>Если хочеш чтобы не все пакеты попали в нат опиши до правила
>ната
>например если у тебя поднят веб сервер Посмотрите, пожалуйста, в низу новый конфиг: так будет правильно?
>Короче говоря я всегда ставлю net.inet.ip.fw.one_pass=0 что и тебе советую
>
А по умолчанию значение равно 0? и как это проверит?
>
Вот ещё маленький вопросик: в этом варианте правил я пытался динамически запретить инециализацию какихлибосоединений из вне, мене удалось? или как всегда что-то перемудрил?
И что можно сказать о уровнебезопасности по данным правилам?
#=====Firewall Configuration
#var
inthost="192.168.1.1"
macint="00:80:48:38:3A:3D"
intnet="192.168.1.0/29"
outhost="10.15.4.8"
admcomp="192.168.1.2"
macadm="00:E0:18:99:E5:11"
outinterface="rl0"
intinterface="rl1"
#Rules Begin
#antihack
#No Fragmentation
add 10 deny ip from any to any frag
#Deny ISMP hack
add 11 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
#Deny interip mask hack
add 12 reject ip from ${intnet} to any in via ${outinterface}
# Deny X-scaning
add 13 reject tcp from any to any tcpflags fin, syn, rst, psh, ack, urg
# Deny N-scaning
add 14 reject tcp from any to any tcpflags !'fin', !'syn', !'rst', !'psh', !'ack', !'urg'
# Deny FIN-scaning
add 15 reject tcp from any to any not established tcpflags fin
# Prevent from spoofing
add 16 deny ip from any to any not verrevpath in
add 17 deny ip from ${intnet} to any in via ${outinterface}
add 18 deny ip from ${outhost} to any via ${intinterface}
# ip-session limit
#add 19 allow ip from any to any setup limit src-addr 10
#Deny loop back external acces
add 20 deny all from any to 127.0.0.0/8
add 21 deny all from 127.0.0.0/8 to any
add 22 deny all from any to 127.0.0.0/8
add 23 deny all from 127.0.0.0/8 to any
#Deny Windows flood
add 24 deny ip from ${intnet} to ${intnet} 135,137-139,445 in via ${intinterface}
add 25 deny ip from any to ${outhost} 135,137-139,445 in via ${outinterface}
#SSH
add 30 allow tcp from ${admcomp} to ${inthost} 22 in via ${intinterface} mac ${macadm} ${macint}
add 31 allow tcp from ${inthost} 22 to ${admcomp} out via ${intinterface} mac ${macint} ${macadm}
add 32 deny tcp from any to ${inthost},${outhost} 22
#dynamic on
add 40 check-state
#ICMP
add 50 deny icmp from any to any via ${outinterface}
#HTTP/HTTPS/FTP
#from intnet to Global over NAT
add 60 skipto 72 tcp from ${intnet} to not ${intnet} 20,21,80,8080,443 keep-state via ${outinterface}
add 61 skipto 72 upd from ${intnet} to not ${intnet} 20,21 keep-state via ${outinterface}
#from Global to intnet over NAT
add 62 skipto 72 tcp from not ${intnet} 20,21,80,8080,443 to ${outhost} via ${outinterface}
add 63 skipto 72 upd from not ${intnet} 20,21 to ${outhost} via ${outinterface}
#NAT
add 70 skipto 72 all from any to any via ${intinterface}
add 71 deny all from any to any via ${outinterface}
add 72 nat ip from any to not ${intnet} out via ${outinterface}
#HTTP/HTTPS/FTP
#from intnet to Global via intinterface
add 80 allow tcp from ${intnet} to not ${intnet} 20,21,80,8080,443 keep-state via ${intinterface}
add 81 allow upd from ${intnet} to not ${intnet} 20,21 keep-state via ${intinterface}!
#from NAT to Global
add 82 allow tcp from ${outhost} to not ${intnet} 20,21,80,8080,443 keep-state via ${outinterface}
add 83 allow upd from ${outhost} to not ${intnet} 20,21 keep-state via ${outinterface}
#from NAT to intnet
add 82 allow tcp from not ${intnet} 20,21,80,8080,443 to ${intnet} via ${outinterface}
add 83 allow upd from not ${intnet} 20,21 to ${intnet} via ${outinterface}
#from Global to intnet via intinterface
add 82 allow tcp from not ${intnet} 20,21,80,8080,443 to ${intnet} via ${intinterface}
add 83 allow upd from not ${intnet} 20,21 to ${intnet} via ${intinterface}
#inter comps
#add 1000 allow ip from ${admcomp} to not ${intnet} via ${intinterface}
#add 1001 allow ip from 192.168.1.3 to not ${intnet} via ${intinterface}
#Deny any all
add 10000 deny all from any to any via ${outinterface}
add 10001 deny all from any to any via ${intinterface}
#Rules END
ОГРООООООООМНОЕ!!!!!!! СПАСИБО!!!!!!!!!,
С ГЛУБОКИМ УВАЖЕНИЕМ,
Alex123.
