pf.conf

[KObO]

Добрый день. Помогите плиз с pf.

Код: Выделить всё

wan_if="xl0"
lan_if="rl0"
loo_if="lo0"
def_host="x.x.x.x"
local_host="192.168.240.100"
lan_addr="192.168.240.0/24"
ext_addr="x.x.x.x"
#=================================================================
scrub in on $wan_if all
scrub out on $wan_if all
#=================================================================
table <ip_ints> persist file "/usr/local/etc/pf_table/ip_in"
table <ip_black> persist file "/usr/local/etc/pf_table/ip_black"
table <ssh_bruteforce> persist file "/usr/local/etc/pf_table/ssh_bruteforce"
table <ip_spam> persist file "/usr/local/etc/pf_table/ip_spam"
table <ip_permit> persist file "/usr/local/etc/pf_table/ip_permit"
table <ip_deny> persist file "/usr/local/etc/pf_table/ip_deny"
table <rfc1918> const { 10/8, 192.168/16, 172.16/12 }
#================================================================================================================
nat on $wan_if from $lan_addr  to any -> $wan_if
rdr on $lan_if inet proto { tcp, udp } from $lan_addr to ! $local_host port { www, 8080 } -> $loo_if port 3128
#================================================================================================================
pass in quick on $loo_if all
pass out quick on $loo_if all
#====================================================================
lock drop in quick on $wan_if inet6 all
block drop in quick on $wan_if from any to 255.255.255.255
block drop in quick on $wan_if from { <fc1918>, <ip_black> } to any
block drop in quick on $wan_if from <ssh_bruteforce>
block in log quick on $wan_if proto tcp from any to any flags SF/SF
block in log quick on $wan_if proto tcp from any to any flags SR/SR
antispoof for { $loo_if, $lan_if, $wan_if }

#====================================================================
#=============================== WAN ================================
block in on $wan_if
pass in quick on $wan_if proto { tcp, udp } from any to $ext_addr port { smtp, ftp } keep state
pass in on $wan_if inet proto { tcp, udp } from <ip_in> to $ext_addr port 22 keep state
pass in on $wan_if inet proto { tcp, udp } from <ip_in> to $ext_addr port 110
pass in on $wan_if inet proto icmp from any to $wan_if keep state
pass in on $wan_if proto tcp from any to $wan_if port 22 flags S/SA modulate state (max-src-conn-rate 4/30, overload <s
pass out on $wan_if keep state
#=========================== END of WAN =============================

#====================================================================
#=============================== LAN ================================
block in on $lan_if
pass in quick on $lan_if inet proto icmp from $lan_addr to any keep state
pass in quick on $lan_if inet proto tcp from $lan_addr to any port { smtp, pop3, ftp } keep state
pass in on $lan_if inet proto { tcp, udp} from $lan_addr to $local_host port 53 keep state
pass in quick on $lan_if inet proto { tcp, udp } from <ip_permit> to any port { 22, 25, 80, 110, 443, 2121, 3128, 5190
pass out on $lan_if keep state
#=========================== END of LAN =============================

Пытаюсь настроить полный выход из локалки для ip перечиланых в таблице <ip_permit> с перенапровлением в squid, что собственно и не получается.Остальным только smtp и pop3.

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[KObO]

UP

[Alex Keda]

Скорей всего все используют IPFW.