есть Freebsd 8.0 (ядерный ipfw + pf до кучи)
# Adding ipfw, also can be loaded as modules
options IPFIREWALL
# Enables syslog logging for rules that carry the "log" keyword.
options IPFIREWALL_VERBOSE
# Default per-rule logging cap: a rule stops logging after 10 matches
# until its counter is reset (ipfw resetlog).
options IPFIREWALL_VERBOSE_LIMIT=10
# Makes the kernel's built-in default rule (65535) "allow" instead of
# "deny".  Consequences for the ruleset loaded later: anything that
# falls off the end of the ruleset is accepted, so the ruleset itself
# must finish with an explicit deny to be fail-closed, and during a
# "flush"-and-reload everything is briefly accepted.
options IPFIREWALL_DEFAULT_TO_ACCEPT
# Enables the "fwd" action (transparent redirection / policy routing).
options IPFIREWALL_FORWARD
# Adding kernel NAT (the "nat" action); LIBALIAS is the translation engine it uses.
options IPFIREWALL_NAT
options LIBALIAS
# Traffic shaping (pipes and queues)
options DUMMYNET
# Divert sockets, i.e. for userspace NAT (natd)
options IPDIVERT
# This is for OpenBSD's pf firewall.
device pf
device pflog
# pf's QoS - ALTQ
options ALTQ
options ALTQ_CBQ # Class Based Queuing (CBQ).
options ALTQ_RED # Random Early Detection (RED).
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC).
options ALTQ_PRIQ # Priority Queuing (PRIQ).
options ALTQ_NOPCC # Required for SMP build.
# Useful network interfaces
device vlan
device tap #Virtual Ethernet driver.
device gre #IP over IP tunneling.
#device if_bridge #Bridge interface.
device pfsync #synchronization interface for PF.
device carp #Common Address Redundancy Protocol.
device enc #IPsec interface.
device lagg #Link aggregation interface.
#device stf #IPv4-IPv6 port.
Есть желание структурировать хождение пакетов по блокам согласно интерфейсу.
1) нужно ли правило над 2000, если options IPFIREWALL_DEFAULT_TO_ACCEPT --- возможно, лучший вариант будет не allow, а deny
2) куда вставить 1000 - 1010 или там им и место
3) нужны ли все еще 1020 - 1060
4) есть ли у кого подобные примеры конфигов ipfw для подобного
#!/bin/sh
# ipfw ruleset loader: flushes the running ruleset and rebuilds it from
# scratch.  -q keeps ipfw quiet on success (and skips the interactive
# confirmation "flush" would otherwise ask for); errors are still printed.
ipfw="/sbin/ipfw -q"
# NOTE(review): between this flush and the last rule added below the
# kernel default rule is in charge, which accepts under
# IPFIREWALL_DEFAULT_TO_ACCEPT.
${ipfw} flush
#===============================================================#
# Interface names referenced by the dispatch and per-interface blocks.
ethlan="em0"
ethwan="xl0"
ethwar="em1"
# vlan0..vlan8 are carried on ${ethwar}; ethdef is the management VLAN.
ethdef="vlan0"
eth1="vlan1"
eth2="vlan2"
eth3="vlan3"
eth4="vlan4"
eth5="vlan5"
eth6="vlan6"
eth7="vlan7"
eth8="vlan8"
#===============================================================#
# NOTE(review): both values below are placeholders written in prose, not
# ipfw address syntax -- they must be replaced before the script is run.
# ipadmin: addresses the administrator connects from.
ipadmin="ип адреса с которых будет подключаться админ"
# sibnets: all networks that must never arrive from outside; the author
# intends to turn this into a table.
sibnets="тут будут перечислены все сети которые не должны приходить снаружи, скорее всего будет таблица"
#===============================================================#
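# The host talking to itself: allow everything on the loopback
# interface, then drop anything else that carries a 127/8 address.
# Rule numbers are written after "add", the documented ipfw form, to
# match the rest of the script (the number-first spelling relies on
# an undocumented compatibility swap in the ipfw binary).
${ipfw} add 1000 allow all from any to any via lo0
${ipfw} add 1005 deny ip from any to 127.0.0.0/8
${ipfw} add 1010 deny ip from 127.0.0.0/8 to any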
#===============================================================#
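# Sanity checks applied to every packet before the per-interface dispatch.
# Reject TCP segments with every flag set ("Xmas" scan).
# The flag list must be one comma-separated token: with spaces after the
# commas the shell splits it into "fin," "syn," ... and ipfw rejects the
# rule, so the original lines never loaded.
${ipfw} add 1030 reject log tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
# Reject TCP segments with no flags set (NULL scan).
${ipfw} add 1040 reject log tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
# Reject a bare FIN on a connection that was never established (FIN scan).
${ipfw} add 1044 reject log tcp from any to any not established tcpflags fin
# Per-source cap on new connections; left disabled as the author had it.
# (The original commented line also lacked "add" and would not have loaded.)
#${ipfw} add 1046 allow ip from any to any setup limit src-addr 10
# Anti-spoofing: drop inbound packets whose source address would not be
# routed back out through the interface they arrived on.
${ipfw} add 1050 deny ip from any to any not verrevpath in
# Drop non-first IP fragments.
${ipfw} add 1060 deny ip from any to any frag
# Consult the dynamic rules created by the keep-state rules further down.
# Without a check-state rule the dynamic ruleset is only consulted at the
# first keep-state/limit rule a packet reaches, and the inbound blocks
# below contain none -- replies to state-creating flows would hit the
# blocks' deny and be dropped.  Placed after the sanity checks so that
# malformed or spoofed packets are refused even for established flows.
${ipfw} add 1070 check-state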
#===============================================================#
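# Dispatch: hand each packet to the block for its direction/interface.
# Every dispatch rule carries an explicit number.  Without one ipfw
# assigns "highest existing rule + autoinc_step" (100 by default), so
# these 26 rules, added after 1060, would be spread upwards in steps of
# 100 and interleave with the numbered 2000+ blocks, breaking the skipto
# chain (a packet leaving block 2000 would run into later dispatch rules
# instead of that block's terminator).
# The VLAN rules use the interface variables defined at the top instead
# of repeating the literal names.
${ipfw} add 1100 set 1 skipto 2000 ip from any to me in
${ipfw} add 1110 set 2 skipto 2500 ip from me to any out
${ipfw} add 1120 set 3 skipto 3000 ip from any to any in via ${ethwan}
${ipfw} add 1130 set 4 skipto 3500 ip from any to any out via ${ethwan}
${ipfw} add 1140 set 5 skipto 4000 ip from any to any in via ${ethwar}
${ipfw} add 1150 set 6 skipto 4500 ip from any to any out via ${ethwar}
${ipfw} add 1160 set 7 skipto 5000 ip from any to any in via ${ethdef}
${ipfw} add 1170 set 8 skipto 5500 ip from any to any out via ${ethdef}
${ipfw} add 1180 set 9 skipto 6000 ip from any to any in via ${eth1}
${ipfw} add 1190 set 10 skipto 6500 ip from any to any out via ${eth1}
${ipfw} add 1200 set 11 skipto 7000 ip from any to any in via ${eth2}
${ipfw} add 1210 set 12 skipto 7500 ip from any to any out via ${eth2}
${ipfw} add 1220 set 13 skipto 8000 ip from any to any in via ${eth3}
${ipfw} add 1230 set 14 skipto 8500 ip from any to any out via ${eth3}
${ipfw} add 1240 set 15 skipto 9000 ip from any to any in via ${eth4}
${ipfw} add 1250 set 16 skipto 9500 ip from any to any out via ${eth4}
${ipfw} add 1260 set 17 skipto 10000 ip from any to any in via ${eth5}
${ipfw} add 1270 set 18 skipto 10500 ip from any to any out via ${eth5}
${ipfw} add 1280 set 19 skipto 11000 ip from any to any in via ${eth6}
${ipfw} add 1290 set 20 skipto 11500 ip from any to any out via ${eth6}
${ipfw} add 1300 set 21 skipto 12000 ip from any to any in via ${eth7}
${ipfw} add 1310 set 22 skipto 12500 ip from any to any out via ${eth7}
${ipfw} add 1320 set 23 skipto 13000 ip from any to any in via ${eth8}
${ipfw} add 1330 set 24 skipto 13500 ip from any to any out via ${eth8}
${ipfw} add 1340 set 25 skipto 14000 ip from any to any in via ${ethlan}
${ipfw} add 1350 set 26 skipto 14500 ip from any to any out via ${ethlan}
# Anything not claimed by a block above (traffic on an interface that is
# not listed) is denied and logged.  The kernel's own default rule accepts
# because of IPFIREWALL_DEFAULT_TO_ACCEPT, so this rule is what makes the
# policy fail-closed for unlisted interfaces.
${ipfw} add 1360 deny log ip from any to any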
#===============================================================#
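# local host - in: everything addressed to the router itself #
${ipfw} add 2000 set 1 count ip from any to any
# Presumably table(0) holds the networks that must never show up on the
# outside (see sibnets): drop everything from them except ICMP.
${ipfw} add 2010 deny not icmp from "table(0)" to me
# NTP and SNMP from any source.  NOTE(review): SNMP (161) reachable from
# anywhere is usually unwanted; limiting it to ${ipadmin} would be safer.
${ipfw} add 2020 allow udp from any to me 123,161
${ipfw} add 2030 allow tcp from ${ipadmin} to me 20,21,80
${ipfw} add 2040 allow tcp from ${ipadmin} to me 22
${ipfw} add 2050 allow udp from any to me domain
# Block terminator.  It carries an explicit number so it stays inside
# the 2000 block: unnumbered, ipfw would place it after the highest
# existing rule, far past 2500, and packets would fall out of the block.
${ipfw} add 2490 set 1 deny ip from any to any
# local host - out
${ipfw} add 2500 set 2 count ip from any to any
${ipfw} add 2990 set 2 allow ip from any to any keep-state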
#===============================================================#
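# ethwan - in (xl0): traffic arriving from the Internet #
${ipfw} add 3000 set 3 count ip from any to any
# Internal/private networks must never arrive from outside.  Using deny
# rather than reject: answering a packet with a bogus source would only
# send ICMP errors towards whoever that source address belongs to.
# NOTE(review): sibnets is a placeholder; if it becomes a table the rule
# should use "table(N)" in quotes, as rule 2010 does.
${ipfw} add 3010 deny ip from ${sibnets} to any
# Explicitly numbered terminator so it stays inside the 3000 block.
${ipfw} add 3490 set 3 deny ip from any to any
# ethwan - out (xl0): traffic leaving to the Internet
${ipfw} add 3500 set 4 count ip from any to any
${ipfw} add 3990 set 4 allow ip from any to any keep-state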
#===============================================================#
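# (em1) ethwar - in: parent interface carrying all the VLANs #
${ipfw} add 4000 set 5 count ip from any to any
# Explicitly numbered terminator so it stays inside the 4000 block.
${ipfw} add 4490 set 5 deny ip from any to any
# (em1) ethwar - out: parent interface carrying all the VLANs
${ipfw} add 4500 set 6 count ip from any to any
${ipfw} add 4990 set 6 allow ip from any to any keep-state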
#===============================================================#
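# vlan0 - in: management VLAN for the L2 switches #
${ipfw} add 5000 set 7 count ip from any to any
# Explicitly numbered terminator so it stays inside the 5000 block.
${ipfw} add 5490 set 7 deny ip from any to any
# vlan0 - out: management VLAN for the L2 switches
${ipfw} add 5500 set 8 count ip from any to any
${ipfw} add 5990 set 8 allow ip from any to any keep-state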
#===============================================================#
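# vlan1 - in: counter only, everything inbound is denied #
${ipfw} add 6000 set 9 count ip from any to any
# Explicitly numbered terminator so it stays inside the 6000 block.
${ipfw} add 6490 set 9 deny ip from any to any
# vlan1 - out
${ipfw} add 6500 set 10 count ip from any to any
${ipfw} add 6990 set 10 allow ip from any to any keep-state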
#===============================================================#
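# vlan2 - in: counter only, everything inbound is denied #
${ipfw} add 7000 set 11 count ip from any to any
# Explicitly numbered terminator so it stays inside the 7000 block.
${ipfw} add 7490 set 11 deny ip from any to any
# vlan2 - out
${ipfw} add 7500 set 12 count ip from any to any
${ipfw} add 7990 set 12 allow ip from any to any keep-state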
#===============================================================#
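# vlan3 - in: counter only, everything inbound is denied #
${ipfw} add 8000 set 13 count ip from any to any
# Explicitly numbered terminator so it stays inside the 8000 block.
${ipfw} add 8490 set 13 deny ip from any to any
# vlan3 - out
${ipfw} add 8500 set 14 count ip from any to any
${ipfw} add 8990 set 14 allow ip from any to any keep-state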
#===============================================================#
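# vlan4 - in: counter only, everything inbound is denied #
${ipfw} add 9000 set 15 count ip from any to any
# Explicitly numbered terminator so it stays inside the 9000 block.
${ipfw} add 9490 set 15 deny ip from any to any
# vlan4 - out
${ipfw} add 9500 set 16 count ip from any to any
${ipfw} add 9990 set 16 allow ip from any to any keep-state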
#===============================================================#
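# vlan5 - in: counter only, everything inbound is denied #
${ipfw} add 10000 set 17 count ip from any to any
# Explicitly numbered terminator so it stays inside the 10000 block.
${ipfw} add 10490 set 17 deny ip from any to any
# vlan5 - out
${ipfw} add 10500 set 18 count ip from any to any
${ipfw} add 10990 set 18 allow ip from any to any keep-state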
#===============================================================#
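# vlan6 - in: counter only, everything inbound is denied #
${ipfw} add 11000 set 19 count ip from any to any
# Explicitly numbered terminator so it stays inside the 11000 block.
${ipfw} add 11490 set 19 deny ip from any to any
# vlan6 - out
${ipfw} add 11500 set 20 count ip from any to any
${ipfw} add 11990 set 20 allow ip from any to any keep-state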
#===============================================================#
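# vlan7 - in: counter only, everything inbound is denied #
${ipfw} add 12000 set 21 count ip from any to any
# Explicitly numbered terminator so it stays inside the 12000 block.
${ipfw} add 12490 set 21 deny ip from any to any
# vlan7 - out
${ipfw} add 12500 set 22 count ip from any to any
${ipfw} add 12990 set 22 allow ip from any to any keep-state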
#===============================================================#
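# vlan8 - in: counter only, everything inbound is denied #
${ipfw} add 13000 set 23 count ip from any to any
# Explicitly numbered terminator so it stays inside the 13000 block.
${ipfw} add 13490 set 23 deny ip from any to any
# vlan8 - out
${ipfw} add 13500 set 24 count ip from any to any
${ipfw} add 13990 set 24 allow ip from any to any keep-state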
#===============================================================#
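# Local network (em0) ethlan - in #
# The "in via"/"out via" qualifiers keep an inbound em0 packet, which
# falls straight through 14000, from also being counted by 14500.
${ipfw} add 14000 set 25 count ip from any to any in via ${ethlan}
# Local network (em0) ethlan - out
${ipfw} add 14500 set 26 count ip from any to any out via ${ethlan}
# NOTE(review): neither LAN block has a terminal allow/deny yet, so LAN
# traffic falls through to the kernel default rule, which accepts under
# IPFIREWALL_DEFAULT_TO_ACCEPT; add the intended policy here before
# relying on the ruleset.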
#===============================================================#