一个可用的IPFW脚本,比较简单,限制不多
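#!/bin/sh
# Minimal IPFW ruleset: loopback, outbound DNS, a few TCP services, an
# outbound MySQL link and SNMP.  Everything not explicitly allowed is logged
# and denied by the last rule.
#
# Return traffic is matched statefully (check-state / keep-state) rather than
# by source port: a rule like "allow tcp from any 80 to any" would let any
# peer reach any local port simply by sending from source port 80.
################Common#################
cmd="/sbin/ipfw -q add"
# Peers this host talks to; fill in before use.  The host's own addresses
# are referenced via the ipfw keyword "me", so no local address is needed.
dns1="xxx.xxx.xxx.xxx"
#dns2="xxx.xxx.xxx.xxx"
mysql_net="xxx.xxx.xxx.0/24"
#################Rules#######################
#flush all rules
# NOTE: between the flush and the rules below only the kernel's default rule
# applies (deny-all or accept-all depending on how the kernel was built), so
# run this from the console, or under a timed rollback, when the box is
# administered over SSH.
/sbin/ipfw -q -f flush
#Allow all via loopback to loopback
$cmd 500 allow all from any to any via lo0
# Packets that belong to a flow recorded by a keep-state rule below match
# here, in either direction, so no per-service "reply" rules are needed.
$cmd 600 check-state
###################DNS######################
$cmd 700 allow tcp from me to $dns1 53 out keep-state
$cmd 750 allow udp from me to $dns1 53 out keep-state
###############FTP,SSH,WWW,and etc.################
# New connections to these services in either direction.  "setup" limits the
# rule to the initial SYN; the dynamic rule it creates carries the rest of
# the connection, so non-SYN packets to these ports fall through to 9999.
$cmd 1000 allow tcp from any to any 20,21,22,80,443 setup keep-state
# Active-mode FTP data connections originate from our own port 20.
$cmd 1500 allow tcp from me 20 to any out setup keep-state
##############limit to link mysql########################
$cmd 2000 allow tcp from me to $mysql_net 3306 out setup keep-state
#####################SNMP#####################
# Own rule number, so deleting the TCP service group (1000) does not remove
# this rule as well.  UDP has no handshake; keep-state tracks the exchange.
$cmd 3000 allow udp from any to any 161,162 keep-state
#deny and log all packets that fell through to see what they are
$cmd 9999 deny log all from any to any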