forum.lissyara.su

Код: Выделить всё

defaultrouter="80.111.333.65"
gateway_enable="YES"
hostname="router.dialin.kz"
ifconfig_bce0="inet 80.111.333.70  netmask 255.255.255.248"
ifconfig_bce1="inet 172.168.1.102  netmask 255.255.255.0"
ifconfig_em0="inet 10.10.0.1 netmask 255.255.255.0"
ifconfig_em1="inet 192.168.10.111  netmask 255.255.255.0"
ifconfig_em2="inet 192.168.20.111  netmask 255.255.255.0"
ifconfig_em3="inet 192.168.30.111  netmask 255.255.255.0"

gif_interfaces="YES"
gif_interfaces="gif0"
static_routes="vpn1"
ifconfig_gif0="inet 192.168.10.111 192.168.0.100 netmask 255.255.255.0"
gifconfig_gif0="80.111.333.70 212.111.333.166"
route_vpn1="-net 192.168.0.0/24 -interface gif0"
export route_vpn1

Код: Выделить всё

## dukat


## dukat
ext_if1="bce0" #основной провайдер и шлюз по умолчанию его

ext_if0="bce1"
ext_gateway0="172.168.1.1" 

## к AD  и local Dialin
ad_if="em1"

## к Diasy и Mobitex
int_if="em2"

## к dmz  www, ftp,mail,backup ( идет через ext_if1 в DMZ на маил сервер)
dmz_if="em0"

#vpn="gif0"

## ip-адреса хостов, которые нам понадобятся
web_server="10.10.0.3" # он же mail, www, dns2
#backup_server="10.10.0.4" #просто бакап
activ="192.168.10.254" # AD, proxy, Exchange, radmin, acq, sgds,
admin="192.168.10.1" # мои копрутер
#cheef="192.168.0.196" # привелигированный компутер

## табличка с хостами, которым разрешен доступ в обход прокси. Стоящей на роутере ))
table <servers> const { $activ, $admin }
## отбрасывать пакеты будем тихо, чтобы никто не догадался.. ))
set block-policy drop
## Игнорируем петлевой интерфейс
set skip on lo0
## нормализуем входящий трафик
scrub in all fragment reassemble

## пакеты, пришедшие на внешний интерфейс ext_if1 на порт 80, 21, 23, 799-radmin.
## отправляем внутрь сети и метим их
rdr on $ext_if1 inet proto tcp to $ext_if1 port 80 tag WEB_SERVER -> $web_server port 80
rdr on $ext_if1 inet proto tcp to $ext_if1 port 13579 tag SSH_WEBSERVER -> $web_server port 22
rdr on $ext_if1 inet proto tcp to $ext_if1 port 25 tag MAIL -> $web_server port 25
rdr on $ext_if1 inet proto tcp to $ext_if1 port 110 tag MAIL -> $web_server port 110

#rdr on $ext_if1 inet proto tcp to $ext_if1 port 21 tag FTP_SERVER  -> $backup_server port ftp
#rdr on $ext_if1 inet proto tcp to $ext_if1 port 4899 tag RADMIN -> $admin port 4899

## Отдаем proxe пакеты идущие к внешним ftp от наших сетей
##rdr pass on $ad_if inet proto tcp from $ad_if:network to !$web_server port ftp -> 127.0.0.1 port 3128
##rdr pass on $int_if inet proto tcp from $int_if:network to {!$web_server, !$backup_server } port ftp -> 127.0.0.1 port 3128

########################################

## натим все пакеты на внешнем(exp-if1) интерфейсе, которые помечены
#nat on $ext_if1 from $dmz_if:network -> ($ext_if1)
#nat on $ext_if0 from $dmz_if:network -> ($ext_if0)
nat on $ext_if1 from $ad_if:network -> ($ext_if1)

nat on $ext_if1 inet proto tcp tagged SSH -> ($ext_if1)
#nat on $ext_if1 inet proto tcp tagged ADMIN  -> ($ext_if1)
#nat on $ext_if1 inet proto tcp tagged RADMIN -> ($ext_if1)
#nat on $ext_if1 inet proto tcp tagged ICQ -> ($ext_if1)
nat on $ext_if1 inet proto tcp tagged SSH_WEBSERVER -> ($ext_if1)

## Наш ftp сервер сможет работать только в активном режиме, поэтому натим пакеты идущие от его 20 порта
#nat on $ext_if1 inet proto tcp from $backup_server port 20 to any -> ($ext_if1)

## натим пакеты на интерфейсе основного провайдера (exp-if0),  идущие от прокси сервера (одной из сетей)
#nat on $ext_if0 inet proto tcp from $activ to !$web_server port www -> ($ext_if0)

############################### (ext-if1 то есть казтел)
block in on $ext_if1
#pass in on $ext_if1 reply-to ($ext_if1 $ext_gateway1) inet proto tcp tag SSH_WEBSERVER keep state
#pass in on $ext_if1 reply-to ($ext_if1 $ext_gateway) inet proto tcp tagged FTP_SERVER keep state
#pass in on $ext_if1 reply-to ($ext_if1 $ext_gateway1) inet proto tcp tag SSH keep state

