Blue Forest http://www.lslnet.com at 20:18 on April 6, 2006
FreeBSD+ipf as a gateway, please help (original post)

The Internet cafe's server has been under virus attack for the past few days, and the firewall and antivirus firewall we installed are useless, so I thought of using FreeBSD as the gateway. I started with IPFW; strangely, I built the kernel options but could not get natd started at all, so some friends suggested ipf. I do not really understand IPF, and I have been out these days with no time to study it carefully, so I hope some friend can post configuration files.
Setup: FreeBSD 5.4R
dc0 -> external NIC, 192.168.0.222 (first testing in a small room with two machines)
dc1 -> internal, 192.168.1.1
and let the machine 192.168.1.85 get out through the transparent proxy.
Only basic Internet access (transparent proxy) is needed; IPF is already configured in the kernel.
(Did it yesterday, read a lot of material online, never got it to work.)
The cafe has about 100 machines. Thanks to all friends.
Originally I wanted to get simple Internet access working first, study IPF afterwards and then add rules, but even the most basic proxy did not work; there is no way around it, please help.
Here is one that uses ADSL, for reference:

2.1 Create and configure the IPF rules
# ee /etc/ipf.conf
==================================ipf.conf==================================
#
#  +-----------+     +------------------------------+     +------------------+
#  | ADSL-Modem|-----| rl0/tun0     NAT+IPF     xl0 |-----| Internal Network |
#  +-----------+     +------------------------------+     +------------------+
#
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Interface: all
# Block all incoming and outgoing packets unless they're allowed later.
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
block in all
block out all
# Possibly dangerous: packets with ip-options, short and fragmented packets
block in log quick on tun0 proto icmp from any to any
block in log quick all with short
block in log quick all with ipopts
block in log quick all with frag
block in log quick all with opt lsrr
block in log quick all with opt ssrr
# Local network traffic is allowed
pass out quick on lo0
pass in quick on lo0
pass out quick on xl0
pass in quick on xl0
# Block unlikely faked or "local" addresses
block in log quick on tun0 from 192.168.0.0/16 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 192.0.2.0/24 to any
block in log quick on tun0 from 0.0.0.0/8 to any
block in log quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 169.254.0.0/16 to any
block in log quick on tun0 from 224.0.0.0/3 to any
block in log quick on tun0 from 204.152.64.0/23 to any
# Block outgoing unlikely faked or "internal" addresses
block out log quick on tun0 from any to 192.168.0.0/16
block out log quick on tun0 from any to 172.16.0.0/12
block out log quick on tun0 from any to 10.0.0.0/8
block out log quick on tun0 from any to 127.0.0.0/8
block out log quick on tun0 from any to 0.0.0.0/8
block out log quick on tun0 from any to 169.254.0.0/16
block out log quick on tun0 from any to 192.0.2.0/24
block out log quick on tun0 from any to 204.152.64.0/23
block out log quick on tun0 from any to 224.0.0.0/3
# The pass rules to enable services
pass in on tun0 proto tcp from any to any port = 20 flags S keep state
pass in on tun0 proto tcp from any to any port = 21 flags S keep state
pass in on tun0 proto tcp from any to any port = 22 flags S keep state
pass in on tun0 proto tcp from any to any port = 25 flags S keep state
pass in on tun0 proto tcp from any to any port = 80 flags S keep state
pass in on tun0 proto tcp from any to any port = 110 flags S keep state
pass in on tun0 proto tcp from any to any port = 443 flags S keep state
pass in on tun0 proto tcp from any to any port 55000 >< 56000 flags S keep state
# The general pass rules
pass out quick on tun0 proto tcp from any to any flags S/SAFR keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags
pass out quick on tun0 proto icmp from any to any keep state keep frags
==================================ipf.conf==================================
# ee /etc/ipnat.conf
=================================ipnat.conf=================================
map tun0 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map tun0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map tun0 192.168.0.0/24 -> 0.0.0.0/32
=================================ipnat.conf=================================

3.1 Make IPF start automatically
# vi /usr/local/etc/rc.d/ipf.sh
#!/bin/sh
# flush all existing filter rules (-Fa) and load the ruleset (-f)
/sbin/ipf -Fa -f /etc/ipf.conf
# clear (-C) and flush (-F) the NAT table, then load the NAT rules (-f)
/sbin/ipnat -CF -f /etc/ipnat.conf
# chmod 755 /usr/local/etc/rc.d/ipf.sh
Please see the pinned articles in the digest column.
Thanks. The two posts above are the best I have seen, but after setting it up it does not work: the host itself can get on the Internet, but the client machines cannot.
With this configuration, will the cafe's QQ and other online games be affected?
My external NIC is dc0 and the internal one is dc1.
# Local network traffic is allowed
pass out quick on lo0
pass in quick on lo0
pass out quick on dc0
pass in quick on dc0
I applied the security-measures part directly as given; can the second half be changed to this?
# The pass rules to enable services
pass in on dc0 proto tcp from any to any port = 20 flags S keep state
pass in on dc0 proto tcp from any to any port = 21 flags S keep state
pass in on dc0 proto tcp from any to any port = 22 flags S keep state
pass in on dc0 proto tcp from any to any port = 25 flags S keep state
pass in on dc0 proto tcp from any to any port = 80 flags S keep state
pass in on dc0 proto tcp from any to any port = 110 flags S keep state
pass in on dc0 proto tcp from any to any port = 443 flags S keep state
pass in on dc0 proto tcp from any to any port 55000 >< 56000 flags S keep state
# The general pass rules
pass out quick on dc0 proto tcp from any to any flags S/SAFR keep state keep frags
pass out quick on dc0 proto udp from any to any keep state keep frags
pass out quick on dc0 proto icmp from any to any keep state keep frags
==================================ipf.conf==================================
# ee /etc/ipnat.conf
=================================ipnat.conf=================================
map dc0 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map dc0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map dc0 192.168.0.0/24 -> 0.0.0.0/32
=================================ipnat.conf=================================
3.1 Make IPF start automatically
# vi /usr/local/etc/rc.d/ipf.sh
#!/bin/sh
/sbin/ipf -Fa -f /etc/ipf.conf
/sbin/ipnat -CF -f /etc/ipnat.conf
# chmod 755 /usr/local/etc/rc.d/ipf.sh
At startup, doesn't 5.4R start IPF directly? Can /etc/ipf.rules and ipnat.conf be started directly from rc.conf?
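The ruleset in the post above reuses the ADSL example's interface and subnet (dc0 everywhere, 192.168.0.0/24) although the poster says dc0 is the external NIC, dc1 the internal one and the LAN is 192.168.1.0/24. The script below is an added example, not code from this thread: it checks an ipf.conf / ipnat.conf pair against a stated topology and reports the three mismatches that can produce exactly the symptom described (gateway online, clients not). The rule excerpts it runs on are constructed from the posted text and embedded so it runs offline; the function name and the temporary-file layout are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: check an ipf.conf / ipnat.conf pair
# against the topology the poster states (dc0 = external, dc1 = internal,
# LAN 192.168.1.0/24). The rule text below is a constructed excerpt of the
# poster's second ruleset, embedded so the script runs without a FreeBSD box.

# check_ipf_topology WAN_IF LAN_IF LAN_NET IPF_CONF IPNAT_CONF
# Prints one WARN line per finding; the return value is the number of findings.
check_ipf_topology() {
    wanif=$1; lanif=$2; lan=$3; conf=$4; nat=$5
    n=0
    # 1. An unconditional "pass ... quick on <external>" defeats the stateful
    #    policy on the Internet-facing interface: everything is let through.
    if grep -Eq "^pass (in|out) quick on $wanif *$" "$conf"; then
        echo "WARN: unconditional pass on external interface $wanif"
        n=$((n + 1))
    fi
    # 2. Without a pass-in rule on the LAN interface, "block in all" drops the
    #    clients' packets on the way in; the gateway's own traffic still works.
    if ! grep -Eq "^pass in quick on $lanif *$" "$conf"; then
        echo "WARN: no pass-in rule on internal interface $lanif"
        n=$((n + 1))
    fi
    # 3. A map rule only rewrites packets whose source lies inside its prefix,
    #    so the NAT source network must be the real LAN prefix.
    if ! grep -Fq "map $wanif $lan ->" "$nat"; then
        echo "WARN: no map rule translating $lan on $wanif"
        n=$((n + 1))
    fi
    return "$n"
}

tmp=${TMPDIR:-/tmp}/ipfcheck.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the rules as posted, with the upstream example's
# interface (dc0 everywhere) and subnet (192.168.0.0/24) left unchanged.
cat > "$tmp/ipf.conf" <<'EOF'
block in all
block out all
pass out quick on lo0
pass in quick on lo0
pass out quick on dc0
pass in quick on dc0
pass in on dc0 proto tcp from any to any port = 22 flags S keep state
pass out quick on dc0 proto tcp from any to any flags S/SAFR keep state keep frags
EOF
cat > "$tmp/ipnat.conf" <<'EOF'
map dc0 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map dc0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map dc0 192.168.0.0/24 -> 0.0.0.0/32
EOF

# Constructed corrected pair: LAN pass rules on dc1, NAT source 192.168.1.0/24.
cat > "$tmp/ipf.fixed.conf" <<'EOF'
block in all
block out all
pass out quick on lo0
pass in quick on lo0
pass out quick on dc1
pass in quick on dc1
pass in on dc0 proto tcp from any to any port = 22 flags S keep state
pass out quick on dc0 proto tcp from any to any flags S/SAFR keep state keep frags
EOF
cat > "$tmp/ipnat.fixed.conf" <<'EOF'
map dc0 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map dc0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map dc0 192.168.1.0/24 -> 0.0.0.0/32
EOF

echo "== as posted =="
check_ipf_topology dc0 dc1 192.168.1.0/24 "$tmp/ipf.conf" "$tmp/ipnat.conf" \
    && echo "-> no findings" || echo "-> $? finding(s)"
echo "== corrected =="
check_ipf_topology dc0 dc1 192.168.1.0/24 "$tmp/ipf.fixed.conf" "$tmp/ipnat.fixed.conf" \
    && echo "-> no findings" || echo "-> $? finding(s)"
```

Run it as `sh check.sh`; the posted pair yields three findings and the corrected pair none. The checks are deliberately literal (line-anchored grep on the interface name), which is enough for a hand-written ruleset; on a real box, follow up with `ipf -n -f /etc/ipf.conf` to have ipf parse the file without loading it.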
Or it can be written directly in /etc/rc.conf, or put in the sh script.
If the firewall blocks QQ's local port, it will not work.
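For the rc.conf question raised above, the fragment below is an added example, not something posted in the thread: it is what the stock FreeBSD 5.x rc framework expects in /etc/rc.conf to load the filter and NAT rules at boot, which makes the hand-written /usr/local/etc/rc.d/ipf.sh unnecessary. The file paths follow the poster's /etc/ipf.conf and /etc/ipnat.conf; the ipmon entry is an assumption added so that the `block ... log` rules in the ruleset actually end up in syslog.

```shell
# Added example: /etc/rc.conf entries for ipfilter on FreeBSD 5.x.
# Not from the thread; paths match the poster's files, ipmon is an assumption.
gateway_enable="YES"            # forward packets between dc0 and dc1
ipfilter_enable="YES"           # load the filter rules at boot (replaces ipf.sh)
ipfilter_rules="/etc/ipf.conf"
ipnat_enable="YES"              # load the NAT rules at boot
ipnat_rules="/etc/ipnat.conf"
ipmon_enable="YES"              # ipmon writes the "block ... log" hits to syslog
ipmon_flags="-Ds"
```

With these in place the rules are loaded by /etc/rc.d/ipfilter and /etc/rc.d/ipnat during boot, and `ipf -V` and `ipnat -l` confirm afterwards that the filter is active and the map rules are installed.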