Содержание

Настройка ipfw на сервере FreeBSD.

Включение ipfw без пересборки ядра

Подготовка и настройка ОС

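# Russian console keymap and locale for root.
# Guarded with grep so re-running the snippet does not append duplicate
# lines to loader.conf and the profile files.
sysrc keymap="ru"
grep -q '^kern.vty=' /boot/loader.conf ||
  printf '%s\n' '# RUS' 'kern.vty=vt' >> /boot/loader.conf

# Put root in the "russian" login class (LANG/charset are then set at login
# from login.conf). The class exists in the stock /etc/login.conf; if that
# file is ever edited, `cap_mkdb /etc/login.conf` must be run or the edit
# is invisible to login(1).
pw usermod -n root -L russian

# Shell environment for every login shell, plus root's own profile.
# EDITOR points at nano, which is only installed further down by pkg.
grep -q '^LANG=ru_RU.UTF-8' /etc/profile ||
  printf '%s\n' '# RUS' 'LANG=ru_RU.UTF-8' 'export LANG' \
    'MM_CHARSET=UTF-8' 'export MM_CHARSET' \
    'export EDITOR=/usr/local/bin/nano' >> /etc/profile
grep -qs '^export EDITOR=/usr/local/bin/nano' /root/.profile ||
  echo 'export EDITOR=/usr/local/bin/nano' >> /root/.profile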
 
 
 
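# Base tooling. `pkg upgrade` is left interactive on purpose: review the
# transaction (and what pulls it in) before accepting.
pkg update && pkg upgrade

pkg install -y mc nano rsync tmux bash htop bind-tools

# Switch root's login shell to bash -- only if the binary actually exists.
# CAVEAT: /usr/local/bin/bash is a package, not part of the base system.
# If /usr/local is a separate filesystem that is not mounted in single-user
# mode, or the package is removed or broken mid-upgrade, root cannot log in.
# The conservative FreeBSD practice is to leave root on /bin/sh and give
# the `toor` account (also uid 0) the packaged shell instead.
if [ -x /usr/local/bin/bash ]; then
  chsh -s /usr/local/bin/bash root
else
  echo 'bash is not installed; root shell left unchanged' >&2
fi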

Включение ipfw

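# ipfw as loadable modules (no kernel rebuild, per the section title).
# Guarded so a second run does not append the block twice.
# NOTE: as soon as ipfw.ko is loaded, kernel rule 65535 is
# "deny ip from any to any" (net.inet.ip.fw.default_to_accept=0). If the
# firewall_script later fails to install any rules, a remote host is cut
# off -- keep console access for the first reboot with ipfw enabled.
grep -q '^ipfw_load=' /boot/loader.conf || echo '# IPFW
ipfw_load="YES"
ipfw_nat_load="YES"
# PIPE + dummynet
ipdivert_load="YES"
dummynet_load="YES"
ng_pipe_load="YES"
# SETFIB
net.fibs="4"' >> /boot/loader.conf

# firewall_logif is an rc.conf(5) knob (rc.d/ipfw creates the ipfw0
# pseudo-interface so logged packets can be captured with tcpdump);
# placed in loader.conf it is silently ignored, so it goes here instead.
sysrc firewall_logif="YES"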

Временный скрипт ipfw для первой загрузки (пропускает весь трафик, чтобы не потерять доступ к серверу)

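# Bootstrap firewall, loaded on the first reboot after ipfw.ko appears.
# It is deliberately PERMISSIVE: the last real rule is "allow all", so the
# admin-table SSH restriction above it is not enforced and the trailing
# deny-log can never fire. Its only job is to give ipfw a valid rule set so
# that kernel rule 65535 (deny all) does not lock the host out before the
# real policy (ipfw.sh, further down) is installed. Replace it; do not
# leave it in place.
#
# rc.d/ipfw runs firewall_script with /bin/sh whatever the shebang says;
# /bin/sh is used here so that running the file by hand does not depend on
# a package shell under /usr/local (the rules use no bash syntax).
echo '#!/bin/sh

cmd="/sbin/ipfw -q"
$cmd -f flush

$cmd disable one_pass
$cmd add allow all from any to any via lo0
$cmd add deny all from any to 127.0.0.0/8
$cmd add deny all from 127.0.0.0/8 to any
$cmd add deny all from any to any frag

# ssh: sources allowed to reach port 22. These are private placeholder
# ranges -- put the real admin networks here before removing the
# catch-all allow at the bottom.
$cmd table admin create missing
$cmd table admin add 10.1.1.0/24
$cmd table admin add 192.168.10.0/24

$cmd add check-state
#$cmd add allow tcp from any to any established
$cmd add allow all from any to any out keep-state

$cmd add allow ip from "table(admin)" to me 22

# Ping
$cmd add allow icmp from "table(admin)" to me in icmptype 8
$cmd add allow icmp from me to "table(admin)" out icmptype 0,8

# BOOTSTRAP ONLY: accept everything else. Remove this line once the admin
# table holds the real networks; the deny-log below then becomes the policy.
$cmd add allow all from any to any
$cmd add deny log all from any to any' > /etc/ipfw.script

sysrc firewall_enable="YES"
sysrc firewall_script="/etc/ipfw.script"
# firewall_logging=YES sets net.inet.ip.fw.verbose=1 so "log" rules write
# to syslog (/var/log/security). Nothing is logged while the catch-all
# allow above is still present.
sysrc firewall_logging="YES"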

NTPd

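# ntpd: client-only configuration. Overwrites any existing /etc/ntp.conf.
echo '# NTP

server ntp.ix.ru iburst maxpoll 9 prefer
server ntp2.aas.ru iburst maxpoll 9
server 0.freebsd.pool.ntp.org iburst maxpoll 9
server 1.freebsd.pool.ntp.org iburst maxpoll 9

# Default policy: ignore everything, then open only localhost and the
# configured upstreams. Under "restrict default ignore" a "server" without
# a matching "restrict" line is never answered -- 1.freebsd.pool.ntp.org
# was configured above but had no restrict entry, so it was unusable.
restrict default ignore

restrict 127.0.0.1
restrict ntp.ix.ru
restrict ntp2.aas.ru
restrict 0.freebsd.pool.ntp.org
restrict 1.freebsd.pool.ntp.org
# NOTE: restrict-by-hostname is resolved once at startup, so for the
# round-robin pool names the "server" and "restrict" lines may resolve to
# different addresses. If a pool upstream never reaches "reach 377" in
# ntpq -p, switch those entries to the "pool" directive, which adds the
# restriction automatically.
interface ignore wildcard
interface listen igb0

logfile /var/log/ntp.log
driftfile /var/db/ntp.drift
' > /etc/ntp.conf

# Both files must be writable by the account ntpd runs as. NOTE(review):
# recent FreeBSD starts ntpd unprivileged when it can (ntpd_user); if the
# drift file stays empty or nothing is logged, check ownership with ls -l.
touch /var/db/ntp.drift
touch /var/log/ntp.log

sysrc ntpd_enable="YES"
# Initial clock step: ntpdate against 127.0.0.1 cannot work at boot because
# rc.d/ntpdate runs BEFORE ntpd, so nothing is listening yet. Use ntpd -g
# instead (one large step at start, normal slewing afterwards).
sysrc ntpd_sync_on_start="YES"
sysrc ntpdate_enable="NO"

service ntpd start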

Включение маршрутизации (forwarding) для NAT; сам NAT настраивается в скрипте ipfw ниже

# Turn on IP forwarding between interfaces (net.inet.ip.forwarding=1 at
# boot). This only makes the host route packets; the address/port
# translation itself is done by the "nat" rules in the ipfw script.
sysrc gateway_enable=YES

Рабочий скрипт ipfw: NAT и проброс портов

ipfw.sh
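#!/usr/local/bin/bash
#
# Production ipfw policy for the relay box: admin-only SSH/ICMP to the host
# itself, stateless DNS, and ipfw nat port-forwarding of a fixed port list
# to ${ToIP}. rc.d/ipfw executes firewall_script with /bin/sh regardless of
# the shebang, so keep this file POSIX-sh compatible (it is today).
#
# Evaluation notes:
#  - one_pass is enabled: a packet accepted by a "nat" rule leaves the rule
#    set right there, so the nat rules double as allow rules.
#  - check-state/keep-state are off; every direction needs its own rule.
#  - anything unmatched hits the explicit deny-log at the end, and would
#    otherwise hit kernel rule 65535 "deny ip from any to any".
#  - NOTE(review): there is no rule for replies to TCP sessions that THIS
#    host opens (pkg, ntp is UDP and covered separately): the reply arrives
#    "in via igb0" to ${IP} on an ephemeral port and matches nothing. If
#    the box needs outbound TCP of its own, add "$cmd add check-state" near
#    the top and "$cmd add allow tcp from me to any out via ${WAN} setup
#    keep-state" before the outbound nat rules.

cmd="/sbin/ipfw -q"
# shellcheck disable=SC2086  # $cmd is deliberately word-split into "ipfw -q"
$cmd -f flush

# Interface we listen on and its public address
WAN="igb0"
IP="51.51.51.51"

# Host the ports are forwarded to (reached through the same WAN interface)
ToIP="163.33.33.3"

# Per-source concurrent-connection cap for the forwarded services
LIM="30"

$cmd enable one_pass
$cmd add allow all from any to any via lo0
$cmd add deny all from any to 127.0.0.0/8
$cmd add deny all from 127.0.0.0/8 to any
# Fragments are dropped outright; if a relayed service carries large
# datagrams this is where they will show up in the deny log.
$cmd add deny all from any to any frag

# Stateful rules intentionally disabled (see the bootstrap script).
#$cmd add check-state
#$cmd add allow tcp from any to any established
#$cmd add allow all from any to any out keep-state

# table admin: sources allowed to reach this host on 22 and with ping
$cmd table admin create missing
$cmd table admin add 46.160.11.11
$cmd table admin add 109.111.64.0/19

# ssh to admin
$cmd add allow ip from "table(admin)" to me 22

# table badb: blocklist for the host itself. It sits AFTER the admin rule
# on purpose, so an address listed in both can never lock the admins out.
# It does not cover the forwarded ports, which the nat rules accept.
$cmd table badb create missing
$cmd add deny ip from "table(badb)" to me

# dns: stateless, UDP only, pinned to two resolvers. TCP/53 (large answers,
# DNSSEC) is not permitted -- add it if lookups start failing.
DNS="8.8.8.8,1.1.1.1"
$cmd add allow udp from ${DNS} to ${IP} in via ${WAN}
$cmd add allow udp from ${IP} to ${DNS} out via ${WAN}

# HTTP && HTTPS (not served here; kept as a template)
#$cmd add allow tcp from any to me 443 in limit src-addr 80
#$cmd add allow tcp from any to me 80 in limit src-addr 80

# Ping from admins (shadowed by the world-open pair just below; kept so the
# admin rules remain first if the open pair is removed later)
$cmd add allow icmp from "table(admin)" to me in icmptype 8
$cmd add allow icmp from me to "table(admin)" out icmptype 0,8

# allow ping from anywhere
$cmd add allow icmp from me to any out icmptype 0,8
$cmd add allow icmp from any to me in icmptype 0,8

# NAT -- inbound side
# ssh in: relayed SSH, ${IP}:22022 -> ${ToIP}:22. NOTE(review): unlike the
# other forwards this one has no per-source limit and is open to the whole
# Internet; consider "from table(admin)" or "limit src-addr ${LIM}" here.
$cmd add nat 1 tcp from any to any 22022 in via ${WAN}
# Replies from the forward target. (Log line that motivated the rule:
# TCP 163.172.255.167:22 51.159.5.135:49795 in via igb0)
$cmd add nat 1 tcp from ${ToIP} to ${IP} in via ${WAN}

$cmd add nat 1 tcp from any to any 29000 in limit src-addr ${LIM} via ${WAN}
$cmd add nat 1 tcp from any to any 29001 in limit src-addr ${LIM} via ${WAN}
$cmd add nat 1 tcp from any to any 29002 in limit src-addr ${LIM} via ${WAN}
$cmd add nat 1 tcp from any to any 29003 in limit src-addr ${LIM} via ${WAN}
$cmd add nat 1 tcp from any to any 32550 in limit src-addr ${LIM} via ${WAN}

# The actual port redirections (nat instance 1). "log" here is the nat
# instance log, separate from rule-level "log".
$cmd nat 1 config log if ${WAN} same_ports reset  \
  redirect_port tcp ${ToIP}:22 22022 \
  redirect_port tcp ${ToIP}:29000 29000 \
  redirect_port tcp ${ToIP}:29001 29001 \
  redirect_port tcp ${ToIP}:29002 29002 \
  redirect_port tcp ${ToIP}:29003 29003 \
  redirect_port tcp ${ToIP}:32550 32550

# Added after seeing "Deny TCP 46.160.11.108:39844 51.159.5.135:29000 in
# via igb0" in the log. NOTE(review): a packet only reaches this rule if
# the 29000 nat rule above did not take it (the log line does not say why;
# the per-source limit is one candidate). Accepting it here delivers it
# UNtranslated to this host, not to ${ToIP}, and quietly bypasses the
# limit. Confirm it is still needed.
$cmd add allow tcp from any to any 29000 in via ${WAN}

# NAT -- outbound side
# All TCP leaving via WAN, e.g.
# TCP 195.3.134.136:4851 163.172.255.167:31002 out via igb0
$cmd add nat 1 tcp from any to any out via ${WAN}

# e.g. 188.191.23.31:49773 163.172.255.167:22 out via igb0
# (largely shadowed by the catch-all tcp rule above; kept for non-TCP)
$cmd add nat 1 ip from any to ${ToIP} 22 out via ${WAN}

# e.g. TCP 51.159.5.135:22 46.160.11.108:53529 out via igb0
$cmd add nat 1 ip from ${IP},${ToIP} 22 to any out via ${WAN}
#TCP 163.172.255.167:22 188.191.23.31:49789 out via igb0
#$cmd add nat 1 ip from ${ToIP} 22 to any out via ${WAN}

# Explicit end of policy. Without this the drop still happens at kernel
# rule 65535, but unlogged and dependent on net.inet.ip.fw.default_to_accept
# staying 0. Needs firewall_logging=YES (net.inet.ip.fw.verbose=1) to reach
# syslog; tune net.inet.ip.fw.verbose_limit if it gets noisy.
$cmd add deny log all from any to any

#---------------------------
# nat - debug
# $cmd add nat 1 log tcp from any to any via ${WAN}
#---------------------------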