прописал в rc.conf так на обоих!
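# Default route: the next hop on the bce0 (primary provider) subnet.
defaultrouter="80.111.333.65"
# This host forwards packets between its interfaces.
gateway_enable="YES"
hostname="router.dialin.kz"
# Uplinks: bce0 carries the default route; bce1 is the second provider
# (pf.conf refers to them as ext_if1 and ext_if0 respectively).
ifconfig_bce0="inet 80.111.333.70 netmask 255.255.255.248"
ifconfig_bce1="inet 172.168.1.102 netmask 255.255.255.0"
# Internal segments: em0 = DMZ, em1 = AD / dialin, em2 = Diasy / Mobitex
# (roles as named in pf.conf); em3 is not referenced by the pf ruleset.
ifconfig_em0="inet 10.10.0.1 netmask 255.255.255.0"
ifconfig_em1="inet 192.168.10.111 netmask 255.255.255.0"
ifconfig_em2="inet 192.168.20.111 netmask 255.255.255.0"
ifconfig_em3="inet 192.168.30.111 netmask 255.255.255.0"
# gif_interfaces lists the tunnel interfaces to create; it is not a YES/NO
# knob.  The earlier gif_interfaces="YES" was dead (overwritten by this
# line) and has been removed.
gif_interfaces="gif0"
static_routes="vpn1"
# Inner (tunnel) addresses: local, then the remote end.
# NOTE(review): the local end reuses em1's address with a /24 mask; a
# point-to-point tunnel usually takes a host mask (255.255.255.255) --
# confirm this is intentional.
ifconfig_gif0="inet 192.168.10.111 192.168.0.100 netmask 255.255.255.0"
# Outer (transport) addresses: this host's bce0 address and the peer.
# The peer's encapsulated packets arrive on bce0 and must be allowed by pf.
gifconfig_gif0="80.111.333.70 212.111.333.166"
# Reach the peer's LAN through the tunnel.
route_vpn1="-net 192.168.0.0/24 -interface gif0"
# rc.conf is sourced by the rc scripts; the export is not needed but is harmless.
export route_vpn1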
pf.conf
## dukat -- pf ruleset for the dialin router (two uplinks, AD LAN, DMZ).
## Reminder: pf filter rules are last-match-wins, and traffic that matches
## no rule at all is passed; both matter for reading the blocks below.
ext_if1="bce0" # primary provider; the default gateway is on this link
ext_if0="bce1"
ext_gateway0="172.168.1.1"
## towards AD and local Dialin
ad_if="em1"
## towards Diasy and Mobitex
int_if="em2"
## towards the DMZ: www, ftp, mail, backup (reached via ext_if1 into the DMZ to the mail server)
dmz_if="em0"
#vpn="gif0"
## IP addresses of the hosts we need
web_server="10.10.0.3" # also mail, www, dns2
#backup_server="10.10.0.4" # just the backup box
activ="192.168.10.254" # AD, proxy, Exchange, radmin, acq, sgds,
admin="192.168.10.1" # my workstation
#cheef="192.168.0.196" # privileged workstation
## table of hosts allowed to reach the web directly, bypassing the proxy that runs on the router
table <servers> const { $activ, $admin }
## drop blocked packets silently (no RST / ICMP unreachable is sent back)
set block-policy drop
## do not filter the loopback interface
set skip on lo0
## normalise incoming traffic (reassemble fragments)
scrub in all fragment reassemble
## packets arriving on the external interface ext_if1 for the published
## services are redirected into the DMZ and tagged.
## NOTE(review): the original comment listed ports 80, 21, 23 and 799 (radmin);
## the active rules redirect 80, 13579 (-> ssh), 25 and 110 -- it was stale.
## NOTE(review): rdr only rewrites the destination, it does not pass the
## packet.  "block in on $ext_if1" below has no active pass rule for these
## tags (the candidates are all commented out), so the redirected connections
## are dropped.  Each service that should be reachable needs a
## "pass in on $ext_if1 inet proto tcp tagged <TAG> keep state" (or "rdr pass").
rdr on $ext_if1 inet proto tcp to $ext_if1 port 80 tag WEB_SERVER -> $web_server port 80
rdr on $ext_if1 inet proto tcp to $ext_if1 port 13579 tag SSH_WEBSERVER -> $web_server port 22
rdr on $ext_if1 inet proto tcp to $ext_if1 port 25 tag MAIL -> $web_server port 25
rdr on $ext_if1 inet proto tcp to $ext_if1 port 110 tag MAIL -> $web_server port 110
#rdr on $ext_if1 inet proto tcp to $ext_if1 port 21 tag FTP_SERVER -> $backup_server port ftp
#rdr on $ext_if1 inet proto tcp to $ext_if1 port 4899 tag RADMIN -> $admin port 4899
## hand packets from our networks towards external ftp servers to the proxy
##rdr pass on $ad_if inet proto tcp from $ad_if:network to !$web_server port ftp -> 127.0.0.1 port 3128
##rdr pass on $int_if inet proto tcp from $int_if:network to {!$web_server, !$backup_server } port ftp -> 127.0.0.1 port 3128
########################################
## NAT on the external interface (ext_if1): everything from the AD network,
## plus packets carrying a tag.
#nat on $ext_if1 from $dmz_if:network -> ($ext_if1)
#nat on $ext_if0 from $dmz_if:network -> ($ext_if0)
nat on $ext_if1 from $ad_if:network -> ($ext_if1)
## NOTE(review): no active rule applies the tag SSH (only the commented-out
## pass rule further down did), so this nat rule can never match.
nat on $ext_if1 inet proto tcp tagged SSH -> ($ext_if1)
#nat on $ext_if1 inet proto tcp tagged ADMIN -> ($ext_if1)
#nat on $ext_if1 inet proto tcp tagged RADMIN -> ($ext_if1)
#nat on $ext_if1 inet proto tcp tagged ICQ -> ($ext_if1)
## NOTE(review): SSH_WEBSERVER is applied by the inbound rdr above; whether an
## outbound nat rule on the same interface ever sees that tag is doubtful --
## check the rule counters ("pfctl -v -s nat") before relying on it.
nat on $ext_if1 inet proto tcp tagged SSH_WEBSERVER -> ($ext_if1)
## our ftp server can only work in active mode, so NAT the packets leaving its port 20
#nat on $ext_if1 inet proto tcp from $backup_server port 20 to any -> ($ext_if1)
## NAT on the other provider's interface (ext_if0) packets coming from the proxy server
## (the original comment called ext_if0 the primary provider; the macro comments above say ext_if1)
#nat on $ext_if0 inet proto tcp from $activ to !$web_server port www -> ($ext_if0)
############################### ext_if1, i.e. the Kaztel link
## NOTE(review): this is the only uplink blocked inbound.  As far as this
## listing shows, nothing blocks "in on $ext_if0" (bce1), "in on $int_if" (em2),
## em3 or gif0, so with pf's default-pass behaviour those interfaces are
## unfiltered.  A "block in on $ext_if0" (and a block for each internal
## segment that should be restricted) is the first thing to add.
block in on $ext_if1
## NOTE(review): the gif tunnel (gifconfig_gif0 in rc.conf) is carried as
## IP-in-IP (protocol 4, "ipencap") between the bce0 address and the peer.
## Nothing here passes that protocol in on $ext_if1, so the block rule above
## drops the peer's encapsulated packets and the tunnel cannot come up.
## NOTE(review): in pf "tag" sets a tag and "tagged" matches one; the two
## commented pass rules below use "tag" and would not match the rdr'd traffic
## if re-enabled.  $ext_gateway and $ext_gateway1 are also never defined here.
#pass in on $ext_if1 reply-to ($ext_if1 $ext_gateway1) inet proto tcp tag SSH_WEBSERVER keep state
#pass in on $ext_if1 reply-to ($ext_if1 $ext_gateway) inet proto tcp tagged FTP_SERVER keep state
#pass in on $ext_if1 reply-to ($ext_if1 $ext_gateway1) inet proto tcp tag SSH keep state
##### ping
#pass in on $ext_if1 inet proto icmp from $ext_if1:network keep state
## NOTE(review): passes every ICMP type to the router; if only ping is wanted,
## "icmp-type echoreq" narrows it.
pass in on $ext_if1 inet proto icmp from any to $ext_if1 keep state
#pass in on $ext_if1 inet proto tcp from any to <servers> keep state
pass out on $ext_if1 keep state
##################################################################
## AD / dialin segment
block in on $ad_if
pass in on $ad_if inet proto tcp from $ad_if:network to { $ad_if, $int_if, $web_server } port 22 keep state
#pass in on $ad_if inet proto udp from $ad_if:network to $ad_if port 53 keep state
pass in on $ad_if inet proto udp from $ad_if:network to any port 53 keep state
pass in on $ad_if inet proto tcp from $ad_if:network to any port { smtp, pop3 } keep state
pass in on $ad_if inet proto tcp from <servers> to any port http keep state
pass in on $ad_if inet proto tcp from <servers> to any port https keep state
## NOTE(review): this rule passes all TCP from the whole AD network to any
## destination.  It makes the port-specific rules above redundant and, in
## particular, lets every host reach http/https directly, so the <servers>
## proxy-bypass restriction has no effect.  Remove or narrow it if the proxy
## is meant to be enforced.
pass in on $ad_if inet proto tcp from $ad_if:network to any keep state
pass in on $ad_if inet proto tcp from $ad_if:network to any port 5190 tag ICQ keep state
pass in on $ad_if inet proto tcp from $ad_if:network to any port ftp keep state
pass in on $ad_if inet proto icmp from $ad_if:network to any keep state
pass out on $ad_if keep state
########################## on the DMZ interface
## deny all connections
block in on $dmz_if
## servers in the DMZ need to talk to dns
## NOTE(review): the rule passes any UDP port from the web server to the DMZ
## address, not only 53; add "port 53" if DNS is the intent.
pass in quick on $dmz_if inet proto udp from $web_server to $dmz_if keep state
#pass in on $dmz_if reply-to ($ext_if1 $ext_gateway1) proto udp keep state
## NOTE(review): no source, destination or address-family restriction -- all
## other UDP arriving on the DMZ interface is routed out via bce1.  No nat on
## $ext_if0 is active (both are commented out), so these packets leave with
## their 10.10.0.x source address; replies depend on 172.168.1.1 routing that
## prefix back -- confirm.
pass in on $dmz_if route-to ($ext_if0 $ext_gateway0) proto udp keep state
#pass in on $dmz_if inet proto udp from $dmz_if:network to $dmz_if keep state
#pass in on $dmz_if route-to ($ext_if1 $ext_gateway1) inet proto {tcp,udp} from $web_server to any keep state
## send packets going to external ssh servers over the other route
## (same un-NATed source-address caveat as the UDP route-to rule above)
pass in on $dmz_if route-to ($ext_if0 $ext_gateway0) inet proto tcp from $web_server to any port {22, 13579} modulate state
#pass in on $dmz_if route-to ($ext_if1 $ext_gateway1) inet proto udp from $web_server to any keep state
## allow SSH connections
###pass in on $dmz_if inet proto tcp from $dmz_if:network to $dmz_if port 22 keep state
### ping
pass in on $dmz_if inet proto icmp from $dmz_if:network to $dmz_if keep state
## allow all outgoing connections
pass out on $dmz_if keep state
Прошу уважаемых гуру направить на путь истинного конфига! :-)