Чт. Янв 20th, 2022

    ipfirewall — межсетевой экран, который встроен во FreeBSD начиная с версии 2.0. С его помощью можно, например, подсчитывать трафик по любым разумным правилам, основывающимся на данных заголовков пакетов протоколов стека TCP/IP, обрабатывать пакеты внешними программами, прятать за одним компьютером целую сеть и т. п.[1]

    Реально работающий конфиг для шлюза

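    #!/bin/sh
    #
    # ipfw rule set for a FreeBSD gateway: NAT through natd on xl0,
    # SSH/FTP administration from ${adm}, a fixed list of server ports,
    # local-net UDP services, restricted inbound ICMP and a final logged
    # deny for TCP. ipfw evaluates rules in ascending rule-number order,
    # so the numbers below, not the line order, define the policy.

    # -q: quiet, no per-rule output while the set is loaded.
    # (The page rendered these quotes as » and ″; they must be plain ".)
    fw="/sbin/ipfw -q"

    # Addresses used by the rules. ipfw applies the /28 mask to the
    # address, so addr/28 matches the whole 16-address block.
    out_ext="192.168.0.5/28"   # defined for reference; no rule below uses it
    int_ext="192.168.1.1/28"   # defined for reference; no rule below uses it
    # NOTE(review): because of the /28 this matches 192.168.0.0-192.168.0.15,
    # the same range as ${my_net}, not only host .4. Use a bare address
    # (no mask) if SSH/FTP administration should be limited to one host.
    adm="192.168.0.4/28"
    my_net="192.168.0.0/28"    # local network served by the UDP rules

    # Remove every existing rule before loading this set.
    ${fw} -f flush

    ##### LOOPBACK #####

    ${fw} add 10 pass all from any to any via lo0

    ##### NATD #####

    # Divert traffic on the external interface to natd ahead of the
    # "established" check so later rules see translated addresses.
    # The interface name is hard-coded; change it for a different NIC.
    ${fw} add 15 divert natd ip from any to any via xl0

    ##### ESTABLISHED & FRAG #####

    # Stateless: "established" matches on TCP flags (ACK or RST set),
    # there is no keep-state tracking. "frag" passes non-first fragments,
    # on which ipfw cannot inspect ports.
    ${fw} add 20 pass tcp from any to any established
    ${fw} add 30 pass tcp from any to any frag

    ##### ADMIN Setting #####

    # SSH and FTP control channel to this box only from ${adm}.
    ${fw} add 100 pass tcp from ${adm} to me 22
    ${fw} add 110 pass tcp from me 22 to ${adm}
    ${fw} add 120 pass tcp from ${adm} to me 20,21 setup
    ${fw} add 130 pass tcp from me 20,21 to ${adm}

    ##### Server Setting #####

    # Outbound connections this box initiates to the listed services.
    ${fw} add 140 pass tcp from me to any 20,21,25,53,80,139,445,8080 setup
    ${fw} add 150 pass tcp from any 20,21,25,53,80,139,445,8080 to me

    ##### Common Setting #####

    # Inbound connections to the services this box offers; no "setup"
    # keyword here, so any TCP packet to these ports is passed.
    ${fw} add 200 pass tcp from any to me 25,53,80,110,139,443,445,3128,3306,8080
    ${fw} add 210 pass tcp from me 25,53,80,110,139,443,445,3128,3306,8080 to any
    # High-port to high-port TCP in both directions (passive FTP data etc.).
    # This is a wide range: any listener on 5000-65000 is reachable.
    ${fw} add 220 pass tcp from me 5000-65000 to any 5000-65000
    ${fw} add 230 pass tcp from any 5000-65000 to me 5000-65000

    ##### UDP Connect #####

    # DNS, NTP and NetBIOS/SMB UDP only between this box and ${my_net}.
    ${fw} add 1000 pass udp from ${my_net} to me 53,123,137,138,445
    ${fw} add 1010 pass udp from me 53,123,137,138,445 to ${my_net}
    ${fw} add 1020 pass udp from me to ${my_net} 53,123,137,138,445
    ${fw} add 1030 pass udp from ${my_net} 53,123,137,138,445 to me
    # Unprivileged-port UDP to/from anywhere.
    ${fw} add 1040 pass udp from me 1025-65535 to any 1024-65535
    ${fw} add 1050 pass udp from any 1025-65535 to me 1024-65535

    ##### ICMP Connect #####

    # Outbound ICMP unrestricted; inbound limited to echo reply (0),
    # unreachable (3), echo request (8) and time exceeded (11).
    ${fw} add 2000 pass icmp from me to any
    ${fw} add 2010 pass icmp from any to me icmptype 0,3,8,11

    ##### LOG PACKETS #####

    # Only TCP is explicitly denied and logged. UDP and ICMP not matched
    # above fall through to the kernel default rule 65535, whose action
    # (accept or deny) depends on how the kernel was built.
    ${fw} add 65000 deny log tcp from any to any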

    Почтовый сервер:

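    # ipfw rules for the mail server. This is a fragment of a larger
    # script: $IPFW, $ADMIN, $ADMIN1, $ADMIN_GLUK, $DNS1, $DNS2, $ME, $NTP
    # and $NATD are defined elsewhere. Rules added without a number are
    # placed after the previous rule, so the line order below is the
    # evaluation order after rule 5000.
    $IPFW -f -q flush
    
    $IPFW add 5000 allow ip from any to any via lo0
    
    # Private (RFC 1918) and loopback ranges must never appear on the wire
    # from or to this host: drop and log them ahead of every service rule.
    $IPFW add deny log ip from 172.16.0.0/12 to any
    $IPFW add deny log ip from any to 172.16.0.0/12
    $IPFW add deny log ip from 127.0.0.1/8 to any
    $IPFW add deny log ip from any to 127.0.0.1/8
    $IPFW add deny log ip from 192.168.0.0/16 to any
    $IPFW add deny log ip from any to 192.168.0.0/16
    
    # Allow ICMP types 0,8,3,5,11 from any to any, rate-limited through
    # dummynet pipe 10 (bw 64000, bits/s when no unit is given) so ICMP
    # floods stay bounded.
    $IPFW add pipe 10 icmp from any to any icmptypes 0,8,3,5,11
    $IPFW pipe 10 config bw 64000
    # For TraceRouting: outbound UDP probes in the traceroute port range.
    $IPFW add allow udp from me to any 33434-33600
    
    # SSH only from the three administrative addresses.
    $IPFW add allow tcp from $ADMIN 1024-65535 to me ssh
    $IPFW add allow tcp from me ssh to $ADMIN 1024-65535
    $IPFW add allow tcp from $ADMIN1 1024-65535 to me ssh
    $IPFW add allow tcp from me ssh to $ADMIN1 1024-65535
    $IPFW add allow tcp from $ADMIN_GLUK 1024-65535 to me ssh
    $IPFW add allow tcp from me ssh to $ADMIN_GLUK 1024-65535
    
    # Allow DNS query to other DNS-Servers
    $IPFW add allow udp from me to $DNS1 53 out
    $IPFW add allow udp from $DNS1 53 to me in
    $IPFW add allow udp from me to $DNS2 53 out
    $IPFW add allow udp from $DNS2 53 to me in
    # For Mail transport (outbound SMTP). The page showed this comment as
    # "\#", which sh would try to run as a command; it must start with "#".
    $IPFW add allow tcp from me 1024-65535 to any 25 out
    $IPFW add allow tcp from any 25 to me 1024-65535 in
    
    # For TIME sync
    $IPFW add allow udp from $ME 123 to $NTP 123 out
    $IPFW add allow udp from $NTP 123 to $ME 123 in
    # -----------------------------------------------------------------------
    
    # For DNS use (clients->me). Open to any source: fine for an
    # authoritative server, an open-resolver exposure if recursion is
    # enabled for external clients in named.
    $IPFW add allow udp from any to me 53 in
    $IPFW add allow udp from me 53 to any out
    
    # For DNS resolv. Source range is 1024-65535 (the page had 1024-6535,
    # which left outbound queries from source ports above 6535 unmatched).
    $IPFW add allow udp from me 1024-65535 to any 53 out
    $IPFW add allow udp from any 53 to me 1024-65535 in
    
    # For Zone Transfer IN
    $IPFW add allow tcp from me 1024-65535  to any 53 out
    $IPFW add allow tcp from any 53 to me 1024-65535 in
    
    # For zone Transfer OUT. TCP/53 from any host is accepted here, so
    # restricting transfers to secondaries relies on named's allow-transfer.
    $IPFW add allow tcp from me 53 to any 1024-65535 out
    $IPFW add allow tcp from any 1024-65535 to me 53 in
    
    # For HTTPD use
    $IPFW add allow tcp from any 1024-65535 to me 80 in
    $IPFW add allow tcp from me 80 to any 1024-65535 out
    
    # For POP3 use (cleartext POP3 on 110; no 995 rule in this set)
    $IPFW add allow tcp from any 1024-65535  to me 110 in
    $IPFW add allow tcp from me 110 to any 1024-65535 out
    
    # For FTP use. No source-port limit, and port 20 (active-mode data) is
    # accepted inbound as well as 21.
    $IPFW add allow tcp from any to me 21,20 in
    $IPFW add allow tcp from me 21,20 to any out
    
    # For SMTP Use (inbound mail)
    $IPFW add allow tcp from any 1024-65535 to me 25 in
    $IPFW add allow tcp from me 25 to any 1024-65535 out
    
    # ============================================================
    # For NAGIOS Working. The uid match applies to packets tied to a local
    # socket owned by nagios; the SNMP rules are not limited to monitoring
    # hosts ("any" on both sides).
    $IPFW add allow ip from any to any uid nagios
    $IPFW add allow udp from any 1024-65535 to any 161
    $IPFW add allow udp from any 161 to any 1024-65535
    
    # For MRTG working (SNMP polling of $NATD)
    $IPFW add allow udp from $ME to $NATD 161
    $IPFW add allow udp from $NATD 161 to $ME
    # As shown, the fragment ends without a closing deny: traffic matched
    # by none of the rules above falls to the default rule 65535, whose
    # action (accept or deny) depends on the kernel build.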

    Сервер прокси-NAT:

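    # ipfw rules for the proxy/NAT server. This is a fragment of a larger
    # script: $IPFW, $LOCALNET, $CLIENT, $SQUID, $ME, $ME_PRIV, $ADMIN,
    # $S2, $GLUK, $GLUK1, $SERVERS, $INTERNET, $NATD, $NATD_CLIENT,
    # $INT_REAL, $INT_PRIV and $INT_CLIENT are defined elsewhere.
    # Unnumbered rules are appended after the previous rule, so line
    # order is evaluation order except where a number is given.
    $IPFW -f flush
    
    $IPFW add 5000 allow ip from any to any via lo0
    
    # Access denied from/to BLACKHOLE address and Multicast
    $IPFW add deny log ip from 127.0.0.1/8 to any
    $IPFW add deny log ip from any to 127.0.0.1/8
    $IPFW add deny log ip from 10.0.0.0/8 to any
    $IPFW add deny log ip from any to 10.0.0.0/8
    $IPFW add deny log ip from 172.16.0.0/12 to any
    $IPFW add deny log ip from any to 172.16.0.0/12
    $IPFW add deny log ip from 224.0.0.0/4 to any
    $IPFW add deny log ip from any to 224.0.0.0/4
    
    # Keep the office network and the client network apart.
    $IPFW add deny ip from $LOCALNET to $CLIENT
    $IPFW add deny ip from $CLIENT to $LOCALNET
    
    # Everything tied to a local socket owned by this user is allowed.
    $IPFW add allow ip from any to any uid yushkin
    
    # Squid -> Any servers HTTP. Return range is 1024-65535 (the page had
    # 1024-65525, which dropped replies to source ports 65526-65535).
    $IPFW add allow tcp from $SQUID 1024-65535 to any http out via $INT_REAL
    $IPFW add allow tcp from any http to $SQUID 1024-65535 in via $INT_REAL
    $IPFW add allow tcp from $ME 1024-65535 to any http out via $INT_REAL
    $IPFW add allow tcp from any http to $ME 1024-65535 in via $INT_REAL
    
    # Secure Shell access from the administrative hosts (the page listed
    # the $ADMIN pair twice; one copy is enough).
    $IPFW add 10000 allow tcp from $ADMIN 1024-65535 to $ME ssh
    $IPFW add allow tcp from $ME ssh to $ADMIN 1024-65535
    $IPFW add allow tcp from $LOCALNET 1024-65535 to $ME_PRIV ssh
    $IPFW add allow tcp from $ME_PRIV ssh to $LOCALNET 1024-65535
    $IPFW add allow tcp from $S2 1024-65535 to $ME ssh
    $IPFW add allow tcp from $ME ssh to $S2 1024-65535
    $IPFW add allow tcp from $GLUK 1024-65535 to $ME ssh
    $IPFW add allow tcp from $ME ssh to $GLUK 1024-65535
    $IPFW add allow tcp from $GLUK1 1024-65535 to $ME ssh
    $IPFW add allow tcp from $ME ssh to $GLUK1 1024-65535
    
    # Any other SSH to this host is denied and logged.
    $IPFW add deny log tcp from any to me ssh
    $IPFW add deny log tcp from me ssh to any
    
    # NOTE(review): the six rules below come after the deny pair above, and
    # "me" covers every address of this host, so (assuming $ME and $ME_PRIV
    # are this host's addresses) they are never reached. Move them ahead
    # of the deny if they are meant to apply, or remove them.
    $IPFW add allow tcp from $LOCALNET 1024-65535 to $ME_PRIV 22 in via $INT_PRIV
    $IPFW add allow tcp from $ME_PRIV 22 to $LOCALNET 1024-65535 out via $INT_PRIV
    $IPFW add allow tcp from any to $ME ssh
    $IPFW add allow tcp from $ME 22 to any
    $IPFW add allow tcp from any to $ME_PRIV ssh
    $IPFW add allow tcp from $ME_PRIV ssh to any
    
    # For DNS use for LOCAL NETWORK
    $IPFW add allow udp from $LOCALNET to $ME_PRIV domain
    $IPFW add allow udp from $ME_PRIV domain to $LOCALNET
    $IPFW add allow udp from $ME to any domain
    $IPFW add allow udp from any domain to $ME
    
    # For Nagios Working (from S2): NRPE on 5666
    $IPFW add allow tcp from $S2 1024-65535 to $ME 5666
    $IPFW add allow tcp from $ME 5666 to $S2 1024-65535
    
    # For SNMP working, only from the monitoring host
    $IPFW add allow udp from $S2 to $ME 161
    $IPFW add allow udp from $ME 161 to $S2
    
    # Allow ICMP type from any to any (disabled; ICMP now reaches the
    # catch-all allow at the end of this set)
    # $IPFW add pipe 10 icmp from any to any icmptypes 0,8,3,5,11
    # $IPFW pipe 10 config bw 9600
    # For TraceRouting
    $IPFW add allow udp from me to any 33434-33600
    
    # $SERVERS must not talk to the Internet directly. The second rule
    # read "$SERVERs" on the page; that undefined name expanded to nothing,
    # so ipfw rejected the rule and the inbound deny was never installed.
    $IPFW add deny ip from $SERVERS to any out via $INT_REAL
    $IPFW add deny ip from any to $SERVERS in via $INT_REAL
    
    # ------------------------ NATD -------------------------
    # Office network: translate through the default natd instance.
    $IPFW add allow ip from $LOCALNET to $INTERNET in via $INT_PRIV
    $IPFW add divert natd ip from $LOCALNET to $INTERNET out via $INT_REAL
    $IPFW add allow ip from $NATD to $INTERNET out via $INT_REAL
    
    $IPFW add divert natd ip from $INTERNET to $NATD in via $INT_REAL
    $IPFW add allow ip from $INTERNET to $LOCALNET out via $INT_PRIV
    # -------------------------------------------------------
    # Client network: translate through a second natd on divert port 8669
    # (the page repeated the $NATD_CLIENT allow; one copy is enough).
    $IPFW add allow ip from $CLIENT to $INTERNET in via $INT_CLIENT
    $IPFW add divert 8669 ip from $CLIENT to $INTERNET out via $INT_REAL
    $IPFW add allow ip from $NATD_CLIENT to $INTERNET out via $INT_REAL
    
    $IPFW add divert 8669 ip from $INTERNET to $NATD_CLIENT in via $INT_REAL
    $IPFW add allow ip from $INTERNET to $CLIENT out via $INT_CLIENT
    # -------------------------------------------------------
    
    # $IPFW add 1 allow ip from any to any
    # NetBIOS name/datagram service is blocked; everything else that
    # reached this point is allowed by the catch-all below, i.e. this set
    # is default-allow for all traffic not denied above.
    $IPFW add 50000 deny udp from any to any 138
    $IPFW add deny udp from any to any 137
    
    $IPFW add allow ip from any to any
    
    # Transparent proxy: numbered 100, so although it is added last it is
    # evaluated before every other rule. HTTP from 192.168.1.0/24 to
    # destinations outside 192.168.0.0/16 is forwarded to Squid on
    # 127.0.0.1:3128.
    $IPFW add 100 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to not 192.168.0.0/16 http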

    Источник: http://forum.ixbt.com/topic.cgi?id=76:5473

    Полезные ресурсы по ipfw:

    от Andrew