forum.opennet.ru

Составление сообщения

Исходное сообщение

"ipfw pipe + if_bridge ограничивается скорость только на icmp"
Отправлено weldpua2008, 19-Фев-07 15:15

Не проверял в действии для ДС и фтп
#!/bin/sh
vr0=rl0
vr1=rl1
router_card=$vr0 #card where add ip
routerip="10.11.25.6"
cards="$vr0 $vr1" #card to up
deny_dns_card="" # deny_dns_card="$vr0 $vr1"
deny_netbios_cards="$vr0 $vr1" #deny netbios through this card's
d_dhcp_cards=""  #deny dchp through this card's
ftp="10.11.25.3"
dc="10.11.25.3" #dc="( 10.11.25.3 or 10.11.13.8 )"
denyports="20 21 123 136 137 138 139 445 7777 7551 7550 8167" #to all
allow_ports="1-66 69-134 140-444 446-7549 7552-7776 7778-8166 8168-65535" #to all
speed1="2000Kbit/s" # to ftp
speed2="5000Kbit/s" # to dc
speed3="5000Kbit/s" # from any to any LOCAL
speed4="2000Kbit/s"  # internet
speed5="200Kbit/s"  # ping's
local_net="192.168.0.0/16 10.0.0.0/8 172.168.0.0/16"
deny_ftp_ip="" #deny ip to ftp server
deny_dc_ip=""  #deny ip to dc server
deny_ftp_card="" #deny all to ftp server via card
deny_dc_card=""  #deny all to dc server via card
ifc="/sbin/ifconfig "
$ifc bridge0 create
for cd in $cards;
    do
   $ifc $cd up;
   $ifc bridge0 addm $cd up
done
$ifc $router_card $routerip
$ifc bridge0 up
$sysctl net.inet.ip.fw.one_pass=0
$sysctl    net.link.bridge.ipfw=1
$sysctl    net.link.bridge.ipfw_arp=1
$sysctl net.inet.ip.fw.verbose_limit=10000
######################################## ####
#/usr/local/etc/rc.d/ipfw.sh
echo "/usr/local/etc/rc.d/ipfw.sh"
#don't edit this
s_v="-1"
n_v="$s_v"
ipfw="/sbin/ipfw "
ipf="$ipfw add "
ipf_del="/sbin/ipfw delete "
pr_r=""
r=""
appyrule=/appyrule.txt
echo '#!/bin/sh
'>$appyrule
ipf="/sbin/ipfw add"
ipf_del="/sbin/ipfw delete"

f ()
{
#s_v="-1"
#n_v="$s_v"
n_v=$n
if [ $s_v -gt 0  ]; then
echo "add number for rule: $r"
elif [ "$s_v" != "$n_v" ]; then
    if [ "$r" = "" ]; then
    echo "no rule for number: $n"
    elif [ "$pr_r" != "$r" ]; then
    n=` expr $n + 1 `
    $ipf_del $n
    $ipf $n $r
    echo "$ipf $n $r">>$appyrule
    fi
fi
}

p="/sbin/ipfw "
n=100
$p pipe 1 config bw $speed1 # to ftp
$p pipe 2 config bw $speed2 # to dc
$p pipe 3 config bw $speed3 # from any to any
$p pipe 4 config bw $speed4 # internet
$p pipe 5 config bw $speed5 # ping's

n=` expr $n + 100 `
r="allow udp from  0.0.0.0 2054 to 0.0.0.0"
f
r="allow layer2 from any to any mac-type arp"
f
r="allow all from any to any via lo0"
f
for card in $deny_dns_card;
    do
    r="deny udp from  any to any 53 via $card";
    f;
    r="deny tcp from  any to any 53 via $card";
    f;
done

