
"ipfw"
Сообщение от deny on 13-Авг-02, 17:43 (MSK)
Добрый день. Я человек только начинающий, написал для своей домашней локалки правила. Посмотрите пожалуйста, наверняка там куча ошибок, хотя тестил, все работает.
start.sh:
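# start.sh — ipfw ruleset for a small home LAN behind a FreeBSD router.
# Flushes the table, loads the per-host deny lists, sets up natd, the
# transparent proxy forwarding and a bandwidth pipe, then opens the router's
# own addresses.  Rule order matters: ipfw stops at the first matching rule.
fwcmd="/sbin/ipfw"

# Interface names.  The original listing used ${de0} and ${lnc0} without ever
# assigning them, so "via ${de0}" expanded to a bare "via" — adjust these two
# to the real interface names of the box.
de0="de0"                                   # external (internet) interface
lnc0="lnc0"                                 # internal (LAN) interface

# Addresses.  In the original the trailing notes had no leading '#', so the
# shell treated each line as "VAR=... command" and the variables were never set.
localde0="111.111.111.111"                  # address on the internet side
locallnc0="192.168.254.1"                   # address on the LAN side
# NOTE(review): the "a.b.c.d-a.b.c.e" range form may not be accepted by ipfw;
# 192.168.254.0/24 is the usual spelling — confirm on the ipfw version in use.
localdomain="192.168.254.0-192.168.254.254" # LAN address range
localinet="111.111.111.0/25"                # our public subnet (in case it is ever routed here)
client_rules="/etc/rules/client.rules"      # per-client rules
local_deny="/etc/rules/local.deny"          # LAN hosts that must not leave the LAN
host_deny="/etc/rules/host.deny"            # blocked remote hosts

${fwcmd} -f flush
# The deny lists are loaded first so that no pass rule below can override them.
. "$local_deny"
. "$host_deny"
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny icmp from any to any frag
# check-state only has an effect together with keep-state rules; this ruleset
# has none, so it can stay disabled.
#${fwcmd} add check-state

#natd
${fwcmd} add divert natd all from any to any via ${de0}

#allow http,https,ftp from localdomain — redirected to the proxy on ${locallnc0}:8080
# (the http line of the original read "via $lnc0}", a shell typo)
# NOTE(review): forwarding port 443 and ftp to an HTTP proxy port usually breaks
# TLS and FTP sessions — confirm the proxy really handles these two.
${fwcmd} add fwd ${locallnc0},8080 tcp from ${localdomain} to any http in via ${lnc0}
${fwcmd} add fwd ${locallnc0},8080 tcp from ${localdomain} to any ftp in via ${lnc0}
${fwcmd} add fwd ${locallnc0},8080 tcp from ${localdomain} to any 443 in via ${lnc0}
${fwcmd} add pass tcp from ${localdomain} to ${locallnc0} 8080
${fwcmd} add pass tcp from ${locallnc0} 8080 to ${localdomain}

#pipe: 256 Kbit/s shared by everything crossing the external interface
${fwcmd} pipe 10 config bw 256Kbit/s
# NOTE(review): with the default net.inet.ip.fw.one_pass=1 a packet leaving the
# pipe is accepted without being re-checked, so this rule effectively passes
# all traffic via ${de0} and the rules below never see it — check the sysctl.
${fwcmd} add pipe 10 all from any to any via ${de0}

# Debug rules, kept disabled.
#${fwcmd} add pass all from any to any
#${fwcmd} add pass all from any to any via lo0

# NOTE(review): these six rules admit every inbound tcp/udp/icmp packet
# addressed to the router's public address, i.e. nothing listening on the
# router itself is shielded from the internet.
${fwcmd} add pass tcp from ${localde0} to any
${fwcmd} add pass tcp from any to ${localde0}
${fwcmd} add pass icmp from ${localde0} to any
${fwcmd} add pass icmp from any to ${localde0}
${fwcmd} add pass udp from ${localde0} to any
${fwcmd} add pass udp from any to ${localde0}

# Router <-> LAN traffic.
${fwcmd} add pass tcp from ${locallnc0} to 192.168.254.0/24
${fwcmd} add pass icmp from ${locallnc0} to 192.168.254.0/24
${fwcmd} add pass udp from ${locallnc0} to 192.168.254.0/24
${fwcmd} add pass tcp from 192.168.254.0/24 to ${locallnc0}
${fwcmd} add pass udp from 192.168.254.0/24 to ${locallnc0}
${fwcmd} add pass icmp from 192.168.254.0/24 to ${locallnc0}

. "$client_rules"

${fwcmd} add pass tcp from ${localinet} to any
${fwcmd} add pass tcp from any to ${localinet}
${fwcmd} add pass udp from ${localinet} to any
${fwcmd} add pass udp from any to ${localinet}
${fwcmd} add pass icmp from ${localinet} to any
${fwcmd} add pass icmp from any to ${localinet}

# Explicit default policy.  ipfw's built-in last rule (65535) is "deny ip from
# any to any" unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT;
# stating the deny here keeps the policy independent of the kernel config.
${fwcmd} add deny all from any to any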

client_rules и host.deny пока пусты.

local.deny:
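# local.deny — LAN hosts that may not send anything through the router.
# Sourced by start.sh, which provides ${fwcmd}; the rules are loaded before
# every pass rule, so a listed host is cut off completely.
#
# deny_range FIRST LAST
#   Adds one "deny all from 192.168.254.N to any" rule for every N from FIRST
#   to LAST inclusive — the same rules as the original one-line-per-host
#   listing, only shorter.  A single "deny ... from 192.168.254.0/24" would
#   also cut off the hosts that are meant to stay connected, so the ranges
#   are kept explicit.
deny_range() {
    _host=$1
    while [ "$_host" -le "$2" ]; do
        ${fwcmd} add deny all from 192.168.254.${_host} to any
        _host=$((_host + 1))
    done
}

deny_range 129 194
# .195-.218 stay allowed (those lines were commented out in the original)
deny_range 219 219
# .220-.230 stay allowed (those lines were commented out in the original)
deny_range 231 254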

Сообщения по теме

1. "RE: ipfw, небольшая подсказка"
Сообщение от Sulemanov R. S. on 14-Авг-02, 03:58 (MSK)
${fwcmd} add deny all from 192.168.254.136 to any — эту и последующие похожие записи можно упростить, написав что-то вроде ${fwcmd} add deny all from 192.168.254.0/24 to any или ${fwcmd} add deny all from 192.168.254.0:255.255.255.0, а хосты, которым, наоборот, нужно разрешить доступ, добавить к списку отдельными правилами (перед этим deny), поставив вместо deny — allow или pass.
Удачи!


2. "RE: ipfw, небольшая подсказка"
Сообщение от Garry on 15-Авг-02, 10:47 (MSK)
Угу, пользуйся подсетями — /28, /30, /32, а то уж очень много правил выходит.

