IPFW — примеры боевых правил

ipfirewall (ipfw) — межсетевой экран, встроенный во FreeBSD начиная с версии 2.0. С его помощью можно, например, подсчитывать трафик по любым разумным правилам, основанным на данных заголовков пакетов стека TCP/IP, обрабатывать пакеты внешними программами (через divert — например, natd), прятать за одним компьютером целую сеть (NAT) и т. п.[1]

Реально работающий конфиг для шлюза

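#!/bin/sh
#
# Gateway ruleset: stateless ipfw filtering plus natd on the external
# interface. ipfw evaluates rules in numeric order and stops at the first
# match, so the numbers below ARE the policy: the NAT divert must precede
# the "established" shortcut, and narrow allows must precede wide ones.
#
# "deny log" only reaches syslog when net.inet.ip.fw.verbose=1 (throttled
# by net.inet.ip.fw.verbose_limit).

# Wrapper around ipfw; -q keeps the individual "add" calls quiet.
fw() {
	/sbin/ipfw -q "$@"
}

ext_if="xl0"            # external interface, the one natd translates on
# A single admin host, written WITHOUT a mask: ipfw applies the mask to the
# address, so the original "192.168.0.4/28" matched all of 192.168.0.0/28
# and the "admin only" rules below were open to the whole subnet.
adm="192.168.0.4"
my_net="192.168.0.0/28"

fw -f flush

##### LOOPBACK #####

fw add 10 pass all from any to any via lo0
# Loopback addresses never belong on a real interface (anti-spoofing, as in
# the mail-server and proxy rulesets on this page).
fw add 11 deny log ip from any to 127.0.0.0/8
fw add 12 deny log ip from 127.0.0.0/8 to any

##### NATD #####

# Both directions on the external interface pass through natd before any
# filtering, so the rules below see translated addresses.
fw add 15 divert natd ip from any to any via ${ext_if}

##### ESTABLISHED & FRAG #####

# NOTE(review): "established" is stateless - it passes any TCP segment with
# ACK or RST set, from anywhere to anywhere, so crafted ACKs reach every
# port on and behind this box (ACK scans, blind injection). The stateful
# form is a "check-state" rule here and "keep-state" on the setup rules
# below. "frag" likewise passes every non-first fragment unfiltered.
fw add 20 pass tcp from any to any established
fw add 30 pass tcp from any to any frag

##### ADMIN Setting #####

# SSH and FTP (control + active data) only from the admin host.
fw add 100 pass tcp from ${adm} to me 22
fw add 110 pass tcp from me 22 to ${adm}
fw add 120 pass tcp from ${adm} to me 20,21 setup
fw add 130 pass tcp from me 20,21 to ${adm}

##### Server Setting #####

# Connections the gateway itself opens outward (SYN only; replies return
# through rule 20). Rule 150 is what lets an active-mode FTP server dial
# back from port 20 - but it also admits NEW connections from any of these
# source ports to any local port (source-port bypass); trim the list to 20
# if active FTP is the only reason for it.
fw add 140 pass tcp from me to any 20,21,25,53,80,139,445,8080 setup
fw add 150 pass tcp from any 20,21,25,53,80,139,445,8080 to me

##### Common Setting #####

# Services this box offers. NOTE(review): "from any" includes the external
# interface, so SMB (139/445), Squid (3128), MySQL (3306) and cleartext
# POP3 (110) are exposed to the Internet as written; limit those to the
# internal side with a separate rule whose source is the internal net.
fw add 200 pass tcp from any to me 25,53,80,110,139,443,445,3128,3306,8080
fw add 210 pass tcp from me 25,53,80,110,139,443,445,3128,3306,8080 to any
# NOTE(review): rules 220/230 carry no "setup"/"established" qualifier, so
# they pass NEW connections between any two high ports: every daemon
# listening above 5000 on this box is reachable from anywhere. Replies are
# already covered by rule 20; if this exists for passive FTP, narrow it to
# the FTP server's passive range.
fw add 220 pass tcp from me 5000-65000 to any 5000-65000
fw add 230 pass tcp from any 5000-65000 to me 5000-65000

##### UDP Connect #####

# DNS, NTP, NetBIOS name/datagram and SMB-over-UDP, internal net only.
fw add 1000 pass udp from ${my_net} to me 53,123,137,138,445
fw add 1010 pass udp from me 53,123,137,138,445 to ${my_net}
fw add 1020 pass udp from me to ${my_net} 53,123,137,138,445
fw add 1030 pass udp from ${my_net} 53,123,137,138,445 to me
# NOTE(review): stateless high-port UDP in both directions - like 230 this
# exposes every UDP listener above 1024 to anyone. "keep-state" on 1040
# plus a "check-state" rule would replace 1050 entirely.
fw add 1040 pass udp from me 1025-65535 to any 1024-65535
fw add 1050 pass udp from any 1025-65535 to me 1024-65535

##### ICMP Connect #####

fw add 2000 pass icmp from me to any
# Inbound: echo reply (0), unreachable (3), echo request (8), time
# exceeded (11) - enough for ping, traceroute and path-MTU discovery.
# Option spelled "icmptypes" as in ipfw(8) (the original had "icmptype").
fw add 2010 pass icmp from any to me icmptypes 0,3,8,11

##### LOG PACKETS #####

# Explicit catch-all. The original denied only "tcp" here and left UDP,
# ICMP and everything else to the kernel's default rule 65535, which is
# "deny" only on kernels built without IPFIREWALL_DEFAULT_TO_ACCEPT;
# "ip" makes the default-deny policy explicit and logged.
fw add 65000 deny log ip from any to any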

Почтовый сервер:

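# Mail-server ruleset. $IPFW, $ADMIN, $ADMIN1, $ADMIN_GLUK, $DNS1, $DNS2,
# $ME, $NTP and $NATD are expected to be set earlier in the file (not shown
# in this excerpt). Rules carry no numbers, so ipfw assigns them in the
# order added (+100 each): the order in this file IS the policy.
#
# NOTE(review): the whole set is stateless. Every "from any <port> to me
# 1024-65535 in" rule below also admits NEW connections whose source port
# is <port>, to any high port on this host (source-port bypass). A
# "check-state" rule at the top plus "keep-state" on the outbound rules
# would replace all of the reply rules and close that gap.

$IPFW -f -q flush

# Rule 5000 for loopback; everything added after it gets 5100, 5200, ...
$IPFW add 5000 allow ip from any to any via lo0

# Anti-spoofing: private and loopback ranges do not arrive on a public host.
# NOTE(review): 10.0.0.0/8 is not in this list (the proxy ruleset on this
# page blocks it); add it unless an admin, DNS or NTP host lives there.
$IPFW add deny log ip from 172.16.0.0/12 to any
$IPFW add deny log ip from any to 172.16.0.0/12
$IPFW add deny log ip from 127.0.0.0/8 to any
$IPFW add deny log ip from any to 127.0.0.0/8
$IPFW add deny log ip from 192.168.0.0/16 to any
$IPFW add deny log ip from any to 192.168.0.0/16

# ICMP, rate-limited through dummynet pipe 10 (64 kbit/s). With the default
# net.inet.ip.fw.one_pass=1 a packet coming out of the pipe is accepted; with
# one_pass=0 it continues down the list and would need an explicit allow.
# Type 5 (redirect) is left out of the original list: a host with a static
# default route does not need redirects, and accepting them lets any
# neighbour rewrite its routing table.
$IPFW add pipe 10 icmp from any to any icmptypes 0,8,3,11
$IPFW pipe 10 config bw 64000
# Outgoing traceroute probes (the replies are ICMP 11/3, covered above).
$IPFW add allow udp from me to any 33434-33600

# SSH only from the named admin hosts.
$IPFW add allow tcp from $ADMIN 1024-65535 to me ssh
$IPFW add allow tcp from me ssh to $ADMIN 1024-65535
$IPFW add allow tcp from $ADMIN1 1024-65535 to me ssh
$IPFW add allow tcp from me ssh to $ADMIN1 1024-65535
$IPFW add allow tcp from $ADMIN_GLUK 1024-65535 to me ssh
$IPFW add allow tcp from me ssh to $ADMIN_GLUK 1024-65535

# Resolver queries to the two configured upstream servers.
# (The "resolver" rules further down allow UDP 53 to ANY host, which makes
# this restriction cosmetic; keep one or the other.)
$IPFW add allow udp from me to $DNS1 53 out
$IPFW add allow udp from $DNS1 53 to me in
$IPFW add allow udp from me to $DNS2 53 out
$IPFW add allow udp from $DNS2 53 to me in
# Outbound mail delivery (this host as SMTP client).
$IPFW add allow tcp from me 1024-65535 to any 25 out
$IPFW add allow tcp from any 25 to me 1024-65535 in

# Time sync with the configured NTP server (symmetric port 123).
$IPFW add allow udp from $ME 123 to $NTP 123 out
$IPFW add allow udp from $NTP 123 to $ME 123 in
# -----------------------------------------------------------------------

# DNS service offered to clients (UDP 53 inbound).
$IPFW add allow udp from any to me 53 in
$IPFW add allow udp from me 53 to any out

# Resolver to arbitrary servers. The original upper bound was "6535", a
# typo that silently blocked every query sent from a source port above
# 6535 - i.e. most of them.
$IPFW add allow udp from me 1024-65535 to any 53 out
$IPFW add allow udp from any 53 to me 1024-65535 in

# Zone transfer IN: this host pulls zones from its primaries over TCP 53.
$IPFW add allow tcp from me 1024-65535 to any 53 out
$IPFW add allow tcp from any 53 to me 1024-65535 in

# Zone transfer OUT. NOTE(review): TCP 53 from "any" means AXFR is gated
# only by named's allow-transfer; list the secondaries here if they are
# known.
$IPFW add allow tcp from me 53 to any 1024-65535 out
$IPFW add allow tcp from any 1024-65535 to me 53 in

# HTTP service.
$IPFW add allow tcp from any 1024-65535 to me 80 in
$IPFW add allow tcp from me 80 to any 1024-65535 out

# POP3 service. NOTE(review): cleartext credentials on 110; prefer 995
# (POP3S) or STARTTLS on 110.
$IPFW add allow tcp from any 1024-65535 to me 110 in
$IPFW add allow tcp from me 110 to any 1024-65535 out

# FTP control (21) and active-mode data (20). NOTE(review): no "setup"
# qualifier and no source-port range here, so any packet to/from 20/21
# passes; passive mode additionally needs the server's passive port range.
# Credentials are cleartext.
$IPFW add allow tcp from any to me 21,20 in
$IPFW add allow tcp from me 21,20 to any out

# SMTP service (inbound mail).
$IPFW add allow tcp from any 1024-65535 to me 25 in
$IPFW add allow tcp from me 25 to any 1024-65535 out

# ============================================================
# Nagios: traffic of sockets owned by the nagios user. "uid" only matches
# sockets that terminate on this host, so this is not a general hole, but
# it does let anything running as nagios talk to anywhere on any port.
$IPFW add allow ip from any to any uid nagios
# NOTE(review): SNMP (161) from and to ANY host. With SNMPv1/v2c the
# community string is the only credential; pin both rules to the
# monitoring host instead of "any".
$IPFW add allow udp from any 1024-65535 to any 161
$IPFW add allow udp from any 161 to any 1024-65535

# MRTG polling $NATD (presumably the NAT gateway; not defined in this excerpt).
$IPFW add allow udp from $ME to $NATD 161
$IPFW add allow udp from $NATD 161 to $ME

# Explicit final deny. The original ended without one and relied on the
# kernel's default rule 65535, which is "allow" on a kernel built with
# IPFIREWALL_DEFAULT_TO_ACCEPT - on such a kernel nothing beyond the
# explicit deny rules above would be enforced.
$IPFW add 65000 deny log ip from any to any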

Сервер прокси-NAT

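# Proxy/NAT gateway ruleset. $IPFW, $LOCALNET, $CLIENT, $INTERNET, $SQUID,
# $ME, $ME_PRIV, $ADMIN, $S2, $GLUK, $GLUK1, $SERVERS, $NATD, $NATD_CLIENT,
# $INT_REAL (external), $INT_PRIV (LAN) and $INT_CLIENT are expected to be
# set earlier in the file (not shown). Unnumbered rules are added in file
# order (+100 each), so the order below is the policy.
#
# NOTE(review): this is a default-ALLOW ruleset - its last rule is
# "allow ip from any to any". Everything not explicitly denied before it,
# including every port $ME listens on towards $INT_REAL, is reachable from
# the Internet. The handful of deny rules below are the whole boundary.

$IPFW -f flush

# Rule 5000 for loopback; rules added after it get 5100, 5200, ...
$IPFW add 5000 allow ip from any to any via lo0

# Access denied from/to BLACKHOLE address and Multicast
$IPFW add deny log ip from 127.0.0.0/8 to any
$IPFW add deny log ip from any to 127.0.0.0/8
$IPFW add deny log ip from 10.0.0.0/8 to any
$IPFW add deny log ip from any to 10.0.0.0/8
$IPFW add deny log ip from 172.16.0.0/12 to any
$IPFW add deny log ip from any to 172.16.0.0/12
$IPFW add deny log ip from 224.0.0.0/4 to any
$IPFW add deny log ip from any to 224.0.0.0/4

# Keep the LAN and the client segment apart (both are routed through here).
$IPFW add deny ip from $LOCALNET to $CLIENT
$IPFW add deny ip from $CLIENT to $LOCALNET

# NOTE(review): a personal account whose sockets bypass every rule below.
# Remove it, or replace it with rules for the specific service that needs
# it.
$IPFW add allow ip from any to any uid yushkin

# Squid -> Any servers HTTP. Upper bound fixed: the original inbound rules
# said "1024-65525", cutting off replies to source ports 65526-65535
# (unnoticed only because of the default allow at the end).
$IPFW add allow tcp from $SQUID 1024-65535 to any http out via $INT_REAL
$IPFW add allow tcp from any http to $SQUID 1024-65535 in via $INT_REAL
$IPFW add allow tcp from $ME 1024-65535 to any http out via $INT_REAL
$IPFW add allow tcp from any http to $ME 1024-65535 in via $INT_REAL

# Secure Shell access: the admin host (rule 10000 was added twice in the
# original; one copy is enough), the LAN to the private address, and the
# monitoring host and two named hosts.
$IPFW add 10000 allow tcp from $ADMIN 1024-65535 to $ME ssh
$IPFW add allow tcp from $ME ssh to $ADMIN 1024-65535
$IPFW add allow tcp from $LOCALNET 1024-65535 to $ME_PRIV ssh
$IPFW add allow tcp from $ME_PRIV ssh to $LOCALNET 1024-65535
$IPFW add allow tcp from $S2 1024-65535 to $ME ssh
$IPFW add allow tcp from $ME ssh to $S2 1024-65535
$IPFW add allow tcp from $GLUK 1024-65535 to $ME ssh
$IPFW add allow tcp from $ME ssh to $GLUK 1024-65535
$IPFW add allow tcp from $GLUK1 1024-65535 to $ME ssh
$IPFW add allow tcp from $ME ssh to $GLUK1 1024-65535

# Everyone else is refused SSH. "me" covers $ME and $ME_PRIV alike, so any
# SSH allow placed AFTER this rule is unreachable - the original carried
# six such dead lines (allow ssh from any to $ME/$ME_PRIV, and a second
# copy of the LAN rule qualified with "via $INT_PRIV"); they are dropped
# here. Do not move them above the deny: under the default-allow policy
# that would open SSH to the Internet.
$IPFW add deny log tcp from any to me ssh
$IPFW add deny log tcp from me ssh to any

# For DNS use for LOCAL NETWORK (and this host's own resolver queries)
$IPFW add allow udp from $LOCALNET to $ME_PRIV domain
$IPFW add allow udp from $ME_PRIV domain to $LOCALNET
$IPFW add allow udp from $ME to any domain
$IPFW add allow udp from any domain to $ME

# Nagios NRPE (5666) from the monitoring host S2.
$IPFW add allow tcp from $S2 1024-65535 to $ME 5666
$IPFW add allow tcp from $ME 5666 to $S2 1024-65535

# SNMP from the monitoring host only.
$IPFW add allow udp from $S2 to $ME 161
$IPFW add allow udp from $ME 161 to $S2

# ICMP rate limiting is switched off here; under default-allow all ICMP
# (including redirects) passes.
# $IPFW add pipe 10 icmp from any to any icmptypes 0,8,3,5,11
# $IPFW pipe 10 config bw 9600
# For TraceRouting
$IPFW add allow udp from me to any 33434-33600

# Internal servers must not reach, or be reached from, the Internet
# directly (they go through Squid). Variable name fixed: the original
# second rule read "$SERVERs" - a different, presumably unset, variable -
# so that rule did not parse and was never installed, leaving the servers
# reachable from outside through the final allow.
$IPFW add deny ip from $SERVERS to any out via $INT_REAL
$IPFW add deny ip from any to $SERVERS in via $INT_REAL

# ------------------------ NATD -------------------------
# LAN -> Internet: accept on the inner interface, translate on the way out.
$IPFW add allow ip from $LOCALNET to $INTERNET in via $INT_PRIV
$IPFW add divert natd ip from $LOCALNET to $INTERNET out via $INT_REAL
$IPFW add allow ip from $NATD to $INTERNET out via $INT_REAL

# Internet -> LAN: untranslate on the way in, deliver on the inner interface.
$IPFW add divert natd ip from $INTERNET to $NATD in via $INT_REAL
$IPFW add allow ip from $INTERNET to $LOCALNET out via $INT_PRIV
# -------------------------------------------------------
# Same for the client segment, through a second natd instance on port 8669
# (the duplicated "allow ... $NATD_CLIENT" line of the original is dropped).
$IPFW add allow ip from $CLIENT to $INTERNET in via $INT_CLIENT
$IPFW add divert 8669 ip from $CLIENT to $INTERNET out via $INT_REAL
$IPFW add allow ip from $NATD_CLIENT to $INTERNET out via $INT_REAL

$IPFW add divert 8669 ip from $INTERNET to $NATD_CLIENT in via $INT_REAL
$IPFW add allow ip from $INTERNET to $CLIENT out via $INT_CLIENT
# -------------------------------------------------------

# Keep NetBIOS datagrams (137/138) off the wire in either direction.
# $IPFW add 1 allow ip from any to any
$IPFW add 50000 deny udp from any to any 138
$IPFW add deny udp from any to any 137

# Default allow - see the note at the top of this ruleset.
$IPFW add allow ip from any to any

# Transparent proxy: HTTP from the LAN to anything outside 192.168/16 is
# handed to Squid on 127.0.0.1:3128. Numbered 100, so it sits before every
# rule above even though it is added last. (Older releases need the
# IPFIREWALL_FORWARD kernel option for "fwd".)
$IPFW add 100 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to not 192.168.0.0/16 http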

Источник: http://forum.ixbt.com/topic.cgi?id=76:5473

Полезные ресурсы по ipfw: