forum.lissyara.su

Код: Выделить всё

ifconfig vlan0 create
ifconfig vlan0 inet blabla netmask bubu vlandev rl1 vlan 1

Код: Выделить всё

cloned_interfaces="vlan0 vlan1"
ifconfig_vlan0="inet blabla netmask bubu vlandev rl1 vlan 1"

Код: Выделить всё

cat /etc/rc.firewall.main
#!/bin/sh

# vvodim peremennie:

FwCMD="/sbin/ipfw"
LanOut="xl0"
LanIn="ep0"
LanWiFi="ath0"
LanTunnel="gif0"
IpOut="10.21.64.215"
IpIn="192.168.254.254"
NetMask="24"
NetIn="192.168.254.0"
NetOut="10.21.64.0"
NetInWiFi="192.168.253.0"
# rule top for natd
TopRule="2300"
# sbrasivaem ranee ustanowlennie prawila:
${FwCMD} -f flush
${FwCMD} -f pipe flush
${FwCMD} -f queue flush
${FwCMD} -f table 0 flush

####### DUMMYNET ###################
#${FwCMD} add pipe 1 ip from me 21 to any
#${FwCMD} pipe 1 config bw 1000000
#${FwCMD} add pipe 2 ip from ${IpIn} to ${NetIn}/${NetMask}
#${FwCMD} pipe 2 config bw 1000Mbit/s
#${FwCMD} add pipe 3 ip from ${NetIn}/${NetMask} to me
#${FwCMD} pipe 3 config bw 1000Mbit/s
# `спецтруба` для мелкиз пакетов типа ack - ибо если они теряются
#${FwCMD} add pipe 4 ip from any to any tcpflags ack iplen 0-128
#${FwCMD} pipe 4 config bw 1000Mbit/s
# Пропускаем следующие трубы - чтобы мелкие пакеты не лимитировались
#${FwCMD} add skipto 39999 ip from any to any tcpflags ack iplen 0-128
# От глюков при работе с серваком изнутри по внешнему имени (траффик в трубы лезет)
#${FwCMD} add skipto 39999 ip from me to any
#${FwCMD} add skipto 39999 ip from any to me

# Рубаем самому себе инет - слишком быстно - плохо...
#${FwCMD} add pipe 5 ip from not ${NetIn}/24 to ${NetIn}/24
#${FwCMD} pipe 5 config bw 1280000bit/s


# WiFi

# proveryaem vremennie pravila:
${FwCMD} add check-state

# razreschaem vnutrenniy interfeys
${FwCMD} add allow ip from any to any via lo0

# rulezz for sshit table
${FwCMD} add deny not icmp from "table(0)" to me

# ipsec
${FwCMD} add pass esp from 192.168.253.253 to me via ${LanWiFi}
${FwCMD} add pass esp from me to 192.168.253.253 via ${LanWiFi}
${FwCMD} add pass log udp from 192.168.253.253 500 to me 500 via ${LanWiFi}
${FwCMD} add pass log udp from me 500 to 192.168.253.253 500 via ${LanWiFi}
#${FwCMD} add pass all from any to any via ${LanTunnel}



#${FwCMD} add allow ip from 80.253.9.18 to ${IpOut} via ${LanTunnel}
#${FwCMD} add allow ip from ${IpOut} to 80.253.9.18 via ${LanTunnel}
#${FwCMD} add allow ipencap from ${IpOut} to 80.253.9.18
#${FwCMD} add allow ipencap from 80.253.9.18 to ${IpOut}
#${FwCMD} add allow udp from ${IpOut} to 80.253.9.18 isakmp
#${FwCMD} add allow udp from 80.253.9.18 to ${IpOut} isakmp
#${FwCMD} add allow esp from ${IpOut} to 80.253.9.18
#${FwCMD} add allow esp from 80.253.9.18 to ${IpOut}
#${FwCMD} add allow ip from any to any via ${LanTunnel}
#${FwCMD} add allow ip from 192.168.11.0/${NetMask} to any via ${LanTunnel}
#${FwCMD} add allow ip from 192.168.0.0/16 192.168.11.0/${NetMask} via ${LanTunnel}

