Вот мой порядок действий по вышеописанной проблеме:
# cd /usr/src/sys/i386/conf/
# cp GENERIC MYKERNEL
редактируем MYKERNEL
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=500
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
собираем и компилим
# cd /usr/src/
# make buildkernel KERNCONF=MYKERNEL
# make installkernel KERNCONF=MYKERNEL
# shutdown -r now
правим /etc/rc.conf
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_logging="YES"
natd_enable="YES"
natd_program="/sbin/natd"
natd_flags="-f /etc/natd.conf"
# vi /etc/rc.ipfw
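#!/bin/sh
# Manual ipfw ruleset, started from rc.conf via firewall_script="/etc/rc.ipfw".
# Builds a default-deny ruleset: the LAN on rl0 reaches the outside through
# natd on rl1; only replies on established TCP sessions, DNS answers and a
# few ICMP types are let back in.
printf '%s' "Starting firewall..."

ipfw="/sbin/ipfw"
uports="1025-65535"          # unprivileged client port range
int_if="rl0"                 # LAN interface
ext_if="rl1"                 # uplink interface
int_ip="192.168.0.5"         # LAN address of this host (not referenced by the rules below)
ext_ip="195.x.x.0"           # public address (placeholder as given by the author)
# A bare address in ipfw matches that single host only, so "192.168.0.0"
# without a prefix length never matched the LAN and all LAN traffic fell
# through to the final deny. /24 is assumed from int_ip — TODO confirm.
int_net="192.168.0.0/24"
ext_net="195.х.х.85"         # NOTE(review): unused; value looks swapped with ext_ip and contains Cyrillic "х"
for_lan="smtp,pop3,domain,http,https,ftp,ssh"
for_rout="smtp,pop3,domain,http,https,ftp,ssh"
Services="smtp,pop3,http,https,domain,ssh,ftp"

# Start from an empty table so re-running the script does not append a
# second copy of every rule.
"$ipfw" -f flush

# Loopback traffic is allowed on lo0; loopback addresses must never be a
# destination elsewhere. (The author asked whether the first rule is
# correct: it is the usual first rule of a FreeBSD ruleset.)
"$ipfw" add allow all from any to any via lo0
"$ipfw" add deny all from any to 127.0.0.0/8
# Anti-spoofing on the uplink: loopback and RFC 1918 sources cannot arrive
# legitimately from outside. The /8, /12 and /16 masks cover the whole
# ranges; without them each rule matched exactly one address.
"$ipfw" add deny all from 127.0.0.0/8 to any in recv "$ext_if"
"$ipfw" add deny all from 10.0.0.0/8 to any in recv "$ext_if"
"$ipfw" add deny all from 172.16.0.0/12 to any in recv "$ext_if"
"$ipfw" add deny all from 192.168.0.0/16 to any in recv "$ext_if"
# The LAN side is trusted in both directions.
"$ipfw" add allow all from "$int_net" to any in recv "$int_if"
"$ipfw" add allow all from any to "$int_net" out xmit "$int_if"
# NAT: LAN traffic leaving the uplink and everything arriving for ext_ip
# is diverted to natd (rewritten before the rules below see it).
"$ipfw" add divert natd all from "$int_net" to not "$int_net" out xmit "$ext_if"
"$ipfw" add divert natd all from any to "$ext_ip" in recv "$ext_if"
# Outbound TCP to the listed services; replies come back to the router
# itself or, after natd rewrote the destination, to the LAN.
# "established" only checks TCP flags (no connection tracking), so these
# rules admit any ACK-flagged segment from the listed source ports.
"$ipfw" add allow tcp from "$ext_ip" "$uports" to any "$Services" out xmit "$ext_if"
"$ipfw" add allow tcp from any "$for_lan" to "$int_net" "$uports" in recv "$ext_if" established
"$ipfw" add allow tcp from any "$for_rout" to "$ext_ip" "$uports" in recv "$ext_if" established
# DNS over UDP: queries out, answers back to the router or the LAN.
"$ipfw" add allow udp from "$ext_ip" "$uports" to any domain out xmit "$ext_if"
"$ipfw" add allow udp from any domain to "$ext_ip" "$uports" in recv "$ext_if"
"$ipfw" add allow udp from any domain to "$int_net" "$uports" in recv "$ext_if"
# ICMP in: echo reply, unreachable, source quench, time exceeded, parameter
# problem. ICMP out: unreachable, echo request, parameter problem.
"$ipfw" add allow icmp from any to me icmptypes 0,3,4,11,12 in
"$ipfw" add allow icmp from any to "$int_net" icmptypes 0,3,4,11,12 in recv "$ext_if"
"$ipfw" add allow icmp from me to any icmptypes 3,8,12 out
# High-port to high-port TCP (e.g. passive FTP data): out, and established
# replies back in to the router or the LAN.
"$ipfw" add allow tcp from "$ext_ip" "$uports" to any "$uports" out xmit "$ext_if"
"$ipfw" add allow tcp from any "$uports" to "$ext_ip" "$uports" in recv "$ext_if" established
# The original used an undefined $vip_net here, which expanded to nothing
# and left ipfw an unparsable rule; by analogy with the rules above the
# intended destination is the LAN.
"$ipfw" add allow tcp from any "$uports" to "$int_net" "$uports" in recv "$ext_if" established
# Log and drop new inbound connection attempts on the uplink, then drop
# everything else explicitly, whatever the kernel's compiled-in default.
"$ipfw" add deny log logamount 700 tcp from any to "$ext_ip" in recv "$ext_if" setup
"$ipfw" add deny all from any to any
printf '%s\n' "DONE"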
/var/named/namedb/etc/named.conf :
forwarders 192.168.0.сервер .. ЗДЕСЬ КАКОЙ СЕРВАК ПИСАТЬ???
/etc/resolv.conf :
nameserver 127.0.0.1
/etc/rc.conf
named_enable="YES"
Все верно???