>http://bsd.opennet.ru/base/net/ipfw_guide.txt.html
>например
например он не совсем рабочий...
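#!/bin/sh
# ipfw ruleset for a small gateway: uplink on ${ifout}, user LAN on ${ifuser},
# natd for the LAN and a transparent HTTP proxy on this host (port 3128).
#
# Kernel requirements (confirm against the running kernel config):
#   IPFIREWALL          - the firewall itself
#   IPDIVERT            - needed by the "divert natd" rule
#   IPFIREWALL_FORWARD  - needed by the "fwd" rule; without it the rule is
#                         accepted but silently does nothing
#
# Changes versus the original paste:
#   * rules 200 and 500 were wrapped across two lines in the post; a rule
#     must be one line, and the ICMP keyword is "icmptypes"
#   * rule 500 now matches "in via ${ifuser}": a fwd to a *local* address
#     is only honoured when it matches on input (ipfw(8); the FreeBSD
#     handbook transparent-proxy example also uses "in via <inside if>").
#     With "out via ${ifout}" the packet is first allowed by a 10xx rule on
#     the inbound pass and the proxy never sees it.

ipfw='/sbin/ipfw -q'        # -q: quiet per-rule output and no prompt on flush
ournet='192.168.0.0/24'     # LAN prefix (original had 192.168.0.1/24; ipfw masks host bits anyway)
uprefix='192.168.0'         # first three octets of the LAN, for per-host rules
ifout='rl0'                 # outside / uplink interface
ifuser='rl1'                # inside / user LAN interface
proxy='127.0.0.1,3128'      # transparent proxy: local address, port

# Single entry point for every rule; $ipfw is deliberately unquoted because
# it carries the command *and* its flags.
fw() {
  ${ipfw} "$@"
}

fw flush
fw add 100 check-state

# Drop ICMP redirect(5), router-advert(9), timestamp(13/14),
# info(15/16) and address-mask(17) requests/replies arriving from outside.
fw add 200 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17

# Anti-spoofing: our own prefix must never arrive on the uplink.
fw add 210 reject ip from ${ournet} to any in via ${ifout}

fw add 300 allow ip from any to any via lo0
fw add 310 allow tcp from me to any keep-state via ${ifout}
fw add 320 allow icmp from any to any
fw add 330 allow udp from me to any domain keep-state
fw add 340 allow udp from any to me domain
fw add 350 allow ip from me to any
fw add 400 allow tcp from any to me http,https,ssh
fw add 410 allow tcp from not ${ournet} to me smtp

# Transparent proxy.  Must match on *input* from the user LAN (see header)
# and must be numbered below the per-host 10xx allow rules, because fwd
# terminates the search.  Note: if ${proxy} were a non-local address, fwd
# would only change the next hop and leave the destination untouched.
fw add 500 fwd ${proxy} tcp from ${ournet} to any http in via ${ifuser}

# Outbound NAT for the LAN (natd must be running on its divert port).
fw add 510 divert natd ip from ${ournet} to any out via ${ifout}

# Per-host access for the user LAN: host .N gets rule number 1000+N in
# both directions.  Add a host by extending this list.
for h in 2 3 4; do
  fw add $((1000 + h)) allow ip from ${uprefix}.${h} to any via ${ifuser}
  fw add $((1000 + h)) allow ip from any to ${uprefix}.${h} via ${ifuser}
done

# 65535 is the kernel's built-in default rule (deny unless the kernel was
# built with IPFIREWALL_DEFAULT_TO_ACCEPT); the listing in the post shows it
# as "deny", so an explicit final deny is not required here.
#fw add 65535 deny ip from any to any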
# ipfw -a list
00100 0 0 check-state
00200 0 0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00210 0 0 reject ip from 10.0.0.0/24 to any in via rl0
00300 0 0 allow ip from any to any via lo0
00310 0 0 allow tcp from me to any via rl0 keep-state
00320 0 0 allow icmp from any to any
00330 22 2217 allow udp from me to any dst-port 53 keep-state
00340 0 0 allow udp from any to me dst-port 53
00350 57 4690 allow ip from me to any
00400 73 3846 allow tcp from any to me dst-port 80,443,22
00410 0 0 allow tcp from not 10.0.0.0/24 to me dst-port 25
00500 0 0 fwd 10.0.0.12,3128 tcp from 10.0.0.0/24 to any dst-port 80 out via wb0
00510 5 240 divert 8668 ip from 10.0.0.0/24 to any out via rl0
01002 0 0 allow ip from 10.0.0.13 to any via wb0
01002 0 0 allow ip from any to 10.0.0.13 via wb0
01003 19 1274 allow ip from 10.0.0.11 to any via wb0
01003 0 0 allow ip from any to 10.0.0.11 via wb0
01004 44 12974 allow ip from 10.0.0.4 to any via wb0
01004 0 0 allow ip from any to 10.0.0.4 via wb0
65535 624 67406 deny ip from any to any
насколько на практике видно, начинают ходить только те хосты, что открыты правилами 10ХХ, все остальные никак... на прокси не заворачивает ???
в чём как бы может ошибка, сказано ведь рабочий ???