docs/166482: Chapter about IPFW in russian handbook (27.6)

Vladimir tinkae.kel at gmail.com
Thu Mar 29 08:50:09 UTC 2012


>Number:         166482
>Category:       docs
>Synopsis:       Chapter about IPFW in russian handbook (27.6)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 29 08:50:09 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Vladimir
>Release:        8.2
>Organization:
>Environment:
all platforms
>Description:
For now, there is no chapter about IPFW in the Russian handbook. In the .ru net there exist some translations of this chapter, but they are pretty poor and complicated for perception.

>How-To-Repeat:
Go to http://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/firewalls-ipfw.html
There is no Russian chapter about IPFW
>Fix:
With a colleague we've done this job for our internal use. In my opinion, it sounds not bad; we're ready to send our version of the chapter in the Russian language.
File with a translation attached.

Patch attached with submission follows:

31.6 IPFW

IPFIREWALL (IPFW) is a firewall developed, sponsored and maintained by the FreeBSD association. It uses stateless rules and a legacy stateful rule-coding technique to achieve what is called simple stateful logic (on first reading, it is recommended not to dwell on the term "stateful", since the information needed to fully understand this term is given later).

A sample set of the simplest IPFW rules (found in /etc/rc.firewall and /etc/rc.firewall6) is included in the standard installation and is not expected to be used as is, without modification.

The stateless rule syntax of IPFW provides advanced selection capabilities that go far beyond the level of knowledge of the typical firewall user. IPFW is chosen by professional users or advanced computer hobbyists with demanding packet selection requirements. In-depth knowledge of how different protocols use and form their unique headers is required to use IPFW to its full power. Providing more detailed explanations is beyond the scope of this section of the handbook.

IPFW consists of seven components; the main one is the kernel-level filter rule processor, which includes packet accounting, logging of packet information to a log file, divert rules by which the NAT function is activated, and other special-purpose facilities such as traffic bandwidth limiting (dummynet), the fwd rule forwarding facility, bridging, and the ipstealth anti-traceroute facility. IPFW supports both IPv4 and IPv6.

31.6.1 Enabling IPFW

IPFW is included in the basic FreeBSD installation as a separate loadable module. The system dynamically loads the kernel module when rc.conf contains the line firewall_enable="YES".

After your system is rebooted with firewall_enable="YES" in rc.conf, the following message is displayed in white on the screen as part of the boot process:

ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled

The loadable module is compiled with support for logging traffic information. To enable logging of traffic information and set the verbosity level of what is written to the log, you can use the settings provided by the /etc/sysctl.conf configuration file. Adding the following two lines to /etc/sysctl.conf enables logging on subsequent boots:

net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5

31.6.2 Kernel Options

It is not necessary to put these options into the configuration file for a custom kernel build unless NAT functionality is required.
These options are presented here for reference for the examples that follow.

options IPFIREWALL

This option tells the compiler to include IPFW as part of the kernel (not loadable).

options    IPFIREWALL_VERBOSE

This option enables logging of packets that pass through IPFW by rules containing the log keyword.

options    IPFIREWALL_VERBOSE_LIMIT=5

Limits the number of packets logged via syslogd(8), counted from the first one. This option can be used in hostile environments where firewall activity still needs to be monitored. It prevents an attacker from causing a denial of service through syslogd.

options    IPFIREWALL_DEFAULT_TO_ACCEPT

This option tells the compiler to give IPFW a default-allow policy. This is convenient during the first attempts at configuring IPFW.

options IPDIVERT

This option diverts packets to user-level processing by applications, including the NAT functionality.

Note: the firewall will block all incoming and outgoing packets if the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option is not present or no rule explicitly allows these connections.

31.6.3 /etc/rc.conf Options

Enabling the firewall:

firewall_enable="YES"

To select one of the standard firewall types supplied with FreeBSD, find the most suitable one in /etc/rc.firewall and specify it as shown below:

firewall_type="open"

Available values for this option:

open -- passes all traffic.

client -- protects only this machine.

simple -- protects the whole network.

closed -- completely disables IP traffic except on the loopback interface.

UNKNOWN -- disables loading of the firewall rules.

filename -- absolute path of the file containing the firewall rules.

There are two ways to load custom rules for the ipfw firewall. The first is to set the firewall_type variable to the absolute path of a file containing ipfw firewall rules without the common ipfw command prefix. Below is a simple example of a rules file that blocks all incoming and outgoing traffic:

add deny in
add deny out

The second way is to set the firewall_script variable to the absolute path of an executable script containing ipfw commands to be run at boot time. The correct format of such a script must correspond to the rules file shown below:

#!/bin/sh
 
ipfw -q flush
 
ipfw add deny in
ipfw add deny out

Note: If firewall_type is set to client or simple, the default rules in /etc/rc.firewall must be adjusted to match the configuration of this machine. Keep in mind that in the examples in this chapter, firewall_script is set to /etc/ipfw.rules.

Enabling logging:
firewall_logging="YES"

Important: The only thing firewall_logging does is set the sysctl variable net.inet.ip.fw.verbose to 1 (see section 31.6.1). There is no rc.conf variable to limit logging, but the limit can be set through the sysctl variable manually or through the /etc/sysctl.conf configuration file:

net.inet.ip.fw.verbose_limit=5

If your machine acts as a gateway, i.e. provides network address translation (NAT) using natd, it makes sense to go straight to section 32.10 for details on the /etc/rc.conf options.

31.6.4 The IPFW Command

The ipfw executable is a general-purpose mechanism that allows rules to be added and removed manually while the firewall is active. The main problem with this method is that when the operating system is rebooted, all changes made with this command are lost. Instead, it is recommended to write all your rules to a file from which they are read at boot time or whenever ipfw is restarted.

Nevertheless, the ipfw command is useful when you need to display the current rule configuration. The IPFW accounting facility creates a counter for each rule that counts the packets matching the rule. While testing rules, listing the loaded rules together with their statistics is one way to check whether a rule is matched by the packets passing through it or not.

To list all rules:

# ipfw list

To list all rules with the timestamp of the last time each rule was matched:

# ipfw -t list

This command prints the accounting information in the following form:
- the first column is the rule number,
- the second column is the number of outgoing packets that matched the rule,
- the third column is the number of matching incoming packets,
- the fourth column is the rule itself.

# ipfw -a list

To list the dynamic rules together with the static ones:

# ipfw -d list

To list the static and dynamic rules, including expired ones:

# ipfw -d -e list

To zero the counters:

# ipfw zero

To zero the counter only for rule number NUM:

# ipfw zero NUM

31.6.5 IPFW Rules

A rule set is a group of rules that allow or deny packets passing through the firewall based on the values of key fields in the packet. The bidirectional exchange of packets between machines is a session. The firewall rule set processes packets arriving from the public Internet as well as packets leaving the system for the public Internet. Each TCP/IP service (i.e. telnet, www, mail, etc.) belongs to a particular protocol and a privileged (listening) port. Packets destined for a particular service originate from an unprivileged port (numbered above 1024) and are sent to the service's privileged port at the destination address. All these parameters (i.e. ports and addresses) can be used as selection criteria to create rules that pass or block services.

When a packet enters the firewall, it is compared against the first rule in the rule set and so on, proceeding from top to bottom in ascending rule-number order. When the packet matches the selection parameters of a rule, the action described in the rule is executed and the rule search ends. This search method is called "first match wins". If the packet matches none of the rules, it hits the built-in default rule, number 65535, which denies the packet and discards it without any response to the source.

Note: The search continues after rules using the count, skipto and tee keywords.

The instructions in the examples in this handbook are based on rules that include the stateful keywords keep-state, limit, in, out and via. These keywords are the basis for coding an inclusive (closed-type) firewall.

Warning: Be careful when working with the firewall rule set, since you may end up locking yourself out.

31.6.5.1 Rule Syntax

The rule syntax presented here has been simplified to what is needed to create a standard inclusive firewall rule set. For a complete description of the rule syntax, see the ipfw(8) manual page.

Rules contain keywords: these keywords are written in a specific linear order from left to right. Keywords in this handbook are written in bold. Some keywords have additional parameters, which may themselves be keywords and may also contain nested options.

The "#" character marks the start of a comment and may appear at the end of a rule line or at the beginning of a line of its own. Blank lines are ignored.

CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL

31.6.5.1.1 CMD

Each new rule begins with the add keyword, which adds the rule to the table.

31.6.5.1.2 RULE_NUMBER

Each rule is identified by a number in the range 1..65535.

31.6.5.1.3 ACTION

When a packet matches the selection criteria described in a rule, one of the following actions can be taken:

allow | accept | pass | permit

All of these allow packets that match the rule. The keywords listed above let packets pass through the firewall. If a packet matches a rule containing one of these keywords, the rule search stops.

check-state

Checks the packet against the dynamic rules table. If a match is found, the action of the dynamic rule, which was earlier generated by keep-state or limit, is applied to the packet. A check-state rule has no selection criteria. If there is no check-state rule in the rule set, the dynamic rules table is checked at the first occurrence of a keep-state or limit keyword.

deny | drop

These deny and discard packets that match a rule containing these keywords. If a packet matches a rule containing one of these keywords, the rule search stops.

31.6.5.1.4 LOGGING

log or logamount

When a packet matches a rule containing the log keyword, a message is sent to the syslogd(8) daemon with the SECURITY facility. Logging only happens while the number of times this rule with the log keyword has been matched has not exceeded the value given with the logamount keyword. If no logamount is specified, the limit set by the net.inet.ip.fw.verbose_limit sysctl variable is used. In both cases, a value of 0 removes the limit. Once the maximum number of log entries is reached, logging can be re-enabled by clearing the internal counters. This is done with the command ipfw reset log.

Note: Logging takes place after all other matching conditions in the rule have been checked and before the final action (allow/deny) is taken on the packet. This matters when deciding which rule actions you want to log.
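The rule search described above (first match wins, count rules pass the packet on, the built-in rule 65535, and the logamount / verbose_limit cap that ipfw reset log clears) as an added Python simulation; this is example code written for this page, not part of ipfw or of the handbook. The Packet and Rule classes, the simplified log message layout and the sample rule set in demo() are constructed stand-ins for the real kernel structures.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

DEFAULT_RULE = 65535   # the built-in deny rule every unmatched packet ends at
VERBOSE_LIMIT = 5      # stands in for the net.inet.ip.fw.verbose_limit sysctl


@dataclass
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IP address
    dst: str                      # destination IP address
    dport: Optional[int] = None   # destination port, None for icmp
    direction: str = "in"         # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str                        # "allow", "deny" or "count"
    proto: str = "all"                 # "all" or a protocol name
    src: str = "any"                   # "any", an address or address/prefix
    dst: str = "any"
    dport: Optional[int] = None        # None matches any port
    direction: Optional[str] = None    # None matches both in and out
    log: bool = False                  # the log keyword
    logamount: Optional[int] = None    # None falls back to VERBOSE_LIMIT
    packets: int = 0                   # accounting counter (ipfw -a list)
    logged: int = 0                    # messages already sent for this rule

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return addr_match(self.src, pkt.src) and addr_match(self.dst, pkt.dst)


def addr_match(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise a plain address or CIDR prefix."""
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


class Firewall:
    def __init__(self, rules: List[Rule]):
        # ipfw keeps the set ordered by rule number, whatever the add order
        self.rules = sorted(rules, key=lambda r: r.number)
        self.syslog: List[str] = []   # what would reach syslogd (SECURITY)

    def process(self, pkt: Packet) -> Tuple[int, str]:
        """Return (rule number, action) of the rule that decided the packet."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            rule.packets += 1
            if rule.log:                 # logging runs after the match test
                self._log(rule, pkt)     # and before the final action
            if rule.action == "count":
                continue                 # the search goes on past count rules
            return rule.number, rule.action   # first match wins
        return DEFAULT_RULE, "deny"           # nothing matched: built-in deny

    def _log(self, rule: Rule, pkt: Packet) -> None:
        limit = rule.logamount if rule.logamount is not None else VERBOSE_LIMIT
        if limit == 0 or rule.logged < limit:   # 0 means no limit
            rule.logged += 1
            # simplified message layout, not ipfw's exact syslog format
            self.syslog.append(f"ipfw: {rule.number} {rule.action.capitalize()} "
                               f"{pkt.proto.upper()} {pkt.src} {pkt.dst} {pkt.direction}")

    def reset_log(self) -> None:
        """Counterpart of 'ipfw reset log': logging resumes for every rule."""
        for rule in self.rules:
            rule.logged = 0


def demo():
    """Constructed rule set in the spirit of the chapter's inclusive firewall."""
    fw = Firewall([
        Rule(300, "deny", src="192.168.0.0/16", direction="in"),   # RFC 1918 source
        Rule(200, "allow", proto="tcp", dport=80, direction="out"),
        Rule(100, "count", proto="tcp"),                             # accounting only
        Rule(299, "deny", direction="out", log=True, logamount=2),   # catch-all out
    ])
    web = fw.process(Packet("tcp", "10.0.0.5", "203.0.113.10", 80, "out"))
    spoofed = fw.process(Packet("udp", "192.168.1.1", "10.0.0.5", 53, "in"))
    unmatched = fw.process(Packet("tcp", "203.0.113.10", "10.0.0.5", 22, "in"))
    for _ in range(3):   # three denials, but logamount=2 lets only two be logged
        fw.process(Packet("udp", "10.0.0.5", "203.0.113.10", 123, "out"))
    return fw, web, spoofed, unmatched
```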

31.6.5.1.5 SELECTION

The keywords described in this section are used to describe the criteria by which a packet is checked against a rule. The protocol selection keywords, in order of use:

udp | tcp | icmp

Protocol names from /etc/protocols may also be used. Any protocol name not listed in /etc/protocols is treated as an error.

from src to dst

The from and to keywords select by IP address. Both the source and the destination must be specified. any is a special keyword that matches any IP address. me is a special keyword that matches any IP address belonging to an interface of your FreeBSD system.
Examples of from src to dst selection criteria:
from me to any
from any to me
from 0.0.0.0/0 to any
from any to 0.0.0.0/0
from 0.0.0.0 to any
from any to 0.0.0.0
from me to 0.0.0.0
An IP address may be given either as a plain IP address or as an IP address with a subnet prefix. To simplify calculations with IP addresses, use the net-mgmt/ipcalc port. More details can be found at http://jodies.de/ipcalc.

port number

For protocols that support ports (tcp and udp), be sure to specify the port number of the corresponding service. A service name may be used instead of the port number. The list of supported names is in /etc/services.

in | out

Selects incoming or outgoing packets. One of these keywords is mandatory in the selection.

via IF

The via keyword selects by the interface named IF.

setup

This is a mandatory keyword that identifies a session start request for a TCP packet.

keep-state

When a rule with this keyword matches, the firewall creates a dynamic rule that passes packets in both directions for the protocol specified in the original rule between the source and destination also specified in the original rule. This is a mandatory keyword.

limit {src-addr | src-port | dst-addr | dst-port}

When a rule with this keyword matches, the firewall allows only N simultaneous connections with the set of parameters specified in the original rule. More than one source and destination may be specified. The limit and keep-state keywords cannot be used in the same rule, since limit is built on top of the keep-state functionality.

31.6.5.2 Stateful Rules Example

From the viewpoint of stateful filtering, all traffic is seen as a bidirectional packet exchange making up a session. Stateful filtering has the means to match and verify the correctness of the bidirectional exchange between the originating side and the receiving side. Any packets that do not fit the session template are automatically rejected as malicious.

The check-state keyword specifies the exact point at which a packet is checked against the dynamic rules.
If it matches one of the dynamic rules, the action associated with that rule is applied and the rule's lifetime counter is reset. Otherwise the packet continues through the regular rules, starting from the position below the check-state rule.

Dynamic rules are vulnerable to SYN flood attacks, which can create a huge number of dynamic rules. To counter such attacks, FreeBSD provides another keyword, limit.

31.6.5.3 Logging Firewall Messages

The logging capability is important and useful. With it you can review, after the fact, which packets were rejected, where they came from and where they were going, for those rules that have logging enabled. It is a great tool for tracking attacks on your system.

Even with logging enabled, no logging occurs unless a rule explicitly requests it. The firewall administrator decides which rules are logged by adding the log keyword to them. In most situations it is enough to log only deny events, for example denying incoming ICMP traffic. A common practice is to add a final rule that denies and logs all remaining traffic, even if similar rules already appeared earlier.
This is a convenient way to track the types of packets you did not write rules for.

Be very careful when using logging, since it can lead to a disproportionately large log file, up to filling the disk completely and making the log unreadable. DoS attacks aimed at filling the free disk space are among the oldest. Besides filling the disk, it is also unpleasant because syslogd output goes not only to the log file but also to the console, which interferes with working locally at the terminal.

The IPFIREWALL_VERBOSE_LIMIT=5 kernel option limits the number of consecutive messages sent to the syslogd system logger about packets matching a rule. When this option is compiled into the kernel, the number of consecutive messages for a given rule is capped at the specified number.

The IPFIREWALL_VERBOSE_LIMIT=5 kernel option limits the number of messages logged per individual rule. Once a rule with the log keyword has reached the maximum number of log entries set by IPFIREWALL_VERBOSE_LIMIT, further packets passing through that rule WILL NOT PRODUCE ANY LOG ENTRIES. If the syslogd daemon receives 200 identical log messages in a row, the log file will not contain all 200 messages; instead it will contain an entry like:
last message repeated 200 times

The path where syslogd writes messages with the SECURITY facility is set in /etc/syslog.conf; in the base FreeBSD system this path is /var/log/security.

31.6.5.4 Building a Rule Script

Most experienced IPFW users create a script containing the rules, written so that it can be run as an ordinary sh script. The main advantage of this approach is that it frees us from re-entering the rules by hand every time they need to be reloaded. This is extremely useful while developing and testing a rule set, since the whole rule list will most likely need to be reloaded frequently. In addition, it is often useful to declare a bulky phrase as a variable with a short name, which considerably shortens the rules and improves their readability, as in the example below.

The syntax of the example below is compatible with the sh, csh and tcsh shells. The value of a previously declared variable is referenced with the $ symbol. When assigning a value to a variable, the value must be enclosed in double quotes.

Here is an example to start from during your first experiments with IPFW:

############### start of example ipfw rules script #############
#
ipfw -q -f flush       # Flush all rules.
# Default settings.
oif="tun0"             # name of the external interface facing
                        # the public Internet.
odns="192.0.2.11"      # IP address of the ISP's DNS server.
cmd="ipfw -q add "     # common prefix for adding ipfw rules.
ks="keep-state"        # too lazy to type it every time.
$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
$cmd 00501 deny tcp from any to any established
$cmd 00600 allow tcp from any to any 80 out via $oif setup $ks
$cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks
$cmd 00611 allow udp from any to $odns 53 out via $oif $ks
################### End of example ipfw rules script ##########################

In this case, the rules themselves are not the point; they are written to show an example of substituting a variable's value by its name.

If this syntax is followed in /etc/ipfw.rules, the rules can be quickly reloaded with the command:

# sh /etc/ipfw.rules

The name and location of the script are not critical, but this path is the one used by default in FreeBSD.

All of the above could equally be done with equivalent commands entered one after another at the command line:

# ipfw -q -f flush 
# ipfw -q add check-state
# ipfw -q add deny all from any to any frag
# ipfw -q add deny tcp from any to any established
# ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state
# ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state
# ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state

31.6.5.5 Stateful Rule Set

The following rule set, which does not include NAT rules, is an example of how to create a simple yet secure inclusive firewall. An inclusive firewall allows the traffic described in its allow rules and blocks everything else. A firewall intended to protect network segments has at least two interfaces and allow rules for those two interfaces.

All Unix-like operating systems, including FreeBSD, use the lo0 interface and its IP address 127.0.0.1 for internal communication. The firewall rule set must contain rules allowing unrestricted traffic on this interface.

The interface connected to the Internet is where the rules that allow and control access for incoming and outgoing connections are placed. This may be a PPP tun0 tunnel interface or the network interface of a high-speed wired connection.

When one or more interfaces are connected to a LAN behind the firewall, there must be rules that allow unrestricted outgoing traffic from that interface.

Logically, the rules are divided into three major sections: interfaces not restricted by rules, outgoing rules on the external interface, and incoming rules on the external interface.

In each of the sections for the external interface, the rules should be ordered as follows: the most frequently used first, the least frequently used last. The last rule should block and log the traffic on that interface that did not match any of the previous rules.

The outgoing section on the external interface contains only allow rules, whose selection values uniquely identify the service that is allowed access to the Internet. Each rule consists of the proto, port, in/out, via and keep-state fields, some of which may optionally be omitted. Rules for tcp traffic contain the setup keyword, which identifies the start of a session and is then passed as a match condition into the keep-state table.

In the incoming section on the external interface, rules blocking unwanted packets should come first, for two reasons. First, packets crafted by an attacker may partially or fully match the allow rules. Second, packets that are known in advance to be of no interest can simply be rejected rather than caught and logged by the last rule. The last rule in each section blocks and logs all packets and can be used as legal evidence in proceedings against an attacker who attacked your system.

You should also make sure your server does not respond to any other form of unexpected traffic. Invalid packets should be dropped. As a result, attackers get no information about whether their packet reached your server or not. The less attackers know about your system, the better protected it is. If your knowledge of well-known port numbers is insufficient, it can be expanded with the contents of /etc/services and the list at http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers. We recommend reading the following link to learn about the well-known port numbers used by trojans: http://www.sans.org/security-resources/idfaq/oddports.php.

31.6.5.6 An Example Inclusive Rule Set

The following rules, which do not include NAT support, are a logically complete rule set for an inclusive firewall. With such a rule set you can be fairly confident in the security of your system. To avoid logging unwanted messages, add a "deny" rule in the incoming section for the interface. Replace the interface name dc0 in the rules below with the name of the interface that faces the public Internet on your system. For ppp connections it will be tun0.

Notes on using these rules:
- all session start requests to the public Internet use keep-state.
- all authorized services from the public Internet use the limit keyword to protect against a storm of dynamic rule creation (flooding).
- all rules use in or out to specify the traffic direction.
- all rules use via interface-name to specify the interface.
The following rules go into /etc/ipfw.rules.

####################### Start of IPFW rules file #######################
# Flush all rules before the script starts.
ipfw -q -f flush

# Set default variables
cmd="ipfw -q add"    # common prefix for adding ipfw rules
pif="dc0"            # name of the external interface facing
                      # the public Internet

########################################################################
# No restrictions on the inside LAN interface
# Not needed unless you have a LAN.
# Replace xl0 with the name of your LAN interface.
########################################################################
#$cmd 00005 allow all from any to any via xl0

########################################################################
# No restrictions on the loopback interface
########################################################################
$cmd 00010 allow all from any to any via lo0

########################################################################
# Allow the packet if it was previously added to the dynamic
# table by keep-state
########################################################################
$cmd 00015 check-state

########################################################################
# Outgoing section on the interface facing the public Internet.
# Inspects session start requests coming from behind the firewall
# on the LAN or from this gateway, destined for the Internet.
########################################################################

# Allow outgoing traffic to your ISP's DNS server.
# Replace x.x.x.x with the IP address of your ISP's DNS server.
# Duplicate these lines if you have more than one ISP DNS server.
# These IP addresses can be found in /etc/resolv.conf.
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow outgoing traffic to your ISP's DHCP server for cable/DSL
# configurations.
# This rule is not needed for 'user ppp' connections to the public
# Internet; in that case you can delete these rules.
# Use this rule to log the IP address we need.
# Take the IP address from the log file, replace x.x.x.x in the
# commented-out rule below with it, and delete the first rule.
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow outgoing non-secure www session
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow outgoing secure www session
# https with TLS and SSL support
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow outgoing POP/SMTP traffic.
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Ðàçðåøèòü èñõîäÿùèé FBSD (make install & cvsup) òðàôôèê 
# Íàçíà÷àåì ïîëüçîâàòåëþ root ïîëíûå ïðèâèëåãèè.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Ðàçðåøàåì èñõîäÿùèé icmp òðàôôèê äëÿ êîððåêòíîé ðàáîòû óòèëèòû ping
$cmd 00250 allow icmp from any to any out via $pif keep-state


# Ðàçðåøàåì èñõîäÿùèé tcp òðàôôèê äëÿ óòèëèòû Time.
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Ðàçðåøàåì èñõîäÿùèé tcp òðàôôèê äëÿ óòèëèò nntp news
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Ðàçðåøàåì èñõîäÿùèé áåçîïàñíûé òðàôôèê äëÿ óòèëèò FTP, Telnet, è SCP
# Ýòà ôóíêöèÿ èñïîëüçóåòñÿ ïðîãðàììíûì îáåñïå÷åíèåì, ðàáîòàþùèì ÷åðåç ïðîòîêîë SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Ðàçðåøàåì èñõîäÿùèé òðàôôèê äëÿ óòèëèòû whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

# Çàïðåùàåì è çàíîñèì â ëîã îñòàëüíîé òðàôôèê, ÷òî ïûòàåòñÿ âûéòè ñ âíåøíåãî èíòåðôåéñà.
# Ïðè íàëè÷èè ïîäîáíîãî ïðàâèëà âíå çàâèñèìîñòè îò âûáðàííîé óìîë÷àòåëüíîé ïîëèòèêè,
# ìåæñåòåâîé ýêðàí áóäåò âåñòè ñåáÿ êàê ìåæñåòåâîé ýêðàí çàêðûòîãî òèïà.
$cmd 00299 deny log all from any to any out via $pif


########################################################################
# Section describing the rules for inbound traffic on the interface
# attached to the public network.
# Inspects packets arriving from the public network that are
# destined for this gateway or for the LAN.
########################################################################

# Deny all inbound traffic from non-routable address spaces.
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif      # RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif       # RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif          # RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif         # loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif           # loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif      # DHCP auto-configuration
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif        # reserved
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif     # Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif         # Class D & E multicast

# Deny ping from the public network
$cmd 00310 deny icmp from any to any in via $pif

# Deny inbound connections on port 113
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services. 137=name, 138=datagram, 139=session
# Netbios is the MS/Windows sharing service.
# Block MS/Windows hosts2 name server requests on port 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late-arriving packets.
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that do not match the dynamic rule table.
$cmd 00332 deny tcp from any to any established in via $pif

# Allow inbound traffic from your ISP's external DHCP server. This rule must contain the IP address of your
# ISP's external DHCP server, so that this host is the only one allowed to send you packets of this type.
# This is needed for cable and DSL connections. For 'user ppp' connections to the public network this rule is not needed.
# This is the same IP address you chose and used in the section describing the outbound rules.
$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow inbound non-secure www session traffic, since I run an apache server.
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow inbound secure FTP, Telnet and SCP connections from the public network
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow inbound non-secure Telnet connections from the public network.
# This connection is considered insecure because the ID and password cross the public network as clear text;
# delete this rule if you do not use telnet.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject and log all other inbound traffic from the public network.
$cmd 00499 deny log all from any to any in via $pif


# Deny and log all traffic that did not match the rules above.
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################
  
31.6.5.7 Example of an inclusive (closed-type) firewall ruleset with NAT support

Some additional options are required to activate the NAT function of the IPFW firewall. The kernel option IPDIVERT must be added to the FreeBSD kernel configuration alongside the IPFIREWALL options already listed.

In addition to the standard IPFW options, add the following to /etc/rc.conf:
natd_enable="YES"                   # Enable the NATD function
natd_interface="rl0"                # Name of the network interface
                                    # attached to the public network
natd_flags="-dynamic -m"            # -m = preserve port numbers if possible

Using inclusive (closed-type) firewall rules together with a divert natd (Network Address Translation) rule considerably complicates the rule logic. The placement of the check-state and divert natd keywords in the rule table affects the firewall's behaviour; it is no longer a simple sequential logical flow. With the options above applied, a new keyword, skipto, becomes available. When skipto is used, rule numbering becomes mandatory: the argument of skipto is the number of the rule to jump to.

Below is an example of the coding method, without comments, given here to make clear the order in which packets pass through the ruleset.

Rule processing starts with the first rule and proceeds sequentially from the top of the list. During processing the packet is tested against each rule's selection criteria. If a match is found, the action specified by the rule is applied to the packet; if no rule matches, the system default policy (inclusive/exclusive firewall) applies.

The order of rules 100, 101, 450, 500 and 510 matters. These rules control the translation of outbound and inbound packets, so that only private LAN IP addresses are registered in the keep-state table. In the example that follows, the allow and deny rules specify the packet direction (out or in) and also name the interface. Note also that all outbound session-start requests are passed via the skipto keyword to rule 500 for address translation.

Suppose a LAN user requests a page through a browser. Web pages are served on port 80. The packet enters the firewall. It does not match rule 100, because that rule's selection criteria contain the keyword in.
It does not match rule 101, because this is the first packet of the session and it has not yet been entered in the dynamic keep-state table. On reaching rule 125 the packet finally satisfies all the selection criteria: its destination is on the public network, so it must be sent out through the interface facing the public network. At this point the packet still carries the LAN user's IP address as its source address. This rule causes two things to happen:
The keep-state option creates a new entry in the dynamic table and performs the action specified in the rule. That action is also part of the information recorded in the dynamic table; in this case it is skipto rule 500. Rule 500 translates (NATs) the packet's addresses and releases it to the network. This point is very important.
The packet travels to its destination, where a reply packet is generated and sent back. This new packet starts its path through the NAT firewall at the first rule in the list. This time the packet matches rule 100, and its destination IP address is translated back to the corresponding LAN IP address. It is then processed by the check-state rule: since an entry for this session is already present in the dynamic table, the action recorded from the keep-state rule is performed and the packet is released into the LAN.

The packet then returns to the user who sent the request, and a new packet is generated requesting the next portion of data from the remote server. This time the packet is checked straight away by the check-state rule; since an outbound entry for this packet exists, the action skipto 500 is executed. The packet jumps to rule 500, is translated and released to the network.
In the inbound section, all packets arriving as replies within existing sessions are, by the keep-state rule, redirected to the divert natd rule. If anything beyond that needs to be allowed, the corresponding rules must be written. A rule must also be placed at the end that denies all other unwanted traffic. Suppose apache is running on the firewall server and we want to allow people on the public network to reach the local web site. The new inbound session-start packet matches rule 100 and its IP address is translated to the local IP. The packet is then checked against the rules for unwanted traffic, and if none match it reaches rule 425. On matching this rule two things happen: the packet is entered in the dynamic keep-state table, but from this point any new session requests originating from that IP address are limited to 2 concurrent connections. This protects the service on the port named in the rule against overload.
The action in the rule is allow, so the packet is passed into the LAN. The reply packet falls under check-state and is recognized as belonging to an existing session. It then reaches rule 500, where the reverse translation takes place, after which the packet goes out on the interface attached to the public network.

Example rules file #1:
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443,110,119"

ipfw -q -f flush

$cmd 002 allow all from any to any via xl0  # allow traffic on the LAN interface
$cmd 003 allow all from any to any via lo0  # allow traffic on the loopback interface

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Allowed outbound packets
$cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks
$cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks


# Deny all inbound traffic from non-routable address spaces.
$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  # RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  # RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  # RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  # loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  # loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  # DHCP auto-configuration
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  # reserved for documentation
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  # Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  # Class D & E multicast

# Allowed inbound packets
$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1


$cmd 450 deny log ip from any to any

# This is the skipto location for the stateful rules written for outbound packets.
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any

################################# End of rules file  #####################################
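As an added example (this is not part of the handbook text or of FreeBSD's own tooling), the POSIX sh function below statically checks a rule script laid out like example file #1 above: it parses the "$cmd NNN ..." lines and the skip="skipto NNN" variable, verifies that rule numbers ascend and that every skipto jumps forward to a number that some rule reaches, and never calls ipfw, so it can run on any host before the script is loaded. The function names ipfw_check_skipto and ipfw_check_demo and the two rulesets written by the demo are constructed for illustration and are not taken from the handbook.

```shell
#!/bin/sh
# Added example: static sanity check for an IPFW rule script that uses skipto.
# It parses the script text (it never calls ipfw), so it runs on any host.
# Assumed layout (as in the handbook examples): rules are lines of the form
#   $cmd NNN action ...
# and a jump target is written either literally as "skipto NNN" or through
# a variable defined as  name="skipto NNN"  and used in a rule as $name.

ipfw_check_skipto() {
    # $1: path of the rule script. Prints each problem found on stdout;
    # returns 0 when the file is clean, 1 otherwise.
    awk '
    BEGIN { bad = 0; last = 0; max = 0; k = 0 }
    # remember skipto targets defined through variables, e.g. skip="skipto 500"
    /^[A-Za-z_][A-Za-z0-9_]*="skipto [0-9]+"[ \t]*$/ {
        split($0, kv, "=")
        n = kv[2]; gsub(/[^0-9]/, "", n)
        var[kv[1]] = n + 0
        next
    }
    /^\$cmd[ \t]+[0-9]+/ {
        num = $2 + 0
        if (num < last) {
            printf("rule %05d follows %05d: rule numbers must ascend\n", num, last)
            bad = 1
        }
        last = num
        if (num > max) max = num
        # collect every skipto this rule performs (literal or via a variable)
        for (i = 3; i <= NF; i++) {
            if ($i == "skipto" && i < NF) {
                k++; src[k] = num; dst[k] = $(i + 1) + 0
            } else if (substr($i, 1, 1) == "$" && (substr($i, 2) in var)) {
                k++; src[k] = num; dst[k] = var[substr($i, 2)]
            }
        }
    }
    END {
        # ipfw continues at the first rule numbered >= the skipto argument,
        # so the target must lie ahead of the jumping rule and inside the set
        for (j = 1; j <= k; j++) {
            if (dst[j] <= src[j]) {
                printf("rule %05d: skipto %d does not jump forward\n", src[j], dst[j])
                bad = 1
            } else if (dst[j] > max) {
                printf("rule %05d: skipto %d has no rule numbered %d or higher\n", src[j], dst[j], dst[j])
                bad = 1
            }
        }
        exit bad
    }' "$1"
}

ipfw_check_demo() {
    # Runs the checker on two constructed rulesets (example data, not a real
    # firewall) and returns 0 only if the clean one passes and the broken one fails.
    dir=$(mktemp -d) || return 1
    # constructed ruleset modelled on example #1: numbers ascend, skipto lands on 500
    cat > "$dir/good.sh" <<'EOF'
cmd="ipfw -q add"
skip="skipto 500"
$cmd 100 divert natd ip from any to any in via rl0
$cmd 101 check-state
$cmd 125 $skip tcp from any to any 80 out via rl0 setup keep-state
$cmd 450 deny log ip from any to any
$cmd 500 divert natd ip from any to any out via rl0
$cmd 510 allow ip from any to any
EOF
    # constructed broken ruleset: target 800 has no rule at or above it, and the
    # final allow is numbered below the rule that precedes it
    cat > "$dir/bad.sh" <<'EOF'
cmd="ipfw -q add"
skip="skipto 800"
$cmd 125 $skip tcp from any to any 80 out via rl0 setup keep-state
$cmd 450 deny log ip from any to any
$cmd 500 divert natd ip from any to any out via rl0
$cmd 300 allow ip from any to any
EOF
    good=0;  ipfw_check_skipto "$dir/good.sh" || good=$?
    broken=0; ipfw_check_skipto "$dir/bad.sh" || broken=$?
    rm -rf "$dir"
    echo "good.sh exit=$good  bad.sh exit=$broken"
    [ "$good" -eq 0 ] && [ "$broken" -eq 1 ]
}

ipfw_check_demo
```

Run it as "sh checker.sh" to see the demo verdicts, or source the file and call ipfw_check_skipto /etc/ipfw.rules on your own script; a non-zero exit with the printed rule numbers tells you which skipto would fall through to the default deny or be rejected when loaded.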

Example rules #2:
#!/bin/sh
################################# Start of IPFW rules file ####################################
# Flush all rules before the script starts.
ipfw -q -f flush

# Set default variables
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"     # name of the external interface,
              # attached to the public network

###############################################################################################
# No restrictions on the LAN network interface.
# This rule is not needed unless you have a LAN.
# Replace xl0 with the name of the interface attached to your
# LAN.
###############################################################################################
$cmd 005 allow all from any to any via xl0

###############################################################################################
# No restrictions on the loopback interface
###############################################################################################
$cmd 010 allow all from any to any via lo0

###############################################################################################
# Inbound packets on the public interface are diverted to natd for address translation
###############################################################################################
$cmd 014 divert natd ip from any to any in via $pif

###############################################################################################
# Allow the packet if it was previously added to the dynamic
# table by keep-state
###############################################################################################
$cmd 015 check-state

###############################################################################################
# Section describing the rules for outbound traffic on the
# interface attached to the public network.
# Inspects session-start requests coming from behind the firewall (the LAN)
# or from this gateway itself, destined for the Internet.
###############################################################################################

# Allow outbound traffic to your ISP's DNS server.
# x.x.x.x must be the IP address of your ISP's
# DNS server.
# Duplicate these lines if your ISP has more than one
# DNS server.
# These IP addresses can be found in /etc/resolv.conf.
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

# Allow outbound traffic to your ISP's DHCP server
# for cable/DSL configurations
$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state

# Allow outbound non-secure www session traffic
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow outbound secure www session traffic
# (https with TLS and SSL support)
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow outbound POP/SMTP traffic.
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow outbound FreeBSD (make install & cvsup) traffic.
# The root user is given full privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow outbound icmp traffic so that the ping utility works
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow outbound tcp traffic for the Time utility.
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow outbound tcp traffic for nntp news utilities (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow outbound secure FTP, Telnet and SCP traffic.
# This function is used by software running over the SSH protocol.
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow outbound traffic for the whois utility
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow outbound udp traffic to the ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

###############################################################################################
# Section describing the rules for inbound traffic on the interface attached to
# the public network. Inspects packets arriving from the public network that are
# destined for this gateway or for the LAN.
###############################################################################################
###############################################################################################

# Deny all inbound traffic from non-routable address spaces.
$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast

# Deny inbound connections on port 113
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services. 137=name, 138=datagram, 139=session
# Netbios is the MS/Windows sharing service.
# Block MS/Windows hosts2 name server requests on port 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81  in via $pif

# Deny any late-arriving packets.
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that do not match the dynamic rule table.
$cmd 332 deny tcp from any to any established in via $pif

# Allow inbound traffic from your ISP's external DHCP server. This rule
# must contain the IP address of your ISP's external DHCP server, so that
# this host is the only one allowed to send you packets of this type.
# This is needed for cable and DSL connections. For 'user ppp' connections to
# the public network this rule is not needed.
# This is the same IP address you chose and used in the section describing
# the outbound rules.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state

# Allow inbound non-secure www session traffic, since I run
# an apache server.
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow inbound secure FTP, Telnet and SCP connections from the
# public network
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow inbound non-secure Telnet connections from the public network.
# This connection is considered insecure because the ID and password cross the
# public network as clear text.
# Delete this rule if you do not use telnet.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject and log all other inbound traffic from the public network.
$cmd 400 deny log all from any to any in via $pif

# Reject and log all other outbound traffic to the public network.
$cmd 450 deny log all from any to any out via $pif

# This is the skipto location for the skipto keyword used in the stateful rules.
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Deny and log all traffic that did not match the rules above.
$cmd 999 deny log all from any to any
################################# End of IPFW rules file ####################################


>Release-Note:
>Audit-Trail:
>Unformatted: