forum.lissyara.su

Код: Выделить всё

acl localnet src 10.10.1.0/24 # наша локальная сеть
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

http_access allow localhost manager
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow all

http_access allow localhost

http_access deny all

http_port 127.0.0.1:3128 intercept

forwarded_for off

cache_dir ufs /var/squid/cache/squid 100 16 256

# dns_nameservers 213.179.249.138 213.179.249.131

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Код: Выделить всё

#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
# pif=rl0
iif=re0
iif2=rl0
eif=ng0

# re0 local net
# rl0 nternet (ADSL)

ks="keep-state"
good_tcpo="20,21,22,25,37,43,53,80,443,110,119"

ipfw -q -f flush

$cmd 002 allow all from any to any via lo0  # exclude LAN traffic
$cmd 003 allow all from any to any via $iif  # exclude loopback traffic
$cmd 003 allow all from any to any via $iif2  # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $eif
$cmd 101 check-state

######## OUT section
$cmd 105 allow log tcp from me to any out via $eif $ks uid squid
$cmd 106 allow log tcp from any to any out via $eif $ks uid squid
$cmd 119 $skip log tcp from 10.10.1.0/24 to any $good_tcpo out setup $ks
$cmd 120 $skip udp from any to any 53 out via $eif $ks
$cmd 130 $skip icmp from any to any out via $eif $ks
$cmd 135 $skip udp from any to any 123 out via $eif $ks

############### IN section
$cmd 300 deny all from 192.168.0.0/16  to any in via $eif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via $eif  #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $eif  #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $eif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $eif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $eif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $eif  #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $eif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via $eif  #Class D & E multicast

# allow in
$cmd 420 allow tcp from any to me 80 in via $eif setup limit src-addr 10
$cmd 450 deny log ip from any to any

# skipto
# $cmd 500 fwd 127.0.0.1,3128 log all from any to any 80 out
$cmd 520 divert natd log ip from any to any out via $eif
$cmd 530 allow ip from any to any