stiks
October 2nd, 2003, 10:27
Today I use ipfw, but maybe I have something wrong; here is my config file:

natd:
natd -f /etc/natd.conf -n fxp0

natd.conf:
# natd(8) options, loaded by "natd -f /etc/natd.conf -n fxp0" (interface is given twice: -n and below).
# Keep the original source port when translating outgoing packets where possible.
same_ports yes
# Allocate a real socket for proxied data connections (FTP data, IRC DCC) so port
# collisions do not break them; costs a little more memory per connection.
use_sockets yes
# Translate only packets whose source is an unregistered (RFC 1918) address;
# inside hosts that already carry a public address are left untranslated.
unregistered_only yes
# Follow address changes on the outside interface via the routing socket.
dynamic yes
# Outside (Internet-facing) interface whose address is used for translation.
interface fxp0

# ipfw section of rc.conf. How /etc/ipfw.conf (the custom script) gets loaded is not
# shown here; firewall_script points at the stock rc.firewall.
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
# NOTE(review): the stock "open" ruleset finishes with a pass-all rule (65000), so the
# combined policy is default-allow: anything the custom rules do not explicitly deny
# is permitted. A default-deny setup would use "client"/"simple", or set
# firewall_type to the path of a rules file.
firewall_type="open"
firewall_quiet="NO"
# Denied/rejected packets are not logged. "YES" sets net.inet.ip.fw.verbose=1
# (needs the IPFIREWALL_VERBOSE kernel option).
firewall_logging="NO"
firewall_flags=""

ipfw.conf:
#!/bin/sh
# Custom ipfw ruleset: NAT through natd (divert), a transparent HTTP proxy redirect
# and dummynet shaping for a few hosts. Rule order *is* the policy; read top to bottom.
# NOTE(review) comments flag ordering and exposure issues; no rule text was changed.

ipfw='/sbin/ipfw -q'
# Written with host bits set; ipfw masks it to 10.0.0.0/20, which is the clearer spelling.
ournet='10.0.0.1/20'
# Outside address; assigned but not referenced by any rule below.
inet='80.235.127.82'

# Outside (Internet) interface.
ifout='fxp0'
# Inside (LAN) interface.
ifuser='xl0'

# Flush is disabled, so running this script twice appends a second copy of every rule
# (same numbers, later positions). Only safe if it runs exactly once per boot.
#${ipfw} flush
${ipfw} add 100 check-state
# Unnumbered rules get last+autoinc_step (100 by default): this one becomes 200, the
# icmp rule below 300 and the divert 400, so the explicit 300/400 rules further down
# share a number with them and are evaluated after them.
# NOTE(review): "established" matches any TCP segment with ACK or RST set, with no state
# check, so ACK-flagged probes to "me" are passed here. Sitting *before* the natd divert
# it also appears to accept inbound replies for NATted connections before they are
# translated (pass is terminating), which would leave them at the local stack with the
# outside address as destination. Confirm by moving it after the divert, or drop it and
# rely on check-state/keep-state (rule 100 / 310 / 330) instead.
${ipfw} add pass tcp from any to any established

# Outbound ICMP creates state; the replies are accepted at rule 100.
${ipfw} add allow icmp from any to any out via ${ifout} keep-state


# Inbound redirect / router-advertisement / timestamp / info / mask messages were meant
# to be dropped here, but the rule is commented out and rule 320 allows all ICMP anyway.
#${ipfw} add 200 deny icmp from any to any in icmptype 5,9,13,14,15,16,17

# NAT for everything crossing the outside interface (becomes rule 400). Packets
# re-injected by natd continue at the rule following this one.
${ipfw} add divert natd all from any to any via ${ifout}

# Anti-spoofing: internal addresses must never arrive from the outside.
# NOTE(review): "reject" answers the (spoofed) source with an ICMP unreachable;
# "deny" drops silently and avoids turning this host into a reflector.
${ipfw} add 210 reject ip from ${ournet} to any in via ${ifout}
${ipfw} add 300 allow ip from any to any via lo
# Outbound TCP from this host; replies are matched by check-state.
${ipfw} add 310 allow tcp from me to any keep-state via ${ifout}
# NOTE(review): every ICMP type, both directions, all interfaces (echo request,
# redirect, router advertisement, ...). The ipf rules below block a few types, but
# this rule by itself is wide open.
${ipfw} add 320 allow icmp from any to any
${ipfw} add 330 allow udp from me to any domain keep-state
# NOTE(review): DNS queries from anywhere. If the resolver on this host recurses this is
# an open resolver; restrict the source to ${ournet} unless authoritative service is intended.
${ipfw} add 340 allow udp from any to me domain
${ipfw} add 350 allow ip from me to any
# NOTE(review): ssh reachable from the whole Internet. Consider a separate rule for ssh
# with a source restriction (admin hosts / ${ournet}) and/or connection limiting.
${ipfw} add 400 allow tcp from any to me http,https,ssh
#${ipfw} add 400 allow tcp from any to me 4000
#${ipfw} add 410 allow tcp from not ${ournet} to me smtp
# Transparent proxy: hand HTTP to the proxy at 10.0.0.1:3128 (needs the IPFIREWALL_FORWARD
# kernel option). NOTE(review): "out via xl0" matches HTTP *leaving* toward the LAN;
# client requests from the LAN arrive "in via xl0", so confirm the intended direction.
${ipfw} add 500 fwd 10.0.0.1,3128 tcp from any to any http out via ${ifuser}

#${ipfw} add 510 skipto 65500 tcp from any to any http
#${ipfw} add divert natd all from any to any via ${ifout}

