RU/2: Форум. Общение пользователей и разработчиков OS/2 (eCS). : sfire


From : valerius
To : Pavek Shtemenko
Subj : sfire

> Господа, дайте рабочий sfire.cfg вместе с шейпингом. По доке пробовал - фиг вам.

У меня всё работает — и трафик-шейпер, и портмаппер. Секрет, похоже, в том, что
надо явно указывать значения параметров, а не полагаться на дефолты. Мой конфиг
(не самый оптимальный, конечно; перед использованием замените учётные данные
в секции [remote], а также IP- и MAC-адреса на свои):

[---==============================куть хере===================----------------]
;
!include f:\sys\conf\etc\SafeFire\mfilter.cfg
;
; Sample configuration file for SafeFire Firewall 1.2+.
;
; Copy it to SFIRE.CFG to put it to work.
;
; Many variables have reasonable default values, so do not touch
; them unless you are sure what you want to do.
;
; NOTE(review): the file pulled in by the !include above is named after
; the MAC filter, yet this file also defines its own [mfilter] section
; further down. Whether the included or the inline section wins (or
; whether they merge) depends on how SafeFire's parser treats repeated
; sections, which is not documented here -- keep the MAC rules in one
; place so the effective rule set is unambiguous.
;

[nat]
; Network Address Translation configuration parameters.
; This variable enables NAT. By default NAT is ON.
enable=yes

; Reassemble fragmented packets before translating them. Fragments
; are held in the NAT engine meanwhile (see the 'header'/'fragment'
; timeouts in [timeouts]).
defragment=yes

; Forward packets that the NAT engine ignored instead of dropping them.
forward_ignored=yes

; When 'yes', incoming connections (e.g. to telnet, ftp, web servers)
; are prevented at the NAT level. It is 'no' here, presumably because
; the [portmap] rules below deliberately expose internal hosts; with
; this off, the [filter] rules are the only thing between the outside
; and those services, so keep the two sections in step.
deny_incoming=no

; Restrict the set of internal addresses that get translated to the
; three RFC1918 private ranges:
; 10.0.0.0 -> 10.255.255.255
; 172.16.0.0 -> 172.31.255.255
; 192.168.0.0 -> 192.168.255.255
;
; By default this value is ON.
private_net=yes

[timeouts]
; NAT engine timeouts.
; Each connection in the NAT engine is represented as a link of a
; particular type. Each type of link has its own idle timeout.
; When this timeout expires, the link is removed from the NAT engine
; at the next housekeeping pass. All values are in seconds.
;
; The following variables are recognized:

; ICMP links
icmp = 60

; UDP links
udp = 60

; TCP links (initial value, before the handshake completes)
tcp = 300

; TCP header fragment
header = 10

; TCP body fragment
fragment = 30

; Header and body fragments are stored in the
; NAT engine before assembling if the
; 'defragment' option is turned on.

; TCP broken connection
broken = 10

; TCP partially broken connection
halfbroken = 90

; TCP link connected at both sides: 86400 s = 24 h. A long value keeps
; idle translations (and whatever state they occupy) alive for a day;
; shorten it if the link table fills up.
connected = 86400


[cleanup] ;NAT engine cleanup parameters
; Cleanup is done at the specified interval and at each cleanup
; only part of the links is processed. Because of that, a link can
; outlive its [timeouts] value by up to a few cleanup intervals
; (the 10 s 'broken'/'header' timeouts are well below the 60 s
; interval set here).
;
; The following variables are recognized:

; This variable determines the time interval
; between cleanups, in seconds.
interval = 60


; This variable determines the number of table
; rows processed during each cleanup.
spokes = 30


[ident] ; Internal IDENT server configuration
; This variable enables the internal IDENTD.
; NOTE(review): [filter] rule 00470 lets ANY host reach port 113, and
; the response format shown below embeds the string "OS/2", so the
; gateway fingerprints itself to every caller. Unless a peer (typically
; an IRC server) insists on IDENT, set this to 'no' and drop rule 00470.
enable=yes
;
; In general the response looks like the following:
; 123, 12345: USERID: OS/2: os2user
;
; The following variable determines the last part of the response.
; A placeholder name rather than a real account keeps user ids from
; leaking.
;user=os2user
user=somebody


[portmap]
; Port mapping rules. NOTE: Portmapper requires enabled NAT!
; This variable can be mentioned more than once, i.e. you can define as many
; port mappings as you wish by adding an appropriate 'rule' variable.
;
; Each rule is described by two pairs addr:port as in the following example:
;
; rule = 123.45.67.89:80,192.168.1.1:8080
;
; This rule will redirect all connections going through SafeFire to
; host 123.45.67.89 and port 80 (www) to host 192.168.1.1 and port 8080.
; You can use 0 in the place of the first address if the host is the same
; one where SafeFire is running.
;
; The rules below also append a protocol word (udp/tcp) and, in the
; commented InetAccess rules, a trailing number; neither is covered by
; the syntax sketched above, so refer to the full SafeFire docs.
; NOTE(review): the rules without a protocol word (the 234.0.0.1 and
; '0:' ones) rely on the engine's default protocol, which this file
; does not state -- spell it out, as the other rules do, rather than
; depend on the default.
;
; Every mapping here is a deliberate hole through NAT: whoever can reach
; the first addr:port reaches the second one. The 137-139 mappings hand
; NetBIOS/SMB of three inner hosts to anyone who can reach the alias
; addresses; keep them paired with matching [filter] rules.

; By default rules are empty

; for tcpbeui on computers of my inner net

; winemu
rule = 192.168.11.50:137,192.168.11.9:137 udp
rule = 192.168.11.50:138,192.168.11.9:138 udp
rule = 192.168.11.50:139,192.168.11.9:139 tcp
; ins2
rule = 192.168.11.51:137,192.168.11.2:137 udp
rule = 192.168.11.51:138,192.168.11.2:138 udp
rule = 192.168.11.51:139,192.168.11.2:139 tcp
; mama
rule = 192.168.11.52:137,192.168.11.3:137 udp
rule = 192.168.11.52:138,192.168.11.3:138 udp
rule = 192.168.11.52:139,192.168.11.3:139 tcp

; rules needed to support nassi
; in Virtual PC under Win98 (234.0.0.1 is a multicast address, which
; the [filter] nassi rules also reference):
rule = 234.0.0.1:50138,192.168.11.9:50138
rule = 234.0.0.1:50139,192.168.11.9:50139
; xp -- these two expose ports 50138/50139 of the gateway itself and
; hand them to 192.168.11.9
rule = 0:50138,192.168.11.9:50138
rule = 0:50139,192.168.11.9:50139
; ins2
;rule = 0:50138,192.168.11.2:50138
;rule = 0:50139,192.168.11.2:50139

; For InetAccess:
;rule = 0:5554,192.168.11.9:5554 udp 2
;rule = 192.168.11.50:5554,192.168.11.13:5554 udp 2


[shaper] ; Traffic shaper
; Sleeping time in ms within the shaper loop (default is 1)
;sleep=

; This variable can be mentioned more than once, i.e. you can define as many
; pipes as you wish by adding an appropriate 'pipe' variable.
;
; Each pipe is described using the following syntax (refer to the
; documentation for more details):
;
; pipe=number parm ...
;
; parm:
; {speed|delay|loss|length}
;
; speed: speed <speed> [{M|K}][bps] default - 0 bps (no speed limit)
; delay: delay <delay> [s|ms] default - 0 ms (no delay is set)
; loss : loss <loss>[%] default - 0% (no packet loss)
; length: length <length> default - MAX_LENGTH (500)

;
;pipe=
; Pipes defined here: 1000 = 16 Kbps, 1100 = 40 Kbps, 1110 = 10% packet
; loss, 1120 = 1 s delay. Only pipe 1100 is referenced by a [filter]
; rule in this file (the 'pipe 1100' rule on the 192.168.2.0/24 hosts);
; the others may be used from the included mfilter.cfg or be leftovers.
; NOTE(review): the 'bps' suffix above reads as bits per second, while
; the comment over that [filter] rule speaks of 40 kilobytes per second
; -- confirm the unit against the docs before trusting the limit.
pipe = 1000 speed 16 Kbps
pipe = 1100 speed 40 Kbps
pipe = 1110 loss 10 %
pipe = 1120 delay 1 s

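[filter] ; Packet filter
; This variable enables the packet filter.
enable=yes

; This variable can be mentioned more than once, i.e. you can define as many
; rules as you wish by adding an appropriate 'rule' variable.
;
; Each rule is described using the following syntax (refer to the
; documentation for more details):
; rule = [number] action proto src dst [extra[,...]]
;
; action: {allow|accept|permit} | {deny|drop|reject} | count | pipe <num> | plugin <num> | skipto <num>
;
; proto : {all|ip|tcp|udp|icmp}
;
; src : from [not] {any|myip|ip[{/bits|:mask}]} [{port|port-port},[port],...]
; dst : to [not] {any|myip|ip[{/bits|:mask}]} [{port|port-port},[port],...]
;
; extra : {fragment|in|out|bidi|established|setup|flags}
; flags : tcpflags [!]{syn|fin|rst|ack|psh|urg},...
;
; Layout of this rule set: nearly every "allow" is written as
; 'skipto 50000' so that accepted traffic presumably gets accounted by
; the IpStat plugin (rule 50000) before the final 'allow all' (65535);
; anything not matched earlier hits the default 'deny log' at 49999.
; Rule numbers are unique within this section: the engine looks rules
; up by number (see the note above rule 48900), so a duplicate number
; is at best ambiguous and at worst silently shadows a rule. Three
; duplicates (00260, 00500, 00900) were renumbered below; the
; replacements keep their original position in the ordering.
;
; NOTE(review): several rules below admit traffic by SOURCE port only
; (e.g. 'from any http,... to myip bidi' with no destination port).
; Anything that can choose its source port can reach every TCP port on
; the matching destination through such a rule. Tightening them needs
; the engine's exact 'established'/'setup' semantics, which this file
; does not document, so they are flagged here rather than changed.

;--------------------------------------------------------------
;rule = 100 allow all from any to any
;--------------------------------------------------------------
; sgauth
rule = 00050 skipto 50000 udp from myip 5554 to any 5555 out
rule = 00051 skipto 50000 udp from any to myip 5555 in
; InetAccess on the Windows box
rule = 00055 skipto 50000 udp from 192.168.11.0/24 5554 to any 5555 out
rule = 00056 skipto 50000 udp from any to 192.168.11.0/24 5555 in

; Allow DHCP packets (192.168.2.129 is the upstream DHCP server)
rule = 00100 skipto 50000 udp from 192.168.2.129 dhcps to any in
rule = 00110 skipto 50000 udp from 0.0.0.0 dhcpc to any dhcps out
rule = 00120 skipto 50000 udp from myip dhcpc to any dhcps out
;rule = 00082 skipto 20000 udp from 192.168.2.129 dhcps to myip dhcpc bidi
;rule = 00080 skipto 20000 udp from 0.0.0.0 dhcpc to 255.255.255.255 dhcps out
;rule = 00081 skipto 20000 udp from myip dhcpc to 255.255.255.255 dhcps out
; when using 255.255.255.255 in the "to" clause, we get an
; error about an incorrect address, so we use "any" instead :((.

; Allow DNS
rule = 00200 skipto 50000 udp from any 53 to myip 53 bidi
; NOTE(review): 00210 matches on source port only (any TCP from port 53
; to any port on myip) -- see the note at the top of this section.
rule = 00210 skipto 50000 tcp from any 53 to myip bidi
rule = 00220 skipto 50000 tcp from any to myip 53 bidi
rule = 00230 skipto 50000 udp from 192.168.11.0/24 53 to 192.168.11.1 53 bidi

; Limit download speed for the 192.168.2.0/24 hosts to pipe 1100
; (40 kilobytes per second according to the original note; [shaper]
; defines the pipe as '40 Kbps' -- see the unit remark there).
; The hosts listed here are exempt: they jump straight to the counting
; rule 00291 and bypass the pipe rule 00290.
rule = 00260 skipto 00291 tcp from myip 139 80 20 to 192.168.2.4 out
rule = 00261 skipto 00291 tcp from myip 139 80 20 to 192.168.2.18 out
; was a second '00260' -- renumbered so every rule number is unique
rule = 00262 skipto 00291 tcp from myip 139 80 20 to 192.168.2.20 out
rule = 00270 skipto 00291 tcp from myip 139 80 20 to 192.168.2.36 out
rule = 00271 skipto 00291 tcp from myip 139 80 20 to 192.168.2.37 out
rule = 00272 skipto 00291 tcp from myip 139 80 20 to 192.168.2.38 out
rule = 00273 skipto 00291 tcp from myip 139 80 20 to 192.168.2.40 out
rule = 00274 skipto 00291 tcp from myip 139 80 20 to 192.168.2.42 out
rule = 00275 skipto 00291 tcp from myip 139 80 20 to 192.168.2.49 out
rule = 00276 skipto 00291 tcp from myip 139 80 20 to 192.168.2.69 out
rule = 00277 skipto 00291 tcp from myip 139 80 20 to 192.168.2.78 out
rule = 00278 skipto 00291 tcp from myip 139 80 20 to 192.168.2.81 out
rule = 00279 skipto 00291 tcp from myip 139 80 20 to 192.168.2.85 out
rule = 00280 skipto 00291 tcp from myip 139 80 20 to 192.168.2.86 out
rule = 00282 skipto 00291 tcp from myip 139 80 20 to 192.168.2.90 out
rule = 00284 skipto 00291 tcp from myip 139 80 20 to 192.168.2.9 out
rule = 00290 pipe 1100 tcp from myip 139 20 80 to 192.168.2.0/24 out
rule = 00291 count tcp from myip 139 20 80 to 192.168.2.0/24 out

; Allow other hosts to reach my TCP services (proxy, www, ftp)
rule = 00300 skipto 50000 tcp from any to myip 8080 80 20 21 bidi

; Allow access to TCP services on other hosts
; NOTE(review): 00400-00430 match on source port only (see the note
; at the top of this section).
rule = 00400 skipto 50000 tcp from any http,https,ftp,ftp-data,pop3,smtp,nntp,time,daytime to myip bidi
rule = 00410 skipto 50000 tcp from any http,https,ftp,ftp-data,pop3,smtp,nntp,time,daytime to 192.168.11.0/24 bidi
rule = 00420 skipto 50000 tcp from any 8000-8200 to myip bidi
rule = 00430 skipto 50000 tcp from any 8000-8200 to 192.168.11.0/24 bidi

; Allow UDP services of other hosts
rule = 00440 skipto 50000 udp from any ntp,time,daytime,domain to myip bidi
rule = 00450 skipto 50000 udp from any ntp,time,daytime to 192.168.11.0/24 bidi

; XFree86/OS2:
; allow remote X11 clients (from one named host only):
rule = 00465 skipto 50000 tcp from 192.168.2.38 1024-65535 to myip 6000-6010 bidi
; allow my X11 clients to connect to the remote server:
rule = 00466 skipto 50000 tcp from 192.168.2.38 6000-6010 to myip 1024-65535 bidi

; allow remote hosts access to identd on my gateway
; (only needed if some peer, e.g. an IRC server, insists on IDENT;
; otherwise drop this rule and set [ident] enable=no):
rule = 00470 skipto 50000 tcp from any to myip 113 bidi

; Allow traceroute
rule = 00500 skipto 50000 udp from myip 32000-34999 to any 32000-34999 out
; was a second '00500' -- renumbered so every rule number is unique
rule = 00501 skipto 50000 udp from 192.168.11.0/24 32000-34999 to any 32000-34999 out

; Allow TCPBEUI (NetBIOS/SMB)
;rule = 00550 skipto 50000 udp from any 137,138 to 192.168.2.200 bidi
;rule = 00560 skipto 50000 udp from any to 192.168.2.200 137,138 bidi
;rule = 00570 skipto 50000 tcp from any 139 to 192.168.2.200 bidi
;rule = 00580 skipto 50000 tcp from any to 192.168.2.200 139 bidi
;rule = 00590 skipto 50000 tcp from any 445 to 192.168.2.200 bidi

; NOTE(review): 00600-00690 open NetBIOS/SMB (137-139, 445) on the
; gateway and on the whole inner net to ANY source, which includes the
; upstream 192.168.2.0/24 segment. Replace 'from any' with the hosts
; that actually need file sharing if that segment is not fully trusted.
rule = 00600 skipto 50000 udp from any 137,138 to myip bidi
rule = 00610 skipto 50000 udp from any to myip 137,138 bidi
rule = 00620 skipto 50000 tcp from any 139 to myip bidi
rule = 00630 skipto 50000 tcp from any to myip 139 bidi
rule = 00640 skipto 50000 tcp from any 445 to myip bidi

rule = 00650 skipto 50000 log udp from any 137,138 to 192.168.11.0/24 bidi
rule = 00660 skipto 50000 log udp from any to 192.168.11.0/24 137,138 bidi
rule = 00670 skipto 50000 tcp from any 139 to 192.168.11.0/24 bidi
rule = 00680 skipto 50000 tcp from any to 192.168.11.0/24 139 bidi
rule = 00690 skipto 50000 tcp from any 445 to 192.168.11.0/24 bidi


; Allow jabber and icq (source-port match, see top note)
rule = 00700 skipto 50000 tcp from any 5190,5222 to myip bidi
; Allow irc (source-port match, see top note)
rule = 00710 skipto 50000 tcp from any 6660-6669 to myip bidi

; nassi
rule = 00750 skipto 50000 log udp from 192.168.2.0/24 50139 to 234.0.0.1 50138 in
rule = 00759 skipto 50000 log udp from 192.168.11.0/24 50139 to 234.0.0.1 50138 out
rule = 00760 skipto 50000 log udp from 192.168.2.0/24 50139 to 192.168.11.0/24 50138 in
rule = 00770 skipto 50000 log udp from 192.168.11.0/24 50139 to 192.168.2.0/24 50138 out
rule = 00780 skipto 50000 log tcp from 192.168.2.0/24 to 192.168.11.0/24 50138 bidi
rule = 00790 skipto 50000 log tcp from 192.168.2.0/24 50138 to 192.168.11.0/24 bidi

; skype
;rule = 00800 skipto 50000 log udp from any to 192.168.11.0/24


; Allow Limewire
rule = 00900 skipto 50000 udp from any 6346-6352 to myip 6346-6350 bidi
rule = 00910 skipto 50000 tcp from any 6346-6352,6034,2840 to myip bidi
rule = 00920 skipto 50000 tcp from any to myip 6346-6350,6034,2840 bidi

rule = 02000 skipto 50000 udp from any to myip 6346 bidi
rule = 02010 skipto 50000 tcp from any 40413 to myip bidi

; Count attempts to telnet to us.
; Was '00900', which collided with the Limewire UDP rule above;
; renumbered to 00901 so it keeps its place right after that rule.
rule = 00901 count log tcp from any to myip 23 in,setup

; Allow broadcast packets
; Main AMN network
rule = 01000 skipto 50000 ip from 192.168.2.0/24 to 192.168.2.255 bidi
rule = 01010 skipto 50000 ip from 192.168.0.0/16 to 192.168.255.255 bidi
;rule = 01020 skipto 50000 ip from 192.168.0.0/16 to 255.255.255.255 bidi
; Aliases
; NOTE(review): the directed broadcast of 192.168.11.64/27 is .95, not
; .63 (likewise .16/29 -> .23 and .24/29 -> .31 further down). Verify
; whether these rules are meant to cover those prefixes at all.
rule = 01030 skipto 50000 ip from 192.168.11.32/27 to 192.168.11.63 bidi
rule = 01040 skipto 50000 ip from 192.168.11.64/27 to 192.168.11.63 bidi
; My flat's network
rule = 01050 skipto 50000 ip from 192.168.11.0/28 to 192.168.11.15 bidi
; Subnets of my flat
rule = 01060 skipto 50000 ip from 192.168.11.0/29 to 192.168.11.7 bidi
rule = 01070 skipto 50000 ip from 192.168.11.8/29 to 192.168.11.7 bidi
rule = 01080 skipto 50000 ip from 192.168.11.16/29 to 192.168.11.7 bidi
rule = 01090 skipto 50000 ip from 192.168.11.24/29 to 192.168.11.7 bidi


; nassi multicast
;rule = 01100 count log ip from any to 234.0.0.1 bidi
; allow multicast
rule = 01110 skipto 50000 ip from any to 224.0.0.0/4 bidi

; misc
; The link-local block is 169.254.0.0/16; the previous '/8' also
; counted every routable address in 169.0.0.0/8. Count-only rule, so
; this corrects statistics, not filtering.
rule = 01200 count ip from any to 169.254.0.0/16 bidi
rule = 01210 count ip from any to 0.0.0.0 bidi

; If "skipto 50000" is used instead of allow here, the firewall
; complains that it cannot find rule #1.
rule = 48900 allow icmp from myip to any out icmptypes 0,3,5,8,11,12,13,14,15,16
rule = 48901 allow icmp from 192.168.11.0/24 to any out icmptypes 0,3,5,8,11,12,13,14,15,16
rule = 48910 allow icmp from any to myip in icmptypes 0,3,11,12,13,14,15,16
rule = 48911 allow icmp from any to 192.168.11.0/24 in icmptypes 0,3,11,12,13,14,15,16

; (dis)allow incoming icmp echo
rule = 49000 allow log icmp from any to myip in icmptypes 8
rule = 49001 allow log icmp from any to 192.168.11.0/24 in icmptypes 8

; disallow big (so, fragmented) icmp packets
; (some protection against Ping of death):
rule = 49010 deny log icmp from any to myip fragment,in
rule = 49020 deny log icmp from any to 192.168.11.0/24 fragment,in

; allow non-privileged ports:
; NOTE(review): this admits unsolicited inbound TCP to every port in
; 1024-4096 on the gateway, not just replies to its own outbound
; connections. If only return traffic is intended, qualify the rule
; with 'established' (after confirming the engine's semantics) or
; list the specific listening ports instead.
rule = 49100 skipto 50000 tcp from any to myip 1024-4096 bidi

; deny all other
rule = 49999 deny log ip from any to any bidi

; IpStat plugin by zuko
rule = 50000 plugin 100
rule = 65535 allow all from any to any bidi
;--------------------------------------------------------------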
;--------------------------------------------------------------


[mfilter] ; Packet filter by MAC addresses
; This variable enables the filter.
; NOTE: it is OFF here, so none of the ARP rules below are in effect
; and the ARP-spoofing protection they describe is not active.
; mfilter.cfg is also !included at the top of this file; if it carries
; its own [mfilter] section, which copy of 'enable' wins is
; parser-dependent.
enable=no

; This variable can be mentioned more than once, i.e. you can define as many
; rules as you wish by adding an appropriate 'rule' variable.
;
; Each rule is described using the following syntax (refer to the
; documentation for more details):
; rule = [number] action [log] proto [src] [dst] [direction] [extra]
;
; action: {allow|accept|permit} | {deny|drop|reject} | count | pipe <num> | plugin <num> | skipto <num>
;
; proto : {all|ip|arp|proto number}
;
; src : from [!]{any|mac address}[=[!]{any|ip|myip}] [req_match]
; = means matching a particular MAC to a particular IP in packets
; of some protocols (ip, arp)
; match means matching the MAC address in the ethernet header to the ARP
; packet's corresponding MAC address
; dst : to [!]{any|mac address}[=[!]{any|ip|myip}] [req_match]
; dst : to [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]
;
; direction : {in|out|bidi}
; extra : {opt opt_number}

;------------------------------------------
;rule=65500 allow arp from all match to all match bidi
;rule=65510 deny arp from all to all bidi
;rule=65520 allow all from all to all bidi
;------------------------------------------
; allow our arp requests to the net
;rule=10 allow arp from any=myip to FF:FF:FF:FF:FF:FF out
; deny all other
;rule=65534 deny all from all to all bidi
;------------------------------------------
; (some ARP spoofing protection ;-))
;
; allow our arp requests (opt 1) to the net:
;;;;;rule = 00010 permit arp from 00:80:48:22:A4:6E=myip to FF:FF:FF:FF:FF:FF out
;opt 1
; 00:02:b3:e7:42:43 is the provider's gateway (see the commented rule
; 65510 below); 00:80:48:22:A4:6E is this machine's adapter (it is the
; one paired with myip in the commented rule 00010 above).
rule = 00005 permit arp from 00:02:b3:e7:42:43 to 00:80:48:22:A4:6E in
rule = 00010 permit arp from 00:80:48:22:A4:6E to FF:FF:FF:FF:FF:FF out
; NOTE(review): 'any=any' to broadcast, both directions, passes every
; broadcast ARP frame regardless of content; presumably that includes
; gratuitous replies, which are a common spoofing vehicle.
rule = 00015 permit arp from any=any to FF:FF:FF:FF:FF:FF bidi

;opt 1
; allow our correct arp replies (opt 2):
;;;;;rule = 00020 permit arp from 00:80:48:22:A4:6E=myip match to any=any out
;opt 2
;
; MAC addresses in the ethernet frame header must
; match the MAC addresses in the ARP packet:
; NOTE(review): this only checks that a frame is self-consistent; a
; spoofer controls both fields, so it does not stop a forged
; "gateway IP is at my MAC" reply. Pinning the gateway's IP to its MAC
; (the 'mac=ip' form of the commented rule 65510) is the check that
; would, and it is currently disabled.
rule = 65500 permit arp from any match to any match bidi
; or allow a non-match in case the source is my provider's gateway:
;;;;;rule = 65510 permit arp from 00:02:b3:e7:42:43=192.168.2.129 to any=any bidi

; deny all other arp packets:
rule = 65520 deny log arp from any to any bidi
; allow other protocols:
rule = 65530 permit all from any to any bidi
; ^
; |
; if no bidi then error! >--------------+
;rule=65534 deny all from all to all bidi
;------------------------------------------


[key] ; License key section
; Left empty in this shared copy -- never paste a real license key into
; a configuration that is posted publicly.
;name=
;key=


[remote]
; Remote Control section
;
; Order of checks: allow, deny
; If the address of the remote side falls under the conditions of 'allow'
; and does not match anything in 'deny', then the connection is accepted.
; In all other cases the attempt is only logged and the connection is
; not permitted.
;
; Format of rule (either deny or allow):
;
; any|ip[{/bits|:mask}]
;
; NOTE: connections from address 127.0.0.1 are always enabled,
; unless port is set to 0.

enable = yes
port = 1021

;allow =
;deny =
; Only the loopback address is allowed (redundant with the NOTE above,
; but harmless). Do not add non-loopback addresses while the
; credentials below are still placeholders.
allow = 127.0.0.1
;allow = 192.168.2.39
;deny = any

; NOTE: these are NOT default values.
; By default remote access is disabled because of empty rule sets.
;
; NOTE(review): "userid"/"password" are placeholder credentials for the
; firewall's own control channel. Anyone who can reach port 1021 and
; guesses the defaults can reconfigure the firewall. Replace them with
; your own values before opening 'allow' beyond loopback, or set
; enable = no if remote control is not used. Whether the surrounding
; quotes are part of the value is parser-specific; check the SafeFire
; docs before relying on them.
userid = "userid"
password = "password"


[log]
; Write log output to the console.
console=yes
; Verbosity level; the meaning of 6 is defined by the SafeFire docs,
; not by this file. Several [filter] rules (and the default 'deny log'
; at 49999) rely on logging -- if their entries do not show up, check
; this value against the docs.
level=6


[dhcp]
; Interval in seconds between checks for an IP address change.
; A value less than or equal to 0 disables the check.
interval=5

; Enable automatic startup of filter/nat on valid address assignment
auto_pipe=off

; Command line of the application which will be started
; when an IP address change is detected (limited to 2000 bytes).
; The command line may contain %1, %2, %3 and %4 strings. They will
; automatically be replaced with the following information:
;
; %1 - with new IP address in usual dot-delimited form
; %2 - with old IP address in usual dot-delimited form
; %3 - with new IP mask in usual dot-delimited form
; %4 - with old IP mask in usual dot-delimited form
;
; NOTE(review): whatever is put here runs (presumably with the
; firewall's privileges) every time the address changes. If enabled,
; give the script a full path in a directory only the administrator
; can write to -- the example below names 'ifinit.cmd' with no
; directory, so which file actually runs depends on the current
; directory/PATH at the time.
;run="cmd.exe /c ifinit.cmd %1 %2 %3 %4"

; Enable clearing of the internal ARP cache on IP address change
clear_arp=no


[device]
; Network adapter unit number; commented out, so the default is used.
;unit=0
; The exact effect of broken_arp, filter_all and fastmode is defined by
; the SafeFire docs and is not restated here.
broken_arp=yes

filter_all=yes

; Needed by IPStat:
assembly=no

; Explicit 'no'; the alternative was tried and left commented out.
fastmode=no
;fastmode=yes
queuedepth=8


[plugins]
; IPStat by zuko:
; note: the dll is located via the LIBPATH, so the plugin that loads is
; whichever IPsfStat.dll appears first on it. Code loaded this way
; presumably runs inside the firewall process, so every LIBPATH
; directory should be writable only by the administrator.
plugin = 100 IPsfStat.dll
; Plugin 100 reads its own configuration from this file.
extvar = 100:Config f:\sys\conf\etc\IPsfStat.cfg

[---==============================куть хере===================----------------]

WBR,
Валерий

Sat 18 Jun 2005 11:47 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)



