forum.lissyara.su

Код: Выделить всё

nc0 10.65.1.1/18 - inside
lnc1 192.168.0.1/24 - outside

Код: Выделить всё

#!/bin/sh
 
/sbin/ipfw -q add 1000 allow all from any to any via lo0
/sbin/ipfw -q add 2000 allow all from 10.65.1.0/18 to any keep-state
/sbin/ipfw -q add 3000 allow icmp from 192.168.0.1/24 to me
/sbin/ipfw -q add 4000 allow all from me to any keep-state
/sbin/ipfw -q add 65535 deny all from any to any

Код: Выделить всё

/etc/ipnat.rules
MAP lnc1 10.65.1.0/18 -> 192.168.168.0.1/32 proxy port ftp ftp/tcp
MAP lnc1 10.65.1.0/18 -> 192.168.168.0.1/32 portmap tcp/udp 40000:65000
MAP lnc1 10.65.1.0/18 -> 192.168.168.0.1/32

Код: Выделить всё

pnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

Код: Выделить всё

18:45:09.790447 IP 192.168.0.1 > 192.168.0.10: ICMP echo request, id 512, seq 48896, length 40

Код: Выделить всё

tcpdump -i lnc0 -n

Код: Выделить всё

18:50:18.460087 IP 192.168.0.10 > 10.65.1.100: ICMP echo reply, id 512, seq 62209, length 40

Код: Выделить всё

###############Tables############
table <ipblock> persist file "/etc/ipblock.txt"
table <fuck> persist
################Sets's###########
set skip on lo0
set optimization aggressive
set block-policy drop
set limit { states 20000, frags 20000, src-nodes 20000 }
set state-policy floating
set timeout { frag 10, tcp.established 3600 }
scrub in all fragment reassemble
################Block all fucking sime bad packets 
block all
antispoof log quick for { lo0, $ext_if }
block in log quick on $ext_if proto tcp from any to any flags /S
block in log quick on $ext_if proto tcp from any to any flags /SFRA
block in log quick on $ext_if proto tcp from any to any flags /SFRAU
block in log quick on $ext_if proto tcp from any to any flags A/A
block in log quick on $ext_if proto tcp from any to any flags F/SFRA
block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SF/SF
block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if proto tcp from any to any flags SR/SR
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP
block return in log quick on $ext_if from any to <AdWare>
block in log quick on $ext_if from { <RFC1918>, <AdWare> } to any
block out log quick on $ext_if from any to { <RFC1918>, <AdWare> }
block in quick from any os NMAP
block in inet proto icmp all icmp-type $icmp_types
block in quick log on $ext_if from <ipblock> to any
block drop in log quick on $ext_if from $non_route_nets_inet to any
block drop log quick from <fuck>
###############Allow's###########################
pass in on $ext_if  proto tcp from any to $ext_if  port $httpd  queue ( qssh, qack ) synproxy state ( max-src-conn 50, max-src-conn-rate 100/2, overload <fuck> flush global )

Код: Выделить всё

gateway_enable="YES" 
forward_ipv4="YES"
inetd_enable="YES"
firewall_type="/etc/firewall.conf
ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags =""