имеем машину на фре 6.0-релиз с тремя физическими интерфейсами.
rl0 - lan
rl1 - к инету со статическим ипом на интерфейсе
rl2 - к провайдеру для доступа к впн серверу
ng1 - впн к инету на динамике.
# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:80:48:32:b1:34
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 81.30.*.* netmask 0xffffffe0 broadcast 81.30.222.127
ether 00:50:22:9f:fb:ff
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 10.66.46.70 netmask 0xffffff00 broadcast 10.66.46.255
ether 00:80:48:3a:cd:4a
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
ng1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1460
inet 89.189.145.81 --> 10.8.0.8 netmask 0xffffffff
фаервол - ipfw
# ipfw ruleset for the gateway: LAN on rl0 (192.168.0.0/24), static public
# address on rl1, ng1 = VPN link to the Internet (NATed), rl2 = path to the
# VPN server.  Rules are evaluated in number order, first match wins; rules
# that share a number keep their insertion order.  There is no explicit
# final deny, so the set relies on the kernel's rule 65535 being "deny"
# (the default unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT)
# - confirm with `ipfw show`.
#
# Generic NAT: LAN traffic leaving through ng1, and everything arriving on
# ng1, is diverted to natd on port 8778.  Only ng1 is NATed - LAN traffic
# that happens to leave through rl1 or rl2 would keep its private source
# address.
ipfw add 50 divert 8778 ip from 192.168.0.0/16 to not 192.168.0.0/16 via ng1
ipfw add 50 divert 8778 ip from any to any in via ng1
# Policy-based routing: packets sourced from the rl1 address are handed to
# the rl1-side gateway (presumably 81.30.222.97, the first host of
# 81.30.222.96/27 - confirm) instead of following the default route.
ipfw add 100 fwd 81.30.222.97 ip from 81.30.222.126 to any
# Allow all traffic to and from the gateway itself.  "me" covers every
# address on every interface, including the public ones on rl1 and ng1.
# NOTE(review): this sits in front of every other filter, so each service
# listening on the host is reachable from the Internet side; consider
# `in via rl0` on the first rule plus explicit allows for the few services
# that must be reachable from outside (e.g. the VPN session over rl2).
ipfw add 500 allow all from any to me
ipfw add 500 allow all from me to any
# LuckyNet <-> JuiceNet: the two LAN subnets may talk to each other freely.
ipfw add 700 allow all from 192.168.0.0/24 to 192.168.1.0/24
ipfw add 700 allow all from 192.168.1.0/24 to 192.168.0.0/24
# Table 1: destination hosts allowed for every LAN host (rule 10000).
# Table 2: trusted hosts with unrestricted egress (rule 50000).
# Per-host accounting ("registrar count"), currently disabled.
#ipfw add 910 count all from plast.virtualufa.ru to any
# Any LAN host may reach the destinations listed in table 1.
ipfw add 10000 allow all from 192.168.0.0/16 to table\(1\)
# NOD32 update servers, only for 192.168.0.3.
ipfw add 15000 allow all from 192.168.0.3 to 89.202.0.0/16
ipfw add 15001 allow all from 192.168.0.3 to 72.32.7.91
# Mail: SMTP is allowed only from .4 to smtp.mail.ru and from .199 to any
# host; the deny under the same number catches everyone else (the gateway
# itself was already exempted by rule 500).
# NOTE(review): `smtp.mail.ru` (and `ov` further down) is resolved once,
# when the rule is added: the rule does not follow later DNS changes, a
# name with several addresses yields only one of them, and if DNS is not
# reachable at boot the `ipfw add` fails and the rule is simply missing.
# Port numbers only apply to TCP/UDP, so writing `tcp` instead of `ip`
# makes the intent explicit.
ipfw add 15100 allow ip from 192.168.0.4 to smtp.mail.ru 25
ipfw add 15400 allow ip from 192.168.0.199 to any 25
ipfw add 15400 deny ip from any to any 25
# Web access: LAN HTTP is redirected to the transparent proxy on
# 192.168.0.1 port 3128.  HTTPS (443) is not proxied; in this set only the
# two ICQ hosts below get it, the rest of the LAN only via table 1 / 2.
ipfw add 30000 fwd 192.168.0.1,3128 tcp from 192.168.0.0/24 to any 80
# ICQ users: port 5190 and https for host `ov` and 192.168.0.195.
ipfw add 40001 allow ip from ov to any 5190
ipfw add 40001 allow ip from 192.168.0.195 to any 5190
ipfw add 40001 allow ip from ov to any https
ipfw add 40001 allow ip from 192.168.0.195 to any https
# Hosts with full (unrestricted) access: table 2.
ipfw add 50000 allow all from table\(2\) to any
# Returned traffic: anything addressed to the LAN is let through.
# NOTE(review): this is stateless - it also accepts packets for
# 192.168.0.0/24 that arrive on rl1/rl2 and are not replies to anything.
# `keep-state` on the outbound allows with a `check-state` near the top
# (or at least qualifying this rule with `in via ng1`) would limit it to
# real replies.  Also note it covers only /24 while the NAT divert and rule
# 10000 use /16: if hosts in 192.168.1.0/24 go out through ng1 as well,
# their replies match nothing here and fall through to the default rule.
ipfw add 65000 allow ip from any to 192.168.0.0/24
Где затык?