Проблема в том, что я несколько начинающий, и не могу сообразить, как в данном наборе правил закрыть доступ http всем, кроме машины с адресом 192.168.4.7. Что тут неправильно на ваш взгляд, уважаемые?
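# ipfw ruleset in FreeBSD rc.firewall style. ipfw evaluates rules in
# ascending number order and stops at the first match, so the order below
# is the logic. ${fwcmd} (normally the ipfw binary) is not set anywhere in
# this excerpt -- confirm it is defined before these lines run.
lcl="127.0.0.0/8"
xl0="xl0"                       # interface used for NAT (rules 323-325)
xl1="xl1"
xl2="xl2"
out="217.S.S.S"                 # public address, redacted in the post
in4="192.168.4.5"
in5="192.168.5.5"
net1="192.168.0.0/16"
net2="10.186.20.0/24"
am="192.168.4.7"                # the single host that keeps direct HTTP access
#stop the spoofing: loopback only on lo0, loopback addresses nowhere else
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to ${lcl}
${fwcmd} add 300 deny ip from ${lcl} to any
#ipa (accounting, currently disabled)
#${fwcmd} add 321 count ip from any to me in via xl0
#${fwcmd} add 322 count ip from me to any out via xl0
#divert: NAT for both internal networks through natd on ${xl0}
${fwcmd} add 323 divert natd ip from ${net1} to any out via ${xl0}
${fwcmd} add 324 divert natd ip from ${net2} to any out via ${xl0}
${fwcmd} add 325 divert natd ip from any to ${out} in via ${xl0}
#ssh: only ${am} and two fixed hosts (X.X.X.X / Z.Z.Z.Z are redacted) may reach sshd
${fwcmd} add 330 allow tcp from ${am} to me ssh
${fwcmd} add 340 allow tcp from X.X.X.X to me ssh
${fwcmd} add 345 allow tcp from me 22 to X.X.X.X
${fwcmd} add 350 allow tcp from Z.Z.Z.Z to me ssh
${fwcmd} add 355 allow tcp from me 22 to Z.Z.Z.Z
${fwcmd} add 360 deny tcp from any to me ssh
#add ping (all ICMP types, both directions)
${fwcmd} add 2000 pass icmp from any to any
#allow connections to the local web servers; these must stay ahead of the
#reset rules 2500/2510 because ipfw takes the first match
${fwcmd} add 2100 pass tcp from any to ${in4} 80 in via ${xl1}
${fwcmd} add 2101 pass tcp from any to ${in5} 80 in via ${xl2}
${fwcmd} add 2200 pass tcp from any to ${out} 80 in via ${xl1}
${fwcmd} add 2201 pass tcp from any to ${out} 80 in via ${xl2}
#close some dangerous ports (NetBIOS)
${fwcmd} add 2300 reset tcp from any to ${out} 137-139 in via ${xl1}
${fwcmd} add 2310 reset tcp from any to ${out} 137-139 in via ${xl2}
#add some useful deny rules (telnet from outside)
${fwcmd} add 2400 reset tcp from any to ${out} 23 in via ${xl0}
#use squid for http
#only proxy users allowed -- with one exception:
#${am} is the only host that may bypass the proxy. This exception has to
#carry a number lower than 2500/2510, otherwise the reset below matches
#first and the host never gets through. Tighten it with "in via ${xl1}"
#once you have confirmed which interface 192.168.4.7 sits behind
#(rule 2100 suggests xl1). The match is by source address only.
${fwcmd} add 2490 pass tcp from ${am} to any 80,8100,8080,8000,90,443,8800,8001
${fwcmd} add 2500 reset tcp from any to any 80,8100,8080,8000,90,443,8800,8001 in via ${xl1}
${fwcmd} add 2510 reset tcp from any to any 80,8100,8080,8000,90,443,8800,8001 in via ${xl2}
#open some useful ports
#http, https (note: 8800 and 8001 are reset above but not listed here;
#on xl1/xl2 they fall through to the pass-all rules 64999/65000)
${fwcmd} add 2520 pass tcp from any to any 80,8100,8080,8000,90,443
#the "from any <port> to any" rules below match on source port alone, not
#on connection state; anything carrying that source port is passed, not
#only replies. ipfw's keep-state/check-state (or "established") would
#limit them to real return traffic.
${fwcmd} add 2530 pass tcp from any 80,8100,8080,8000,90,443 to any
#ftp
${fwcmd} add 2600 pass tcp from any to any 20,21
${fwcmd} add 2700 pass tcp from any 20,21 to any
#smtp
${fwcmd} add 3000 pass tcp from any to any 25
${fwcmd} add 3100 pass tcp from any 25 to any
#pop3
${fwcmd} add 3200 pass tcp from any to any 110
${fwcmd} add 3300 pass tcp from any 110 to any
#nntp
${fwcmd} add 3400 pass tcp from any to any 119
${fwcmd} add 3500 pass tcp from any 119 to any
#icq
${fwcmd} add 3600 pass tcp from any to any 5190
${fwcmd} add 3700 pass tcp from any 5190 to any
#squid
${fwcmd} add 3800 pass tcp from any to any 3128
${fwcmd} add 3900 pass tcp from any 3128 to any
#allow DNS request
${fwcmd} add 4000 pass udp from any to any 53
${fwcmd} add 4100 pass udp from any 53 to any
${fwcmd} add 4200 pass tcp from any to any 53
${fwcmd} add 4300 pass tcp from any 53 to any
#allow ntp request
${fwcmd} add 4400 pass udp from any to any 123
${fwcmd} add 4500 pass udp from any 123 to any
#other: everything not matched above is passed on the internal interfaces;
#traffic on ${xl0} that reaches this point is left to the default rule
#(65535, outside this excerpt), which denies unless the kernel was built
#to accept by default
${fwcmd} add 64999 pass all from any to any via ${xl1}
${fwcmd} add 65000 pass all from any to any via ${xl2}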