Был полностью рабочий firewall на FreeBSD 6.0, затем система была переведена на FreeBSD 7.0 и часть конфигов просто скопирована со старой системы, в том числе и firewall. Но работать он перестал, за исключением icmp-пакетов, которые и так были полностью открыты). rc.firewall:
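#!/bin/sh
# rc.firewall -- ipfw ruleset for this host (written on FreeBSD 6.0, now run on 7.0).
#
# Maintenance notes:
#  * The default rule 65535 is NOT created here and "ipfw -f flush" does not
#    touch it: it is fixed at kernel build time by IPFIREWALL_DEFAULT_TO_ACCEPT.
#    "ipfw show" on the 7.0 box lists 65535 as "deny ip from any to any" with a
#    non-zero counter, so every packet that matches none of the rules below --
#    notably traffic forwarded for LAN hosts other than 192.168.2.14, which no
#    rule here allows -- is dropped. Either rebuild the kernel with that option
#    spelled exactly as above, or (preferably) keep default-deny and add explicit
#    allow rules for the forwarded traffic that is actually needed, e.g.
#    "allow ip from 192.168.2.0/24 to any via <LAN_IF>" (placeholder interface).
#  * Rule 100 "check-state" only has an effect if some rule uses keep-state;
#    none does here, so it is currently a no-op. Rule 410 lets in any TCP
#    segment with ACK set ("established" is a flag check, not a state check);
#    converting 430 to "keep-state" would make 100 meaningful -- not done here.
#  * ipfw rule numbers must be unique; the old file used 920 twice.

fwcmd="/sbin/ipfw"

# rule NUMBER BODY... -- add one ipfw rule quietly. Arguments are passed
# through verbatim; each token of the rule is a separate shell word.
rule() {
  ${fwcmd} -q add "$@"
}

# Start from an empty ruleset (does not affect the kernel default rule 65535).
${fwcmd} -q -f flush

rule 100 check-state

# icmp: drop redirects, router advertisement, timestamp/info/mask queries;
# allow everything else (echo, unreachable, time-exceeded, ...).
rule 200 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
rule 210 pass icmp from any to any

# loopback: allow lo0, refuse loopback addresses on real interfaces.
rule 300 pass ip from any to any via lo0
rule 310 deny ip from any to 127.0.0.0/8
rule 320 deny ip from 127.0.0.0/8 to any

# output / replies to this host
rule 410 pass tcp from any to me established
rule 420 pass udp from any to me
rule 430 pass ip from me to any

# private: trusted LAN hosts
rule 500 pass ip from 192.168.2.3 to me
rule 510 pass ip from 192.168.2.7 to me
rule 520 pass ip from 192.168.2.8 to me
rule 530 allow ip from 192.168.2.14 to any

# http / ftp control channel. Restricted to tcp: 80 and 21 are TCP-only
# services, the old "ip ... 80,21" form also admitted UDP/SCTP to those ports.
rule 600 pass tcp from any to me 80,21

# dns
rule 810 pass udp from any 53 to any
rule 820 pass udp from any to any 53

# inet: LAN hosts that must not leave the network. 905 covers the whole
# upper half of the subnet; the single-host rules are listed in ascending
# order (ipfw evaluates by number, not by position in this file).
rule 905 deny ip from 192.168.2.0/24{130-255} to any
rule 914 deny ip from 192.168.2.65 to any
rule 915 deny ip from 192.168.2.59 to any
rule 916 deny ip from 192.168.2.49 to any
rule 918 deny ip from 192.168.2.113 to any
rule 919 deny ip from 192.168.2.106 to any
rule 920 deny ip from 192.168.2.105 to any

# log: record inbound connection attempts and anything else aimed at this host.
# 925 was numbered 920 in the old file (duplicate of the .105 rule above).
rule 925 deny log tcp from any to me setup
rule 930 deny log ip from any to me

# close: unreachable in practice (930 already denies "ip from any to me"),
# kept as a belt-and-braces final deny for traffic to this host.
rule 10000 deny ip from any to me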
Скажу сразу, что в ядре я прописал IP_FIREWALL IP_FIREWALL_DEFAULT_TO_ACCEPT.
internet# ipfw show
00100 0 0 check-state
00200 0 0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00210 17 1016 allow icmp from any to any
00300 0 0 allow ip from any to any via lo0
00310 0 0 deny ip from any to 127.0.0.0/8
00320 0 0 deny ip from 127.0.0.0/8 to any
00410 99 15329 allow tcp from any to me established
00420 18 2526 allow udp from any to me
00430 67 20752 allow ip from me to any
00500 0 0 allow ip from 192.168.2.3 to me
00510 0 0 allow ip from 192.168.2.7 to me
00520 0 0 allow ip from 192.168.2.8 to me
00530 0 0 allow ip from 192.168.2.14 to any
00600 0 0 allow ip from any to me dst-port 80,21
00810 0 0 allow udp from any 53 to any
00820 0 0 allow udp from any to any dst-port 53
00905 28 8456 deny ip from 192.168.2.0/24{130-255} to any
00914 0 0 deny ip from 192.168.2.65 to any
00915 0 0 deny ip from 192.168.2.59 to any
00916 0 0 deny ip from 192.168.2.49 to any
00918 0 0 deny ip from 192.168.2.113 to any
00919 0 0 deny ip from 192.168.2.106 to any
00920 0 0 deny ip from 192.168.2.105 to any
00920 0 0 deny log tcp from any to me setup
00930 0 0 deny log ip from any to me
10000 0 0 deny ip from any to me
65535 4876 456652 deny ip from any to any
Когда руками полностью открываешь его с консоли, тогда всё работает, но это не дело. У кого есть какие мысли по этому поводу?