forum.lissyara.su

Код: Выделить всё

Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1499 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1502 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1507 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1497 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1504 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1510 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1501 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1498 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1511 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1512 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1503 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1500 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1506 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1513 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1505 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1508 *.170.77.218:80 in via rl0
Oct 12 02:11:57  kernel: ipfw: 11300 Deny UDP 192.164.100.61:1515 *.170.77.218:80 in via rl0

Код: Выделить всё

sysctl net.inet.ip.fw.verbose=0

Код: Выделить всё

kernel: Limiting icmp ping response from 400 to 200 packets/sec

Код: Выделить всё

gateway# ping -f 19.168.2.2
PING 19.168.2.2 (19.168.2.2): 56 data bytes
.........................................................................................................................................................^C
--- 19.168.2.2 ping statistics ---
153 packets transmitted, 0 packets received, 100% packet loss
gateway#

Логи в messages:
Oct 12 12:12:41 gateway kernel: Limiting icmp ping response from 283 to 200 packets/sec

Код: Выделить всё

13:42:36  	1192182156  	132.43.232.64  	80  	217.170.77.218  	0  	tcp  	40  	1

Код: Выделить всё

#!/bin/sh

FwCMD="/sbin/ipfw" 

#INTERFACES!!!!
LanOut="fxp0"
LanIn="rl0"    
#    

IpOut="*.*.79.253"
IpIn="192.164.100.101"
IpIn1="192.168.100.1"
IpIn2="192.168.4.250"
RealIpIn="*.245.160.113"
NetIn="192.168.100.0/24"
NetIn2="192.168.4.0/24"
NetIn3="192.164.100.0/24"
NetRealIn="87.245.160.0/24"

${FwCMD} -f flush
${FwCMD} -f pipe flush
${FwCMD} -f queue flush

${FwCMD} add check-state

#Traffic counting
${FwCMD} add divert 10001 ip from any to any via ${LanOut}
${FwCMD} add divert 10002 ip from any to any via ${LanIn}

${FwCMD} add allow ip from any to any via lo0

# icmp
${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny icmp from any to 255.255.255.255 out via ${LanOut}
${FwCMD} add deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${FwCMD} add deny ip from any to ${IpOut} 137-139,445 in via ${LanOut}
${FwCMD} add deny ip from any to ${IpOut} 137-139,445 in via ${LanIn}

${FwCMD} add deny ip from any to 10.0.0.0/8 in recv ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in recv ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in recv ${LanOut}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}

#${FwCMD} add deny tcp from any to me 5190 via ${LanOut}
${FwCMD} add deny tcp from any to me 1720 via ${LanOut}

${FwCMD} add deny tcp from any to me 3128 via ${LanOut}
${FwCMD} add deny tcp from any to me 3306 via ${LanOut}

${FwCMD} add allow ip from any to me 20 via ${LanOut}
${FwCMD} add allow ip from any to me 20 via ${LanIn}

#PIPE OUT
#ipfw -q pipe 30 config bw 512Kbit/s mask src-ip 0xffffffff
#ipfw -q add pipe 30 all from 192.164.100.0/24 to any out via ${LanOut}
#ipfw -q add pipe 30 all from 192.168.100.0/24 to any out via ${LanOut}
#ipfw -q add pipe 30 all from 192.168.4.0/24 to any out via ${LanOut}

#for ip alias
----------------/usr/local/etc/traf/rc.ip //вставка на перле
 #!/usr/bin/perl
  require ("/usr/local/##################");
  use Mysql;
  $dbh = Mysql->connect($db_host,$db_database,$db_user,$db_password);

  $sth=$dbh->Query("SELECT * FROM users_".$hostname);

  while (%hash = $sth->FetchHash) {
  if ($hash{'enabled'} eq "on") {
  if ($hash{'ip_type'} eq "real") {
    system("/sbin/ipfw add allow ip from $hash{'ip'} to any\n");
    system("/sbin/ipfw add allow ip from any to $hash{'ip'}\n");
 }
 if ($hash{'ip_type'} eq "natd") {
    system("/sbin/ipfw add divert natd ip from $hash{'ip'} to any\n");
 }
 } 

 };
------------------------------

${FwCMD} add divert natd ip from any to ${IpOut} via ${LanOut}

#PIPE IN
ipfw pipe 1 config bw 1Mbit/s queue 10
ipfw queue 1 config pipe 1 weight 100
ipfw add queue 1 all from any to 192.164.100.0/24 in via ${LanOut}
ipfw add queue 1 all from any to 192.168.100.0/24 in via ${LanOut}
ipfw add queue 1 all from any to 192.168.4.0/24 in via ${LanOut}

ipfw pipe 2 config bw 1Mbit/s queue 10
ipfw queue 2 config pipe 2 weight 100
ipfw add queue 2 all from 192.164.100.0/24 to any out via ${LanOut}
ipfw add queue 2 all from 192.168.100.0/24 to any out via ${LanOut}
ipfw add queue 2 all from 192.168.4.0/24 to any out via ${LanOut}

