forum.lissyara.su

Код: Выделить всё

ipfw="/sbin/ipfw" 
#Внешний интерфейс
ext_if="xl0"
#Внутренний интерфейс
int_if="xl1"
#Интерфейс VPN
vpn_if="ng0"
#Внутр IP сервака
int_ip="92.10.1.244"
#Внешний IP
ext_ip="67.112.12.50"
#Локалка
int_net="92.10.1.0/24"
#Внешняя сеть
ext_net="67.112.12.50/30"

${ipfw} -f flush

# Разрешаем весь траффик по внутреннему интерфейсу (петле)
${ipfw} add 100 allow all from any to any via lo0
# Разрешаем трафик на внутреннем интерфейсе
${ipfw} add 1900 allow all from ${int_net} to any in recv ${int_if}
${ipfw} add 2000 allow all from any to ${int_net} out xmit ${int_if}
# Всех на squid
${ipfw} add 2100 fwd 127.0.0.1,3128 tcp from ${int_net} to any not 21,22,25,110,123,993,,5190,1723,5999 via ${ext_if}
# Делаем NAT
${ipfw} add 2200 divert natd all from ${int_net} to not ${int_net} out xmit ${ext_if}
${ipfw} add 2300 divert natd all from any to ${ext_ip} in recv  ${ext_if}
# Allow VPN
${ipfw} add 3000 allow gre from any to ${ext_ip} in recv ${ext_if}
${ipfw} add 3100 allow tcp from any to ${ext_ip} 1723 in recv ${ext_if}
${ipfw} add 3200 allow gre from ${ext_ip} to any out xmit ${ext_if}
${ipfw} add 3300 allow tcp from ${ext_ip} 1723 to any out xmit ${ext_if}
${ipfw} add 3400 allow ip from any to any via ng*
# Разрешаем трафик tcp на внешнем интерфейсе от нас
${ipfw} add 3550 allow tcp from ${ext_ip} to any via ${ext_if}
# Разрешаем входящий трафик tcp с внешнего интерфейса для внутренней сети по уже установленным соединениям
${ipfw} add 3600 allow tcp from any to ${int_net} in recv ${ext_if} established
# Разрешаем трафик tcp на внешнем интерфейсе по уже установленным соединениям
${ipfw} add 3700 allow log logamount 500 tcp from any to ${ext_ip} in recv ${ext_if} established
# DNS
${ipfw} add 3800 allow udp from any 53 to ${ext_ip} in recv ${ext_if}
${ipfw} add 3900 allow udp from ${ext_ip} to any 53 out xmit ${ext_if}
# разрешаем UDP (для синхронизации времени - 123 порт)
${ipfw} add 4000 allow udp from any to any 123 via ${ext_if}
# Разрешаем подключаться на внешний IP по SSH, SMTP, POP, HTML, IMAP
${ipfw} add 4100 allow tcp from any to ${ext_ip} 21 in via ${ext_if} setup
${ipfw} add 4100 allow tcp from any to ${ext_ip} 22 in via ${ext_if} setup
${ipfw} add 4200 allow tcp from any to ${ext_ip} 25 in via ${ext_if} setup
${ipfw} add 4310 allow tcp from any to ${ext_ip} 80 in via ${ext_if} setup
${ipfw} add 4320 allow tcp from any to ${ext_ip} 8000 in via ${ext_if} setup
${ipfw} add 4340 allow tcp from any to ${ext_ip} 9091 in via ${ext_if} setup
${ipfw} add 4350 allow tcp from any to ${ext_ip} 110 in via ${ext_if} setup
${ipfw} add 4380 allow tcp from any to ${ext_ip} 143 in via ${ext_if} setup
${ipfw} add 4400 allow tcp from any to ${ext_ip} 443 in via ${ext_if} setup
${ipfw} add 4500 allow tcp from any to ${ext_ip} 993 in via ${ext_if} setup
${ipfw} add 4550 allow tcp from any to ${ext_ip} 1723 in via ${ext_if} setup
# разрешаем некоторые типы ICMP траффика
${ipfw} add 4600 allow icmp from any to ${ext_ip} in via ${ext_if} icmptype 0,3,4,11,12
${ipfw} add 4700 allow icmp from any to ${int_net} in via ${ext_if} icmptype 0,3,4,11,12
${ipfw} add 4800 allow icmp from ${ext_ip} to any out via ${ext_if} icmptypes 3,8,12
${ipfw} add 4900 allow icmp from ${ext_ip} to any out via ${ext_if} frag
# Блокируем все остальные попытки соединения с занесением в логи
${ipfw} add 5500 deny log tcp from any to ${ext_ip} in via ${ext_if} setup
${ipfw} add 5600 deny log all from any to any via ${ext_if}
${ipfw} add 5700 deny log all from any to any

Код: Выделить всё

/sbin/ipfw add allow ipencap from any to any
/sbin/ipfw add allow gre from any to any