forum.lissyara.su

#!/bin/sh
#####################################################################
##################FreeBDS 9.0 firewall script########################
#####################################################################
fw="/sbin/ipfw -q add"
inif="vr0" #local interface
outif="ng0" #inet interface
lopi="lo0" #loopback
inip="192.168.5.250" #loc addres
outip="xx.xxx.xx.xx" #net addres
innet="192.168.5.0/24" #local prefix
dnsR="212.96.120.5,212.96.96.38"
udp_ports="53,123" #ports udp
#####################################################################
clsA="10.0.0.0/8" #RFC 1918 private IP
DHCPA="169.254.0.0/16" #DHCP auto-config
clsB="172.16.0.0/12" #RFC 1918 private IP
clsC="192.168.0.0/16" #RFC 1918 private IP
mulD="224.0.0.0/4" #multicast class D address
resE="240.0.0.0/4" #reserv class E address
THL="0.0.0.0/8" #'This' Network (loopback)
TNet="192.0.2.0/24" #reserved for docs
bsrc="0.0.0.0" #broadcast source addres
bdst="255.255.255.255" #broadcast destination addres
loop="127.0.0.0/8" #loopback
sunC="204.152.64.0/23" #Sun cluster
#####################################################################
gameports="1513,1514,2900,4000,6112,6200,7456,8688,9000-9500,32768-65000"

#####################################################################
prvp='0:1023' # privilegion ports
uprv='1024:65535' # unprivilegion ports
#####################################################################
/sbin/ipfw -q -f flush
/sbin/ipfw -q -f pipe flush
/sbin/ipfw -q -f queue flush
#####################################################################
/sbin/ipfw pipe 1 config bw 1Mbit/s
/sbin/ipfw pipe 2 config bw 2Mbit/s
/sbin/ipfw pipe 3 config bw 3Mbit/s
/sbin/ipfw pipe 4 config bw 4Mbit/s
/sbin/ipfw pipe 5 config bw 5Mbit/s
/sbin/ipfw pipe 6 config bw 6Mbit/s
/sbin/ipfw pipe 7 config bw 7Mbit/s
/sbin/ipfw pipe 8 config bw 8Mbit/s
/sbin/ipfw pipe 9 config bw 9Mbit/s
/sbin/ipfw pipe 10 config bw 10Mbit/s
#privileged rate
/sbin/ipfw pipe 15 config bw 15Mbit/s
/sbin/ipfw pipe 20 config bw 20Mbit/s
#####################################################################
$fw 100 allow all from any to any via $lopi
#####################################################################
$fw 200 deny log all from any to $loop
$fw 250 deny log all from $loop to any
# Deny all inbound traffic from non-routable reserved address spaces
$fw 300 deny log ip from any to $DHCPA in via $outif
$fw 310 deny log ip from any to $THL in via $outif
$fw 320 deny log ip from any to $clsC in via $outif
$fw 330 deny log ip from any to $clsB in via $outif
$fw 340 deny log ip from any to $clsA in via $outif
$fw 350 deny log ip from any to $resE in via $outif
$fw 360 deny log ip from any to $TNet in via $outif
$fw 370 deny log ip from any to $sunC in via $outif
$fw 380 deny log ip from any to $mulD in via $outif
####################################################################
$fw 400 deny tcp from any to any 137 in via $outif
$fw 420 deny tcp from any to any 138 in via $outif
$fw 440 deny tcp from any to any 139 in via $outif
$fw 460 deny tcp from any to any 81 in via $outif
$fw 480 deny log icmp from any to any frag
$fw 500 deny log icmp from any to any in icmptype 5,9,13,14,15,16,17
$fw 520 deny log icmp from any to 255.255.255.255 in via $outif
$fw 540 deny log icmp from any to 255.255.255.255 out via $outif
####################################################################
$fw 600 divert natd all from $innet to any out via $outif
$fw 700 divert natd all from any to $outip in via $outif

$fw 710 deny log ip from $DHCPA to any out via $outif
$fw 712 deny log ip from $THL to any out via $outif
$fw 714 deny log ip from $clsC to any out via $outif
$fw 716 deny log ip from $clsB to any out via $outif
$fw 718 deny log ip from $clsA to any out via $outif
$fw 720 deny log ip from $resE to any out via $outif
$fw 722 deny log ip from $TNet to any out via $outif
$fw 724 deny log ip from $sunC to any out via $outif
$fw 726 deny log ip from $mulD to any out via $outif

$fw 800 allow tcp from any to any via $outif established

$fw 900 allow tcp from $inip,$outip to any out xmit $outif setup
$fw 920 allow tcp from me to any out xmit $outif setup uid root

$fw 1020 allow all from $innet to any out via $inif
$fw 1040 allow all from any to $innet in via $inif


$fw 1100 allow icmp from any to any icmptypes 0,3,8,11
$fw 1120 reset log tcp from any to any 113 in recv $outif

