Старый 26.06.2007, 12:35   #5
Alarick
По умолчанию Ответ: FreeBSD:Инструкции для начинающих (установка, настройка и т.п.)

rc.ipfw

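#!/bin/sh
# Manual ipfw ruleset for a FreeBSD gateway ("rc.ipfw").
#
# Interfaces as configured below: xl0 external, xl1 LAN, tun0/tap0 VPN
# tunnels. Most traffic is allowed with stateless "out xmit" /
# "in recv ... established" pairs; natd (divert) handles the LAN, and LAN
# http is forwarded to a local proxy on 127.0.0.1:3128.
#
# The original post was pasted with typographic quotes and dashes (” –),
# which /bin/sh does not treat as shell quotes or option dashes, so the
# script could not run as posted; they are ASCII here. Masked addresses
# ("85………") are kept as placeholders and must be filled in before use.

printf '%s' "Starting ipfw_firewall…"

# Left unquoted on every use below on purpose: expands to the binary plus
# its -q (quiet) flag.
ipfw="/sbin/ipfw -q"
uports="1025-65535"
int_if="xl1"
ext_if="xl0"
tap_if="tap0"
tun_if="tun0"

# NOTE(review): int_net is a single host, not a prefix. Every rule written
# "from $int_net" (NAT divert, proxy fwd, anti-spoof) therefore matches only
# 192.168.13.1 — the gateway's own LAN address — and not the 192.168.13.0/24
# clients the ssh rule below refers to. Confirm whether 192.168.13.0/24 was
# intended; this would explain LAN hosts not reaching the Internet.
int_net="192.168.13.1"
ext_net="193.194……./255.255.255.252"   # address/mask, masked in the post
# $ext_ip was referenced throughout the original but never assigned, so
# those rules lost their host part. Take the host address from ext_net.
ext_ip=${ext_net%%/*}

# Remote hosts, masked in the original post; fill in before use.
ssh_admin_host="85………"          # the only outside host allowed to ssh in
svc_host_194="194………."          # peer for tcp ports 670 and 666
vpn_peer_2222="195………."         # peer for tcp port 2222 (tunnel endpoint)
vpn_peer_1194="80…….."          # peer for tcp port 1194 (tunnel endpoint)

for_lan="smtp,pop3,http,https,aol,domain,ssh"
services="smtp,pop3,http,https,aol,domain,ssh"

${ipfw} -f flush
${ipfw} add check-state
${ipfw} add allow all from any to any via lo0
${ipfw} add deny icmp from any to any frag
# Anti-spoofing: packets claiming the LAN address must not arrive on xl0.
${ipfw} add deny all from $int_net to me in recv $ext_if

${ipfw} add allow tcp from $ext_ip $uports to any $services out xmit $ext_if

# ssh: one management host from outside, the LAN from the inside, nothing
# else on the external interface.
${ipfw} add allow tcp from $ssh_admin_host to me 22
${ipfw} add allow tcp from me 22 to $ssh_admin_host
${ipfw} add allow tcp from me to 192.168.13.0/24 22 out xmit $int_if
${ipfw} add deny tcp from any to me 22 via $ext_if
# The original repeated "deny icmp from any to any frag" here; the copy
# above already catches every such packet, so the duplicate is dropped.

${ipfw} add allow tcp from $ext_ip $uports to $svc_host_194 670 out xmit $ext_if
${ipfw} add allow tcp from $ext_ip $uports to $svc_host_194 666 out xmit $ext_if
${ipfw} add allow tcp from $svc_host_194 670 to $ext_ip $uports in recv $ext_if
${ipfw} add allow tcp from $svc_host_194 666 to $ext_ip $uports in recv $ext_if

echo "proxi"
# Transparent proxy: LAN http is redirected to the local proxy on 3128.
${ipfw} add fwd 127.0.0.1,3128 tcp from $int_net to any http in recv $int_if
${ipfw} add divert natd all from $int_net to not $int_net out xmit $ext_if
${ipfw} add divert natd all from any to $ext_ip in recv $ext_if
# NOTE(review): explicit numbers 100 and 200 place these two rules near the
# top of the list (ipfw numbers unnumbered rules from 100 in steps of 100),
# i.e. ahead of most rules added above, not at this point of the script.
# Confirm that ordering is intended.
${ipfw} add 100 divert natd all from $int_net to any out recv $int_if xmit $ext_if
${ipfw} add 200 divert natd all from not $int_net to $ext_ip recv $ext_if

echo "allow_local_net"
${ipfw} add allow all from $int_net to any in recv $int_if
${ipfw} add allow all from any to $int_net out xmit $int_if

echo "tun_if"
${ipfw} add allow tcp from $ext_ip to $vpn_peer_2222 2222 out xmit $ext_if
${ipfw} add allow tcp from $vpn_peer_2222 2222 to $ext_ip in recv $ext_if
${ipfw} add allow tcp from $ext_ip 1194 to $vpn_peer_1194 $uports out xmit $ext_if
${ipfw} add allow tcp from $vpn_peer_1194 $uports to $ext_ip 1194 in recv $ext_if
# Everything inside the tunnels is trusted.
${ipfw} add allow all from any to any via $tun_if
${ipfw} add allow all from any to any via $tap_if

echo "net_inet"
# The original repeated the "$ext_ip $uports to any $services" rule here;
# it is already present above and is not duplicated.
${ipfw} add allow tcp from any $for_lan to $int_net $uports in recv $ext_if established
${ipfw} add allow tcp from $int_net $uports to any $services out xmit $ext_if
# (the original had the "from any $for_lan to $int_net ... established"
# rule a second time here; dropped as unreachable)
${ipfw} add allow tcp from any 80 to $ext_ip $uports in recv $ext_if established

echo "domain"
${ipfw} add allow udp from $ext_ip $uports to any domain out xmit $ext_if
${ipfw} add allow udp from any domain to $ext_ip $uports in recv $ext_if
${ipfw} add allow udp from any domain to $int_net $uports in recv $ext_if

# Catch-all for high-port tcp in both directions (replies must be established).
${ipfw} add allow tcp from $ext_ip $uports to any $uports out xmit $ext_if
${ipfw} add allow tcp from any $uports to $ext_ip $uports in recv $ext_if established

echo "icmp"
# Inbound: echo reply, unreachable, source quench, time exceeded, param problem.
${ipfw} add allow icmp from any to me icmptypes 0,3,4,11,12 in
${ipfw} add allow icmp from any to $int_net icmptypes 0,3,4,11,12 in recv $ext_if
# Outbound: unreachable, echo request, param problem.
${ipfw} add allow icmp from me to any icmptypes 3,8,12 out

# Default deny.
${ipfw} add deny all from any to any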

__________________________________________________ _________________

-удаленный доступ работает нормально;
-шлюз заходит по телнету на нужный адрес, а локальная машина нет;
-впн с 195.......... работает, т.е. сервера на обоих концах друг друга видят;
-впн2 - не работает, т.е. не "видно" сервера 192.168.12.2;
-нужно разграничить доступ, т.е. не все пользователи должны ходить в инет;

Последний раз редактировалось Alarick; 26.06.2007 в 12:45..