
An example of an automatic dummynet setup script for FreeBSD

Published on March 30, 2009 · No comments

An automatic setup script for the firewall (ipfw) and shaper (dummynet) on a
two-interface FreeBSD gateway host. The script assumes that the machine runs
nothing except the internet gateway; otherwise you will have to make the
corresponding changes to the firewall. Support for the dummynet shaper is
included. The whole configuration is expressed as access lists, which makes the
firewall easier to configure for an inexperienced user, and some optimisation is
provided that disables unused rules. A few other handy things are implemented as
well (see the comments in the script itself below). Otherwise the script is based
on the standard /etc/rc.firewall.

As for the use of dummynet: the channel setup may not be optimal, but it is good
enough as a working variant (see man ipfw and man dummynet for tuning questions).

The script uses duplex channel emulation, with the bandwidth configured separately
in each direction, and the users' channels are then grouped into a collective
pipe. User IP addresses can be grouped into an arbitrary number of groups (the
script implements 3 groups, and adding more is easy), and the bandwidth of each
group can then be set individually.

And one more thing: see the comments in the script.

The script is given with an example of a working configuration (the IP addresses are made up).

P.S. Maybe someone will like it, or it will even help someone :)
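The ACL-word convention and the per-user/collective pipe scheme described above, as an added example that is not part of the original script. It assumes the script's own variable layout (pipe number, bandwidth and queue size per direction) and adds a CIDR check the script does not have; the `mask dst-ip`/`mask src-ip` pipe options are standard dummynet syntax, not something taken from this page.

```shell
#!/bin/sh
# Added example, not part of the original rc.firewall. Shows the ACL-word
# idiom the script relies on, adds the entry validation it lacks, and the
# dummynet pipe configuration that the "per user" tagging scheme assumes.
set -f   # never pathname-expand ACL words such as "*"

# Print the non-comment words of an ACL string, one per line. Same rules as
# the script's loops: split on whitespace, a word starting with '#' is a comment.
acl_entries() {
    for _word in $1; do
        case $_word in
            \#*) ;;                        # comment word, skip it
            *)   printf '%s\n' "$_word" ;;
        esac
    done
}

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix
# (the address forms ipfw accepts in "from"/"to"), 1 otherwise.
is_cidr() {
    _addr=${1%%/*}
    _prefix=${1#*/}
    [ "$_prefix" = "$1" ] && _prefix=32    # no slash: a single host
    case $_prefix in ''|*[!0-9]*) return 1 ;; esac
    [ ${#_prefix} -le 2 ] && [ "$_prefix" -le 32 ] || return 1
    case $_addr in ''|*[!0-9.]*) return 1 ;; esac
    _rest=$_addr.      # trailing dot so the loop consumes the last octet too
    _n=0
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}
        _rest=${_rest#*.}
        _n=$((_n + 1))
        [ -n "$_octet" ] && [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    [ $_n -eq 4 ]
}

# Check every entry of an ACL and print the malformed ones. Returns 1 if any
# entry is bad, so the caller can refuse to "ipfw -f flush" the live rule set:
# the script would otherwise run "ipfw add ... <bad word> ..." after the flush,
# fail at that rule, and leave the gateway half-configured.
acl_check() {
    _bad=0
    for _entry in $(acl_entries "$1"); do
        if ! is_cidr "$_entry"; then
            printf 'bad ACL entry: %s\n' "$_entry"
            _bad=1
        fi
    done
    return $_bad
}

# Dummynet configuration for one shaped group, both directions.
# Args: ipfw_cmd pipe_in bw_in q_in pipe_out bw_out q_out (the script's layout).
# The masks are what make a pipe "per user": dummynet then keeps a separate
# dynamic queue of the configured bw for every LAN host (keyed by destination
# for traffic arriving on the WAN side, by source for traffic leaving the LAN).
# Pass ipfw_cmd="echo ipfw" to preview, as the script's testmode does.
group_pipe_config() {
    $1 pipe "$2" config bw "$3" queue "$4" mask dst-ip 0xffffffff
    $1 pipe "$5" config bw "$6" queue "$7" mask src-ip 0xffffffff
}

# The collective pipe has no mask: every tagged flow shares one queue of the
# summary bandwidth, which is what caps the group total in the scheme above.
sum_pipe_config() {
    $1 pipe "$2" config bw "$3" queue "$4"
    $1 pipe "$5" config bw "$6" queue "$7"
}

# Constructed sample run: the script's group 1 user pipes, previewed.
acl_check "
#looosers
192.168.20.0/24
192.168.21.1
" && group_pipe_config "echo ipfw" 2011 160Kbit/s 18 2012 160Kbit/s 18
```

Sending one packet through a group pipe and then the collective pipe, as the script's chained `pipe` rules do, only works with net.inet.ip.fw.one_pass=0; with one_pass=1 the packet leaves the rule set after the first pipe.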

#   /etc/rc.firewall
#   Firewall (ipfw)   shaper (dummynet) for gateway host (with natd)
#   Automated ipfw setup script for FreeBSD
#   v 0.7
#   (CopyLeft) Pavel Ustyugov aka Pahanivo
#
################################################################################
#
#   !!! WARNING !!!
#
#   Misconfiguring the firewall can put your computer in an unusable state,
#   possibly shutting down network services and requiring console access to
#   regain control of it.
#
################################################################################
#
#   Usage:
#   make your own settings
#   copy this file to /etc/rc.firewall
#   cd /etc
#   ./netstart &
#
#   For testing use (only show list of rules, do not apply
#   onto current firewall):
#   cd /etc
#   chmod 744 rc.firewall
#   ./rc.firewall testmode
#   Warning: if you run ./rc.firewall without arguments or with any other
#   argument, the firewall will be reloaded and the settings applied.
#
################################################################################
#
#   Before using this firewall you need to compile the kernel with these options
#   (or load some of them as modules):
#
#   #IPFW (required)
#   options IPFIREWALL
#   #enable verbose mode (for `log` options, optional)
#   options IPFIREWALL_VERBOSE
#   #enable forward rules (optional)
#   options IPFIREWALL_FORWARD
#   #default rule - allow any to any (optional)
#   options IPFIREWALL_DEFAULT_TO_ACCEPT
#
#   #divert socket (required for natd)
#   options IPDIVERT
#
#   #dummynet shaper (required, if you want use shaper)
#   options DUMMYNET
#   #enable device polling (recommended)
#   #you need to enable polling on the interface too - man polling
#   options DEVICE_POLLING
#   #polling frequency (strongly recommended)
#   options HZ=1000 (or HZ=2000)
#
################################################################################
#
#   Shaper scheme (for incoming traffic)
#   ##############################
#
# --------------------external interface / incoming traffic---------------------
#    >                                                                         >
#    >    Unrestricted external resources group                                >
#    >      res1->all_users >=================== unlimit ====================> >
#    >      res2->all_users >=================== unlimit ====================> >
#    >      ...                                                                >
#    >                                                                         >
#    >    Unrestricted users group                                             >
#    >      internet->users1 >================== unlimit ====================> >
#    I      internet->users2 >================== unlimit ====================> >
#    N      ...                                                                >
#    C                                                                         >
#    O    Restricted external resources groups                                 >
#    M      Group 1                                 ---                        >
#    I      res1_1->all_users \                         \                      >
#    N      res1_2->all_users  >==2048Kbit/s per user==> \                     >
#    G      res1_3->all_users /                            -----------------\  >
#    >      Group 2                                        10240Kbit/s total > >
#    >      res2_1->all_users \                            -----------------/  >
#    >      res2_2->all_users  >==1024Kbit/s per user==> /                     >
#    T      res3_3->all_users /                         /                      >
#    R      ...                                     ---                        >
#    A                                                                         >
#    F    Restricted users groups                                              >
#    F      Group 1                                 ---                        >
#    I      internet->user1_1 \                         \                      >
#    C      internet->user1_2  >==128Kbit/s per user==>  \                     >
#    >      internet->user1_3 /                            -----------------\  >
#    >      Group 2                                        1024Kbit/s total  > >
#    >      internet->user2_1 \                            -----------------/  >
#    >      internet->user2_2  >==256Kbit/s per user==>  /                     >
#    >      internet->user2_3 /                         /                      >
#    >      ...                                     ---                        >
#    >                                                                         >
#    >    Other ungrouped traffic >============= unlimit ====================> >
#    >                                                                         >
# --------------------external interface / incoming traffic---------------------
#
#   The scheme for outgoing traffic is exactly analogous, but the outgoing shaper
#   works on the internal interface and all traffic directions in the scheme are
#   inverted. Bandwidth for the incoming and outgoing shapers is set up separately.
#
################################################################################
# Setup
################################################################################

    #Prepare to work
    ##############################

    #Before using this script it is recommended to set net.inet.ip.fw.autoinc_step=5
    #or less. Use sysctl or /etc/sysctl.conf

    #System paths
    ipfw_cmd="/sbin/ipfw"
    grep_cmd="/usr/bin/grep"
    dev_null="/dev/null"

################################################################################
   
    #IPFW interfaces setup    
    ##############################

    #Interfaces setup
   
    #Outside interface setup
    oif="xl0"
    onet="123.123.32.0"
    omask="255.255.255.248"
    oip="123.123.32.1"

    #Inside interface setup
    iif="fxp0"
    inet="192.168.0.0"
    imask="255.255.0.0"
    iip="192.168.0.1"

################################################################################

    #Access lists setup
    ##############################

    #ACL - list of allowed (or denied) IPs or networks in CIDR notation.
    #An ACL may contain comments, but every comment must begin with `#`
    #and must not contain any space characters (ACLs are processed word by word).
    #ACLs may be used in any of the script's loops (see below).
    #Any of these ACLs may be loaded from a file. Use "`cat /path/file_name`"
    #inside the ACL to load it from a file.
    #Example:
    #  pass_lan_users_acl="
    #  10.0.1.0/24
    #  10.0.2.0/24
    #  `cat /etc/ALLOWED_USERS`
    #  "

    #Denied external hosts

    #You can use this to stop attacks from outside.
    deny_wan_hosts_acl="
    #flooder
    123.123.0.233
    "


    #From LAN to Internet access

    #Denied IPs are processed before allowed ones. Access is allowed for all IPs in
    #the allowed ACL except IPs in the denied ACL.

    #Denied LAN users
    deny_lan_users_acl="
    #stupids
    192.168.10.15
    192.168.10.33
    "


    #Allowed LAN users
    pass_lan_users_acl="
    192.168.0.0/16
    "


    #Anti-spambot protection

    #Reject all connections from the LAN to any external SMTP servers,
    #except the allowed servers (yes or no)
    anti_spambot_enable="yes"

    #Allowed SMTP servers
    #If this ACL is empty, the anti-spambot feature is disabled automatically,
    #and traffic to any SMTP server is allowed.
    anti_spambot_allowed_servers_acl="
    #own_smtp_relay
    123.123.32.2
    #own_smtp_relay
    123.123.32.3
    #provider_smtp_relay
    123.123.0.11
    "


    #SSH

    #SSH access to this server from outside
    pass_ssh_acl="
    #admin1
    124.124.124.124
    #admin2
    125.125.125.125
    "


    #Shaper's ACLs

    #Enable shaper (yes or no)
    shaper_enable="yes"

    #Not shaped external resources
    #All LAN users will have unlimited bw to and from these IPs.
    not_shaped_ext_res_acl="
    #own_smtp_relay
    123.123.32.2
    #own_smtp_relay
    123.123.32.3
    #provider_smtp_relay
    123.123.0.11
    "


    #Not shaped users
    #These users will have unlimited bw from and to any host.
    not_shaped_users_acl="
    #Admin's_net
    192.168.33.0/24
    "


    #Shaped external resources - similar to `shaped users` (see below), but for
    #specific external hosts only. Traffic matched by this shaper is not processed by
    #the `shaped users` shaper.

    #External resource group 1
    shaped_ext_res_g1_name="own_dataservers"
    shaped_ext_res_g1_acl="
    #own_dataservers
    123.123.32.4
    123.123.32.5
    "


    #External resource group 2
    shaped_ext_res_g2_name="isp_dataservers"
    shaped_ext_res_g2_acl="
    #isp_dataservers
    123.123.0.2
    123.123.0.3
    123.123.0.4
    "


    #External resource group 3
    shaped_ext_res_g3_name="servers_3"
    shaped_ext_res_g3_acl="
    "


    #Add more groups below
    #...

    #Shaped users - will have restricted bw. All other allowed users will have unlimited
    #bw from any to any (except to shaped external resources). Shaped users are separated
    #into groups. See below for the restriction setup for all groups.
    #Groups are processed in succession: group 1, group 2 etc. Inside a group, IPs are
    #processed in list order. Once an IP (or subnet) has been processed it is not
    #processed again, so overlaps within a group or between groups are not a problem.

    #User group 1
    shaped_users_g1_name="slow"
    shaped_users_g1_acl="
    #looosers
    192.168.20.0/24
    192.168.21.1
    192.168.21.2
    "


    #User group 2
    shaped_users_g2_name="fast"
    shaped_users_g2_acl="
    #BOSS
    192.168.0.5
    "


    #User group 3
    shaped_users_g3_name="default"
    shaped_users_g3_acl="
    192.168.0.0/16
    "


    #Add more groups below
    #...

################################################################################

    #Pipes setup (shaper)
    ##############################

    #Shaped external resources
   
    #External resources group 1
    #Pipe's number
    shaped_ext_res_g1_pipe_num_in="1011"
    shaped_ext_res_g1_pipe_num_out="1012"
    #BW
    shaped_ext_res_g1_bw_in="3Mbit/s"
    shaped_ext_res_g1_bw_out="3Mbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_ext_res_g1_q_in="50"
    shaped_ext_res_g1_q_out="50"

    #External resources group 2
    #Pipe's number
    shaped_ext_res_g2_pipe_num_in="1021"
    shaped_ext_res_g2_pipe_num_out="1022"
    #BW
    shaped_ext_res_g2_bw_in="1024Kbit/s"
    shaped_ext_res_g2_bw_out="1024Kbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_ext_res_g2_q_in="50"
    shaped_ext_res_g2_q_out="50"

    #External resources group 3
    #Pipe's number
    shaped_ext_res_g3_pipe_num_in="1031"
    shaped_ext_res_g3_pipe_num_out="1032"
    #BW
    shaped_ext_res_g3_bw_in="512Kbit/s"
    shaped_ext_res_g3_bw_out="512Kbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_ext_res_g3_q_in="40"
    shaped_ext_res_g3_q_out="40"    

    #Add more groups below
    #...
   
    #Collective external resources pipe (max allowed total bw for
    #external resources, except not shaped ones).
    #Pipe's number
    sum_shaped_ext_res_pipe_num_in="1901"
    sum_shaped_ext_res_pipe_num_out="1902"
    #BW
    sum_shaped_ext_res_bw_in="6Mbit/s"
    sum_shaped_ext_res_bw_out="6Mbit/s"    
    #Queue size, in slots or KBytes (see man ipfw)
    sum_shaped_ext_res_q_in="50"
    sum_shaped_ext_res_q_out="50"

    #Personal pipe for each user (with separate by group)

    #User group 1
    #Pipe's number
    shaped_users_g1_pipe_num_in="2011"
    shaped_users_g1_pipe_num_out="2012"
    #BW
    shaped_users_g1_bw_in="160Kbit/s"
    shaped_users_g1_bw_out="160Kbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_users_g1_q_in="18"
    shaped_users_g1_q_out="18"

    #User group 2
    #Pipe's number
    shaped_users_g2_pipe_num_in="2021"
    shaped_users_g2_pipe_num_out="2022"
    #BW
    shaped_users_g2_bw_in="512Kbit/s"
    shaped_users_g2_bw_out="512Kbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_users_g2_q_in="40"
    shaped_users_g2_q_out="40"

    #User group 3
    #Pipe's number
    shaped_users_g3_pipe_num_in="2031"
    shaped_users_g3_pipe_num_out="2032"
    #BW
    shaped_users_g3_bw_in="256Kbit/s"
    shaped_users_g3_bw_out="256Kbit/s"
    #Queue size, in slots or KBytes (see man ipfw).
    shaped_users_g3_q_in="25"
    shaped_users_g3_q_out="25"

    #Add more groups below
    #...

    #Collective users pipe (max allowed total bw for users, except not
    #shaped ones).
    #Pipe's number
    sum_shaped_users_pipe_num_in="2901"
    sum_shaped_users_pipe_num_out="2902"
    #BW
    sum_shaped_users_bw_in="768Kbit/s"
    sum_shaped_users_bw_out="768Kbit/s"    
    #Queue size, in slots or KBytes (see man ipfw)
    sum_shaped_users_q_in="50"
    sum_shaped_users_q_out="50"

################################################################################

    #Numeration
    ##############################

    #All ipfw rules are split into sections. The first rule in each section
    #begins at a fixed number. All other rules are numbered by ipfw according to
    #net.inet.ip.fw.autoinc_step. This script uses `skipto` rules, which is why
    #fixed numbers are needed. Usually you don't need to change these values,
    #unless you have problems with a very large number of rules.

    f_num_acb=1000    
    f_num_aacb=2000
    f_num_outshb=3000
    f_num_routshb=4000
    f_num_routshb_inj=5500
    f_num_uoutshb=6000
    f_num_uoutshb_inj=7500
    f_num_natb=8000
    f_num_inshb=9000
    f_num_rinshb=10000
    f_num_rinshb_inj=11500
    f_num_uinshb=12000
    f_num_uinshb_inj=13500
    f_num_stdb=14000
    f_num_pcb=30000 # please read below about this
    f_num_lastb=40000

################################################################################
   
    #Auto-config
    ##############################
   
    for loop in \
      ${shaped_ext_res_g1_acl} \
      ${shaped_ext_res_g2_acl} \
      ${shaped_ext_res_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        shaped_ext_res_ne_flag="yes"
        break
      fi
    done

    for loop in \
      ${shaped_users_g1_acl} \
      ${shaped_users_g2_acl} \
      ${shaped_users_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        shaped_users_ne_flag="yes"
        break
      fi
    done

    for loop in ${anti_spambot_allowed_servers_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        anti_spambot_allowed_servers_ne_flag="yes"
        break
      fi
    done

    if [ -z ${anti_spambot_allowed_servers_ne_flag} ]; then
      anti_spambot_enable="no"
    fi
   
    if [ -z ${shaped_ext_res_ne_flag} ] && [ -z ${shaped_users_ne_flag} ]; then
      shaper_enable="no"
    fi

    if [ "$1" = "testmode" ]; then
      ipfw_cmd="echo ipfw"
    fi

################################################################################
# Firewall rules
################################################################################

    #Flush all before set new rules
    ${ipfw_cmd} -f flush
    ${ipfw_cmd} -f pipe flush
    ${ipfw_cmd} -f queue flush

################################################################################

    #Loopback rules (required)
    ${ipfw_cmd} add pass all from any to any via lo0 // loopback
    ${ipfw_cmd} add deny all from any to 127.0.0.0/8 // loopback
    ${ipfw_cmd} add deny all from 127.0.0.0/8 to any // loopback

###############################################################################

    # Stop spoofing
    ${ipfw_cmd} add deny all from ${inet}:${imask} to any in via ${oif} // anti-spoofing
    ${ipfw_cmd} add deny all from ${onet}:${omask} to any in via ${iif} // anti-spoofing

###############################################################################

    #Access control
    ##############################

    #Denied external hosts

    #Apply deny_wan_hosts_acl
    for loop in ${deny_wan_hosts_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add deny all from $loop to any in via ${oif} // denied WAN IPs
      fi
    done

    #Skip all incoming traffic up to divert rules
    ${ipfw_cmd} add skipto ${f_num_natb} all from any to any in via ${oif} // skip incoming traffic up to NAT

    #Allow ICMP for all from inside
    ${ipfw_cmd} add skipto ${f_num_outshb} icmp from ${inet}:${imask} to any in via ${iif} // allow ICMP for any from inside

    #Access from LAN

    ${ipfw_cmd} add ${f_num_acb} count all from any to any // begin access control block

    #Allow SSH from LAN in case you accidentally add yourself to the denied users list
    for loop in ${deny_lan_users_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_stdb} tcp from ${inet}:${imask} to ${iip} 22 in via ${iif} // allow SSH from LAN even for denied users
        break
      fi
    done

    #Apply deny_lan_users_acl
    for loop in ${deny_lan_users_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add deny all from $loop to any in via ${iif} // denied LAN IPs
      fi
    done

    #Apply pass_lan_users_acl
    for loop in ${pass_lan_users_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_aacb} all from $loop to any in via ${iif} // allowed LAN IPs
      fi
    done

    #Default rule - deny all not in pass_lan_users_acl
    ${ipfw_cmd} add deny all from any to any in via ${iif} // deny not allowed LAN IPs

    #Additional access control

    ${ipfw_cmd} add ${f_num_aacb} count all from any to any // begin additional access control block

    case ${anti_spambot_enable} in
    [Yy][Ee][Ss])

    #Anti-spambot
    #Apply anti_spambot_allowed_servers_acl
    for loop in ${anti_spambot_allowed_servers_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_outshb} all from ${inet}:${imask} to ${loop} 25 in via ${iif} // Anti-spambot - allowed servers
      fi
    done
    ${ipfw_cmd} add deny log all from ${inet}:${imask} to any 25 in via ${iif} // Anti-spambot - deny all other servers

    ;;
    *)
    ;;
    esac

    #Stop windows flood from inside
    ${ipfw_cmd} add deny all from ${inet}:${imask} to ${inet}:${imask} 135,137-139,445 in via ${iif} // Stop windows flood from inside

###############################################################################

    #Inject to pipes (outgoing packets)
    ##############################

    case ${shaper_enable} in
    [Yy][Ee][Ss])
   
    ${ipfw_cmd} add ${f_num_outshb} count all from any to any // begin shaper block \|out\|

    if [ ! -z ${shaped_ext_res_ne_flag} ]; then
   
    #Not shaped resources
    #Apply not_shaped_ext_res_acl
    for loop in ${not_shaped_ext_res_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_natb} all from ${inet}:${imask} to ${loop} in via ${iif} // skip not shaped resources \|out\|
      fi
    done

    fi

    if [ ! -z ${shaped_users_ne_flag} ]; then

    #Not shaped users
    #Apply not_shaped_users_acl
    for loop in ${not_shaped_users_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_natb} all from ${loop} to any in via ${iif} // skip not shaped users \|out\|
      fi
    done

    fi

    #External resources pipes
   
    if [ ! -z ${shaped_ext_res_ne_flag} ]; then

    ${ipfw_cmd} add ${f_num_routshb} count all from any to any // begin external resources shaper block \|out\|
   
    #External resources group 1
    #Apply shaped_ext_res_g1_acl
    for loop in ${shaped_ext_res_g1_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_routshb_inj} tag ${shaped_ext_res_g1_pipe_num_out} all from ${inet}:${imask} to ${loop} in via ${iif} // tagging  \|out\|
        shaped_ext_res_g1_ne_flag="yes"
      fi
    done

    #External resources group 2
    #Apply shaped_ext_res_g2_acl
    for loop in ${shaped_ext_res_g2_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_routshb_inj} tag ${shaped_ext_res_g2_pipe_num_out} all from ${inet}:${imask} to ${loop} in via ${iif} // tagging  \|out\|
        shaped_ext_res_g2_ne_flag="yes"
      fi
    done
   
    #External resources group 3
    #Apply shaped_ext_res_g3_acl
    for loop in ${shaped_ext_res_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_routshb_inj} tag ${shaped_ext_res_g3_pipe_num_out} all from ${inet}:${imask} to ${loop} in via ${iif} // tagging  \|out\|
        shaped_ext_res_g3_ne_flag="yes"
      fi
    done

    #Add more groups below
    #...
   
    ${ipfw_cmd} add ${f_num_routshb_inj} count all from any to any // begin inject tagged to pipes block \|out\|
   
    #Inject tagged to pipes
    #Per user pipes
    if [ ! -z ${shaped_ext_res_g1_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g1_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g1_pipe_num_out} // pipe \(${shaped_ext_res_g1_name}:${shaped_ext_res_g1_bw_out}:${shaped_ext_res_g1_q_out}\) \|out\|
    fi
    if [ ! -z ${shaped_ext_res_g2_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g2_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g2_pipe_num_out} // pipe \(${shaped_ext_res_g2_name}:${shaped_ext_res_g2_bw_out}:${shaped_ext_res_g2_q_out}\) \|out\|
    fi
    if [ ! -z ${shaped_ext_res_g3_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g3_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g3_pipe_num_out} // pipe \(${shaped_ext_res_g3_name}:${shaped_ext_res_g3_bw_out}:${shaped_ext_res_g3_q_out}\) \|out\|
    fi
    #Collective pipe
    ${ipfw_cmd} add pipe ${sum_shaped_ext_res_pipe_num_out} tag ${sum_shaped_ext_res_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_ext_res_g1_pipe_num_out},${shaped_ext_res_g2_pipe_num_out},${shaped_ext_res_g3_pipe_num_out} // collective pipe \(${sum_shaped_ext_res_bw_out}:${sum_shaped_ext_res_q_out}\) \|out\|
    ${ipfw_cmd} add skipto ${f_num_natb} all from any to any in via ${iif} tagged ${sum_shaped_ext_res_pipe_num_out} // end of external resources shaper block \|out\|

    fi

    #User pipes

    if [ ! -z ${shaped_users_ne_flag} ]; then

    ${ipfw_cmd} add ${f_num_uoutshb} count all from any to any // begin users shaper block \|out\|
   
    #User group 1
    #Apply shaped_users_g1_acl
    for loop in ${shaped_users_g1_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uoutshb_inj} tag ${shaped_users_g1_pipe_num_out} all from ${loop} to any in via ${iif} // tagging  \|out\|
        shaped_users_g1_ne_flag="yes"
      fi
    done

    #User group 2
    #Apply shaped_users_g2_acl
    for loop in ${shaped_users_g2_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uoutshb_inj} tag ${shaped_users_g2_pipe_num_out} all from ${loop} to any in via ${iif} // tagging  \|out\|
        shaped_users_g2_ne_flag="yes"
      fi
    done
   
    #User group 3
    #Apply shaped_users_g3_acl
    for loop in ${shaped_users_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uoutshb_inj} tag ${shaped_users_g3_pipe_num_out} all from ${loop} to any in via ${iif} // tagging  \|out\|
        shaped_users_g3_ne_flag="yes"
      fi
    done

    #Add more groups below
    #...
   
    ${ipfw_cmd} add ${f_num_uoutshb_inj} count all from any to any // begin inject tagged to pipes block \|out\|
   
    #Inject tagged to pipes
    #Per user pipes
    if [ ! -z ${shaped_users_g1_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g1_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g1_pipe_num_out} // pipe \(${shaped_users_g1_name}:${shaped_users_g1_bw_out}:${shaped_users_g1_q_out}\) \|out\|
    fi
    if [ ! -z ${shaped_users_g2_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g2_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g2_pipe_num_out} // pipe \(${shaped_users_g2_name}:${shaped_users_g2_bw_out}:${shaped_users_g2_q_out}\) \|out\|
    fi
    if [ ! -z ${shaped_users_g3_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g3_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g3_pipe_num_out} // pipe \(${shaped_users_g3_name}:${shaped_users_g3_bw_out}:${shaped_users_g3_q_out}\) \|out\|
    fi
    #Collective pipe
    ${ipfw_cmd} add pipe ${sum_shaped_users_pipe_num_out} tag ${sum_shaped_users_pipe_num_out} all from any to any in via ${iif} tagged ${shaped_users_g1_pipe_num_out},${shaped_users_g2_pipe_num_out},${shaped_users_g3_pipe_num_out} // collective pipe \(${sum_shaped_users_bw_out}:${sum_shaped_users_q_out}\) \|out\|
    ${ipfw_cmd} add skipto ${f_num_natb} all from any to any in via ${iif} tagged ${sum_shaped_users_pipe_num_out} // end of users shaper block \|out\|

    fi

    #Add more pipe groups below
    #...
   
    ;;
    *)
    ;;
    esac

###############################################################################

    #Skip all outgoing traffic up to the standard rules block
    ${ipfw_cmd} add skipto ${f_num_stdb} all from any to any in via ${iif} // skip outgoing traffic up to standard rules block

    ${ipfw_cmd} add ${f_num_natb} count all from any to any // begin NAT block

    #NAT rules
    ${ipfw_cmd} add divert natd all from any to any via ${oif} // NAT

    #Stop windows flood from outside
    ${ipfw_cmd} add deny all from any to ${onet}:${omask} 135,137-139,445 in via ${oif} // Stop windows flood from outside

###############################################################################

    #Inject to pipes (incoming packets)
    ##############################

    case ${shaper_enable} in
    [Yy][Ee][Ss])
   
    ${ipfw_cmd} add ${f_num_inshb} count all from any to any // begin shaper block \|in\|

    if [ ! -z ${shaped_ext_res_ne_flag} ]; then
   
    #Not shaped resources
    #Apply not_shaped_ext_res_acl
    for loop in ${not_shaped_ext_res_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_stdb} all from ${loop} to ${inet}:${imask} in via ${oif} // skip not shaped resources \|in\|
      fi
    done

    fi

    if [ ! -z ${shaped_users_ne_flag} ]; then

    #Not shaped users
    #Apply not_shaped_users_acl
    for loop in ${not_shaped_users_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_stdb} all from any to ${loop} in via ${oif} // skip not shaped users \|in\|
      fi
    done

    fi

    #External resources pipes

    if [ ! -z ${shaped_ext_res_ne_flag} ]; then
   
    ${ipfw_cmd} add ${f_num_rinshb} count all from any to any // begin external resources shaper block \|in\|
   
    #External resources group 1
    #Apply shaped_ext_res_g1_acl
    for loop in ${shaped_ext_res_g1_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_rinshb_inj} tag ${shaped_ext_res_g1_pipe_num_in} all from ${loop} to ${inet}:${imask} in via ${oif} // tagging  \|in\|
      fi
    done

    #External resources group 2
    #Apply shaped_ext_res_g2_acl
    for loop in ${shaped_ext_res_g2_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_rinshb_inj} tag ${shaped_ext_res_g2_pipe_num_in} all from ${loop} to ${inet}:${imask} in via ${oif} // tagging  \|in\|
      fi
    done
   
    #External resources group 3
    #Apply shaped_ext_res_g3_acl
    for loop in ${shaped_ext_res_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_rinshb_inj} tag ${shaped_ext_res_g3_pipe_num_in} all from ${loop} to ${inet}:${imask} in via ${oif} // tagging  \|in\|
      fi
    done

    #Add more groups below
    #...
   
    ${ipfw_cmd} add ${f_num_rinshb_inj} count all from any to any // begin inject tagged to pipes block \|in\|
   
    #Inject tagged to pipes
    #Per user pipes
    if [ ! -z ${shaped_ext_res_g1_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g1_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g1_pipe_num_in} // pipe \(${shaped_ext_res_g1_name}:${shaped_ext_res_g1_bw_in}:${shaped_ext_res_g1_q_in}\) \|in\|
    fi
    if [ ! -z ${shaped_ext_res_g2_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g2_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g2_pipe_num_in} // pipe \(${shaped_ext_res_g2_name}:${shaped_ext_res_g2_bw_in}:${shaped_ext_res_g2_q_in}\) \|in\|
    fi
    if [ ! -z ${shaped_ext_res_g3_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_ext_res_g3_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g3_pipe_num_in} // pipe \(${shaped_ext_res_g3_name}:${shaped_ext_res_g3_bw_in}:${shaped_ext_res_g3_q_in}\) \|in\|
    fi
    #Collective pipe
    ${ipfw_cmd} add pipe ${sum_shaped_ext_res_pipe_num_in} tag ${sum_shaped_ext_res_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_ext_res_g1_pipe_num_in},${shaped_ext_res_g2_pipe_num_in},${shaped_ext_res_g3_pipe_num_in} // collective pipe \(${sum_shaped_ext_res_bw_in}:${sum_shaped_ext_res_q_in}\) \|in\|
    ${ipfw_cmd} add skipto ${f_num_stdb} all from any to any in via ${oif} tagged ${sum_shaped_ext_res_pipe_num_in} // end of external resources shaper block \|in\|

    fi

    #User pipes

    if [ ! -z ${shaped_users_ne_flag} ]; then

    ${ipfw_cmd} add ${f_num_uinshb} count all from any to any // begin users shaper block \|in\|
   
    #User group 1
    #Apply shaped_users_g1_acl
    for loop in ${shaped_users_g1_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uinshb_inj} tag ${shaped_users_g1_pipe_num_in} all from any to ${loop} in via ${oif} // tagging  \|in\|
      fi
    done

    #User group 2
    #Apply shaped_users_g2_acl
    for loop in ${shaped_users_g2_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uinshb_inj} tag ${shaped_users_g2_pipe_num_in} all from any to ${loop} in via ${oif} // tagging  \|in\|
      fi
    done
   
    #User group 3
    #Apply shaped_users_g3_acl
    for loop in ${shaped_users_g3_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add skipto ${f_num_uinshb_inj} tag ${shaped_users_g3_pipe_num_in} all from any to ${loop} in via ${oif} // tagging  \|in\|
      fi
    done

    #Add more groups below
    #...
   
    ${ipfw_cmd} add ${f_num_uinshb_inj} count all from any to any // begin inject tagged to pipes block \|in\|
   
    #Inject tagged to pipes
    #Per user pipes
    if [ ! -z ${shaped_users_g1_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g1_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g1_pipe_num_in} // pipe \(${shaped_users_g1_name}:${shaped_users_g1_bw_in}:${shaped_users_g1_q_in}\) \|in\|
    fi
    if [ ! -z ${shaped_users_g2_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g2_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g2_pipe_num_in} // pipe \(${shaped_users_g2_name}:${shaped_users_g2_bw_in}:${shaped_users_g2_q_in}\) \|in\|
    fi
    if [ ! -z ${shaped_users_g3_ne_flag} ]; then
      ${ipfw_cmd} add pipe ${shaped_users_g3_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g3_pipe_num_in} // pipe \(${shaped_users_g3_name}:${shaped_users_g3_bw_in}:${shaped_users_g3_q_in}\) \|in\|
    fi
    #Collective pipe
    ${ipfw_cmd} add pipe ${sum_shaped_users_pipe_num_in} tag ${sum_shaped_users_pipe_num_in} all from any to any in via ${oif} tagged ${shaped_users_g1_pipe_num_in},${shaped_users_g2_pipe_num_in},${shaped_users_g3_pipe_num_in} // collective pipe \(${sum_shaped_users_bw_in}:${sum_shaped_users_q_in}\) \|in\|
    ${ipfw_cmd} add skipto ${f_num_stdb} all from any to any in via ${oif} tagged ${sum_shaped_users_pipe_num_in} // end of users shaper block \|in\|

    fi

    #Add more pipe groups below
    #...

    ;;
    *)
    ;;
    esac

###############################################################################

    #Standard rules
    ##############################

    ${ipfw_cmd} add ${f_num_stdb} count all from any to any // begin standard block
   
    #Allow TCP through if setup succeeded
    ${ipfw_cmd} add pass tcp from any to any established // allow packets with RST or ACK bits set

    #Allow only secure ICMP types
    ${ipfw_cmd} add pass icmp from any to any icmptypes 0,3,4,8,11 // allow ICMP 0,3,4,8,11
    ${ipfw_cmd} add deny log icmp from any to any // deny other ICMP
   
    #Allow IP fragments to pass through
    ${ipfw_cmd} add pass all from any to any frag // allow IP fragments

    #Allow access to our ssh
    #Allow from LAN
    ${ipfw_cmd} add pass tcp from ${inet}:${imask} to ${iip} 22 in via ${iif} // allow SSH from LAN
    #From outside
    #Apply pass_ssh_acl
    for loop in ${pass_ssh_acl}
    do
      echo $loop | ${grep_cmd} -v "^#" > ${dev_null}
      if [ $? -eq 0 ]; then
        ${ipfw_cmd} add pass tcp from ${loop} to ${oip} 22 in via ${oif} // allow SSH
      fi
    done
    # Deny all other packets to port 22
    ${ipfw_cmd} add deny log tcp from any to ${oip},${iip} 22 // deny SSH for all others
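The ACL loops above split the list word by word (`for loop in ${pass_ssh_acl}`) and drop only the single word that starts with `#`, so a commented entry such as `#192.0.2.10 office` still hands the word `office` to ipfw. The helper below is an added example, not part of the original script: it reads an ACL line by line, strips comments, accepts only IPv4 addresses or CIDR prefixes, and emits the same `pass tcp ... 22` rule for each valid entry. `ipfw_cmd` is set to `echo ipfw` for a dry run, and `oip`, `oif` and the sample ACL are constructed values.

```shell
# Added example: line-oriented, validated ACL handling for the SSH allow list.
# Not from the original rc.firewall. ipfw_cmd is a dry-run stand-in so the
# rules are printed instead of loaded; oip/oif/sample_acl are constructed.
ipfw_cmd="echo ipfw"
oip="198.51.100.1"          # constructed external address
oif="em0"                   # constructed external interface

# is_ipv4_or_cidr ENTRY -> 0 if ENTRY is a.b.c.d or a.b.c.d/n (0..255, n<=32)
is_ipv4_or_cidr() {
  entry=$1
  addr=${entry%%/*}
  prefix=${entry#*/}
  [ "$prefix" = "$entry" ] && prefix=32       # no "/" given: host address
  case "$prefix" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr                                # split the address into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# emit_ssh_acl ACL_TEXT -> one "add pass" rule per valid entry;
# invalid entries are reported on stderr and never reach ipfw
emit_ssh_acl() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    line=${line%%#*}                          # drop a trailing "# comment"
    line=$(printf '%s' "$line" | tr -d '[:blank:]')
    [ -z "$line" ] && continue                # blank or comment-only line
    if is_ipv4_or_cidr "$line"; then
      ${ipfw_cmd} add pass tcp from "${line}" to "${oip}" 22 in via "${oif}"
    else
      printf 'rejected ACL entry: %s\n' "$line" >&2
    fi
  done
}

# count_rules ACL_TEXT -> how many rules the ACL would produce
count_rules() {
  emit_ssh_acl "$1" 2>/dev/null | grep -c '^ipfw add pass'
}

# Constructed ACL: a commented host, a prefix, a host with a trailing comment,
# and one junk word that must be rejected rather than passed to ipfw.
sample_acl='#192.0.2.10 office
198.51.100.0/24
203.0.113.7   # admin workstation
not-an-address
'

emit_ssh_acl "$sample_acl"
```

Replace `ipfw_cmd="echo ipfw"` with the real binary to load the rules; the word-by-word loop in the script can be swapped for `emit_ssh_acl` once the ACL variable holds one entry per line.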

###############################################################################

    #Particular connections block
    ##############################

    #Allow a particular connection to go through the firewall.
    #The interval (f_num_pcb - f_num_lastb) must match the `punch_fw` natd
    #option if you use it (man natd). natd creates its dynamic rules in this
    #range so that active-mode FTP and similar protocols work through ipfw.
   
    ${ipfw_cmd} add ${f_num_pcb} count all from any to any // begin particular connection block

###############################################################################

    #Last block
    ##############################

    ${ipfw_cmd} add ${f_num_lastb} count all from any to any // begin last block

    # Reject and log all setup of incoming connections from the outside
    ${ipfw_cmd} add deny log tcp from any to ${oip} in via ${oif} setup // reject all incoming TCP connections from outside

    # Allow any to any
    ${ipfw_cmd} add 65534 pass all from any to any // allow from any to any - the end of rules

###############################################################################

    #Pipes
    ##############################

    case ${shaper_enable} in
    [Yy][Ee][Ss])

    #Do not let packets leave the firewall after they are injected into a pipe
    #(keep processing rules). Alternatively set sysctl net.inet.ip.fw.one_pass=0.
    ${ipfw_cmd} disable one_pass

    #pipes config

    #External resources pipes

    if [ ! -z ${shaped_ext_res_ne_flag} ]; then

    #External resources group 1
    if [ ! -z ${shaped_ext_res_g1_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_ext_res_g1_pipe_num_in} config bw ${shaped_ext_res_g1_bw_in} queue ${shaped_ext_res_g1_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_ext_res_g1_pipe_num_out} config bw ${shaped_ext_res_g1_bw_out} queue ${shaped_ext_res_g1_q_out} mask src-ip 0xffffffff
    fi

    #External resources group 2
    if [ ! -z ${shaped_ext_res_g2_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_ext_res_g2_pipe_num_in} config bw ${shaped_ext_res_g2_bw_in} queue ${shaped_ext_res_g2_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_ext_res_g2_pipe_num_out} config bw ${shaped_ext_res_g2_bw_out} queue ${shaped_ext_res_g2_q_out} mask src-ip 0xffffffff
    fi

    #External resources group 3
    if [ ! -z ${shaped_ext_res_g3_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_ext_res_g3_pipe_num_in} config bw ${shaped_ext_res_g3_bw_in} queue ${shaped_ext_res_g3_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_ext_res_g3_pipe_num_out} config bw ${shaped_ext_res_g3_bw_out} queue ${shaped_ext_res_g3_q_out} mask src-ip 0xffffffff
    fi

    #Add more groups below
    #...

    #Collective external resources pipe
    ${ipfw_cmd} pipe ${sum_shaped_ext_res_pipe_num_in} config bw ${sum_shaped_ext_res_bw_in} queue ${sum_shaped_ext_res_q_in}
    ${ipfw_cmd} pipe ${sum_shaped_ext_res_pipe_num_out} config bw ${sum_shaped_ext_res_bw_out} queue ${sum_shaped_ext_res_q_out}

    fi

    #Personal pipes for each user

    if [ ! -z ${shaped_users_ne_flag} ]; then

    #User group 1
    if [ ! -z ${shaped_users_g1_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_users_g1_pipe_num_in} config bw ${shaped_users_g1_bw_in} queue ${shaped_users_g1_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_users_g1_pipe_num_out} config bw ${shaped_users_g1_bw_out} queue ${shaped_users_g1_q_out} mask src-ip 0xffffffff
    fi

    #User group 2
    if [ ! -z ${shaped_users_g2_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_users_g2_pipe_num_in} config bw ${shaped_users_g2_bw_in} queue ${shaped_users_g2_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_users_g2_pipe_num_out} config bw ${shaped_users_g2_bw_out} queue ${shaped_users_g2_q_out} mask src-ip 0xffffffff
    fi

    #User group 3
    if [ ! -z ${shaped_users_g3_ne_flag} ]; then
      ${ipfw_cmd} pipe ${shaped_users_g3_pipe_num_in} config bw ${shaped_users_g3_bw_in} queue ${shaped_users_g3_q_in} mask dst-ip 0xffffffff
      ${ipfw_cmd} pipe ${shaped_users_g3_pipe_num_out} config bw ${shaped_users_g3_bw_out} queue ${shaped_users_g3_q_out} mask src-ip 0xffffffff
    fi

    #Add more groups below
    #...

    #Collective users' pipe
    ${ipfw_cmd} pipe ${sum_shaped_users_pipe_num_in} config bw ${sum_shaped_users_bw_in} queue ${sum_shaped_users_q_in}
    ${ipfw_cmd} pipe ${sum_shaped_users_pipe_num_out} config bw ${sum_shaped_users_bw_out} queue ${sum_shaped_users_q_out}

    fi

    ;;
    *)
    ;;
    esac
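Every group in the pipes block gets its own inbound pipe (masked on `dst-ip`, one queue per LAN host receiving traffic) and outbound pipe (masked on `src-ip`), plus an unmasked collective pipe that caps the whole group. The one thing the script does not check is that pipe numbers stay unique: `ipfw pipe N config` on a number already used by another group silently reconfigures that pipe, so two groups meant to be shaped separately end up sharing one queue. The following is an added example, not the script's own code: it emits the same `pipe ... config` commands for a group and refuses a duplicate pipe number. `ipfw_cmd` is a dry-run stand-in and the bandwidth, queue and pipe values are constructed.

```shell
# Added example: dummynet pipe configuration with a pipe-number uniqueness
# check. Not part of the original rc.firewall; ipfw_cmd prints instead of
# loading, and all numbers below are constructed sample values.
ipfw_cmd="echo ipfw"
used_pipes=""        # space-separated pipe numbers configured so far

# reserve_pipe N -> 0 and records N; 1 if N is not a number or already used
reserve_pipe() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  for p in $used_pipes; do
    [ "$p" = "$1" ] && return 1
  done
  used_pipes="$used_pipes $1"
  return 0
}

# config_group NAME PIPE_IN PIPE_OUT BW_IN BW_OUT Q_IN Q_OUT
# Per-host pipes as in the script: inbound traffic is queued per destination
# (dst-ip mask), outbound traffic per source (src-ip mask).
config_group() {
  name=$1 pin=$2 pout=$3 bwin=$4 bwout=$5 qin=$6 qout=$7
  reserve_pipe "$pin"  || { echo "pipe $pin for $name is invalid or already in use" >&2; return 1; }
  reserve_pipe "$pout" || { echo "pipe $pout for $name is invalid or already in use" >&2; return 1; }
  ${ipfw_cmd} pipe "$pin"  config bw "$bwin"  queue "$qin"  mask dst-ip 0xffffffff
  ${ipfw_cmd} pipe "$pout" config bw "$bwout" queue "$qout" mask src-ip 0xffffffff
}

# config_collective NAME PIPE_IN PIPE_OUT BW_IN BW_OUT Q_IN Q_OUT
# No mask: one shared queue caps the sum of all members of the group.
config_collective() {
  name=$1 pin=$2 pout=$3 bwin=$4 bwout=$5 qin=$6 qout=$7
  reserve_pipe "$pin"  || { echo "pipe $pin for $name is invalid or already in use" >&2; return 1; }
  reserve_pipe "$pout" || { echo "pipe $pout for $name is invalid or already in use" >&2; return 1; }
  ${ipfw_cmd} pipe "$pin"  config bw "$bwin"  queue "$qin"
  ${ipfw_cmd} pipe "$pout" config bw "$bwout" queue "$qout"
}

# pipe_count -> number of pipes reserved so far
pipe_count() {
  set -- $used_pipes
  echo $#
}

# Dry run with constructed values (three user groups and their collective pipe).
# Group 3 reuses pipe 103 on purpose to show the check firing.
config_group      users_g1  101 102 512Kbit/s 256Kbit/s 50 50
config_group      users_g2  103 104 1Mbit/s   512Kbit/s 50 50
config_group      users_g3  103 105 1Mbit/s   512Kbit/s 50 50 || echo "users_g3 skipped"
config_collective users_sum 110 111 4Mbit/s   2Mbit/s   100 100
```

The dry run prints the `ipfw pipe ... config` lines for groups 1, 2 and the collective pipe, and reports the clash on group 3 instead of overwriting pipe 103. Pipe numbers, bandwidths (`512Kbit/s` and similar) and queue sizes are in the syntax ipfw itself accepts, so the same functions work unchanged with `ipfw_cmd=/sbin/ipfw`.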
   
###############################################################################

#The end