forum.lissyara.su

Код: Выделить всё

#!/bin/sh
 fwcmd="/sbin/ipfw"
 ${fwcmd} -f flush
 ${fwcmd} -f pipe flush
 ${fwcmd} -f queue flush

 ${fwcmd} add 1040 allow ip from any to any via ste0

 ${fwcmd} add 1020 allow tcp from any to any ssh
 ${fwcmd} add 1030 allow tcp from any ssh to any
 ${fwcmd} add 1050 deny ip from any to 192.168.0.0/16 in recv alc0
 ${fwcmd} add 1060 deny ip from 192.168.0.0/16 to any in recv alc0
 ${fwcmd} add 1070 deny ip from any to 172.16.0.0/12 in recv alc0
 ${fwcmd} add 1080 deny ip from 172.16.0.0/12 to any in recv alc0
 ${fwcmd} add 1090 deny ip from any to 10.0.0.0/8 in recv alc0
 ${fwcmd} add 10100 deny ip from 10.0.0.0/8 to any in recv alc0
 ${fwcmd} add 10110 deny ip from any to 169.254.0.0/16 in recv alc0
 ${fwcmd} add 10120 deny ip from 169.254.0.0/16 to any in recv alc0

 ${fwcmd} pipe 1 config bw 10Mbit/s queue 60 gred 0.002/10/30/0.1
 ${fwcmd} queue 1 config pipe 1 mask src-ip 0xffffffff queue 60 gred 0.002/10/30/0.1

 ${fwcmd} pipe 2 config bw 3Mbit/s queue 60 gred 0.002/10/30/0.1
 ${fwcmd} queue 2 config pipe 2 mask dst-ip 0xffffffff queue 60 gred 0.002/10/30/0.1
 ${fwcmd} nat 1 config log if alc0 reset same_ports  redirect_port tcp XX.XX.XX.XX:6881 6881 redirect_port udp  XX.XX.XX.XX:4444 4444


 ${fwcmd} add 10130 skipto 10160 ip from 192.168.1.221 to any
 ${fwcmd} add 10140 skipto 10160 ip from any to 192.168.1.221
 ${fwcmd} add 10131 skipto 10160 ip from 192.168.1.222 to any
 ${fwcmd} add 10141 skipto 10160 ip from any to 192.168.1.222


 ${fwcmd} add 10150 queue 1 ip from any to any out xmit alc0
 ${fwcmd} add 10160 nat 1 ip from any to any via alc0
 ${fwcmd} add 10161 allow ip from 192.168.1.221 to any
 ${fwcmd} add 10162 allow ip from any to 192.168.1.221
 ${fwcmd} add 10163 allow ip from 192.168.1.222 to any
 ${fwcmd} add 10164 allow ip from any to 192.168.1.222
 ${fwcmd} add 10170 queue 2 ip from any to any in recv alc0