##### ping
#pass in on $ext_if1 inet proto icmp from $ext_if1:network keep state
pass in on $ext_if1 inet proto icmp from any to $ext_if1 keep state
#pass in on $ext_if1 inet proto tcp from any to <servers> keep state

pass out on $ext_if1 keep state

##################################################################
block in on $ad_if
pass in on $ad_if inet proto tcp from $ad_if:network to { $ad_if, $int_if, $web_server } port 22 keep state
#pass in on $ad_if inet proto udp from $ad_if:network to $ad_if port 53 keep state
pass in on $ad_if inet proto udp from $ad_if:network to any port 53 keep state
pass in on $ad_if inet proto tcp from $ad_if:network to any port { smtp, pop3 } keep state
pass in on $ad_if inet proto tcp from <servers> to any port http keep state
pass in on $ad_if inet proto tcp from <servers> to any port https keep state
pass in on $ad_if inet proto tcp from $ad_if:network to any keep state
pass in on $ad_if inet proto tcp from $ad_if:network to any port 5190 tag ICQ keep state
pass in on $ad_if inet proto tcp from $ad_if:network to any port ftp keep state
pass in on $ad_if inet proto icmp from $ad_if:network to any keep state
pass out on $ad_if keep state

########################## на интерфейсе DMZ
## Запрещаем все соединения
block in on $dmz_if

## серверам в DMZ нужно общаться с dns
pass in quick on $dmz_if inet proto udp from $web_server to $dmz_if keep state
#pass in on $dmz_if reply-to ($ext_if1 $ext_gateway1) proto udp keep state
pass in on $dmz_if route-to ($ext_if0 $ext_gateway0) proto udp keep state
#pass in on $dmz_if inet proto udp from $dmz_if:network to $dmz_if keep state
#pass in on $dmz_if route-to ($ext_if1 $ext_gateway1) inet proto {tcp,udp} from $web_server to any keep state

## отправляем пакеты, идущие к внешним ssh серверам, по другому маршруту
pass in on $dmz_if route-to ($ext_if0 $ext_gateway0) inet proto tcp from $web_server to any port {22, 13579} modulate state
#pass in on $dmz_if route-to ($ext_if1 $ext_gateway1) inet proto udp from $web_server to any keep state
## разрешаем соединения по SSH
###pass in on $dmz_if inet proto tcp from $dmz_if:network to $dmz_if port 22 keep state
### ping
pass in on $dmz_if inet proto icmp from $dmz_if:network to $dmz_if keep state
## разрешаем все исходящие соединения
pass out on $dmz_if keep state

Код: Выделить всё

ifconfig_gif0="inet 192.168.10.111 192.168.0.100 netmask 255.255.255.0"

Код: Выделить всё

ns# ping 192.168.10.111
PING 192.168.10.111 (192.168.10.111): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied

Код: Выделить всё

ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 212.1111.333.166 --> 82.111.333.70
        inet 192.168.0.100 --> 192.168.10.111 netmask 0xffffffff

Код: Выделить всё

ns# ipfw show
00050  4464 1012622 divert 8668 ip4 from any to any via rl0
00100   770   96024 allow ip from any to any via lo0
00200    19    1645 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
65000 17516 4258730 allow ip from any to any
65535  2316  778250 deny ip from any to any

[/codde]
не могу же я 200 правило убрать совсем?

Код: Выделить всё

ns# ipfw show
00005  10   884 allow ip from 212.111.333.166 to 82.111.333.70
00010 314 33776 allow ip from 192.168.0.0/16 to 192.168.0.0/16
00010   3   252 allow ip from 82.111.333.70 to 212.111.333.166
00050  29  2447 divert 8668 ip4 from any to any via rl0
00100   4   604 allow ip from any to any via lo0
00200   0     0 deny ip from any to 127.0.0.0/8
00300   0     0 deny ip from 127.0.0.0/8 to any
65000 151 47492 allow ip from any to any
65535   0     0 deny ip from any to any

Код: Выделить всё

deny ip from any to 127.0.0.0/8

Код: Выделить всё

deny log ip from any to 127.0.0.0/8

Код: Выделить всё

options IPFIREWALL_VERBOSE # поддержка логирования
у меня она стоит -->>>  options IPFIREWALL_VERBOSE_LIMIT=15 

Код: Выделить всё

ns# tail /var/log/security
Mar  5 12:14:37 ns kernel: ipfw: 100 Accept UDP 212.154.146.166:53 212.154.146.166:64605 out via lo0
Mar  5 12:14:37 ns kernel: ipfw: 100 Accept UDP 212.154.146.166:53 212.154.146.166:64605 in via lo0
Mar  5 12:15:52 ns kernel: ipfw: 400 Accept ICMP:8.0 192.168.10.111 192.168.0.100 in via gif0
Mar  5 12:15:52 ns kernel: ipfw: 400 Accept ICMP:0.0 192.168.0.100 192.168.10.111 out via gif0
Mar  5 12:15:53 ns kernel: ipfw: 400 Accept ICMP:8.0 192.168.10.111 192.168.0.100 in via gif0
Mar  5 12:15:53 ns kernel: ipfw: 400 Accept ICMP:0.0 192.168.0.100 192.168.10.111 out via gif0
Mar  5 12:15:54 ns kernel: ipfw: 400 Accept ICMP:8.0 192.168.10.111 192.168.0.100 in via gif0
Mar  5 12:15:54 ns kernel: ipfw: 400 Accept ICMP:0.0 192.168.0.100 192.168.10.111 out via gif0
Mar  5 12:15:55 ns kernel: ipfw: 400 Accept ICMP:8.0 192.168.10.111 192.168.0.100 in via gif0

Код: Выделить всё

ipfw add pass ip from any to any via gif0
ipfw add pass ip from 111.222.333.444 to 555.666.777.888
ipfw add pass ip from 555.666.777.888 to 111.222.333.444  

Код: Выделить всё

Mar  5 12:56:22 ns kernel: ipfw: 400 Accept ICMP:8.0 0.0.0.0 192.168.0.16 in via gif0