$fw 1200 allow udp from any 123 to $outip in via $outif
$fw 1220 allow udp from $innet to any 123
$fw 1240 allow udp from any 123 to $innet

$fw 1300 allow udp from $innet to any 53
$fw 1320 allow udp from any 53 to $innet
$fw 1340 allow log udp from $innet to any $gameports
$fw 1360 allow log udp from any $gameports to $innet
##################################################################################

КАКОЕ ИЗ ЭТИХ ПРАВИЛ НЕОБХОДИМО ДЛЯ РАБОТЫ КЕШИРУЮЩЕГО DNS
$fw 1365 allow udp from any to 192.168.5.250 53
$fw 1370 allow udp from 192.168.5.250 53 to any

$fw 1375 allow all from any to me domain в одной документации читал что для работы dns cache необходима эта строчка, но с ней ничего не работает

$fw 1385 allow udp from $innet 53,1024-65535 to any 53
$fw 1390 allow udp from any 53 to $innet 53,1024-65535

$fw 1400 allow udp from $outip to any out via $outif
$fw 1420 allow udp from any to $dnsR $udp_ports out via $outif
$fw 1440 allow udp from $dnsR $udp_ports to any in via $outif


####################################################################

$fw 2000 pipe 1 ip from any to 192.168.5.15 out via $inif
$fw 2020 pipe 1 ip from 192.168.5.15 to any in via $inif
$fw 2040 pipe 5 ip from any to 192.168.5.115 out via $inif
$fw 2060 pipe 5 ip from 192.168.5.115 to any in via $inif
$fw 2040 pipe 3 ip from any to 192.168.5.222 out via $inif
$fw 2060 pipe 2 ip from 192.168.5.222 to any in via $inif

####################################################################
$fw 3000 allow tcp from $innet to any in via $inif
$fw 3020 allow tcp from any to $innet out via $inif

$fw 65534 deny log all from any to any

server:
verbosity: 0
num-threads: 4
interface: 0.0.0.0
# interface: 192.168.5.250
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
interface-automatic: no
port: 53
outgoing-interface: xx.xxx.xx.xx
outgoing-range: 4096
outgoing-port-permit: 32768
outgoing-port-avoid: "3200-3208"
so-rcvbuf: 4m
so-sndbuf: 4m
edns-buffer-size: 4096
msg-buffer-size: 65552
msg-cache-size: 16m
msg-cache-slabs: 4
num-queries-per-thread: 1024
rrset-cache-size: 32m
rrset-cache-slabs: 4
cache-max-ttl: 86400
infra-host-ttl: 60
infra-lame-ttl: 120
infra-cache-slabs: 4
infra-cache-numhosts: 10000
infra-cache-lame-size: 10k

# Enable IPv4, "yes" or "no".
do-ip4: yes

# Enable IPv6, "yes" or "no".
do-ip6: no

# Enable UDP, "yes" or "no".
do-udp: yes

# Enable TCP, "yes" or "no".
do-tcp: yes

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.168.5.0/24 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow

# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
#
# If chroot is enabled, you should pass the configfile (from the
# commandline) as a full path from the original root. After the
# chroot has been performed the now defunct portion of the config
# file path is removed to be able to reread the config after a reload.
#
# All other file paths (working dir, logfile, roothints, and
# key files) can be specified in several ways:
# o as an absolute path relative to the new root.
# o as a relative path to the working directory.
# o as an absolute path relative to the original root.
# In the last case the path is adjusted to remove the unused portion.
#
# The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions.
#
# Additionally, unbound may need to access /dev/random (for entropy).
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
chroot: "/usr/local/etc/unbound"
directory: "/usr/local/etc/unbound"
logfile: ""
use-syslog: yes
pidfile: "/usr/local/etc/unbound/unbound.pid"
root-hints: "/usr/local/etc/unbound/named.cache"
hide-identity: yes
hide-version: yes
identity: "DNS"
version: "1.0"
harden-glue: yes
do-not-query-address: 127.0.0.1/8
do-not-query-address: ::1
do-not-query-localhost: yes
module-config: "iterator"

remote-control:
control-enable: yes
control-port: 8953
server-key-file: "/usr/local/etc/unbound/unbound_server.key"
server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
control-key-file: "/usr/local/etc/unbound/unbound_control.key"
control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

#security.bsd.see_other_uids=0
kern.polling.enable=1
kern.polling.user_frac=10
net.inet.ip.fw.one_pass=0
kern.maxfiles=20328
kern.maxfilesperproc=20095
kern.ipc.maxsockets=20328
kern.ipc.maxsockbuf=16777216 не могу понять почему после перезагрузки этот параметр устанавливает значение по умолчанию

nameserver 127.0.0.1
nameserver 192.168.5.250

#nslookup
>server 127.0.0.1
Default server : 127.0.0.1
Address : 127.0.0.1#53
>www.mail.ru
;; connection timed out; no servers could be reached