 ${fwcmd} add 10180 allow all from any to any

 ${fwcmd} add 10230 allow all from any to any

 ${fwcmd} add 65534 deny all from any to any 

Код: Выделить всё

00001:  10.000 Mbit/s    0 ms   60 sl. 0 queues (1 buckets)
          GRED w_q 0.001999 min_th 10 max_th 30 max_p 0.099991
00002:   3.000 Mbit/s    0 ms   60 sl. 0 queues (1 buckets)
          GRED w_q 0.001999 min_th 10 max_th 30 max_p 0.099991
q00001: weight 1 pipe 1   60 sl. 12 queues (64 buckets)
          GRED w_q 0.001999 min_th 10 max_th 30 max_p 0.099991
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 16 ip     192.168.1.220/0             0.0.0.0/0     33979  2148439  0    0   0
 27 ip     94.251.99.112/0             0.0.0.0/0      114   210326  0    0   0
 36 ip     192.168.1.230/0             0.0.0.0/0     318139 346719363  0    0   5
 40 ip     192.168.1.224/0             0.0.0.0/0     124089 12542337  0    0   0
 42 ip     192.168.1.225/0             0.0.0.0/0     18939  2304553  0    0   0
 46 ip     192.168.1.227/0             0.0.0.0/0     27131  1834468  0    0   0
 50 ip     192.168.1.205/0             0.0.0.0/0     82296  5897385  0    0   0
 52 ip     192.168.1.238/0             0.0.0.0/0     205494 204818936  0    0 394
 56 ip     192.168.1.200/0             0.0.0.0/0      760    63276  0    0   0
 58 ip     192.168.1.201/0             0.0.0.0/0        9     3105  0    0   0
 60 ip     192.168.1.234/0             0.0.0.0/0     2882   279474  0    0   0
 62 ip     192.168.1.203/0             0.0.0.0/0     6906   321331  0    0   0
q00002: weight 1 pipe 2   60 sl. 20 queues (64 buckets)
          GRED w_q 0.001999 min_th 10 max_th 30 max_p 0.099991
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0     255.255.255.255/0      454    77037  0    0   0
  1 ip           0.0.0.0/0           224.0.0.1/0        4      112  0    0   0
  6 ip           0.0.0.0/0       94.251.99.112/0     69208  4130715  0    0   0
  9 ip           0.0.0.0/0       94.251.99.255/0     2868   295656  0    0   0
 12 ip           0.0.0.0/0       192.168.1.220/0     54995 76280025  0    0 166
 24 ip           0.0.0.0/0       192.168.1.200/0     24492 20428908  0    0 216
 25 ip           0.0.0.0/0       192.168.1.201/0     3309  2208652  0    0  26
 26 ip           0.0.0.0/0       192.168.1.202/0     1641   825764  0    0   0
 27 ip           0.0.0.0/0       192.168.1.203/0     11759  1948690  0    0   0
 29 ip           0.0.0.0/0       192.168.1.205/0     219623 268908256  7 6386 9145
 48 ip           0.0.0.0/0       192.168.1.224/0     119868 15185327  0    0   0
 49 ip           0.0.0.0/0       192.168.1.225/0     26542 32268042  0    0 1425
 51 ip           0.0.0.0/0       192.168.1.227/0     24861  6019805  0    0   0
 54 ip           0.0.0.0/0       192.168.1.230/0     287268 239740494 29 39608 1223
 56 ip           0.0.0.0/0       192.168.1.232/0     48312 57500883  0    0 368
 57 ip           0.0.0.0/0       192.168.1.233/0     10962  8344755  0    0 108
 58 ip           0.0.0.0/0       192.168.1.234/0     6269  2370089  0    0   0
 59 ip           0.0.0.0/0       192.168.1.235/0       73    15611  0    0   0
 61 ip           0.0.0.0/0       192.168.1.237/0        1      149  0    0   0
 62 ip           0.0.0.0/0       192.168.1.238/0     176518 138426804  0    0 5713

Код: Выделить всё

limiting icmp unreach response from 230 to 200 packets / s

Код: Выделить всё

net.inet.tcp.blackhole=2 
net.inet.udp.blackhole=1 
net.inet.icmp.drop_redirect=1 
net.inet.icmp.maskrepl=0 
net.inet.icmp.icmplim=100 
net.icmp.bmcastecho=0

