Задача: дать доступ из внутренней сети 192.168.0.0/24 и модемного подключения -> в интеренет. Кое что - через нат, www - через прокси. DNS - внутренний + форварды во вне.
Гляньте на уязвимость. Может че попроще можно написать. Может где лучше динамические правила использовать... ну и т.д.
############
# Flush out the list before we begin.
01: ${fwcmd} -f flush
############
# Only in rare cases do you want to change these rules
02: ${fwcmd} add 100 pass all from any to any via lo0
03: ${fwcmd} add 200 deny all from any to 127.0.0.0/8
04: ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
############
05: oif="ed1"
06: iif="ed0"
07: own_net="192.168.0.0/24"
08: dialip="192.168.0.128"
09: ftp="ftp,ftp\\-data"
10: mail="pop3,smtp"
11: diverted_ports="${ftp},${mail},https"
12: proxy="3128"
# outer HACKERS !!!
13: ${fwcmd} add deny all from xxx.xxx.xxx.xxx to any
14: ${fwcmd} add deny all from any to xxx.xxx.xxx.xxx
# Top-secret inner IP's
15: ${fwcmd} add deny all from xxx.xxx.xxx.xxx to any
16: ${fwcmd} add deny all from any to xxx.xxx.xxx.xxx
############
# DIVERTING PACKETS FOR diverted_ports
17: case ${natd_enable} in
18: [Yy][Ee][Ss])
19: if [ -n "${natd_interface}" ]; then
20: oif=${natd_interface}
21: ${fwcmd} add divert natd tcp from any ${diverted_ports} to me in recv ${oif}
22: ${fwcmd} add divert natd tcp from ${own_net} to any ${diverted_ports} out xmit ${oif}
23: ${fwcmd} add pass tcp from me to any ${diverted_ports} out xmit ${oif}
24: ${fwcmd} add pass tcp from any ${diverted_ports} to ${own_net} in recv ${oif}
# ICMP - enable if you need it
25: #${fwcmd} add divert natd icmp from any to any via ${oif}
26: fi
27: ;;
28: esac
# Allow access to DNS for me
29: ${fwcmd} add pass udp from me to any domain out xmit ${oif}
30: ${fwcmd} add pass udp from any domain to me in recv ${oif}
# Allow access to WWW for me
31: ${fwcmd} add pass tcp from me to any www out xmit ${oif}
32: ${fwcmd} add pass tcp from any www to me in recv ${oif} established
# ICMP - enable if you need it
33: #${fwcmd} add deny icmp from any to any frag
34: #${fwcmd} add pass icmp from any to any
# Redirect www-queries to my proxy
35: ${fwcmd} add 350 fwd 127.0.0.1,${proxy} tcp from ${own_net} to any www,${proxy} in recv ${iif}
# and for dialup
36: ${fwcmd} add 351 fwd 127.0.0.1,${proxy} tcp from ${dialip} to any www,${proxy} in recv ppp0
# Allow DNS for my own net
37: ${fwcmd} add pass udp from ${own_net} to me domain in recv ${iif}
38: ${fwcmd} add pass udp from me domain to ${own_net} out xmit ${iif}
# and for dialup
39: ${fwcmd} add pass udp from ${dialip} to me domain in recv ppp0
40: ${fwcmd} add pass udp from me domain to ${dialip} out xmit ppp0
# Direct access to internet resources from my own net
41: ${fwcmd} add pass tcp from any www,${proxy},${ftp},${mail},https to ${own_net} out xmit ${iif}
42: ${fwcmd} add pass tcp from ${own_net} to any www,${proxy},${ftp},${mail},https in recv ${iif}
# and for dialup
43: ${fwcmd} add pass tcp from any www,${proxy},${ftp},${mail} to ${dialip} out xmit ppp0
44: ${fwcmd} add pass tcp from ${dialip} to any www,${proxy},${ftp},${mail} in recv ppp0
# Everything else is denied by default
---
|