RU/2: Forum. Communication between OS/2 (eCS) users and developers. : Reply to message
> > Gentlemen, give me a working sfire.cfg together with shaping. I tried it by the docs - no luck.
>
> Everything works for me -- both the traffic shaper and the port mapper; the secret, it seems, is that
> you have to specify the parameter values explicitly rather than rely on the defaults. My config
> (not the most optimal one, of course):
>
> [---==============================cut here===================----------------]
> ;
> !include f:\sys\conf\etc\SafeFire\mfilter.cfg
> ;
> ; Sample configuration file for SafeFire Firewall 1.2+.
> ;
> ; Copy it to SFIRE.CFG to put it to work.
> ;
> ; Many variables have reasonable default values so do not touch
> ; them unless you are sure what you want to do.
> ;
>
> [nat]
> ;Network Address Translation configuration parameters
> ; This variable enables NAT. By default NAT is ON
> enable=yes
>
> ; This variable enables assembling packets before translation
> defragment=yes
>
> ; This variable enables forwarding of packets ignored by NAT
> forward_ignored=yes
>
> ; This variable prevents incoming connections
> ; (e.g. to telnet, ftp, web servers).
> deny_incoming=no
>
> ; This variable reduces the set of internal IP's which will be translated
> ; to three ranges (see RFC1918):
> ; 10.0.0.0 -> 10.255.255.255
> ; 172.16.0.0 -> 172.31.255.255
> ; 192.168.0.0 -> 192.168.255.255
> ;
> ; By default this value is ON.
> private_net=yes
>
> [timeouts]
> ;NAT engine timeouts
> ; Each connection in the NAT engine is presented as a link of
> ; particular type. Each type of link has its own idle timeout.
> ; When this timeout expires at the next housekeeping
> ; it will be removed from NAT engine. All values are in seconds.
> ;
> ; Following variables are recognized:
>
> ;ICMP links
> icmp = 60
>
> ;UDP links
> udp = 60
>
> ;TCP links (initial value)
> tcp = 300
>
> ;TCP header fragment
> header = 10
>
> ;TCP body fragment
> fragment = 30
>
> ; Header and body fragments are stored in the
> ; NAT engine before assembling if
> ; 'defragment' option is turned on.
>
> ;TCP broken connection
> broken = 10
>
> ;TCP partially broken connection
> halfbroken = 90
>
> ;TCP connected at both sides link
> connected = 86400
>
> [cleanup] ;NAT engine cleanup parameters
> ; Cleanup is done with specified interval and at each cleanup
> ; only part of links is processed.
> ;
> ; Following variables are recognized:
>
> ;This variable determines time interval
> ;between cleanups in seconds.
> interval = 60
>
> ;This variable determines number of table
> ;rows processed during each cleanup.
> spokes = 30
>
> [ident] ; Internal IDENT server configuration
> ; This variable enables internal IDENTD
> enable=yes
> ;
> ; In general response looks like following:
> ; 123, 12345: USERID: OS/2: os2user
> ;
> ; Following variable determines last part of response
> ;user=os2user
> user=somebody
>
> [portmap]
> ; Port mapping rules. NOTE: Portmapper requires enabled NAT!
> ; This variable can be mentioned more than once, i.e. you can define as many
> ; port mappings as you wish by adding appropriate 'rule' variable.
> ;
> ; Each rule is described by two pairs addr:port as in following example:
> ;
> ; rule = 123.45.67.89:80,192.168.1.1:8080
> ;
> ; This rule will redirect all connections going through SafeFire to
> ; host 123.45.67.89 and port 80 (www) to host 192.168.1.1 and port 8080.
> ; You can use 0 in the place of first address if host is the same
> ; where SafeFire is running
>
> ; By default rules are empty
>
> ;for tcpbeui on comps of my inner net
>
> ;winemu
> rule = 192.168.11.50:137,192.168.11.9:137 udp
> rule = 192.168.11.50:138,192.168.11.9:138 udp
> rule = 192.168.11.50:139,192.168.11.9:139 tcp
> ;ins2
> rule = 192.168.11.51:137,192.168.11.2:137 udp
> rule = 192.168.11.51:138,192.168.11.2:138 udp
> rule = 192.168.11.51:139,192.168.11.2:139 tcp
> ;mama
> rule = 192.168.11.52:137,192.168.11.3:137 udp
> rule = 192.168.11.52:138,192.168.11.3:138 udp
> rule = 192.168.11.52:139,192.168.11.3:139 tcp
>
> ; rules needed to support nassi
> ; in Virtual PC under Win98:
> rule = 234.0.0.1:50138,192.168.11.9:50138
> rule = 234.0.0.1:50139,192.168.11.9:50139
> ;xp
> rule = 0:50138,192.168.11.9:50138
> rule = 0:50139,192.168.11.9:50139
> ;ins2
> ;rule = 0:50138,192.168.11.2:50138
> ;rule = 0:50139,192.168.11.2:50139
>
> ;For InetAccess:
> ;rule = 0:5554,192.168.11.9:5554 udp 2
> ;rule = 192.168.11.50:5554,192.168.11.13:5554 udp 2
>
> [shaper] ; Traffic shaper
> ; Sleeping time in ms within the shaper loop (def is 1)
> ;sleep=
>
> ; This variable can be mentioned more than once, i.e. you can define as many
> ; pipes as you wish by adding appropriate 'pipe' variable.
> ;
> ; Each pipe is described using following syntax (refer to documentation
> ; for more details):
> ;
> ; pipe=number parm ...
> ;
> ; parm:
> ; {speed|delay|loss|length}
> ;
> ; speed: speed <speed> [{M|K}][bps] default - 0 bps (no speed limit)
> ; delay: delay <delay> [s|ms] default - 0 ms (no delay is set)
> ; loss : loss <loss>[%] default - 0% (no packet loss)
> ; length: length <length> default - MAX_LENGTH (500)
>
> ;
> ;pipe=
> ; Constrain speed for windoze to 16 and 20 KBps
> pipe = 1000 speed 16 Kbps
> pipe = 1100 speed 40 Kbps
> pipe = 1110 loss 10 %
> pipe = 1120 delay 1 s
>
> [filter] ; Packet filter
> ; This variable enables packet filter
> enable=yes
>
> ; This variable can be mentioned more than once, i.e. you can define as many
> ; rules as you wish by adding appropriate 'rule' variable.
> ;
> ; Each rule is described using following syntax (refer to documentation
> ; for more details):
> ; rule = [number] action proto src dst [extra[,...]]
> ;
> ; action: {allow|accept|permit} | {deny|drop|reject} | count | pipe <num> | plugin <num> | skipto <num>
> ;
> ; proto : {all|ip|tcp|udp|icmp}
> ;
> ; src : from [not] {any|myip|ip[{/bits|:mask}]} [{port|port-port},[port],...]
> ; dst : to [not] {any|myip|ip[{/bits|:mask}]} [{port|port-port},[port],...]
> ;
> ; extra : {fragment|in|out|bidi|established|setup|flags}
> ; flags : tcpflags [!]{syn|fin|rst|ack|psh|urg},...
>
> ;--------------------------------------------------------------
> ;rule = 100 allow all from any to any
> ;--------------------------------------------------------------
> ;sgauth
> rule = 00050 skipto 50000 udp from myip 5554 to any 5555 out
> rule = 00051 skipto 50000 udp from any to myip 5555 in
> ;InetAccess in Windows
> rule = 00055 skipto 50000 udp from 192.168.11.0/24 5554 to any 5555 out
> rule = 00056 skipto 50000 udp from any to 192.168.11.0/24 5555 in
>
> ;Allow DHCP packets
> rule = 00100 skipto 50000 udp from 192.168.2.129 dhcps to any in
> rule = 00110 skipto 50000 udp from 0.0.0.0 dhcpc to any dhcps out
> rule = 00120 skipto 50000 udp from myip dhcpc to any dhcps out
> ;rule = 00082 skipto 20000 udp from 192.168.2.129 dhcps to myip dhcpc bidi
> ;rule = 00080 skipto 20000 udp from 0.0.0.0 dhcpc to 255.255.255.255 dhcps out
> ;rule = 00081 skipto 20000 udp from myip dhcpc to 255.255.255.255 dhcps out
> ; when using 255.255.255.255 in "to" clause, we get an
> ; error about incorrect address so we use "any" instead :((.
>
> ;Allow DNS
> rule = 00200 skipto 50000 udp from any 53 to myip 53 bidi
> rule = 00210 skipto 50000 tcp from any 53 to myip bidi
> rule = 00220 skipto 50000 tcp from any to myip 53 bidi
> rule = 00230 skipto 50000 udp from 192.168.11.0/24 53 to 192.168.11.1 53 bidi
>
> ;Limit download speed to 40 kilobytes per second (except for my better half)
> rule = 00260 skipto 00291 tcp from myip 139 80 20 to 192.168.2.4 out
> rule = 00261 skipto 00291 tcp from myip 139 80 20 to 192.168.2.18 out
> rule = 00260 skipto 00291 tcp from myip 139 80 20 to 192.168.2.20 out
> rule = 00270 skipto 00291 tcp from myip 139 80 20 to 192.168.2.36 out
> rule = 00271 skipto 00291 tcp from myip 139 80 20 to 192.168.2.37 out
> rule = 00272 skipto 00291 tcp from myip 139 80 20 to 192.168.2.38 out
> rule = 00273 skipto 00291 tcp from myip 139 80 20 to 192.168.2.40 out
> rule = 00274 skipto 00291 tcp from myip 139 80 20 to 192.168.2.42 out
> rule = 00275 skipto 00291 tcp from myip 139 80 20 to 192.168.2.49 out
> rule = 00276 skipto 00291 tcp from myip 139 80 20 to 192.168.2.69 out
> rule = 00277 skipto 00291 tcp from myip 139 80 20 to 192.168.2.78 out
> rule = 00278 skipto 00291 tcp from myip 139 80 20 to 192.168.2.81 out
> rule = 00279 skipto 00291 tcp from myip 139 80 20 to 192.168.2.85 out
> rule = 00280 skipto 00291 tcp from myip 139 80 20 to 192.168.2.86 out
> rule = 00282 skipto 00291 tcp from myip 139 80 20 to 192.168.2.90 out
> rule = 00284 skipto 00291 tcp from myip 139 80 20 to 192.168.2.9 out
> rule = 00290 pipe 1100 tcp from myip 139 20 80 to 192.168.2.0/24 out
> rule = 00291 count tcp from myip 139 20 80 to 192.168.2.0/24 out
>
> ;Allow others access to my tcp services
> rule = 00300 skipto 50000 tcp from any to myip 8080 80 20 21 bidi
>
> ;Allow access to tcp services on other hosts
> rule = 00400 skipto 50000 tcp from any http,https,ftp,ftp-data,pop3,smtp,nntp,time,daytime to myip bidi
> rule = 00410 skipto 50000 tcp from any http,https,ftp,ftp-data,pop3,smtp,nntp,time,daytime to 192.168.11.0/24 bidi
> rule = 00420 skipto 50000 tcp from any 8000-8200 to myip bidi
> rule = 00430 skipto 50000 tcp from any 8000-8200 to 192.168.11.0/24 bidi
>
> ;Allow udp services of other hosts
> rule = 00440 skipto 50000 udp from any ntp,time,daytime,domain to myip bidi
> rule = 00450 skipto 50000 udp from any ntp,time,daytime to 192.168.11.0/24 bidi
>
> ; XFree86/OS2:
> ; allow remote X11 clients:
> rule = 00465 skipto 50000 tcp from 192.168.2.38 1024-65535 to myip 6000-6010 bidi
> ; allow my X11 clients connect to remote server:
> rule = 00466 skipto 50000 tcp from 192.168.2.38 6000-6010 to myip 1024-65535 bidi
>
> ; allow remote hosts access identd on my gateway:
> rule = 00470 skipto 50000 tcp from any to myip 113 bidi
>
> ;Allow traceroute
> rule = 00500 skipto 50000 udp from myip 32000-34999 to any 32000-34999 out
> rule = 00500 skipto 50000 udp from 192.168.11.0/24 32000-34999 to any 32000-34999 out
>
> ;Allow TCPBEUI
> ;rule = 00550 skipto 50000 udp from any 137,138 to 192.168.2.200 bidi
> ;rule = 00560 skipto 50000 udp from any to 192.168.2.200 137,138 bidi
> ;rule = 00570 skipto 50000 tcp from any 139 to 192.168.2.200 bidi
> ;rule = 00580 skipto 50000 tcp from any to 192.168.2.200 139 bidi
> ;rule = 00590 skipto 50000 tcp from any 445 to 192.168.2.200 bidi
>
> rule = 00600 skipto 50000 udp from any 137,138 to myip bidi
> rule = 00610 skipto 50000 udp from any to myip 137,138 bidi
> rule = 00620 skipto 50000 tcp from any 139 to myip bidi
> rule = 00630 skipto 50000 tcp from any to myip 139 bidi
> rule = 00640 skipto 50000 tcp from any 445 to myip bidi
>
> rule = 00650 skipto 50000 log udp from any 137,138 to 192.168.11.0/24 bidi
> rule = 00660 skipto 50000 log udp from any to 192.168.11.0/24 137,138 bidi
> rule = 00670 skipto 50000 tcp from any 139 to 192.168.11.0/24 bidi
> rule = 00680 skipto 50000 tcp from any to 192.168.11.0/24 139 bidi
> rule = 00690 skipto 50000 tcp from any 445 to 192.168.11.0/24 bidi
>
> ;Allow jabber and icq
> rule = 00700 skipto 50000 tcp from any 5190,5222 to myip bidi
> ;Allow irc
> rule = 00710 skipto 50000 tcp from any 6660-6669 to myip bidi
>
> ;nassi
> rule = 00750 skipto 50000 log udp from 192.168.2.0/24 50139 to 234.0.0.1 50138 in
> rule = 00759 skipto 50000 log udp from 192.168.11.0/24 50139 to 234.0.0.1 50138 out
> rule = 00760 skipto 50000 log udp from 192.168.2.0/24 50139 to 192.168.11.0/24 50138 in
> rule = 00770 skipto 50000 log udp from 192.168.11.0/24 50139 to 192.168.2.0/24 50138 out
> rule = 00780 skipto 50000 log tcp from 192.168.2.0/24 to 192.168.11.0/24 50138 bidi
> rule = 00790 skipto 50000 log tcp from 192.168.2.0/24 50138 to 192.168.11.0/24 bidi
>
> ;skype
> ;rule = 00800 skipto 50000 log udp from any to 192.168.11.0/24
>
> ;Allow Limewire
> rule = 00900 skipto 50000 udp from any 6346-6352 to myip 6346-6350 bidi
> rule = 00910 skipto 50000 tcp from any 6346-6352,6034,2840 to myip bidi
> rule = 00920 skipto 50000 tcp from any to myip 6346-6350,6034,2840 bidi
>
> rule = 02000 skipto 50000 udp from any to myip 6346 bidi
> rule = 02010 skipto 50000 tcp from any 40413 to myip bidi
>
> ;Count attempts to telnet to us
> rule = 00900 count log tcp from any to myip 23 in,setup
>
> ; Allow broadcast packets
> ;Main AMN network
> rule = 01000 skipto 50000 ip from 192.168.2.0/24 to 192.168.2.255 bidi
> rule = 01010 skipto 50000 ip from 192.168.0.0/16 to 192.168.255.255 bidi
> ;rule = 01020 skipto 50000 ip from 192.168.0.0/16 to 255.255.255.255 bidi
> ;Aliases
> rule = 01030 skipto 50000 ip from 192.168.11.32/27 to 192.168.11.63 bidi
> rule = 01040 skipto 50000 ip from 192.168.11.64/27 to 192.168.11.63 bidi
> ;My apartment's network
> rule = 01050 skipto 50000 ip from 192.168.11.0/28 to 192.168.11.15 bidi
> ;My apartment's subnets
> rule = 01060 skipto 50000 ip from 192.168.11.0/29 to 192.168.11.7 bidi
> rule = 01070 skipto 50000 ip from 192.168.11.8/29 to 192.168.11.7 bidi
> rule = 01080 skipto 50000 ip from 192.168.11.16/29 to 192.168.11.7 bidi
> rule = 01090 skipto 50000 ip from 192.168.11.24/29 to 192.168.11.7 bidi
>
> ; nassi multicast
> ;rule = 01100 count log ip from any to 234.0.0.1 bidi
> ; allow multicast
> rule = 01110 skipto 50000 ip from any to 224.0.0.0/4 bidi
>
> ;misc
> rule = 01200 count ip from any to 169.254.0.0/8 bidi
> rule = 01210 count ip from any to 0.0.0.0 bidi
>
> ;If "skipto 50000" is put in place of allow, the firewall says it cannot
> ;find rule #1
> rule = 48900 allow icmp from myip to any out icmptypes 0,3,5,8,11,12,13,14,15,16
> rule = 48901 allow icmp from 192.168.11.0/24 to any out icmptypes 0,3,5,8,11,12,13,14,15,16
> rule = 48910 allow icmp from any to myip in icmptypes 0,3,11,12,13,14,15,16
> rule = 48911 allow icmp from any to 192.168.11.0/24 in icmptypes 0,3,11,12,13,14,15,16
>
> ; (dis)allow incoming icmp echo
> rule = 49000 allow log icmp from any to myip in icmptypes 8
> rule = 49001 allow log icmp from any to 192.168.11.0/24 in icmptypes 8
>
> ; disallow big (so, fragmented) icmp packets
> ; (some protection against Ping of death):
> rule = 49010 deny log icmp from any to myip fragment,in
> rule = 49020 deny log icmp from any to 192.168.11.0/24 fragment,in
>
> ; allow non-privileged ports:
> rule = 49100 skipto 50000 tcp from any to myip 1024-4096 bidi
>
> ; deny all other
> rule = 49999 deny log ip from any to any bidi
>
> ; IpStat plugin by zuko
> rule = 50000 plugin 100
> rule = 65535 allow all from any to any bidi
> ;--------------------------------------------------------------
>
> [mfilter] ; Packet filter by MAC addresses
> ; This variable enables filter
> enable=no
>
> ; This variable can be mentioned more than once, i.e. you can define as many
> ; rules as you wish by adding appropriate 'rule' variable.
> ;
> ; Each rule is described using following syntax (refer to documentation
> ; for more details):
> ; rule = [number] action [log] proto [src] [dst] [direction] [extra]
> ;
> ; action: {allow|accept|permit} | {deny|drop|reject} | count | pipe <num> | plugin <num> | skipto <num>
> ;
> ; proto : {all|ip|arp|proto number}
> ;
> ; src : from [!]{any|mac address}[=[!]{any|ip|myip}] [req_match]
> ; = means matching particular MAC to particular IP in packets
> ; of some protocols (ip, arp)
> ; match means matching mac address in ethernet header to the arp
> ; packet's corresponding mac address
> ; dst : to [!]{any|mac address}[=[!]{any|ip|myip}] [req_match]
> ; dst : to [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]
> ;
> ; direction : {in|out|bidi}
> ; extra : {opt opt_number}
>
> ;------------------------------------------
> ;rule=65500 allow arp from all match to all match bidi
> ;rule=65510 deny arp from all to all bidi
> ;rule=65520 allow all from all to all bidi
> ;------------------------------------------
> ; allow our arp requests to the net
> ;rule=10 allow arp from any=myip to FF:FF:FF:FF:FF:FF out
> ; deny all other
> ;rule=65534 deny all from all to all bidi
> ;------------------------------------------
> ; (some ARP spoofing protection ;-))
> ;
> ; allow our arp requests (opt 1) to the net:
> ;;;;;rule = 00010 permit arp from 00:80:48:22:A4:6E=myip to FF:FF:FF:FF:FF:FF out
> ;opt 1
> rule = 00005 permit arp from 00:02:b3:e7:42:43 to 00:80:48:22:A4:6E in
> rule = 00010 permit arp from 00:80:48:22:A4:6E to FF:FF:FF:FF:FF:FF out
> rule = 00015 permit arp from any=any to FF:FF:FF:FF:FF:FF bidi
>
> ;opt 1
> ; allow our correct arp replies (opt 2):
> ;;;;;rule = 00020 permit arp from 00:80:48:22:A4:6E=myip match to any=any out
> ;opt 2
> ;
> ; MAC addresses in ethernet frame header must
> ; match MAC addresses in the ARP packet:
> rule = 65500 permit arp from any match to any match bidi
> ; or not match in case the source is my provider's gateway:
> ;;;;;rule = 65510 permit arp from 00:02:b3:e7:42:43=192.168.2.129 to any=any bidi
>
> ; deny all other arp packets:
> rule = 65520 deny log arp from any to any bidi
> ; allow other protocols:
> rule = 65530 permit all from any to any bidi
> ; ^
> ; |
> ; if no bidi then error! >--------------+
> ;rule=65534 deny all from all to all bidi
> ;------------------------------------------
>
> [key] ; License key section
> ;name=
> ;key=
>
> [remote]
> ; Remote Control section
> ;
> ; Order of checks: allow, deny
> ; If address of remote falls under conditions of allow and does not match
> ; anything in 'deny' then connection is accepted.
> ; All other cases are only logged and connections are not permitted
> ;
> ; Format of rule (either deny or allow):
> ;
> ; any|ip[{/bits|:mask}]
> ;
> ; NOTE: connections from address 127.0.0.1 are always enabled,
> ; unless port is set to 0.
>
> enable = yes
> port = 1021
>
> ;allow =
> ;deny =
> allow = 127.0.0.1
> ;allow = 192.168.2.39
> ;deny = any
>
> ; NOTE: these are NOT default values.
> ; By default remote access is disabled because of empty rule sets.
> ;
> userid = "userid"
> password = "password"
>
> [log]
> console=yes
> level=6
>
> [dhcp]
> ; Interval in seconds between checks of IP address change.
> ; Value less than or equal to 0 disables check.
> interval=5
>
> ; Enable automatic startup of filter/nat on valid address assignment
> auto_pipe=off
>
> ; Command line of the application which will be started
> ; when IP address change is detected (limited to 2000 bytes).
> ; Command line may contain %1, %2, %3 and %4 strings. They will
> ; automatically be replaced with the following information:
> ;
> ; %1 - with new IP address in usual dot-delimited form
> ; %2 - with old IP address in usual dot-delimited form
> ; %3 - with new IP mask in usual dot-delimited form
> ; %4 - with old IP mask in usual dot-delimited form
> ;
> ;run="cmd.exe /c ifinit.cmd %1 %2 %3 %4"
>
> ; Enable clearing up internal ARP cache on IP address change
> clear_arp=no
>
> [device]
> ;unit=0
> broken_arp=yes
>
> filter_all=yes
>
> ; Needed by IPStat:
> assembly=no
>
> fastmode=no
> ;fastmode=yes
> queuedepth=8
>
> [plugins]
> ; IPStat by zuko:
> ; note: dll is on the LIBPATH:
> plugin = 100 IPsfStat.dll
> extvar = 100:Config f:\sys\conf\etc\IPsfStat.cfg
>
> [---==============================cut here===================----------------]
>
> WBR,
> Valery
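A static check over a [filter] section like the one in the quoted config, added here as an example; it is not the poster's code and not part of SafeFire. It parses rule lines under the syntax the config's own comments document (rule = [number] action proto src dst [extra[,...]], with an optional log flag after the action) and reports duplicate rule numbers (the quoted config reuses 00260, 00500 and 00900), skipto jumps whose target number does not exist, rules with no number, and rules that no evaluation path can reach. Two things are assumed rather than taken from the page: that rules are evaluated in ascending number order, and that a catch-all allow/deny (all or ip from any to any) ends evaluation, as it does in ipfw. The sample rule set is constructed; rules 01200, 49000, 49500 and the unnumbered icmp rule are invented so that each check fires.

```python
"""Static checks for a SafeFire-style [filter] rule set.

Added example, not part of the forum post or of SafeFire itself.  It assumes the
rule syntax quoted in the config's comments (rule = [number] action proto src dst
[extra[,...]], optional 'log' after the action) and, as in ipfw, that a catch-all
allow/deny (all|ip from any to any) ends evaluation.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

TERMINAL = {"allow", "accept", "permit", "deny", "drop", "reject"}
WITH_ARG = {"skipto", "pipe", "plugin"}          # actions that take a number
EXTRA_KEYWORDS = {"in", "out", "bidi", "established", "setup", "fragment",
                  "tcpflags", "icmptypes"}


@dataclass
class Rule:
    number: Optional[int]
    action: str
    arg: Optional[int]      # numeric argument of skipto / pipe / plugin
    proto: Optional[str]
    src: List[str]          # tokens between 'from' and 'to'
    dst: List[str]          # tokens after 'to' up to the first extra keyword
    extra: List[str]
    text: str               # the rule line, for reporting

    def is_catch_all(self) -> bool:
        # Matches every packet: all/ip, any -> any, nothing but 'bidi' as extra.
        return (self.proto in ("all", "ip") and self.src == ["any"]
                and self.dst == ["any"] and set(self.extra) <= {"bidi"})


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'rule = ...' line; None for comments, blanks and other keys."""
    body = line.split(";", 1)[0].strip()                # ';' starts a comment
    m = re.match(r"rule\s*=\s*(.+)$", body, re.IGNORECASE)
    if not m:
        return None
    tokens = m.group(1).split()
    number = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action = tokens.pop(0).lower()
    arg = int(tokens.pop(0)) if action in WITH_ARG else None
    if tokens and tokens[0].lower() == "log":           # 'log' flag, ignored here
        tokens.pop(0)
    proto = tokens.pop(0).lower() if tokens else None
    src, dst, extra = [], [], []
    if "from" in tokens:
        i = tokens.index("from")
        j = tokens.index("to") if "to" in tokens else len(tokens)
        src, rest = tokens[i + 1:j], tokens[j + 1:]
        k = next((n for n, t in enumerate(rest) if t.split(",")[0] in EXTRA_KEYWORDS), len(rest))
        dst, extra = rest[:k], rest[k:]
    return Rule(number, action, arg, proto, src, dst, extra, body)


def check_rules(text: str) -> dict:
    """Problems found in the rule set, keyed by kind (rule numbers or lines)."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r is not None]
    # Assumption: rules are evaluated in ascending number order, not file order.
    numbered = sorted((r for r in rules if r.number is not None), key=lambda r: r.number)
    counts = Counter(r.number for r in numbered)
    first_index = {r.number: i for i, r in reversed(list(enumerate(numbered)))}
    issues = {
        "unnumbered": [r.text for r in rules if r.number is None],
        "duplicate": sorted(n for n, c in counts.items() if c > 1),
        "unresolved_skipto": [r.number for r in numbered
                              if r.action == "skipto" and r.arg not in counts],
    }
    # Reachability: a rule falls through to the next unless it is a catch-all that
    # always decides or always jumps; a skipto additionally reaches its target.
    reachable, stack = set(), ([0] if numbered else [])
    while stack:
        i = stack.pop()
        if i in reachable or i >= len(numbered):
            continue
        reachable.add(i)
        r = numbered[i]
        if r.action == "skipto" and r.arg in first_index:
            stack.append(first_index[r.arg])
        if not (r.is_catch_all() and (r.action in TERMINAL or r.action == "skipto")):
            stack.append(i + 1)
    issues["unreachable"] = [r.number for i, r in enumerate(numbered) if i not in reachable]
    return issues


# Constructed excerpt modelled on the quoted sfire.cfg; rules 01200, 49000, 49500
# and the unnumbered icmp rule are invented here so that each check fires.
SAMPLE_FILTER = """\
rule = 00200 skipto 50000 udp from any 53 to myip 53 bidi
rule = 00260 skipto 00291 tcp from myip 139 80 20 to 192.168.2.4 out
rule = 00260 skipto 00291 tcp from myip 139 80 20 to 192.168.2.20 out
rule = 00291 count tcp from myip 139 20 80 to 192.168.2.0/24 out
rule = 01200 skipto 00100 ip from any to 169.254.0.0/8 bidi
rule = allow icmp from any to myip in icmptypes 8
rule = 49000 deny log ip from any to any bidi
rule = 49500 allow tcp from any to myip 22 in
rule = 50000 plugin 100
rule = 65535 allow all from any to any bidi
"""

if __name__ == "__main__":
    for kind, found in check_rules(SAMPLE_FILTER).items():
        print(f"{kind:18s} {found}")
```

Feed it the [filter] section of a real sfire.cfg (the other sections are ignored because their keys are not `rule =` lines, but the [portmap] and [mfilter] sections also use `rule =`, so cut the filter section out first). The unreachable check is what catches the pattern the quoted config relies on: every allow-style rule jumps to 50000 past the 49999 catch-all deny, so a rule numbered between the two would silently never run.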
Programmed by Dmitri Maximovich, Dmitry I. Platonoff, Eugen Kuleshov. 25.09.99 (c) 1999, RU/2. All rights reserved. Rewritten by Dmitry Ban. All rights ignored.