forum.lissyara.su

Код: Выделить всё

...
firewall_nat_enable="YES"
firewall_nat_interface="xl1"
...

Код: Выделить всё

...
${fwcmd} add nat 275 ip from ${NET_Int} to any out via ${IF_Ext}
${fwcmd} add nat 275 ip from any to ${IP_Ext} in via ${IF_Ext}

${FwCMD} nat 275 config ip ${IP_Ext} log ${firewall_nat_flags}\
                        redirect_port tcp 192.168.1.59:5900 7559
...

Код: Выделить всё

11:09:31.121858 IP xxx.xxx.xxx.xxx.3619 > 192.168.1.59.5900: S 3498433560:3498433560(0) win 65535 <mss 1460,nop,nop,sackOK>
11:09:34.071148 IP xxx.xxx.xxx.xxx.3619 > 192.168.1.59.5900: S 3498433560:3498433560(0) win 65535 <mss 1460,nop,nop,sackOK>
11:09:40.206275 IP xxx.xxx.xxx.xxx.3619 > 192.168.1.59.5900: S 3498433560:3498433560(0) win 65535 <mss 1460,nop,nop,sackOK>

Код: Выделить всё

Внешний:
12:01:11.808397 IP 123.456.789.012.2109 > xxx.xxx.xxx.xxx.7559: S 176312708:176312708(0) win 65535 <mss 1460,nop,nop,sackOK>
12:01:14.764365 IP 123.456.789.012.2109 > xxx.xxx.xxx.xxx.7559: S 176312708:176312708(0) win 65535 <mss 1460,nop,nop,sackOK>
12:01:20.780351 IP 123.456.789.012.2109 > xxx.xxx.xxx.xxx.7559: S 176312708:176312708(0) win 65535 <mss 1460,nop,nop,sackOK>

Внутренний:
12:03:19.638099 IP 123.456.789.012.2112 > 192.168.1.59.5900: S 421340541:421340541(0) win 65535 <mss 1460,nop,nop,sackOK>
12:03:22.522260 IP 123.456.789.012.2112 > 192.168.1.59.5900: S 421340541:421340541(0) win 65535 <mss 1460,nop,nop,sackOK>
12:03:28.538249 IP 123.456.789.012.2112 > 192.168.1.59.5900: S 421340541:421340541(0) win 65535 <mss 1460,nop,nop,sackOK>

Код: Выделить всё

01900 allow tcp from any to me dst-port 7559

Код: Выделить всё

gw# tcpdump -i lo0 -n port 7559
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
15:39:34.000978 IP xxx.xxx.xxx.xxx.50867 > xxx.xxx.xxx.xxx.7559: S 1623307630:1623307630(0) win 65535 <mss 16344,nop,wscale 3,sackOK,timestamp 8095418 0>
15:39:34.000995 IP xxx.xxx.xxx.xxx.7559 > xxx.xxx.xxx.xxx.50867: R 0:0(0) ack 1623307631 win 0
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

Код: Выделить всё

#!/bin/sh
fwcmd="/sbin/ipfw -q"

IF_Int="xl0"
IP_Int="192.168.1.1"
NET_Int="192.168.1.0/24"

IF_Ext="xl1"
IP_Ext="xxx.xxx.xxx.xxx"
NET_Ext="xxx.xxx.xxx.xxx/28"

IF_pptp="ng0"

# Сбрасываем все правила:
${fwcmd} -f flush

# Проверяем - соответствует ли пакет динамическим правилам:
${fwcmd} add check-state

# Bruteblock
${fwcmd} add deny ip from table\(1\) to any

# Разрешаем весь траффик по внутреннему интерфейсу
${fwcmd} add allow ip from any to any via lo0

# рубим попытки lo0 куда-то лезть и откуда-то лезть на lo0
${fwcmd} add deny ip from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any

# режем частные сети на внешнем интерфейсе,etc
${fwcmd} add deny ip from any to 10.0.0.0/8 in via ${IF_Ext}
${fwcmd} add deny ip from any to 172.16.0.0/12 in via ${IF_Ext}
${fwcmd} add deny ip from any to 192.168.0.0/16 in via ${IF_Ext}
${fwcmd} add deny ip from any to 0.0.0.0/8 in via ${IF_Ext}
${fwcmd} add deny ip from any to 169.254.0.0/16 in via ${IF_Ext}
${fwcmd} add deny ip from any to 240.0.0.0/4 in via ${IF_Ext}
${fwcmd} add deny icmp from any to any frag
${fwcmd} add deny log icmp from any to 255.255.255.255 in via ${IF_Ext}
${fwcmd} add deny log icmp from any to 255.255.255.255 out via ${IF_Ext}

#squid
${fwcmd} add fwd 127.0.0.1,3128 tcp from ${NET_Int} to any 80 via ${IF_Ext}

${fwcmd} add allow tcp from any to any 7559
##### Запускаем NAT #####
${fwcmd} add nat 67 all from ${NET_Int} to any out via ${IF_Ext}
${fwcmd} add nat 67 all from any to ${IP_Ext} in via ${IF_Ext}
${fwcmd} nat 67 config ip ${IP_Ext} log redirect_port tcp 192.168.1.59:5900 7559

##### VPN-connect - это порт для даемона MPD, на него поступают запросы на авторизацию
${fwcmd} add allow tcp from any to me 1723 keep-state
${fwcmd} add allow gre from any to any via ${IF_Ext}
${fwcmd} add allow ip from any to any via ng0

# рубим траффик к частным сетям через внешний интерфейс, etc.
${fwcmd} add deny ip from 10.0.0.0/8 to any out via ${IF_Ext}
${fwcmd} add deny ip from 172.16.0.0/12 to any out via ${IF_Ext}
${fwcmd} add deny ip from 192.168.0.0/16 to any out via ${IF_Ext}
${fwcmd} add deny ip from 0.0.0.0/8 to any out via ${IF_Ext}
${fwcmd} add deny ip from 169.254.0.0/16 to any out via ${IF_Ext}
${fwcmd} add deny ip from 224.0.0.0/4 to any out via ${IF_Ext}
${fwcmd} add deny ip from 240.0.0.0/4 to any out via ${IF_Ext}

# разрешаем все установленные соединения
${fwcmd} add allow tcp from any to any established

${fwcmd} add allow ip from ${IP_Ext} to any out xmit ${IF_Ext}

#DNS снаружи
${fwcmd} add allow udp from any 53 to any via ${IF_Ext}
# DNS для bind
${fwcmd} add allow udp from any to any 53 via ${IF_Ext}
# разрешаем UDP (для синхронизации времени - 123 порт)
${fwcmd} add allow udp from any to any 123 via ${IF_Ext}

${fwcmd} add allow icmp from any to any icmptypes 0,8,11
# открываем снаружи 25 порт (SMTP)
${fwcmd} add allow tcp from any to ${IP_Ext} 25 via ${IF_Ext}
# открываем снаружи 143 порт (IMAP)
${fwcmd} add allow tcp from any to ${IP_Ext} 143 via ${IF_Ext}
# открываем снаружи 110 порт (POP)
${fwcmd} add allow tcp from any to ${IP_Ext} 110 via ${IF_Ext}

${fwcmd} add allow ip from any to any via ${IF_Int}
${fwcmd} add deny log ip from any to any