for ftp_ip in $deny_ftp_ip;
    do
    r=" deny all from $ftp_ip to $ftp 20,21";
    f;
    r=" deny all from $ftp 20,21 to $ftp_ip";
    f;
    done
for dc_ip in $deny_dc_ip;
    do
    r=" deny all from $dc_ip to $dc 411";
    f;
    r=" deny all from $dc 411 to $dc_ip";
    f;
    done
for ftp_card in $deny_ftp_card;
    do
    r=" deny all from any to $ftp 20,21 via $ftp_card";
    f;
    r=" deny all from $ftp 20,21 to any via $ftp_card";
    f;
    done
for dc_card in $deny_dc_card;
    do
    r=" deny all from any to $dc 411 via $ftp_card";
    f;
    r=" deny all from $ftp 20,21 to any via $ftp_card";
    f;
    done
for d_nb_card in $deny_netbios_cards;
    do
    r="deny all from any to any 135-139 via $d_nb_card";
    f;
    done
for d_dhcp_card in $d_dhcp_cards;
    do
    r="deny all from any to any 67-68 via $d_dhcp_card"
    f
    done

n=` expr $n + 100 `
r=" deny icmp from any to any in icmptype 5,9,13,14,15,16,17"
f
r="allow all from any to $routerip"
f
#################PIPES ######################
r=" pipe 5 icmp from any to any"
f
r=" allow tcp from any to $ftp limit src-addr 10"
f
r=" pipe 1 all from  any to $ftp 21,20"
f
r=" pipe 1 all from  $ftp 21,20 to any"
f
r=" pipe 2 all from  any to $dc 411"
f
r=" pipe 2 all from  $dc 411 to any"
f
for net in $local_net;
    do
    for net1 in $local_net;
        do
    r=" pipe 4 all from  $net to not $net1" #Internet
    f
    done
done
for net in $local_net;
    do
    for net1 in $local_net;
        do
    r=" pipe 3 all from  $net to $net1" #local
    f
    done
done
r=" deny tcp from any to $routerip in tcpflags syn,fin,!ack"
f
r=" deny tcp from any to $routerip in tcpflags syn,fin,urg,psh,!ack"
f
r=" deny tcp from any to $routerip in tcpflags fin,urg,psh,!ack"
f
r=" allow gre from any to any"
f
r=" allow udp from any to any 500"
f
r=" allow tcp from any to any 1023,1723"
f
r=" allow esp from any to any"
f
for port1 in $allow_ports;
    do
    r=" allow all from any to any $port1";
    f;
    done
for port in $denyports;
    do
    r=" deny all from any to any $port";
    f;
    done
r="allow all from any to any 53"
f
n=` expr $n + 100 `
r="allow all from any to any"
f
r="deny log  all from any to any"
#f
echo "" > /var/log/security

