forum.lissyara.su

Код: Выделить всё

#----allow all lo0 traffic----------------------

$fwcmd add 1000 allow ip from any to any via lo0

#----Kernell NAT----------------------------------------------

ipfw nat 1 config log ip $extip reset same_ports redirect_port tcp 10.0.0.9:8888 8888
$fwcmd add 2800 nat 1 ip from "table(7)" to any out via $extif
$fwcmd add 2900 nat 1 ip from any to $extip in via $extif

#---check-state------------

$fwcmd add 3900 check-state

#---allow all LAN traffic----------------------------------

$fwcmd add 4200 allow ip from any to $intnet in via $intif
$fwcmd add 4300 allow ip from $intnet to any out via $intif

#----allow all established tcp connections-----------

$fwcmd add 4400 allow tcp from any to any established

#----allow DNS requests on extiface (53 port)----------------------------

$fwcmd add 4500 allow udp from any to $extip 53 in via $extif
$fwcmd add 4600 allow udp from $extip 53 to any out via $extif keep-state
$fwcmd add 4700 allow udp from any 53 to $extip in via $extif
$fwcmd add 4800 allow udp from $extip to any 53 out via $extif keep-state

#----block other established tcp connections-------------------

$fwcmd add 6600 deny tcp from any to $extip in via $extif setup

#----allow established tcp connections from ext IP to ext interface---------

$fwcmd add 6700 allow tcp from $extip to any out via $extif setup keep-state
$fwcmd add 6800 allow tcp from any to $extip in via $intif setup

#----FULL TCP INET Table 1--------------------------------------------------------------------------

$fwcmd add 6900 allow tcp from "table(1)" to not $intnet in via $intif setup limit src-addr 500

Код: Выделить всё

allow tcp from any to any established

Код: Выделить всё

deny tcp from any to $extip in via $extif setup

Код: Выделить всё

Dynamic rules will be checked at the first check-state,keep-state or limit occurrence, and the action performed upon a match will be the same as in the parent rule.

Код: Выделить всё

  DYNAMIC RULES
     In order to protect a site from flood attacks involving fake TCP packets,
     it is safer to use dynamic rules:

	   ipfw add check-state
	   ipfw add deny tcp from any to any established
	   ipfw add allow tcp from my-net to any setup keep-state

     This will let the firewall install dynamic rules only for those connec-
     tion which start with a regular SYN packet coming from the inside of our
     network.  Dynamic rules are checked when encountering the first
     check-state or keep-state rule.  A check-state rule should usually be
     placed near the beginning of the ruleset to minimize the amount of work
     scanning the ruleset.  Your mileage may vary.

Код: Выделить всё

#----block other established tcp connections-------------------

$fwcmd add 6600 deny tcp from any to $extip in via $extif setup

#----allow established tcp connections from ext IP to ext interface---------

$fwcmd add 6700 allow tcp from $extip to any out via $extif setup keep-state
$fwcmd add 6800 allow tcp from any to $extip in via $intif setup

Код: Выделить всё

ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from my-net to any setup keep-state

Код: Выделить всё

$fwcmd add 6900 allow tcp from "table(1)" to not $intnet in via $intif setup limit src-addr 500

Код: Выделить всё

ipfw add allow ip from me to any via ${extif} keep-state

Код: Выделить всё

#---check-state------------

$fwcmd add 100 check-state

#----allow all lo0 traffic----------------------

$fwcmd add 1000 allow ip from any to any via lo0

#----Kernell NAT----------------------------------------------

ipfw nat 1 config log ip $extip reset same_ports redirect_port tcp 10.0.0.9:8888 8888
$fwcmd add 2800 nat 1 ip from "table(7)" to any out via $extif
$fwcmd add 2900 nat 1 ip from any to $extip in via $extif

#---allow all LAN traffic----------------------------------

$fwcmd add 4200 allow ip from any to $intnet in via $intif
$fwcmd add 4300 allow ip from $intnet to any out via $intif

#----allow all established tcp connections-----------

$fwcmd add 4400 deny tcp from any to any established

#----allow DNS requests on extiface (53 port)----------------------------

$fwcmd add 4500 allow udp from any to $extip 53 in via $extif
$fwcmd add 4600 allow udp from $extip 53 to any out via $extif keep-state
$fwcmd add 4700 allow udp from any 53 to $extip in via $extif
$fwcmd add 4800 allow udp from $extip to any 53 out via $extif keep-state

#----FULL TCP INET Table 1--------------------------------------------------------------------------

$fwcmd add 6900 allow tcp from "table(1)" to not $intnet in via $intif setup limit src-addr 500

Код: Выделить всё

$fwcmd add 1100 check-state
...
$fwcmd add 4450 allow ip from me to any out via $extif keep-state

Код: Выделить всё

me - matches any IP address configured on an interface in the system.

Код: Выделить всё

$fwcmd add 6900 allow ip from "table(1)" to not $intnet in via $intif setup limit src-addr 500