# ipfw packet filter compiled into the kernel (rc.conf still has to set
# firewall_enable="YES" for the ruleset to be loaded).
options IPFIREWALL
# Make the kernel's built-in rule 65535 "allow" instead of "deny".
# SECURITY: this makes the box fail-open -- if the firewall script fails to
# load, or a rule in it is rejected, every packet is accepted.  The ruleset
# on this page relies on this default as its final "allow ip from any to any".
options IPFIREWALL_DEFAULT_TO_ACCEPT
# Send matches of rules carrying the "log" keyword to syslog; stop after 50
# entries per rule (counters are cleared with "ipfw resetlog").
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
# divert(4) sockets for natd.  Not used by the ruleset on this page, which
# does NAT in the kernel via IPFIREWALL_NAT.
options IPDIVERT
# In-kernel NAT ("ipfw nat ... config") and the libalias engine it is built on.
options IPFIREWALL_NAT
options LIBALIAS
# Two routing tables (FIBs).  The visible configuration does its per-uplink
# routing with ipfw "fwd" rules rather than setfib, so the second FIB
# appears unused -- TODO confirm against the rest of the setup.
options ROUTETABLES=2
# dummynet traffic shaper; no pipe/queue rules appear in the visible ruleset.
options DUMMYNET
# 1 kHz clock, commonly raised together with DUMMYNET for finer shaping.
options HZ="1000"
  11.  
  12. ifconfig_re1="inet 192.168.0.2 netmask 255.255.255.0"
  13. sshd_enable="YES"
  14. ntpd_enable="YES"
  15. # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
  16. dumpdev="AUTO"
  17.  
  18. gateway_enable="YES" # разрешаем пересылку пакетов между се
  19. firewall_nat_enable="YES" # включаем ядерный nat
  20. firewall_nat_interface="re0" # указываем внешний интерфейс для nat
  21. firewall_enable="YES" # включаем ipfw
  22. firewall_script="/usr/local/etc/ipfw/rc.firewall"
  23.  
  24. usbd_enable="YES"
  25.  
  26. ppp_enable="YES"
  27. ppp_mode="ddial"
  28. ppp_nat="YES"
  29. ppp_profile="ISP1"
  30. ppp_user="root"
  31.  
  32. ppp -ddial -unit 1 ISP2
  33.  
  34. re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  35. options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
  36. ether 98:de:d0:03:11:57
  37. nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  38. media: Ethernet autoselect (100baseTX <full-duplex>)
  39. status: active
  40. re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  41. options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
  42. ether 98:de:d0:03:f4:e1
  43. inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
  44. nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  45. media: Ethernet autoselect (1000baseT <full-duplex,master>)
  46. status: active
  47. re2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
  48. options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
  49. ether 38:d5:47:a9:84:52
  50. nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  51. media: Ethernet autoselect (none)
  52. status: no carrier
  53. lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  54. options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  55. inet6 ::1 prefixlen 128
  56. inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
  57. inet 127.0.0.1 netmask 0xff000000
  58. nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  59. groups: lo
  60. tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
  61. options=80000<LINKSTATE>
  62. inet XXX.XXX.XXX.XX2 --> XXX.XXX.XXX.XX1 netmask 0xffffffff
  63. nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  64. groups: tun
  65. Opened by PID 581
  66. tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
  67. options=80000<LINKSTATE>
  68. inet YYY.YYY.YYY.YY2 --> YYY.YYY.YYY.YY1 netmask 0xffffffff
  69. nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  70. groups: tun
  71. Opened by PID 1168
  72.  
# XXX.XXX.XXX.XX1 - IP-адрес шлюза провайдера 1
# XXX.XXX.XXX.XX2 - Выделенный IP-адрес провайдера 1
# YYY.YYY.YYY.YY1 - IP-адрес шлюза провайдера 2
# YYY.YYY.YYY.YY2 - Выделенный IP-адрес провайдера 2
# 192.168.0.100 - IP-адрес компьютера в локальной сети, на который необходимо настроить перенаправление
  78.  
  79. cmd="ipfw -q"
  80.  
  81. $cmd -f flush
  82.  
  83. $cmd add 100 allow ip from any to any via lo0
  84.  
  85. # Запрещаем доступ из вне к нутреннему интерфейсу
  86. $cmd add 200 deny ip from any to 127.0.0.0/8
  87. $cmd add 300 deny ip from 127.0.0.0/8 to any
  88.  
  89.  
  90. # Разрешаем подключение по ssh
  91. $cmd add 400 allow tcp from any to XXX.XXX.XXX.XX2 22 in via tun0
  92. $cmd add 410 allow tcp from XXX.XXX.XXX.XX2 22 to any out via tun0 established
  93.  
  94. $cmd add 420 allow tcp from any to YYY.YYY.YYY.YY2 22 in via tun1
  95. $cmd add 430 allow tcp from YYY.YYY.YYY.YY2 22 to any out via tun1 established
  96.  
  97. # Разрешаем DNS запросы
  98. $cmd add 500 allow udp from any to XXX.XXX.XXX.XX2 53 in via tun0
  99. $cmd add 510 allow udp from XXX.XXX.XXX.XX2 53 to any out via tun0 established
  100.  
  101. $cmd add 520 allow udp from any to YYY.YYY.YYY.YY2 53 in via tun1
  102. $cmd add 530 allow udp from YYY.YYY.YYY.YY2 53 to any out via tun1 established
  103.  
  104.  
  105. # Эти правила должны обеспечить активность двух каналов
  106. $cmd add 600 fwd XXX.XXX.XXX.XX1 ip from XXX.XXX.XXX.XX2 to any
  107. $cmd add 610 fwd YYY.YYY.YYY.YY1 ip from YYY.YYY.YYY.YY2 to any
  108.  
  109.  
  110. # Разрешаем некоторые типы ICMP траффика - эхо-запрос, эхо-ответ и время жизни пакета истекло
  111. $cmd add 700 allow icmp from any to any icmptypes 0,8,11
  112.  
  113.  
  114. # Разрешаем все соединения на локальном интерфейсе
  115. $cmd add 800 allow all from any to any via re1
  116.  
  117.  
  118. # Первый NAT
  119. $cmd nat 1 config log if tun0 reset same_ports deny_in redirect_port tcp 192.168.0.100:3389 3389
  120. $cmd add 1100 nat 1 ip from any to any via tun0
  121.  
  122. # Второй NAT
  123. $cmd nat 2 config log if tun1 reset same_ports deny_in redirect_port tcp 192.168.0.100:3389 3389
  124. $cmd add 1200 nat 2 ip from any to any via tun1
  125.  
  126.  
  127. # Разрешаем все остальные
  128. $cmd add 65535 allow ip from any to any
  129.  
# Keep evaluating rules after a packet has passed through a "nat" (or
# pipe/queue) action instead of accepting it on the spot.  With the
# accept-all final rule this changes little today, but it is what lets
# rules placed after the nat rules see the translated packet if the policy
# is ever tightened.
net.inet.ip.fw.one_pass=0
  131.  
  132. Internet:
  133. Destination Gateway Flags Netif Expire
  134. default XXX.XXX.XXX.XX1 UGS tun0
  135. XXX.XXX.XXX.XX1 link#5 UHS tun0
  136. 127.0.0.1 link#4 UH lo0
  137. YYY.YYY.YYY.YY1 link#6 UHS tun1
  138. 192.168.0.0/24 link#2 U re1
  139. 192.168.0.2 link#2 UHS lo0
  140. XXX.XXX.XXX.XX2 link#5 UHS lo0
  141. YYY.YYY.YYY.YY2 link#6 UHS lo0
  142.  
  143. Internet:
  144. Destination Gateway Flags Netif Expire
  145. default YYY.YYY.YYY.YY1 UGS tun1
  146. XXX.XXX.XXX.XX1 link#5 UH tun0
  147. 127.0.0.1 link#4 UH lo0
  148. YYY.YYY.YYY.YY1 link#6 UH tun1
  149. 192.168.0.0/24 link#2 U re1
  150.  
  151. 00100 0 0 allow ip from any to any via lo0
  152. 00200 0 0 deny ip from any to 127.0.0.0/8
  153. 00300 0 0 deny ip from 127.0.0.0/8 to any
  154. 00400 207 29610 allow tcp from any to XXX.XXX.XXX.XX2 dst-port 22 in via tun0
  155. 00410 151 47696 allow tcp from XXX.XXX.XXX.XX2 22 to any out via tun0 established
  156. 00420 23 3278 allow tcp from any to YYY.YYY.YYY.YY2 dst-port 22 in via tun1
  157. 00430 14 6180 allow tcp from YYY.YYY.YYY.YY2 22 to any out via tun1 established
  158. 00500 0 0 allow udp from any to XXX.XXX.XXX.XX2 dst-port 53 in via tun0
  159. 00510 0 0 allow udp from XXX.XXX.XXX.XX2 53 to any out via tun0 established
  160. 00520 0 0 allow udp from any to YYY.YYY.YYY.YY2 dst-port 53 in via tun1
  161. 00530 0 0 allow udp from YYY.YYY.YYY.YY2 53 to any out via tun1 established
  162. 00600 108 7484 fwd XXX.XXX.XXX.XX1 ip from XXX.XXX.XXX.XX2 to any
  163. 00610 28 1596 fwd YYY.YYY.YYY.YY1 ip from YYY.YYY.YYY.YY2 to any
  164. 00700 20 1120 allow icmp from any to any icmptypes 0,8,11
  165. 00800 2846 708794 allow ip from any to any via re1
  166. 01100 1305 445563 nat 1 ip from any to any via tun0
  167. 01200 16 1159 nat 2 ip from any to any via tun1
  168. 65535 2155 835010 allow ip from any to any