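#!/bin/sh
#
# FreeBSD ipfw + bridge/vlan setup for a multi-subnet user LAN behind a
# pool of NAT instances.  Runs as root at boot or on reconfiguration.
#
# Steps, in order:
#   1. build the user-facing interface (bridge0 over the tagged VLANs, or
#      the bare LAN NIC when ENABLE_VLANS=NO) and assign the internal
#      addresses;
#   2. flush and rebuild the ipfw ruleset: host-protection rules, the NAT
#      pool, and a deny-by-default policy for the user subnets in table 2;
#   3. start softflowd to export NetFlow for the user-facing interface.
#
# Re-running is safe for interfaces (creation is skipped when they already
# exist) and for rules (flushed before being re-added).  Table entries are
# NOT flushed: table 66 is populated outside this script, so re-adding an
# existing entry only reports "File exists" and the script carries on.
#
# Addresses written as *.*.73.N are redacted public addresses kept from the
# original configuration; put the real prefix in EXT_PREFIX.  They are always
# quoted so the shell never treats the asterisks as a glob.
#
# set -u: an unset variable here would silently produce a broken rule.
# set -e is deliberately NOT used: a failure after the flush must not leave
# the box with an empty ruleset, so every step runs and errors go to stderr.
set -u

IPFW="/sbin/ipfw"

#######################################
# Run ipfw quietly. -q only suppresses the echo of each added rule; errors
# still reach stderr and the exit status is preserved.
# Arguments: the ipfw command line
#######################################
fw() {
  "${IPFW}" -q "$@"
}

#######################################
# Create an interface unless it already exists ("ifconfig NAME create" fails
# with "File exists" on a re-run).
# Arguments: $1 - interface name (bridge0, ix0.21, ...)
#######################################
ensure_if() {
  /sbin/ifconfig "$1" >/dev/null 2>&1 || /sbin/ifconfig "$1" create
}

# Interfaces setup
LAN_IF="ix0"
WAN_IF="ix1"
INTERNAL_IP="10.0.1.1/24"
ENABLE_VLANS="YES"
BRIDGE_NAME="bridge0"
VLAN_INTERFACE=${LAN_IF}
VLAN_COUNT="16"
VLAN_FROM="21"
# MAC forced onto the user interface so clients see the same gateway MAC
# whether it is the bridge or the bare NIC.
USER_MAC="00:e0:ed:6a:05:e0"

# NAT pool: instance i (1..NAT_COUNT) uses public address
# EXT_PREFIX.(NAT_IP_BASE + i), i.e. nat 1 -> *.*.73.67 ... nat 32 -> *.*.73.98.
EXT_PREFIX="*.*.73"
NAT_COUNT="32"
NAT_IP_BASE="66"

# Validate configuration before touching interfaces or rules.
case "${ENABLE_VLANS}" in
  YES|NO) ;;
  *)
    printf 'ENABLE_VLANS must be YES or NO, got "%s"\n' "${ENABLE_VLANS}" >&2
    exit 1
    ;;
esac

case "${ENABLE_VLANS}" in
  YES)
    # One bridge carrying all user VLANs.  Every member is marked "private":
    # a private bridge port never forwards to another private port, so there
    # is no L2 path between VLANs -- inter-VLAN traffic has to go through this
    # host and therefore through ipfw.
    ensure_if "${BRIDGE_NAME}"
    # jot prints whitespace-separated integers; word-splitting is intended.
    for tag in $(jot "${VLAN_COUNT}" "${VLAN_FROM}"); do
      vif="${VLAN_INTERFACE}.${tag}"
      printf 'Creating vlan: %s\n' "${vif}"
      ensure_if "${vif}"
      /sbin/ifconfig "${vif}" up
      printf 'Adding vlan: %s to %s\n' "${vif}" "${BRIDGE_NAME}"
      /sbin/ifconfig "${BRIDGE_NAME}" addm "${vif}" up
      /sbin/ifconfig "${BRIDGE_NAME}" private "${vif}"
    done
    USER_INTERFACE=${BRIDGE_NAME}
    # forwarding-cache entry limit, sized for the expected number of clients
    /sbin/ifconfig "${BRIDGE_NAME}" maxaddr 9000
    ;;
  NO)
    USER_INTERFACE=${LAN_IF}
    ;;
esac

# manual MAC inherit
/sbin/ifconfig "${USER_INTERFACE}" ether "${USER_MAC}"

# primary internal address plus one alias per additional user subnet
# (these four /24s are the same networks listed in table 2 below)
/sbin/ifconfig "${USER_INTERFACE}" "${INTERNAL_IP}"
printf 'Internal interface IP set to %s\n' "${INTERNAL_IP}"
/sbin/ifconfig "${USER_INTERFACE}" alias 10.0.2.1/24
/sbin/ifconfig "${USER_INTERFACE}" alias 10.0.3.1/24
/sbin/ifconfig "${USER_INTERFACE}" alias 10.0.4.1/24

# Flush here rather than at the top: the interface work above does not need
# the ruleset gone, so the window in which only the kernel default rule
# applies is kept as short as possible.
fw -f flush

# table 2: the user subnets; the deny rules at 65533/65534 apply to them.
fw table 2 add 10.0.1.0/24
fw table 2 add 10.0.2.0/24
fw table 2 add 10.0.3.0/24
fw table 2 add 10.0.4.0/24

# table 9: not referenced by any rule in this script; kept for external use.
fw table 9 add "${EXT_PREFIX}.66"

# Safe zones: management hosts that may reach every local service (rule 45),
# including the mysql/sgconf ports that rules 47/48 deny to everyone else.
fw table 22 add 127.0.0.1
fw table 22 add 10.10.0.1
fw table 22 add "${EXT_PREFIX}.250"

# Safe zones allow policy.  'table(N)' is quoted so the shell does not
# interpret the parentheses.
fw add 45 allow ip from 'table(22)' to me
fw add 45 allow ip from me to 'table(22)'

# mysql access: blocked host-wide except for table 22 (rule 45 wins first)
fw add 47 deny ip from any to me dst-port 3306
fw add 47 deny ip from me to any src-port 3306

# sgconf access: same treatment as mysql
fw add 48 deny ip from any to me dst-port 5555
fw add 48 deny ip from me to any src-port 5555

# http from the user subnets to this host only
fw add 4 allow ip from 'table(2)' to me dst-port 80 via "${USER_INTERFACE}"
fw add 4 allow ip from me to 'table(2)' src-port 80 via "${USER_INTERFACE}"

# DHCP + DNS
# NOTE(review): rule 5 matches on source port only, so any UDP packet whose
# source port is 67, 68 or 53 passes via the user interface regardless of
# destination, ahead of the deny-by-default rules.  Tightening it with a
# direction (in/out) and a 'me' / 'table(2)' endpoint as the DHCP and DNS
# server roles require would close that -- confirm which hosts serve DHCP/DNS.
fw add 5 allow udp from any 67,68,53 to any via "${USER_INTERFACE}"
fw add 7 allow ip from 'table(2)' to me dst-port 53 via "${USER_INTERFACE}"
fw add 7 allow udp from me 53 to 'table(2)' via "${USER_INTERFACE}"

# DENY NETBIOS on the user interface
fw add 1100 deny udp from any to any 137,138 via "${USER_INTERFACE}"
fw add 1100 deny tcp from any to any 135,139 via "${USER_INTERFACE}"

# NAT-POOL: one instance per public address.  deny_in drops inbound packets
# that have no existing translation, so the pool addresses do not expose
# the users behind them; 'reset' clears the translation table on address
# change and 'same_ports' tries to keep the client's source port.
for i in $(jot "${NAT_COUNT}" 1); do
  fw nat "$i" config log ip "${EXT_PREFIX}.$((NAT_IP_BASE + i))" \
    deny_in reset same_ports
done

# Outbound: nat instance taken from table 66's value (user address -> nat
# number), which is populated outside this script.  Inbound: instance taken
# from table 67 (public address -> nat number), filled just below.
fw add 6000 nat tablearg ip from 'table(66)' to any via "${WAN_IF}"
fw add 6001 nat tablearg ip from any to 'table(67)' via "${WAN_IF}"

#################### EXTERNAL IP -> NAT NUMBER
for i in $(jot "${NAT_COUNT}" 1); do
  fw table 67 add "${EXT_PREFIX}.$((NAT_IP_BASE + i))" "$i"
done

# default block policy for the user subnets.  Everything not matched above
# (including traffic from the WAN to this host) falls through to the final
# allow, so host services are only protected by rules 47/48 here.
fw add 65533 deny all from 'table(2)' to any via "${USER_INTERFACE}"
fw add 65534 deny all from any to 'table(2)' via "${USER_INTERFACE}"
# NOTE(review): 65535 is ipfw's reserved default-rule number and the kernel
# is expected to refuse a user rule there; with -q that is easy to overlook,
# so warn explicitly.  If it fails, the catch-all is whatever the kernel
# default rule does (net.inet.ip.fw.default_to_accept).
fw add 65535 allow all from any to any ||
  printf 'warning: rule 65535 not added; unmatched traffic uses the kernel default rule\n' >&2

# netflow stats on the user-facing interface.  This used to be hard-coded to
# bridge0, which does not exist when ENABLE_VLANS=NO.
/usr/local/bin/softflowd -i "${USER_INTERFACE}" -s 100 \
  -t udp=60 -t tcp=60 -t icmp=60 -t general=60 \
  -t maxlife=60 -t tcp.rst=60 -t tcp.fin=60 \
  -n 10.10.0.104:42112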