
» помогите с FreeBSD ipfw

Автор: jax2004
Дата сообщения: 03.04.2013 21:31
помогите, пожалуйста, я только разбираюсь в FreeBSD!!
есть правила ipwf.rules, надо паре компов по IP дать полный доступ к инету!! прога через прокси не работает, хочет прямой инет!! конфиг не я писал, помогите, что мне в нём дописать!!!

#!/bin/sh
# ipfw ruleset for a FreeBSD router with three uplinks (ukrtel inet via
# tun100, infjust via rl0, ukrtel MPLS via rl4) and a LAN on rl2.
# The script is run as root; every rule goes through /sbin/ipfw, so it has no
# output of its own.  Rules are matched in ascending rule-number order and the
# last rule (9000) denies and logs everything that was not explicitly allowed.
#
# Review notes (ipfw semantics, not changed here):
#  - ipfw accepts several rules with the same number; they are evaluated in the
#    order they were added, and `ipfw delete NNNN` removes all of them.  This
#    file reuses 0450, 0460 and 0910 (see the comments at those rules).
#  - Rules 0050/0055 and 1510 admit traffic to the router "from any" with no
#    `via` restriction, i.e. on the internet-facing interface as well.
#  - A LAN host that must reach the internet directly (no transparent proxy)
#    follows the pattern of rule 1820 (`nat ${inet_nat} ip from <host> to any
#    keep-state`); for 80/443/8080 such a rule must be numbered below 0030,
#    otherwise the fwd rule captures the traffic first.

### Clear the ipfw ruleset (-f: no confirmation prompt) before reloading it
/sbin/ipfw -f flush

### Some variable definitions

# -q: quiet, do not echo each rule as it is added
cmd="/sbin/ipfw -q add"
#tcmd="/sbin/ipfw -q table"
ncmd="/sbin/ipfw nat"
# $skip is referenced only by commented-out rules below (0450/0460 MRO, 1010, 1410)
#skip="skipto 9900"

infjust_if="rl0"
infjust_ip="10.2.112.2"
mpls_if="rl1"
mpls_ip="192.168.1.2,172.16.23.2"
lan_if="rl2"
lan_ip="192.168.0.1"
ukrtel_inet_if="tun100"
ukrtel_mpls_if="rl4"

infjust_net="10.2.112.0/21"
infjust_servers_net="10.2.113.0/28"
mpls_net="192.168.2.0/25,192.168.10.0/23,172.16.0.0/17"
# NOTE(review): host bits are set (192.168.0.1/24); ipfw applies the /24 mask,
# but the network address 192.168.0.0/24 is the unambiguous spelling.
lan_net="192.168.0.1/24"

# Host that receives the inbound torrent port redirect (see nat instance 1)
eng_ip="192.168.0.108"
torrent_port="6881"


liga_ip="192.168.0.110"
liga_port="30583"

pib_ip="192.168.0.134"
pib_port="10000"


edr_ip="192.168.0.139,192.168.0.140,192.168.0.97,192.168.0.99,192.168.0.132"
edr_port="8086,8000,80,4307,139,443,4310"


ic_inet_net="193.111.173.0/24"

# Services on this host that rules 0050/0055 open on every interface:
# FTP, SSH, SMTP, HTTP, POP3, IMAP, IMAPS and the squid proxy (3128).
local_services_ports="20,21,22,25,80,110,143,993,3128"

# All four infjust roles point at the same address
infjust_dns_ip="10.2.113.1"
infjust_nod_ip="10.2.113.1"
infjust_proxy_ip="10.2.113.1"
infjust_mail_ip="10.2.113.1"

#configure kernel nat instances
# 1 for inet
# 2 for infjust
# 3 for ukrtel MPLS (referenced by rule 1823; its config line below is commented out)
inet_nat=1
infjust_nat=2
ukrtel_mpls_nat=3
# Instance 1 also redirects inbound TCP ${torrent_port} on tun100 to ${eng_ip}
$ncmd ${inet_nat} config redirect_port tcp ${eng_ip}:${torrent_port} ${torrent_port} if ${ukrtel_inet_if} same_ports
$ncmd ${infjust_nat} config if ${infjust_if} same_ports
#$ncmd ${ukrtel_mpls_nat} config redirect_port tcp ${liga_ip}:${liga_port} ${liga_port} redirect_port tcp ${liga_ip}:1411 1411 if ${ukrtel_mpls_if} same_ports
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 0010 allow all from any to any via lo0


#Allow intranet without proxy
$cmd 0020 allow tcp from ${lan_net},${mpls_net} to me 80,443,8080 in
#Force transparent proxy: LAN/MPLS web traffic is handed to squid on 127.0.0.1:3128.
# Any host that must bypass the proxy needs a rule numbered below this one.
$cmd 0030 fwd 127.0.0.1,3128 tcp from ${lan_net},${mpls_net} to any 80,443,8080 keep-state