${FwCMD} add allow ip from any to me
${FwCMD} add allow ip from me to any


#ALLOW LAN's
------------/usr/local/etc/traf/rc_allow.ip //вставка на перле
#!/usr/bin/perl
require ("/usr/local/############");
use Mysql;
$dbh = Mysql->connect($db_host,$db_database,$db_user,$db_password);

$sth=$dbh->Query("SELECT * FROM users_".$hostname);

while (%hash = $sth->FetchHash) {
if ($hash{'enabled'} eq "on") {
 if ($hash{'ip_type'} eq "natd") {
      system("/sbin/ipfw add allow ip from $hash{'ip'} to any \n");
      system("/sbin/ipfw add allow ip from any to $hash{'ip'}\n");
 }
}

};


----------------

${FwCMD} add deny log all from any to any

Код: Выделить всё

${FwCMD} add deny tcp from any to me 1720 via ${LanOut}

${FwCMD} add deny tcp from any to me 3128 via ${LanOut}
${FwCMD} add deny tcp from any to me 3306 via ${LanOut}

${FwCMD} add allow ip from any to me 20 via ${LanOut}
${FwCMD} add allow ip from any to me 20 via ${LanIn}

Код: Выделить всё

${FwCMD} add deny tcp from any to me 20,1720,3306,3128 via ${LanOut}

Код: Выделить всё

${FwCMD} add deny ip from any to 10.0.0.0/8 in recv ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in recv ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in recv ${LanOut}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}

Код: Выделить всё

${FwCMD} add deny ip from any to 0.0.0.0/8,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,240.0.0.0/3 in via ${LanOut}

Код: Выделить всё

00100      0        0 check-state
00200   1830   773997 divert 10001 ip from any to any via fxp0
00300   1706   752368 divert 10002 ip from any to any via rl0
00400  17364  3995020 allow ip from any to any via lo0
00500      0        0 deny icmp from any to any frag
00600      0        0 deny icmp from any to 255.255.255.255 in via fxp0
00700      0        0 deny icmp from any to 255.255.255.255 out via fxp0
00800      0        0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00900      0        0 deny ip from any to 77.108.79.253 dst-port 137-139,445 in via fxp0
01000      0        0 deny ip from any to 77.108.79.253 dst-port 137-139,445 in via rl0
01100      0        0 deny ip from any to 0.0.0.0/8,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,224.0.0.0/3 in via fxp0
01200      0        0 deny tcp from any to me dst-port 1720,3306,3128 via fxp0
01300     45     3204 allow ip from any to me dst-port 20 via fxp0
01400      0        0 allow ip from any to me dst-port 20 via rl0
01500      0        0 divert 8668 ip from 192.168.100.41 to any
-------------------ЗДЕСЬ МНОГО АНАЛОГИЧНЫХ ПРАВИЛ ДЛЯ РАЗРЕШЕННЫХ IP---------------------------
09700      0      0 divert 8668 ip from 192.164.100.116 to any
09800    877   641611 divert 8668 ip from any to 77.108.79.253 via fxp0
09900    680   521624 queue 1 ip from any to 192.164.100.0/24 in via fxp0
10000     31     3623 queue 1 ip from any to 192.168.100.0/24 in via fxp0
10100      0        0 queue 1 ip from any to 192.168.4.0/24 in via fxp0
10200      4      496 queue 2 ip from 192.164.100.0/24 to any out via fxp0
10300      0        0 queue 2 ip from 192.168.100.0/24 to any out via fxp0
10400      0        0 queue 2 ip from 192.168.4.0/24 to any out via fxp0
10500    281   129185 allow ip from any to me
10600    994   235025 allow ip from me to any
10700      0        0 allow ip from 192.168.100.41 to any
-------------------ЗДЕСЬ МНОГО АНАЛОГИЧНЫХ ПРАВИЛ ДЛЯ РАЗРЕШЕННЫХ IP---------------------------
26300      0        0 allow ip from 192.164.100.116 to any
26400      0        0 allow ip from any to 192.164.100.116
26500     53    14565 deny log logamount 100 ip from any to any
65535 153752 76823424 deny ip from any to any

Код: Выделить всё

13:42:36     1192182156     132.43.232.64     80     217.170.77.218     0     tcp     40     1

Код: Выделить всё

04101 allow ip from 192.168.10.0/25 to any in via ng*
04102 divert 8668 ip from 192.168.10.0/25 to any out via ${ext_int}
04103 divert 8668 ip from any to ${ext_ip} in via ${ext_int}
04104 allow ip from any to 192.168.10.0/25 in via ${ext_int}