FreeBSD 5.1
написал список правил для ipfw, используя динамические правила, в результате не проходят ping и попытки подключения к pop3, smtp
подскажите где копать/что изменить
правила:
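#!/bin/sh
# ipfw ruleset for a host with an uplink on tun0 and a LAN on xl0: stateful
# filtering (keep-state/check-state) plus natd on the uplink.
#
# The interpreter is /bin/sh: the FreeBSD base system has no /bin/bash (bash
# from ports installs under /usr/local/bin), and nothing in this script
# needs bash. Must run as root.

# Every rule is loaded through $fw. It is used unquoted on purpose so that
# "ipfw -q" splits into the command and its flag; -q also suppresses the
# confirmation prompt that "ipfw flush" would otherwise print.
fw="ipfw -q"

# autoinc_step=10: rules added without a number are spaced 10 apart, leaving
# room to insert rules by hand. one_pass=0: a packet re-injected into the
# firewall after an action keeps going through the remaining rules instead of
# being accepted (see ipfw(8) for the exact scope of this knob).
# Only stdout is silenced: if the ipfw module is not loaded or the script is
# not run as root, sysctl still reports the failure on stderr.
sysctl net.inet.ip.fw.autoinc_step=10 >/dev/null
sysctl net.inet.ip.fw.one_pass=0 >/dev/null

# Interfaces: uplink, LAN, loopback.
iif=tun0
lif=xl0
loif=lo0

# Host addresses on those interfaces (the public address is masked in the
# post). lip and loip are defined but not referenced by the rules below.
iip=80.80.xx.xx
lip=192.168.0.100
loip=127.0.0.1

# High destination ports the host itself may open outbound (used by the
# "from me to any ... keep-state" tcp rule).
unsafe_ports=1024-65535

# Networks. ati, inet and lonet are defined but not referenced by the rules
# below; lnet is the LAN prefix used for anti-spoofing and LAN<->host rules.
ati=192.168.0.100/30
inet=80.80.xx.xx/32
lnet=192.168.0.0/16
lonet=127.0.0.0/8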
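# clearing: start from an empty rule table.
$fw flush

# Counters (rules 10-50): accounting only; "count" neither accepts nor drops,
# so every packet falls through to the rules below.
$fw add 10 count all from any to any in via $iif
$fw add 20 count all from any to any out via $iif
$fw add 30 count all from any to any via $loif
$fw add 40 count all from any to any via $lif
$fw add 50 count all from any to any via rl0
#end counters

# rl0 (a third interface, presumably unused) carries nothing.
$fw add 100 deny all from any to any via rl0

# NOTE(review): ordering of check-state versus the natd diverts at the end.
# A LAN packet admitted by a keep-state rule on its way in via $lif is
# matched by check-state on its way out via $iif and passed right here, so
# it never reaches "divert natd" and leaves with its private source address
# — the likely reason LAN pings get no reply. LAN tcp/udp to the outside
# matches nothing below at all ("me" is only the firewall's own addresses)
# and ends at the default rule, which is deny unless the kernel was built
# to accept by default. The usual layout is: inbound divert before
# check-state, keep-state rules that "skipto" an outbound divert placed
# after them (see the ipfw chapter of the FreeBSD Handbook) — confirm
# there before re-ordering.
$fw add check-state

# Drop inbound redirect (5), router advertisement (9), timestamp (13/14),
# information (15/16) and address-mask request (17); echo request/reply
# (8/0) are not in the list and stay allowed by the next rule.
$fw add deny icmp from any to any in icmptype 5,9,13,14,15,16,17
$fw add pass icmp from any to any keep-state

# Anti-spoofing: LAN source addresses never legitimately arrive on the uplink.
$fw add reject ip from $lnet to any in via $iif

# Loopback is unrestricted. Uses $loif for consistency with the counters
# above (same interface as the former literal lo0).
$fw add allow ip from any to any via $loif

# NOTE(review): unreachable — every ICMP packet not dropped above has
# already matched the "pass icmp ... keep-state" rule. Left in place so the
# auto-assigned numbers of the rules below do not shift.
$fw add allow icmp from any to any

# DNS: queries from the host (replies come back through check-state).
$fw add allow udp from me to any domain keep-state
# NOTE(review): this admits DNS queries from anywhere, including the uplink;
# unless the host is meant to be a public resolver, restrict the source to
# $lnet (replies to the host's own queries are already covered above).
$fw add allow udp from any to me domain

# LAN <-> host, both directions, stateful.
$fw add allow ip from $lnet to me keep-state
$fw add allow ip from me to $lnet keep-state

# Outbound tcp from the host itself to http, https, pop3 and high ports.
# NOTE(review): smtp is not in this destination list, so the host cannot open
# connections to port 25; add "smtp" here if outbound mail is expected.
$fw add allow tcp from me to any http,https,pop3,$unsafe_ports keep-state
# Inbound tcp to services the host offers.
$fw add allow tcp from any to me http,https,pop3,ssh,smtp keep-state

# NAT on the uplink. A packet re-injected by natd continues from the rule
# after the divert that sent it; nothing after these three rules accepts
# anything, so whatever is diverted ends at the default rule. NOTE(review):
# the tcp and icmp diverts are only reached by packets already translated by
# the first one and would pass ICMP through natd a second time — with a
# single divert on $iif they look redundant; confirm.
$fw add divert natd all from any to any via $iif
$fw add divert natd tcp from any to $iip via $iif
$fw add divert natd icmp from any to any via $iif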