4. vi ipf.conf
#
# The following routes should be configured, if not already:
#
# route add 10.0.0.1 localhost 0
# route add 172.16.0.1 localhost 0
#
# NOTE(review): 10.0.0.1 and 172.16.0.1 are also the addresses the
# elxl0/elxl1 groups below treat as this host's own; the purpose of
# routing them at localhost is not explained here -- confirm before
# copying this file to another host.
#
# ipf evaluates rules top to bottom and the LAST matching rule wins,
# unless a rule says "quick", which makes it the final decision.
#
# Packets carrying IP options are logged and dropped outright.
block in log quick from any to any with ipopts
# TCP fragments too short to hold a full header are logged and dropped.
block in log quick proto tcp from any to any with short
# sppp0 outbound: every packet enters group 150.  The group rejects
# loopback addresses in either direction and anything addressed to
# 218.108.173.134, apparently this host's own sppp0 address.
pass out on sppp0 all head 150
block out from 127.0.0.0/8 to any group 150
block out from any to 127.0.0.0/8 group 150
block out from any to 218.108.173.134/32 group 150
# sppp0 inbound: group 100 rejects loopback sources, packets claiming
# to come from this host's own address, and packets from the private
# ranges (anti-spoofing).  The hex masks are netmasks:
# 10.0.0.1/0xff000000 is 10.0.0.0/8, 172.16.0.1/0xffff0000 is
# 172.16.0.0/16 -- only a /16 of the 172.16.0.0/12 private block.
pass in on sppp0 all head 100
block in from 127.0.0.0/8 to any group 100
block in from 218.108.173.134/32 to any group 100
block in from 10.0.0.1/0xff000000 to any group 100
block in from 172.16.0.1/0xffff0000 to any group 100
# elxl0 outbound: group 350 mirrors group 150 for the 10.0.0.1 side.
pass out on elxl0 all head 350
block out from 127.0.0.0/8 to any group 350
block out from any to 127.0.0.0/8 group 350
block out from any to 10.0.0.1/32 group 350
# elxl0 inbound: group 300 rejects loopback, the interface's own
# address, the public /24 (218.108.173.0/24 via mask 0xffffff00) and
# the 172.16.0.0/16 range, none of which should originate on elxl0.
pass in on elxl0 all head 300
block in from 127.0.0.0/8 to any group 300
block in from 10.0.0.1/32 to any group 300
block in from 218.108.173.134/0xffffff00 to any group 300
block in from 172.16.0.1/0xffff0000 to any group 300
# elxl1 outbound: group 450, same pattern for the 172.16.0.1 side.
pass out on elxl1 all head 450
block out from 127.0.0.0/8 to any group 450
block out from any to 127.0.0.0/8 group 450
block out from any to 172.16.0.1/32 group 450
# elxl1 inbound: group 400, same pattern; here 10.0.0.0/8 is the
# range that must not appear as a source.
pass in on elxl1 all head 400
block in from 127.0.0.0/8 to any group 400
block in from 172.16.0.1/32 to any group 400
block in from 218.108.173.134/0xffffff00 to any group 400
block in from 10.0.0.1/0xff000000 to any group 400
# Outbound TCP/UDP/ICMP from 172.16.0.0/16 over sppp0 is allowed and
# tracked ("keep state"), so the matching replies are admitted without
# needing an explicit "pass in" rule.
pass out quick on sppp0 proto tcp from 172.16.0.0/16 to any keep state
pass out quick on sppp0 proto udp from 172.16.0.0/16 to any keep state
pass out quick on sppp0 proto icmp from 172.16.0.0/16 to any keep state
# Inbound ICMP on sppp0: echo replies are allowed, redirects are
# dropped, and then ALL remaining ICMP is dropped.
pass in quick on sppp0 proto icmp from any to any icmp-type echorep
block in quick on sppp0 proto icmp from any to any icmp-type redir
block in quick on sppp0 proto icmp from any to any
# NOTE(review): this rule is shadowed -- the "quick" rule just above
# already matches every inbound ICMP packet on sppp0, so this one is
# never reached (harmless, but misleading to a reader).
block in quick on sppp0 proto icmp from any to any icmp-type echo
# NOTE(review): these two catch-all passes are NOT "quick" and sit
# after every group above.  Under last-match-wins they appear to
# override the non-quick "block ... group N" rules, which would
# neutralise the anti-spoofing groups.  Verify with ipftest(1) before
# relying on those groups; adding "quick" to the group blocks, or
# dropping these two lines, are the usual remedies.
pass in from any to any
pass out from any to any
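#######################################
# Work around a kernel whose compiled-in default policy is "block":
# flush the active rule set, then feed ipf one "pass out" rule per
# nameserver so that name lookups keep working while the real rule set
# is being loaded.
# Globals:   reads /etc/resolv.conf; NAMESERVERS, NS, IF_TO_NS and
#            IP_TO_NS are left set (no "local" in Bourne sh).
# Arguments: none
# Outputs:   a progress line on stdout; rules are piped into "ipf -f -"
# Returns:   0; a nameserver whose route or interface address cannot be
#            determined is silently skipped.
#######################################
block_default_workaround() {
	ipf -F a
	echo "constructing minimal name resolution rules..."
	# Backticks on purpose: legacy Solaris /sbin/sh has no $( ).
	NAMESERVERS=`cat /etc/resolv.conf 2>/dev/null | \
		nawk '/nameserver/ {printf "%s ", $2}' 2>/dev/null`
	if [ -z "$NAMESERVERS" ] ; then
		return
	fi
	# $NAMESERVERS is deliberately unquoted: it is a space-separated list.
	for NS in $NAMESERVERS ; do
		# Interface the kernel would send traffic for this nameserver on.
		IF_TO_NS=`/usr/sbin/route -n get "$NS" 2>/dev/null | \
			nawk '$1 == "interface:" { print $NF ; exit }' 2>/dev/null`
		if [ -z "$IF_TO_NS" ] ; then
			continue
		fi
		# Second field of ifconfig's second output line is taken as the
		# interface address -- assumes the Solaris ifconfig layout.
		IP_TO_NS=`ifconfig "$IF_TO_NS" 2>/dev/null | \
			nawk 'NR == 2 { print $2 ; exit }' 2>/dev/null`
		if [ -z "$IP_TO_NS" ] ; then
			continue
		fi
		# Stateful, so the DNS reply is admitted without an extra rule.
		echo "pass out quick on $IF_TO_NS proto udp from $IP_TO_NS to $NS port = 53 keep state" | \
			ipf -f -
	done
}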
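# Dispatch on the rc action.  $pid (running ipmon) and $id (loaded ipf
# module id), as well as IPFILCONF, IP6FILCONF and IPNATCONF, are
# expected to be set earlier in the script, outside this excerpt.
case "$1" in
start)
	# Tear down a previous instance before loading the module afresh.
	if [ x"$pid" != x ] ; then
		kill -TERM "$pid" 2>/dev/null
	fi
	if [ x"$id" != x ] ; then
		modunload -i "$id" 2>/dev/null
	fi
	modload /usr/kernel/drv/ipf
	if [ -r "${IPFILCONF}" ]; then
		# nawk exits 1 when the kernel reports "Default: pass", so the
		# workaround runs only when the compiled-in default is "block".
		if /sbin/ipf -V | \
			nawk '$1 == "Default:" && $2 == "pass" { exit 1 }' ; then
			block_default_workaround
		fi
		# Load into the inactive set (-I) after flushing it (-Fa) and
		# swap sets (-s) only on success, so a broken config never
		# replaces the rules currently in force.
		if ipf -IFa -f "${IPFILCONF}" ; then
			ipf -s
		else
			echo "$0: load of ${IPFILCONF} into alternate set failed"
		fi
	fi
	ipf -y
	if [ -r "${IP6FILCONF}" ]; then
		# Trial-load the IPv6 rules into the inactive set; if that
		# parses, flush the inactive set again and load them active.
		if ipf -IFa -6f "${IP6FILCONF}" ; then
			ipf -IF a
			ipf -6f "${IP6FILCONF}"
		else
			# Was wrongly reporting ${IPFILCONF} here.
			echo "$0: load of ${IP6FILCONF} into alternate set failed"
		fi
	fi
	if [ -r "${IPNATCONF}" ]; then
		# -C deletes the existing NAT rules, -F flushes active mappings.
		ipnat -CF -f "${IPNATCONF}" || \
			echo "$0: load of ${IPNATCONF} failed"
	fi
	# Log monitor, daemonised (-D), logging to syslog (-s).
	ipmon -Ds
	;;
stop)
	if [ x"$pid" != x ] ; then
		kill -TERM "$pid"
	fi
	if [ x"$id" != x ] ; then
		modunload -i "$id"
	fi
	;;
reload)
	# NOTE(review): reload/reipf only refresh the IPv4 rules (and NAT);
	# ${IP6FILCONF} is not reloaded -- a "start" is needed for that.
	if [ -r "${IPFILCONF}" ]; then
		if ipf -I -Fa -f "${IPFILCONF}" ; then
			ipf -s
		else
			echo "$0: reload of ${IPFILCONF} into alternate set failed"
		fi
	fi
	if [ -r "${IPNATCONF}" ]; then
		ipnat -CF -f "${IPNATCONF}" || \
			echo "$0: reload of ${IPNATCONF} failed"
	fi
	;;
reipf)
	# Same as "reload" without the NAT part.
	if [ -r "${IPFILCONF}" ]; then
		if ipf -I -Fa -f "${IPFILCONF}" ; then
			ipf -s
		else
			echo "$0: reload of ${IPFILCONF} into alternate set failed"
		fi
	fi
	;;
*)
	# Usage previously omitted the reipf action handled above.
	echo "Usage: $0 (start|stop|reload|reipf)" >&2
	exit 1
	;;
esac
exit 0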
作者: 北极星 时间: 2002-08-28 23:31 标题: [转载]IP Filter3.4.28 for solaris 安装、配置 好东东。我先收起来!
作者: study12 时间: 2002-08-29 08:58 标题: [转载]IP Filter3.4.28 for solaris 安装、配置 怎么不早拿出来!
作者: 韦小宝 时间: 2002-08-29 09:16 标题: [转载]IP Filter3.4.28 for solaris 安装、配置 tnnd,你没看发表日期吗?还在冒热气呢
作者: study12 时间: 2002-08-29 09:26 标题: [转载]IP Filter3.4.28 for solaris 安装、配置 O
作者: asfasf 时间: 2002-09-11 17:53 标题: [转载]IP Filter3.4.28 for solaris 安装、配置 众里寻她千百度,蓦然回首那人却在灯火阑珊处
作者: littletiger 时间: 2002-09-11 18:39 标题: [转载]IP Filter3.4.28 for solaris 安装、配置 save先
作者: miling 时间: 2002-10-16 17:06 标题: [转载]IP Filter3.4.28 for solaris 安装、配置 //ft还叫好哩,越往下看,越觉得眼熟,仔细一看,原来从王波先生写的《FreeBSD使用大全》上大段大段摘下来的,偶尔改动的还改错了。