# hole for local services
# NOTE(review): "from any ... in" with no `via` also matches the internet and
# infjust interfaces, so SSH, mail and the proxy port are reachable from
# outside; restricting to `via ${lan_if}` or to trusted nets would narrow this.
$cmd 0050 allow ip from any to me ${local_services_ports} in
$cmd 0055 allow ip from me ${local_services_ports} to any out

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
###$cmd 0110 divert natd ip from any to any in via ${ukrtel_inet_if}
$cmd 0110 nat ${inet_nat} all from any to any in via ${ukrtel_inet_if}
$cmd 0120 nat ${infjust_nat} all from any to any in via ${infjust_if}

#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 0130 check-state

# DNS
$cmd 0200 allow udp from ${lan_net},${mpls_net} to me 53 keep-state
$cmd 0210 allow udp from me to ${infjust_dns_ip} 53 keep-state
$cmd 0215 allow tcp from me to ${infjust_dns_ip} 53 keep-state
$cmd 0211 allow udp from me 53 to ${infjust_net} keep-state
$cmd 0216 allow tcp from me 53 to ${infjust_net} keep-state
$cmd 0220 allow udp from me to any 53 out via ${ukrtel_inet_if} keep-state
# Presumably for acting as a secondary of the infjust zone (replies initiated
# from the infjust DNS server) — confirm whether this is still needed.
$cmd 0230 allow udp from ${infjust_dns_ip} 53 to me keep-state
$cmd 0240 allow tcp from ${infjust_dns_ip} 53 to me keep-state

# SSH
##$cmd 0300 allow tcp from 10.2.113.20 to 10.2.113.34 22 setup keep-state
##$cmd 0310 allow tcp from 10.2.113.34 22 to 10.2.113.20 setup keep-state
$cmd 0320 allow tcp from ${lan_net},${mpls_net},${infjust_net} to ${lan_net},${mpls_net},${infjust_net} 22 setup keep-state

# Registry
$cmd 0410 allow ip from ${lan_net},${mpls_net} to 193.111.173.53 8080 keep-state
$cmd 0420 allow ip from ${lan_net},${mpls_net} to 193.111.173.54 8080 keep-state
$cmd 0430 allow ip from ${lan_net},${mpls_net} to 193.111.173.55 8080 keep-state
$cmd 0440 allow ip from ${lan_net},${mpls_net} to 193.111.173.56 8080 keep-state
# NOTE(review): numbers 0450 and 0460 are reused by the MRO rules below;
# ipfw keeps both, but `ipfw delete 0450` would remove the pair together.
$cmd 0450 allow ip from ${lan_net},${mpls_net} to 193.111.173.57 8080 keep-state
$cmd 0455 allow ip from ${lan_net},${mpls_net} to 193.111.173.58 8080 keep-state
$cmd 0460 allow ip from ${lan_net},${mpls_net} to 193.111.173.37,193.111.173.38,193.111.173.39,193.111.173.40 keep-state

#MRO aka REZ
##$cmd 0450 $skip tcp from ${lan_net},${mpls_net} to 212.82.216.42 80 setup keep-state
##$cmd 0460 $skip tcp from ${lan_net},${mpls_net} to 92.240.97.198 80 setup keep-state
# Same rule numbers as the Registry rules 0450/0460 above (see note there)
$cmd 0450 allow tcp from ${lan_net},${mpls_net} to 212.82.216.42 80 in
$cmd 0460 allow tcp from ${lan_net},${mpls_net} to 92.240.97.198 80 in
$cmd 0470 nat ${infjust_nat} tcp from ${lan_net},${mpls_net} to 212.82.216.42 80 out via ${infjust_if} setup keep-state
$cmd 0480 nat ${infjust_nat} tcp from ${lan_net},${mpls_net} to 92.240.97.198 80 out via ${infjust_if} setup keep-state

#NOD32 updater from zk.informjust.ua
$cmd 0510 allow tcp from me to ${infjust_nod_ip} 2221 keep-state

#some minjust registry
$cmd 0520 nat ${inet_nat} tcp from ${lan_net},${mpls_net} to 204.232.192.26 5900 out via ${ukrtel_inet_if} setup keep-state
#204.232.192.26,5900

# Outgoing HTTP access
#UKRTEL INET
$cmd 0610 allow tcp from me to any 80,443,8080 out via ${ukrtel_inet_if} setup keep-state
#INFJUST HTTP ACCESS
$cmd 0620 allow tcp from me to any 80,443,8080 out via ${infjust_if} setup keep-state
# Temporary (marked "delete them later"): broad LAN/MPLS web allow rules.
# Traffic to 80/443/8080 from those nets is normally taken by the fwd rule
# 0030 first, so what reaches these is worth confirming before they are kept.
#delete them later
$cmd 0630 allow tcp from ${lan_net},${mpls_net} to any 80,443,8080 in setup keep-state
$cmd 0640 allow tcp from any 80,443,8080 to ${lan_net},${mpls_net} out setup keep-state

# Incoming HTTP access for intranet web only!
$cmd 0710 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 80,443,8080 setup keep-state

