#!/bin/sh
# Path to the ipfw(8) binary; every rule below is installed through it.
ipfw="/sbin/ipfw"
# Remove the whole existing ruleset without prompting (-f). From here until the
# last rule is added the host runs on a partial ruleset, and if the script
# stops part-way only the rules added so far plus the kernel's built-in default
# rule apply.
# NOTE(review): confirm whether that kernel default is deny or allow here.
${ipfw} -f flush
# Source-address lists used by the "deny tcp from ${blocklistN} to any" rules
# near the end of the script. The values are comma+space separated and are
# expanded unquoted there, so the shell splits them into several arguments.
# 192.168.11.89 is listed in both.
blocklist1="192.168.11.33, 192.168.11.50, 192.168.11.51, 192.168.11.19, 192.168.11.89, 192.168.11.90, 192.168.11.28, 192.168.11.30, 192.168.11.2, 192.168.10.55, 192.168.10.110, 192.168.11.120"
blocklist2="192.168.11.64, 192.168.11.89, 192.168.11.29, 192.168.11.34"
#setup_loopback
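# Install the NAT divert rule (number 50) when natd is enabled and an
# interface has been named.
# natd_enable and natd_interface are not assigned anywhere in this script;
# presumably they are inherited from rc.conf or the caller's environment.
# TODO confirm.
# NOTE(review): a second rule numbered 50 is added unconditionally for rl1
# further down; with natd enabled both are installed. Confirm that is intended.
case ${natd_enable} in
[Yy][Ee][Ss])
  # The closing "]" must be a separate word. Written as "..."] the test fails
  # with "missing ]" and the divert rule is silently never installed.
  if [ -n "${natd_interface}" ]; then
    ${ipfw} add 50 divert natd all from any to any via ${natd_interface}
  fi
  ;;
esac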
# Rules 20-41: hand traffic between the two LAN /24s and the hosts
# 57.5.64.250 / 57.5.64.251 on rl0 to divert port 8672.
# NOTE(review): the program bound to divert port 8672 is not visible in this
# script; ipfw drops diverted packets when no socket is bound to the port, so
# confirm that the listener is started before these rules are loaded.
${ipfw} add 20 divert 8672 ip from 192.168.11.0/24 to 57.5.64.251 via rl0
${ipfw} add 30 divert 8672 ip from 192.168.10.0/24 to 57.5.64.251 via rl0
${ipfw} add 21 divert 8672 ip from 192.168.11.0/24 to 57.5.64.250 via rl0
${ipfw} add 31 divert 8672 ip from 192.168.10.0/24 to 57.5.64.250 via rl0
${ipfw} add 40 divert 8672 ip from 57.5.64.251 to any via rl0
${ipfw} add 41 divert 8672 ip from 57.5.64.250 to any via rl0
# Unconditional NAT divert on rl1. It uses the same rule number (50) as the
# natd_interface rule in the case block above.
${ipfw} add 50 divert natd all from any to any via rl1
# Loopback: allow everything on lo0, then drop packets that carry a
# 127.0.0.0/8 address on any other interface (anti-spoofing).
${ipfw} add 100 pass all from any to any via lo0
${ipfw} add 200 deny all from any to 127.0.0.0/8
${ipfw} add 300 deny ip from 127.0.0.0/8 to any
# From here on rules are auto-numbered, so their order in this file is their
# evaluation order.
# Accepts every IP fragment before any deny rule below is evaluated, so none
# of the later filtering applies to fragmented packets.
# NOTE(review): confirm this blanket exemption is still wanted.
${ipfw} add pass all from any to any frag
# Host 192.168.10.4 is exempt from all later rules in both directions.
${ipfw} add allow ip from any to 192.168.10.4
${ipfw} add allow ip from 192.168.10.4 to any
# Bandwidth shaping: each "add pipe N" rule sends TCP packets with source port
# 3128 that are addressed to the listed hosts through dummynet pipe N, and the
# "pipe N config" line that follows sets that pipe's bandwidth. No "mask" is
# given, so every host listed on a rule shares that one pipe's bandwidth.
# NOTE(review): if net.inet.ip.fw.one_pass is enabled, a packet leaving a pipe
# is accepted without being checked against the rules after it. Rules are
# first-match, so a host listed on two pipe rules (192.168.11.89 on pipes 1
# and 7, 192.168.11.9 on pipes 1 and 5, 192.168.11.90 on pipes 7 and 8) would
# then only ever use the first one.
${ipfw} add pipe 1 tcp from any 3128 to 192.168.11.91, 192.168.11.10, 192.168.11.89, 192.168.11.9,192.168.10.114,192.168.11.12,192.168.11.64
${ipfw} pipe 1 config bw 128Kbit/s
${ipfw} add pipe 2 tcp from any 3128 to 192.168.11.67
${ipfw} pipe 2 config bw 8Kbit/s
${ipfw} add pipe 3 tcp from any 3128 to 192.168.11.29,192.168.11.150,192.168.11.33
${ipfw} pipe 3 config bw 24Kbit/s
${ipfw} add pipe 4 tcp from any 3128 to 192.168.11.50, 192.168.11.61, 192.168.11.51,192.168.11.19
${ipfw} pipe 4 config bw 36Kbit/s
${ipfw} add pipe 5 tcp from any 3128 to 192.168.10.115, 192.168.11.9,192.168.10.102,192.168.10.63
${ipfw} pipe 5 config bw 24Kbit/s
${ipfw} add pipe 6 tcp from any 3128 to 192.168.11.11,192.168.10.55,192.168.11.79,192.168.10.119,192.168.10.121,192.168.10.205
${ipfw} pipe 6 config bw 80Kbit/s
${ipfw} add pipe 7 tcp from any 3128 to 192.168.11.90,192.168.11.89, 192.168.11.28
${ipfw} pipe 7 config bw 80Kbit/s
${ipfw} add pipe 8 tcp from any 3128 to 192.168.11.30, 192.168.11.31, 192.168.11.32,192.168.11.90,192.168.10.48
${ipfw} pipe 8 config bw 80Kbit/s
${ipfw} add pipe 9 tcp from any 3128 to 192.168.10.110, 192.168.10.112, 192.168.11.2
${ipfw} pipe 9 config bw 38Kbit/s
${ipfw} add pipe 10 tcp from any 3128 to 192.168.11.120, 192.168.10.73
${ipfw} pipe 10 config bw 256Kbit/s
# Drop packets whose SOURCE port is 80, 8080, 8101, 20 or 21 when they are
# addressed to the LAN subnets and pass through em0 / fxp0.
# NOTE(review): every other interface-bound rule in this script names rl0 or
# rl1; confirm that em0 and fxp0 exist on this host, otherwise these two rules
# never match.
${ipfw} add deny all from any 80,8080,8101,20,21 to 192.168.10.0/24 via em0
${ipfw} add deny all from any 80,8080,8101,20,21 to 192.168.11.0/24 via fxp0
# Traffic between the internal networks is accepted here and therefore never
# reaches the per-host deny rules that follow; those restrictions only affect
# traffic to destinations outside these subnet pairs.
${ipfw} add pass all from 192.168.10.0/24 to 192.168.11.0/24
${ipfw} add pass all from 192.168.11.0/24 to 192.168.10.0/24
${ipfw} add pass all from 10.2.1.0/24 to 192.168.11.0/24
${ipfw} add pass all from 192.168.11.0/24 to 10.2.1.0/24
${ipfw} add pass all from 192.168.1.0/24 to 192.168.10.0/24
${ipfw} add pass all from 192.168.10.0/24 to 192.168.1.0/24
# Block the listed TCP destination ports for 192.168.11.0/24. The range
# 6881-6889 is already contained in 6881-6999, so it is redundant.
${ipfw} add deny tcp from 192.168.11.0/24 to any 4661,4662,4672,4665,4711,6881-6889,6881-6999
# Block all traffic from 192.168.11.0/24 to three external /24 networks.
${ipfw} add deny all from 192.168.11.0/24 to 152.163.159.0/24, 152.163.208.0/24, 61.12.161.0/24
# Mail-only hosts: deny TCP from each listed host to every destination port
# except 25 (SMTP), 110 (POP3), 113 (ident) and 143 (IMAP).
# This restricts TCP only; these rules do not match other protocols such as
# UDP or ICMP from these hosts.
${ipfw} add deny tcp from 192.168.10.54 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.10.56 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.10.57 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.10.58 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.10.60 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.10.62 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.10.64 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.10.65 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.10.66 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.10.67 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.10.68 to any not 25,110,113,143
# NOTE(review): 192.168.11.89 and 192.168.11.64 are also in blocklist2, which
# is denied for all TCP a few rules below, so the mail-port exception on these
# two rules has no effect. Confirm which policy is intended.
${ipfw} add deny tcp from 192.168.11.89 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.11.64 to any not 25,110,113,143
# Same mail-only policy, with port 3128 additionally permitted.
${ipfw} add deny tcp from 192.168.10.115 to any not 25,110,113,143,3128
${ipfw} add deny tcp from 192.168.10.119 to any not 25,110,113,143,3128
# Deny all TCP from the blocklisted hosts. The variables are deliberately left
# unquoted: the comma+space separated list must be split into separate
# arguments for ipfw.
${ipfw} add deny tcp from ${blocklist2} to any
${ipfw} add deny tcp from ${blocklist1} to any
# These three hosts may not open TCP connections to destination port 3128.
${ipfw} add deny tcp from 192.168.11.60, 192.168.11.61, 192.168.11.62 to any 3128
# Further mail-only hosts (same policy as the first group above).
${ipfw} add deny tcp from 192.168.11.13 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.11.14 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.11.15 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.11.16 to any not 25,110,113,143
${ipfw} add deny tcp from 192.168.11.21 to any not 25,110,113,143
# Block 192.168.11.72 from destination port 3128.
${ipfw} add deny ip from 192.168.11.72 to any 3128
# Everything that did not match a rule above is accepted, so the effective
# policy of this ruleset is default-allow.
${ipfw} add pass all from any to any
# NOTE(review): this rule can never match because the pass-all rule directly
# before it accepts every packet. It is the only rule in the script with the
# "log" keyword, so the ruleset logs no dropped traffic. If default-deny with
# logging is the intent, the pass-all rule has to be replaced by explicit
# allow rules.
${ipfw} add deny log all from any to any