Исходное сообщение
"ipfw pipe + if_bridge ограничивается скорость только на icmp" Отправлено weldpua2008, 19-Фев-07 15:15
Не проверял в действии для ДС и фтп #!/bin/sh vr0=rl0 vr1=rl1 router_card=$vr0 #card where add ip routerip="10.11.25.6" cards="$vr0 $vr1" #card to up deny_dns_card="" # deny_dns_card="$vr0 $vr1" deny_netbios_cards="$vr0 $vr1" #deny netbios through this card's d_dhcp_cards="" #deny dchp through this card's ftp="10.11.25.3" dc="10.11.25.3" #dc="( 10.11.25.3 or 10.11.13.8 )" denyports="20 21 123 136 137 138 139 445 7777 7551 7550 8167" #to all allow_ports="1-66 69-134 140-444 446-7549 7552-7776 7778-8166 8168-65535" #to all speed1="2000Kbit/s" # to ftp speed2="5000Kbit/s" # to dc speed3="5000Kbit/s" # from any to any LOCAL speed4="2000Kbit/s" # internet speed5="200Kbit/s" # ping's local_net="192.168.0.0/16 10.0.0.0/8 172.168.0.0/16" deny_ftp_ip="" #deny ip to ftp server deny_dc_ip="" #deny ip to dc server deny_ftp_card="" #deny all to ftp server via card deny_dc_card="" #deny all to dc server via card ifc="/sbin/ifconfig " $ifc bridge0 create for cd in $cards; do $ifc $cd up; $ifc bridge0 addm $cd up done $ifc $router_card $routerip $ifc bridge0 up $sysctl net.inet.ip.fw.one_pass=0 $sysctl net.link.bridge.ipfw=1 $sysctl net.link.bridge.ipfw_arp=1 $sysctl net.inet.ip.fw.verbose_limit=10000 ######################################## #### #/usr/local/etc/rc.d/ipfw.sh echo "/usr/local/etc/rc.d/ipfw.sh" #don't edit this s_v="-1" n_v="$s_v" ipfw="/sbin/ipfw " ipf="$ipfw add " ipf_del="/sbin/ipfw delete " pr_r="" r="" appyrule=/appyrule.txt echo '#!/bin/sh '>$appyrule ipf="/sbin/ipfw add" ipf_del="/sbin/ipfw delete" f () { #s_v="-1" #n_v="$s_v" n_v=$n if [ $s_v -gt 0 ]; then echo "add number for rule: $r" elif [ "$s_v" != "$n_v" ]; then if [ "$r" = "" ]; then echo "no rule for number: $n" elif [ "$pr_r" != "$r" ]; then n=` expr $n + 1 ` $ipf_del $n $ipf $n $r echo "$ipf $n $r">>$appyrule fi fi } p="/sbin/ipfw " n=100 $p pipe 1 config bw $speed1 # to ftp $p pipe 2 config bw $speed2 # to dc $p pipe 3 config bw $speed3 # from any to any $p pipe 4 config bw $speed4 # internet $p pipe 5 config bw $speed5 # ping's n=` expr $n + 100 ` r="allow udp from 0.0.0.0 2054 to 0.0.0.0" f r="allow layer2 from any to any mac-type arp" f r="allow all from any to any via lo0" f for card in $deny_dns_card; do r="deny udp from any to any 53 via $card"; f; r="deny tcp from any to any 53 via $card"; f; done for ftp_ip in $deny_ftp_ip; do r=" deny all from $ftp_ip to $ftp 20,21"; f; r=" deny all from $ftp 20,21 to $ftp_ip"; f; done for dc_ip in $deny_dc_ip; do r=" deny all from $dc_ip to $dc 411"; f; r=" deny all from $dc 411 to $dc_ip"; f; done for ftp_card in $deny_ftp_card; do r=" deny all from any to $ftp 20,21 via $ftp_card"; f; r=" deny all from $ftp 20,21 to any via $ftp_card"; f; done for dc_card in $deny_dc_card; do r=" deny all from any to $dc 411 via $ftp_card"; f; r=" deny all from $ftp 20,21 to any via $ftp_card"; f; done for d_nb_card in $deny_netbios_cards; do r="deny all from any to any 135-139 via $d_nb_card"; f; done for d_dhcp_card in $d_dhcp_cards; do r="deny all from any to any 67-68 via $d_dhcp_card" f done n=` expr $n + 100 ` r=" deny icmp from any to any in icmptype 5,9,13,14,15,16,17" f r="allow all from any to $routerip" f #################PIPES ###################### r=" pipe 5 icmp from any to any" f r=" allow tcp from any to $ftp limit src-addr 10" f r=" pipe 1 all from any to $ftp 21,20" f r=" pipe 1 all from $ftp 21,20 to any" f r=" pipe 2 all from any to $dc 411" f r=" pipe 2 all from $dc 411 to any" f for net in $local_net; do for net1 in $local_net; do r=" pipe 4 all from $net to not $net1" #Internet f done done for net in $local_net; do for net1 in $local_net; do r=" pipe 3 all from $net to $net1" #local f done done r=" deny tcp from any to $routerip in tcpflags syn,fin,!ack" f r=" deny tcp from any to $routerip in tcpflags syn,fin,urg,psh,!ack" f r=" deny tcp from any to $routerip in tcpflags fin,urg,psh,!ack" f r=" allow gre from any to any" f r=" allow udp from any to any 500" f r=" allow tcp from any to any 1023,1723" f r=" allow esp from any to any" f for port1 in $allow_ports; do r=" allow all from any to any $port1"; f; done for port in $denyports; do r=" deny all from any to any $port"; f; done r="allow all from any to any 53" f n=` expr $n + 100 ` r="allow all from any to any" f r="deny log all from any to any" #f echo "" > /var/log/security

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру