forum.lissyara.su

Код: Выделить всё

LanOut="em1"            # внешний интерфейс
LanIn="em0"            # внутренний интерфейс
IpOut="xxx.xx.xxx.xx" # внешний IP адрес машины
IpIn="192.168.52.1"   # внутренний IP машины
NetMask="24"            # маска сети
NetIn="192.168.52.0"    # Внутренняя сеть
ip_lan="192.168.52"
ipfw -f flush
ipfw add check-state
ipfw add allow ip from any to any via lo0
ipfw add deny ip from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any


ipfw add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80 via ${LanOut}

ipfw add divert natd ip from ${NetIn}/${NetMask} to any out via ${LanOut}
ipfw add divert natd ip from any to ${IpOut} in via ${LanOut}

ipfw add deny ip from 10.0.0.0/8 to any out via ${LanOut}
ipfw add deny ip from 172.16.0.0/12 to any out via ${LanOut}
#ipfw add deny ip from 192.168.0.0/16 to any out via ${LanOut}
ipfw add deny ip from 0.0.0.0/8 to any out via ${LanOut}
ipfw add deny ip from 169.254.0.0/16 to any out via ${LanOut}
ipfw add deny ip from 224.0.0.0/4 to any out via ${LanOut}
ipfw add deny ip from 240.0.0.0/4 to any out via ${LanOut}

ipfw add allow icmp from any to any icmptypes 0,8,11

ipfw add allow ip from any to ${NetIn} in via ${LanIn}
ipfw add allow ip from ${NetIn} to any out via ${LanIn}

ipfw add allow tcp from any to any established

ipfw add allow ip from ${IpOut} to any out xmit ${LanOut}

ipfw add allow udp from any 53 to any via ${LanIn}
ipfw add allow tcp from any to ${IpOut} 80 via ${LanOut}
ipfw add allow tcp from any to ${IpOut} 22 via ${LanOut}
ipfw add allow ip from any to any 3389
ipfw add allow ip from any to any 80
ipfw add allow ip from any to ${IpIn}

ipfw add allow udp from ${IpOut} 53 to any out via ${LanOut}
ipfw add allow udp from ${IpOut} to any 53 out via ${LanOut}

ipfw add allow udp from any to ${IpOut} 53 in via ${LanOut}
ipfw add allow udp from any 53 to ${IpOut} in via ${LanOut}

ipfw add allow udp from any to any 123 via ${LanOut}

# разрешаем снаружи соединяться с 53 портом (TCP DNS)
ipfw add allow tcp from any to ${IpOut} 53 in via ${LanOut} setup
#ipfw add allow tcp from any to ${IpOut} 80 in via ${LanOut} setup
#ipfw add allow ip from any to ${IpOut} 3389 in via ${LanOut} setup
ipfw add allow tcp from any to ${IpOut} 22 in via ${LanOut} setup
ipfw add deny log tcp from any to ${IpOut} in via ${LanOut} setup
ipfw add allow tcp from ${IpOut} to any out via ${LanOut} setup
ipfw add allow tcp from any to ${IpOut} in via ${LanIn} setup

# only web
####### разрешаем WEB для дипазона 192.168.52.220-192.168.52.254
i=240
while [ $i != 255 ]
do
ipfw add $i allow tcp from 192.168.52.$i to not ${NetIn} 80,443 in via ${LanIn} setup
i=$(($i+1))
done

ipfw add allow tcp from ${ip_lan}.233 to not ${NetIn} 80,443 in via ${LanIn} setup
# full inet
# разрешаем инет для дипазона 192.168.52.220-192.168.52.254
i=240
while [ $i != 255 ]
do
ipfw add $i allow tcp from 192.168.52.$i to not ${NetIn} in via ${LanIn} setup
i=$(($i+1))
done
ipfw add allow tcp from ${ip_lan}.129 to not ${NetIn} in via ${LanIn} setup
ipfw add allow tcp from ${ip_lan}.16 to not ${NetIn} in via ${LanIn} setup
ipfw add deny ip from any to any

Код: Выделить всё

defaultrouter="xxx.xx.xxx.x" # шлюз провайдера
#defaultrouter="192.168.52.1"
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
hostname="gt.int.lemz.spb.ru"
ifconfig_em0="inet 192.168.52.1  netmask 255.255.255.0"
ifconfig_em1="inet xxx.xx.xxx.xx  netmask 255.255.255.248"
keymap="ru.koi8-r"
scrnmap="koi8-r2cp866"
sshd_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
#inetd_enable="YES"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/rc.firewall"
#firewall_logging="YES"
natd_enable="YES"
natd_interface="em1"
natd_flags="-m -u"
#winbindd_enable="YES"
squid_enable="YES"
rinetd_enable="YES"

Код: Выделить всё

domain  xxx.x.ru
nameserver      xxx.xx.xxx.xx # dns провайдера
nameserver      192.168.52.129