Вот моя конфигурация:
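#!/bin/sh
# Firewall rules for a two-interface FreeBSD NAT gateway (ipfw + natd) with a
# transparent HTTP proxy (squid on 127.0.0.1:3128) for the inside network.
#
# ipfw stops at the first matching rule, and divert, fwd, pass, deny and
# reset are all terminating actions, so the ORDER of the rules is the policy.
# Every rule is numbered explicitly to keep that order visible and stable.
#
# Abort on an unset variable: a mistyped variable name would otherwise expand
# to nothing and the rule would be silently skipped or mangled (the original
# ${fwcmp} typo on the check-state rule did exactly that).  An abort after the
# flush leaves only ipfw's default rule in place, which is deny (fail-closed)
# unless the kernel was built to default-accept -- be aware of that when
# running this over a remote session.
set -u

# Set variables
fwcmd="/sbin/ipfw"
net="XXX.XXX.XXX.0"       # Inside network
onet="YYY.YYY.YYY.0"      # Outside network
mask="ZZZ.ZZZ.ZZZ.0"      # Netmask, the same on the inside and outside networks
ip="XXX.XXX.XXX.1"        # Inside address of this gateway
oip="YYY.YYY.YYY.YYY"     # Outside address of this gateway
oif="rl0"                 # Outside interface
iif="rl1"                 # Inside interface
user1ip="XXX.XXX.XXX.UUU" # Address of user1

# Flush out the list before we begin.
${fwcmd} -f flush

# Match dynamic state created by the keep-state rules below (4300, 4400).
# The original script spelled the variable ${fwcmp} here, so this rule was
# never installed.  It is numbered so that it stays ahead of the natd divert
# rules.  NOTE(review): rules 4300/4400 key their state on the post-NAT
# source ${oip}; confirm on this ipfw/natd version that replies for LAN
# clients still get translated back after a check-state match.
${fwcmd} add 50 check-state

# Hand every packet crossing either interface to natd.
${fwcmd} add 100 divert natd all from any to any via ${oif}
${fwcmd} add 200 divert natd all from any to any via ${iif}

# Setup loopback: allow lo0, refuse loopback addresses on real interfaces.
${fwcmd} add 300 pass all from any to any via lo0
${fwcmd} add 400 deny all from any to 127.0.0.0/8
${fwcmd} add 500 deny ip from 127.0.0.0/8 to any

# Stop spoofing: inside addresses must not arrive on the outside interface
# and outside addresses must not arrive on the inside interface.
${fwcmd} add 600 deny log all from ${net}:${mask} to any in via ${oif}
${fwcmd} add 700 deny log all from ${onet}:${mask} to any in via ${iif}

# The bogon filters below are commented out for now because NAT is in use
# on the test setup; re-enable them once the address plan is final.
# Stop RFC1918 nets on the outside interface
#${fwcmd} add deny log all from any to 10.0.0.0/8 via ${oif}
#${fwcmd} add deny log all from any to 172.16.0.0/12 via ${oif}
#${fwcmd} add deny log all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
#${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
#${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
#${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
#${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
#${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}
# Stop RFC1918 nets on the outside interface
#${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
#${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
#${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
#${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
#${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
#${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
#${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
#${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}

# User1: bandwidth shaping (pipe 1 = towards the user, pipe 2 = from the user).
# Every user gets the same set: two pipe rules here, two pipe configs, and two
# "pass all" rules further down (5800/5900).  A generator script should give
# each user its own rule-number range and pipe-number pair so a user can be
# removed with "ipfw delete" without touching the others; on ipfw versions
# that support tables, one table-based rule per direction could replace the
# per-user copies -- check "ipfw table" on this box first.
# NOTE(review): with net.inet.ip.fw.one_pass=1 (the usual default) a packet
# leaving a pipe is accepted and does not reach later rules, so user1's
# inbound packets would never reach the fwd rule at 3700; if the proxy is
# observed to work for user1, verify the sysctl is 0 on this box.
${fwcmd} add 3000 pipe 1 ip from any to ${user1ip} out
${fwcmd} add 3001 pipe 2 ip from ${user1ip} to any in
${fwcmd} pipe 1 config bw 512Kbits/s
${fwcmd} pipe 2 config bw 512Kbits/s

# Transparent proxy: redirect HTTP arriving from the inside network to squid.
# "in" limits this to packets entering on the inside interface, so the
# gateway's own and forwarded outbound HTTP traffic is not sent to the proxy.
# This rule MUST stay ahead of 4100 ("pass tcp from any to any established")
# and of the per-user "pass all" rules (5800/5900): fwd is a terminating
# action and ipfw takes the first match, so with the rule moved below them
# only the initial SYN is forwarded to squid and every following packet of the
# connection is passed straight through to the real destination -- the
# connection is set up with the proxy and then stalls.
${fwcmd} add 3700 fwd 127.0.0.1,3128 tcp from any to any 80 in via ${iif}

# Allow ICMP.
${fwcmd} add 4000 pass icmp from any to any

# Allow TCP through if setup succeeded (anything but a bare SYN).
${fwcmd} add 4100 pass tcp from any to any established

# Allow IP fragments to pass through (non-first fragments carry no ports).
${fwcmd} add 4200 pass all from any to any frag

# Allow DNS queries out in the world
${fwcmd} add 4300 pass udp from ${oip} to any 53 keep-state

# Allow NTP queries out in the world
${fwcmd} add 4400 pass udp from ${oip} to any 123 keep-state

# Allow the ephemeral port range.
# NOTE(review): these two rules open 49152-65535 in both directions, from any
# source and to any destination, the gateway itself included.  They are here
# so replies to outbound connections get back in; keep-state on the outbound
# rules (as 4300/4400 do) would achieve that without exposing every high port.
${fwcmd} add 4500 pass tcp from any to any 49152-65535
${fwcmd} add 4600 pass udp from any to any 49152-65535

# Allow setup of incoming WWW
${fwcmd} add 4700 pass tcp from any to ${ip} 80 setup
${fwcmd} add 4750 pass tcp from any to ${oip} 80 setup

# Allow setup of incoming FTP
${fwcmd} add 4800 pass tcp from any to ${ip} 21 setup

# Allow setup of incoming DNS
${fwcmd} add 4900 pass tcp from any to ${ip} 53 setup
${fwcmd} add 5000 pass udp from any to ${ip} 53

# Allow setup of incoming SSH
${fwcmd} add 5100 pass tcp from any to ${ip} 22 setup
${fwcmd} add 5200 pass tcp from any to ${oip} 22 setup

# Allow setup of incoming PROXY connections.
# NOTE(review): "from any" admits every source address; if the proxy is only
# for the inside network, restrict this to "from ${net}:${mask}".
${fwcmd} add 5300 pass tcp from any to ${ip} 3128 setup

# This sends RESET to all ident packets.
${fwcmd} add 5400 reset log tcp from any to any 113 in recv ${oif}

# Allow the gateway itself to say anything it wants.
${fwcmd} add 5500 pass all from ${ip} to any out
${fwcmd} add 5600 pass all from ${oip} to any out

# Allow all connections to and from user1 (no restriction at all).
${fwcmd} add 5800 pass all from ${user1ip} to any
${fwcmd} add 5900 pass all from any to ${user1ip}

# Disallow setup of all other connections (logged, so nothing is dropped
# silently).
${fwcmd} add 10000 deny log ip from any to any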
Часть правил пока закомментирована, т.к. пока их использовать нельзя ввиду мерого маскарадинга на время тестирования.
Проблема в том, что правило 3700 перенаправляет все запросы с 80 порта на проксю. В таком виде всё работает, НО! Стоит только переместить правило с 3700 на 5700 — оно перестаёт работать.. :( То есть один пакет проходит, а потом всё.. В фильтре тоже нигде не застревает, т.к. все отбросы протоколируются.. В чём дело тут?
ЗЫ: Было бы ещё хорошо узнать, как эти правила оптимизировать/поправить/сделать более грамотно, т.к. юзеры по подобию юзера1 будут добавляться/удаляться/меняться, причём скриптом (а это по 4 правила на каждого).