论坛徽章:: 4

电梯直达

1楼 [收藏(0)] [报告]

发表于 2009-09-13 10:48 |只看该作者 |倒序浏览

10可用积分

### set these to your outside interface network and netmask and ip
oif="fxp1"
onet="192.168.0.0"
omask="255.255.255.0"
oip="192.168.0.124"
onet6="fe80::"
oprefixlen6="64"
oip6="fe80::202:b3ff:fe0a:c30e"

### set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"
inet6="2001:2f8:22:802::"
iprefixlen6="64"
iip6="2001:2f8:22:802::1"

fwcmd="/sbin/ipfw"

### reset firewall rules
$fwcmd -q -f flush

### divert packet to NATD
$fwcmd add 1 divert natd ip4 from any to any via ${oif}

### Stop spoofing
$fwcmd add deny all from ${inet}

{imask} to any in via ${oif}
$fwcmd add deny all from ${onet}

{omask} to any in via ${iif}

### Allow from / to myself
$fwcmd add pass all from ${iip} to any via ${iif}
$fwcmd add pass all from ${oip} to any via ${oif}
$fwcmd add pass all from any to ${iip} via ${iif}
$fwcmd add pass all from any to ${oip} via ${oif}
$fwcmd add pass all from ${iip6} to any via ${iif}
$fwcmd add pass all from ${oip6} to any via ${oif}
$fwcmd add pass all from any to ${iip6} via ${iif}
$fwcmd add pass all from any to ${oip6} via ${oif}

### Allow DNS queries out in the world
### (if DNS is on localhost, delete passDNS)
$fwcmd add pass udp from any 53 to any
$fwcmd add pass udp from any to any 53
$fwcmd add pass tcp from any to any 53
$fwcmd add pass tcp from any 53 to any

### Allow RA RS NS NA Redirect...
$fwcmd add pass ipv6-icmp from any to any

# Allow IP fragments to pass through
$fwcmd add pass all from any to any frag

# Allow RIPng
$fwcmd add pass udp from fe80::/10 521 to ff02::9 521
$fwcmd add pass udp from fe80::/10 521 to fe80::/10 521

############Taggged rules############################
## Opengate add following rules after authentication
## count tag <TagNo> ip from any to <ClientAddr>
## count tag <TagNo> ip from <ClientAddr> to any
## <TagNo> : IpfwTagNumber in opengatesrv.conf
## <ClientAddr> :IP address of authenticated client

$fwcmd add 60000 allow ip from any to any tagged 123

################################################

### Forwarding IPv4 http connection from unauth client
$fwcmd add 60100 fwd localhost tcp from ${inet}

{imask} to any 80
$fwcmd add 60100 fwd localhost tcp from ${inet}

{imask} to any 443

### Allow http reply for forwarded request
### (it is sent out from localhost but has original source address)
$fwcmd add 60110 pass tcp from any 80 to any out
$fwcmd add 60120 pass tcp from any 443 to any out

# TCP reset notice message for IPv6 http connection
$fwcmd add 60130 reset tcp from any to any 80
$fwcmd add 60140 reset tcp from any to any 443

最佳答案

HonestQiao

查看完整内容

### set these to your outside interface network and netmask and ip变量设置阶段，主要是外部网卡相关### set these to your inside interface network and netmask and ip变量设置阶段，主要是内部网卡相关　　防火墙类型simple用于设置一个简单的防火墙系统，用于保护内部网络中的计算机。由于防火墙系统需要连接多个网络界面，一个用于连接外部网络，而其他用于连接内部网络。这个简单的防火墙只针对两个网络界面进行了过滤 ...

文库|博客

HonestQiao

版主

论坛徽章:: 1

2楼 [报告]

发表于 2009-09-13 10:48 |只看该作者

### set these to your outside interface network and netmask and ip
变量设置阶段，主要是外部网卡相关

### set these to your inside interface network and netmask and ip
变量设置阶段，主要是内部网卡相关

　　防火墙类型simple用于设置一个简单的防火墙系统，用于保护内部网络中的计算机。由于防火墙系统需要连接多个网络界面，一个用于连接外部网络，而其他用于连接内部网络。这个简单的防火墙只针对两个网络界面进行了过滤规则的设置，内部网络的界面iif，外部网络的界面oif，因此它只适合只有两个网络界面的防火墙系统。

#设置ipfw指令
fwcmd="/sbin/ipfw"

### reset firewall rules
清空原有指令，使用脚本后面设置的。

### divert packet to NATD
ipv4的natd固有设置方法

### Stop spoofing
这两个过滤规则用于丢弃涉及IP地址欺骗的数据包，这包括来自于外部网络界面，但源地址为内部网络地址，或者来自于内部网络界面，但源地址为外部网络地址的数据包。由于这些数据包涉及IP地址欺骗，每个路由器都应该丢弃这样的数据包。

### Allow from / to myself
允许那些数据包从某ip到某ip，通过某网卡

### Allow DNS queries out in the world
### (if DNS is on localhost, delete passDNS)
允许查询外部dns

### Allow RA RS NS NA Redirect...
允许ipv6的icmp查询

# Allow IP fragments to pass through
允许ip数据包的片段通行

# Allow RIPng
允许ipv6的路由选择协议

############Taggged rules############################
## Opengate add following rules after authentication
## count tag <TagNo> ip from any to <ClientAddr>
## count tag <TagNo> ip from <ClientAddr> to any
## <TagNo> : IpfwTagNumber in opengatesrv.conf
## <ClientAddr> :IP address of authenticated client

允许所有打标为123的规则的数据通行

################################################

### Forwarding IPv4 http connection from unauth client
将符合规则封包的去向转向到 ipaddr，ipaddr 可以是 IP 地址或是 hostname。如果设定的 ipaddr 不是直接可以到达的地址，则会依本机即有的 routing table 来将封包送出。如果该地址是本地地址 (local address)，则保留本地地址并将封包送原本指定的 IP 地址。这项设定通常用来和 transparent proxy 搭配使用。

### Allow http reply for forwarded request
### (it is sent out from localhost but has original source address)
放行向外的http数据包

# TCP reset notice message for IPv6 http connection
将http规则的日志计数或包计数清零来重新启用日志

...