Freesco, NND, CDN, EOS

Z powodu chwilowej , mam nadzieję , niestbilnej przcy sieci chciałem zablokować wszystko wszystkim i udostępnić tylko podstawowe usługi . Zerknijcie czy to będzie działać OK:
ipfwadm -I -i deny -W eth0 -S 10.1.1.1/0
ipfwadm -I -i accept -W eth0 -S 10.1.1.1/24 21 22 23 25 53 80 110 1550
miałem na myśli pocztę ,www, telnet ssh ,gg tylko nie wiem czy można wpisać tyle portów w jednej linii i czy o czymś nie zapomniałem

Nie. nie będzie

hm... to może w ten sposób ?
ipfwadm -I -i deny -S 10.1.1.1/24 -D 0.0.0.0/0
ipfwadm -I -i accept -P tcp -S 10.1.1.1/24 -D 0/0 numery_portów

jeśli to nie zadziała to proszę o jakąś podpowiedź
do tych numerów portów możnaby dorzucić jeszcze 443 ale nie wiem ile ich może być w jednej linii

Prawie dobrze
musisz jeszcze pozwolic na ruch na porty 53 udp i tcp (DNS-y)

tez nie wiem ile, ale jak bedzie blad mozesz to rozbic na dwie linie

pfwadm -I -i deny -S 10.1.1.1/24 -D 0.0.0.0/0
wystarczy tak:
pfwadm -I -i deny -S 10.1.1.1/24
A zamiast -D 0.0.0.0/0 pisz:
-D 0/0 to to samo a ladniej wyglada

Witam ....

ja mam tak plik w ./mnt/router/rc/rcuser/rc_ipping a wnim

#!/bin/sh
#
# User startup/shutdown and firewall script.

. /etc/system.cfg
. /etc/live.cfg
. /etc/chat.pwd

if [ "$1" = firewall ]; then
# Add your custom firewall rules here. Warning, incorrect rules could
# leave your system insecure. $INET always represents the internet
# interface. These rules come before standard system rules. Example:
# reject incomming tcp connections to port 22 from the internet and log
#ipfwadm -I -a reject -P tcp -W $INET -D 0.0.0.0/0 22 -y -o




#----------------------------------------------------------------------
exit; fi

if [ "$1" = stop -o "$1" = restart ]; then
echo -n "Stopping rc_ipping... "
# Add commands here you want to execute when shutting down or rebooting.
# Be careful not to use any commands which wait for user input.


#----------------------------------------------------------------------
$DONE; [ "$1" = stop ] && exit; fi

echo -n "Starting rc_ipping... "


