
Исходное сообщение
"Вывод локальной сети через раутер на FreeBSD"
Отправлено NFS, 12-Июл-05 11:17 
Уважаемые,

я тут с помощью man, ваших рекомендаций и инета подготовил rc.firewall.
Что думаете?

----
# Path to the ipfw(8) control program; every rule below is added through it.
fwcmd='/sbin/ipfw'

# Outside (upstream-facing) interface: name, network, netmask and address.
# The x/y octets are redaction placeholders from the post.
# NOTE(review): "dco" ends in the letter "o"; FreeBSD interface names end in
# a unit number (for example dc0).  Confirm against ifconfig output -- a rule
# bound to a name that matches no interface never matches a packet.
oif='dco'
onet='10.x.y.0'
omask='255.255.255.0'
oip='10.x.y.2'

# Inside (LAN-facing) interface: name, network, netmask and address.
# iip is not referenced by any rule in this listing.
iif='bge0'
inet='192.168.y.0'
imask='255.255.255.0'
iip='192.168.y.15'

# Loopback policy (allow traffic on the loopback interface, deny 127.0.0.1/8
# arriving on any other interface) is delegated to setup_loopback.
# NOTE(review): setup_loopback is not defined in this listing; presumably it
# is the helper from the stock rc.firewall -- confirm it is in scope here.
setup_loopback

# Anti-spoofing: a packet claiming an inside source must not arrive on the
# outside interface, and a packet claiming an outside source must not arrive
# on the inside interface.  Both cases are dropped and logged.
${fwcmd} add deny log all \
	from ${inet}:${imask} to any \
	in via ${oif}
${fwcmd} add deny log all \
	from ${onet}:${omask} to any \
	in via ${iif}

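# Drop and log packets on the outside interface whose destination lies in
# private (RFC 1918) space.  These rules run before the natd divert rule, so
# inbound packets are still addressed to the router's outside IP here.
#
# The outside network (${onet}:${omask}) is itself inside 10.0.0.0/8, so an
# unqualified 10.0.0.0/8 rule would also drop every packet addressed to
# ${oip}, replies to translated connections included.  The directly connected
# outside subnet is therefore exempted; the rest of 10.0.0.0/8 stays blocked.
# NOTE(review): "not dst-ip" is ipfw2 option syntax -- confirm the installed
# ipfw accepts it, and confirm no other upstream 10.x ranges must be reached.
${fwcmd} add deny log all from any to 10.0.0.0/8 not dst-ip ${onet}:${omask} via ${oif}
# 192.168.0.0/16 is written in canonical form: the posted "192.168.y.0/16"
# carried a redaction placeholder in an octet the /16 prefix masks out.
for _rsvd_net in 172.16.0.0/12 192.168.0.0/16; do
	${fwcmd} add deny log all from any to ${_rsvd_net} via ${oif}
done

# Drop and log destinations in the other special-use ranges named by
# draft-manning-dsua-03.txt (1 May 2000) and RFC 3330: RESERVED-1, DHCP
# auto-configuration, NET-TEST, the 198.18.0.0/15 benchmarking range,
# MULTICAST (class D) and class E.
for _rsvd_net in 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
	198.18.0.0/15 224.0.0.0/4 240.0.0.0/4; do
	${fwcmd} add deny log all from any to ${_rsvd_net} via ${oif}
done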

# Network Address Translation.  The divert rule is deliberately sandwiched
# between the two groups of address checks: the group above filters on the
# destination and sees inbound packets before natd(8) rewrites them, the
# group below filters on the source and sees outbound packets after natd(8)
# has rewritten them.  Placed anywhere else, a LAN host such as 192.168.0.2
# would trip one of the private-range `deny' rules.
#
# NOTE(review): natd_enable and natd_interface are not assigned anywhere in
# this listing (presumably they come from rc.conf).  If they are unset when
# this runs, no divert rule is added and the LAN is not translated.  Also
# confirm natd_interface names the same interface as ${oif}.
case "${natd_enable}" in
[Yy][Ee][Ss])
	# Only add the rule when an interface has actually been configured.
	[ -z "${natd_interface}" ] ||
		${fwcmd} add divert natd all from any to any via ${natd_interface}
	;;
esac

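# Drop and log packets on the outside interface whose source lies in private
# (RFC 1918) space.  These rules run after the natd divert rule.
#
# The outside network (${onet}:${omask}) is itself inside 10.0.0.0/8, so an
# unqualified 10.0.0.0/8 rule would also drop every packet sent from ${oip}
# (which is presumably the address natd translates LAN traffic to) and every
# packet from a neighbour on the outside subnet.  The directly connected
# outside subnet is therefore exempted; the rest of 10.0.0.0/8 stays blocked.
# NOTE(review): "not src-ip" is ipfw2 option syntax -- confirm the installed
# ipfw accepts it, and confirm no other upstream 10.x sources are expected.
${fwcmd} add deny log all from 10.0.0.0/8 to any not src-ip ${onet}:${omask} via ${oif}
# 192.168.0.0/16 is written in canonical form: the posted "192.168.y.0/16"
# carried a redaction placeholder in an octet the /16 prefix masks out.
for _rsvd_net in 172.16.0.0/12 192.168.0.0/16; do
	${fwcmd} add deny log all from ${_rsvd_net} to any via ${oif}
done

# Drop and log sources in the other special-use ranges named by
# draft-manning-dsua-03.txt (1 May 2000) and RFC 3330: RESERVED-1, DHCP
# auto-configuration, NET-TEST, the benchmarking range, MULTICAST (class D)
# and class E.
# The benchmarking range is 198.18.0.0/15.  The posted rule said 198.168,
# which is ordinary routable address space: it would have dropped legitimate
# sources while leaving 198.18.0.0/15 unfiltered.
for _rsvd_net in 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
	198.18.0.0/15 224.0.0.0/4 240.0.0.0/4; do
	${fwcmd} add deny log all from ${_rsvd_net} to any via ${oif}
done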

# Inside interface: every packet entering or leaving via ${iif} is accepted.
${fwcmd} add allow all \
	from any to any \
	via ${iif}

# Outside interface, outbound: accept packets whose source address is in the
# outside network.
${fwcmd} add allow all \
	from ${onet}:${omask} to any \
	out via ${oif}

# The rule that denied and logged outbound traffic from every other source
# was disabled by the author; such packets now fall through to the rules
# below instead of being dropped here.
# ${fwcmd} add deny log all from any to any out via ${oif}  #  removed

# Accept TCP segments that belong to a connection already set up.
# NOTE(review): "established" matches on TCP flags (RST or ACK set), not on
# tracked connection state, so any such segment passes regardless of
# interface or direction.  Dynamic rules (check-state / keep-state) are the
# stricter alternative.
${fwcmd} add allow tcp \
	from any to any \
	established

# Accept IP fragments.
# NOTE(review): this accepts non-first fragments from any source on any
# interface, ahead of the per-port filtering that follows.
${fwcmd} add allow all \
	from any to any \
	frag

# Inbound TCP services accepted on the outside address: only the opening
# segment ("setup") is matched here.
#   21 ftp, 22 ssh, 25 email, 53 tcp-dns, 80 http, 443 https,
#   110 pop3, 995 pop3s
# NOTE(review): every port listed is reachable from the outside network;
# keep only the services this router really provides.
for _tcp_port in 21 22 25 53 80 443 110 995; do
	${fwcmd} add allow tcp from any to ${oip} ${_tcp_port} setup in via ${oif}
done

# Inbound connection attempts that are dropped without a log entry:
#   113 auth, 139 netbios, 389 ldap, 445 Microsoft's DB protocol
for _tcp_port in 113 139 389 445; do
	${fwcmd} add deny tcp from any to ${oip} ${_tcp_port} setup in via ${oif}
done

# Chatty UDP broadcast protocols arriving on the outside interface are
# dropped without logging: port 137 as source or destination, then source
# ports 138, 513 and 525.
${fwcmd} add deny udp from any 137 to any in via ${oif}
${fwcmd} add deny udp from any to any 137 in via ${oif}
for _udp_port in 138 513 525; do
	${fwcmd} add deny udp from any ${_udp_port} to any in via ${oif}
done

# Inbound DNS (source port 53) and NTP (source port 123) replies.  The match
# is on the sender's source port only, which the sender chooses, so any UDP
# packet sent from port 53 or 123 reaches any UDP port on ${oip}.
# NOTE(review): dynamic rules (keep-state on the outbound query plus
# check-state) would accept only replies to queries this host really sent.
for _udp_port in 53 123; do
	${fwcmd} add allow udp from any ${_udp_port} to ${oip} in via ${oif}
done

# Inbound DNS queries to the router are accepted.
${fwcmd} add allow udp \
	from any to ${oip} 53 \
	in via ${oif}

# Inbound NTP queries are dropped without logging.  Rules match in order, so
# a query sent from source port 123 is already accepted by the reply rule
# above and never reaches this one.
${fwcmd} add deny udp \
	from any to ${oip} 123 \
	in via ${oif}

# Traceroute probes (UDP 33435-33524) are answered with "port unreachable",
# so traceroute towards the router completes but the probes are not accepted.
${fwcmd} add unreach port udp \
	from any to ${oip} 33435-33524 \
	in via ${oif}

# Inbound ICMP accepted on the outside interface, by type:
#   0 echo reply, 3 destination unreachable, 4 source quench,
#   8 echo request, 11 TTL exceeded
${fwcmd} add allow icmp \
	from any to any \
	in via ${oif} icmptypes 0,3,4,8,11

# Limited-broadcast packets are dropped on every interface, without logging.
${fwcmd} add deny all \
	from any to 255.255.255.255

# Default policy: whatever no earlier rule matched is dropped and logged.
${fwcmd} add deny log all \
	from any to any

 
