TECH DOC

Категории

Live CONF [1]
Squid [2]
Security [2]
Other [3]

Map

Теги

Статистика

Онлайн всего: 1
Гостей: 1
Пользователей: 0

Поделиться

Каталог статей

Главная » Статьи » FreeBSD » Live CONF

IPFW


Firewall
[root@router /etc]# cat rc.firewall
#!/bin/sh
FwCMD="/sbin/ipfw"
LanOut="rl1"
LanIn="rl0"
IpOut="xxx.xxx.xxx.xxx"
#IpOut="192.168.175.1"
IpIn="192.168.0.2"
NetMask="24"
NetIn="192.168.0.0"

##${FwCMD} -f flush 0 flush
##${FwCMD} add check-state
${FwCMD} -f flush
${FwCMD} -f pipe flush
${FwCMD} -f queue flush

${FwCMD} add allow ip from any to any via lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
# rulezz for sshit table
${FwCMD} add deny not icmp from "table(0)" to me
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut}
${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
# автоконфигуреную частную сеть
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
# мультикастовые рассылки
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}
# рубим фрагментированные icmp
${FwCMD} add deny icmp from any to any frag
# рубим широковещательные icmp на внешнем интерфейсе
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${LanOut}


#ClientBank
${FwCMD} add allow tcp from me to any dst-port 1723
${FwCMD} add allow tcp from any 1723 to me
${FwCMD} add allow tcp from me to any dst-port 500
${FwCMD} add allow tcp from any 500 to me
${FwCMD} add allow tcp from me to any dst-port 47
${FwCMD} add allow tcp from any 47 to me


#bank
${FwCMD} add allow ip from xxx.xxx.xxx.xxx to any
${FwCMD} add allow ip from any to xxx.xxx.xxx.xxx


${FwCMD} add allow tcp from 192.168.0.68 to any 80
${FwCMD} add allow tcp from 192.168.0.23 to any 80
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80,8080,3128
${FwCMD} add allow all from any to any via ${LanIn}

#DNS
${FwCMD} add allow ip from any to any 53
${FwCMD} add allow ip from any 53 to any

#SMTP
${FwCMD} add allow tcp from me to any dst-port 21
${FwCMD} add allow tcp from any 21 to me
${FwCMD} add allow tcp from me to any dst-port 25
${FwCMD} add allow tcp from any 25 to me
${FwCMD} add allow tcp from any 25 to any via rl0
${FwCMD} add allow tcp from me to any dst-port 587
${FwCMD} add allow tcp from any 587 to me

#POP3
${FwCMD} add allow tcp from me to any dst-port 110
${FwCMD} add allow tcp from any 110 to me
${FwCMD} add allow tcp from me to any dst-port 993
${FwCMD} add allow tcp from any 993 to me

#voip
##${FwCMD} add allow tcp from me to any dst-port 5060
##${FwCMD} add allow tcp from any 5060 to me
##${FwCMD} add allow udp from me to any dst-port 5060
##${FwCMD} add allow udp from any 5060 to me

#I
${FwCMD} add allow ip from xxx.xxx.xxx.xxx to any
${FwCMD} add allow ip from any to xxx.xxx.xxx.xxx

#McAfee
#${FwCMD} add allow ip from 84.53.182.25 to any
#${FwCMD} add allow ip from any to 84.53.182.25

#SQUID
${FwCMD} add fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to any dst-port 80 in via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80,8080,3128
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80 via ${LanOut}


#####${FwCMD} add allow tcp from any to ${IpOut} 3389 via ${LanOut}
${FwCMD} add allow ip from xxx.xxx.xxx.xxx to me 3389
${FwCMD} add deny all from any to me 3389
${FwCMD} add allow tcp from any to ${IpOut} 3399 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 3999 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 3398 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 47476 via ${LanOut}


${FwCMD} add allow icmp from any to any icmptypes 0,8,11
${FwCMD} add allow tcp from any to any established

${FwCMD} add deny ip from any to any
[root@router /etc]#
Категория: Live CONF | Добавил: Kogr (17.11.2009)
Просмотров: 4485 | Рейтинг: 0.0/0

Поиск

Vir Actiy

IP

Узнай свой IP адрес

Scan File

Scan URL

+

Бесплатный анализ сайта

Статьи , новости информационных технологий , обзоры , описание ошибок , Операционные системы , системные ошибки , новые технологии , аутсорсинг , windows , Linux , VoIP , FreeBSD , Cisco , информационная безопасность , Win7 , Win8 , server , проблемы с серверами , ИТ , управление инфраструктурой и многое другое…