Код: Выделить всё

# ipfw show
01020    3669     272181 allow tcp from any to any dst-port 22
01030    7126    1327324 allow tcp from any 22 to any
01040 2898058 2042226321 allow ip from any to any via ste0
01050       0          0 deny ip from any to 192.168.0.0/16 in recv alc0
01060      26        728 deny ip from 192.168.0.0/16 to any in recv alc0
01070       0          0 deny ip from any to 172.16.0.0/12 in recv alc0
01080       0          0 deny ip from 172.16.0.0/12 to any in recv alc0
01090       0          0 deny ip from any to 10.0.0.0/8 in recv alc0
10100       0          0 deny ip from 10.0.0.0/8 to any in recv alc0
10110       0          0 deny ip from any to 169.254.0.0/16 in recv alc0
10120       0          0 deny ip from 169.254.0.0/16 to any in recv alc0
10130  146570   87415426 skipto 10160 ip from 192.168.1.221 to any
10131       0          0 skipto 10160 ip from 192.168.1.222 to any
10140       0          0 skipto 10160 ip from any to 192.168.1.221
10141       0          0 skipto 10160 ip from any to 192.168.1.222
10150 1300768  757885667 queue 1 ip from any to any out xmit alc0
10160 3019858 2074919672 nat 1 ip from any to any via alc0
10161       0          0 allow ip from 192.168.1.221 to any
10162   81182    7953151 allow ip from any to 192.168.1.221
10163       0          0 allow ip from 192.168.1.222 to any
10164       0          0 allow ip from any to 192.168.1.222
10170 1490321 1222719518 queue 2 ip from any to any in recv alc0
10180 2910553 2038883527 allow ip from any to any
10230       0          0 allow ip from any to any
65534       0          0 deny ip from any to any
65535     361      26525 deny ip from any to any

Код: Выделить всё

pipe 2 config bw 6Mbit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1

Код: Выделить всё

#!/bin/sh
# начнем-с
fwcmd="/sbin/ipfw"

# самоопределимся
ExtIF="alc0"
ExtIP=`ifconfig $ExtIF | grep inet | awk '{print $2}'`

IntIF="ste0"
IntIP=`ifconfig $IntIF | grep inet | awk '{print $2}'`
IntMaskLen=24

IntLan=${IntIP}/${IntMaskLen}

VIP="{ 192.168.1.221 , 192.168.1.222 }

# очистимся
${fwcmd} -f flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush

# внутреннее сообщение + антиспуфинг
${fwcmd} add allow all from any to any via lo0
${fwcmd} add deny all from 127.0.0.0/8 to any
${fwcmd} add deny all from any to 127.0.0.0/8 

# всегда сохраняй контроль над собой
# и своим сервером
${fwcmd} add allow tcp from any to me ssh
${fwcmd} add allow tcp from me ssh to any


# Скажи НЕТ автонастроенной сети!
# и вообще, перестань разговаривать с сетями
${fwcmd} add 10110 deny ip from any to 169.254.0.0/16 in recv alc0
${fwcmd} add 10120 deny ip from 169.254.0.0/16 to any in recv alc0

# Здесь настраиваем медные трубы
# настройку огня и воды доверьте специалистам
${fwcmd} pipe 1 config bw 10Mbit/s queue 60 gred 0.002/10/30/0.1 
${fwcmd} queue 1 config pipe 1 mask src-ip 0xffffffff queue 60 gred 0.002/10/30/0.1
${fwcmd} pipe 2 config bw 3Mbit/s queue 60 gred 0.002/10/30/0.1
${fwcmd} queue 2 config pipe 2 mask dst-ip 0xffffffff queue 60 gred 0.002/10/30/0.1

# just for fun
# мы не будем использовать NAT
# не настроив его
${fwcmd} nat 1 config if ${ExtIF} reset same_ports deny_in

# Посторонись!
${fwcmd} add skipto 5000 ip from ${VIP} to any
${fwcmd} add skipto 5000 ip from any to ${VIP}

${fwcmd} add queue 1 ip from $IntLan  to any out recv $IntIF xmit $ExtIF

${fwcmd} add 5000 nat 1 ip from any to any via $ExtIF
${fwcmd} add allow ip from ${VIP} to any in
${fwcmd} add allow ip from any to ${VIP} out

${fwcmd} add queue 2 ip from any to $IntLan out recv $ExtIF xmit $IntIF

# локальная сеть + антиспуфинг на внутреннем интерфейсе
${fwcmd} add allow ip from $IntLan to any in via $IntIF
${fwcmd} add allow ip from any to $IntLan out via $IntIF

${fwcmd} add allow ip from any to me
${fwcmd} add allow ip from me to any