Ниже привожу пример рабочего конфига (у меня расположен в файле /usr/local/etc/rc.d/firewall.sh, не забудьте 'chmod +x firewall.sh'):
#!/bin/sh
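# Firewall ruleset for a FreeBSD router that NATs through natd on the public
# interface $pif.  Every run flushes the ruleset and reinstalls it, so the
# numbered rules below are the complete policy.  Layout:
#   0010-0470  rules evaluated before/around the inbound NAT divert (rule 200);
#              permitted outbound sessions jump to rule 5000 via "$skip"
#   1300-1450  inbound bogon/service blocks, then the logged catch-all denies
#   5000-5001  skipto target: outbound NAT divert, then allow
#   10000      final logged deny for anything that fell through
# NOTE: "ipfw -q" suppresses per-rule error output, so a rule that fails to
# parse is skipped silently -- compare the loaded set ("ipfw list") with this
# file after each change.

# macros
pif="xl0"               # public (Internet-facing) interface
cmd="ipfw -q add"       # deliberately expanded unquoted below: word-splitting is wanted
skip="skipto 5000"      # jump to the outbound NAT divert at rule 5000
remote_IP="25.25.25.25" # the single host allowed to reach SSH and PPTP on this box
# (the address must be in plain ASCII double quotes: typographic quotes are
# not quotes to sh, they become part of the value and the address never matches)

# Flush out the list before we begin.
ipfw -q -f flush

# BEGIN of FIREWALL
# Loopback is never filtered.
$cmd 0010 allow all from any to any via lo0
# Allow all -- debugging escape hatch, keep commented out in production.
#$cmd 0050 allow log all from any to any via $pif
# Input SSH: only from $remote_IP, replies matched explicitly (no keep-state),
# and placed before the divert so SSH traffic is never handed to natd.
$cmd 0160 allow tcp from $remote_IP to me 22 in via $pif
$cmd 0161 allow tcp from me 22 to $remote_IP out via $pif
# NAT: inbound packets go to natd first, then check-state matches the
# translated packet against the dynamic table built by the keep-state rules.
$cmd 0200 divert natd ip from any to any in via $pif
$cmd 0201 check-state
# PPTP transport (GRE).  NOTE(review): unlike the 1723 rules below this is
# not limited to $remote_IP or $pif; narrow it if the tunnel peer is fixed.
$cmd 0202 allow gre from any to any
# PPTP control channel, both directions, logged.
$cmd 0204 allow log tcp from $remote_IP to me 1723 via $pif
$cmd 0205 allow log tcp from me 1723 to $remote_IP via $pif
#$cmd 0206 allow all from any to any
#$cmd 0210 $skip log all from any to any out via $pif setup keep-state
# DNS: 0220 is this host's own lookups, 0230 any source (presumably the
# NATed LAN clients); both create dynamic entries for the replies.
$cmd 0220 $skip log udp from me to any 53 out via $pif keep-state
$cmd 0230 $skip log udp from any to any 53 out via $pif keep-state
# Allow out non-secure standard pop3/smtp/imap function
$cmd 0320 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 0330 $skip tcp from any to any 110 out via $pif setup keep-state
$cmd 0340 $skip tcp from any to any 143 out via $pif setup keep-state
$cmd 0345 $skip tcp from any to any 995 out via $pif setup keep-state
# WWW (HTTP/HTTPS/..)
$cmd 0350 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 0360 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges: any outbound TCP session whose
# socket is owned by root passes, whatever the destination port.  This is the
# broadest exception in the set -- every process running as root gets it.
$cmd 0410 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out Time
$cmd 0450 $skip tcp from any to any 37 out via $pif setup keep-state
# Allow out whois
$cmd 0460 $skip tcp from any to any 43 out via $pif setup keep-state
# Allow ntp time server
$cmd 0470 $skip udp from any to any 123 out via $pif keep-state
# DENY
# Deny all inbound traffic from non-routable reserved address spaces
# (a packet arriving on the public interface with one of these sources is
# spoofed or misrouted).
$cmd 1300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 1301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 1302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 1303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 1304 deny all from 0.0.0.0/8 to any in via $pif #"this network" (RFC 1122), not loopback
$cmd 1305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 1306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 1307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 1308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Deny ident
$cmd 1315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 1320 deny tcp from any to any 137 in via $pif
$cmd 1321 deny tcp from any to any 138 in via $pif
$cmd 1322 deny tcp from any to any 139 in via $pif
$cmd 1323 deny tcp from any to any 81 in via $pif
# Deny IP fragments: a non-first fragment carries no port numbers, so none of
# the port-based rules above could have classified it.
$cmd 1330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table (check-state, 0201)
$cmd 1332 deny tcp from any to any established in via $pif
# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 1400 deny log all from any to any in via $pif
# Reject & Log all unauthorized out going connections to the public Internet
$cmd 1450 deny log all from any to any out via $pif
# This is skipto location for outbound stateful rules: translate the source
# address with natd, then let the packet go.
$cmd 5000 divert natd ip from any to any out via $pif
$cmd 5001 allow ip from any to any
# deny and log all packets that fell through to see what they are
$cmd 10000 deny log all from any to any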
#############################################
Сначала разрешаю то, что хочу разрешить до DIVERT (он же nat), потом включаю DIVERT (правило 200), после чего правила типа:
$cmd 0350 $skip tcp from any to any 80 out via $pif setup keep-state
направляют запросы на порт 80 через правило 5000 (которое и выполняет функции nat). Ну а всё остальное, что не подошло ни под одно из правил, отбрасывается правилом 1400 (входящее) или 1450 (исходящее).
Ммм, довольно сумбурно, но хоть что-то.
В /etc/rc.conf добавить
# Enable natd.  The divert rules in firewall.sh (200 inbound, 5000 outbound)
# hand packets to natd, so it must be running for NATed traffic to pass.
natd_enable="YES"
natd_interface="xl0" # your public network interface -- must match $pif in firewall.sh
Ну и в ядро нужно добавить опции (приведены опции для FreeBSD 7 на моём роутере):
# IPFW options
# The packet filter itself.  Without IPFIREWALL_DEFAULT_TO_ACCEPT the built-in
# last rule denies, so anything firewall.sh does not explicitly allow is dropped.
options IPFIREWALL
# Divert sockets -- required by the "divert natd" rules (200 and 5000).
options IPDIVERT
# Make "log" rules write to syslog ...
options IPFIREWALL_VERBOSE
# ... but cap the number of logged packets per rule so a flood cannot fill the log.
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD #enable transparent proxy support
# Left disabled here; when enabled the kernel drops TCP packets with SYN+FIN set.
#options TCP_DROP_SYNFIN
# Traffic shaping; not used by the ruleset above.
options DUMMYNET
______________________________________________________________________________
PS:
Могу сказать, что когда я после FreeBSD стал пытаться понять iptables, чуть с ума не сошел, даже книженцию купил :)