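#!/bin/sh
#
# FreeBSD router bootstrap: builds the user-facing interface (either the LAN
# NIC or a bridge over a VLAN range), assigns its addresses, then installs the
# ipfw ruleset (safe zones, service blocks, captive-portal forward, NAT pool,
# shaper pipes, per-table default deny).
#
# Requires: root, ipfw(8) and if_bridge(4) available, FreeBSD ifconfig(8) and
# jot(1).  Runs unattended; diagnostics go to stderr.  A bad ENABLE_VLANS
# value aborts before any interface or rule is touched by the tail of the
# script.
set -u

die() { printf '%s\n' "$*" >&2; exit 1; }

# firewall command
# -q keeps add/nat/flush quiet, so a rejected rule is easy to overlook; watch
# stderr when running this by hand.
FwCMD="/sbin/ipfw -q"
# Flushing drops every rule at once.  Until the rules below are installed the
# kernel's compiled-in default applies (IPFIREWALL_DEFAULT_TO_ACCEPT or a
# default deny), so run this from the console or a session that default covers.
${FwCMD} -f flush

# Interfaces setup
LAN_IF="ix0"
WAN_IF="bce0"
INTERNAL_IP="10.0.0.1/24"
ENABLE_VLANS="YES"
BRIDGE_NAME="bridge0"
VLAN_INTERFACE=${LAN_IF}
VLAN_COUNT="10"
VLAN_FROM="20"

case "${ENABLE_VLANS}" in
YES)
  # Bridge interface creation.  Create it by name so the rest of the script
  # does not depend on the kernel handing out the unit number we assumed.
  /sbin/ifconfig "${BRIDGE_NAME}" create
  # casting VLANS and adding them to the bridge
  for i in $(jot "${VLAN_COUNT}" "${VLAN_FROM}"); do
    echo "Creating vlan: ${VLAN_INTERFACE}.${i}"
    /sbin/ifconfig "${VLAN_INTERFACE}.${i}" create
    /sbin/ifconfig "${VLAN_INTERFACE}.${i}" up
    echo "Adding vlan: ${VLAN_INTERFACE}.${i} to ${BRIDGE_NAME}"
    /sbin/ifconfig "${BRIDGE_NAME}" addm "${VLAN_INTERFACE}.${i}" up
    # private members do not forward to each other (see if_bridge(4)); this is
    # what keeps the per-VLAN users isolated from one another.
    /sbin/ifconfig "${BRIDGE_NAME}" private "${VLAN_INTERFACE}.${i}"
  done
  USER_INTERFACE=${BRIDGE_NAME}
  /sbin/ifconfig "${BRIDGE_NAME}" maxaddr 9000
  ;;
NO)
  USER_INTERFACE=${LAN_IF}
  ;;
*)
  # Without this arm a typo left USER_INTERFACE unset and every ifconfig and
  # ipfw line below ran against an empty interface name.
  die "ENABLE_VLANS must be YES or NO (got '${ENABLE_VLANS}')"
  ;;
esac

# manual MAC inherit
/sbin/ifconfig "${USER_INTERFACE}" ether 00:e0:ed:9c:9d:b3
# setting internal interface IP
/sbin/ifconfig "${USER_INTERFACE}" "${INTERNAL_IP}"
echo "Internal interface IP set to ${INTERNAL_IP}"
# alias addresses for the additional user networks
for alias_net in 10.0.1.1/24 10.0.2.1/24 10.0.3.1/24 172.31.0.254/24 172.16.0.254/24; do
  /sbin/ifconfig "${USER_INTERFACE}" alias "${alias_net}"
done

# Networks defines
# ipfw evaluates rules by number, not by the order they appear in this file:
# rule 4 runs before rule 45 even though it is added later.
# Users
${FwCMD} table 2 add 10.0.0.0/24
# Safe zones (management hosts that reach the router unconditionally)
${FwCMD} table 22 add 127.0.0.1
# The next prefix is redacted on the page ("*" placeholders); it is quoted so
# the shell cannot glob-expand it against files in the current directory.
${FwCMD} table 22 add "185.*.*.*"
${FwCMD} table 22 add 192.168.99.0/24
# Safe zones allow policy
${FwCMD} add 45 allow ip from 'table(22)' to me
${FwCMD} add 45 allow ip from me to 'table(22)'
# ssh access.
#${FwCMD} add 46 deny ip from any to me dst-port 22
#${FwCMD} add 46 deny ip from me to any src-port 22
# mysql access: only table(22) hosts (rule 45) get past these
${FwCMD} add 47 deny ip from any to me dst-port 3306
${FwCMD} add 47 deny ip from me to any src-port 3306
# sgconf access
${FwCMD} add 48 deny ip from any to me dst-port 5555
${FwCMD} add 48 deny ip from me to any src-port 5555
# user-facing services on the internal interface
${FwCMD} add 4 allow ip from 'table(2)' to me dst-port 80 via "${USER_INTERFACE}"
${FwCMD} add 4 allow ip from me to 'table(2)' src-port 80 via "${USER_INTERFACE}"
# Rule 5 matches on the *source* port only, so any host on the user side can
# satisfy it by sending from port 53/67/68; it is kept as-is, but restricting
# it to the DHCP/DNS servers' addresses would close that gap.
${FwCMD} add 5 allow udp from any 67,68,53 to any via "${USER_INTERFACE}"
${FwCMD} add 7 allow ip from 'table(2)' to me dst-port 53 via "${USER_INTERFACE}"
${FwCMD} add 7 allow udp from me 53 to 'table(2)' via "${USER_INTERFACE}"
${FwCMD} add 12 allow ip from 'table(2)' to me dst-port 2222 via "${USER_INTERFACE}"
${FwCMD} add 12 allow ip from me to 'table(2)' src-port 2222 via "${USER_INTERFACE}"
# DENY NETBIOS
${FwCMD} add 1100 deny udp from any to any 137,138 via "${USER_INTERFACE}"
${FwCMD} add 1100 deny tcp from any to any 135,139 via "${USER_INTERFACE}"
# UHW: redirect outbound web traffic from the 172.31.0.0/24 segment to the
# local portal (rule 10 fires before the safe-zone rules at 45).
${FwCMD} add 10 fwd 127.0.0.1,80 ip from 172.31.0.0/24 to not me dst-port 80
# NAT-POOL (external address redacted on the page, quoted for the same reason
# as the table 22 entry above)
${FwCMD} nat 1 config log ip "37.*.*.*" reset same_ports
${FwCMD} add 6000 nat tablearg ip from 'table(66)' to any via "${WAN_IF}"
${FwCMD} add 6001 nat tablearg ip from any to 'table(67)' via "${WAN_IF}"
####### Abons address ############# Which number nat
${FwCMD} table 66 add 10.0.0.0/24 1
#################### EXTERNAL IP # NAT NUMBER
${FwCMD} table 67 add "37.*.*.*" 1
# Shaper - table 4 download speed, table 3 - upload speed (tablearg = pipe nr)
${FwCMD} add 12001 pipe tablearg ip from any to 'table(4)' via "${USER_INTERFACE}" out
${FwCMD} add 12000 pipe tablearg ip from 'table(3)' to any via "${USER_INTERFACE}" in
# default block policy: user networks are denied unless an earlier rule
# allowed them; everything else is allowed by the final rule, i.e. the WAN
# side is default-accept and relies on rules 47/48 alone for the router's
# own services.
${FwCMD} add 65533 deny all from 'table(2)' to any via "${USER_INTERFACE}"
${FwCMD} add 65534 deny all from any to 'table(2)' via "${USER_INTERFACE}"
# NOTE(review): 65535 is ipfw's reserved default rule; confirm this add is
# accepted on the target release, otherwise the effective default is the
# kernel's IPFIREWALL_DEFAULT_TO_ACCEPT setting rather than this line.
${FwCMD} add 65535 allow all from any to any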