А каким правилом все закрыть
Вот мой
# Interfaces.
if_local='vr1'
if_extern='vr0'
if_inet='tun0'
# Networks.
iif="vr1"
oip="10.11.81.108" сетка на входе
iip="192.168.2.1" моя сетка
iin="192.168.2.0/24"
extern_net='10.11.81.0/24'
extern_ip='10.11.81.108/24'
local_net='192.168.2.0/24'
local_ip='192.168.2.1/24'
inet_ip='217.X.X.X/32' внешний IP после VPN
# Commands.
natcmd='/sbin/natd'
ipfwcmd='/sbin/ipfw'
${ipfwcmd} -q -f flush
#### Start NAT ####
${natcmd} -interface ${if_extern} -port 8668
${natcmd} -interface ${if_inet} -port 8669
${ipfwcmd} add 1 deny tcp from any to any 135,137,138,139 via ${if_inet}
${ipfwcmd} add 2 deny tcp from any 135,137,138,139 to any via ${if_inet}
${ipfwcmd} add 3 deny tcp from any to any 135,137,138,139 via ${if_extern}
${ipfwcmd} add 4 deny tcp from any 135,137,138,139 to any via ${if_extern}
${ipfwcmd} add 5 deny tcp from any to any 135,137,138,139 via ${if_local}
${ipfwcmd} add 6 deny tcp from any 135,137,138,139 to any via ${if_local}
${ipfwcmd} add 7 deny udp from any to any 135,137,138,139 via ${if_inet}
${ipfwcmd} add 8 deny udp from any 135,137,138,139 to any via ${if_inet}
${ipfwcmd} add 9 deny udp from any to any 135,137,138,139 via ${if_extern}
${ipfwcmd} add 10 deny udp from any 135,137,138,139 to any via ${if_extern}
${ipfwcmd} add 11 deny udp from any to any 135,137,138,139 via ${if_local}
${ipfwcmd} add 12 deny udp from any 135,137,138,139 to any via ${if_local}
## Firewall ###
${ipfwcmd} add 19 divert 20000 ip from any to any
${ipfwcmd} add 20 divert 8668 all from any to any via ${if_extern}
${ipfwcmd} add 30 divert 8669 all from any to any via tun0
${ipfwcmd} add 40 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${ipfwcmd} add 70 pass all from any to any via lo0
${ipfwcmd} add 80 pass all from any to any via ${if_inet}
${ipfwcmd} add 90 pass all from any to any via ${if_extern}
${ipfwcmd} add 01003 allow ip from any to 172.16.0.4
${ipfwcmd} add 01003 allow ip from 172.16.0.4 to any
${ipfwcmd} -q add 1195 pass all from 192.168.2.0/24 to 192.168.2.1 via ${if_loca
${ipfwcmd} -q add 1195 pass all from 192.168.2.1 to 192.168.2.0/24 via ${if_loca
${ipfwcmd} -q add 2000 deny all from 192.168.2.0/24 to any via ${if_local}
${ipfwcmd} -q add 2000 deny all from any to 192.168.2.0/24 via ${if_local}
${ipfwcmd} -q add 2001 deny all from 192.168.2.0/24 to any via vr0
${ipfwcmd} -q add 2001 deny all from any to 192.168.2.0/24 via vr0
${ipfwcmd} -q add 2002 deny all from 192.168.2.0/24 to any via tun0
${ipfwcmd} -q add 2002 deny all from any to 192.168.2.0/24 via tun0
${ipfwcmd} -q add 2003 deny all from 172.16.0.0/24 to any via ${if_local}
${ipfwcmd} -q add 2003 deny all from any to 172.16.0.0/24 via ${if_local}
${ipfwcmd} -q add 2004 deny all from 172.16.0.0/24 to any via vr0
${ipfwcmd} -q add 2004 deny all from any to 172.16.0.0/24 via vr0
${ipfwcmd} -q add 2005 deny all from 172.16.0.0/24 to any via tun0
${ipfwcmd} -q add 2005 deny all from any to 172.16.0.0/24 via tun0
${ipfwcmd} -q add 22050 pass ip from ${inet_ip} to any out xmit ${if_inet}
# Stop local networks for outside
${ipfwcmd} -q add 1900 deny ip from ${extern_net} to any in via ${if_inet}
${ipfwcmd} -q add 1910 deny ip from ${local_net} to any in via ${if_inet}
${ipfwcmd} -q add 1920 deny ip from 127.0.0.0/8 to any in via ${if_inet}
## Allow mail,http,https,ssh,ftp
# internet
# extern net
${ipfwcmd} -q add 22150 pass tcp from any to any 23,22,21 via ${if_extern}
${ipfwcmd} -q add 22160 pass tcp from any 23,22,21 to any via ${if_extern}
# local net
${ipfwcmd} -q add 22170 pass tcp from any to any 23,25,110,80,443,22,21 via ${if_Local
${ipfwcmd} -q add 22180 pass tcp from any 23,25,110,80,443,22,21 to any via ${if_local
## Allow dns
# internet
${ipfwcmd} -q add 22190 pass udp from any to any 53 via ${if_inet}
${ipfwcmd} -q add 22200 pass udp from any 53 to any via ${if_inet}
# local net
${ipfwcmd} -q add 22210 pass udp from any to any 53 via ${if_local}
${ipfwcmd} -q add 22220 pass udp from any 53 to any via ${if_local}
## Icmp
# localhost
${ipfwcmd} -q add 22230 pass all from any to any via lo0
${ipfwcmd} add 65535 deny all from any to any
Вариант для распечатки
OpenNET: Виртуальная конференция (Public)
on
19-Фев-05, 10:36 (MSK)
