Вот, разобрался с нумерацией и воспользовался некоторыми рекомендациями...
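############
# ipfw ruleset for a small NAT/proxy gateway.  Rule numbers are explicit, so
# the order in which the 'add' commands run does not matter -- only the number
# does.  Flush the existing list before we begin.
${fwcmd} -f flush

############
# Loopback handling.  Only in rare cases do you want to change these rules.
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

############
# Set these to your values
oif="ed1"                     # outer (Internet-facing) interface
iif="ed0"                     # inner (LAN) interface
own_net="192.168.0.0/24"      # LAN behind ${iif}
dialip="192.168.0.128"        # dial-up client address reached via ppp0
ftp="ftp,ftp\\-data"          # the '\-' keeps ipfw from reading ftp-data as a port range
mail="pop3,smtp"
proxy="3128"                  # local WWW proxy port; must listen on 127.0.0.1 for rule 1101
diverted_ports="${ftp},${mail},https"

# Outside hosts blocked outright (placeholders -- fill in real addresses).
${fwcmd} add 401 deny all from xxx.xxx.xxx.xxx to any
${fwcmd} add 402 deny all from any to xxx.xxx.xxx.xxx

# Inner hosts that must not exchange traffic with anything (placeholders).
${fwcmd} add 501 deny all from xxx.xxx.xxx.xxx to any
${fwcmd} add 502 deny all from any to xxx.xxx.xxx.xxx

############
# DIVERTING PACKETS FOR diverted_ports
# A packet handed to natd re-enters the ruleset at the rule following the
# divert rule, so rules numbered below 601 never see translated packets.
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		oif=${natd_interface}
		${fwcmd} add 601 divert natd tcp from any ${diverted_ports} to me in recv ${oif}
		${fwcmd} add 602 divert natd tcp from ${own_net} to any ${diverted_ports} out xmit ${oif}
		# 603 matches translated replies after re-entry at 602.  It carries no
		# 'established', presumably because ftp-data (active FTP) connections
		# are opened from the outside -- confirm that is still wanted.
		${fwcmd} add 603 pass tcp from any ${diverted_ports} to ${own_net} in recv ${oif}
		${fwcmd} add 604 pass tcp from me to any ${diverted_ports} out xmit ${oif}

		# ICMP - enable this, if you really need it
		#${fwcmd} add 650 divert natd icmp from any to any via ${oif}
	fi
	;;
esac

############
# Anti-spoofing on the outer interface.  These are issued after the natd block
# so ${oif} holds its final value, but are numbered BEFORE the divert (601) on
# purpose: a packet arriving on ${oif} that is already addressed to the LAN
# has bypassed NAT and would otherwise be passed straight through by rule 603.
# Legitimately translated traffic re-enters at 602 and never reaches 405/406.
${fwcmd} add 405 deny all from any to ${own_net} in recv ${oif}
${fwcmd} add 406 deny all from ${own_net} to any in recv ${oif}

# Allow DNS for the router itself
${fwcmd} add 701 pass udp from me to any domain out xmit ${oif}
# NOTE(review): 702 is stateless, so any UDP datagram with source port 53
# reaches every UDP port on this host.  If your ipfw supports keep-state,
# prefer adding 'keep-state' to 701 and dropping 702 -- confirm before changing.
${fwcmd} add 702 pass udp from any domain to me in recv ${oif}

# Allow WWW for the router itself (the proxy behind rule 1101 fetches as "me")
${fwcmd} add 801 pass tcp from me to any www out xmit ${oif}
${fwcmd} add 802 pass tcp from any www to me in recv ${oif} established

# ICMP - enable this, if you really need it
#${fwcmd} add 901 deny icmp from any to any frag
#${fwcmd} add 902 pass icmp from any to any

# Allow DNS from the LAN to the router
${fwcmd} add 1001 pass udp from ${own_net} to me domain in recv ${iif}
${fwcmd} add 1002 pass udp from me domain to ${own_net} out xmit ${iif}
# and for dialup
${fwcmd} add 1003 pass udp from ${dialip} to me domain in recv ppp0
${fwcmd} add 1004 pass udp from me domain to ${dialip} out xmit ppp0

# Redirect WWW queries from the LAN to the local proxy (transparent proxying)
${fwcmd} add 1101 fwd 127.0.0.1,${proxy} tcp from ${own_net} to any www,${proxy} in recv ${iif}
# and for dialup
${fwcmd} add 1102 fwd 127.0.0.1,${proxy} tcp from ${dialip} to any www,${proxy} in recv ppp0

# Access to Internet resources from the LAN.
# 1201 passes replies only ('established'); 1202 has no 'established',
# presumably for active-FTP data connections opened from the outside.
${fwcmd} add 1201 pass tcp from any www,${proxy},${mail},https to ${own_net} out xmit ${iif} established
${fwcmd} add 1202 pass tcp from any ${ftp} to ${own_net} out xmit ${iif}
${fwcmd} add 1203 pass tcp from ${own_net} to any ${ftp},${mail},https in recv ${iif}
# and for dialup -- 1205 is narrowed to ${dialip} so it matches 1204/1206
# instead of admitting the whole LAN range on ppp0.
${fwcmd} add 1204 pass tcp from any www,${proxy},${mail} to ${dialip} out xmit ppp0 established
${fwcmd} add 1205 pass tcp from any ${ftp} to ${dialip} out xmit ppp0
${fwcmd} add 1206 pass tcp from ${dialip} to any ${ftp},${mail} in recv ppp0

# Everything else is denied.  Stated explicitly so the policy does not depend
# on the kernel having been built without IPFIREWALL_DEFAULT_TO_ACCEPT.
${fwcmd} add 65000 deny ip from any to any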