fogary писал(а):Без редиректа на squid и без прописанного proxy в браузере, т. е. чисто через nat, клиенты в интернет ходить могут?
Да всё ходит и всё работает.
Мой конфиг файрвола
# pf.conf for a small router: LAN on $int_if, uplink on $ext_if (a tunnel
# interface), NAT restricted to an explicit list of destination ports, and a
# transparent HTTP redirect to a local squid. Default policy is block in both
# directions; the pass rules below open specific services on the uplink.
########## interface info ##########
int_if="lan"
ext_if="tun0"
lannet="192.168.0.0/24"
int_ip="192.168.0.1"
########## open ports ##########
# Port lists used by the nat and pass rules below ("a:b" is a port range).
www="{ 80,443 }"
mail="{ 465,587,993,995,143,25,110 }"
rdp="{ 730,10913 }"
torrent="{ 51413,49152:65535,5650:5670 }"
ssh="{ 1981,1985,1986 }"
vpn="{ 1983, 1423 }"
ftp="{ 20,21,30000:65000 }"
voip="{ 4000:4010,4050:4090,5060:5065,5160:5165,8000:8002,9000:65534 }" # defined but not referenced by any rule in this file
udp_services="{ 53,123 }"
stim="{ 27000:27050, 4380}"
icmp_types="{echoreq, unreach}"
########## CONTROL PF ##########
#set block-policy return ## reject politely (TCP RST / ICMP unreachable)
set timeout { frag 10, tcp.established 3600 } # Shorten the established-TCP state timeout; the default (24 hours) is far too long.
set block-policy drop ## reject silently (drop)
set skip on lo0 ## skip all pf processing on the loopback interface
set skip on $int_if ## skip all pf processing on the LAN interface
# NOTE(review): "set skip" bypasses translation as well as filtering, so the
# "rdr ... -> 127.0.0.1 port 3128" rule below presumably never sees LAN
# clients' port-80 traffic, which enters on $int_if. That would explain why
# the web only works while the port-80 nat rule is present: without it the
# untranslated LAN packets are stopped by "block out all". To make the
# transparent proxy take effect, filter $int_if explicitly with pass rules
# instead of skipping it — confirm on the live box.
set loginterface $ext_if
set optimization normal
########## PF_tables ##########
table <white_list> persist { 1.2.3.4 } # hosts allowed to reach every port on ($ext_if), see the "pass quick ... from <white_list>" rule
table <full_dos> persist file "/etc/pftables/full_dos" # LAN hosts that get NAT for all ports, not just the listed ones
table <srv> persist file "/etc/pftables/srv" # loaded but not referenced by any rule in this file
### bloc tables ###
# Address block lists; each is dropped inbound on $ext_if in the filter section.
table <ca.zone> persist file "/etc/pftables/ca.zone"
table <cn.zone> persist file "/etc/pftables/cn.zone"
table <de.zone> persist file "/etc/pftables/de.zone"
table <fr.zone> persist file "/etc/pftables/fr.zone"
table <ua.zone> persist file "/etc/pftables/ua.zone"
table <ip.bloc> persist file "/etc/pftables/ip.bloc"
# NOTE(review): <us.zone> is referenced by a block rule below but no table of
# that name is defined here; unless it is created elsewhere, that rule matches
# nothing. <ddos> and <ssh> are not defined here either and are presumably
# created by the "overload" clauses on the pass rules.
##########
scrub in all ## normalize all inbound packets on all interfaces
scrub on $ext_if all reassemble tcp # additionally apply stateful TCP normalization on the uplink
########## NAT ##########
# Only traffic matching a nat rule leaves with the uplink's address. Since the
# only "pass out" on $ext_if is "from ($ext_if)", untranslated LAN packets are
# stopped by "block out all" — this port list is effectively the egress policy.
#nat on $ext_if inet from $lannet to any -> ($ext_if) # unrestricted NAT for the whole LAN (disabled)
nat on $ext_if inet from $int_ip to any -> ($ext_if) # the router's own LAN address
nat on $ext_if inet from <full_dos> to any -> ($ext_if) # hosts in <full_dos>: all ports
nat on $ext_if inet proto tcp from $lannet to any port $ftp -> ($ext_if)
nat on $ext_if inet proto tcp from $lannet to any port $www -> ($ext_if)
nat on $ext_if inet proto tcp from $lannet to any port $mail -> ($ext_if)
nat on $ext_if inet proto tcp from $lannet to any port $rdp -> ($ext_if)
nat on $ext_if inet proto udp from $lannet to any port $udp_services -> ($ext_if)
nat log on $ext_if inet proto icmp from $lannet to any -> ($ext_if) # ICMP from the LAN, logged
