Записки старого админа

HomeRouter# cat /etc/firewall.conf
#!/bin/sh
###My_firewall: /etc/firewall.conf
ipfw="/sbin/ipfw -q"
Local="fxp0"
Local_ip="10.10.1.1"
Inet="rl0"
Inet_ip="80.115.29.*"
Inet_gw="80.115.29.*"
admins="85.44.13.*,193.106,22,*"
 
${ipfw} flush
${ipfw} pipe flush
${ipfw} queue flush
 
##mrtg_count
${ipfw} add 50 count ip from any to any in via ${Inet}
${ipfw} add 51 count ip from any to any out via ${Inet}
${ipfw} add 52 count ip from any to any in via ${Local}
${ipfw} add 53 count ip from any to any out via ${Local}
###Форвардинг пакетов на шлюз, это правило нужно тогда, когда на сервере более 2х каналов.
#${ipfw} add 101 fwd ${Inet_gw} ip from ${Inet_ip} to any 
###Open_interface-lo0_and_deny_loockup_to_any
${ipfw} add 201 allow ip from any to any via lo0
${ipfw} add 202 deny ip from any to 127.0.0.1
${ipfw} add 203 deny ip from 127.0.0.1 to any
###Deny_mysql_port_on_world
${ipfw} add 301 deny tcp from me 3306 to any not dst-ip 127.0.0.1,${Local_ip}/24
${ipfw} add 302 deny tcp from any 3306 to me not src-ip 127.0.0.1,${Local_ip}/24
###Deny_other_not_using
${ipfw} add 303 deny ip from any to 0.0.0.0/8 in via ${Inet}
${ipfw} add 304 deny ip from any to 169.254.0.0/16 in via ${Inet}
${ipfw} add 305 deny ip from any to 240.0.0.0/4 in via ${Inet}
${ipfw} add 306 deny icmp from any to any frag
${ipfw} add 307 deny log icmp from any to 255.255.255.255 in via ${Inet}
${ipfw} add 308 deny log icmp from any to 255.255.255.255 out via ${Inet}
###Deny_other_any_not_using
${ipfw} add 309 deny ip from 10.2.0.0/16 to any via ${Inet}
${ipfw} add 310 deny ip from 10.195.0.0/16 to any via ${Inet}
${ipfw} add 311 deny ip from any to 10.2.0.0/16 via ${Inet}
${ipfw} add 312 deny ip from any to 10.195.0.0/16 via ${Inet}
###QoS
${ipfw} pipe 1 config bw 512Kbit/s queue 50kbytes
${ipfw} queue 1 config pipe 1 weight 5
${ipfw} queue 2 config pipe 1 weight 10
${ipfw} queue 3 config pipe 1 weight 45
${ipfw} queue 4 config pipe 1 weight 55
${ipfw} queue 5 config pipe 1 weight 95
${ipfw} queue 6 config pipe 1 weight 15
 
${ipfw} add 401 queue 5 tcp from ${Inet_ip} 22 to any via ${Inet}
${ipfw} add 402 queue 5 tcp from ${Inet_ip} 3389,5901 to any via ${Inet}
${ipfw} add 403 queue 4 udp from ${Inet_ip} 53 to any via ${Inet}
${ipfw} add 404 queue 4 udp from ${Inet_ip} 123 to any via ${Inet}
${ipfw} add 405 queue 3 tcp from ${Inet_ip} 25,110,43,143 to any via ${Inet}
${ipfw} add 406 queue 2 tcp from ${Inet_ip} 80 to any via ${Inet}
${ipfw} add 407 queue 1 tcp from ${Inet_ip} 20,21 to any via ${Inet}
${ipfw} add 408 queue 1 tcp from ${Inet_ip} 137-138,445 to any via ${Inet}
${ipfw} add 409 queue 6 icmp from ${Inet_ip} to any icmptypes 0,8,11 via ${Inet}
###
${ipfw} add 501 allow icmp from ${Inet_ip} to any icmptypes 0,8,11
${ipfw} add 502 allow tcp from ${Inet_ip} 53 to any via ${Inet}
${ipfw} add 502 allow udp from ${Inet_ip} 53 to any via ${Inet}
${ipfw} add 504 allow udp from ${Inet_ip} 123 to any via ${Inet}
${ipfw} add 505 allow tcp from ${Inet_ip} 20,21 to any  via ${Inet}
${ipfw} add 506 allow tcp from ${Inet_ip} 80 to any  via ${Inet}
${ipfw} add 507 allow tcp from ${Inet_ip} 25 to any via ${Inet}
${ipfw} add 508 allow tcp from ${Inet_ip} 22,23,3389,5901-5909 to any via ${Inet}
${ipfw} add 509 allow tcp from ${Inet_ip} 143 to any via ${Inet}
${ipfw} add 510 allow tcp from ${Inet_ip} 110 to any via ${Inet}
${ipfw} add 511 allow tcp from ${Inet_ip} 443 to any via ${Inet}
${ipfw} add 512 allow tcp from ${Inet_ip} 43,63 to any via ${Inet}
###admin_IP
${ipfw} add 513 allow ip from ${Inet_ip} to ${admins} 
 
${ipfw} add 601 divert 8668 ip from ${Local_ip}/24 to any out via rl0
${ipfw} add 602 divert 8668 ip from any to me in via ${Inet}
 
${ipfw} add 605 allow ip from any to any via lo0
${ipfw} add 605 deny ip from any to 127.0.0.1
${ipfw} add 605 deny ip from 127.0.0.1 to any
 
${ipfw} pipe 2 config bw 16KByte/s queue 12kbytes
 
${ipfw} add 701 pipe 2 all from any to ${Local_ip}/24  via ${Inet} not src-ip ${Local_ip},${Inet_ip}
${ipfw} add 702 pipe 2 all from ${Local_ip}/24 to any via ${Inet} not dst-ip ${Local_ip},${Inet_ip}
 
${ipfw} add 703 queue 5 tcp from any to ${Inet_ip} 22 via ${Inet}
${ipfw} add 703 queue 5 tcp from any to ${Inet_ip} 3389,5901 via ${Inet}
${ipfw} add 703 queue 4 udp from any to ${Inet_ip} 53 via ${Inet}
${ipfw} add 703 queue 4 udp from any to ${Inet_ip} 123 via ${Inet}
${ipfw} add 703 queue 3 tcp from any to ${Inet_ip} 25,110,43,143 via ${Inet}
${ipfw} add 703 queue 2 tcp from any to ${Inet_ip} 80 via ${Inet}
${ipfw} add 703 queue 1 tcp from any to ${Inet_ip} 20,21 via ${Inet}
${ipfw} add 703 queue 1 tcp from any to ${Inet_ip} 137-138,445 via ${Inet}
${ipfw} add 703 queue 6 icmp from any to ${Inet_ip} icmptypes 0,8,11 via ${Inet}
###
${ipfw} add 705 allow ip from any to ${Inet_ip} via ${Inet}
${ipfw} add 706 pass all from ${Inet_ip} to any via ${Inet}
${ipfw} add 707 pass all from any to ${Local_ip}/24 via ${Inet}
${ipfw} add 708 pass all from ${Local_ip}/24 to any via ${Inet}
${ipfw} add 709 pass all from any to ${Local_ip}/24 via ${Local}
${ipfw} add 710 pass all from ${Local_ip}/24 to any via ${Local}
${ipfw} add 711 allow all from any to any established
${ipfw} add 712 deny all from any to any
${ipfw} add 713 allow tcp from any to me 22 via rl0
${ipfw} add 714 allow tcp from me 22 to any via rl0