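====== Настройка ipfw на сервере FreeBSD. ======

===== Включение ipfw без пересборки ядра =====

==== Подготовка и настройка ОСи ====

# Russian console/locale for root.
# sysrc is idempotent; "echo >> file" appends a duplicate line every time this
# page is re-run, so the key=value lines go through sysrc (also for loader.conf).
sysrc keymap="ru"
sysrc -f /boot/loader.conf kern.vty="vt"
pw usermod -n root -L russian
cat <<'EOF' >> /etc/profile
# RUS
LANG=ru_RU.UTF-8
export LANG
MM_CHARSET=UTF-8
export MM_CHARSET
export EDITOR=/usr/local/bin/nano
EOF
echo 'export EDITOR=/usr/local/bin/nano' >> /root/.profile
pkg update && pkg upgrade
pkg install -y mc nano rsync tmux bash htop bind-tools
# replace bash for root
# Caveat: /usr/local may not be mounted in single-user mode, so a root shell from
# ports can leave you without a usable root login there. FreeBSD's convention is
# to keep root on a base-system shell and give the ports shell to the "toor" account.
chsh -s /usr/local/bin/bash root

==== Включение ipfw ====

# Loader tunables: kernel modules for ipfw, in-kernel NAT, divert sockets,
# dummynet/ng_pipe (traffic shaping) and 4 routing tables (setfib).
# ipfw.ko defaults to deny-all (rule 65535) unless net.inet.ip.fw.default_to_accept
# is set, so the rulesets below must explicitly allow management access.
sysrc -f /boot/loader.conf \
  ipfw_load="YES" \
  ipfw_nat_load="YES" \
  ipdivert_load="YES" \
  dummynet_load="YES" \
  ng_pipe_load="YES" \
  net.fibs="4"
# firewall_logif is an rc.conf knob (creates the ipfw0 logging pseudo-interface);
# it is not a loader tunable, so putting it in /boot/loader.conf did nothing.
sysrc firewall_logif="YES"

==== Работающий в первый же запуск скрипт ipfw ====

# Bootstrap ruleset that loads on the very first boot without locking you out:
# the next-to-last rule accepts everything, so the trailing "deny log" is
# unreachable and the host is effectively WIDE OPEN apart from the loopback and
# fragment rules. Replace it with the "fw" ruleset below before exposing the host.
# rc.d/ipfw executes firewall_script with /bin/sh, so the shebang only matters when
# the file is run by hand -- keep the script POSIX sh.
cat <<'EOF' > /etc/ipfw.script
#!/bin/sh
cmd="/sbin/ipfw -q"
$cmd -f flush
$cmd disable one_pass
$cmd add allow all from any to any via lo0
$cmd add deny all from any to 127.0.0.0/8
$cmd add deny all from 127.0.0.0/8 to any
# drops every non-first fragment; this also breaks legitimate large UDP datagrams
$cmd add deny all from any to any frag
# ssh: management sources
$cmd table admin create missing
$cmd table admin add 10.1.1.0/24
$cmd table admin add 192.168.10.0/24
$cmd add check-state
#$cmd add allow tcp from any to any established
$cmd add allow all from any to any out keep-state
$cmd add allow ip from "table(admin)" to me 22
# Ping
$cmd add allow icmp from "table(admin)" to me in icmptype 8
$cmd add allow icmp from me to "table(admin)" out icmptype 0,8
# WIDE OPEN: everything not matched above is accepted; the deny below never fires
$cmd add allow all from any to any
$cmd add deny log all from any to any
EOF
sysrc firewall_enable="YES"
sysrc firewall_script="/etc/ipfw.script"
sysrc firewall_logging="YES"

==== NTPd ====

# "restrict default ignore" drops replies from any address without its own restrict
# entry. A restrict by host name covers only the address it resolved to when ntpd
# started (pool names resolve to many), and 1.freebsd.pool.ntp.org was not listed at
# all, so its replies were silently ignored. "restrict source" is expected to apply
# the flags to whatever address each "server" line actually resolved to (verify with
# "ntpq -p" that all four servers reach state "*"/"+"). The flags only forbid
# ntpq/ntpdc queries, runtime modification and traps from those hosts; time exchange
# is unaffected.
cat <<'EOF' > /etc/ntp.conf
# NTP
server ntp.ix.ru iburst maxpoll 9 prefer
server ntp2.aas.ru iburst maxpoll 9
server 0.freebsd.pool.ntp.org iburst maxpoll 9
server 1.freebsd.pool.ntp.org iburst maxpoll 9
restrict default ignore
restrict 127.0.0.1
restrict ntp.ix.ru nomodify notrap nopeer noquery
restrict ntp2.aas.ru nomodify notrap nopeer noquery
restrict 0.freebsd.pool.ntp.org nomodify notrap nopeer noquery
restrict 1.freebsd.pool.ntp.org nomodify notrap nopeer noquery
restrict source nomodify notrap noquery
interface ignore wildcard
interface listen igb0
logfile /var/log/ntp.log
driftfile /var/db/ntp.drift
EOF
touch /var/db/ntp.drift
touch /var/log/ntp.log
sysrc ntpd_enable="YES"
# ntpdate against 127.0.0.1 runs before ntpd is up and therefore never syncs anything;
# let ntpd step the clock itself at start (ntpd -g) instead.
sysrc ntpdate_enable="NO"
sysrc ntpd_sync_on_start="YES"
service ntpd start

==== Включение NAT ====

# net.inet.ip.forwarding=1 at boot; required for the port forwards in "fw" to be
# routed on to ${ToIP}.
sysrc gateway_enable="YES"

===== fw =====

#!/bin/sh
# Production ruleset. ipfw.ko defaults to deny (rule 65535), so anything neither
# allowed nor NATed below is dropped. rc.d/ipfw runs this file with /bin/sh.
# NOTE: "ipfw -q" hides parse errors -- a rule that fails to parse is silently not
# installed and the script carries on. Check "ipfw list" after loading.
cmd="/sbin/ipfw -q"
$cmd -f flush

# Interface we listen on and its public address
WAN="igb0"
IP="51.51.51.51"
# Host that the forwarded ports are redirected to
ToIP="163.33.33.3"
# Per-source-address connection limit for the forwarded ports. This MUST be set:
# with an empty ${LIM} every "limit src-addr ${LIM}" rule fails to parse and is
# not installed, so the forwards it guards silently disappear.
LIM="30"

# A packet accepted by a nat rule leaves the ruleset at once instead of being
# re-evaluated from the following rule.
$cmd enable one_pass

$cmd add allow all from any to any via lo0
$cmd add deny all from any to 127.0.0.0/8
$cmd add deny all from 127.0.0.0/8 to any
# drops every non-first fragment; this also breaks legitimate large UDP datagrams
$cmd add deny all from any to any frag
#$cmd add check-state
#$cmd add allow tcp from any to any established
#$cmd add allow all from any to any out keep-state

# table admin: management sources
$cmd table admin create missing
$cmd table admin add 46.160.11.11
$cmd table admin add 109.111.64.0/19
# ssh to admin
$cmd add allow ip from "table(admin)" to me 22

# table bad boys
$cmd table badb create missing
# NOTE(review): only traffic addressed to this host is blocked; the forwarded ports
# below stay reachable from these sources. Use "to any" if they should be banned
# from the forwards as well.
$cmd add deny ip from "table(badb)" to me

# Traffic originated by this host (pkg, ntpd udp/123, DNS, ssh replies to admins).
# Previously the only return path for the host's own connections was the NAT rules
# further down, so ntpd (configured above) and pkg had no working rule. The dynamic
# rule admits the replies; tighten "to any" to specific ports if an egress policy
# for the gateway itself is required.
$cmd add check-state
$cmd add allow ip from me to any out keep-state

# dns -- resolver source port pinned to 53, so an arbitrary UDP stream from these
# (spoofable) addresses is not admitted wholesale
DNS="8.8.8.8,1.1.1.1"
$cmd add allow udp from ${DNS} 53 to ${IP} in via ${WAN}
$cmd add allow udp from ${IP} to ${DNS} 53 out via ${WAN}

# HTTP && HTTPS
#$cmd add allow tcp from any to me 443 in limit src-addr 80
#$cmd add allow tcp from any to me 80 in limit src-addr 80

# Ping from admins
$cmd add allow icmp from "table(admin)" to me in icmptype 8
$cmd add allow icmp from me to "table(admin)" out icmptype 0,8
# allow ping: the host answers echo requests from any source (deliberate)
$cmd add allow icmp from me to any out icmptype 0,8
$cmd add allow icmp from any to me in icmptype 0,8

# NAT: inbound port forwards to ${ToIP}. Matching packets are accepted by the nat
# rule itself (one_pass), so "limit src-addr" is the only per-source control here.
# ssh in
# NOTE(review): the forwarded ssh port is reachable from any source, unlike the
# gateway's own :22 which is restricted to table(admin); consider the same table here.
$cmd add nat 1 tcp from any to any 22022 in via ${WAN}
# replies from the forward target, e.g. TCP 163.172.255.167:22 51.159.5.135:49795 in via igb0
$cmd add nat 1 tcp from ${ToIP} to ${IP} in via ${WAN}
$cmd add nat 1 tcp from any to any 29000 in limit src-addr ${LIM} via ${WAN}
$cmd add nat 1 tcp from any to any 29001 in limit src-addr ${LIM} via ${WAN}
$cmd add nat 1 tcp from any to any 29002 in limit src-addr ${LIM} via ${WAN}
$cmd add nat 1 tcp from any to any 29003 in limit src-addr ${LIM} via ${WAN}
$cmd add nat 1 tcp from any to any 32550 in limit src-addr ${LIM} via ${WAN}

# The port redirects themselves
$cmd nat 1 config log if ${WAN} same_ports reset \
  redirect_port tcp ${ToIP}:22 22022 \
  redirect_port tcp ${ToIP}:29000 29000 \
  redirect_port tcp ${ToIP}:29001 29001 \
  redirect_port tcp ${ToIP}:29002 29002 \
  redirect_port tcp ${ToIP}:29003 29003 \
  redirect_port tcp ${ToIP}:32550 32550

#Deny TCP 46.160.11.108:39844 51.159.5.135:29000 in via igb0
# The allow below appears unreachable once LIM is set: a packet to 29000 is either
# accepted by the nat rule above (one_pass) or dropped by it when the src-addr
# limit is exceeded. It was only ever hit while ${LIM} was empty and the nat rule
# had failed to install -- and then it accepted the packet on the gateway itself
# instead of redirecting it. Left here commented for reference.
#$cmd add allow tcp from any to any 29000 in via ${WAN}

# TCP 195.3.134.136:4851 163.172.255.167:31002 out via igb0
$cmd add nat 1 tcp from any to any out via ${WAN}
# 188.191.23.31:49773 163.172.255.167:22 out via igb0
$cmd add nat 1 ip from any to ${ToIP} 22 out via ${WAN}
# TCP 51.159.5.135:22 46.160.11.108:53529 out via igb0
$cmd add nat 1 ip from ${IP},${ToIP} 22 to any out via ${WAN}
#TCP 163.172.255.167:22 188.191.23.31:49789 out via igb0
#$cmd add nat 1 ip from ${ToIP} 22 to any out via ${WAN}
#---------------------------
# nat - debug
# $cmd add nat 1 log tcp from any to any via ${WAN}
#---------------------------

# Explicit, logged default deny so drops are visible with firewall_logging="YES"
# (the implicit rule 65535 denies too, but does not log).
$cmd add deny log all from any to any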