Платные хостинги Раскрутка сайта Другие сайты ipfw: Пример rc.firewall, всё ли правильно ?
Здравствуйте! Я попытался настроить правила для FireWall, но с такими настройками внутрение сети не могут выйти в инет. Может можно как-то упростить правила? Привожу пример моего rc.firewall: Код: #Внешний интерфейс: eif="sk0" enet="192.168.3.3" emask="255.255.255.224" eip="192.168.3.3" #Офисная сеть: oif="rl0" onet="192.168.20.1" omask="255.255.255.224" oip="192.168.20.1" #Сеть наших клиентов: cif="rl1" cnet="192.168.65.193" cmask="255.255.255.224" cip="192.168.65.193" #Алиас для второго диапазона IP для клиентов c2net="192.168.20.33" c2mask="255.255.255.240" c2ip="192.168.20.33" # Allow communications through loopback interface and deny 127.0.0.1/8 # from any other interfaces setup_loopback # Stop spoofing ${fwcmd} add deny log all from ${onet}:${omask} to any in via ${eif} ${fwcmd} add deny log all from ${enet}:${emask} to any in via ${oif} ${fwcmd} add deny log all from ${cnet}:${cmask} to any in via ${eif} ${fwcmd} add deny log all from ${enet}:${emask} to any in via ${cif} ${fwcmd} add deny log all from ${c2net}:${c2mask} to any in via ${eif} ${fwcmd} add deny log all from ${enet}:${emask} to any in via ${cif} # Stop RFC1918 nets on the outside interface ${fwcmd} add deny log all from any to 10.0.0.0/8 via ${eif} ${fwcmd} add deny log all from any to 172.16.0.0/12 via ${eif} ${fwcmd} add deny log all from any to 192.168.0.0/16 via ${eif} # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1 , # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E), # RFC 3330 nets on the outside interface ${fwcmd} add deny log all from any to 0.0.0.0/8 via ${eif} ${fwcmd} add deny log all from any to 169.254.0.0/16 via ${eif} ${fwcmd} add deny log all from any to 192.0.2.0/24 via ${eif} ${fwcmd} add deny log all from any to 198.18.0.0/15 via ${eif} ${fwcmd} add deny log all from any to 224.0.0.0/4 via ${eif} ${fwcmd} add deny log all from any to 240.0.0.0/4 via ${eif} # Network Address Translation. 
This rule is placed here deliberately # so that it does not interfere with the surrounding address-checking # rules. If for example one of your internal LAN machines had its IP # address set to 192.168.0.2 then an incoming packet for it after being # translated by natd(8) would match the `deny' rule above. Similarly # an outgoing packet originated from it before being translated would # match the `deny' rule below. case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then ${fwcmd} add divert natd all from any to any via ${natd_interface} fi ;; esac # Stop RFC1918 nets on the outside interface ${fwcmd} add deny log all from 10.0.0.0/8 to any via ${eif} ${fwcmd} add deny log all from 172.16.0.0/12 to any via ${eif} ${fwcmd} add deny log all from 159.148.0.0/16 to any via ${eif} # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E), # RFC 3330 nets on the outside interface ${fwcmd} add deny log all from 0.0.0.0/8 to any via ${eif} ${fwcmd} add deny log all from 169.254.0.0/16 to any via ${eif} ${fwcmd} add deny log all from 192.0.2.0/24 to any via ${eif} ${fwcmd} add deny log all from 198.18.0.0/15 to any via ${eif} ${fwcmd} add deny log all from 224.0.0.0/4 to any via ${eif} ${fwcmd} add deny log all from 240.0.0.0/4 to any via ${eif} # Allow anything on the internal net ${fwcmd} add allow all from any to any via ${oif} ${fwcmd} add allow all from any to any via ${cif} # Allow anything outbound from this net. ${fwcmd} add allow all from ${enet}:${emask} to any out via ${eif} # Deny anything outbound from other nets. ${fwcmd} add deny log all from any to any out via ${eif} # Allow TCP through if setup succeeded. ${fwcmd} add allow tcp from any to any established # Allow IP fragments to pass through. ${fwcmd} add allow all from any to any frag # Allow inbound ftp, ssh, email, tcp-dns, http, https, pop3, pop3s. 
${fwcmd} add allow tcp from any to ${eip} 21 setup in via ${eif} ${fwcmd} add allow tcp from any to ${eip} 22 setup in via ${eif} ${fwcmd} add allow tcp from any to ${eip} 25 setup in via ${eif} ${fwcmd} add allow tcp from any to ${eip} 53 setup in via ${eif} ${fwcmd} add allow tcp from any to ${eip} 80 setup in via ${eif} ${fwcmd} add allow tcp from any to ${eip} 443 setup in via ${eif} ${fwcmd} add allow tcp from any to ${eip} 110 setup in via ${eif} ${fwcmd} add allow tcp from any to ${eip} 995 setup in via ${eif} # Deny inbound auth, netbios, ldap, and Microsoft's DB protocol # without logging. ${fwcmd} add deny tcp from any to ${eip} 113 setup in via ${eif} ${fwcmd} add deny tcp from any to ${eip} 139 setup in via ${eif} ${fwcmd} add deny tcp from any to ${eip} 389 setup in via ${eif} ${fwcmd} add deny tcp from any to ${eip} 445 setup in via ${eif} # Deny some chatty UDP broadcast protocols without logging. ${fwcmd} add deny udp from any 137 to any in via ${eif} ${fwcmd} add deny udp from any to any 137 in via ${eif} ${fwcmd} add deny udp from any 138 to any in via ${eif} ${fwcmd} add deny udp from any 513 to any in via ${eif} ${fwcmd} add deny udp from any 525 to any in via ${eif} # Allow inbound DNS and NTP replies. This is somewhat of a hole, # since we're looking at the incoming port number, which can be # faked, but that's just the way DNS and NTP work. ${fwcmd} add allow udp from any 53 to ${eip} in via ${eif} ${fwcmd} add allow udp from any 123 to ${eip} in via ${eif} # Allow inbound DNS queries. ${fwcmd} add allow udp from any to ${eip} 53 in via ${eif} # Deny inbound NTP queries without logging. ${fwcmd} add deny udp from any to ${eip} 123 in via ${eif} # Allow traceroute to function, but not to get in. ${fwcmd} add unreach port udp from any to ${eip} 33435-33524 in via ${eif} # Allow some inbound icmps - echo reply, dest unreach, source quench, # echo, ttl exceeded. 
${fwcmd} add allow icmp from any to any in via ${eif} icmptypes 0,3,4,8,11 # Broadcasts are denied and not logged. ${fwcmd} add deny all from any to 255.255.255.255 # Everything else is denied and logged. ${fwcmd} add deny log all from any to any Спасибо |