# set these to your outside interface network and netmask and ip
cn_if="cn_net" # set these to your inside interface network and netmask and ip
kv_net="192.168.114.0/26"
kv_mask="0xffffffc0"
kvXXX_mask="0xfffffff8"
kv143_if="kv143"
kv143_net="192.168.114.24/29"
kv144_if="kv144"
kv144_net="192.168.114.32/29"
kv140_if="kv140"
kv140_net="192.168.114.40/29"
kv139_if="kv139"
kv139_net="192.168.114.48/29"
kvNNN_if="kvNNN"
kvNNN_net="192.168.114.56/29"
${fwcmd} disable one_pass
${fwcmd} add 100 check-state
# setup_loopback
${fwcmd} add 200 pass all from any to any via lo0
${fwcmd} add 210 deny all from any to 127.0.0.0/8
${fwcmd} add 220 deny all from 127.0.0.0/8 to any
# Stop spoofing
${fwcmd} add 400 reject log ip from ${kv_net} to any in via ${cn_if}
${fwcmd} add 401 reject log ip from ${kv_net} to any in via ${home_if}
# Разрешить только розданные IP
${fwcmd} add 410 deny log all from not ${kv143_net} to any in via ${kv143_if}
${fwcmd} add 411 deny log all from any to not ${kv143_net} out via ${kv143_if}
${fwcmd} add 420 deny log all from not ${kv144_net} to any in via ${kv144_if}
${fwcmd} add 421 deny log all from any to not ${kv144_net} out via ${kv144_if}
${fwcmd} add 430 deny log all from not ${kv140_net} to any in via ${kv140_if}
${fwcmd} add 431 deny log all from any to not ${kv140_net} out via ${kv140_if}
${fwcmd} add 440 deny log all from not ${kv139_net} to any in via ${kv139_if}
${fwcmd} add 441 deny log all from any to not ${kv139_net} out via ${kv139_if}
${fwcmd} add 450 deny log all from not ${kvNNN_net} to any in via ${kvNNN_if}
${fwcmd} add 451 deny log all from any to not ${kvNNN_net} out via ${kvNNN_if}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} table 1 add 0.0.0.0/8
${fwcmd} table 1 add 169.254.0.0/16
${fwcmd} table 1 add 192.0.2.0/24
${fwcmd} table 1 add 224.0.0.0/4
${fwcmd} table 1 add 240.0.0.0/4
${fwcmd} add 500 deny all from any to table\(1\) via ${cn_if}
${fwcmd} add 501 deny all from table\(1\) to any via ${cn_if}
${fwcmd} add 510 deny all from any to table\(1\) via ${home_if}
${fwcmd} add 511 deny all from table\(1\) to any via ${home_if}
${fwcmd} add 610 allow icmp from any to me in via ${cn_if} icmptype 0,3,4,11,12
${fwcmd} add 611 allow icmp from me to any out via ${cn_if} icmptype 3,8,12
${fwcmd} add 614 allow icmp from me to any out via ${cn_if} frag
${fwcmd} add 615 deny log icmp from any to any in via ${cn_if}
${fwcmd} add 620 allow icmp from any to any
# Разрешить DHCP
${fwcmd} add 700 allow ip from any to any 67,68
# Allow access to DNS
${fwcmd} add 710 allow tcp from any to any 53 setup
${fwcmd} add 711 allow udp from any to any 53 keep-state
${fwcmd} add 712 allow udp from any 53 to any
# Разрешить ssh
${fwcmd} add 1000 allow tcp from any to me ssh
# Закрыть все привилегированные порты
${fwcmd} add 1010 deny log ip from any to me 1-1024
# Пространоство адресов сети
${fwcmd} table 11 add 172.16.0.0/12
${fwcmd} table 11 add 91.240.0.0/12
${fwcmd} table 11 add 80.64.80.0/20
${fwcmd} table 11 add 10.245.192.0/20
# Настройка счетчиков трафика
# ...
# Используем squid для http (настрою позже)
# ${fwcmd} add 1900 fwd 127.0.0.1,3128 tcp from ${kv_net} to any http out via ${cn_if}
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add 2000 divert natd all from any to any via ${natd_interface}
fi
;;
esac
# Allow TCP through if setup succeeded
${fwcmd} add 2100 pass tcp from any to any established
# Настройка исходящего общего трафика
${fwcmd} add 2200 pipe 1 ip from any to any out via ${natd_interface}
${fwcmd} pipe 1 config bw 100Mbit/s # исходящий общий трафик
#
${fwcmd} add 2201 queue 1 ip from ${kv143_net} to any
${fwcmd} add 2202 queue 2 ip from ${kv144_net} to any
${fwcmd} add 2203 queue 3 ip from ${kv140_net} to any
${fwcmd} add 2204 queue 4 ip from ${kv139_net} to any
${fwcmd} add 2205 queue 5 ip from ${kvNNN_net} to any
${fwcmd} queue 1 config pipe 1 weight 69 mask dst-ip 0x00000000 # kv143
${fwcmd} queue 2 config pipe 1 weight 70 mask dst-ip 0x00000000 # kv144
${fwcmd} queue 3 config pipe 1 weight 70 mask dst-ip 0x00000000 # kv140
${fwcmd} queue 4 config pipe 1 weight 70 mask dst-ip 0x00000000 # kv139
${fwcmd} queue 5 config pipe 1 weight 70 mask dst-ip 0x00000000 # kvNNN
# Настройка входящего internet-трафика
${fwcmd} add 2210 pipe 3 ip from not table\(11\) to any in via ${natd_interface}
${fwcmd} pipe 3 config bw 4Mbit/s # входящий internet-трафик
#
${fwcmd} add 2211 queue 11 ip from not table\(11\) to ${kv143_net}
${fwcmd} add 2212 queue 12 ip from not table\(11\) to ${kv144_net}
${fwcmd} add 2213 queue 13 ip from not table\(11\) to ${kv140_net}
${fwcmd} add 2214 queue 14 ip from not table\(11\) to ${kv139_net}
${fwcmd} add 2215 queue 15 ip from not table\(11\) to ${kvNNN_net}
${fwcmd} queue 11 config pipe 3 weight 69 mask dst-ip 0x00000000 # kv143
${fwcmd} queue 12 config pipe 3 weight 70 mask dst-ip 0x00000000 # kv144
${fwcmd} queue 13 config pipe 3 weight 70 mask dst-ip 0x00000000 # kv140
${fwcmd} queue 14 config pipe 3 weight 70 mask dst-ip 0x00000000 # kv139
${fwcmd} queue 15 config pipe 3 weight 70 mask dst-ip 0x00000000 # kvNNN
# Настройка входящего не_internet-трафика
${fwcmd} add 2220 pipe 4 ip from table\(11\) to any in via ${natd_interface}
${fwcmd} pipe 4 config bw 100Mbit/s # входящий не_internet трафик
#
${fwcmd} add 2221 queue 21 ip from table\(11\) to ${kv143_net}
${fwcmd} add 2222 queue 22 ip from table\(11\) to ${kv144_net}
${fwcmd} add 2223 queue 23 ip from table\(11\) to ${kv140_net}
${fwcmd} add 2224 queue 24 ip from table\(11\) to ${kv139_net}
${fwcmd} add 2225 queue 25 ip from table\(11\) to ${kvNNN_net}
${fwcmd} queue 21 config pipe 4 weight 49 mask dst-ip 0x00000000
${fwcmd} queue 22 config pipe 4 weight 50 mask dst-ip 0x00000000
${fwcmd} queue 23 config pipe 4 weight 50 mask dst-ip 0x00000000
${fwcmd} queue 24 config pipe 4 weight 50 mask dst-ip 0x00000000
${fwcmd} queue 25 config pipe 4 weight 50 mask dst-ip 0x00000000
# Настройка пропускной способности каналов
${fwcmd} pipe 10 config bw 100Mbit/s
${fwcmd} pipe 11 config bw 3Mbit/s # kv143
${fwcmd} pipe 12 config bw 3Mbit/s # kv144
${fwcmd} pipe 13 config bw 3Mbit/s # kv140
${fwcmd} pipe 14 config bw 3Mbit/s # kv139
${fwcmd} pipe 15 config bw 3Mbit/s # kvNNN
#
${fwcmd} add 2300 pipe 11 ip from not table\(11\) to any out via ${kv143_if}
${fwcmd} add 2310 pipe 12 ip from not table\(11\) to any out via ${kv144_if}
${fwcmd} add 2320 pipe 13 ip from not table\(11\) to any out via ${kv140_if}
${fwcmd} add 2330 pipe 14 ip from not table\(11\) to any out via ${kv139_if}
${fwcmd} add 2340 pipe 15 ip from not table\(11\) to any out via ${kvNNN_if}
# Allow IP fragments to pass through
${fwcmd} add 5100 pass all from any to any frag
${fwcmd} add 65000 pass all from any to any
# ${fwcmd} add 65535 deny all from any to any
