« : Июня 05, 2011, 09:52:30 pm »
Полного аналога функции не знаю.
Но реализовать данную функцию можно с помощью acl-ей.
Но реализовать данную функцию можно с помощью acl-ей.
Ясно. Но если разрешить любой ICMP, а не только echo (убрать из правила "icmptypes 8"), работать не будет.
Конечно. Если разрешить, например, еще и эхо-ответ (icmptypes 0), то пинг из локальной сети уже не будет работать, поскольку ответ от удаленного ресурса будет сразу обрабатываться сервером напрямую, не попадая в НАТ.
И последний вопрос в этой теме. Учитывая твой большой опыт с одной стороны и то, что ты вник в этот набор правил с другой, как тебе вообще мой набор правил?
# Rule under discussion: accept only ICMP echo requests (type 8) that arrive
# on rl0 addressed to this host; no other ICMP type is passed by this line.
ipfw add 1350 allow icmp from any to 195.98.163.142 icmptypes 8 in via rl0
[Ss][Ii][Mm][Pp][Ll][Ee])
# "SIMPLE" ruleset body: a server with one inside (vr0) and one outside (fxp0)
# interface, optionally acting as NAT gateway for the inside network.
# ipfw is first-match: the order of the rules below IS the policy; do not reorder.
int_if="vr0" # Inside interface
ext_if="fxp0" # Outside interface
ext_ip="193.227.206.220" # server address on the outside interface
int_ip="192.168.192.55" # server address on the inside interface
int_net="192.168.192.0/24" # inside (LAN) network
ext_net="193.227.206.216/29" # outside network
# Check dynamic rules: traffic matching a state entry created by one of the
# keep-state rules below is accepted here, before any static rule.
# NOTE(review): this sits ahead of the anti-spoofing checks; state entries are
# only created by the keep-state rules of this ruleset, so that is the usual
# layout, but keep it in mind when adding further keep-state rules.
${fwcmd} add check-state
# Stop spoofing: inside addresses must not arrive on the outside interface,
# outside addresses must not arrive on the inside interface (both logged).
${fwcmd} add deny log ip from ${int_net} to any in via ${ext_if}
${fwcmd} add deny log ip from ${ext_net} to any in via ${int_if}
# Rules for lo0
${fwcmd} add allow ip from any to any via lo0
# Rules for VPN: GRE between any addresses, one state entry per flow.
# NOTE(review): unrestricted in both directions and not tied to the pptp
# control port allowed further down — presumably intended for the VPN; confirm.
${fwcmd} add allow gre from any to any keep-state
# Rules for ppp0 (currently disabled)
#${fwcmd} add allow ip from any to any via ppp0 keep-state
# Allow all outgoing from server; keep-state lets the replies back in through
# check-state above (presumably also how the server's own ping replies get in,
# since no ICMP allow rule exists in this arm).
${fwcmd} add allow ip from ${ext_ip} to any keep-state
${fwcmd} add allow ip from ${int_ip} to any keep-state
# Allow access to our services (the loaded rules 01100/01200 in the listing
# show the resolved numeric port lists). Protocol "ip" with a port list
# presumably matches both TCP and UDP on those ports — verify that is intended.
# The doubled backslash reaches ipfw as "\-" (ftp\-data, xmpp\-client, ...),
# which stops the dash from being read as a port range.
${fwcmd} add allow ip from any to ${ext_ip} ftp\\-data,ftp,ssh,1022,smtp,smtps,domain,http,https,pop3,pop3s,ntp,imap,imaps,l2tp,pptp,xmpp\\-client,xmpp\\-server,5280,24554 keep-state
# NOTE(review): the space after "3306," splits the port list into two shell
# words; the loaded rule 01200 shows ipfw still joined them, but remove the
# space so the list stays a single argument.
${fwcmd} add allow ip from any to ${int_ip} ftp\\-data,ftp,ssh,1022,smtp,smtps,domain,http,https,pop3,pop3s,ntp,imap,imaps,3306, xmpp\\-client,xmpp\\-server,5280,24554 keep-state
# Block some ICMP packets: redirect (5), router advertisement (9),
# timestamp (13/14), information (15/16) and address-mask (17) request/reply.
# NOTE(review): nothing in this arm explicitly passes the remaining ICMP
# types (echo, unreachable, time exceeded); the thread below discusses where
# such an allow has to sit relative to the nat rule.
${fwcmd} add deny log icmp from any to any icmptype 5,9,13,14,15,16,17
### Rules for gateway only #########################################
case ${firewall_nat_enable} in [Yy][Ee][Ss])
