ipfirewall (ipfw) is the packet filter built into FreeBSD since version 2.0. With it you can, for example, count traffic according to any reasonable rules based on the header fields of the TCP/IP protocol stack, hand packets to external programs (through divert sockets, as natd does), hide a whole network behind one machine (NAT), and so on.[1]
A working gateway config
#!/bin/sh
# Gateway ruleset. ipfw evaluates rules in ascending rule number; the first match wins.
fw="/sbin/ipfw -q"
out_ext="192.168.0.5/28"   # defined but not referenced below
int_ext="192.168.1.1/28"   # defined but not referenced below
# ipfw masks the host bits of address/prefix, so 192.168.0.4/28 matches the whole
# 192.168.0.0/28 subnet, not one admin host; use a plain address (or /32) for one host
adm="192.168.0.4/28"
my_net="192.168.0.0/28"
${fw} -f flush
##### LOOPBACK #####
${fw} add 10 pass all from any to any via lo0
##### NATD #####
# every packet on the external interface xl0 goes to natd before any pass rule can match it
${fw} add 15 divert natd ip from any to any via xl0
##### ESTABLISHED & FRAG #####
# 'established' matches any TCP segment with ACK or RST set; no state is kept
${fw} add 20 pass tcp from any to any established
# non-first fragments carry no TCP header and cannot be matched by port, so they are passed outright
${fw} add 30 pass tcp from any to any frag
##### ADMIN Setting #####
${fw} add 100 pass tcp from ${adm} to me 22
${fw} add 110 pass tcp from me 22 to ${adm}
${fw} add 120 pass tcp from ${adm} to me 20,21 setup
${fw} add 130 pass tcp from me 20,21 to ${adm}
##### Server Setting #####
${fw} add 140 pass tcp from me to any 20,21,25,53,80,139,445,8080 setup
${fw} add 150 pass tcp from any 20,21,25,53,80,139,445,8080 to me
##### Common Setting #####
# no 'via' or 'in recv' restriction: these services are reachable on every interface, xl0 included
${fw} add 200 pass tcp from any to me 25,53,80,110,139,443,445,3128,3306,8080
${fw} add 210 pass tcp from me 25,53,80,110,139,443,445,3128,3306,8080 to any
# any high port to any high port in both directions, without 'setup' or state
${fw} add 220 pass tcp from me 5000-65000 to any 5000-65000
${fw} add 230 pass tcp from any 5000-65000 to me 5000-65000
##### UDP Connect #####
${fw} add 1000 pass udp from ${my_net} to me 53,123,137,138,445
${fw} add 1010 pass udp from me 53,123,137,138,445 to ${my_net}
${fw} add 1020 pass udp from me to ${my_net} 53,123,137,138,445
${fw} add 1030 pass udp from ${my_net} 53,123,137,138,445 to me
${fw} add 1040 pass udp from me 1025-65535 to any 1024-65535
${fw} add 1050 pass udp from any 1025-65535 to me 1024-65535
##### ICMP Connect #####
${fw} add 2000 pass icmp from me to any
${fw} add 2010 pass icmp from any to me icmptypes 0,3,8,11
##### LOG PACKETS #####
# only TCP is logged here; UDP, ICMP and everything else falls through to the default rule 65535,
# which denies unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT
${fw} add 65000 deny log tcp from any to any
Mail server:
# $IPFW, $ADMIN, $ADMIN1, $ADMIN_GLUK, $DNS1, $DNS2, $ME, $NTP and $NATD are set earlier in the
# script; their values are not shown here
$IPFW -f -q flush
$IPFW add 5000 allow ip from any to any via lo0
# private and loopback ranges must never appear on a public mail server
$IPFW add deny log ip from 172.16.0.0/12 to any
$IPFW add deny log ip from any to 172.16.0.0/12
$IPFW add deny log ip from 127.0.0.1/8 to any
$IPFW add deny log ip from any to 127.0.0.1/8
$IPFW add deny log ip from 192.168.0.0/16 to any
$IPFW add deny log ip from any to 192.168.0.0/16
# Allow the listed ICMP types from any to any, rate-limited by dummynet pipe 10 (64000 bit/s);
# with the default net.inet.ip.fw.one_pass=1 a packet leaving the pipe is accepted
$IPFW add pipe 10 icmp from any to any icmptypes 0,8,3,5,11
$IPFW pipe 10 config bw 64000
# For traceroute
$IPFW add allow udp from me to any 33434-33600
# SSH only from the admin hosts
$IPFW add allow tcp from $ADMIN 1024-65535 to me ssh
$IPFW add allow tcp from me ssh to $ADMIN 1024-65535
$IPFW add allow tcp from $ADMIN1 1024-65535 to me ssh
$IPFW add allow tcp from me ssh to $ADMIN1 1024-65535
$IPFW add allow tcp from $ADMIN_GLUK 1024-65535 to me ssh
$IPFW add allow tcp from me ssh to $ADMIN_GLUK 1024-65535
# Allow DNS queries to the upstream DNS servers
$IPFW add allow udp from me to $DNS1 53 out
$IPFW add allow udp from $DNS1 53 to me in
$IPFW add allow udp from me to $DNS2 53 out
$IPFW add allow udp from $DNS2 53 to me in
# For outbound mail transport
$IPFW add allow tcp from me 1024-65535 to any 25 out
$IPFW add allow tcp from any 25 to me 1024-65535 in
# For time synchronisation
$IPFW add allow udp from $ME 123 to $NTP 123 out
$IPFW add allow udp from $NTP 123 to $ME 123 in
# -----------------------------------------------------------------------
# For DNS use (clients -> me)
$IPFW add allow udp from any to me 53 in
$IPFW add allow udp from me 53 to any out
# For DNS resolving
$IPFW add allow udp from me 1024-65535 to any 53 out
$IPFW add allow udp from any 53 to me 1024-65535 in
# For zone transfer IN
$IPFW add allow tcp from me 1024-65535 to any 53 out
$IPFW add allow tcp from any 53 to me 1024-65535 in
# For zone transfer OUT
$IPFW add allow tcp from me 53 to any 1024-65535 out
$IPFW add allow tcp from any 1024-65535 to me 53 in
# For HTTPD use
$IPFW add allow tcp from any 1024-65535 to me 80 in
$IPFW add allow tcp from me 80 to any 1024-65535 out
# For POP3 use
$IPFW add allow tcp from any 1024-65535 to me 110 in
$IPFW add allow tcp from me 110 to any 1024-65535 out
# For FTP use
$IPFW add allow tcp from any to me 21,20 in
$IPFW add allow tcp from me 21,20 to any out
# For SMTP use (inbound)
$IPFW add allow tcp from any 1024-65535 to me 25 in
$IPFW add allow tcp from me 25 to any 1024-65535 out
# ============================================================
# For Nagios: 'uid nagios' matches only packets of sockets owned by the nagios user on this host
$IPFW add allow ip from any to any uid nagios
$IPFW add allow udp from any 1024-65535 to any 161
$IPFW add allow udp from any 161 to any 1024-65535
# For MRTG
$IPFW add allow udp from $ME to $NATD 161
$IPFW add allow udp from $NATD 161 to $ME
# no closing deny: anything not matched above hits the default rule 65535, which denies
# unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT
Proxy/NAT server
# $IPFW, $LOCALNET, $CLIENT, $SQUID, $ME, $ME_PRIV, $ADMIN, $S2, $GLUK, $GLUK1, $SERVERS,
# $INTERNET, $NATD, $NATD_CLIENT, $INT_REAL, $INT_PRIV and $INT_CLIENT are set earlier in the
# script; their values are not shown here
$IPFW -f flush
$IPFW add 5000 allow ip from any to any via lo0
# Access denied from/to blackhole addresses and multicast
$IPFW add deny log ip from 127.0.0.1/8 to any
$IPFW add deny log ip from any to 127.0.0.1/8
$IPFW add deny log ip from 10.0.0.0/8 to any
$IPFW add deny log ip from any to 10.0.0.0/8
$IPFW add deny log ip from 172.16.0.0/12 to any
$IPFW add deny log ip from any to 172.16.0.0/12
$IPFW add deny log ip from 224.0.0.0/4 to any
$IPFW add deny log ip from any to 224.0.0.0/4
$IPFW add deny ip from $LOCALNET to $CLIENT
$IPFW add deny ip from $CLIENT to $LOCALNET
$IPFW add allow ip from any to any uid yushkin
# Squid -> any HTTP server
$IPFW add allow tcp from $SQUID 1024-65535 to any http out via $INT_REAL
$IPFW add allow tcp from any http to $SQUID 1024-65535 in via $INT_REAL
$IPFW add allow tcp from $ME 1024-65535 to any http out via $INT_REAL
$IPFW add allow tcp from any http to $ME 1024-65535 in via $INT_REAL
# Secure Shell access
$IPFW add 10000 allow tcp from $ADMIN 1024-65535 to $ME ssh
$IPFW add allow tcp from $ME ssh to $ADMIN 1024-65535
$IPFW add allow tcp from $LOCALNET 1024-65535 to $ME_PRIV ssh
$IPFW add allow tcp from $ME_PRIV ssh to $LOCALNET 1024-65535
$IPFW add allow tcp from $S2 1024-65535 to $ME ssh
$IPFW add allow tcp from $ME ssh to $S2 1024-65535
$IPFW add allow tcp from $GLUK 1024-65535 to $ME ssh
$IPFW add allow tcp from $ME ssh to $GLUK 1024-65535
$IPFW add allow tcp from $GLUK1 1024-65535 to $ME ssh
$IPFW add allow tcp from $ME ssh to $GLUK1 1024-65535
$IPFW add deny log tcp from any to me ssh
$IPFW add deny log tcp from me ssh to any
# first match wins: 'me' covers every address of this host, so the two deny rules above
# shadow the six allow rules that follow; they never see an SSH packet
$IPFW add allow tcp from $LOCALNET 1024-65535 to $ME_PRIV 22 in via $INT_PRIV
$IPFW add allow tcp from $ME_PRIV 22 to $LOCALNET 1024-65535 out via $INT_PRIV
$IPFW add allow tcp from any to $ME ssh
$IPFW add allow tcp from $ME 22 to any
$IPFW add allow tcp from any to $ME_PRIV ssh
$IPFW add allow tcp from $ME_PRIV ssh to any
# DNS for the local network
$IPFW add allow udp from $LOCALNET to $ME_PRIV domain
$IPFW add allow udp from $ME_PRIV domain to $LOCALNET
$IPFW add allow udp from $ME to any domain
$IPFW add allow udp from any domain to $ME
# For Nagios (NRPE checks from S2)
$IPFW add allow tcp from $S2 1024-65535 to $ME 5666
$IPFW add allow tcp from $ME 5666 to $S2 1024-65535
# For SNMP
$IPFW add allow udp from $S2 to $ME 161
$IPFW add allow udp from $ME 161 to $S2
# Allow ICMP types from any to any (disabled)
# $IPFW add pipe 10 icmp from any to any icmptypes 0,8,3,5,11
# $IPFW pipe 10 config bw 9600
# For traceroute
$IPFW add allow udp from me to any 33434-33600
$IPFW add deny ip from $SERVERS to any out via $INT_REAL
$IPFW add deny ip from any to $SERVERS in via $INT_REAL
# ------------------------ NATD -------------------------
# classic two-divert pattern: translate on the way out via $INT_REAL and on the way back in
$IPFW add allow ip from $LOCALNET to $INTERNET in via $INT_PRIV
$IPFW add divert natd ip from $LOCALNET to $INTERNET out via $INT_REAL
$IPFW add allow ip from $NATD to $INTERNET out via $INT_REAL
$IPFW add divert natd ip from $INTERNET to $NATD in via $INT_REAL
$IPFW add allow ip from $INTERNET to $LOCALNET out via $INT_PRIV
# -------------------------------------------------------
# second natd instance listening on divert port 8669 for the $CLIENT network
$IPFW add allow ip from $CLIENT to $INTERNET in via $INT_CLIENT
$IPFW add divert 8669 ip from $CLIENT to $INTERNET out via $INT_REAL
$IPFW add allow ip from $NATD_CLIENT to $INTERNET out via $INT_REAL
$IPFW add divert 8669 ip from $INTERNET to $NATD_CLIENT in via $INT_REAL
$IPFW add allow ip from $INTERNET to $CLIENT out via $INT_CLIENT
# -------------------------------------------------------
# $IPFW add 1 allow ip from any to any
$IPFW add 50000 deny udp from any to any 138
$IPFW add deny udp from any to any 137
# default-allow: everything not denied above is passed
$IPFW add allow ip from any to any
# transparent proxying: rule number 100 puts this ahead of every rule above; it needs
# the IPFIREWALL_FORWARD kernel option on the FreeBSD releases of this page's era
$IPFW add 100 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to not 192.168.0.0/16 http
Source: http://forum.ixbt.com/topic.cgi?id=76:5473
Useful ipfw resources:
- A comparison of the three FreeBSD 5.3 packet filters (IPFW, PF, IPFILTER)
- Notes on IPFW
- A detailed guide to ipfw nat
- Building a custom FreeBSD kernel!
- The simplest cases of sharing an Internet connection inside an office network
- The mystery of the idle xl0, or taking control of your network
- IPFW: traffic shaper and firewall for FreeBSD
- Configuring IPFW in FreeBSD
- Monitoring FreeBSD. Useful notes.
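The rulesets above share the traits that bite in practice: unnumbered rules get their numbers from ipfw's autoinc step, so a late `add 100 fwd ...` lands first while a late `deny` behind an `allow ip from any to any` is never reached; a `deny ... from any to me ssh` silently shadows every allow with the same match that follows it; and ranges such as `1024-65525` or `1024-6535` pass review by eye. The checker below is an added example written for this page (it is not code from the page, the ixbt thread or the ipfw project) and is in Python rather than sh because it is a small parser, not a ruleset. It replays ipfw's numbering and first-match order over the text of a script, treating shell variables such as `$ADMIN` or `$INT_REAL` as opaque tokens, and reports dead rules, verbatim duplicates and odd port ranges. The sample ruleset at the bottom is constructed to reproduce these mistakes; the "an ephemeral range must end at 65535" rule is a heuristic of this checker, not ipfw semantics.

```python
"""Offline sanity checker for ipfw(8) rule scripts (an added example, not code from
this page, the ixbt thread or the ipfw project).  Input lines look like
    $IPFW add [NUMBER] ACTION PROTO from SRC [PORTS] to DST [PORTS] [OPTIONS]
Shell variables ($ADMIN, $INT_REAL, ...) are kept as opaque text."""
import re
from collections import namedtuple

AUTOINC_STEP = 100      # default of sysctl net.inet.ip.fw.autoinc_step
DEFAULT_RULE = 65535    # the fixed last rule; auto-numbering stops just below it
TERMINATING = {"allow", "pass", "accept", "permit", "deny", "drop", "reject", "unreach", "reset"}
ARG_ACTIONS = {"divert", "tee", "pipe", "queue", "fwd", "forward", "skipto", "unreach", "netgraph"}
# keywords that may follow the destination address instead of a port list
OPTION_WORDS = {"in", "out", "via", "recv", "xmit", "setup", "established", "frag", "icmptypes",
                "icmptype", "uid", "gid", "jail", "keep-state", "check-state", "limit", "tcpflags",
                "ipoptions", "iplen", "ipttl", "iptos", "not", "logamount", "verrevpath", "antispoof"}
ADD_LINE = re.compile(r"^\s*(?:\$\{?\w+\}?|\S*ipfw)\s+(?:-\w+\s+)*add\s+(.+?)\s*$")
RANGE = re.compile(r"^(\d+)-(\d+)$")
Rule = namedtuple("Rule", "lineno number action proto src sports dst dports options body")

def spec(r):                      # what decides a match; the action is excluded
    return (r.proto, r.src, r.sports, r.dst, r.dports, r.options)

def is_catch_all(r):              # terminating, ip/all, any to any, no ports, no options
    return (r.action in TERMINATING and r.proto in ("ip", "all") and r.src == "any"
            and r.dst == "any" and not (r.sports or r.dports or r.options))

def parse_rule(lineno, body, auto_number):
    toks = body.split()
    number = int(toks.pop(0)) if toks[0].isdigit() else auto_number
    action = toks.pop(0)
    if action in ARG_ACTIONS:
        toks.pop(0)                                   # divert port, pipe number, fwd target
    while toks and toks[0] in ("log", "logamount"):   # 'log' and 'logamount N' precede the protocol
        if toks.pop(0) == "logamount":
            toks.pop(0)
    proto = toks.pop(0)
    if toks.pop(0) != "from":
        raise ValueError(f"line {lineno}: expected 'from' after protocol {proto!r}")
    src = toks.pop(0) if toks[0] != "not" else toks.pop(0) + " " + toks.pop(0)
    sports = "" if toks[0] == "to" else toks.pop(0)
    toks.pop(0)                                       # the 'to' keyword
    dst = toks.pop(0) if toks[0] != "not" else toks.pop(0) + " " + toks.pop(0)
    dports = toks.pop(0) if toks and toks[0] not in OPTION_WORDS else ""
    return Rule(lineno, number, action, proto, src, sports, dst, dports, tuple(toks), body)

def port_problems(ports):
    """Messages for each range in a comma-separated port list that is impossible or looks like a typo."""
    for item in ports.split(",") if ports else ():
        m = RANGE.match(item)
        if not m:
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi or hi > 65535:
            yield f"impossible range {item}"
        elif lo in (1024, 1025) and hi != 65535:      # heuristic: ephemeral ranges here run to 65535
            yield f"suspicious upper bound in {item} (65535 intended?)"

def parse_script(script):
    """Rules in insertion order, numbered as ipfw numbers them; comments and non-add lines skipped."""
    rules = []
    for lineno, line in enumerate(script.splitlines(), 1):
        m = ADD_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            highest = max((r.number for r in rules), default=0)
            rules.append(parse_rule(lineno, m.group(1), min(highest + AUTOINC_STEP, DEFAULT_RULE - 1)))
    return rules

def effective_order(script):      # kernel order: by number; equal numbers keep insertion order
    return sorted(parse_script(script), key=lambda r: r.number)

def check(script):
    """Findings as (category, lineno, rule_number, message)."""
    findings, seen_body, seen_spec, blocker = [], {}, {}, None
    for r in parse_script(script):
        if r.body in seen_body:
            findings.append(("duplicate", r.lineno, r.number, f"repeats line {seen_body[r.body]}"))
        seen_body.setdefault(r.body, r.lineno)
        for side, ports in (("source", r.sports), ("destination", r.dports)):
            findings.extend(("ports", r.lineno, r.number, f"{side} {m}") for m in port_problems(ports))
    for r in effective_order(script):
        if blocker is not None:
            findings.append(("dead", r.lineno, r.number, f"behind catch-all rule {blocker.number}"))
        elif spec(r) in seen_spec:
            findings.append(("dead", r.lineno, r.number, f"same match as rule {seen_spec[spec(r)].number}"))
        else:
            if r.action in TERMINATING:
                seen_spec[spec(r)] = r
            if is_catch_all(r):
                blocker = r
    return findings

# Constructed sample reproducing the kinds of mistakes visible in the configs on this page.
SAMPLE = """\
$IPFW -f flush
$IPFW add 5000 allow ip from any to any via lo0
$IPFW add 10000 allow tcp from $ADMIN 1024-65535 to $ME ssh
$IPFW add 10000 allow tcp from $ADMIN 1024-65535 to $ME ssh
$IPFW add deny log tcp from any to me ssh
$IPFW add allow tcp from any to me ssh
$IPFW add allow udp from me 1024-6535 to any 53 out
$IPFW add allow ip from any to any
$IPFW add 50000 deny udp from any to any 138
$IPFW add 100 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to not 192.168.0.0/16 http
"""
```

Call `check(open(path).read())` on a real script, or `effective_order(...)` to see the sequence the kernel will actually evaluate. On the sample, the `fwd` rule sorts to the front as number 100, the second `10000` line is both a duplicate and dead, the `allow ... to me ssh` is dead behind the `deny` with the same match, and the `deny udp ... 138` at 50000 is dead behind the catch-all `allow ip from any to any`, which received number 10400. Because the checker is textual it cannot know that `$ME` and `me` denote the same host, which is why the page's own SSH block would not trip the shadow check and the sample uses `me` on both lines.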