Биллинговая система Nodeny

${f} add 60 fwd 127.0.0.1,82 tcp from not "table(0)" to not me dst-port 80 in

${f} add 60 fwd 127.0.0.1,82 tcp from not "table(0)" to not сетка ваших белых адресов dst-port 80

#!/bin/sh -
f='/sbin/ipfw'

ifOut='vlan77'

# Сети/адреса, в/из которых ВЕСЬ трафик запрещаем
${f} table 120 flush
${f} table 120 add 224.0.0.0/4
${f} table 120 add 10.10.1.0/24
${f} table 120 add 172.16.0.0/12
${f} table 120 add 192.168.0.0/16

# Сети/адреса, в/из которых ВЕСЬ трафик разрешаем
${f} table 36 flush
${f} table 36 add x.x.x.x/32 
${f} table 36 add x.x.x.y/32 

${f} table 36 add 62.149.25.124/32 #ukrpays.com
${f} table 36 add 184.73.55.73/32 #liqpay.com
${f} table 36 add 195.85.198.17/32 #secure.upc.ua
${f} table 36 add 217.117.65.235/32 # указано в мане в api ukrpays как разрешенное
${f} table 36 add 82.198.171.43/32 #c43-171-198-82.pool.globus-telecom.com
${f} table 36 add 212.118.48.43/32 #Merchant WebMoney Transfer
${f} table 36 add 87.118.97.138/32 #ns2.km22224-04.keymachine.de


${f} -f flush

#flow-tools
#${f} add 49 allow udp from 10.10.10.251 to me 8888

#sshd
${f} add 50 allow tcp from 10.10.7.0/25 to me 22
${f} add 51 allow tcp from me 22 to 10.10.7.0/25

#dns lookup
${f} add 52 allow udp from any to me 53
${f} add 53 allow udp from me 53 to any

#radius
#${f] add 54 allow udp from any to me 1812
#${f} add 55 allow udp from me 1812 to any
#${f} add 56 allow udp from any to me 1813
#${f} add 57 allow udp from me 1813 to any

${f} add 58 allow ip from any to "table(36)"
${f} add 59 allow ip from "table(36)" to any

#fwd block clients
${f} add 60 fwd 127.0.0.1,82 tcp from not "table(0)" to not me dst-port 80 in


${f} add 61 allow ip from 10.10.0.0/16 to 10.10.0.0/16

${f} add 62 allow ip from 10.5.0.0/16 to 10.5.0.0/16

${f} add 63 allow ip from 10.10.0.0/16 to 10.5.0.0/16

${f} add 64 allow ip from 10.5.0.0/16 to 10.10.0.0/16

${f} add 80 allow ip from 10.10.0.0/16 to 10.10.1.0/24
${f} add 81 allow ip from 10.10.1.0/24 to 10.10.0.0/16

${f} add 82 deny ip from 10.5.0.0/16 to 10.10.1.0/24
${f} add 83 deny ip from 10.10.1.0/24 to 10.5.0.0/16

#mysql
${f} add 88 allow tcp from 10.10.15.0/24 to me 3306
${f} add 89 allow tcp from me 3306 to 10.10.15.0/24

#snmp
${f} add 90 allow udp from 10.10.15.0/24 to me 161
${f} add 91 allow udp from me 161 to 10.10.15.0/24
${f} add 92 allow tcp from 10.10.15.0/24 to me 199
${f} add 93 allow tcp from me 199 to 10.10.15.0/24
${f} add 94 allow udp from x.x.x.x/23 to me 161
${f} add 95 allow udp from me 161 to x.x.x.x/23
${f} add 96 allow tcp from x.x.x.x/23 to me 199
${f} add 97 allow tcp from me 199 to x.x.x.x/23

${f} add 100 deny tcp from any to any 445

${f} add 110 allow ip from any to any via lo0
${f} add 120 skipto 1000 ip from me to any
${f} add 130 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${f} add 140 deny ip from any to "table(120)"
${f} add 150 deny ip from "table(120)" to any
${f} add 160 skipto 2000 ip from any to me

${f} add 200 skipto 500 ip from any to any via ${ifOut}

${f} add 300 skipto 4500 ip from any to any in

${f} add 400 skipto 450 ip from any to any recv ${ifOut}
${f} add 420 tee 1 ip from any to any
${f} add 450 tee 2 ip from any to any
${f} add 490 allow ip from any to any

${f} add 500 skipto 32500 ip from any to any in
${f} add 510 tee 1 ip from any to any
${f} add 540 allow ip from any to any

${f} add 1000 allow udp from any 53,7723 to any
${f} add 1010 allow tcp from any to any setup keep-state
${f} add 1020 allow udp from any to any keep-state
${f} add 1100 allow ip from any to any

${f} add 2000 check-state
${f} add 2010 allow icmp from any to any
${f} add 2020 allow tcp from any to any 80,443
${f} add 2050 deny ip from any to any via ${ifOut}
${f} add 2060 allow udp from any to any 53,7723

${f} add 2100 deny ip from any to any

${f} add 32490 deny ip from any to any

${f} add 60 fwd 127.0.0.1,82 tcp from not "table(0)" to not "table(0)" dst-port 80 in

${f} add 61 allow ip from "table(0)" to "table(0)"

allow ip from me to any

${f} add 61 allow ip from "table(0)" to "table(0)"

${f} add 61 allow ip from "table(0)" to "table(0)"

${f} add 61 allow ip from "table(0)" to "table(0)"

${f} add 61 allow ip from "table(0)" to "table(0)"

${f} add 60 fwd 127.0.0.1,82 tcp from not "table(0)" to not "table(0)" dst-port 80 in

09:56:41.258478 IP 236.190.224.159.triolan.net.64865 > 21.2.86.109.triolan.net.domain: 46253+ A? www.speedtest.net. (35)
09:56:41.382161 IP 236.190.224.159.triolan.net.3791 > 111.221.74.31.https: Flags [S], seq 4264544421, win 65535, options [mss 1440,nop,nop,sackOK], length 0
09:56:41.382281 IP 236.190.224.159.triolan.net.3792 > 213.199.179.157.https: Flags [S], seq 3760766955, win 65535, options [mss 1440,nop,nop,sackOK], length 0
09:56:41.382467 IP 236.190.224.159.triolan.net.3793 > 149.5.45.206.https: Flags [S], seq 403384598, win 65535, options [mss 1440,nop,nop,sackOK], length 0
09:56:41.631607 IP 236.190.224.159.triolan.net.59464 > 2.2.86.109.triolan.net.domain: 40188+ A? www.facebook.com. (34)
09:56:41.631673 IP 236.190.224.159.triolan.net.59464 > 21.2.86.109.triolan.net.domain: 40188+ A? www.facebook.com. (34)
09:56:41.696092 ARP, Request who-has 236.190.224.159.triolan.net tell 254.190.224.159.triolan.net, length 46
09:56:41.720463 IP 236.190.224.159.triolan.net.54719 > 2.2.86.109.triolan.net.domain: 5692+ A? vk.com. (24)