# //ipfwadm\\
# ipfwadm -I -f
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D any/0
ipfwadm -I -i reject -P tcp -S 192.168.0.1 22
# //uslugi\\
#
# //DNS
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D 194.204.159.1
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D 194.204.152.34
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D 212.244.117.100
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D 217.17.34.10
# //ftp
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 21
# //ftp_data
ipfwadm -I -i accept -P tcp -S 192.168.0.6/16 -D any/0 20
ipfwadm -I -i accept -P tcp -S 192.168.0.121/16 -D any/0 20
ipfwadm -I -i accept -P tcp -S 192.168.0.161/16 -D any/0 20
ipfwadm -I -i accept -P tcp -S 192.168.0.161/16 -D any/0 20
ipfwadm -I -i accept -P tcp -S 192.168.0.49/16 -D any/0 20
# //kaza
#ipfwadm -I -i accept -P tcp -S 192.168.0.200/32 -D any/0 1214
# //dc
#ipfwadm -I -i accept -P tcp -S 192.168.0.200/32 -D any/0 412
# //telnet
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 23
# //ssh
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 22
# //www
# //2020 <-- admin.virt501.kei.pl <-- vuja
# /proxy 8080
# //Zalatwiem sobie profesjonalny i tani hosting i chciabym aby odblokowa
# //- 2082- 2095- 2087- 2083 Adres strony z hostungiem to: www.hostings.p
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 80
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 81
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 82
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 83
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 84
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 85
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 85
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 86
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 2020
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D 0/0 8080
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D 0/0 2082:2095
# //GG 1550
# //8074 --sms
# //tlen 443 <-> 440:450
# //yahoo 66.218.70.32-44 all 5000-5010
# //skype 33033 a do gadania 443
# //wp.pl konnekt rozmw video TCP 1720 UDP 5000-5003
# //wp.pl jaber (on dizal z wp konnekt)
# //wp.pl pliki przesylanie 9413
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 1550
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 8074
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 440:450
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 440:450
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 5000:5010
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 5000:5010
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 33033
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 1720
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 5222:5225
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 5222:5225
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 9413
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 9413
# //poczta
# //110 --odbiur
# //25 --wysylanie
# //553 --autowyzacia jakas
# //553 --autowyzacia jakas
# //465 and 995 if you use SSL - which is not the default set-up for most
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 110
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 25
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 465
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 553
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 995
# //grupy duskusyjne
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 119
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 503
# //????
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 1433
# //mirc
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 6667:6669
# //czaty
# //5579:5581 wp.pl
# //5010:5030 onet.pl
# //14011:14012 interia.pl -> kamerki 14012;14016
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 5579:5581
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 5010:5030
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 14010:14016
# //programy do gieldy ( ma go 4/20 i go urzywa )
# //i inne
# //ip 193.108.35.17
# //11008
# //11009
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 11008:11009
# //BANY_IP\\
# //znane z kazy
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 68.39.151.148
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 24.112.216.236
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 24.57.105.64
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 141.213.185.66
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 24.187.241.144
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 24.70.227.235
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 68.13.33.186
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 68.102.52.241
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 68.100.121.146
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 24.94.54.88
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 66.66.78.165
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 137.141.238.163
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 24.49.251.211
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 68.46.133.102
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 68.57.58.103
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 67.33.122.233
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 24.242.85.48
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 66.69.20.221
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 156.34.176.33
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 68.34.16.236
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 66.69.74.115
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 62.90.195.82
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 200.199.201.83
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 63.208.2.24
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 65.89.43.128
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 24.27.169.105
ipfwadm -I -i reject -P tcp -S 192.168.0.1/16 -D 12.236.151.221
# //RadiO
# //radio internetowe
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 8000:8009
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 8000:8009
# //gry\\
# //diablo2
# //quake 27500
# //starcraft
# //CS -> nowy
# //World of Tibia >www.tibia.de albo www.tibia.com<
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 6110:6120
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 4000
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 27000:28000
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 27000:28000
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 7171
# //gry ze stron\\
# //kurnik.pl
# //wp.pl
# //http://www.tibia.pl/
# //rpg jakis www.tibia.pl
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 17000:17060
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 5000:5010
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 7170:7180
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 7170:7180
# //serwery\\
# //IP 002
# //IP_003
#ipfwadm -I -i accept -S 192.168.0.2/32
#ipfwadm -I -i accept -S 192.168.0.3/32
#ipfwadm -I -i accept -P tcp -S 192.168.0.3/32
#ipfwadm -I -i accept -P udp -S 192.168.0.3/32
# //demony\\
# //squid
#ipfwadm -I -i accept -r 8080 -P tcp -S 192.168.0.0/24 -D any/0 www
#ipfwadm -I -i accept -r 8080 -P tcp -S 192.168.0.0/24 -D any/0 www
# //user\\
# //port tcp+udp 3531 nadeslal TK-696xxxxxx IP-192.168.1.128
ipfwadm -I -i accept -S 192.168.0.200
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 3531
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 3531
#ipfwadm -I -i accept -S 192.168.0.201
#ipfwadm -I -i accept -S 192.168.0.235
#ipfwadm -I -i accept -S 192.168.1.123
#ipfwadm -I -i accept -S 192.168.1.210
#ipautofw -A -r tcp 4660 4669 -h 192.168.0.201
#ipautofw -A -r tcp 4660 4669 -h 192.168.0.201
#ipautofw -A -r tcp 4660 4669 -h 192.168.0.235
#ipautofw -A -r tcp 4660 4669 -h 192.168.0.235
#ipautofw -A -r udp 20 21 -h 192.168.0.200
#
# /dziwne wpisy w logah z tyh IP
ipfwadm -I -i reject -S 4.15.8.80/32 -D any/0
ipfwadm -I -i reject -S any/0 -D 4.15.8.80/32
ipfwadm -I -i reject -S 216.74.27.24/32 -D any/0
ipfwadm -I -i reject -S any/0 -D 216.74.27.24/32
# ipfwadm -I -i reject -P tcp -S any/0 22 -D 80.51.255.94
# ipfwadm -I -i accept -P tcp -S 192.168.0.0/16 -D 192.168.0.1/32 www
# ipfwadm -I -i reject -P tcp -S 192.168.0.1/24 -D any/0
# ipfwadm -I -i reject -P tcp -S 192.168.0.1/24 -D any/0
# ipfwadm -I -i reject -P tcp -S 192.168.0.1/24 -D any/0
# ipfwadm -I -i reject -P tcp -S 192.168.0.1/24 -D any/0
# /blaster
ipfwadm -I -a deny -P tcp -D 0/0 130:140
ipfwadm -I -i deny -P tcp -D 0/0 130:140
ipfwadm -I -i deny -S 127.0.0.1
# //jakis pierdolniety program do pitu test
# //jkaiegos funduszu
# //korzysta z niego 37/4 ; PT_2DOM
# //jakis fundusz 85 500 2746 udp
# // IP 213.25.45.71
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 80:90
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 80:90
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 85
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 495:505
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 495:505
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 500
ipfwadm -I -i accept -P tcp -S 192.168.0.1/16 -D any/0 2740:2750
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 2740:2750
ipfwadm -I -i accept -P udp -S 192.168.0.1/16 -D any/0 2746
ipfwadm -I -i accept -P all -S 192.168.0.1/16 -D 213.25.45.71
ipfwadm -I -i accept -P all -S 213.25.45.71 -D 192.168.0.1/16
ipfwadm -I -i accept -S 192.168.2.16
ipfwadm -I -i accept -S 192.168.2.17
#ipfwadm -I -i accept -P all -S 192.168.1.202
#ipfwadm -I -i accept -P all -S 192.168.1.202
# //IP serwisowe blokniete
ipfwadm -I -i reject -S 192.168.0.2
ipfwadm -I -i reject -S 192.168.0.3
ipfwadm -I -i reject -S 192.168.0.4
ipfwadm -I -i reject -S 192.168.0.5
ipfwadm -I -i reject -S 192.168.0.6
ipfwadm -I -i reject -S 192.168.0.7
ipfwadm -I -i reject -S 192.168.0.8
# //IP wolne aktualnie dostep all
ipfwadm -I -i accept -S 192.168.111.111
ipfwadm -I -i accept -S 192.168.111.112
ipfwadm -I -i accept -S 192.168.111.113
ipfwadm -I -i accept -S 192.168.111.114
ipfwadm -I -i accept -S 192.168.111.115
#----------------------------------------------------------------------
$DONE


Tu masz mniej wiecej to co powino byc i blokuje all tylko se musisz zmienic IP z 192.168.x.x na to twoje 10.0.0.1

pamietaj rze /32 oznacza tylko jeden adres
/23 zakres adresuw 192.168.0.xxx czyli 255
/16 zakres aderesu 192.168.xxx.xxxx czyli 255*255