Решил выложить скрипт firewalla.ю
Просьба к гуру. Обратите внимание на реализацию ftp исходящих соединений.
Из локалки только так получается достучаться до ftp.
Что Вы думаете по поводу реализации (безопасность)???
Да и любые коменты приветствуются!#!/bin/sh
fw="/sbin/ipfw -q"
inif="rl1"
outif="rl0"
inip="192.168.0.116"
outip="10.10.45.4"
innet="192.168.0.0/24"
skip="skipto 400"
${fw} -f flush
${fw} add 010 allow all from any to any via $inif
${fw} add 020 allow all from any to any via lo0
${fw} add 030 deny ip from any to 127.0.0.0/8
${fw} add 040 deny ip from 127.0.0.0/8 to any
${fw} add 069 divert natd all from ${innet} to any out via ${outif}
${fw} add 070 check-state
${fw} add 100 $skip icmp from any to any keep-state
${fw} add 105 $skip udp from any to any 123 out via $outif keep-state
${fw} add 110 $skip udp from any to any 53 out via $outif keep-state
${fw} add 111 $skip tcp from any to any 53 out via $outif setup keep-state
${fw} add 120 $skip tcp from any to any 80 out via $outif setup keep-state
${fw} add 130 $skip tcp from any to any 5190 out via $outif setup keep-state
${fw} add 140 $skip tcp from any to any 21 out via $outif setup keep-state
${fw} add 150 $skip tcp from any to any 20 out via $outif setup keep-state
${fw} add 210 $skip tcp from any 21 to $outip in via $outif setup keep-state
${fw} add 220 $skip tcp from any 20 to $outip in via $outif setup keep-state
${fw} add 300 allow icmp from any to $outip in via $outif limit src-addr 2
${fw} add 360 allow log all from any to any established
${fw} add 399 deny log all from any to any
${fw} add 400 divert natd all from any to ${outip} in via ${outif}
${fw} add 410 allow log all from any to any
${fw} add 999 deny log ip from any to any