# Disallow users access to our proxy (table(0) presumably lists the permitted
# inside hosts; its contents are not shown here)
${fwcmd} add deny ip from not table\(0\) to ${int_ip} 3128
# Disallow users access to our NAT service: only table(0) hosts may send
# anything in through the inside interface
${fwcmd} add deny ip from not table\(0\) to any in via ${int_if}
# Block access to foreign smtp: inside hosts may only reach the mail servers
# listed in table(1) (logged)
${fwcmd} add deny log ip from ${int_net} to not table\(1\) smtp
# Network Address Translation on the outside interface; deny_in refuses
# unsolicited inbound connections, same_ports tries to keep source ports
${fwcmd} nat 123 config if ${ext_if} log deny_in same_ports
# NOTE(review): whether a packet continues to the rules below after
# translation depends on net.inet.ip.fw.one_pass (default 1: the packet
# leaves the firewall right after nat) — confirm the sysctl on this host.
${fwcmd} add nat 123 all from any to any via ${ext_if}
# Rules for NATed packets: translated outbound LAN traffic carries ${ext_ip}
${fwcmd} add allow ip from ${ext_ip} to any
# Allow users to have Internet (both directions for the inside network)
${fwcmd} add allow ip from ${int_net} to any
${fwcmd} add allow ip from any to ${int_net}
esac
# Drop all connections w/out logging: on netbios ports
${fwcmd} add deny ip from any to any 135,137,138,139,microsoft\\-ds
# Drop all connections w/out logging: broadcast
${fwcmd} add deny ip from any to 255.255.255.255
# Drop any other packets & log it (default deny)
${fwcmd} add deny log ip from any to any
;;
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 check-state
00500 0 0 deny log logamount 20 ip from 192.168.192.0/24 to any in via fxp0
00600 0 0 deny log logamount 20 ip from 193.227.206.216/29 to any in via vr0
00700 0 0 allow ip from any to any via lo0
00800 0 0 allow gre from any to any keep-state
00900 14 848 allow ip from 193.227.206.220 to any keep-state
01000 62 8904 allow ip from 192.168.192.55 to any keep-state
01100 4 176 allow ip from any to 193.227.206.220 dst-port 20,21,22,1022,25,465,53,80,443,110,995,123,143,993,1701,1723,5222,5269,5280,24554 keep-state
01200 729 88240 allow ip from any to 192.168.192.55 dst-port 20,21,22,1022,25,465,53,80,443,110,995,123,143,993,3306,5222,5269,5280,24554 keep-state
01300 1 56 deny log logamount 20 icmp from any to any icmptypes 5,9,13,14,15,16,17
01400 0 0 deny ip from not table(0) to 192.168.192.55 dst-port 3128
01500 2518 227717 deny ip from not table(0) to any in via vr0
01600 3 192 deny log logamount 20 ip from 192.168.192.0/24 to not table(1) dst-port 25
01700 28539 7789742 nat 123 ip from any to any via fxp0
01800 0 0 allow ip from 193.227.206.220 to any
01900 3163 274331 allow ip from 192.168.192.0/24 to any
02000 5197 6392918 allow ip from any to 192.168.192.0/24
02100 0 0 deny ip from any to any dst-port 135,137,138,139,445
02200 0 0 deny ip from any to 255.255.255.255
02300 0 0 deny log logamount 20 ip from any to any
65535 793397154 580488975665 allow ip from any to any
19:30[]root@office#~>ping muff.kiev.ua
PING muff.kiev.ua (195.3.159.250): 56 data bytes
64 bytes from 195.3.159.250: icmp_seq=0 ttl=62 time=0.685 ms
64 bytes from 195.3.159.250: icmp_seq=1 ttl=62 time=0.518 ms
64 bytes from 195.3.159.250: icmp_seq=2 ttl=62 time=0.420 ms
64 bytes from 195.3.159.250: icmp_seq=3 ttl=62 time=0.435 ms
64 bytes from 195.3.159.250: icmp_seq=4 ttl=62 time=0.475 ms
^C
--- muff.kiev.ua ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.420/0.507/0.685/0.095 ms
C:\>ping muff.kiev.ua
Обмен пакетами с muff.kiev.ua [195.3.159.250] по 32 байт:
Ответ от 195.3.159.250: число байт=32 время=6мс TTL=61
Ответ от 195.3.159.250: число байт=32 время<1мс TTL=61
Ответ от 195.3.159.250: число байт=32 время=2мс TTL=61
Ответ от 195.3.159.250: число байт=32 время=2мс TTL=61
Статистика Ping для 195.3.159.250:
Пакетов: отправлено = 4, получено = 4, потеряно = 0 (0% потерь),
Приблизительное время приема-передачи в мс:
Минимальное = 0мсек, Максимальное = 6 мсек, Среднее = 2 мсек
# Proposed rule 1450: pass echo reply (0), unreachable (3), echo request (8)
# and time exceeded (11) between any addresses. In the listing above it would
# sit before the nat rule 01700, which the thread points out breaks pings from
# the LAN: the reply is accepted here and never reaches the translation.
${fwcmd} add 1450 allow icmp from any to any icmptypes 0,3,8,11
# Proposed rule 1750: same types, but only for this host's own addresses
# ("me") on the outside interface, numbered after the nat rule 01700.
${fwcmd} add 1750 allow icmp from any to me icmptypes 0,3,8,11 via ${ext_if}
По ходу пакеты уже должны выйти из НАТа, соответственно под это правило попадут пакеты, направленные именно серверу.
