>>Good afternoon! Help me figure out ipfw. I am setting up a firewall, and as soon as I enable the rules
>>nothing works. I did it following the template from FreeBSD itself.
>
>1. What works before you start "configuring" the firewall?
>
>2. Split the rules into groups, a separate one for the first interface and a separate one for the second;
>right now they are mixed together.
>
>3. If the machine is a router, packets hit the firewall twice, on
>the way in and on the way out.

1. By default the firewall runs in open mode.
2. I think it is already split into groups.
3. So I need to write rules for both in and out?
Here is the script; I had to redo it because I accidentally deleted it.
#!/bin/sh
# ipfw rules for a router with stge0 outside and stge1 inside.
# fwcmd, firewall_nat_enable and whiteip normally come from /etc/rc.conf
# (rc.firewall runs with it loaded); the defaults below only let the
# script run on its own.
fwcmd="${fwcmd:-/sbin/ipfw}"
firewall_nat_enable="${firewall_nat_enable:-NO}"

# set these to your outside interface network
oif="stge0"
onet="any"          # not used below; see the anti-spoofing rules
# set these to your inside interface network
iif="stge1"
inet="192.168.128.0/20"

# Rules added without a number get "previous number + 100", so every rule
# below this one is numbered 5100, 5200, ... and is never reached while this
# allow-all is in place. Leave it commented out unless you are debugging.
# ${fwcmd} add 5000 allow ip from any to any

# Stop spoofing: inside addresses must not arrive on the outside interface,
# and only inside addresses may arrive on the inside interface. (The
# original second rule used ${onet}; with onet="any" it read "deny all from
# any to any in via ${iif}" and dropped every packet coming from the LAN.)
${fwcmd} add deny all from ${inet} to any in via ${oif}
${fwcmd} add deny all from not ${inet} to any in via ${iif}

# Stop RFC1918 nets on the outside interface (as destination)
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface (as destination)
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Stop RFC1918 nets on the outside interface (as source)
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface (as source)
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow ports on oif
${fwcmd} add pass tcp from any to me 22 setup via ${oif}
${fwcmd} add pass tcp from me 22 to any
${fwcmd} add pass tcp from any to me 80 setup via ${oif}
${fwcmd} add pass tcp from me 80 to any
${fwcmd} add pass tcp from any to me 443 setup via ${oif}
${fwcmd} add pass tcp from me 443 to any
# ${fwcmd} add pass tcp from any to me 3128 setup via ${oif}
# ${fwcmd} add pass tcp from me 3128 to any
${fwcmd} add pass tcp from any to me 3389 setup via ${oif}
${fwcmd} add pass tcp from me 3389 to any
# ${fwcmd} add pass tcp from any to me 10000 setup via ${oif}
# ${fwcmd} add pass tcp from me 10000 to any

# Allow ports on iif (the "from me N to any" rules for 22, 80, 443 and 3389
# were already added above and are not repeated here)
${fwcmd} add pass tcp from any to me 22 setup via ${iif}
${fwcmd} add pass tcp from any to me 80 setup via ${iif}
${fwcmd} add pass tcp from any to me 443 setup via ${iif}
${fwcmd} add pass tcp from any to me 3128 setup via ${iif}
${fwcmd} add pass tcp from me 3128 to any
${fwcmd} add pass tcp from any to me 3389 setup via ${iif}
${fwcmd} add pass tcp from any to me 10000 setup via ${iif}
${fwcmd} add pass tcp from me 10000 to any

# port mapping...
case ${firewall_nat_enable} in
[Yy][Ee][Ss])
# whiteip is the public address of ${oif}; there is no sensible default,
# so fail loudly instead of configuring NAT with an empty address.
: "${whiteip:?set whiteip to the public address of ${oif}}"
${fwcmd} nat 123 config ip ${whiteip} log same_ports redirect_port tcp 192.168.129.109:3389 3389
# Inbound packets still carry ${whiteip} as destination when they reach the
# nat rule (translation happens inside it), so a rule matching the private
# address on the way in never fires. Match the public address inbound and the
# private one outbound, on ${oif} only.
${fwcmd} add 100 nat 123 tcp from any to ${whiteip} 3389 in via ${oif}
${fwcmd} add 100 nat 123 tcp from 192.168.129.109 3389 to any out via ${oif}
;;
esac

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
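To make point 3 of the reply above (a router looks a forwarded packet up twice) and the effect of the rule numbering in the script concrete, here is an added example in Python; it is not ipfw and not part of the thread. It is a toy first-match evaluator for just the syntax the script uses: it numbers rules the way ipfw does when no number is given (previous number plus autoinc_step, 100), ends every lookup in the implicit deny at 65535, and runs a few constructed packets against a representative subset of the rules above. The public address 203.0.113.10, the inside address 192.168.128.1 and the packet addresses are constructed; the thread gives none of them.

```python
"""Toy model of ipfw first-match evaluation for the syntax subset used above (added
example, not ipfw): auto-numbering, implicit final deny, double lookup on a router."""
import ipaddress
from collections import namedtuple

AUTOINC_STEP, DEFAULT_RULE = 100, 65535   # net.inet.ip.fw.autoinc_step default; implicit last rule
OIF, IIF, INET = "stge0", "stge1", "192.168.128.0/20"
PUBLIC_IP = "203.0.113.10"   # constructed placeholder; the thread never gives the real address

# syn_only=True is a SYN without ACK ("setup"); anything else counts as "established".
Packet = namedtuple("Packet", "proto src dst iface direction sport dport syn_only")
Rule = namedtuple("Rule", "num action proto src src_not sport dst dport direction iface flag")

def parse_rule(line):
    """'[num] action [log] proto from [not] src [port] to dst [port] [in|out] [via X] [flag]'."""
    tok = [t for t in line.replace("${fwcmd} add", "").split() if t != "log"]
    num = int(tok.pop(0)) if tok[0].isdigit() else 0
    action = {"allow": "allow", "pass": "allow", "deny": "deny", "drop": "deny"}[tok.pop(0)]
    proto, _from, src = tok.pop(0), tok.pop(0), tok.pop(0)
    src_not = src == "not"
    src = tok.pop(0) if src_not else src
    sport = int(tok.pop(0)) if tok[0].isdigit() else None
    _to, dst = tok.pop(0), tok.pop(0)
    dport = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    direction = next((t for t in tok if t in ("in", "out")), None)
    iface = tok[tok.index("via") + 1] if "via" in tok else None
    flag = next((t for t in tok if t in ("setup", "established", "frag")), None)
    return Rule(num, action, proto, src, src_not, sport, dst, dport, direction, iface, flag)

class Ruleset:
    def __init__(self, my_addrs):
        self.me, self.rules = set(my_addrs), []   # "me" = the router's own addresses

    def add(self, line):
        rule = parse_rule(line)
        if rule.num == 0:   # no number given: previous rule number + autoinc_step
            last = self.rules[-1].num if self.rules else 0
            rule = rule._replace(num=last + AUTOINC_STEP if last < DEFAULT_RULE - AUTOINC_STEP else last)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.num)   # stable: equal numbers keep insertion order
        return rule.num

    def _addr(self, spec, negate, addr):
        hit = (True if spec == "any" else addr in self.me if spec == "me"
               else ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))
        return hit != negate

    def _match(self, r, p):
        if (r.proto not in ("ip", "all", p.proto) or r.sport not in (None, p.sport)
                or r.dport not in (None, p.dport) or r.direction not in (None, p.direction)
                or r.iface not in (None, p.iface) or not self._addr(r.src, r.src_not, p.src)
                or not self._addr(r.dst, False, p.dst)):
            return False
        if r.flag in ("setup", "established"):   # TCP-flag options
            return p.proto == "tcp" and p.syn_only == (r.flag == "setup")
        return r.flag is None                     # "frag" is not modelled

    def lookup(self, p):
        for r in self.rules:   # first match wins; nothing matched means the implicit final deny
            if self._match(r, p):
                return r.num, r.action
        return DEFAULT_RULE, "deny"

    def forward(self, p, iif, oif):
        """A routed packet is looked up twice: in via iif, then (if allowed) out via oif."""
        hits = [self.lookup(p._replace(iface=iif, direction="in"))]
        if hits[0][1] == "allow":
            hits.append(self.lookup(p._replace(iface=oif, direction="out")))
        return hits

def posted_rules(with_allow_all):
    """Representative rules from the script above; the '5000 allow' line is optional."""
    fw = Ruleset({PUBLIC_IP, "192.168.128.1"})
    for line in (["5000 allow ip from any to any"] if with_allow_all else []) + [
            f"deny all from {INET} to any in via {OIF}",          # anti-spoofing
            f"deny all from not {INET} to any in via {IIF}",
            f"deny all from 192.168.0.0/16 to any via {OIF}",     # RFC1918 source on stge0
            "pass tcp from any to any established",
            f"pass tcp from any to me 22 setup via {OIF}",
            f"pass tcp from any to me 80 setup via {IIF}",
            f"deny log tcp from any to any in via {OIF} setup"]:
        fw.add(line)
    return fw

def demo_forward():
    """LAN host opening a web connection through the router: two lookups per packet."""
    fw = posted_rules(False)
    syn = Packet("tcp", "192.168.129.50", "198.51.100.7", IIF, "in", 51000, 80, True)
    before = fw.forward(syn, IIF, OIF)   # no rule covers forwarded traffic: implicit 65535 deny
    fw.add(f"allow ip from {INET} to any in via {IIF}")
    fw.add(f"allow ip from {INET} to any out via {OIF}")
    after = fw.forward(syn, IIF, OIF)    # in: allowed; out: the RFC1918 rule on stge0 fires first
    return before, after                 # because nothing has NATed the private source address

def demo_allow_all():
    """'5000 allow ip from any to any' first: everything else lands at 5100, 5200, ... behind it."""
    spoofed = Packet("tcp", "192.168.129.50", PUBLIC_IP, OIF, "in", 1, 22, True)
    with_it, without = posted_rules(True), posted_rules(False)
    return with_it.rules[1].num, with_it.lookup(spoofed), without.lookup(spoofed)
```

demo_forward() shows a LAN SYN towards a web server being dropped by the implicit final rule because nothing allows forwarded traffic at all, and, after two allow rules are appended, being allowed on the inbound lookup on stge1 but denied on the outbound lookup on stge0 by the "Stop RFC1918 nets" source rule: in this model, as in the script above for anything except the one redirected 3389 host, no nat rule has rewritten the private source before that rule is consulted. demo_allow_all() shows why a leading "5000 allow ip from any to any" makes the rest of the ruleset unreachable: every unnumbered rule added after it gets 5100, 5200 and so on, so a spoofed inside address arriving on stge0 is accepted at 5000 instead of being dropped by the anti-spoofing rule.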