp from any 53 to 10.0.0.4,10.0.0.14,10.0.0.15 out via rl0
03120 20 1200 allow udp from 10.0.0.4,10.0.0.14,10.0.0.15 to any dst-port 53 in via rl0
03200 0 0 deny tcp from any to 10.0.1.2 in via xl0 setup
03300 206 11792 allow tcp from 10.0.1.2 to any out via xl0 setup
03310 0 0 allow tcp from any to 10.0.1.2 in via rl0 setup
03500 0 0 allow tcp from 10.0.0.226 to not 10.0.0.0/24 dst-port 25,110 in via rl0 setup
03550 0 0 allow log logamount 100 tcp from 10.0.0.11 to not 10.0.0.0/24 in via rl0 setup
03600 37 1836 allow tcp from table(1) to not 10.0.0.0/24 in via rl0 setup
03700 4 192 allow tcp from table(2) to not 10.0.0.0/24 dst-port 5432 in via rl0 setup
65535 562574 40394817 deny ip from any to any
30.6.5.7 An Example NAT and Stateful Ruleset
Code:
ipfw add tcp from 10.0.0.11 to any in via rl0 setup keep-state limit src-addr 2
Code:
ipfw: only one of keep-state and limit is allowed
Here's the short story for getting up and running quickly with ipfw:
1. Read the ipfw manual.
2. Read the ipfw manual.
3. Remember that you were warned twice about reading the ipfw manual.
Code:
#!/bin/sh
extif="sk0"
extnet="83.170.210.0/30"
extip="83.170.210.38"
intif="sk1"
intnet="192.168.0.0/24"
intip="192.168.0.108"
fwcmd="/sbin/ipfw "
${fwcmd} -f flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush
${fwcmd} -f table 1 flush
${fwcmd} -f table 2 flush
${fwcmd} -f table 3 flush
${fwcmd} -f table 4 flush
#----Table 1-------------------------
${fwcmd} table 1 add 192.168.0.60
${fwcmd} table 1 add 192.168.0.61
${fwcmd} table 1 add 192.168.0.62
${fwcmd} table 1 add 192.168.0.63
#----Table 2 access nod32------------
${fwcmd} table 2 add 94.178.0.0/16
${fwcmd} table 2 add 92.113.0.0/16
${fwcmd} table 2 add 195.182.194.202
${fwcmd} table 2 add 94.179.0.0/16
${fwcmd} table 2 add 95.134.0.0/16
${fwcmd} table 2 add 62.149.28.124
${fwcmd} table 2 add 195.182.194.194
${fwcmd} table 2 add 212.115.225.38
${fwcmd} table 2 add 212.115.225.39
#----Table 3------------------------
${fwcmd} table 3 add 192.168.0.24
${fwcmd} table 3 add 192.168.0.114
${fwcmd} table 3 add 192.168.0.100
${fwcmd} table 3 add 192.168.0.123
${fwcmd} table 3 add 192.168.0.211
${fwcmd} table 3 add 192.168.0.11
${fwcmd} table 3 add 192.168.0.223
${fwcmd} table 3 add 192.168.0.218
${fwcmd} table 3 add 192.168.0.222
#----Table 4-----------------------
${fwcmd} table 4 add 192.168.0.80
${fwcmd} table 4 add 192.168.0.20
${fwcmd} table 4 add 192.168.0.150
${fwcmd} table 4 add 192.168.0.5
${fwcmd} table 4 add 192.168.0.149
${fwcmd} table 4 add 192.168.0.215
${fwcmd} table 4 add 192.168.0.151
${fwcmd} table 4 add 192.168.0.240
${fwcmd} table 4 add 192.168.0.152
${fwcmd} table 4 add 192.168.0.153
#----DUMMYNET-------------------------------------------------
${fwcmd} add 1 pipe 1 ip from not ${intnet} to "table(1)" out
${fwcmd} pipe 1 config bw 256Kbit/s mask dst-ip 0xffffffff
${fwcmd} add 2 pipe 2 ip from "table(1)" to not me in
${fwcmd} pipe 2 config bw 256Kbit/s mask src-ip 0xffffffff
#----allow all LAN traffic----------------------------
${fwcmd} add 100 allow ip from any to any via ${intif}
#----allow all lo0 traffic------------------------
${fwcmd} add 200 allow ip from any to any via lo0
#----deny fragments tcp,udp,icmp-------------------------------
${fwcmd} add 300 deny ip from any to any frag in via ${extif}
${fwcmd} add 400 deny icmp from any to any frag in via ${extif}
#----block undesirable ICMP types (redirects, router advertisements, timestamp/info/mask requests)
#    (the ipfw keyword is icmptypes, plural)
${fwcmd} add 500 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
#----antispoofing 1------------------------------------------------------
${fwcmd} add 600 reject ip from any to any not verrevpath in via ${extif}
#----anti port-scan: drop packets with all or no TCP flags set, and stray FINs----
#    (ipfw takes the flag list as a single comma-separated token, no spaces)
${fwcmd} add 700 reject tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
${fwcmd} add 800 reject tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
${fwcmd} add 900 reject tcp from any to any not established tcpflags fin
#----antispoofing 2--------------------------------------------
${fwcmd} add 1000 deny ip from ${intnet} to any in via ${extif}
${fwcmd} add 1100 deny ip from ${extnet} to any in via ${intif}
#----deny loopback-----------------------------------------------
${fwcmd} add 1200 deny ip from 127.0.0.0/8 to any in via ${extif}
${fwcmd} add 1300 deny ip from 0.0.0.0/8 to any in via ${extif}
#----block private/link-local source ranges that cannot legitimately arrive from the Internet-----
${fwcmd} add 1400 deny ip from 10.0.0.0/8 to any in via ${extif}
${fwcmd} add 1500 deny ip from 172.16.0.0/12 to any in via ${extif}
${fwcmd} add 1600 deny ip from 169.254.0.0/16 to any in via ${extif}
#----block multicast and reserved source ranges-----------------------------------
${fwcmd} add 1700 deny ip from 224.0.0.0/3 to any in via ${extif}
${fwcmd} add 1800 deny ip from 240.0.0.0/4 to any in via ${extif}
#----block broadcast through icmp------------------------------------------
${fwcmd} add 1900 deny icmp from any to 255.255.255.255 in via ${extif}
${fwcmd} add 2000 deny icmp from 255.255.255.255 to any out via ${extif}
#----block ident---------------------------------------------
${fwcmd} add 2100 deny tcp from any to any 113 in via ${extif}
#----block net-bios-----------------------------------------------
${fwcmd} add 2200 deny tcp from any to any 137-139 in via ${extif}
${fwcmd} add 2300 deny tcp from any to any 137-139 in via ${intif}
#----block Microsoft file sharing (SMB over TCP 445)--------------------------
${fwcmd} add 2400 deny tcp from any to any 445 in via ${extif}
#----proxy server SQUID allow------------------------------------------------
${fwcmd} add 2500 fwd 127.0.0.1,8080 tcp from ${intnet} to any 80 via ${extif}
#----NAT--------------------------------------------------------------
${fwcmd} add 2600 divert natd ip from ${intnet} to any out via ${extif}
${fwcmd} add 2700 divert natd ip from any to ${extip} in via ${extif}
#----block inside LAN for NAT-------------------------------------
${fwcmd} add 2800 deny ip from 10.0.0.0/8 to any out via ${extif}
${fwcmd} add 2900 deny ip from 172.16.0.0/12 to any out via ${extif}
${fwcmd} add 3000 deny ip from 0.0.0.0/8 to any out via ${extif}
${fwcmd} add 3100 deny ip from 169.254.0.0/16 to any out via ${extif}
#----block multicast for NAT-------------------------------------
${fwcmd} add 3200 deny ip from 224.0.0.0/3 to any out via ${extif}
${fwcmd} add 3300 deny ip from 240.0.0.0/4 to any out via ${extif}
#----block icmp (ping, etc) on extIP-----------
#${fwcmd} add 3400 deny icmp from any to ${extip}
#----allow all established tcp connections-------------
${fwcmd} add 3400 allow tcp from any to any established
#----allow some ICMP (echo reply/request and time exceeded: ping, traceroute)-----
${fwcmd} add 3500 allow icmp from any to any icmptypes 0,8,11
#----allow DNS requests on extiface (53 port)-----------------------
${fwcmd} add 3600 allow udp from any to ${extip} 53 in via ${extif}
${fwcmd} add 3700 allow udp from ${extip} 53 to any out via ${extif}
${fwcmd} add 3800 allow udp from any 53 to ${extip} in via ${extif}
${fwcmd} add 3900 allow udp from ${extip} to any 53 out via ${extif}
#----allow DNS requests on tcp 53 from inet to firewall (TCP DNS)--
${fwcmd} add 4000 allow tcp from any to ${extip} 53 in via ${extif}
#----allow SSH-------------------------------------------------------------
${fwcmd} add 4100 allow tcp from any to ${extip} 35665 in via ${extif} setup
#----mirror NOD server update----------------------------------------------------
${fwcmd} add 4200 allow tcp from "table(2)" to ${extip} 5700 in via ${extif} setup
#----redirect_port for natd.conf----------------------------------------------
${fwcmd} add 5800 allow tcp from any to 192.168.0.109 80 via ${extif} setup
${fwcmd} add 5900 allow tcp from any to 192.168.0.109 80 via ${intif} setup
#----allow port 1723 (for mpd5 clients)------------------------------------
${fwcmd} add 6000 allow tcp from any to ${extip} 1723 in via ${extif} setup
#----allow GRE traffic for mpd5-------------
${fwcmd} add 6100 allow gre from any to any
#----open traffic for mpd5 through ng0,ng1 etc----
${fwcmd} add 6200 allow ip from any to any via ng*
#----allow some traffic OpenVPN from VPN to LAN--------------------------------
#${fwcmd} add 6500 allow tcp from ${vpnnet} to ${intnet} 445 via ${intif} setup
#----example allow udp from NET to firewall (teamspeak)--------------------
${fwcmd} add 6600 allow udp from any to ${extip} 8767,51234 in via ${extif}
${fwcmd} add 6700 allow udp from ${extip} 8767,51234 to any out via ${extif}
#----Status TeamSpeak------------------------------------------------------------
${fwcmd} add 6800 allow tcp from any to ${extip} 8767,51234 in via ${extif} setup
#----example allow udp ports in LAN (DNS server in LAN)--------------------------------
#${fwcmd} add 6900 allow udp from any 53 to ${intnet} in via ${extif}
#${fwcmd} add 7000 allow udp from any 53 to ${intnet} out via ${intif}
#${fwcmd} add 7100 allow udp from ${intnet} to any 53 in via ${intif}
#${fwcmd} add 7200 allow udp from ${extip} to any 53 out via ${extif}
#----deny any other new inbound TCP connections (SYN) to the external IP-------------
${fwcmd} add 7300 deny tcp from any to ${extip} in via ${extif} setup
#----allow the firewall itself to open outbound TCP connections, and LAN hosts to open connections to it----
${fwcmd} add 7400 allow tcp from ${extip} to any out via ${extif} setup
${fwcmd} add 7500 allow tcp from any to ${extip} in via ${intif} setup
###################### ALLOW USERS INET #########################################
#----allow some tcp connections to all LAN (icq)----------------------------
${fwcmd} add 7600 allow tcp from ${intnet} to any 5190 in via ${intif} setup
#----reserve ip-------------------------------------------------------------------
${fwcmd} add 7700 allow tcp from "table(1)" to not ${intnet} in via ${intif} setup
#----room 310---------------------------------------------------------------------
${fwcmd} add 7800 allow tcp from "table(3)" to not ${intnet} in via ${intif} setup
#----room 602---------------------------------------------------------------------
${fwcmd} add 7900 allow tcp from "table(4)" to not ${intnet} in via ${intif} setup
Code:
ipfw show
Code:
00100 480635 291617351 allow ip from any to any via rl0
00150 0 0 deny ip from any to any frag in via xl0
00160 0 0 deny icmp from any to any frag in via xl0
00200 334354 504658528 allow ip from any to any via lo0
00200 0 0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00500 0 0 reject ip from any to any not verrevpath in via xl0
00600 0 0 reject tcp from any to any tcpflags syn,fin,ack,psh,rst,urg
00610 0 0 reject tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg
00620 0 0 reject tcp from any to any not established tcpflags fin
00700 0 0 deny ip from 10.0.0.0/24 to any in via xl0
00710 0 0 deny ip from 10.0.1.0/24 to any in via rl0
00800 0 0 deny ip from 192.168.0.0/16 to any in via xl0
00810 0 0 deny ip from 172.16.0.0/12 to any in via xl0
00820 0 0 deny ip from 0.0.0.0/8 to any in via xl0
00825 0 0 deny ip from 127.0.0.0/8 to any in via xl0
00830 0 0 deny ip from 169.254.0.0/16 to any in via xl0
00840 0 0 deny ip from 224.0.0.0/3 to any in via xl0
00850 0 0 deny ip from 240.0.0.0/4 to any in via xl0
00900 0 0 deny icmp from any to 255.255.255.255 in via xl0
00910 0 0 deny icmp from 255.255.255.255 to any out via xl0
01000 0 0 deny tcp from any to any dst-port 113 in via xl0
01100 44 2144 deny tcp from any to any dst-port 137-139 in via xl0
01200 0 0 deny tcp from any to any dst-port 137-139 in via rl0
01250 237 11604 deny tcp from any to any dst-port 445 in via xl0
01300 2462 169193 fwd 127.0.0.1,3128 tcp from 10.0.0.0/24 to any dst-port 80 via xl0
01400 36813 1845171 divert 8668 ip from 10.0.0.0/24 to any out via xl0
01410 232261 279612620 divert 8668 ip from any to 10.0.1.2 in via xl0
01500 0 0 deny ip from 192.168.0.0/16 to any out via xl0
01510 0 0 deny ip from 172.16.0.0/12 to any out via xl0
01520 0 0 deny ip from 0.0.0.0/8 to any out via xl0
01530 0 0 deny ip from 169.254.0.0/16 to any out via xl0
01600 0 0 deny ip from 224.0.0.0/4 to any out via xl0
01610 0 0 deny ip from 240.0.0.0/4 to any out via xl0
01900 401162 291307370 allow tcp from any to any established
02000 40 2512 allow icmp from any to any icmptypes 0,8,11
02200 0 0 allow udp from any to 10.0.1.2 dst-port 53 in via xl0
02210 0 0 allow udp from 10.0.1.2 53 to any out via xl0
02220 1394 226014 allow udp from any 53 to 10.0.1.2 in via xl0
02230 3270 213994 allow udp from 10.0.1.2 to any dst-port 53 out via xl0
02300 1075 81700 allow udp from any to 10.0.1.2 dst-port 123 in via xl0
02310 1081 82156 allow udp from 10.0.1.2 123 to any out via xl0
02320 0 0 allow udp from any 123 to 10.0.1.2 in via xl0
02330 0 0 allow udp from 10.0.1.2 to any dst-port 123 out via xl0
02400 0 0 allow tcp from any to 10.0.1.2 dst-port 53 in via xl0
02500 1 48 allow tcp from any to 10.0.1.2 dst-port 35665 in via xl0 setup
02600 0 0 allow tcp from any to 10.0.0.226 dst-port 25 via xl0 setup
02610 0 0 allow tcp from any to 10.0.0.226 dst-port 25 via rl0 setup
02620 0 0 allow tcp from any to 10.0.0.226 dst-port 110 via xl0 setup
02630 0 0 allow tcp from any to 10.0.0.226 dst-port 110 via rl0 setup
02691 0 0 allow tcp from any to 10.0.0.11 dst-port 28806 via xl0 setup
02692 0 0 allow tcp from any to 10.0.0.11 dst-port 28806 via rl0 setup
02693 0 0 allow tcp from any to 10.0.0.141 dst-port 39012 via xl0 setup
02694 0 0 allow tcp from any to 10.0.0.141 dst-port 39012 via rl0 setup
02700 0 0 allow log logamount 100 tcp from any to 10.0.1.2 dst-port 1723 in via xl0 setup
02800 0 0 allow gre from any to any
02900 0 0 allow tcp from any to any via ng*
03100 1864 326788 allow udp from any 53 to 10.0.0.4,10.0.0.14,10.0.0.15 in via xl0
03110 0 0 allow udp from any 53 to 10.0.0.4,10.0.0.14,10.0.0.15 out via rl0
03120 0 0 allow udp from 10.0.0.4,10.0.0.14,10.0.0.15 to any dst-port 53 in via rl0
03200 993 52352 deny tcp from any to 10.0.1.2 in via xl0 setup
03300 3087 180632 allow tcp from 10.0.1.2 to any out via xl0 setup
03310 0 0 allow tcp from any to 10.0.1.2 in via rl0 setup
03500 0 0 allow tcp from 10.0.0.226 to not 10.0.0.0/24 dst-port 25,110 in via rl0 setup
03550 0 0 allow log logamount 100 tcp from 10.0.0.11 to not 10.0.0.0/24 in via rl0 setup
03600 0 0 allow tcp from table(1) to not 10.0.0.0/24 in via rl0 setup
03700 0 0 allow tcp from table(2) to not 10.0.0.0/24 dst-port 5432 in via rl0 setup
03800 0 0 allow tcp from table(3) to not 10.0.0.0/24 dst-port 5560 in via rl0 setup
65535 1167280 84676527 deny ip from any to any
Code:
#----DUMMYNET-------------------------------------------------
${fwcmd} add 1 pipe 1 ip from not ${intnet} to "table(1)" out
${fwcmd} pipe 1 config bw 256Kbit/s mask dst-ip 0xffffffff
${fwcmd} add 2 pipe 2 ip from "table(1)" to not me in setup limit src-addr 10
${fwcmd} pipe 2 config bw 256Kbit/s mask src-ip 0xffffffff
Code:
ipfw -d show
Code:
03300 963 199836 divert 8668 ip from 10.2.2.0/24 to any out via vr0
03400 1220 905206 divert 8668 ip from any to 10.1.1.2 in via vr0
03450 0 0 check-state
03500 16 960 allow icmp from any to any icmptypes 0,8,11
03600 330 20210 allow ip from any to 10.2.2.0/24 in via rl0
03700 437 110555 allow ip from 10.2.2.0/24 to any out via rl0
03800 910 198900 allow tcp from any to any established
03900 0 0 allow udp from any to 10.1.1.2 dst-port 53 in via vr0
04000 0 0 allow udp from 10.1.1.2 53 to any out via vr0
04100 85 22193 allow udp from any 53 to 10.1.1.2 in via vr0
04200 94 6777 allow udp from 10.1.1.2 to any dst-port 53 out via vr0
04300 0 0 allow tcp from any to 10.1.1.2 dst-port 53 in via vr0
04400 0 0 allow tcp from any to 10.1.1.2 dst-port 35665 in via vr0 setup
04800 0 0 allow tcp from any to 10.1.1.2 dst-port 1723 in via vr0 setup
04900 0 0 allow gre from any to any
05000 0 0 allow ip from any to any via ng*
05400 2 96 deny tcp from any to 10.1.1.2 in via vr0 setup
05500 95 4608 allow tcp from 10.1.1.2 to any out via vr0 setup
05600 0 0 allow tcp from any to 10.1.1.2 in via rl0 setup
05700 3260 1950000 allow tcp from table(1) to not 10.2.2.0/24 in via rl0 setup limit src-addr 10
65535 1442 154340 deny ip from any to any
## Dynamic rules (11):
05700 0 0 (8s) PARENT 10 tcp 10.2.2.1 0 <-> 0.0.0.0 0
05700 12 2941 (117s) LIMIT tcp 10.2.2.1 3548 <-> 74.125.39.138 80
05700 47 40403 (118s) LIMIT tcp 10.2.2.1 3542 <-> 79.174.65.215 80
05700 12 1721 (118s) LIMIT tcp 10.2.2.1 3546 <-> 79.174.65.215 80
05700 12 1738 (118s) LIMIT tcp 10.2.2.1 3544 <-> 79.174.65.215 80
05700 14 1469 (1s) LIMIT tcp 10.2.2.1 3556 <-> 87.118.86.125 80
05700 131 136843 (119s) LIMIT tcp 10.2.2.1 3558 <-> 92.43.104.163 80
05700 73 63938 (109s) LIMIT tcp 10.2.2.1 3540 <-> 77.221.149.162 80
05700 47 40911 (1s) LIMIT tcp 10.2.2.1 3550 <-> 95.169.186.88 80
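The `ipfw -d show` listing above is what you watch to see whether a host has reached its `limit src-addr` ceiling. As an added example (not code from this thread, from FreeBSD, or from the posters), here is a small Python parser for that format: it reads the static rules to find each rule's `limit` selector and N, then walks the dynamic section and reports, per rule and per key (the source address for `limit src-addr`), how many states are active against N. It treats the numeric field on a PARENT line as the kernel's count of child states under that parent, which matters because a pasted listing can be shorter than the announced count (the output above announces 11 dynamic rules but shows 9 lines). The sample text is constructed from the lines above plus an invented second host, 10.2.2.7; the script name in the usage note is assumed.

```python
"""Per-host usage of ipfw `limit` rules, parsed from `ipfw -d show` output.

Added example for this thread, not code from FreeBSD or from the posters.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the `ipfw -d show` format used above. Rule 05700 and
# host 10.2.2.1 are taken from the thread's listing (with fewer LIMIT lines
# pasted than the PARENT count, as in the original); host 10.2.2.7 is invented.
SAMPLE = """\
05700 3260 1950000 allow tcp from table(1) to not 10.2.2.0/24 in via rl0 setup limit src-addr 10
65535 1442 154340 deny ip from any to any
## Dynamic rules (14):
05700 0 0 (8s) PARENT 10 tcp 10.2.2.1 0 <-> 0.0.0.0 0
05700 12 2941 (117s) LIMIT tcp 10.2.2.1 3548 <-> 74.125.39.138 80
05700 47 40403 (118s) LIMIT tcp 10.2.2.1 3542 <-> 79.174.65.215 80
05700 12 1721 (118s) LIMIT tcp 10.2.2.1 3546 <-> 79.174.65.215 80
05700 14 1469 (1s) LIMIT tcp 10.2.2.1 3556 <-> 87.118.86.125 80
05700 0 0 (30s) PARENT 2 tcp 10.2.2.7 0 <-> 0.0.0.0 0
05700 9 1200 (60s) LIMIT tcp 10.2.2.7 4001 <-> 74.125.39.138 443
05700 9 1300 (61s) LIMIT tcp 10.2.2.7 4002 <-> 74.125.39.138 443
"""

# Static rule line: number, packet count, byte count, rule body.
STATIC_RE = re.compile(r"^(\d{5})\s+\d+\s+\d+\s+(.*)$")
# `limit` option: one or more selectors followed by the ceiling N.
LIMIT_RE = re.compile(r"\blimit((?:\s+(?:src|dst)-(?:addr|port))+)\s+(\d+)\b")
# Dynamic state line: number, pkts, bytes, (lifetime), type, proto, src sport <-> dst dport.
DYN_RE = re.compile(
    r"^(\d{5})\s+\d+\s+\d+\s+\(\d+s\)\s+"
    r"(PARENT\s+(\d+)|LIMIT|STATE)\s+\S+\s+"
    r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)$"
)


def _key(selectors, src_ip, src_port, dst_ip, dst_port):
    """Build the tuple the kernel groups states by (e.g. source address for src-addr)."""
    fields = {"src-addr": src_ip, "src-port": src_port,
              "dst-addr": dst_ip, "dst-port": dst_port}
    return tuple(fields[s] for s in selectors)


def limit_usage(show_output):
    """Return one row per (rule, key) with active states versus the rule's limit."""
    limits = {}  # rule number -> (selectors, N)
    usage = defaultdict(lambda: {"parent_count": 0, "listed": 0})
    in_dynamic = False
    for line in show_output.splitlines():
        line = line.strip()
        if line.startswith("## Dynamic rules"):
            in_dynamic = True
            continue
        if not in_dynamic:
            m = STATIC_RE.match(line)
            lm = LIMIT_RE.search(m.group(2)) if m else None
            if lm:
                limits[m.group(1)] = (tuple(lm.group(1).split()), int(lm.group(2)))
            continue
        m = DYN_RE.match(line)
        if not m or m.group(1) not in limits:
            continue  # states from rules without `limit` (keep-state) are skipped
        selectors, _ = limits[m.group(1)]
        entry = usage[(m.group(1), _key(selectors, *m.group(4, 5, 6, 7)))]
        if m.group(3) is not None:
            entry["parent_count"] = int(m.group(3))  # kernel's count of child states
        elif m.group(2) == "LIMIT":
            entry["listed"] += 1  # child states actually present in the text
    report = []
    for (rule, key), entry in sorted(usage.items()):
        selectors, n = limits[rule]
        active = max(entry["parent_count"], entry["listed"])
        report.append({"rule": rule, "selector": " ".join(selectors),
                       "key": " ".join(key), "limit": n, "active": active,
                       "listed": entry["listed"], "at_limit": active >= n})
    return report


if __name__ == "__main__":
    # With nothing piped in, analyse the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for row in limit_usage(text):
        flag = "AT LIMIT" if row["at_limit"] else "ok"
        print(f"rule {row['rule']} limit {row['selector']} {row['key']}: "
              f"{row['active']}/{row['limit']} active ({row['listed']} listed) {flag}")
```

On a live box, pipe the listing in (`ipfw -d show | python3 limit_usage.py`, file name assumed); a host reported as AT LIMIT is one whose further SYNs will fall through to whatever rule follows, which is exactly the symptom the thread is chasing.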