TECH DOC
Статистика |
|---|
Онлайн всего: 1 Гостей: 1 Пользователей: 0
|
|
Каталог статей
IPFW
Firewall
[root@router /etc]# cat rc.firewall
#!/bin/sh
FwCMD="/sbin/ipfw"
LanOut="rl1"
LanIn="rl0"
IpOut="xxx.xxx.xxx.xxx"
#IpOut="192.168.175.1"
IpIn="192.168.0.2"
NetMask="24"
NetIn="192.168.0.0"
##${FwCMD} -f flush 0 flush
##${FwCMD} add check-state
${FwCMD} -f flush
${FwCMD} -f pipe flush
${FwCMD} -f queue flush
${FwCMD} add allow ip from any to any via lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
# rulezz for sshit table
${FwCMD} add deny not icmp from "table(0)" to me
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut}
${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
# автоконфигуреную частную сеть
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
# мультикастовые рассылки
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}
# рубим фрагментированные icmp
${FwCMD} add deny icmp from any to any frag
# рубим широковещательные icmp на внешнем интерфейсе
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${LanOut}
#ClientBank
${FwCMD} add allow tcp from me to any dst-port 1723
${FwCMD} add allow tcp from any 1723 to me
${FwCMD} add allow tcp from me to any dst-port 500
${FwCMD} add allow tcp from any 500 to me
${FwCMD} add allow tcp from me to any dst-port 47
${FwCMD} add allow tcp from any 47 to me
#bank
${FwCMD} add allow ip from xxx.xxx.xxx.xxx to any
${FwCMD} add allow ip from any to xxx.xxx.xxx.xxx
${FwCMD} add allow tcp from 192.168.0.68 to any 80
${FwCMD} add allow tcp from 192.168.0.23 to any 80
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80,8080,3128
${FwCMD} add allow all from any to any via ${LanIn}
#DNS
${FwCMD} add allow ip from any to any 53
${FwCMD} add allow ip from any 53 to any
#SMTP
${FwCMD} add allow tcp from me to any dst-port 21
${FwCMD} add allow tcp from any 21 to me
${FwCMD} add allow tcp from me to any dst-port 25
${FwCMD} add allow tcp from any 25 to me
${FwCMD} add allow tcp from any 25 to any via rl0
${FwCMD} add allow tcp from me to any dst-port 587
${FwCMD} add allow tcp from any 587 to me
#POP3
${FwCMD} add allow tcp from me to any dst-port 110
${FwCMD} add allow tcp from any 110 to me
${FwCMD} add allow tcp from me to any dst-port 993
${FwCMD} add allow tcp from any 993 to me
#voip
##${FwCMD} add allow tcp from me to any dst-port 5060
##${FwCMD} add allow tcp from any 5060 to me
##${FwCMD} add allow udp from me to any dst-port 5060
##${FwCMD} add allow udp from any 5060 to me
#I
${FwCMD} add allow ip from xxx.xxx.xxx.xxx to any
${FwCMD} add allow ip from any to xxx.xxx.xxx.xxx
#McAfee
#${FwCMD} add allow ip from 84.53.182.25 to any
#${FwCMD} add allow ip from any to 84.53.182.25
#SQUID
${FwCMD} add fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to any dst-port 80 in via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80,8080,3128
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80 via ${LanOut}
#####${FwCMD} add allow tcp from any to ${IpOut} 3389 via ${LanOut}
${FwCMD} add allow ip from xxx.xxx.xxx.xxx to me 3389
${FwCMD} add deny all from any to me 3389
${FwCMD} add allow tcp from any to ${IpOut} 3399 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 3999 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 3398 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 47476 via ${LanOut}
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
${FwCMD} add allow tcp from any to any established
${FwCMD} add deny ip from any to any
[root@router /etc]#
|
| Категория: Live CONF | Добавил: Kogr (17.11.2009)
|
| Просмотров: 4777
| Рейтинг: 0.0/0 |
|
Vir Actiy |
|---|
 |
IP |
|---|
 |
|
Статьи , новости
информационных технологий , обзоры , описание ошибок , Операционные системы , системные
ошибки , новые технологии , аутсорсинг , windows , Linux , VoIP , FreeBSD , Cisco , информационная безопасность , Win7 , Win8 , server , проблемы с серверами , ИТ , управление
инфраструктурой и многое другое…
