[FreeBSD]: IPFW

Nov 29, 2010 12:44

Осилил наконец-то firewall.
На роутере:
1. SQUID, BIND - Caching DNS, SMTP, NAT (во внешний мир);
2. DHCP,BIND - Caching DNS, SMTP, POP3, FTP (внутри локальной сети);
3. Необходимо обеспечить доступ из локальной сети к внешним FTP (Passive/Active), ICQ, Jabber-серверам;
4. Необходимо обеспечить работу банк-клиента (SMTP до сервера банка).
5. FreeBSD 5.2.1 (здесь ваши розовые мечты о kernel NAT, ну понятно ... )

Загвоздка была в Passive FTP, стыдно. Однако и красивого решения, по-моему, нет.
[1] - выучить наизусть.

#!/bin/sh
# DVS Thu Nov 18 13:36:53 MSK 2010
# Office Gateway router with NAT IPFW configuration file
#
# Section 1: settings consumed by the rulesets further down.  Every value
# is substituted verbatim into ipfw(8) commands, so the list variables use
# ipfw's comma-separated address / port syntax.

# --- 1.1 Interfaces ---------------------------------------------------
# External (Internet-facing) interface and its address (address redacted
# in this post).
eif="rl0"
eip="xx.xx.xx.190"
# Internal (LAN-facing) interface and its address.
iif="vr0"
iip="192.168.0.254"

# --- 1.2 Access lists -------------------------------------------------
# LAN prefix: the only source range that is NATed and forwarded.
laccess="192.168.0.0/24"
# Remote management networks that get unrestricted access to this host
# (second entry redacted in this post).
raccess="xx.xx.xx.188/30,xx.xx.xx.xx/30"
# LAN hosts permitted to open outbound SMTP (mail client, bank client).
emaccess="192.168.0.77,192.168.0.140"
# Source prefixes that must never show up on the external interface:
# RFC 1918 (including our own LAN, for anti-spoofing), loopback,
# "this" network, link-local, TEST-NET, one legacy bogon entry, and
# 224.0.0.0/3 (multicast plus class E).
blocklst01="192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3"
# TCP ports refused from the Internet: 113 (ident), 137-139/445
# (NetBIOS/SMB); 81 is not explained in the original.
blocklst02="81,113,137,138,139,445"
# 1.3 System defined variables
# 1.3.1 Pull in rc.conf so that the ipfw_* knobs (ipfw_quiet) are
# visible, unless the caller already sourced them
# (source_rc_confs_defined is then set).
[ -n "${source_rc_confs_defined}" ] || {
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
}
# 1.3.2 Build the ipfw command prefix; -q suppresses per-rule output
# when ipfw_quiet=YES (any capitalisation) is set in rc.conf.
fwcmd="/sbin/ipfw"
case ${ipfw_quiet} in
[Yy][Ee][Ss])
        fwcmd="${fwcmd} -q"
        ;;
esac

# 2. Global Ruleset
# Rules are evaluated top-down and the first match wins.  The rules in
# this section carry no explicit number, so ipfw assigns them ascending
# numbers that sit below the 10000+ local rulesets of section 3.
# 2.1 Flush out the list before we begin.
# NOTE(review): between the flush and the first "add" the box runs on the
# kernel's compiled-in default firewall policy; keep that window short.
${fwcmd} -f flush
# 2.2 No restrictions on Loopback Interface
${fwcmd} add allow ip from any to any via lo0
# 2.3 Rules based on traffic destination
# Each interface/direction pair is dispatched to its own numbered ruleset
# in section 3; every one of those rulesets ends in an explicit deny.
# 2.3.1 External interface :: OUT  -> ruleset 3.1
${fwcmd} add skipto 10000 all from any to any out via ${eif}
# 2.3.2 External interface :: IN   -> ruleset 3.2
${fwcmd} add skipto 15000 all from any to any in via ${eif}
# 2.3.3 Internal interface :: OUT  -> ruleset 3.3
${fwcmd} add skipto 20000 all from any to any out via ${iif}
# 2.3.4 Internal interface :: IN   -> ruleset 3.4
${fwcmd} add skipto 25000 all from any to any in via ${iif}
# 2.3.5 Packet matched none of the interfaces above (numbered 2.6.3 in
# the original): deny and log.  Logging only produces output when the
# kernel's firewall logging (net.inet.ip.fw.verbose) is enabled — confirm.
${fwcmd} add deny log ip from any to any

# 3. Local Rulesets
# 3.1 Ruleset based on 2.3.1 (packets leaving via ${eif})
# NAT :: Outgoing packets
# Only LAN sources are handed to natd; after translation the packet
# continues with the rule after the divert (see divert(4)), now carrying
# this host's address as its source.
${fwcmd} add 10000 divert natd ip from ${laccess} to any
# Local Network/Local Host :: Internet  (ALL)
# Management networks: stateless allow; their return traffic is accepted
# by rule 15250 on the way in.
${fwcmd} add 10050 allow ip from me to ${raccess}
# Everything else from this host (including NATed LAN traffic) leaves with
# a dynamic rule so that replies pass check-state at 15200.
${fwcmd} add 10100 allow ip from me to any keep-state
# Default rule
# Anything leaving ${eif} whose source is neither this host nor a
# translated LAN address (e.g. a forwarded packet with a foreign source)
# is dropped here.
${fwcmd} add 10200 deny ip from any to any
#---------------------------
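# 3.2 Ruleset based on 2.3.2 (packets arriving via ${eif})
# Block List :: Non routable networks
# Anti-spoofing on the source: private/bogon sources (which include our
# own LAN prefix) are dropped before they can reach natd or any allow rule.
${fwcmd} add 15000 deny ip from ${blocklst01} to any
# Destination sanity check.  The divert below only hands packets addressed
# to this host to natd, so a packet that already carries a LAN destination
# when it arrives on the external interface cannot be a NAT reply: it was
# routed or spoofed towards 192.168.0.0/24 and would otherwise be passed
# by the static allow at 15800 and forwarded at 20000.  Logged, because
# such packets point at an upstream routing problem or a NAT bypass attempt.
${fwcmd} add 15050 deny log ip from any to ${laccess}
# NAT :: Incoming packets
# natd rewrites replies of LAN sessions (and the data connections of
# active-mode FTP it tracks) to their LAN destination; processing then
# resumes at 15200.
${fwcmd} add 15100 divert natd ip from any to me
# Dynamic rules
# Replies to sessions opened with keep-state (10100, 25400-25550, 15600)
# are accepted here.
${fwcmd} add 15200 check-state
# Management networks have unrestricted access to this host.
${fwcmd} add 15250 allow ip from ${raccess} to me
# Internet :: Local Network/Localhost (Fragments, ACK W/O SYN, NetBIOS, Ident)
${fwcmd} add 15300 deny all from any to any frag
# ipfw "established" = TCP with ACK or RST set; anything that got here did
# not match a dynamic rule above, so it is not part of a known session.
${fwcmd} add 15400 deny tcp from any to any established
${fwcmd} add 15500 deny tcp from any to any ${blocklst02}
# Internet :: Localhost (SMTP, Restricted ICMP)
${fwcmd} add 15600 allow tcp from any to me 25 setup keep-state
# ICMP types: 0 echo reply, 3 destination unreachable, 8 echo request,
# 11 time exceeded.
${fwcmd} add 15700 allow icmp from any to me icmptypes 0,3,8,11
# Internet :: Local Network (Static rule)
# With 15050 in place only natd-translated packets reach this rule with a
# LAN destination; it covers replies for the stateless LAN rules (ICMP at
# 25600) and NAT-tracked FTP data connections.
${fwcmd} add 15800 allow ip from any to ${laccess}
# Default rule
${fwcmd} add 15900 deny ip from any to any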
#---------------------------
# 3.3 Ruleset based on 2.3.3 (packets leaving via ${iif})
# ALL :: Local Network
# Whatever was already accepted on the way in (rulesets 3.2 / 3.4) may be
# delivered to the LAN; no further filtering is done on the inside
# interface.
${fwcmd} add 20000 allow ip from any to ${laccess}
# Default rule
# Packets for non-LAN destinations must never leave through the LAN side.
${fwcmd} add 20100 deny ip from any to any
#---------------------------
# 3.4 Ruleset based on 2.3.4 (packets arriving via ${iif})
# Local Network :: Localhost (FTP, SSH, SMTP, DNS, DHCP, POP3, IMAP, SQUID, ICMP)
# NOTE(review): 67 is listed under tcp although DHCP uses UDP (covered by
# 25100); harmless but probably unneeded — confirm.
${fwcmd} add 25000 allow tcp from ${laccess} to me 20,21,22,25,53,67,110,143,3128
${fwcmd} add 25100 allow udp from ${laccess} to me 53,67
${fwcmd} add 25200 allow icmp from ${laccess} to me
# Local Network :: Local Network
${fwcmd} add 25300 allow ip from ${laccess} to ${laccess}
# Local Network :: Internet (Restricted SMTP, FTP, SSH, POP3, IMAP, HTTPS, Jabber, ICMP)
# NOTE(review): a port list on proto "ip" applies to TCP and UDP only, so
# 25400-25550 pass no other protocols from the LAN (ICMP has 25600) —
# confirm against ipfw(8) for this release.
# Only the hosts in emaccess may open outbound SMTP; every other LAN host
# fails to match port 25 below.
${fwcmd} add 25400 allow ip from ${emaccess} to any 25 keep-state
${fwcmd} add 25500 allow ip from ${laccess} to any 22,110,143,443,5190,5222 keep-state
# Passive-FTP workaround: the data connection goes to a server-chosen high
# port, so the whole 1023-65500 range is opened.  In effect this is "allow
# outbound TCP/UDP to any unprivileged port" for the entire LAN (5190 and
# 5222 above already fall inside it), so egress control really only
# applies to ports below 1023.  Sending ftp:// through the SQUID that
# already runs on this box might allow narrowing this rule — worth
# evaluating.
${fwcmd} add 25550 allow ip from ${laccess} to any 20,21,1023-65500 keep-state
# No keep-state here: ICMP replies come back through the static rule 15800.
${fwcmd} add 25600 allow icmp from ${laccess} to any
# Default rule
# Also drops LAN-side packets whose source is outside laccess (spoofing).
${fwcmd} add 25700 deny ip from any to any
#---------------------------
[1]: http://slacksite.com/other/ftp.html

работа, ipfw, soho