${fwcmd} add 1720 allow icmp from me to any icmptypes 0,3,8,11 via ${ext_if}
# Proposed pair 501/502 (111.1.111.11 is presumably the poster's placeholder
# for the gateway's outside address): 501 lets that address send the listed
# ICMP types out through the outside interface, 502 lets the same types in
# when addressed to it.
${fwcmd} add 501 allow icmp from 111.1.111.11 to any icmptypes 0,3,8,11 out via ${ext_if}
${fwcmd} add 502 allow icmp from any to 111.1.111.11 icmptypes 0,3,8,11 in via ${ext_if}
# Logged catch-all deny for the outside interface.
# NOTE(review): ipfw is first-match; if this line is meant to precede the
# allows below in one ruleset, those allows are never reached — confirm the
# intended order (the lines read as snippets from separate posts).
${fwcmd} add deny log ip from any to any via ${ext_if}
# ICMP allow pair for the host itself ("me") on any interface: echo reply (0),
# unreachable (3), echo request (8), time exceeded (11). The pair appears
# twice, presumably quoted again in a later post.
${fwcmd} add allow icmp from me to any icmptypes 0,3,8,11
${fwcmd} add allow icmp from any to me icmptypes 0,3,8,11
${fwcmd} add allow icmp from me to any icmptypes 0,3,8,11
${fwcmd} add allow icmp from any to me icmptypes 0,3,8,11
[Nn][Aa][Tt])
# "NAT" ruleset body: gateway with inside interface rl0 and outside interface
# nfe0, translating the inside network to ${natip}.
# ipfw is first-match: the order of the rules below IS the policy; do not reorder.
oif="nfe0" # outside interface
iif="rl0" # inside interface
inet="192.168.1.0/24" # inside (private) network
onet="xx.xx.226.0/23" # outside network (address redacted by the poster)
natip="xx.xx.227.101" # public address used for translation (redacted)
# NAT: translate only unregistered (private) source addresses, and forward
# TCP 3389 (RDP) arriving at ${natip} to the inside host 192.168.1.100.
# NOTE(review): the forward is reachable from any source; the only inbound
# filtering ahead of it is the anti-spoof/bogon rules below.
${fwcmd} nat 1 config ip ${natip} unreg_only \
redirect_port tcp 192.168.1.100:3389 3389
# Stop spoofing: inside addresses in on the outside interface, and vice versa
${fwcmd} add deny all from ${inet} to any in via ${oif}
${fwcmd} add deny all from ${onet} to any in via ${iif}
# Stop RFC1918 nets on the outside interface (as destination).
# 192.168.0.0/16 is absent from both lists, presumably because ${inet} packets
# reach the nat rule below with their private source address still untranslated.
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface (as destination)
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Stop RFC1918 nets on the outside interface (as source)
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface (as source)
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# NAT forwarding: outbound inside traffic is translated on transmit, inbound
# traffic for ${natip} on receive.
# NOTE(review): whether a packet continues to the rules below after
# translation depends on net.inet.ip.fw.one_pass (default 1: it leaves the
# firewall right after nat); with one_pass=0 the translated RDP forward would
# fall through to the final deny on ${oif} — confirm the sysctl on this host.
${fwcmd} add nat 1 ip from ${inet} to any xmit ${oif}
${fwcmd} add nat 1 ip from any to ${natip} recv ${oif}
# Allow ICMP: echo reply (0), unreachable (3), echo request (8), time exceeded (11)
${fwcmd} add allow icmp from any to any icmptypes 0,3,8,11
# Allow TCP through if setup succeeded.
# NOTE(review): "established" matches any TCP segment with ACK or RST set and
# keeps no state — a stateless check, not connection tracking.
${fwcmd} add pass tcp from any to any established
# Allow setup: new TCP connections from anywhere to this host's own addresses
# on ssh (22), smtp (25) and http (80)
${fwcmd} add pass tcp from any to me 22 setup
${fwcmd} add pass tcp from any to me 25 setup
${fwcmd} add pass tcp from any to me 80 setup
# DNS: UDP port 53 to and from this host
${fwcmd} add pass udp from any to me 53
${fwcmd} add pass udp from me 53 to any
# Allow my setup TCP connection: this host may open TCP connections anywhere
${fwcmd} add pass tcp from me to any setup
# Deny incoming: everything else on the outside interface ("via" matches both
# receive and transmit); traffic that only touches ${iif} is not decided here
# and falls through to whatever follows this case arm.
${fwcmd} add deny all from any to any via ${oif}
;;
# rc.conf: turn on ipfw, point it at the custom script, and select the
# "NAT" arm of that script's case statement.
firewall_enable='YES'
firewall_script='/etc/rc.firewall'
firewall_type='NAT'