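#*****************
# Initial setup
#****************
# ipfw(8) ruleset for a two-interface NAT gateway: ${LanOut} faces the
# Internet, ${LanIn} faces the 10.0.0.0/24 LAN.  Rules are added without
# explicit numbers, so ipfw evaluates them in the order they appear in this
# file; the last two rules are the default deny.
#
# Required env: fwcmd - path to the ipfw binary, set by the caller (this
# fragment looks like it is sourced from rc.firewall - TODO confirm).
# Fail loudly if it is missing: with fwcmd empty every line below becomes a
# "command not found" and the host is silently left without any rules.
: "${fwcmd:?fwcmd (path to ipfw) must be set before loading this ruleset}"
# External network
LanOut="xl0"
IPOut="101.101.101.101"
NetOut="29"
MaskOut="255.255.255.248"
# Internal Network
LanIn="xl1"
IPIn="10.0.0.1"
NetInIP="10.0.0.0"
NetInMask="24"
MaskIn="255.255.255.0"
# Vip IP address
MyIP1="10.0.0.78"
MyIP2="10.0.0.77"
# My DNS for future needs.
# NetOut, MaskOut, IPIn, MaskIn, dns1 and dns2 are not referenced by any rule
# in this fragment; they are kept for other parts of the script.
dns1="101.101.101.5"
dns2="101.101.101.9"
# Reset all rules
# Both flags must be the ASCII "-f" (force, no confirmation prompt); the
# original pipe flush used a non-ASCII dash, which ipfw does not accept as
# the -f option, so the pipes were never flushed.
${fwcmd} -f flush
${fwcmd} -f pipe flush
# By default loopback
${fwcmd} add pass all from any to any via lo0
# Stop private networks (RFC1918) from entering the outside interface.
# These sit before the NAT divert rules below, so they see the untranslated
# source address.  192.168.0.0/16 is the RFC1918 block (the /16 mask makes
# 192.168.1.0/16 the same match, but the canonical form is clearer).
${fwcmd} add deny ip from 192.168.0.0/16 to any in via ${LanOut}
${fwcmd} add deny ip from 172.16.0.0/12 to any in via ${LanOut}
${fwcmd} add deny ip from 10.0.0.0/8 to any in via ${LanOut}
# Forward to SQUID all local request for http,https,ftp
#${fwcmd} add fwd 127.0.0.1,3128 tcp from ${NetInIP}/${NetInMask} to any http,https,ftp via ${LanIn}
# For NAT support
# Outbound LAN traffic is translated to ${IPOut}; inbound traffic addressed
# to ${IPOut} is handed to natd for reverse translation.
${fwcmd} add divert natd ip from ${NetInIP}/${NetInMask} to any out via ${LanOut}
${fwcmd} add divert natd ip from any to ${IPOut} in via ${LanOut}
# For DUMMYNET conections
# One 15 KByte/s pipe shared by four weighted queues; each LAN host below is
# assigned a queue for its web (80,443) traffic in both directions.
# NOTE(review): the port lists are given with proto "ip", not tcp - confirm
# ipfw matches these as intended.
${fwcmd} pipe 1 config bw 15KBytes/s
${fwcmd} queue 1 config weight 90 pipe 1
${fwcmd} queue 2 config weight 70 pipe 1
${fwcmd} queue 3 config weight 50 pipe 1
${fwcmd} queue 4 config weight 50 pipe 1
${fwcmd} add queue 1 ip from 10.0.0.58 to any 80,443
${fwcmd} add queue 1 ip from any 80,443 to 10.0.0.58
${fwcmd} add queue 2 ip from 10.0.0.25 to any 80,443
${fwcmd} add queue 2 ip from any 80,443 to 10.0.0.25
${fwcmd} add queue 3 ip from 10.0.0.80 to any 80,443
${fwcmd} add queue 3 ip from any 80,443 to 10.0.0.80
${fwcmd} add queue 4 ip from 10.0.0.24 to any 80,443
${fwcmd} add queue 4 ip from any 80,443 to 10.0.0.24
# Accept all RST and ACK connections
# "established" is a stateless flag match: any TCP segment with ACK or RST
# set passes here, on either interface, before the deny rules below are
# reached.  Several later "pass ... to X" rules rely on this for return
# traffic.  A stateful setup/keep-state pair would be the tighter choice.
${fwcmd} add pass tcp from any to any established
# For out packets IP
${fwcmd} add pass ip from ${IPOut} to any out xmit ${LanOut}
# Allow sendmail
${fwcmd} add pass tcp from any to any 25,110 via ${LanOut}
${fwcmd} add pass tcp from any 25,110 to any via ${LanOut}
# Allow DNS
# The "to me 53" rule has no interface restriction, so it also admits
# DNS-over-TCP to the gateway from ${LanOut}.
${fwcmd} add pass udp from any to any 53 via ${LanOut}
${fwcmd} add pass tcp from any to me 53
${fwcmd} add pass udp from any 53 to any via ${LanOut}
# Vip addresses access
# Port 8080 is listed for ${MyIP1} outbound only; its replies come back
# through the "established" rule above rather than the matching inbound rule.
${fwcmd} add pass tcp from ${MyIP1} to any 20,21,22,23,80,8080,443,4000
${fwcmd} add pass tcp from any 20,21,22,23,80,443,4000 to ${MyIP1}
${fwcmd} add pass tcp from ${MyIP2} to any 20,21,22,23,80,443,4000
${fwcmd} add pass tcp from any 20,21,22,23,80,443,4000 to ${MyIP2}
# Deny terminal, Squid - outside
${fwcmd} add deny tcp from any to any 20,22,23,3128 in via ${LanOut}
# Deny - www, FTP, terminal,POP,SMTP - inside
${fwcmd} add deny tcp from any to any 20,21,22,23,25,110,80,443 in via ${LanIn}
${fwcmd} add deny tcp from any to any 8000-8104 in via ${LanIn}
# Allow other through Internal Interface
# Everything on ${LanIn} not denied above is allowed; new inside services
# need an explicit deny above this line, not a pass below it.
${fwcmd} add pass all from any to any via ${LanIn}
# Allow WWW from outside
#${fwcmd} add pass tcp from ${IPOut} 80 to any via ${LanOut}
#${fwcmd} add pass tcp from any to ${IPOut} 80 via ${LanOut}
# Allow FTP from outside
# Active-mode data connections originate from port 20 on the gateway.
${fwcmd} add pass tcp from any to me 21
${fwcmd} add pass tcp from me 20 to any
# For Passive FTP servers
# keep-state creates a dynamic rule per connection; there is no explicit
# check-state, so ipfw consults the dynamic table at this first keep-state
# rule.
${fwcmd} add pass tcp from any to me 49000-50550 setup keep-state
#ICMP
# Inbound to the gateway: echo reply/request, unreachable, source quench,
# time exceeded, parameter problem.  Inbound to the LAN range: the same minus
# echo request.
${fwcmd} add allow icmp from any to ${IPOut} in via ${LanOut} icmptype 0,3,4,8,11,12
${fwcmd} add allow icmp from any to ${NetInIP}/${NetInMask} in via ${LanOut} icmptype 0,3,4,11,12
${fwcmd} add allow icmp from ${IPOut} to any out via ${LanOut} icmptype 3,8,12
${fwcmd} add allow icmp from ${IPOut} to any out via ${LanOut} frag
# Default deny, logged: first anything on the outside interface, then
# everything else that reached this point.
${fwcmd} add deny log all from any to any via ${LanOut}
${fwcmd} add deny log ip from any to any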