WIPFW / IPFW - [4] :: Программы :: Компьютерный форум Ru.Board

добрый день
Не работают правила фаервола... (( Внутри сети всё нормально. Из вне нет доступа к серверу по ssh и т.д. Где нагрешил?

сервер с самой и сквидом. Без домена. две сетевухи.
em0 - WAN 192.168.50.170
xl0 - LAN 192.168.1.1

собирал ядро с

Код: Выделить всё
ident ROUTER
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options IPFIREWALL
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options IPFIREWALL_FORWARD
options DUMMYNET

rc.conf

Код: Выделить всё
firewall_enable="YES"
firewall_script="/etc/rules"
firewall_logging="YES"
natd_enable="YES"
natd_interface="em0"

/etc/rules

Код: Выделить всё
#!/bin/sh

ipfw -q -f flush

cmd=”ipfw -q add”
skip=”skipto 400″
wanip=”192.168.50.170″ # внешний IP
lannet=”192.168.1.0/24″ # внутренняя сеть
eif=”em0″ # внешний интерфейс

$cmd 010 allow all from any to any via em0

$cmd 020 allow all from any to any via lo0

$cmd 030 deny ip from any to 127.0.0.0/8
$cmd 040 deny ip from 127.0.0.0/8 to any

$cmd 050 fwd 127.0.0.1,3129 tcp from $lannet to any 21,80,443,5190 out via $eif

$cmd 060 divert natd ip from any to any in via $eif

$cmd 070 check-state

############## Outgoing ################

$cmd 100 $skip icmp from any to any keep-state

$cmd 105 $skip udp from any to any 123 out via $eif keep-state

$cmd 110 $skip udp from any to any 53 out via $eif keep-state
$cmd 111 $skip tcp from any to any 53 out via $eif setup keep-state

$cmd 140 $skip all from $lannet to any 4899 out via $eif setup keep-state
$cmd 150 $skip all from $lannet to any 3389 out via $eif setup keep-state
$cmd 160 $skip all from $lannet to any 25 out via $eif setup keep-state
$cmd 170 $skip all from $lannet to any 110 out via $eif setup keep-state

$cmd 190 $skip all from $wanip to any out via $eif setup keep-state

############# Incoming ################

$cmd 200 deny all from 192.168.0.0/16 to any in via $eif #RFC 1918 private IP
$cmd 201 deny all from 172.16.0.0/12 to any in via $eif #RFC 1918 private IP
$cmd 202 deny all from 10.0.0.0/8 to any in via $eif #RFC 1918 private IP
$cmd 203 deny all from 127.0.0.0/8 to any in via $eif #loopback
$cmd 204 deny all from 0.0.0.0/8 to any in via $eif #loopback
$cmd 205 deny all from 169.254.0.0/16 to any in via $eif #DHCP auto-config
$cmd 206 deny all from 192.0.2.0/24 to any in via $eif #reserved for docs
$cmd 207 deny all from 204.152.64.0/23 to any in via $eif #Sun cluster
$cmd 208 deny all from 224.0.0.0/3 to any in via $eif #Class D & E multicast

$cmd 215 deny tcp from any to any 113 in via $eif

$cmd 220 deny tcp from any to any 137 in via $eif
$cmd 221 deny tcp from any to any 138 in via $eif
$cmd 222 deny tcp from any to any 139 in via $eif
$cmd 223 deny tcp from any to any 81 in via $eif

$cmd 300 allow icmp from any to $wanip in via $eif icmptypes 0,8,11 limit src-addr 2

$cmd 310 allow tcp from any to $wanip 80 in via $eif setup limit src-addr 2

$cmd 320 allow tcp from any to $wanip 22 in via $eif setup limit src-addr 2

$cmd 330 allow tcp from any to $wanip 25 in via $eif setup limit src-addr 2

$cmd 340 allow tcp from any to $wanip 110 in via $eif setup limit src-addr 2

$cmd 350 allow tcp from any to $wanip 4899 in via $eif setup limit src-addr 2

$cmd 360 allow all from any to any established

########### Final ###############
$cmd 399 deny log all from any to any
$cmd 400 divert natd ip from any to any out via $eif
$cmd 410 allow all from any to any
$cmd 999 deny log all from any to any

Модерирует : gyra, Maz
Версия для печати • Подписаться • Добавить в закладки
Страницы: 1 2 3 4 5 6 7 8 9