Using IPFW
General form of a rule:
[rule_number] [set set_number] [prob match_probability] action [log [logamount number]] [altq queue] [{tag | untag} number] body
action:
- allow, deny, unreach ICMPTYPE, reset; count
- check-state (also performed implicitly by the first rule that has keep-state)
- divert DIVPORT
- fwd IP[,PORT]
- nat #
- pipe #
- queue #
- skipto #, call # / return
- tee DIVPORT
- netgraph COOKIE, ngtee COOKIE
- setfib #
- setdscp DSCP
- reass
body: [proto from src to dst] [options]
proto: a protocol name from /etc/protocols, or all
src, dst: any | me | table# | addr[/mask] | addrlist, each optionally followed by [ports]
ports: port, port-port, or a comma-separated list of these
OPTIONS
- bridged
- layer2
- diverted
- diverted-loopback
- diverted-output
- dst-ip IP
- dst-port PORTS
- established
- fib #
- frag
- gid GID
- jail #
- icmptypes TYPES
- in
- out
- ipid LIST
- iplen LIST
- ipoptions SPEC
- ipprecedence PREC
- ipsec
- iptos SPEC
- dscp SPECS
- ipttl LIST
- ipversion VER
- keep-state
- limit {src-addr | src-port | dst-addr | dst-port} #
- lookup {dst-ip | dst-port | src-ip | src-port | uid | jail} #
- mac dst-mac src-mac (either may be any)
- mac-type TYPE
- proto PROTO
- {recv | xmit | via} IFACE
- setup
- sockarg
- src-ip ADDRS
- src-port PORTS
- tagged LIST
- tcpack ACK
- tcpdatalen LIST
- tcpflags SPEC
- tcpseq SEQ
- tcpwin LIST
- tcpoptions SPEC
- uid UID
- verrevpath
- versrcreach
- antispoof
LOOKUP TABLES: analogous to routing tables (address/MASK lookup), but entries can also be ports, jail#, IPs and interface names
SETS OF RULES: sets 0-31 (set 31 cannot be disabled); rule numbering is shared across all sets; a set can be enabled/disabled/flushed, moved, or swapped with another
STATEFUL FIREWALL
    ipfw add check-state
    ipfw add allow tcp from my-subnet to any setup keep-state
    ipfw add deny tcp from any to any
Dynamic rules are created when a packet matches a keep-state or limit rule; check-state (or the first keep-state rule) is where packets are matched against them, so it must come before the deny.
    ipfw -d -e show      (-d lists the dynamic rules, -e also the expired ones)
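As an added example (not part of the original notes), the following Python parses the rule prefix given above and checks the one ordering property the stateful ruleset depends on: a catch-all deny must not be evaluated before the state lookup. 192.0.2.0/24 is a constructed stand-in for "my-subnet", and the lines are assumed to be in ipfw evaluation order (ascending rule number).

```python
# Added example, not from the original notes: parse the ipfw rule prefix
#   [rule_number] [set N] [prob P] action [arg] [log [logamount N]] body
# and check the ordering a stateful ruleset relies on. Lines are assumed to be
# in ipfw evaluation order; 192.0.2.0/24 is a constructed sample subnet.

# Actions that take an argument (ICMPTYPE, DIVPORT, IP[,PORT], #, COOKIE, DSCP).
ARG_ACTIONS = {"unreach", "divert", "tee", "fwd", "nat", "pipe", "queue",
               "skipto", "call", "netgraph", "ngtee", "setfib", "setdscp"}
PLAIN_ACTIONS = {"allow", "deny", "reset", "count", "check-state", "return", "reass"}

def parse_rule(line):
    t = line.split()
    r = {"number": None, "set": None, "prob": None, "arg": None, "log": False, "logamount": None}
    i = 0
    if t[i].isdigit():                      # optional rule number
        r["number"] = int(t[i]); i += 1
    if t[i] == "set":                       # optional set number
        r["set"] = int(t[i + 1]); i += 2
    if t[i] == "prob":                      # optional match probability
        r["prob"] = float(t[i + 1]); i += 2
    if t[i] in ARG_ACTIONS:
        r["action"], r["arg"] = t[i], t[i + 1]; i += 2
    elif t[i] in PLAIN_ACTIONS:
        r["action"] = t[i]; i += 1
    else:
        raise ValueError("unknown action: " + t[i])
    if i < len(t) and t[i] == "log":        # optional logging
        r["log"] = True; i += 1
        if i < len(t) and t[i] == "logamount":
            r["logamount"] = int(t[i + 1]); i += 2
    r["body"] = t[i:]                       # [proto from src to dst] [options]
    # keep-state and limit create dynamic rules and also perform a state lookup
    r["creates_state"] = any(x in ("keep-state", "limit") for x in r["body"])
    return r

def stateful_warnings(lines):
    """One warning per catch-all deny evaluated before any state lookup."""
    warnings, seen_lookup = [], False
    for r in map(parse_rule, lines):
        if r["action"] == "check-state" or r["creates_state"]:
            seen_lookup = True
        body = " ".join(r["body"])
        if r["action"] == "deny" and "from any to any" in body and not seen_lookup:
            warnings.append("deny-all before state lookup: " + body)
    return warnings

GOOD = ["check-state",
        "allow tcp from 192.0.2.0/24 to any setup keep-state",
        "deny tcp from any to any"]
BAD = GOOD[2:] + GOOD[:2]                   # same rules, deny-all evaluated first
```

`stateful_warnings(GOOD)` returns an empty list; `stateful_warnings(BAD)` flags the deny rule, since replies to tracked connections would be dropped before ever reaching check-state.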
DIVERT SOCKET: just bind() a divert socket to the port number used in the divert rule
log
dummynet
divert
Example
Walk-through of a group of rules from the FreeBSD Handbook.