Example script for automatic dummynet setup in FreeBSD
Written by Алхимик
Thursday, 10 April 2008

An automatic setup script for a firewall (ipfw) + shaper (dummynet)
for a two-interface gateway machine running FreeBSD. The script assumes that
apart from the internet gateway no other services run on the machine; otherwise
you will have to make the corresponding changes in the firewall. The script
includes support for the dummynet shaper. All configuration is expressed as
access lists, which makes firewall setup easier for an inexperienced user, and
some optimization is provided that disables unused rules. Several other useful
things are also implemented (see the comments in the script itself). Otherwise
the script is based on the standard /etc/rc.firewall.

As for the use of dummynet: the channel setup may not be optimal, but it is
perfectly usable as a working variant (see man ipfw, man dummynet for tuning).

The script uses duplex channel emulation with a separate bandwidth setting for
each direction, with the user channels then grouped into a collective pipe. User
IP addresses can be grouped into an arbitrary number of groups (the script
implements 3 groups; the number of groups is easy to increase), and the channel
width can then be set for each group individually.

And a few other things: see the comments in the script.

The script is given with an example working configuration (the IP addresses are fictitious).

P.S. Maybe someone will like it, or it will even help :)
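The per-user pipes grouped into a collective pipe, as described above, only work if each pipe is configured with the right dummynet mask; the visible part of the script sets the pipe numbers, bandwidths and queue sizes, but the `ipfw pipe config` step is not shown in this excerpt. The following is an added example, not the author's rc.firewall: a dry-run generator (in the same `ipfw_cmd="echo ipfw"` style the script uses in testmode) that emits the `pipe config` commands for a shaped user group and the collective users pipe, skipping groups whose ACL is empty. The values for group 1 and the collective pipe are the page's own; `unused_group_acl` and its pipe numbers 2041/2042 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original rc.firewall.
# Emits dummynet `pipe config` commands in the dry-run style the script uses
# in testmode (ipfw_cmd="echo ipfw"); replace with /sbin/ipfw to apply them.
ipfw_cmd="echo ipfw"

# True (exit 0) if an ACL in the script's format holds at least one entry
# that is not a `#comment` word. Pure shell, no grep process per entry.
acl_nonempty() {
  for entry in $1; do
    case "$entry" in
      \#*) ;;                 # comment word, ignore
      *) return 0 ;;          # a real address or CIDR entry
    esac
  done
  return 1
}

# Configure one user group's pipes. A /32 mask on the user's address makes
# dummynet keep a separate flow queue per user inside a single pipe, so the
# `bw` value applies to every user individually rather than to the group.
# Incoming traffic (seen on the outside interface) is keyed by destination,
# outgoing traffic (seen on the inside interface) by source.
# Usage: config_user_group_pipes "<acl>" <pipe_in> <pipe_out> <bw_in> <bw_out> <q_in> <q_out>
config_user_group_pipes() {
  acl_nonempty "$1" || return 0   # unused group: no pipe, like the script's *_ne_flag
  ${ipfw_cmd} pipe "$2" config bw "$4" queue "$6" mask dst-ip 0xffffffff
  ${ipfw_cmd} pipe "$3" config bw "$5" queue "$7" mask src-ip 0xffffffff
}

# The collective pipe has no mask: every user of every shaped group shares
# one queue, so their summary bandwidth is capped here.
# Usage: config_collective_pipe <pipe_in> <pipe_out> <bw_in> <bw_out> <q_in> <q_out>
config_collective_pipe() {
  ${ipfw_cmd} pipe "$1" config bw "$3" queue "$5"
  ${ipfw_cmd} pipe "$2" config bw "$4" queue "$6"
}

# Constructed sample ACLs in the script's format: the page's user group 1
# ("slow") plus a group that contains only a comment, to show it being skipped.
shaped_users_g1_acl="
#looosers
192.168.20.0/24
192.168.21.1
192.168.21.2
"
unused_group_acl="
#nobody_here
"

# Page's values for user group 1 and the collective users pipe;
# 2041/2042 are constructed numbers for the unused group.
config_user_group_pipes "${shaped_users_g1_acl}" 2011 2012 160Kbit/s 160Kbit/s 18 18
config_user_group_pipes "${unused_group_acl}" 2041 2042 1Mbit/s 1Mbit/s 30 30
config_collective_pipe 2901 2902 768Kbit/s 768Kbit/s 50 50
```

Pipes configured this way only take effect when rules such as the script's `add pipe <num> ... tagged <num>` send traffic through them.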


#   /etc/rc.firewall
#   Firewall (ipfw) + shaper (dummynet) for gateway host (with natd)
#   Automated ipfw setup script for FreeBSD
#   v 0.7
#   (CopyLeft) Pavel Ustyugov aka Pahanivo
#
################################################################################
#
#   !!! WARNING !!!
#
#   Misconfiguring the firewall can put your computer in an unusable state,
#   possibly shutting down network services and requiring console access to
#   regain control of it.
#
################################################################################
#
#   Usage:
#   make your own settings
#   copy this file to /etc/rc.firewall
#   cd /etc
#   ./netstart &
#
#   For testing use (only shows the list of rules, does not apply
#   them to the current firewall):
#   cd /etc
#   chmod 744 rc.firewall
#   ./rc.firewall testmode
#   Warning: if you run ./rc.firewall without arguments or with any other
#   argument, the firewall will be reloaded and the settings applied.
#
################################################################################
#
#   Before using this firewall you need to compile the kernel with these options
#   (or load some of them as modules):
#
#   #IPFW (required)
#   options IPFIREWALL
#   #enable verbose mode (for `log` options, optional)
#   options IPFIREWALL_VERBOSE
#   #enable forward rules (optional)
#   options IPFIREWALL_FORWARD
#   #default rule - allow any to any (optional)
#   options IPFIREWALL_DEFAULT_TO_ACCEPT
#
#   #divert socket (required for natd)
#   options IPDIVERT
#
#   #dummynet shaper (required, if you want use shaper)
#   options DUMMYNET
#   #enable device polling (recommended)
#   #you need to enable polling on the interface too - man polling
#   options DEVICE_POLLING
#   #polling frequency (strongly recommended)
#   options HZ=1000 (or HZ=2000)
#
################################################################################
#
#   Shaper scheme (for incoming traffic)
#   ##############################
#
# --------------------external interface / incoming traffic---------------------
#    >                                                                         >
#    >    Unrestricted external resources group                                >
#    >      res1->all_users >=================== unlimit ====================> >
#    >      res2->all_users >=================== unlimit ====================> >
#    >      ...                                                                >
#    >                                                                         >
#    >    Unrestricted users group                                             >
#    >      internet->users1 >================== unlimit ====================> >
#    I      internet->users2 >================== unlimit ====================> >
#    N      ...                                                                >
#    C                                                                         >
#    O    Restricted external resources groups                                 >
#    M      Group 1                                 ---+                       >
#    I      res1_1->all_users \                         \                      >
#    N      res1_2->all_users  >==2048Kbit/s per user==> \                     >
#    G      res1_3->all_users /                           +-----------------\  >
#    >      Group 2                                        10240Kbit/s total > >
#    >      res2_1->all_users \                           +-----------------/  >
#    >      res2_2->all_users  >==1024Kbit/s per user==> /                     >
#    T      res3_3->all_users /                         /                      >
#    R      ...                                     ---+                       >
#    A                                                                         >
#    F    Restricted users groups                                              >
#    F      Group 1                                 ---+                       >
#    I      internet->user1_1 \                         \                      >
#    C      internet->user1_2  >==128Kbit/s per user==>  \                     >
#    >      internet->user1_3 /                           +-----------------\  >
#    >      Group 2                                        1024Kbit/s total  > >
#    >      internet->user2_1 \                           +-----------------/  >
#    >      internet->user2_2  >==256Kbit/s per user==>  /                     >
#    >      internet->user2_3 /                         /                      >
#    >      ...                                     ---+                       >
#    >                                                                         >
#    >    Other ungrouped traffic >============= unlimit ====================> >
#    >                                                                         >
# --------------------external interface / incoming traffic---------------------
#
#   The scheme for outgoing traffic is exactly analogous, but the outgoing shaper
#   works on the internal interface and all traffic directions in the scheme are
#   inverted. Bandwidth for the incoming and outgoing shapers is set up separately.
#
################################################################################
# Setup
################################################################################

    #Prepare to work
    ##############################

    #Before using this script it is recommended to set net.inet.ip.fw.autoinc_step=5
    #or less. Use sysctl or /etc/sysctl.conf

    #System paths
    ipfw_cmd="/sbin/ipfw"
    grep_cmd="/usr/bin/grep"
    dev_null="/dev/null"

################################################################################
  
    #IPFW interfaces setup   
    ##############################

    #Interfaces setup
   
    #Outside interface setup
    oif="xl0"
    onet="123.123.32.0"
    omask="255.255.255.248"
    oip="123.123.32.1"

    #Inside interface setup
    iif="fxp0"
    inet="192.168.0.0"
    imask="255.255.0.0"
    iip="192.168.0.1"

################################################################################

    #Access lists setup
    ##############################

    #ACL - list of allowed (or denied) IPs or networks in CIDR notation.
    #An ACL may contain comments, but every comment in an ACL must begin with `#`
    #and must not contain any space characters (ACLs are processed word by word).
    #ACLs may be used in any of the script's loops (see below).
    #Any of these ACLs may be loaded from a file. Use a "`cat /path/file_name`"
    #command inside the ACL to load it from a file.
    #Example:
    #  pass_lan_users_acl="
    #  10.0.1.0/24
    #  10.0.2.0/24
    #  `cat /etc/ALLOWED_USERS`
    #  "

    #Denied external hosts

    #You can use this to stop attacks from outside.
    deny_wan_hosts_acl="
    #flooder
    123.123.0.233
    "

    #From LAN to Internet access

    #Denied IPs are processed before allowed ones. Access is allowed for all IPs in
    #the allowed ACL except the IPs in the denied ACL.

    #Denied LAN users
    deny_lan_users_acl="
    #stupids
    192.168.10.15
    192.168.10.33
    "

    #Allowed LAN users
    pass_lan_users_acl="
    192.168.0.0/16
    "

    #Anti-spambot protection

    #Reject all connections from the LAN (incoming on the inside interface) to any
    #external SMTP server, except the allowed servers (yes or no)
    anti_spambot_enable="yes"

    #Allowed SMTP servers
    #If this ACL is empty, the anti-spambot feature will be disabled automatically,
    #and traffic to any SMTP server will be allowed.
    anti_spambot_allowed_servers_acl="
    #own_smtp_relay
    123.123.32.2
    #own_smtp_relay
    123.123.32.3
    #provider_smtp_relay
    123.123.0.11
    "

    #SSH

    #SSH access to this server from outside
    pass_ssh_acl="
    #admin1
    124.124.124.124
    #admin2
    125.125.125.125
    "

    #Shaper's ACLs

    #Enable shaper (yes or no)
    shaper_enable="yes"

    #Not shaped external resources
    #All LAN users will have unlimited bw to and from these IPs.
    not_shaped_ext_res_acl="
    #own_smtp_relay
    123.123.32.2
    #own_smtp_relay
    123.123.32.3
    #provider_smtp_relay
    123.123.0.11
    "

    #Not shaped users
    #These users will have unlimited bw from and to anywhere.
    not_shaped_users_acl="
    #Admin's_net
    192.168.33.0/24
    "

    #Shaped external resources - similar to `shaped users` (see below), but for
    #specific external hosts only. Traffic matching this shaper is not processed by
    #`shaped users`.

    #External resource group 1
    shaped_ext_res_g1_name="own_dataservers"
    shaped_ext_res_g1_acl="
    #own_dataservers
    123.123.32.4
    123.123.32.5
    "

    #External resource group 2
    shaped_ext_res_g2_name="isp_dataservers"
    shaped_ext_res_g2_acl="
    #isp_dataservers
    123.123.0.2
    123.123.0.3
    123.123.0.4
    "

    #External resource group 3
    shaped_ext_res_g3_name="servers_3"
    shaped_ext_res_g3_acl="
    "

    #Add more groups below
    #...

    #Shaped users - will have restricted bw. Other allowed users will have unlimited
    #bw from any to any (except to shaped external resources). Shaped users are
    #separated into groups. See below for the restrictions setup for all groups.
    #Groups are processed in succession: group 1, group 2 etc. Inside a group, IPs are
    #processed in list order. Once an IP (or subnet) has been processed it will not be
    #processed again, so overlaps inside a group and between groups are not a problem.

    #User group 1
    shaped_users_g1_name="slow"
    shaped_users_g1_acl="
    #looosers
    192.168.20.0/24
    192.168.21.1
    192.168.21.2
    "

    #User group 2
    shaped_users_g2_name="fast"
    shaped_users_g2_acl="
    #BOSS
    192.168.0.5
    "

    #User group 3
    shaped_users_g3_name="default"
    shaped_users_g3_acl="
    192.168.0.0/16
    "

    #Add more groups below
    #...

################################################################################

    #Pipes setup (shaper)
    ##############################

    #Shaped external resources
   
    #External resources group 1
    #Pipe's number
    shaped_ext_res_g1_pipe_num_in="1011"
    shaped_ext_res_g1_pipe_num_out="1012"
    #BW
    shaped_ext_res_g1_bw_in="3Mbit/s"
    shaped_ext_res_g1_bw_out="3Mbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_ext_res_g1_q_in="50"
    shaped_ext_res_g1_q_out="50"

    #External resources group 2
    #Pipe's number
    shaped_ext_res_g2_pipe_num_in="1021"
    shaped_ext_res_g2_pipe_num_out="1022"
    #BW
    shaped_ext_res_g2_bw_in="1024Kbit/s"
    shaped_ext_res_g2_bw_out="1024Kbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_ext_res_g2_q_in="50"
    shaped_ext_res_g2_q_out="50"

    #External resources group 3
    #Pipe's number
    shaped_ext_res_g3_pipe_num_in="1031"
    shaped_ext_res_g3_pipe_num_out="1032"
    #BW
    shaped_ext_res_g3_bw_in="512Kbit/s"
    shaped_ext_res_g3_bw_out="512Kbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_ext_res_g3_q_in="40"
    shaped_ext_res_g3_q_out="40"   

    #Add more groups below
    #...
   
    #Collective external resources' pipe (max allowed total bw for
    #external resources, except not shaped ones).
    #Pipe's number
    sum_shaped_ext_res_pipe_num_in="1901"
    sum_shaped_ext_res_pipe_num_out="1902"
    #BW
    sum_shaped_ext_res_bw_in="6Mbit/s"
    sum_shaped_ext_res_bw_out="6Mbit/s"   
    #Queue size, in slots or KBytes (see man ipfw)
    sum_shaped_ext_res_q_in="50"
    sum_shaped_ext_res_q_out="50"

    #Personal pipe for each user (with separate by group)

    #User group 1
    #Pipe's number
    shaped_users_g1_pipe_num_in="2011"
    shaped_users_g1_pipe_num_out="2012"
    #BW
    shaped_users_g1_bw_in="160Kbit/s"
    shaped_users_g1_bw_out="160Kbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_users_g1_q_in="18"
    shaped_users_g1_q_out="18"

    #User group 2
    #Pipe's number
    shaped_users_g2_pipe_num_in="2021"
    shaped_users_g2_pipe_num_out="2022"
    #BW
    shaped_users_g2_bw_in="512Kbit/s"
    shaped_users_g2_bw_out="512Kbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_users_g2_q_in="40"
    shaped_users_g2_q_out="40"

    #User group 3
    #Pipe's number
    shaped_users_g3_pipe_num_in="2031"
    shaped_users_g3_pipe_num_out="2032"
    #BW
    shaped_users_g3_bw_in="256Kbit/s"
    shaped_users_g3_bw_out="256Kbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_users_g3_q_in="25"
    shaped_users_g3_q_out="25"

    #Add more groups below
    #...

    #Collective users' pipe (max allowed total bw for users, except not
    #shaped ones).
    #Pipe's number
    sum_shaped_users_pipe_num_in="2901"
    sum_shaped_users_pipe_num_out="2902"
    #BW
    sum_shaped_users_bw_in="768Kbit/s"
    sum_shaped_users_bw_out="768Kbit/s"   
    #Queue size, in slots or KBytes (see man ipfw)
    sum_shaped_users_q_in="50"
    sum_shaped_users_q_out="50"

################################################################################

    #Numeration
    ##############################

    #All ipfw rules are split into sections. The first rule in each section
    #begins at a fixed number. All other rules are numbered by ipfw, taking
    #net.inet.ip.fw.autoinc_step into account. This script uses `skipto` rules,
    #which is why fixed numbers are needed. Usually you don't need to change these
    #values, unless you have problems with a large quantity of rules.

    f_num_acb=1000   
    f_num_aacb=2000
    f_num_outshb=3000
    f_num_routshb=4000
    f_num_routshb_inj=5500
    f_num_uoutshb=6000
    f_num_uoutshb_inj=7500
    f_num_natb=8000
    f_num_inshb=9000
    f_num_rinshb=10000
    f_num_rinshb_inj=11500
    f_num_uinshb=12000
    f_num_uinshb_inj=13500
    f_num_stdb=14000
    f_num_pcb=30000 # please read below about this
    f_num_lastb=40000

################################################################################
   
    #Auto-config
    ##############################
   
    for loop in \
      ${shaped_ext_res_g1_acl} \
      ${shaped_ext_res_g2_acl} \
      ${shaped_ext_res_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        shaped_ext_res_ne_flag="yes"
        break
      fi
    done

    for loop in \
      ${shaped_users_g1_acl} \
      ${shaped_users_g2_acl} \
      ${shaped_users_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        shaped_users_ne_flag="yes"
        break
      fi
    done

    for loop in ${anti_spambot_allowed_servers_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        anti_spambot_allowed_servers_ne_flag="yes"
        break
      fi
    done

    if [ -z ${anti_spambot_allowed_servers_ne_flag} ]; then
      anti_spambot_enable="no"
    fi
   
    if [ -z ${shaped_ext_res_ne_flag} ] && [ -z ${shaped_users_ne_flag} ]; then
      shaper_enable="no"
    fi

    if [ "$1" = "testmode" ]; then
      ipfw_cmd="echo ipfw"
    fi

################################################################################
# Firewall rules
################################################################################

    #Flush all before set new rules
    ${ipfw_cmd} -f flush
    ${ipfw_cmd} -f pipe flush
    ${ipfw_cmd} -f queue flush

################################################################################

    #Loopback rules (required)
    ${ipfw_cmd} add pass all from any to any via lo0 // loopback
    ${ipfw_cmd} add deny all from any to 127.0.0.0/8 // loopback
    ${ipfw_cmd} add deny all from 127.0.0.0/8 to any // loopback

###############################################################################

    # Stop spoofing
    ${ipfw_cmd} add deny all from ${inet}:${imask} to any in via ${oif} // anti-spoofing
    ${ipfw_cmd} add deny all from ${onet}:${omask} to any in via ${iif} // anti-spoofing

###############################################################################

    #Access control
    ##############################

    #Denied external hosts

    #Apply deny_wan_hosts_acl
    for loop in ${deny_wan_hosts_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add deny all from $loop to any in via ${oif} // denied WAN IPs
      fi
    done

    #Skip all incoming traffic up to divert rules
    ${ipfw_cmd} add skipto ${f_num_natb} all from any to any in via ${oif} // skip incoming traffic up to NAT

    #Allow ICMP for all from inside
    ${ipfw_cmd} add skipto ${f_num_outshb} icmp from ${inet}:${imask} to any in via ${iif} // allow ICMP for any from inside

    #Access from LAN

    ${ipfw_cmd} add ${f_num_acb} count all from any to any // begin access control block

    #Allow SSH from LAN in case you accidentally added yourself to the denied users list
    for loop in ${deny_lan_users_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_stdb} tcp from ${inet}:${imask} to ${iip} 22 in via ${iif} // allow SSH from LAN to the gateway even for denied users
        break
      fi
    done

    #Apply deny_lan_users_acl
    for loop in ${deny_lan_users_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add deny all from $loop to any in via ${iif} // denied LAN IPs
      fi
    done

    #Apply pass_lan_users_acl
    for loop in ${pass_lan_users_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_aacb} all from $loop to any in via ${iif} // allowed LAN IPs
      fi
    done

    #Default rule - deny all not in pass_lan_users_acl
    ${ipfw_cmd} add deny all from any to any in via ${iif} // deny not allowed LAN IPs

    #Additional access control

    ${ipfw_cmd} add ${f_num_aacb} count all from any to any // begin additional access control block

    case ${anti_spambot_enable} in
    [Yy][Ee][Ss])

    #Anti-spambot
    #Apply anti_spambot_allowed_servers_acl
    for loop in ${anti_spambot_allowed_servers_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_outshb} all from ${inet}:${imask} to ${loop} 25 in via ${iif} // Anti-spambot - allowed servers
      fi
    done
    ${ipfw_cmd} add deny log all from ${inet}:${imask} to any 25 in via ${iif} // Anti-spambot - deny all other servers

    ;;
    *)
    ;;
    esac

    #Stop windows flood from inside
    ${ipfw_cmd} add deny all from ${inet}:${imask} to ${inet}:${imask} 135,137-139,445 in via ${iif} // Stop windows flood from inside

###############################################################################

    #Inject to pipes (outgoing packets)
    ##############################

    case ${shaper_enable} in
    [Yy][Ee][Ss])
   
    ${ipfw_cmd} add ${f_num_outshb} count all from any to any // begin shaper block \|out\|

    if [ ! -z ${shaped_ext_res_ne_flag} ]; then
   
    #Not shaped resources
    #Apply not_shaped_ext_res_acl
    for loop in ${not_shaped_ext_res_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_natb} all from ${inet}:${imask} to ${loop} in via ${iif} // skip not shaped resources \|out\|
      fi
    done

    fi

    if [ ! -z ${shaped_users_ne_flag} ]; then

    #Not shaped users
    #Apply not_shaped_users_acl
    for loop in ${not_shaped_users_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_natb} all from ${loop} to any in via ${iif} // skip not shaped users \|out\|
      fi
    done

    fi

    #External resources pipes
   
    if [ ! -z ${shaped_ext_res_ne_flag} ]; then

    ${ipfw_cmd} add ${f_num_routshb} count all from any to any // begin external resources shaper block \|out\|
   
    #External resources group 1
    #Apply shaped_ext_res_g1_acl
    for loop in ${shaped_ext_res_g1_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_routshb_inj} tag ${shaped_ext_res_g1_pipe_num_out} all from ${inet}:${imask} to ${loop} in via ${iif} // tagging  \|out\|
        shaped_ext_res_g1_ne_flag="yes"
      fi
    done

    #External resources group 2
    #Apply shaped_ext_res_g2_acl
    for loop in ${shaped_ext_res_g2_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_routshb_inj} tag ${shaped_ext_res_g2_pipe_num_out} all from ${inet}:${imask} to ${loop} in via ${iif} // tagging  \|out\|
        shaped_ext_res_g2_ne_flag="yes"
      fi
    done
   
    #External resources group 3
    #Apply shaped_ext_res_g3_acl
    for loop in ${shaped_ext_res_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_routshb_inj} tag ${shaped_ext_res_g3_pipe_num_out} all from ${inet}:${imask} to ${loop} in via ${iif} // tagging  \|out\|
        shaped_ext_res_g3_ne_flag="yes"
      fi
    done

    #Add more groups below
    #...
   
    ${ipfw_cmd} add ${f_num_routshb_inj} count all from any to any // begin inject tagged to pipes block \|out\|
   
    #Inject tagged to pipes
    #Per user pipes
    if [ ! -z ${shaped_ext_res_g1_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g1_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g1_pipe_num_out} // pipe \(${shaped_ext_res_g1_name}:${shaped_ext_res_g1_bw_out}:${shaped_ext_res_g1_q_out}\) \|out\|
    fi
    if [ ! -z ${shaped_ext_res_g2_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g2_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g2_pipe_num_out} // pipe \(${shaped_ext_res_g2_name}:${shaped_ext_res_g2_bw_out}:${shaped_ext_res_g2_q_out}\) \|out\|
    fi
    if [ ! -z ${shaped_ext_res_g3_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g3_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g3_pipe_num_out} // pipe \(${shaped_ext_res_g3_name}:${shaped_ext_res_g3_bw_out}:${shaped_ext_res_g3_q_out}\) \|out\|
    fi
    #Collective pipe
    ${ipfw_cmd} add pipe ${sum_shaped_ext_res_pipe_num_out} tag ${sum_shaped_ext_res_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g1_pipe_num_out},${shaped_ext_res_g2_pipe_num_out},${shaped_ext_res_g3_pipe_num_out} // collective pipe \(${sum_shaped_ext_res_bw_out}:${sum_shaped_ext_res_q_out}\) \|out\|
    ${ipfw_cmd} add skipto ${f_num_natb} all from any to any in via ${iif} tagged ${sum_shaped_ext_res_pipe_num_out} // end of external resources shaper block \|out\|

    fi

    #User pipes

    if [ ! -z ${shaped_users_ne_flag} ]; then

    ${ipfw_cmd} add ${f_num_uoutshb} count all from any to any // begin users shaper block \|out\|
   
    #User group 1
    #Apply shaped_users_g1_acl
    for loop in ${shaped_users_g1_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uoutshb_inj} tag ${shaped_users_g1_pipe_num_out} all from ${loop} to any in via ${iif} // tagging  \|out\|
        shaped_users_g1_ne_flag="yes"
      fi
    done

    #User group 2
    #Apply shaped_users_g2_acl
    for loop in ${shaped_users_g2_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uoutshb_inj} tag ${shaped_users_g2_pipe_num_out} all from ${loop} to any in via ${iif} // tagging  \|out\|
        shaped_users_g2_ne_flag="yes"
      fi
    done
   
    #User group 3
    #Apply shaped_users_g3_acl
    for loop in ${shaped_users_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uoutshb_inj} tag ${shaped_users_g3_pipe_num_out} all from ${loop} to any in via ${iif} // tagging  \|out\|
        shaped_users_g3_ne_flag="yes"
      fi
    done

    #Add more groups below
    #...
   
    ${ipfw_cmd} add ${f_num_uoutshb_inj} count all from any to any // begin inject tagged to pipes block \|out\|
   
    #Inject tagged to pipes
    #Per user pipes
    if [ ! -z ${shaped_users_g1_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g1_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g1_pipe_num_out} // pipe \(${shaped_users_g1_name}:${shaped_users_g1_bw_out}:${shaped_users_g1_q_out}\) \|out\|
    fi
    if [ ! -z ${shaped_users_g2_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g2_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g2_pipe_num_out} // pipe \(${shaped_users_g2_name}:${shaped_users_g2_bw_out}:${shaped_users_g2_q_out}\) \|out\|
    fi
    if [ ! -z ${shaped_users_g3_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g3_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g3_pipe_num_out} // pipe \(${shaped_users_g3_name}:${shaped_users_g3_bw_out}:${shaped_users_g3_q_out}\) \|out\|
    fi
    #Collective pipe
    ${ipfw_cmd} add pipe ${sum_shaped_users_pipe_num_out} tag ${sum_shaped_users_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g1_pipe_num_out},${shaped_users_g2_pipe_num_out},${shaped_users_g3_pipe_num_out} // collective pipe \(${sum_shaped_users_bw_out}:${sum_shaped_users_q_out}\) \|out\|
    ${ipfw_cmd} add skipto ${f_num_natb} all from any to any in via ${iif} tagged ${sum_shaped_users_pipe_num_out} // end of users shaper block \|out\|

    fi

    #Add more pipe groups below
    #...
   
    ;;
    *)
    ;;
    esac

###############################################################################

    #Skip all outgoing traffic up to the standard rules block
    ${ipfw_cmd} add skipto ${f_num_stdb} all from any to any in via ${iif} // skip outgoing traffic up to standard rules block

    ${ipfw_cmd} add ${f_num_natb} count all from any to any // begin NAT block

    #NAT rules
    ${ipfw_cmd} add divert natd all from any to any via ${oif} // NAT

    #Stop windows flood from outside
    ${ipfw_cmd} add deny all from any to ${onet}:${omask} 135,137-139,445 in via ${oif} // Stop windows flood from outside

###############################################################################

    #Inject to pipes (incoming packets)
    ##############################

    case ${shaper_enable} in
    [Yy][Ee][Ss])
   
    ${ipfw_cmd} add ${f_num_inshb} count all from any to any // begin shaper block \|in\|

    if [ ! -z ${shaped_ext_res_ne_flag} ]; then
   
    #Not shaped resources
    #Apply not_shaped_ext_res_acl
    for loop in ${not_shaped_ext_res_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_stdb} all from ${loop} to ${inet}:${imask} in via ${oif} // skip not shaped resources \|in\|
      fi
    done

    fi

    if [ ! -z ${shaped_users_ne_flag} ]; then

    #Not shaped users
    #Apply not_shaped_users_acl
    for loop in ${not_shaped_users_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_stdb} all from any to ${loop} in via ${oif} // skip not shaped users \|in\|
      fi
    done

    fi

    #External resources pipes

    if [ ! -z ${shaped_ext_res_ne_flag} ]; then
   
    ${ipfw_cmd} add ${f_num_rinshb} count all from any to any // begin external resources shaper block \|in\|
   
    #External resources group 1
    #Apply shaped_ext_res_g1_acl
    for loop in ${shaped_ext_res_g1_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_rinshb_inj} tag ${shaped_ext_res_g1_pipe_num_in} all from ${loop} to ${inet}:${imask} in via ${oif} // tagging  \|in\|
      fi
    done

    #External resources group 2
    #Apply shaped_ext_res_g2_acl
    for loop in ${shaped_ext_res_g2_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_rinshb_inj} tag ${shaped_ext_res_g2_pipe_num_in} all from ${loop} to ${inet}:${imask} in via ${oif} // tagging  \|in\|
      fi
    done
   
    #External resources group 3
    #Apply shaped_ext_res_g3_acl
    for loop in ${shaped_ext_res_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_rinshb_inj} tag ${shaped_ext_res_g3_pipe_num_in} all from ${loop} to ${inet}:${imask} in via ${oif} // tagging  \|in\|
      fi
    done

    #Add more groups below
    #...
   
    ${ipfw_cmd} add ${f_num_rinshb_inj} count all from any to any // begin inject tagged to pipes block \|in\|
   
    #Inject tagged to pipes
    #Per user pipes
    if [ ! -z ${shaped_ext_res_g1_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g1_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g1_pipe_num_in} // pipe \(${shaped_ext_res_g1_name}:${shaped_ext_res_g1_bw_in}:${shaped_ext_res_g1_q_in}\) \|in\|
    fi
    if [ ! -z ${shaped_ext_res_g2_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g2_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g2_pipe_num_in} // pipe \(${shaped_ext_res_g2_name}:${shaped_ext_res_g2_bw_in}:${shaped_ext_res_g2_q_in}\) \|in\|
    fi
    if [ ! -z ${shaped_ext_res_g3_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g3_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g3_pipe_num_in} // pipe \(${shaped_ext_res_g3_name}:${shaped_ext_res_g3_bw_in}:${shaped_ext_res_g3_q_in}\) \|in\|
    fi
    #Collective pipe
    ${ipfw_cmd} add pipe ${sum_shaped_ext_res_pipe_num_in} tag ${sum_shaped_ext_res_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g1_pipe_num_in},${shaped_ext_res_g2_pipe_num_in},${shaped_ext_res_g3_pipe_num_in} // collective pipe \(${sum_shaped_ext_res_bw_in}:${sum_shaped_ext_res_q_in}\) \|in\|
    ${ipfw_cmd} add skipto ${f_num_stdb} all from any to any in via ${oif} tagged ${sum_shaped_ext_res_pipe_num_in} // end of external resources shaper block \|in\|

    fi

    #User pipes

    if [ ! -z ${shaped_users_ne_flag} ]; then

    ${ipfw_cmd} add ${f_num_uinshb} count all from any to any // begin users shaper block \|in\|
   
    #User group 1
    #Apply shaped_users_g1_acl
    for loop in ${shaped_users_g1_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uinshb_inj} tag ${shaped_users_g1_pipe_num_in} all from any to ${loop} in via ${oif} // tagging  \|in\|
      fi
    done

    #User group 2
    #Apply shaped_users_g2_acl
    for loop in ${shaped_users_g2_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uinshb_inj} tag ${shaped_users_g2_pipe_num_in} all from any to ${loop} in via ${oif} // tagging  \|in\|
      fi
    done
   
    #User group 3
    #Apply shaped_users_g3_acl
    for loop in ${shaped_users_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uinshb_inj} tag ${shaped_users_g3_pipe_num_in} all from any to ${loop} in via ${oif} // tagging  \|in\|
      fi
    done

    #Add more groups below
    #...
   
    ${ipfw_cmd} add ${f_num_uinshb_inj} count all from any to any // begin inject tagged to pipes block \|in\|
   
    #Inject tagged to pipes
    #Per user pipes
    if [ ! -z ${shaped_users_g1_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g1_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g1_pipe_num_in} // pipe \(${shaped_users_g1_name}:${shaped_users_g1_bw_in}:${shaped_users_g1_q_in}\) \|in\|
    fi
    if [ ! -z ${shaped_users_g2_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g2_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g2_pipe_num_in} // pipe \(${shaped_users_g2_name}:${shaped_users_g2_bw_in}:${shaped_users_g2_q_in}\) \|in\|
    fi
    if [ ! -z ${shaped_users_g3_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g3_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g3_pipe_num_in} // pipe \(${shaped_users_g3_name}:${shaped_users_g3_bw_in}:${shaped_users_g3_q_in}\) \|in\|
    fi
    #Collective pipe
    ${ipfw_cmd} add pipe ${sum_shaped_users_pipe_num_in} tag ${sum_shaped_users_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g1_pipe_num_in},${shaped_users_g2_pipe_num_in},${shaped_users_g3_pipe_num_in} // collective pipe \(${sum_shaped_users_bw_in}:${sum_shaped_users_q_in}\) \|in\|
    ${ipfw_cmd} add skipto ${f_num_stdb} all from any to any in via ${oif} tagged ${sum_shaped_users_pipe_num_in} // end of users shaper block \|in\|

    fi

    #Add more pipe groups below
    #...

    ;;
    *)
    ;;
    esac

###############################################################################

    #Standard rules
    ##############################

    ${ipfw_cmd} add ${f_num_stdb} count all from any to any // begin standard block
   
    #Allow already-established TCP through. Note that `established` is a
    #stateless check: any segment with RST or ACK set matches, nothing verifies
    #that a handshake was actually seen. Stock rc.firewall does the same.
    ${ipfw_cmd} add pass tcp from any to any established // allow TCP with RST or ACK set

    #Allow only the ICMP types needed for echo and path diagnostics:
    #0 echo reply, 3 unreachable, 4 source quench, 8 echo request, 11 time exceeded
    #(type 4 is obsolete and can be dropped from the list)
    ${ipfw_cmd} add pass icmp from any to any icmptypes 0,3,4,8,11 // allow ICMP 0,3,4,8,11
    ${ipfw_cmd} add deny log icmp from any to any // deny other ICMP
   
    #Allow IP fragments to pass through
    ${ipfw_cmd} add pass all from any to any frag // allow IP fragments

    #Allow access to our ssh
    #Allow from LAN
    ${ipfw_cmd} add pass tcp from ${inet}:${imask} to ${iip} 22 in via ${iif} // allow SSH from LAN
    #From outside
    #Apply pass_ssh_acl
    for loop in ${pass_ssh_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add pass tcp from ${loop} to ${oip} 22 in via ${oif} // allow SSH
      fi
    done
    #Deny and log everything else to port 22 on either address
    ${ipfw_cmd} add deny log tcp from any to ${oip},${iip} 22 // deny SSH for all others

###############################################################################

    #Particular connections block
    ##############################

    #Allow a particular connection to go through the firewall.
    #The rule range f_num_pcb .. f_num_lastb must match the `punch_fw base:count`
    #option given to natd if you use it (see man natd): natd inserts its dynamic
    #rules there so that active-mode FTP and similar protocols work through ipfw.
   
    ${ipfw_cmd} add ${f_num_pcb} count all from any to any // begin particular connection block

###############################################################################

    #Last block
    ##############################

    ${ipfw_cmd} add ${f_num_lastb} count all from any to any // begin last block

    #Deny and log all incoming TCP connection attempts (SYN without ACK) from the outside
    ${ipfw_cmd} add deny log tcp from any to ${oip} in via ${oif} setup // deny incoming TCP connection attempts from outside

    # Allow any to any
    ${ipfw_cmd} add 65534 pass all from any to any // allow from any to any - the end of rules

###############################################################################

    #Pipes
    ##############################

    case ${shaper_enable} in
    [Yy][Ee][Ss])

    #Do not let a packet leave the firewall after it has been injected into a
    #pipe: with one_pass disabled it re-enters the rule set at the next rule,
    #which is what lets the per-user pipe feed the collective pipe below.
    #Equivalent to sysctl net.inet.ip.fw.one_pass=0.
    ${ipfw_cmd} disable one_pass

    #pipes config

    #External resources pipes

    if [ ! -z ${shaped_ext_res_ne_flag} ]; then

    #External resources group 1
    if [ ! -z ${shaped_ext_res_g1_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_ext_res_g1_pipe_num_in} config bw ${shaped_ext_res_g1_bw_in} queue ${shaped_ext_res_g1_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_ext_res_g1_pipe_num_out} config bw ${shaped_ext_res_g1_bw_out} queue ${shaped_ext_res_g1_q_out} mask src-ip 0xffffffff
    fi

    #External resources group 2
    if [ ! -z ${shaped_ext_res_g2_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_ext_res_g2_pipe_num_in} config bw ${shaped_ext_res_g2_bw_in} queue ${shaped_ext_res_g2_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_ext_res_g2_pipe_num_out} config bw ${shaped_ext_res_g2_bw_out} queue ${shaped_ext_res_g2_q_out} mask src-ip 0xffffffff
    fi

    #External resources group 3
    if [ ! -z ${shaped_ext_res_g3_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_ext_res_g3_pipe_num_in} config bw ${shaped_ext_res_g3_bw_in} queue ${shaped_ext_res_g3_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_ext_res_g3_pipe_num_out} config bw ${shaped_ext_res_g3_bw_out} queue ${shaped_ext_res_g3_q_out} mask src-ip 0xffffffff
    fi

    #Add more groups below
    #...

    #Collective external resources pipe
    ${ipfw_cmd} pipe ${sum_shaped_ext_res_pipe_num_in} config bw ${sum_shaped_ext_res_bw_in} queue ${sum_shaped_ext_res_q_in}
    ${ipfw_cmd} pipe ${sum_shaped_ext_res_pipe_num_out} config bw ${sum_shaped_ext_res_bw_out} queue ${sum_shaped_ext_res_q_out}

    fi

    #Personal pipes for each user

    if [ ! -z ${shaped_users_ne_flag} ]; then

    #User group 1
    if [ ! -z ${shaped_users_g1_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_users_g1_pipe_num_in} config bw ${shaped_users_g1_bw_in} queue ${shaped_users_g1_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_users_g1_pipe_num_out} config bw ${shaped_users_g1_bw_out} queue ${shaped_users_g1_q_out} mask src-ip 0xffffffff
    fi

    #User group 2
    if [ ! -z ${shaped_users_g2_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_users_g2_pipe_num_in} config bw ${shaped_users_g2_bw_in} queue ${shaped_users_g2_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_users_g2_pipe_num_out} config bw ${shaped_users_g2_bw_out} queue ${shaped_users_g2_q_out} mask src-ip 0xffffffff
    fi

    #User group 3
    if [ ! -z ${shaped_users_g3_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_users_g3_pipe_num_in} config bw ${shaped_users_g3_bw_in} queue ${shaped_users_g3_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_users_g3_pipe_num_out} config bw ${shaped_users_g3_bw_out} queue ${shaped_users_g3_q_out} mask src-ip 0xffffffff
    fi

    #Add more groups below
    #...

    #Collective users pipe
    ${ipfw_cmd} pipe ${sum_shaped_users_pipe_num_in} config bw ${sum_shaped_users_bw_in} queue ${sum_shaped_users_q_in}
    ${ipfw_cmd} pipe ${sum_shaped_users_pipe_num_out} config bw ${sum_shaped_users_bw_out} queue ${sum_shaped_users_q_out}

    fi

    ;;
    *)
    ;;
    esac
   
###############################################################################

#The end
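The shaper blocks above (one tagging rule per ACL entry, a per-IP pipe, the collective pipe, and the one_pass setting in the pipes section) are easiest to check by generating the rules without loading them. The following is an added example written for this page, not code from the original rc.firewall: a dry-run generator for the inbound half of one shaper group that prints the ipfw commands through `echo`, so the resulting rule set can be reviewed on any machine before it is applied on the gateway. The rule numbers (3100, 4000), tag and pipe numbers (31, 39), bandwidths, the interface `em0` and the 10.0.0.x addresses are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for this page, not part of the original rc.firewall.
# Dry-run generator for the inbound half of one shaper group:
#   tagging per ACL entry -> per-IP pipe -> collective pipe -> exit skipto
# IPFW_CMD defaults to "echo", so running this prints the ipfw commands and
# changes nothing; set IPFW_CMD=/sbin/ipfw on the gateway to load them.
# Rule numbers, tag/pipe numbers, bandwidths, interface and addresses used
# below are illustrative assumptions.

IPFW_CMD="${IPFW_CMD:-echo}"

# Emit one "tag + skipto" rule per ACL entry.  Entries beginning with '#' are
# comments and are skipped, the same test the script does with grep -v "^#".
# Usage: tag_acl INJECT_RULE TAG OIF ENTRY...
tag_acl() {
    inject="$1"; tag="$2"; oif="$3"; shift 3
    for entry in "$@"; do
        case "$entry" in
            '#'*) continue ;;
        esac
        ${IPFW_CMD} add skipto "$inject" tag "$tag" all from any to "$entry" in via "$oif"
    done
}

# Emit the complete inbound chain for one group, pipe definitions first.
# The tag number doubles as the pipe number, as in the script.  Because
# one_pass is disabled, a packet comes back from the per-IP pipe to the next
# rule, where the collective pipe re-tags it with SUM_TAG and the final
# skipto leaves the shaper block.
# Usage: shaper_in INJECT_RULE EXIT_RULE TAG SUM_TAG BW QUEUE SUM_BW SUM_QUEUE OIF ENTRY...
shaper_in() {
    inject="$1"; exit_rule="$2"; tag="$3"; sum_tag="$4"
    bw="$5"; queue="$6"; sum_bw="$7"; sum_queue="$8"; oif="$9"; shift 9
    # mask dst-ip 0xffffffff: every destination gets its own dynamic queue
    # of BW; the collective pipe has no mask and caps the whole group at SUM_BW
    ${IPFW_CMD} pipe "$tag" config bw "$bw" queue "$queue" mask dst-ip 0xffffffff
    ${IPFW_CMD} pipe "$sum_tag" config bw "$sum_bw" queue "$sum_queue"
    ${IPFW_CMD} disable one_pass
    tag_acl "$inject" "$tag" "$oif" "$@"
    ${IPFW_CMD} add "$inject" count all from any to any
    ${IPFW_CMD} add pipe "$tag" all from any to any in via "$oif" tagged "$tag"
    ${IPFW_CMD} add pipe "$sum_tag" tag "$sum_tag" all from any to any in via "$oif" tagged "$tag"
    ${IPFW_CMD} add skipto "$exit_rule" all from any to any in via "$oif" tagged "$sum_tag"
}

# Dry-run only: number of "add" rules the chain would load.  After editing an
# ACL this must change by exactly the number of active (non-comment) entries.
rule_count() {
    ( IPFW_CMD=echo; shaper_in "$@" ) | grep -c '^add '
}

# Preview one group: two active users and one commented out (constructed sample)
shaper_in 3100 4000 31 39 256Kbit/s 20 1Mbit/s 50 em0 10.0.0.10 '#10.0.0.11' 10.0.0.12
```

Run it as-is to see the rules; on the gateway, `IPFW_CMD=/sbin/ipfw sh shaper-dryrun.sh` loads them. The count from `rule_count` is the check worth keeping: the script's `for loop in ${acl}` splits the list on whitespace and the `grep -v "^#"` test only hides words that start with `#`, so a multi-word comment in an ACL leaks its remaining words into `ipfw add` as addresses. A rule count that differs from the number of active entries is the quickest way to catch that before the rule set is loaded.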

© 2005-2013 Алхимик