# Local Mail SMTP POP3 IMAP IMAPS
$cmd 0810 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 25,110,143,993 setup keep-state
# For real inet mail delivery
$cmd 0820 allow tcp from me to any 25 out via ${ukrtel_inet_if} setup keep-state
$cmd 0830 allow tcp from any 25 to me in via ${ukrtel_inet_if} setup keep-state
#for zk.informjust.ua mail
$cmd 0840 allow tcp from ${lan_net},${mpls_net} to ${infjust_servers_net} 25,110,143,993 in
$cmd 0850 nat ${infjust_nat} tcp from ${lan_net},${mpls_net} to ${infjust_servers_net} 25,110,143,993 out via ${infjust_if} setup keep-state

# SQUID Proxy
# NOTE(review): both rules carry number 0910; the second one may have been
# intended as 0915.
$cmd 0910 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 3128 setup keep-state
$cmd 0910 allow tcp from me to ${infjust_proxy_ip} 3128 setup keep-state

#ESET NOD32 mirror
$cmd 0920 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 2221 setup keep-state
# Jabber in far future
#$cmd 1010 $skip ip from ${lan_net},${mpls_net} to any 5222,5223,5269 out via ${ukrtel_inet_if} keep-state


#CVSUP
$cmd 1110 allow ip from me to any 5999 keep-state

# Outgoing FTP
#UKRTEL
$cmd 1210 allow tcp from me to any 20 out via ${ukrtel_inet_if} keep-state
$cmd 1215 allow tcp from me to any 21 out via ${ukrtel_inet_if} keep-state
#UKRTEL (active-mode FTP data connections coming back in)
$cmd 1220 allow tcp from any 20 to me in via ${ukrtel_inet_if} keep-state

# Incoming FTP
$cmd 1310 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 20,21 setup keep-state
$cmd 1320 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 30000-30015 setup keep-state


# NTP
##$cmd 1410 $skip ip from me to any 123 out via ${ukrtel_inet_if} keep-state
$cmd 1410 allow ip from me to any 123
$cmd 1430 nat ${infjust_nat} ip from me to any 123 out via ${infjust_if} keep-state
$cmd 1440 nat ${inet_nat} ip from me to any 123 out via ${ukrtel_inet_if} keep-state

# SSH access from INET
# NOTE(review): no `via`, so sshd is reachable from every interface (rule 0050
# already admits port 22 inbound as well).
$cmd 1510 allow tcp from any to me 22 setup keep-state

#NFS Client
$cmd 1520 allow tcp from 10.2.112.2 to ${infjust_net} 111,730,963,1022,2049 keep-state
$cmd 1521 allow udp from 10.2.112.2 to ${infjust_net} 111,730,963,1022,2049 keep-state
# Allow ICMP (all types, both directions)
$cmd 1610 allow icmp from any to any keep-state

# Allow reverse connection from LAN-IP to MPLS- & LAN- NET's DO WE REALY NEED IT?
$cmd 1710 allow ip from ${lan_ip},${mpls_ip} to ${lan_net},${mpls_net} keep-state

#TNT!
$cmd 1810 allow ip from any to me ${torrent_port}
$cmd 1815 allow ip from any to ${eng_ip} ${torrent_port}
# Full unproxied internet access for ${eng_ip}: the pattern to copy for other
# hosts that need direct access (use a number below 0030 to also bypass squid).
$cmd 1820 nat ${inet_nat} ip from ${eng_ip} to any keep-state

#LIGA
$cmd 1821 allow ip from any to me ${liga_port} keep-state
#in via ${ukrtel_mpls_if}
$cmd 1822 allow ip from any to ${liga_ip} ${liga_port}
# Uses nat instance 3, whose config line is commented out above — confirm it exists
$cmd 1823 nat ${ukrtel_mpls_nat} ip from ${liga_ip} ${liga_port} to any keep-state
#$cmd 1824 nat ${infjust_nat} ip from ${liga_ip} ${liga_port} to any keep-state


#PIB
#$cmd 1824 allow ip from any to ${pib_ip} ${pib_port}

$cmd 1825 nat ${inet_nat} ip from ${pib_ip} to any ${pib_port} keep-state


#edr
$cmd 1826 nat ${inet_nat} ip from ${edr_ip} to any ${edr_port} keep-state


#ut4
$cmd 1850 nat ${inet_nat} ip from me to any 27961 out via ${ukrtel_inet_if} keep-state

#GMAIL
$cmd 1900 nat ${inet_nat} ip from 192.168.0.102 to any 465,995 keep-state


#Remote control
#$cmd 3389 allow tcp from 192.168.0.108 to any 3389 keep-state

# Reject & Log all unauthorized connections (default deny; logged packets show
# up via the ipfw log facility for review)
$cmd 9000 deny log all from any to any
Автор: bga83
Дата сообщения: 04.04.2013 08:54
надо нечто в духе:

$cmd 0650 allow tcp from <локальный IP> to any setup keep-state

а вообще есть отдельная тема Firewall *nix: iptables, ipfw, pf etc...
дальнейшее обсуждение переноси туда



