mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-19 17:57:22 +01:00
0aa3eac4d4
rule element by name after group is expanded, this helps ensure stable ordering of objects in generated configuration. * Compiler.cpp (replaceClusterInterfaceInItfRE::processNext): sorting objects in rule element after cluster interfaces have been replaced, this helps ensure stable ordering of objects in generated configuration. * FWObject.h (FWObjectNameCmpPredicate): moved this class from gui-specific module to libfwbuilder as it is universally useful. It can compare FWObject objects by name and can optionally can follow references; it can be used with std::sort() to sort lists of FWObject pointers or directly sort rule elements.
76 lines
3.0 KiB
Plaintext
76 lines
3.0 KiB
Plaintext
|
|
|
|
|
|
|
|
# Tables: (4)
|
|
table <block these> persist file "block-hosts.tbl"
|
|
table <spammers> persist
|
|
table <tbl.r0.d> { 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.1.200 , 192.168.1.201 , 192.168.2.128/25 }
|
|
table <tbl.r1> { 7.7.7.7 , 61.150.47.112 , 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.1.200 , 192.168.1.201 , 192.168.2.128/25 }
|
|
|
|
#
|
|
# Rule 0 (NAT)
|
|
rdr on eth0.100 proto tcp from ! <block these> to (eth0.100) port 25 -> 192.168.1.10 port 25
|
|
#
|
|
# Rule 1 (NAT)
|
|
rdr on eth0.100 proto tcp from <block these> to (eth0.100) port 25 -> 192.168.1.10 port 25
|
|
rdr on eth0.100 proto tcp from <tbl.r1> to (eth0.100) port 25 -> 192.168.1.10 port 25
|
|
#
|
|
# Rule 2 (NAT)
|
|
nat on eth0.100 proto {tcp udp icmp} from 192.168.1.0/24 to ! <block these> -> (eth0.100)
|
|
#
|
|
# Rule 3 (NAT)
|
|
rdr proto tcp from any to (eth0.100) port 25 -> { 192.168.1.1 , 192.168.1.2 , 192.168.1.200 , 192.168.1.201 , 192.168.1.3/30 , 192.168.2.128/25 } port 25
|
|
#
|
|
# Rule 4 (NAT)
|
|
rdr proto {tcp udp icmp} from any to (eth0.100) -> { 192.168.1.1 , 192.168.1.2 , 192.168.1.200 , 192.168.1.201 , 192.168.1.3/30 , 192.168.2.128/25 }
|
|
#
|
|
# Rule 5 (NAT)
|
|
no nat proto {tcp udp icmp} from 192.168.1.0/24 to <block these>
|
|
no rdr proto {tcp udp icmp} from 192.168.1.0/24 to <block these>
|
|
#
|
|
# Rule 6 (NAT)
|
|
rdr proto {tcp udp icmp} from 192.168.1.0/24 to <block these> -> 127.0.0.1
|
|
|
|
#
|
|
# Rule 0 (global)
|
|
pass quick inet from any to <tbl.r0.d> keep state label "RULE 0 -- ACCEPT on global "
|
|
#
|
|
# Rule 1 (global)
|
|
block log quick inet from any to <block these> label "RULE 1 -- DROP on global "
|
|
#
|
|
# Rule 2 (global)
|
|
block log quick inet from any to <block these> label "RULE 2 -- DROP on global "
|
|
block log quick inet from any to <tbl.r1> label "RULE 2 -- DROP on global "
|
|
#
|
|
# Rule 3 (global)
|
|
block log quick inet from any to <tbl.r0.d> label "RULE 3 -- DROP on global "
|
|
#
|
|
# Rule 4 (global)
|
|
block log quick inet from <spammers> to any label "RULE 4 -- DROP on global "
|
|
#
|
|
# Rule 5 (global)
|
|
block quick inet proto tcp from any to <block these> port 25 label "RULE 5 -- DROP on global "
|
|
block quick inet proto tcp from any to 61.150.47.112 port 25 label "RULE 5 -- DROP on global "
|
|
#
|
|
# Rule 6 (global)
|
|
block log quick inet from <block these> to any label "RULE 6 -- DROP on global "
|
|
#
|
|
# Rule 7 (global)
|
|
block log quick inet from <block these> to any label "RULE 7 -- DROP on global "
|
|
block log quick inet from 61.150.47.112 to any label "RULE 7 -- DROP on global "
|
|
#
|
|
# Rule 9 (global)
|
|
pass quick inet proto tcp from any to 192.168.1.10 port 25 keep state ( max-src-conn 5, overload <spammers> flush global ) label "RULE 9 -- ACCEPT on global "
|
|
#
|
|
# Rule 10 (global)
|
|
pass quick inet from 192.168.1.0/24 to any keep state label "RULE 10 -- ACCEPT on global "
|
|
#
|
|
# Rule 11 (global)
|
|
block log quick inet from any to any label "RULE 11 -- DROP on global "
|
|
#
|
|
# Rule fallback rule
|
|
# fallback rule
|
|
block quick inet from any to any label "RULE 10000 -- DROP on global "
|
|
|