# zapres4aem:
${FwCMD} add deny log ip from 192.168.0.0/16 to any in via ${LanOut}
${FwCMD} add deny log ip from 172.16.0.0/12 to any in via ${LanOut}
#${FwCMD} add deny ip from 10.0.0.0/8 to any in via ${LanOut}
#${FwCMD} add deny ip from any to ${NetIn}/${NetMask} via ${LanOut}
${FwCMD} add deny log tcp from any to any 135-140 via ${LanOut}
${FwCMD} add deny log tcp from any 135-140 to any via ${LanOut}
${FwCMD} add deny log tcp from any 445 to any via ${LanOut}
#${FwCMD} add deny tcp from any to ${IpOut} 21 via ${LanOut}
${FwCMD} add deny log tcp from any to ${IpOut} 144-1026 via ${LanOut}
${FwCMD} add deny log tcp from any 3000-3001 to any via ${LanOut}
${FwCMD} add deny log tcp from any to any 3000-3001 via ${LanOut}
${FwCMD} add deny log tcp from any to ${IpOut} 3306 via ${LanOut}

# established connections on external interface
${FwCMD} add allow tcp from me to any established via ${LanOut}


# otprawlyaem vseh na SQUID:
#${FwCMD} add fwd 192.168.254.254,2121 tcp from ${NetIn}/${NetMask} to any 21 via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80 via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetInWiFi}/${NetMask} to any 80 via ${LanOut}
#${FwCMD} add fwd 127.0.0.1,3128 tcp from 192.168.252.253 to any 90 via ${LanOut}

##########  NATD #########
# пропускаем - может прокатит для ftp...
#${FwCMD} add skipto ${TopRule} tcp from me 21 to any out via ${LanOut}
${FwCMD} add divert natd ip from ${NetIn}/${NetMask} to any out via ${LanOut}
${FwCMD} add divert natd ip from ${NetInWiFi}/${NetMask} to any out via ${LanOut}
${FwCMD} add divert natd ip from 192.168.252.0/24 to any out via ${LanOut}
${FwCMD} add divert natd ip from any to ${IpOut} in via ${LanOut}

# разрешаем инет посторонним
${FwCMD} add allow ip from any to not me via ${LanWiFi}
${FwCMD} add allow ip from not me to any via ${LanWiFi}
${FwCMD} add allow udp from any to me 53 via ${LanWiFi}
${FwCMD} add allow udp from me 53 to any via ${LanWiFi}
${FwCMD} add allow tcp from any to not me via ${LanWiFi}
${FwCMD} add allow tcp from not me to any via ${LanWiFi}

########## VPN ###################
#${FwCMD} add allow tcp from any to any 1723 # ампутировано, т.к. мешает
#${FwCMD} add allow tcp from any 1723 to any # работе VPN изнутри
${FwCMD} add allow gre from any to any via ${LanOut}
${FwCMD} add allow gre from any to any via ${LanIn}
${FwCMD} add allow gre from any to any via ${LanTunnel}

#############################################################################
${FwCMD} add allow tcp from any to any established      # on all interfaces
${FwCMD} add allow ip from me to any out xmit ${LanOut}
${FwCMD} add allow udp from any 53 to any via ${LanOut}
${FwCMD} add allow udp from any 123 to any via ${LanOut}
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
#${FwCMD} add allow tcp from any to ${IpOut} 80 via ${LanOut}
#${FwCMD} add allow tcp from any to ${IpOut} 25 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 22 via ${LanOut}
#${FwCMD} add allow tcp from any to ${IpOut} 143 via ${LanOut}
#${FwCMD} add allow tcp from any to ${IpOut} 110 via ${LanOut}
${FwCMD} add allow tcp from any to any via ${LanIn}
${FwCMD} add allow tcp from any to any via ${LanTunnel}
${FwCMD} add allow udp from any to any via ${LanIn}
${FwCMD} add allow udp from any to any via ${LanTunnel}
${FwCMD} add allow icmp from any to any via ${LanIn}
${FwCMD} add allow icmp from any to any via ${LanTunnel}
#${FwCMD} add allow tcp from any to ${IpOut} 21 via ${LanOut}
#${FwCMD} add allow tcp from any to ${IpOut} 40000-65534 via ${LanOut}

# добавлено для ipnat
#${FwCMD} add allow tcp from ${NetIn}/${NetMask} to any setup

${FwCMD} add 65534 deny log all from any to any

Код: Выделить всё

ifconfig_interface_alias="inet Ip netmask mask"