"natd and firewall PLEASE HELP!"
OpenNET forums: Virtual conference (Public)
Posted by She on 19-Sep-02, 11:25 (MSK)
I have natd and a firewall with the rules below.
The machines on the internal network cannot get out to the Internet???
I ran natd -v and it seems to translate everything, but there is no access; worse, if I move the natd rule lower (it is commented out there right now), it gets completely absurd: fake packets start wandering in from somewhere outside!!!!
PLEASE HELP!!!! WHAT IS THE PROBLEM HERE!!!!????

rc.firewall
-----------
#!/bin/sh

# The posted script never set fwcmd, so every "${fwcmd} add ..." line below
# would have run with an empty command; defined here as in any rc.firewall.
fwcmd="/sbin/ipfw"

natd_interface=dc0

# set these to your outside interface network and netmask and ip
oif="dc0"
onet="...."
omask="255.255.255.224"
oip="..."

# set these to your inside interface network and netmask and ip
iif="xl0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.254"

${fwcmd} -f flush

# Divert first: every packet crossing dc0 is handed to natd before any
# filtering, so an inbound reply continues at the next rule with its
# destination already rewritten to a 192.168.1.x address.
${fwcmd} add divert natd all from any to any via dc0

${fwcmd} add pass all from any to any via lo0

${fwcmd} add deny all from any to 10.0.0.0/8 in via ${oif}
${fwcmd} add deny all from 10.0.0.0/8 to any in via ${oif}
${fwcmd} add deny log all from any to 10.0.0.0/8 out via ${oif}
${fwcmd} add deny log all from 10.0.0.0/8 to any out via ${oif}

${fwcmd} add deny all from any to 172.16.0.0/12 in via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any in via ${oif}
${fwcmd} add deny log all from any to 172.16.0.0/12 out via ${oif}
${fwcmd} add deny log all from 172.16.0.0/12 to any out via ${oif}

# NOTE: these are evaluated after the divert above. A NAT-translated reply
# (destination now 192.168.1.x, still "in via dc0") matches the first rule
# and is dropped, which is why the inside hosts never see answers.
# With the divert moved below this block instead, untranslated outbound
# packets from 192.168.1.x hit the two "deny log" rules here, the likely
# source of the logged "fake" packets.
${fwcmd} add deny all from any to 192.168.0.0/16 in via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any in via ${oif}
${fwcmd} add deny log all from any to 192.168.0.0/16 out xmit ${oif}
${fwcmd} add deny log all from 192.168.0.0/16 to any out xmit ${oif}

${fwcmd} add deny all from 127.0.0.0/8 to any in via ${oif}
${fwcmd} add deny log all from 127.0.0.0/8 to any out via ${oif}

${fwcmd} add deny log all from 255.255.255.255 to any in via ${oif}
${fwcmd} add deny log all from any to 0.0.0.0 in via ${oif}
${fwcmd} add deny log all from 255.255.255.255 to any out via ${oif}
${fwcmd} add deny log all from any to 0.0.0.0 out via ${oif}

# Posted as 244.0.0.0/4 and 244.0.0.0/5. Both prefixes have host bits set;
# ipfw masks them silently to 240.0.0.0/4 and 240.0.0.0/5, so multicast
# (224.0.0.0/4) was never filtered. Corrected to the presumably intended
# multicast and class E ranges.
${fwcmd} add deny log all from 224.0.0.0/4 to any in via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 out via ${oif}

${fwcmd} add deny log all from 240.0.0.0/4 to any in via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 out via ${oif}

#${fwcmd} add divert natd all from any to any via dc0

#${fwcmd} add pass all from any to any via lo0

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 out via dc0
${fwcmd} add pass udp from any 53 to ${oip} in via dc0
#${fwcmd} add pass udp from any 53 to any in via dc0

${fwcmd} add pass tcp from ${oip} to any 53 out via dc0
${fwcmd} add pass tcp from any 53 to ${oip} in via dc0 established

${fwcmd} add pass tcp from ${oip} to any auth out via dc0
${fwcmd} add pass tcp from any to ${oip} auth in via dc0 established

${fwcmd} add pass tcp from ${oip} to any 25 out via dc0
${fwcmd} add pass tcp from any 25 to ${oip} in via dc0 established

${fwcmd} add pass tcp from any to ${oip} 25 in via dc0
${fwcmd} add pass tcp from ${oip} 25 to any out via dc0 established

${fwcmd} add pass tcp from any to ${oip} 110 in via dc0
${fwcmd} add pass tcp from ${oip} 110 to any out via dc0 established

${fwcmd} add pass tcp from any to ${oip} 22 in via dc0
${fwcmd} add pass tcp from ${oip} 22 to any out via dc0 established

${fwcmd} add pass tcp from ${oip} to any 22 out via dc0
${fwcmd} add pass tcp from any 22 to ${oip} in via dc0 established

${fwcmd} add pass tcp from ${oip} to any 21 out via dc0
${fwcmd} add pass tcp from any 21 to ${oip} in via dc0 established

${fwcmd} add pass tcp from any 20 to ${oip} 1024-65535 in via dc0
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 20 out via dc0 established

${fwcmd} add pass tcp from any 1024-65535 to ${oip} 1024-65535 in via dc0
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 1024-65535 out via dc0 established

${fwcmd} add pass tcp from any to ${oip} 80 in via dc0
${fwcmd} add pass tcp from ${oip} 80 to any out via dc0 established

${fwcmd} add pass tcp from ${oip} to any 80 out via dc0
${fwcmd} add pass tcp from any 80 to ${oip} in via dc0 established

${fwcmd} add pass tcp from ${oip} to any 443 out via dc0
${fwcmd} add pass tcp from any 443 to ${oip} in via dc0 established

${fwcmd} add pass tcp from any to ${iip} 3128 in via xl0
${fwcmd} add pass tcp from ${iip} 3128 to any out via xl0 established

${fwcmd} add pass tcp from any to ${oip} 3128 in via dc0
${fwcmd} add pass tcp from ${oip} 3128 to any out via dc0 established

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123
${fwcmd} add pass udp from any 123 to ${oip}

${fwcmd} add pass all from 192.168.1.0/24 to any in via xl0
# posted as 192.168.1.9/24; ipfw masks that to the same 192.168.1.0/24
${fwcmd} add pass all from any to 192.168.1.0/24 out via xl0

${fwcmd} add pass all from any to any via ppp0

# Nothing above passes a translated reply (destination 192.168.1.x) "in via
# dc0", so such packets fall through to the default rule 65535.


1. "RE: natd and firewall PLEASE HELP!"
Posted by proff on 19-Sep-02, 19:16 (MSK)
There is one very simple rule here: arrange the IPFW rules in the following order:
1. first the deny and reject instructions (if any)
2. then divert
3. then allow for the internal network(s)
4. then allow everything else
5. then deny everything that is left.

As an example, here is my working rc.firewall:

------- rc.firewall -------

# Copyright (c) 2002  Aliot SWLab, Moscow
# All rights reserved.
#
# $Id: rc.firewall,v 1.2 2002/09/07 22:30:40 proff Exp $
#

# Setup system for firewall service.
#

# Accept the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi


############
# Define the firewall type in /etc/rc.conf
#
# Valid values are:
#   open     - will allow anyone in
#   close    - disables external IP connections (internal connections allowed)
#   denyall  - totally disable IP connections except via lo0 interface
#   aliot    - will try to protect Aliot SWLab network
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)


############
# Global variables:
# ipfw executable name
#
fwcmd="/sbin/ipfw"                  # IPFW name

############
# Global variables:
# Internal and external IPs, nets, masks, interfaces
#
inip="192.168.1.1"                  # internal IP
innet="192.168.1.0/24"              # internal net
inmask="255.255.255.0"              # internal netmask
exip="<external IP>"                # external IP (real inet IP)
exnet="<external net/mask>"         # external net
exmask="<external mask>"            # external netmask
inface="rl0"                        # internal interface
exface="ed0"                        # external interface


############
# Global variables:
# Internal (firewalling) hosts
#
aliot="192.168.1.1"                 # aliot host
#
# other hosts of the internal network go here
#

############
# Global variables:
# Open/Closed ports, ICMP messages
#
UNPRIV_PORTS="1024-65535"           # unprivileged ports
PRIV_PORTS="1-1023"                 # privileged ports
OPEN_SERVICE_PORTS="20,21,22,25,80" # FTP, FTP-DATA, SSH, SMTP, WWW
RESTRICTED_PORTS="1080,2000,2001,2049"      # SOCKS, XWin, Apache<1.3.26 worm, NFS
EXT_OPEN_PORTS1="20-23,25,43,53,80"         # FTP, FTP-DATA, SSH, telnet, SMTP, WHOIS, DNS, WWW
EXT_OPEN_PORTS2="110,113,119,123,143,443"   # POP3, AUTH, NNTP, NTP, IMAP, SSL/HTTPS
TRACEROUTE_SRC_PORTS="32769-65535"  # TRACEROUTE source port range
TRACEROUTE_DST_PORTS="33434-33523"  # TRACEROUTE destination port range
ICQ_PORTS="5190"                    # ICQ (UDP and TCP ports)
INCOMING_ICMP_MSGS="0,3,4,8,11,12"  # Echo Reply, Destination Unreachable, Source Quench, Echo Request, Time-to-live exceeded, IP header bad/Parameter problem
OUTGOING_ICMP_MSGS="0,3,4,8,11,12"  # Echo Reply, Destination Unreachable, Source Quench, Echo Request, Time-to-live exceeded, IP header bad/Parameter problem

############
# Set firewall type
#
if [ -n "${1}" ]; then
    firewall_type="${1}"
fi


############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
    fwcmd="${fwcmd} -q"
    ;;
*)
    fwcmd="${fwcmd}"
    ;;
esac


############
# Flush out the ipfw rule list before we begin.
#
${fwcmd} -f flush


############
# Process ipfw rules for particular firewall types.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
    ${fwcmd} add 100 allow all from any to any via lo0

    ############
    # Allow connection to local services (OPEN_SERVICE_PORTS)
    #
    ${fwcmd} add 110 allow tcp from any to ${exip} ${OPEN_SERVICE_PORTS} via ${exface}
    ${fwcmd} add 120 allow tcp from ${exip} ${OPEN_SERVICE_PORTS} to any via ${exface}
    ${fwcmd} add 130 allow udp from any to ${exip} ${OPEN_SERVICE_PORTS} via ${exface}
    ${fwcmd} add 140 allow udp from ${exip} ${OPEN_SERVICE_PORTS} to any via ${exface}

    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add 200 divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac
    ${fwcmd} add 300 deny all from any to 127.0.0.0/8
    ${fwcmd} add 400 deny all from 127.0.0.0/8 to any
    ${fwcmd} add 65000 allow all from any to any
    ;;

[Cc][Ll][Oo][Ss][Ee])
    ${fwcmd} add 100 allow all from any to any via lo0
    ${fwcmd} add 200 deny all from any to any via ${exface}
    ${fwcmd} add 300 deny all from any to 127.0.0.0/8 via ${inface}
    ${fwcmd} add 400 deny all from 127.0.0.0/8 to any via ${inface}
    ${fwcmd} add 65000 allow all from any to any via ${inface}
    ;;

[Dd][Ee][Nn][Yy][Aa][Ll][Ll])
    ${fwcmd} add 100 allow all from any to any via lo0
    ${fwcmd} add 200 deny all from any to any
    ;;

[Aa][Ll][Ii][Oo][Tt])

    ########################
    # Deny rules           #
    ########################

    #######################
    # Stop spoofing
    #
    ${fwcmd} add 1000 deny all from ${innet} to any in via ${exface}
    ${fwcmd} add 1010 deny all from ${exnet} to any in via ${inface}


    #######################
    # Stop RFC1918 nets on the outside interface
    # (these run before the divert at 4000, so they see the untranslated
    # destination and do not catch NAT-translated replies)
    #
    ${fwcmd} add 1100 deny all from any to 10.0.0.0/8 via ${exface}
    ${fwcmd} add 1110 deny all from any to 172.16.0.0/12 via ${exface}
    ${fwcmd} add 1120 deny all from any to 192.168.0.0/16 via ${exface}
    ${fwcmd} add 1130 deny all from any to 127.0.0.0/8 via ${exface}

    #######################
    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    #
    ${fwcmd} add 1200 deny all from any to 0.0.0.0/8 via ${exface}
    ${fwcmd} add 1210 deny all from any to 255.255.255.255 via ${exface}
    ${fwcmd} add 1220 deny all from any to 169.254.0.0/16 via ${exface}
    ${fwcmd} add 1230 deny all from any to 192.0.2.0/24 via ${exface}
    ${fwcmd} add 1240 deny all from any to 224.0.0.0/4 via ${exface}
    ${fwcmd} add 1250 deny all from any to 240.0.0.0/4 via ${exface}

    #######################
    # Stop incoming TCP & ICMP fragments via ${exface}
    #
    ${fwcmd} add 1300 deny tcp from any to any via ${exface} frag
    ${fwcmd} add 1310 deny icmp from any to any via ${exface} frag

    #######################
    # Deny & Log all setup of incoming connections from outside
    # to unprivileged and restricted ports (UNPRIV_PORTS + RESTRICTED_PORTS);
    #
    ${fwcmd} add 1400 deny log tcp from any to any ${UNPRIV_PORTS} in via ${exface} setup
    ${fwcmd} add 1410 deny log udp from any to any ${RESTRICTED_PORTS} in via ${exface}

    ########################
    # Deny badhost rules   #
    ########################

    ########################
    # Reject rules         #
    ########################

    ########################
    # Internal connections #
    # and divert rules     #
    ########################

    ############
    # Enable NAT
    #
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add 4000 divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac

    ############
    # Enable internal connections
    # (4120 admits the packets whose destination natd has just rewritten
    # to ${innet}, i.e. the replies for the inside hosts)
    #
    ${fwcmd} add 4100 allow all from any to any via lo0
    ${fwcmd} add 4110 allow all from any to any via ${inface}
    ${fwcmd} add 4120 allow all from any to ${innet} via ${exface}

    ########################
    # Allow rules          #
    ########################

    ############
    # Allow external TCP connection if setup succeeded
    # ("established" matches any TCP packet with ACK or RST set; it does not
    # track connections, unlike the keep-state rules used for traceroute below)
    #
    ${fwcmd} add 5000 allow tcp from any to any via ${exface} established

    ############
    # Allow setup connection to local services (OPEN_SERVICE_PORTS)
    #
    ${fwcmd} add 5100 allow tcp from any to ${exip} ${OPEN_SERVICE_PORTS} via ${exface} setup
    ${fwcmd} add 5110 allow tcp from ${exip} ${OPEN_SERVICE_PORTS} to any via ${exface} setup
    ${fwcmd} add 5120 allow udp from any to ${exip} ${OPEN_SERVICE_PORTS} via ${exface}
    ${fwcmd} add 5130 allow udp from ${exip} ${OPEN_SERVICE_PORTS} to any via ${exface}

    ############
    # Allow setup external connections (EXT_OPEN_PORTS1 + EXT_OPEN_PORTS2 + UNPRIV_PORTS)
    #
    ${fwcmd} add 5200 allow tcp from ${exip} ${UNPRIV_PORTS} to any ${EXT_OPEN_PORTS1} via ${exface} setup
    ${fwcmd} add 5210 allow tcp from ${exip} ${UNPRIV_PORTS} to any ${EXT_OPEN_PORTS2} via ${exface} setup
    ${fwcmd} add 5220 allow tcp from ${exip} ${UNPRIV_PORTS} to any ${UNPRIV_PORTS} via ${exface} setup

    ${fwcmd} add 5230 allow udp from ${exip} ${UNPRIV_PORTS} to any ${EXT_OPEN_PORTS1} via ${exface}
    ${fwcmd} add 5240 allow udp from ${exip} ${UNPRIV_PORTS} to any ${EXT_OPEN_PORTS2} via ${exface}
    ${fwcmd} add 5250 allow udp from any ${EXT_OPEN_PORTS1} to ${exip} ${UNPRIV_PORTS} via ${exface}
    ${fwcmd} add 5260 allow udp from any ${EXT_OPEN_PORTS2} to ${exip} ${UNPRIV_PORTS} via ${exface}

    ############
    # Allow TRACEROUTE queries out in the world (TRACEROUTE_SRC_PORTS + TRACEROUTE_DST_PORTS)
    #
    ${fwcmd} add 5300 allow udp from any ${TRACEROUTE_DST_PORTS} to ${exip} ${TRACEROUTE_SRC_PORTS} via ${exface} keep-state
    ${fwcmd} add 5310 allow udp from ${exip} ${TRACEROUTE_SRC_PORTS} to any ${TRACEROUTE_DST_PORTS} via ${exface} keep-state

    ############
    # Allow ICQ (over UDP)
    #
    #${fwcmd} add 5400 allow udp from ${exip} to any ${ICQ_PORTS} via ${exface}
    #${fwcmd} add 5410 allow udp from any ${ICQ_PORTS} to ${exip} via ${exface}


    ############
    # Allow ICMP:
    # Echo Reply (0),
    # Destination Unreachable (3),
    # Source Quench (4),
    # Echo Request (8),
    # Time-to-live exceeded (11),
    # IP header bad/Parameter problem (12)
    #
    ${fwcmd} add 5500 allow icmp from ${exip} to any via ${exface} icmptypes ${OUTGOING_ICMP_MSGS}
    ${fwcmd} add 5510 allow icmp from any to ${exip} via ${exface} icmptypes ${INCOMING_ICMP_MSGS}

    ########################
    # Accounting rules     #
    ########################

    ########################
    # DEBUG section        #
    ########################

    ########################
    # Logging other denied packets
    #
    #${fwcmd} add 65000 deny log all from any to any via ${exface}
    #${fwcmd} add 65100 deny log all from any to any via ${inface}

    ;;

[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
    ;;
*)
    if [ -r "${firewall_type}" ]; then
        ${fwcmd} ${firewall_flags} ${firewall_type}
    fi
    ;;
esac

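The ordering rule given in the reply, and the divert-placement problem in the first post, can be checked mechanically against a rule dump. The linter below is an added example written for this page; it is not code from either post or from FreeBSD. It reads rule lines in the format `ipfw list` prints, assigns each rule to one of the five slots in the reply's order (deny, divert, allow internal, allow rest, deny rest), and reports: rules out of that order; deny rules that sit after a divert yet match inner-net destinations on the outside interface (they drop NAT-translated replies); allow rules for the inner net on the outside interface placed before the divert (they only ever see untranslated packets); a missing rule for translated replies after the divert; prefixes with host bits set, which ipfw masks silently (this is how 244.0.0.0/4 becomes 240.0.0.0/4); and bare `allow tcp from any to any ... established` rules. The two sample rulesets, the interface names and the 192.0.2.1 external address are constructed for the example and are not the posters' real configurations.

```python
"""Added example (not from the thread): lint an ipfw rule dump, given as lines in
the format `ipfw list` prints, for the ordering and NAT mistakes discussed above.
The sample rules, interfaces and addresses below are constructed."""
import re
from ipaddress import ip_network

RULE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>deny|allow|pass|accept|reject|divert\s+\S+|unreach\s+\S+)"
    r"(?:\s+log)?\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+\d[\d,-]*)?"        # optional source port list
    r"\s+to\s+(?P<dst>\S+)(?:\s+\d[\d,-]*)?(?P<opts>.*)$")
ALLOW = {"allow", "pass", "accept"}
DENY = {"deny", "reject", "unreach"}


def parse_addr(text, num, findings):
    """'any' and 'me' carry no prefix.  ipfw accepts a prefix with host bits set but
    silently masks it (244.0.0.0/4 becomes 240.0.0.0/4), so such a prefix is flagged."""
    if text in ("any", "me"):
        return None
    try:
        return ip_network(text)                      # strict: host bits must be zero
    except ValueError:
        masked = ip_network(text, strict=False)
        findings.append(f"rule {num}: {text} has host bits set; ipfw masks it to {masked}, probably a typo")
        return masked


def parse_rule(line, findings):
    m = RULE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed rule: {line!r}")
    num, opts = int(m["num"]), m["opts"].split()
    via = re.search(r"\b(?:via|xmit|recv)\s+(\S+)", m["opts"])
    return {"num": num, "verb": m["action"].split()[0],
            "src": parse_addr(m["src"], num, findings),
            "dst": parse_addr(m["dst"], num, findings),
            "iface": via.group(1) if via else None,
            "direction": "in" if "in" in opts else "out" if "out" in opts else None,
            "established": "established" in opts}


def phase(rule, inner_net, inner_if):
    """Slot in the order deny, divert, allow internal, allow rest, deny rest (1..5)."""
    if rule["verb"] in DENY:
        catch_all = rule["src"] is None and rule["dst"] is None and rule["iface"] is None
        return 5 if catch_all else 1
    if rule["verb"] == "divert":
        return 2
    inside = rule["iface"] in (inner_if, "lo0") or any(
        a is not None and a.overlaps(inner_net) for a in (rule["src"], rule["dst"]))
    return 3 if inside else 4


def lint(lines, inner_net, inner_if, outer_if):
    inner_net = ip_network(inner_net)
    findings = []
    rules = sorted((parse_rule(l, findings) for l in lines if l.strip()), key=lambda r: r["num"])
    highest, diverted, replies_admitted = 0, False, False
    for r in rules:                                  # ipfw evaluates in ascending rule number
        p = phase(r, inner_net, inner_if)
        if p < highest:
            findings.append(f"rule {r['num']}: out of order (expected deny, divert, allow internal, allow rest, deny rest)")
        highest = max(highest, p)
        on_outer = r["iface"] == outer_if
        inner_dst = r["dst"] is not None and r["dst"].overlaps(inner_net)
        if r["verb"] == "divert" and on_outer:
            diverted = True                          # from here on, inbound packets carry inner-net destinations
        elif on_outer and inner_dst and r["verb"] in DENY and diverted and r["direction"] != "out":
            findings.append(f"rule {r['num']}: sits after the divert and matches inner-net destinations "
                            f"'in via {outer_if}', so it drops NAT-translated replies")
        elif on_outer and inner_dst and r["verb"] in ALLOW:
            if diverted:
                replies_admitted = True
            else:
                findings.append(f"rule {r['num']}: allow to the inner net on {outer_if} precedes the divert; "
                                "inbound packets still carry the public address there, so translated replies never reach it")
        if r["verb"] in ALLOW and r["established"] and r["src"] is None and r["dst"] is None:
            findings.append(f"rule {r['num']}: 'established' matches any TCP packet with ACK or RST set, "
                            "not a tracked connection; keep-state/check-state is the stateful form")
    if diverted and not replies_admitted:
        findings.append(f"no allow rule admits packets to {inner_net} via {outer_if} after the divert; "
                        "translated replies fall through to the default rule 65535")
    return findings


# Constructed samples: the first has the shape of the first post (divert on top, RFC1918
# denies after it, no rule for translated replies), the second the shape of the reply's
# "aliot" section.  192.0.2.1 stands in for the box's public address.
ASKER_RULES = [
    "00100 divert 8668 ip from any to any via dc0",
    "00200 allow ip from any to any via lo0",
    "00300 deny ip from any to 192.168.0.0/16 in via dc0",
    "00400 deny ip from 192.168.0.0/16 to any in via dc0",
    "00500 deny log ip from any to 244.0.0.0/4 out via dc0",
    "00600 allow tcp from 192.0.2.1 to any 80 out via dc0",
    "00700 allow tcp from any 80 to 192.0.2.1 in via dc0 established",
    "00800 allow ip from 192.168.1.0/24 to any in via xl0",
    "00900 allow ip from any to 192.168.1.0/24 out via xl0",
]
PROFF_RULES = [
    "01000 deny ip from 192.168.1.0/24 to any in via ed0",
    "01120 deny ip from any to 192.168.0.0/16 via ed0",
    "01240 deny ip from any to 224.0.0.0/4 via ed0",
    "01400 deny log tcp from any to any 1024-65535 in via ed0 setup",
    "04000 divert 8668 ip from any to any via ed0",
    "04100 allow ip from any to any via lo0",
    "04110 allow ip from any to any via rl0",
    "04120 allow ip from any to 192.168.1.0/24 via ed0",
    "05000 allow tcp from any to any via ed0 established",
    "05100 allow tcp from any to 192.0.2.1 20,21,22,25,80 via ed0 setup",
]

if __name__ == "__main__":
    for name, rules, inner_if, outer_if in (("first post", ASKER_RULES, "xl0", "dc0"),
                                            ("reply", PROFF_RULES, "rl0", "ed0")):
        print(f"== {name} ==")
        for finding in lint(rules, "192.168.1.0/24", inner_if, outer_if) or ["clean"]:
            print("  " + finding)
```

Run against a live box with `ipfw list | python3 lint.py` after replacing the samples with `sys.stdin`; the only inputs it needs are the dump, the inner prefix and the two interface names. The classification deliberately follows the reply's five-slot order literally, so a ruleset that is correct for other reasons may still be reported as out of order; the NAT-specific findings (deny after divert, missing reply rule) are the ones that reproduce the first post's symptom.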