Задача: весь офис пускать в интернет только через прокси (squid на шлюзе), а избранным хостам дополнительно разрешить ICQ и почтовые клиенты (SMTP/POP3).
Написал вот такой конфиг для ipfw, но после его применения интернет не работает: даже с самого сервера не могу пропинговать внешние хосты. Помогите, пожалуйста.
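#!/bin/sh
#
# ipfw ruleset for a small office gateway (FreeBSD, ipfw + natd).
#
# Policy implemented below:
#   * the office LAN (${NetIn}) reaches the Internet only through squid on
#     this box (port 3128); direct HTTP from the LAN is logged and dropped;
#   * the hosts in ${Pochta} may additionally use SMTP/POP3, the hosts in
#     ${ICQ} may use ICQ (5190); these flows are NAT'ed via skipto 10000;
#   * the gateway itself may open outbound TCP connections; root's own
#     connections are NAT'ed and logged (make install / cvsup);
#   * everything else on the modem interface is logged and denied.
#
# Prerequisites (not checked by this script):
#   * the kernel has IPFIREWALL and IPDIVERT (or the ipfw/ipdivert modules);
#   * natd is running and attached to ${LanOut} (rc.conf: natd_enable="YES",
#     natd_interface="vr0"). A `divert natd` rule with no natd bound to the
#     divert port drops the packet, so a missing or misconfigured natd makes
#     every inbound-via-modem packet (rule 200) and every NAT'ed outbound
#     packet (rule 10000) vanish - which looks exactly like "nothing works,
#     not even ping from the server".
#
# Load it from the console (or with an `ipfw -f flush` safety net in an
# `at`/`sleep` job): a typo in one `ipfw add` leaves the box with a partial
# ruleset, which is default-deny unless the kernel was built with
# IPFIREWALL_DEFAULT_TO_ACCEPT.

FwCMD="/sbin/ipfw add"      # ipfw binary + subcommand; expanded unquoted on purpose
LanOut="vr0"                # interface towards the modem (Internet side)
LanIn="vr2"                 # interface towards the office LAN
IpOut="192.168.1.21"        # this box's address on the modem side
IpIn="192.168.210.21"       # this box's address on the office LAN (unused below)
NetIn="192.168.210.0/24"    # office LAN

# ipfw address lists are comma-separated WITHOUT spaces. The original
# value had spaces after the commas; since the variable is expanded
# unquoted, the shell split it into three words ("a/32," "b/32," ...) and
# ipfw may reject or misparse such a list.
Pochta="192.168.210.199/32,192.168.210.26/32,192.168.210.225/32"   # hosts allowed SMTP/POP3

# Was 192.169.210.8 - a typo: that address is not in ${NetIn}
# (192.168.210.0/24), so the ICQ rule could never match.
ICQ="192.168.210.8/32"      # hosts allowed ICQ

skip="skipto 10000 "        # outbound NAT path, see rule 10000

/sbin/ipfw -q -f flush
#####################################################################
###Begin IPFW rules
#####################################################################
# loopback
${FwCMD} 100 allow ip from any to any via lo0
# everything on the office interface is trusted (LAN <-> gateway, any port)
${FwCMD} 150 allow ip from any to any via ${LanIn}
# inbound on the modem side: un-NAT first so the rules below see LAN addresses
${FwCMD} 200 divert natd ip from any to any in via ${LanOut}
# replies for flows opened by the keep-state rules below; the action taken
# is the parent rule's (allow, or skipto 10000 for the NAT'ed flows)
${FwCMD} 300 check-state
# drop link-local / autoconf addresses
${FwCMD} 400 deny ip from any to 169.254.0.0/16 in via ${LanOut}
# drop multicast / reserved ranges
${FwCMD} 500 deny ip from any to 240.0.0.0/4 in via ${LanOut}
${FwCMD} 600 deny ip from 224.0.0.0/4 to any out via ${LanOut}
${FwCMD} 700 deny ip from 240.0.0.0/4 to any out via ${LanOut}
# fragmented ICMP (disabled in the original, kept for reference)
#${FwCMD} 800 deny icmp from any to any frag
# broadcast ICMP on the modem interface
${FwCMD} 900 deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} 1000 deny log icmp from any to 255.255.255.255 out via ${LanOut}
# Outbound TCP opened by root (make install, cvsup): NAT'ed and logged.
${FwCMD} 1050 $skip log tcp from me to any out via ${LanOut} setup keep-state uid root
# The gateway itself may open outbound TCP connections.
# NOTE: `setup` matches only TCP SYN, so despite `ip` this rule does NOT
# cover the box's own UDP or ICMP - those need 2000 (ping), 2150 (DNS)
# and 3200 (NTP) below.
${FwCMD} 1100 allow log ip from me to any out via ${LanOut} setup keep-state
# Local services must not be reachable from the modem side. Rule 3300
# denies all inbound anyway; these are kept explicit and documented.
${FwCMD} 1200 deny ip from any to me 3306 via ${LanOut}   # mysql
${FwCMD} 1300 deny ip from any to me 3128 via ${LanOut}   # squid
${FwCMD} 1400 deny ip from any to me 80 via ${LanOut}     # apache
${FwCMD} 1500 deny ip from any to me 22 via ${LanOut}     # sshd
# LAN must not bypass squid: direct HTTP towards the modem is logged and dropped
${FwCMD} 1600 deny log ip from ${NetIn} to any 80 via ${LanOut}
# LAN -> squid (already covered by rule 150; kept for readability)
${FwCMD} 1700 allow ip from ${NetIn} to me 3128 via ${LanIn}
# selected hosts: SMTP / POP3 out, NAT'ed, stateful
${FwCMD} 1800 $skip log tcp from ${Pochta} to any 25 out via ${LanOut} setup keep-state
${FwCMD} 1850 $skip log tcp from ${Pochta} to any 110 out via ${LanOut} setup keep-state
# selected hosts: ICQ (5190) out. Now restricted to the modem interface
# (the LAN side is already allowed by 150) and stateful like the mail
# rules, so replies are matched by check-state instead of relying on the
# blanket `established` rule 3000.
${FwCMD} 1900 $skip log tcp from ${ICQ} to any 5190 out via ${LanOut} setup keep-state
# outbound ping from anyone; echo replies come back through check-state
${FwCMD} 2000 $skip log icmp from any to any out via ${LanOut} keep-state
# DNS. The original ruleset allowed TCP/53 only. Resolvers query over UDP
# first, and the box's own UDP is not covered by rule 1100 (`setup` is
# TCP-only), so every name lookup from the gateway - and with it squid,
# `ping host`, cvsup - fell through to the deny at 3400.
${FwCMD} 2100 $skip log tcp from any to any 53 out via ${LanOut} setup keep-state
${FwCMD} 2150 $skip log udp from any to any 53 out via ${LanOut} keep-state
# NOTE(review): `any` lets every LAN host talk to external DNS directly,
# which is a classic tunnel around a proxy-only policy. If the LAN hosts
# can use a resolver on this box, tighten both DNS rules to `from me`.
# autoconf / multicast / reserved must not leave the box either
${FwCMD} 2500 deny ip from 169.254.0.0/16 to any out via ${LanOut}
${FwCMD} 2600 deny ip from 224.0.0.0/4 to any out via ${LanOut}
${FwCMD} 2700 deny ip from 240.0.0.0/4 to any out via ${LanOut}
# Any TCP segment with ACK set, in both directions on every interface.
# NOTE(review): on the modem side this accepts inbound ACK-only segments
# to every local port not explicitly denied in 1200-1500 (ACK scans,
# spoofed RSTs), and the inbound deny at 3300 never sees them. All
# permitted flows are stateful now, so this rule only papers over dynamic
# rule expiry (net.inet.ip.fw.dyn_ack_lifetime for idle connections);
# consider removing it or limiting it to `out via ${LanOut}`.
${FwCMD} 3000 allow tcp from any to any established
# whois
${FwCMD} 3100 $skip tcp from any to any 43 out via ${LanOut} setup keep-state
# NTP
${FwCMD} 3200 $skip udp from any to any 123 out via ${LanOut} keep-state
# everything else on the modem side: log and drop
${FwCMD} 3300 deny log all from any to any in via ${LanOut}
${FwCMD} 3400 deny log all from any to any out via ${LanOut}
# skipto target for the outbound stateful rules: NAT the packet, then pass it
#${FwCMD} 10000 divert natd ip from ${NetIn} to ${IpOut} out via ${LanOut}
${FwCMD} 10000 divert natd ip from any to any out via ${LanOut}
${FwCMD} 10100 allow log ip from any to any
# catch-all: log whatever fell through (nothing should reach this rule)
${FwCMD} 20000 deny log all from any to any
#####################################################################
###End IPFW rules
#####################################################################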