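#!/bin/sh
#
# ipfw ruleset for a FreeBSD gateway with two uplinks (primary on vr0,
# secondary on vr1) in front of one LAN (rl0, 192.168.100.0/24).
#
# LAN hosts are assigned to an uplink via lookup tables.  Each uplink has its
# own NAT instance, its own FIB and its own dummynet pipes/queues (a "VIP" and
# a "best effort" queue per direction).  Traffic is dispatched with skipto into
# per-direction blocks (1000, 3000, 4000, 5000, 6000, 7000, 8000); anything not
# explicitly allowed is denied and logged.
#
# Lines ending in "..." are placeholders that must be filled in before use.
# `log` rules only produce output when net.inet.ip.fw.verbose=1.
# Reloading over the network may drop the session while the ruleset is
# flushed and rebuilt; run it from the console or through rc(8).

# Abort on an unset variable: an empty expansion would otherwise silently
# produce a malformed (and therefore missing) or over-broad rule.
set -u

ipfw_cmd="/sbin/ipfw"

# Run ipfw quietly; arguments are passed through unchanged.
fw() { "${ipfw_cmd}" -q "$@"; }

# Start from a clean state: rules, dummynet queues/pipes, NAT instances,
# tables and counters.
fw flush
fw queue flush
fw pipe flush
fw nat flush
fw table all flush
fw zero
# Packets re-enter the ruleset after dummynet/nat, so the per-direction
# blocks below can finish with their own allow rule.
fw disable one_pass

primary_if="vr0"
ip_of_primary_if="194.143.145.26"
secondary_if="vr1"
ip_of_secondary_if="77.91.152.172"
int_if="rl0"
ip_of_int_if="192.168.100.8"
localnet="192.168.100.0/24"
broadcast_ip_of_localnet="192.168.100.255"

# Tables
#   1: VIP hosts on the primary uplink        2: other hosts on the primary uplink
#   5: every host on the primary uplink (1 + 2)
#   3: VIP hosts on the secondary uplink      4: other hosts on the secondary uplink
#   7: every host on the secondary uplink (3 + 4)
#   6: hosts that are not allowed to reach the Internet at all
fw table 1 add 192.168.100.10
fw table 1 add ...
fw table 2 add ...
fw table 2 add ...
fw table 5 add ...   # every address from table 1 and table 2
fw table 3 add 192.168.100.200
fw table 3 add ...
fw table 4 add ...
fw table 4 add ...
fw table 7 add ...   # every address from table 3 and table 4
fw table 6 add ...

# One NAT instance per uplink.
# NOTE(review): no deny_in here, and rules 3090/4090 allow everything after
# translation, so untranslated inbound packets addressed to the gateway's own
# public IPs appear to be accepted — confirm this is intended (services on the
# gateway) or add deny_in / an explicit policy ahead of 3090 and 4090.
fw nat 1 config log ip "${ip_of_primary_if}" same_ports
fw nat 2 config log ip "${ip_of_secondary_if}" same_ports

# Primary uplink, inbound (10/11) and outbound (20/21).
# bw 0 = unlimited: pipes 10/20 carry TCP control segments past the cap.
fw pipe 10 config bw 0Kbit/s mask dst-ip 0x000000ff
fw pipe 11 config bw 1950Kbit/s queue 44 gred 0.002/40/44/0.1
fw pipe 20 config bw 0Kbit/s mask src-ip 0x000000ff
# Upstream rate of the primary link is assumed symmetric — confirm.
fw pipe 21 config bw 1950Kbit/s queue 44 gred 0.002/40/44/0.1

# Secondary uplink, inbound (30/31) and outbound (40/41).
fw pipe 30 config bw 0Kbit/s mask dst-ip 0x000000ff
fw pipe 31 config bw 9950Kbit/s queue 50 gred 0.002/45/50/0.1
fw pipe 40 config bw 0Kbit/s mask src-ip 0x000000ff
# Upstream rate of the secondary link is assumed symmetric — confirm.
fw pipe 41 config bw 9950Kbit/s queue 50 gred 0.002/45/50/0.1

# WFQ queues: VIP (weight 60) vs. others (weight 35), one flow per host
# (last octet of the address is the flow key).
fw queue 111 config pipe 11 weight 60 mask dst-ip 0x000000ff   # primary in, VIP
fw queue 112 config pipe 11 weight 35 mask dst-ip 0x000000ff   # primary in, others
fw queue 211 config pipe 21 weight 60 mask src-ip 0x000000ff   # primary out, VIP
fw queue 212 config pipe 21 weight 35 mask src-ip 0x000000ff   # primary out, others
fw queue 311 config pipe 31 weight 60 mask dst-ip 0x000000ff   # secondary in, VIP
fw queue 312 config pipe 31 weight 35 mask dst-ip 0x000000ff   # secondary in, others
fw queue 411 config pipe 41 weight 60 mask src-ip 0x000000ff   # secondary out, VIP
fw queue 412 config pipe 41 weight 35 mask src-ip 0x000000ff   # secondary out, others

# Loopback: allow on lo0, refuse 127/8 anywhere else.
fw add 10 set 31 allow ip4 from any to any via lo0
fw add 10 set 31 deny ip4 from any to 127.0.0.0/8
fw add 10 set 31 deny ip4 from 127.0.0.0/8 to any

#
# Packets entering the gateway
#
fw add 15 set 31 reass all from any to any in
# Drop packets whose source address does not belong on the receiving interface.
fw add 15 set 31 deny log logamount 500 ip4 from any to any not antispoof

# DHCP discovery from LAN clients (only meaningful if a DHCP server runs
# here) and LAN traffic addressed to the gateway itself.  Rule 90 must stay
# ahead of the broadcast denies at 100.
fw add 90 set 31 allow udp from 0.0.0.0 68 to 255.255.255.255 67 in recv "${int_if}"
fw add 90 set 31 allow ip4 from "${localnet}" to "${ip_of_int_if}" in recv "${int_if}"

# Outbound traffic from the LAN: drop broadcasts and private destinations,
# then pick the uplink (FIB + skipto) by the sender's table membership.
fw add 100 set 31 deny ip4 from any to "${broadcast_ip_of_localnet}" in recv "${int_if}"
fw add 100 set 31 deny ip4 from any to 255.255.255.255 in recv "${int_if}"
# One comma-separated token: ipfw's address-list syntax, with no reliance on
# the tokenizer joining a list split across several arguments.
rfc1918="192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"
fw add 100 set 31 deny log logamount 1000 ip4 from any to "${rfc1918}" in recv "${int_if}"
# setfib 1 assumes a second routing table exists (net.fibs >= 2) — confirm.
fw add 100 set 1 setfib 0 ip4 from 'table(5)' to any in recv "${int_if}"
fw add 100 set 1 skipto 1000 ip4 from 'table(5)' to any in recv "${int_if}"
fw add 100 set 1 setfib 1 ip4 from 'table(7)' to any in recv "${int_if}"
fw add 100 set 1 skipto 1000 ip4 from 'table(7)' to any in recv "${int_if}"
# Inbound on the uplinks, addressed to the gateway's public IPs.
fw add 200 set 1 skipto 3000 ip4 from any to "${ip_of_primary_if}" in recv "${primary_if}"
fw add 200 set 1 skipto 4000 ip4 from any to "${ip_of_secondary_if}" in recv "${secondary_if}"
# Everything else entering the gateway is dropped.
fw add 495 set 31 deny log logamount 1000 ip4 from any to any in

#
# Packets leaving the gateway
#
fw add 500 set 31 allow ip4 from "${ip_of_int_if}" to "${localnet}" out xmit "${int_if}"
# Return traffic towards the LAN: shape per uplink it came in on.
fw add 500 set 1 skipto 5000 ip4 from any to 'table(5)' out xmit "${int_if}" recv "${primary_if}"
fw add 500 set 1 skipto 6000 ip4 from any to 'table(7)' out xmit "${int_if}" recv "${secondary_if}"
# Forwarded LAN traffic leaving on either uplink: NAT blocks.
fw add 700 set 1 skipto 7000 ip4 from any to any out xmit "${primary_if}" recv "${int_if}"
fw add 700 set 1 skipto 8000 ip4 from any to any out xmit "${secondary_if}" recv "${int_if}"
# The gateway's own traffic.
fw add 900 set 1 allow ip4 from "${ip_of_primary_if}" to any out xmit "${primary_if}"
fw add 900 set 1 allow ip4 from "${ip_of_secondary_if}" to any out xmit "${secondary_if}"
# Everything else leaving the gateway is dropped.
fw add 995 set 31 deny log logamount 1000 ip4 from any to any out

## 1000: received on ${int_if} from a host in table 5 or table 7
# All DNS and SMTP must go through the local resolver / mail relay; a client
# talking to an outside one is a sign of malware or misconfiguration (the
# classic trick is to rewrite the resolver or the hosts file), so log it.
fw add 1005 set 31 deny log logamount 1000 ip4 from any to any dst-port 53
fw add 1005 set 31 deny log logamount 1000 ip4 from any to any dst-port 25
# Only hosts registered for one of the uplinks may continue.  Two separate
# "deny from not table(5)" / "deny from not table(7)" rules would deny
# everybody, since no host is in both tables; test membership with skipto.
fw add 1006 set 1 skipto 1008 ip4 from 'table(5)' to any
fw add 1006 set 1 skipto 1008 ip4 from 'table(7)' to any
fw add 1007 set 1 deny log logamount 500 ip4 from any to any
# Hosts explicitly barred from the Internet.
fw add 1008 set 1 deny log logamount 500 ip4 from 'table(6)' to any
# Shaping: TCP control (and PSH-flagged) segments bypass the cap through the
# unlimited per-host pipe, the rest goes into the VIP / others queue.
fw add 1010 set 1 pipe 20 ip4 from 'table(5)' to any { tcpflags syn or tcpflags fin or tcpflags rst or tcpflags psh }
fw add 1010 set 1 pipe 40 ip4 from 'table(7)' to any { tcpflags syn or tcpflags fin or tcpflags rst or tcpflags psh }
fw add 1020 set 1 queue 211 ip4 from 'table(1)' to any
fw add 1020 set 1 queue 411 ip4 from 'table(3)' to any
fw add 1030 set 1 queue 212 ip4 from 'table(2)' to any
fw add 1030 set 1 queue 412 ip4 from 'table(4)' to any
fw add 1090 set 1 allow ip4 from any to any

## 3000: received on ${primary_if}, addressed to the gateway
fw add 3010 set 1 nat 1 ip4 from any to any
fw add 3090 set 1 allow ip4 from any to any

## 4000: received on ${secondary_if}, addressed to the gateway
fw add 4010 set 1 nat 2 ip4 from any to any
fw add 4090 set 1 allow ip4 from any to any

## 5000: leaving on ${int_if}, received on ${primary_if}
fw add 5010 set 1 pipe 10 ip4 from any to any { tcpflags syn or tcpflags fin or tcpflags rst or tcpflags psh }
fw add 5040 set 1 queue 111 ip4 from any to 'table(1)'
fw add 5060 set 1 queue 112 ip4 from any to 'table(2)'
fw add 5090 set 1 allow ip4 from any to any

## 6000: leaving on ${int_if}, received on ${secondary_if}
fw add 6010 set 1 pipe 30 ip4 from any to any { tcpflags syn or tcpflags fin or tcpflags rst or tcpflags psh }
fw add 6040 set 1 queue 311 ip4 from any to 'table(3)'
fw add 6060 set 1 queue 312 ip4 from any to 'table(4)'
fw add 6090 set 1 allow ip4 from any to any

## 7000: leaving on ${primary_if}, received on ${int_if}
fw add 7010 set 1 nat 1 ip4 from any to any
fw add 7090 set 1 allow ip4 from any to any

## 8000: leaving on ${secondary_if}, received on ${int_if}
# NOTE(review): these two rules are the only ones in set 2 (the inbound side,
# 4010/4090, is in set 1) — presumably so outbound use of the secondary uplink
# can be toggled with `ipfw set disable 2`; confirm, or move them to set 1.
fw add 8010 set 2 nat 2 ip4 from any to any
fw add 8090 set 2 allow ip4 from any to any

## Whatever is not explicitly allowed is denied.
fw add 50000 set 31 deny log logamount 1000 ip4 from any to any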