forum.lissyara.su

Код: Выделить всё

[b]rc.conf[/b]

hostname="BSD"
ifconfig_vr0="inet 78.***.***.*** netmask 255.255.255.240"
ifconfig_vr1="inet 192.168.0.44 netmask 255.255.255.0"
ifconfig_vr2="inet 172.16.0.1 netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_quiet="YES"
natd_interface="vr0"
natd_program="/sbin/natd"
natd_flags="-f /etc/natd.conf"
natd_enable="YES"
defaultrouter="78.***.***.***"
sshd_enable="YES"
moused_enable="YES"
dbus_enable="YES"
hald_enable="YES"
gdm_enable="YES"
gdm_lang="ru_RU.UTF-8"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

[b]root@BSD:/root # ifconfig[/b]
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
	ether 34:08:04:2a:1a:08
	inet 78.***.***.*** netmask 0xfffffff0 broadcast 78.***.***.***
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
	ether 1c:af:f7:7d:5a:bc
	inet 192.168.0.44 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
	ether 1c:bd:b9:87:5a:c2
	inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000 

[b]natd.conf[/b]

log	no
dynamic		yes
same_ports	yes
use_sockets	yes

[b]root@BSD:/root # ipfw show[/b]
00050 11085 1565825 divert 8668 ip4 from any to any via vr0
00100    12     600 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
65000 35993 4111145 allow ip from any to any
65535     0       0 allow ip from any to any
root@BSD:/root #

Код: Выделить всё

cat -n /etc/rc.conf
cat -n /etc/firewall
ifconfig -a

Код: Выделить всё

00005   56   5995 allow ip from any to any via vr1
00005   56   5995 allow ip from any to any via vr2
00010    0      0 allow ip from any to any via lo0
00014    5   2007 divert 8668 ip from any to any in via vr0
00015    0      0 check-state
00020    0      0 skipto 800 tcp from any to ***.***.***.*** dst-port 53 out via vr0 setup keep-state
00020    0      0 skipto 800 tcp from any to ***.***.***.*** dst-port 53 out via vr0 setup keep-state
00040    0      0 skipto 800 tcp from any to any dst-port 80 out via vr0 setup keep-state
00050    0      0 skipto 800 tcp from any to any dst-port 443 out via vr0 setup keep-state
00060    0      0 skipto 800 tcp from any to any dst-port 25 out via vr0 setup keep-state
00061    0      0 skipto 800 tcp from any to any dst-port 110 out via vr0 setup keep-state
00070    0      0 skipto 800 tcp from me to any out via vr0 setup uid root keep-state
00080    0      0 skipto 800 icmp from any to any out via vr0 keep-state
00090    0      0 skipto 800 tcp from any to any dst-port 37 out via vr0 setup keep-state
00110    0      0 skipto 800 tcp from any to any dst-port 22 out via vr0 setup keep-state
00120    0      0 skipto 800 tcp from any to any dst-port 43 out via vr0 setup keep-state
00130    0      0 skipto 800 udp from any to any dst-port 123 out via vr0 keep-state
00300    0      0 deny ip from 192.168.0.0/16 to any in via vr0
00301    0      0 deny ip from 172.16.0.0/12 to any in via vr0
00302    0      0 deny ip from 10.0.0.0/8 to any in via vr0
00303    0      0 deny ip from 127.0.0.0/8 to any in via vr0
00304    0      0 deny ip from 0.0.0.0/8 to any in via vr0
00305    0      0 deny ip from 169.254.0.0/16 to any in via vr0
00306    0      0 deny ip from 192.0.2.0/24 to any in via vr0
00307    0      0 deny ip from 204.152.64.0/23 to any in via vr0
00308    0      0 deny ip from 224.0.0.0/3 to any in via vr0
00315    0      0 deny tcp from any to any dst-port 113 in via vr0
00320    0      0 allow tcp from any to any dst-port 137 in via vr0
00321    0      0 allow tcp from any to any dst-port 138 in via vr0
00322    0      0 allow tcp from any to any dst-port 139 in via vr0
00323    0      0 allow tcp from any to any dst-port 81 in via vr0
00330    0      0 deny ip from any to any frag in via vr0
00332    3   1919 deny tcp from any to any established in via vr0
00380    0      0 allow tcp from any to me dst-port 22 in via vr0 setup limit src-addr 2
00390    0      0 allow tcp from any to me dst-port 23 in via vr0 setup limit src-addr 2
00400    2     88 deny log logamount 100 ip from any to any in via vr0
00450    0      0 deny log logamount 100 ip from any to any out via vr0
00800    0      0 divert 8668 ip from any to any out via vr0
00801    0      0 allow ip from any to any
00999    0      0 deny log logamount 100 ip from any to any



****************************************rc.config
hostname="BSD"
ifconfig_vr0="inet ***.***.***.*** netmask 255.255.255.240"
ifconfig_vr1="inet 192.168.0.44 netmask 255.255.255.0"
ifconfig_vr2="inet 172.16.0.1 netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_interface="vr0"
natd_program="/sbin/natd"
natd_flags="-dynamic -m"
natd_enable="YES"
defaultrouter="***.***.***.***"
sshd_enable="YES"
moused_enable="YES"
dbus_enable="YES"
hald_enable="YES"
gdm_enable="YES"
gdm_lang="ru_RU.UTF-8"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

***************************************ipfw.rules

ipfw="/sbin/ipfw"
ipfw -q -f flush

# Задание стандартных переменных
cmd="ipfw -q add"
skip="skipto 800"
pif="vr0"		# название внешнего интерфейса,
			# принадлежащего глобальной сети


$cmd 005 allow all from any to any via vr1
$cmd 005 allow all from any to any via vr2

$cmd 010 allow all from any to any via lo0

$cmd 014 divert natd ip from any to any in via $pif

$cmd 015 check-state

$cmd 020 $skip tcp from any to ***.***.***.*** 53 out via $pif setup keep-state
$cmd 020 $skip tcp from any to ***.***.***.*** 53 out via $pif setup keep-state

$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

$cmd 080 $skip icmp from any to any out via $pif keep-state

$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

$cmd 130 $skip udp from any to any 123 out via $pif keep-state

$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif 
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  

$cmd 315 deny tcp from any to any 113 in via $pif

$cmd 320 allow tcp from any to any 137 in via $pif
$cmd 321 allow tcp from any to any 138 in via $pif
$cmd 322 allow tcp from any to any 139 in via $pif

$cmd 330 deny all from any to any frag in via $pif

$cmd 332 deny tcp from any to any established in via $pif

$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

$cmd 400 deny log all from any to any in via $pif

$cmd 450 deny log all from any to any out via $pif

$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

$cmd 999 deny log all from any to any

***********************************ifconfig -a

root@BSD:/root # ifconfig -a
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
	ether 34:08:04:2a:1a:08
	inet ***.***.***.*** netmask 0xfffffff0 broadcast ***.***.***.***
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
	ether 1c:af:f7:7d:5a:bc
	inet 192.168.0.44 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
	ether 1c:bd:b9:87:5a:c2
	inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000 

Код: Выделить всё

hostname="BSD"
ifconfig_vr0="inet ***.***.***.*** netmask 255.255.255.240"
ifconfig_vr1="inet 192.168.0.44 netmask 255.255.255.0"
ifconfig_vr2="inet 172.16.0.1 netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_nat_enable="YEW"
defaultrouter="***.***.***.***"
sshd_enable="YES"
moused_enable="YES"
dbus_enable="YES"
hald_enable="YES"
gdm_enable="YES"
gdm_lang="ru_RU.UTF-8"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

Код: Выделить всё

add 1040 allow ip from any to any via vr1
add 1041 allow ip from any to any via vr2

# боимся непонятного
add 1050 deny ip from any to 192.168.0.0/16 in recv vr0
add 1060 deny ip from 192.168.0.0/16 to any in recv vr0
add 1070 deny ip from any to 172.16.0.0/12 in recv vr0
add 1080 deny ip from 172.16.0.0/12 to any in recv vr0
add 1090 deny ip from any to 10.0.0.0/8 in recv vr0
add 10100 deny ip from 10.0.0.0/8 to any in recv vr0
add 10110 deny ip from any to 169.254.0.0/16 in recv vr0
add 10120 deny ip from 169.254.0.0/16 to any in recv vr0

# настройка ната.
# опции переноса строк "\" надо убрать все должно быть в одну строчку
# опции redirect_port приведены для примера - как делать "проброс портов"
nat 1 config log if vr0 reset same_ports deny_in \
redirect_port tcp 1.2.3.4:6881 6881 \
redirect_port udp 1.2.3.4:4444 4444 \
redirect_port tcp 192.168.1.24:25 25

# заварачиваем все что проходит через внешний интерфейс в нат
add 10130 nat 1 ip from any to any via vr0

# боимся непонятного
add 65534 deny all from any to any

Код: Выделить всё

net.inet.ip.fw.one_pass=1

Код: Выделить всё

firewall_nat_enable="YEW"

Код: Выделить всё

sysctl -a | grep one_pass
ipfw show
ipfw nat 1 show config
ifconfig

Код: Выделить всё

pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf

Код: Выделить всё

ext_if="vr0"

nat on $ext_if inet from vr1:network  to any -> ($ext_if:0)
nat on $ext_if inet from vr2:network to any -> ($ext_if:0)


block all

pass out on $ext_if

pass on vr1
pass on vr2

Код: Выделить всё

hostname="BSD"
ifconfig_vr0="inet ***.***.***.*** netmask 255.255.255.240"
ifconfig_vr1="inet 192.168.0.44 netmask 255.255.255.0"
ifconfig_vr2="inet 172.16.0.1 netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_nat_enable="YES"
defaultrouter="***.***.***.***"
sshd_enable="YES"
moused_enable="YES"
dbus_enable="YES"
hald_enable="YES"
gdm_enable="YES"
gdm_lang="ru_RU.UTF-8"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

Код: Выделить всё

#!/bin/sh

 fwcmd="/sbin/ipfw"
 ${fwcmd} -f flush

# VAR

if_inet="vr0"
if_lan1="vr1"
if_lan2="vr2"

# Для себя

 ${fwcmd} add check-state
 ${fwcmd} add allow ip from me to any keep-state via ${if_inet}
 ${fwcmd} add allow ip from me to any keep-state via ${if_lan1}
 ${fwcmd} add allow ip from me to any keep-state via ${if_lan2}
 ${fwcmd} add allow ip from me to any

# Для локалок

${fwcmd} add allow ip from any to any via ${if_lan1}
${fwcmd} add allow ip from any to any via ${if_lan2}

# SSH

 ${fwcmd} add allow ip from any to any 22

# Nat

 ${fwcmd} nat 1 config log if ${if_inet} reset same_ports deny_in
 ${fwcmd} add nat 1 ip from any to any via ${if_inet}

${fwcmd} add deny all from any to any