# Per-host shaping (pipe 1/2: 384 Kbit/s each way for 10.0.5.11).
# NOTE(review): outbound packets from these LAN hosts were already translated by the
# divert at ~400 (source is now the outside address), so the "from 10.0.5.x ... out" pipe
# rules and the per-host divert rules appear not to match in the outbound direction;
# the inbound rules (after translation) do. Also, with net.inet.ip.fw.one_pass=1 (the
# default) a packet leaving a pipe is accepted, so rules 512/517/520 would not be
# reached even if they matched. Shape before NAT, or key the outbound pipe on the
# inside interface.
${ipfw} pipe 1 config bw 384Kbit/s queue 3Kbytes
${ipfw} pipe 2 config bw 384Kbit/s queue 3Kbytes
${ipfw} add 510 pipe 1 ip from 10.0.5.11 to any via ${ifout} out
${ipfw} add 511 pipe 2 ip from any to 10.0.5.11 via ${ifout} in
${ipfw} add 512 divert natd ip from 10.0.5.11 to any out xmit ${ifout}

# Hosts cut off entirely.
${ipfw} add 513 deny ip from 10.0.5.12 to any

${ipfw} add 514 deny ip from 10.0.5.13 to any

# 80.235.127.195 is a public address; with unregistered_only in natd.conf natd does not
# translate it, so the divert at 517 is a no-op for this host.
${ipfw} pipe 3 config bw 5120Kbit/s queue 3Kbytes
${ipfw} pipe 4 config bw 5120Kbit/s queue 3Kbytes
${ipfw} add 515 pipe 3 ip from 80.235.127.195 to any via ${ifout} out
${ipfw} add 516 pipe 4 ip from any to 80.235.127.195 via ${ifout} in
${ipfw} add 517 divert natd ip from 80.235.127.195 to any out xmit ${ifout}

${ipfw} pipe 5 config bw 384Kbit/s queue 3Kbytes
${ipfw} pipe 6 config bw 384Kbit/s queue 3Kbytes
${ipfw} add 518 pipe 5 ip from 10.0.5.15 to any via ${ifout} out
${ipfw} add 519 pipe 6 ip from any to 10.0.5.15 via ${ifout} in
# No explicit default-deny follows in this excerpt; if the stock rc.firewall "open"
# ruleset is loaded too (firewall_type="open"), unmatched traffic is passed.
${ipfw} add 520 divert natd ip from 10.0.5.15 to any out xmit ${ifout}
это только небольшой отрывок, файл там большой.

далее ipf в rc.conf
# ipfilter section. NOTE(review): ipfilter is enabled alongside ipfw, so every packet
# must satisfy both rulesets, and two NAT engines (natd via the ipfw divert rules, and
# ipnat) are active at once; one filter/NAT engine is far easier to reason about.
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.conf"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.conf"
ipnat_flags=""
# ipmon is off, so "block in log" rules in ipf.conf never reach /var/log/firewall.log
# (ipf only writes to the /dev/ipl buffer); set ipmon_enable="YES" to make the
# flags below effective.
ipmon_enable="NO"
ipmon_program="/sbin/ipmon"
# -D run as a daemon, -v verbose (TCP window/ack/seq), -n resolve addresses and ports to names.
ipmon_flags="-Dvn /var/log/firewall.log"

ipf.conf:
# ipfilter rules. Only "block" rules are present and ipf passes unmatched traffic by
# default, so this file narrows what the ipfw ruleset already admits.
# Disabled: port 10024, all ICMP and IGMP on the inside interface.
#block in quick on xl0 proto tcp from any to any port = 10024 keep state
#block in quick on xl0 proto icmp from any to any keep state
#block in quick on xl0 proto igmp all

# Drop malformed/evasive packets arriving on the LAN side: IP options, fragments and
# "short" packets (too short to hold a complete header).
# NOTE(review): "with frag" blocks every fragment, legitimate ones included (large UDP
# such as DNS/NFS from the LAN); confirm that is intended. These checks apply to xl0
# only; the Internet-facing fxp0 gets none of them here.
block in quick on xl0 all with ipopts
block in quick on xl0 all with frag
block in quick on xl0 all with short

# FIN+URG+PSH together is not a legitimate TCP flag combination (scan signature);
# answer with an RST.
block return-rst in quick on xl0 proto tcp all flags FUP

# Drop inbound echo request (8), timestamp (13), information (15) and address-mask (17)
# requests. No "on <if>", so this applies to every interface, LAN clients included;
# no "quick", so a later pass rule (none in this file) could override it.
# "log" is only persisted when ipmon is running (ipmon_enable is "NO" in rc.conf).
block in log proto icmp all icmp-type 8
block in log proto icmp all icmp-type 13
block in log proto icmp all icmp-type 15
block in log proto icmp all icmp-type 17


ipnat.conf:
# ipnat rules (a second NAT engine next to natd/ipfw divert).
# Redirect HTTP arriving on the LAN interface to the proxy at 10.0.0.1:3128.
# NOTE(review): the destination match is 10.0.0.1/20, i.e. only HTTP addressed to
# *internal* hosts is redirected; a transparent proxy for Internet browsing would match
# "0.0.0.0/0 port 80". ipfw rule 500 attempts the same redirect; two engines rewriting
# the same flows is hard to debug, so keep one.
rdr xl0 10.0.0.1/20 port 80 -> 10.0.0.1 port 3128

# 0.0.0.0/32 on the right means "use fxp0's current address".
# NOTE(review): 0.0.0.0/20 on the left covers only 0.0.0.0-0.0.15.255, so this map
# translates nothing useful; the LAN range is presumably 10.0.0.0/20 -- confirm, and
# decide whether natd or ipnat is the NAT engine.
map fxp0 0.0.0.0/20 -> 0.0.0.0/32