########## redirect ##########
# Transparent proxy: LAN traffic to port 80 is redirected to squid on
# 127.0.0.1:3128 and passed ("rdr pass"). See the note on "set skip on $int_if".
rdr pass inet proto tcp from $lannet to any port 80 -> 127.0.0.1 port 3128
########## filters ##########
antispoof log quick for { lo0, $int_if, $ext_if } # lo0 and $int_if are skipped above, so this effectively covers only $ext_if
########## Blocking rules ##########
block in log all # default deny inbound, logged
block out all # default deny outbound
# Drop inbound traffic from the block lists before anything else ("quick").
block in quick on $ext_if from <ip.bloc> to ($ext_if)
block in quick on $ext_if from <ca.zone> to ($ext_if)
block in quick on $ext_if from <cn.zone> to ($ext_if)
block in quick on $ext_if from <de.zone> to ($ext_if)
block in quick on $ext_if from <fr.zone> to ($ext_if)
block in quick on $ext_if from <ua.zone> to ($ext_if)
block in quick on $ext_if from <us.zone> to ($ext_if) # <us.zone> is not defined in this file, see the tables section
block drop in log quick on $ext_if from <ddos> to any # sources that tripped an overload limit below
block drop in log quick on $ext_if from <ssh> to any # sources that tripped the ssh overload limit below
pass out quick on $ext_if from ($ext_if) to any # anything leaving with the uplink's own address (including NATed traffic)
pass quick on lo0 all ## allow loopback (moot: lo0 is skipped above)
pass quick on $ext_if from <white_list> to ($ext_if) keep state # whitelisted hosts reach every port on the uplink address and bypass the per-service limits below
########## Allow open ports on the external interface ##########
# Each rule limits simultaneous connections per source (max-src-conn) and the
# rate of new ones (max-src-conn-rate N/M = N per M seconds); a source that
# exceeds a limit is added to the named table ("overload") and its states are
# flushed ("flush", "flush global" = from all rules); the <ddos>/<ssh> block
# rules above then drop it.
# NOTE(review): the "\(" in these rules is presumably a line continuation
# ("\" followed by a newline) collapsed by the forum paste; as shown here it
# would not parse — confirm against the real file.
pass in on $ext_if proto tcp from any to ($ext_if) port $www synproxy state ## absorb SYN floods against www with synproxy
pass in on $ext_if proto tcp to ($ext_if) port $www flags /SA keep state \(max-src-conn 60, max-src-conn-rate 10/2, overload <ddos> flush) ## www: sources exceeding the limits are put into <ddos>
# NOTE(review): "flags /SA" matches packets with neither SYN nor ACK set, so the
# www limits on the rule above apply only to such packets; "flags S/SA" (SYN
# only, as on the rules below) was probably intended — confirm.
pass in on $ext_if proto tcp to ($ext_if) port $ssh flags S/SA keep state \(max-src-conn 5, max-src-conn-rate 10/5, overload <ssh> flush global)
pass in on $ext_if proto tcp to ($ext_if) port $rdp flags S/SA keep state \(max-src-conn 1, max-src-conn-rate 5/20, overload <ddos> flush global)
pass in on $ext_if proto tcp to ($ext_if) port $ftp flags S/SA keep state \(max-src-conn 1, max-src-conn-rate 5/20, overload <ddos> flush global)
# NOTE(review): max-src-conn / max-src-conn-rate count TCP connections; on the
# UDP rule below they presumably have no effect — check with "pfctl -n".
pass in on $ext_if proto udp to ($ext_if) port $vpn keep state \(max-src-conn 1, max-src-conn-rate 5/20, overload <ddos> flush global)
pass in on $ext_if proto tcp to ($ext_if) port $mail flags S/SA keep state \(max-src-conn 50, max-src-conn-rate 8/60, overload <ddos> flush global)
pass in on $ext_if proto tcp to ($ext_if) port $stim flags S/SA keep state \(max-src-conn 50, max-src-conn-rate 8/60, overload <ddos> flush global)
pass in on $ext_if proto tcp to ($ext_if) port $torrent keep state \(max-src-conn 50, max-src-conn-rate 10/60, overload <ddos> flush global)
########## Allow outgoing ports ##########
# NOTE(review): both rules below are "pass in ... quick" on $ext_if, i.e.
# inbound rules despite the heading, and being "quick" they take precedence
# over the limited $torrent/$ftp rules above — which removes the
# max-src-conn/overload protection for those ports. The ftp rule also has no
# destination restriction ("to any"). Consider removing them or adding the
# same limits.
pass in quick on $ext_if inet proto {tcp,udp} from any to $lannet port $torrent
pass in quick on $ext_if inet proto tcp from any to any port $ftp # ftp
pass log inet proto icmp all icmp-type $icmp_types # echo requests and unreachables, both directions, logged
Вот так вот всё работает. Если закомментировать строку `nat on $ext_if inet proto tcp from $lannet to any port $www -> ($ext_if)`, чтобы трафик пошёл через проксю, то на компьютерах перестаёт работать инет, и начинает работать только после того, как прописать проксю в браузере.