Прочёл тучу всяких док (man, handbook, инет) и получили вот такие правили.
Наверняка, что-нибудь упустил, а что-нибудь сделал не так. Ткните. ;-)
1. И ещё не очень понятно с frag - одни убивают такие пакеты, другие, наоборот, разрешают? А как лучше?
2. Некоторые добавляют в правила established и setup. Не очень понятно, в какие правила стоит их добавить.
локалка: iif - inside if, inet - inside net
интернет: oif - outside if, onet - outside net
# Check dynamic rules
${fwcmd} add check-state
# Stop spoofing
${fwcmd} add deny ip from ${inet} to any in via ${oif}
${fwcmd} add deny ip from ${onet} to any in via ${iif}
# Deny all traffic with non-routable reserved addresses on the outside interface
${fwcmd} add deny ip from any to 172.16.0.0/12 via ${oif} #RFC 1918 private IP
${fwcmd} add deny ip from any to 192.168.0.0/16 via ${oif} #RFC 1918 private IP
${fwcmd} add deny ip from any to 10.0.0.0/8 via ${oif} #RFC 1918 private IP
${fwcmd} add deny ip from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny ip from any to 169.254.0.0/16 via ${oif} #DHCP auto-config
${fwcmd} add deny ip from any to 192.0.2.0/24 via ${oif} #reserved for docs
${fwcmd} add deny ip from any to 224.0.0.0/4 via ${oif} #Class D & E multicast
${fwcmd} add deny ip from any to 240.0.0.0/4 via ${oif}
# Rules for lo0
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add deny ip from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
# Rules for ppp0
# Через ppp0 хожу только я, а себе доверяю. Или всё равно лучше что-нибудь дописать?
${fwcmd} add allow ip from any to any via ppp0 keep-state
# Stop some ICMP pakets and allow other
${fwcmd} add allow icmp from any to any in not icmptype 5,9,13,14,15,16,17
# Allow all outgoing from server
${fwcmd} add allow ip from ${oip} to any keep-state
${fwcmd} add allow ip from ${iip} to any keep-state
# Allow access to our services
${fwcmd} add allow ip from any to ${oip} ftp\\-data,ftp,49152-65535,ssh,smtp,domain,http,https,pop3,pop3s,imap,imaps,24554 keep-state
${fwcmd} add allow ip from any to ${iip} ftp\\-data,ftp,49152-65535,ssh,smtp,domain,http,https,pop3,pop3s,imap,imaps,24554 keep-state
############
# Rules for gateway only
#
case ${natd_enable} in [Yy][Ee][Ss])
# Forward http queries to Squid
#${fwcmd} add fwd ${iip},3128 tcp from ${inet} to any http out via ${oif}
# Block access to foreign smtp
${fwcmd} add deny ip from ${inet} to not ${iip},${oip} smtp
# Network Address Translation
#Какая из этих 3-х строчек будет работать я сейчас проверить не могу, так что пока здесь все три
${fwcmd} add divert natd ip from ${inet} to any out via ${oif}
#${fwcmd} add divert natd ip from ${inet} to any in via ${iif}
#${fwcmd} add divert natd all from any to any via ${oif}
# Allow users to have Internet
${fwcmd} add allow ip from ${inet} to any setup keep-state
esac
# Reject & log all setup of incoming connections
${fwcmd} add deny log ip from any to any