Подскажите где что не так?
firewall# uname -a
FreeBSD firewall.wv.ru 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Tue May 12 12:46:30 UTC 2009 root@firewall.wv.ru:/usr/obj/usr/src/sys/MYKERNEL i386
Ядро собрано с
Код: Выделить всё
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=1000
options IPFIREWALL_FORWARD
options IPDIVERT
options DUMMYNET
options IPFIREWALL_NAT
options LIBALIAS
Код: Выделить всё
hostname="firewall.wv.ru"
ifconfig_rl0="inet 192.168.10.254 netmask 255.255.255.0"
ifconfig_fxp0="inet 123.123.123.123 netmask 255.255.255.252"
defaultrouter="123.123.123.1"
sshd_enable="YES"
usbd_enable="YES"
firewall_enable="YES"
#firewall_nat_enable="YES"
#firewall_nat_interface="fxp0"
#firewall_nat_flags="/etc/natd.conf"
firewall_script="/etc/firewall.conf"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
gateway_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
squid_enable="YES"
Код: Выделить всё
fwcmd="ipfw"
######
lanout="fxp0"
lanin="rl0"
NatIP="123.123.123.1"
emule="212.112.238.21"
ipout="123.123.123.123"
ipin="192.168.10.254"
netmask="24"
netin="192.168.10.0"
${fwcmd} -f flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush
${fwcmd} table 1 add 192.168.10.222
${fwcmd} table 3 add 192.168.10.58
${fwcmd} table 1 add 192.168.10.27
${fwcmd} table 1 add 192.168.10.24
${fwcmd} table 1 add 192.168.10.54
${fwcmd} table 1 add 192.168.10.1
${fwcmd} table 1 add 192.168.10.5
${fwcmd} table 2 add 192.168.10.20
${fwcmd} table 3 add 192.168.10.21
${fwcmd} table 3 add 192.168.10.26
${fwcmd} table 3 add 192.168.10.30
${fwcmd} table 3 add 192.168.10.23
${fwcmd} table 2 add 192.168.10.36
${fwcmd} add pipe 1 ip from any to table\(1\) out via ${lanin}
${fwcmd} pipe 1 config bw 2Mbit/s
${fwcmd} add pipe 2 ip from any to table\(2\) out via ${lanin}
${fwcmd} pipe 2 config bw 1Mbit/s
${fwcmd} add pipe 3 ip from any to table\(3\) out via ${lanin}
${fwcmd} pipe 3 config bw 2Mbit/s
${fwcmd} add pipe 4 ip from any to table\(4\) out via ${lanin}
${fwcmd} pipe 4 config bw 1Mbit/s
###########
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add deny ip from 192.168.10.255 to any
${fwcmd} add deny ip from any to 192.168.10.255
${fwcmd} add deny ip from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
${fwcmd} add deny ip from any to 10.0.0.0/8 in via ${lanout}
${fwcmd} add deny ip from 192.168.10.1 to 8.255.2.254 in via ${lanout}
${fwcmd} add deny ip from 8.255.2.254 to 192.168.10.1 in via ${lanout}
${fwcmd} add deny ip from any to 172.16.0.0/12 in via ${lanout}
${fwcmd} add deny ip from any to 0.0.0.0/8 in via ${lanout}
${fwcmd} add deny ip from any to 169.254.0.0/16 in via ${lanout}
${fwcmd} add deny ip from any to 240.0.0.0/4 in via ${lanout}
${fwcmd} add deny icmp from any to any frag
${fwcmd} add deny icmp from any to 255.255.255.255 in via ${lanout}
${fwcmd} add deny icmp from any to 255.255.255.255 out via ${lanout}
${fwcmd} add fwd 127.0.0.1,3128 tcp from ${netin}/${netmask} to not 192.168.10.254 80
############ Kernel NAT
#${fwcmd} nat 123 config ip ${NatIP} log reset same_ports
#${fwcmd} add nat 123 ip from 192.168.10.0/24 to any
#${fwcmd} add nat 123 ip from any to 192.168.10.0/24
#${fwcmd} add nat 123 ip from any to ${NatIP}
############ NATD
${fwcmd} add divert natd ip from ${netin}/${netmask} to any out via ${lanout}
${fwcmd} add divert natd ip from any to ${ipout} in via ${lanout}
############
${fwcmd} add allow tcp from any to 192.168.10.58 4000-20011
${fwcmd} add allow udp from any to 192.168.10.58 4000-20011
${fwcmd} add allow tcp from 192.168.10.58 4000-20011 to any
${fwcmd} add allow udp from 192.168.10.58 4000-20011 to any
#####
${fwcmd} add allow tcp from any to 192.168.10.5 2112 via ${lanout}
${fwcmd} add allow tcp from any to 192.168.10.5 2112 via ${lanin}
${fwcmd} add allow tcp from any to 192.168.10.5 49152-65535
${fwcmd} add allow tcp from any 49152-65535 to 192.168.10.5
${fwcmd} add allow tcp from any to ${ipout} 22198 via ${lanout}
${fwcmd} add allow tcp from any to 192.168.10.5 25,7060
${fwcmd} add allow tcp from ${netin}/${netmask} to 89.111.176.249 110,25 via ${lanin} keep-state
${fwcmd} add allow tcp from ${netin}/${netmask} to 212.114.13.1 110,25 via ${lanin} keep-state
${fwcmd} add allow tcp from ${netin}/${netmask} to any 443,5190,2041,2042 via ${lanin} keep-state
${fwcmd} add allow tcp from ${netin}/${netmask} to 192.168.10.254 80 via ${lanin} keep-state
${fwcmd} add allow tcp from 192.168.10.5 25,7060 to any
${fwcmd} add deny ip from 10.0.0.0/8 to any out via ${lanout}
${fwcmd} add deny ip from 172.16.0.0/12 to any out via ${lanout}
${fwcmd} add deny ip from 0.0.0.0/8 to any out via ${lanout}
${fwcmd} add deny ip from 169.254.0.0/16 to any out via ${lanout}
${fwcmd} add deny ip from 224.0.0.0/4 to any out via ${lanout}
${fwcmd} add deny ip from 240.0.0.0/4 to any out via ${lanout}
###################################################################
${fwcmd} add allow tcp from any to any established
${fwcmd} add allow ip from ${ipout} to any out xmit ${lanout}
${fwcmd} add allow udp from any 53 to any via ${lanout}
${fwcmd} add allow icmp from any to any icmptypes 0,8,11
${fwcmd} add allow tcp from 192.168.10.5 to any via ${lanin} keep-state
##############################
${fwcmd} add allow tcp from table\(1\) to any via ${lanin} keep-state
${fwcmd} add allow tcp from table\(2\) to any via ${lanin} keep-state
#######################################################################
${fwcmd} add allow udp from any to any via ${lanin}
${fwcmd} add deny log tcp from any to any
Код: Выделить всё
interface fxp0
same_ports yes
unregistered_only yes
redirect_port tcp 192.168.10.5:2112 2112
redirect_port tcp 192.168.10.5:25 25
redirect_port tcp 192.168.10.58:4661 4661
redirect_port udp 192.168.10.58:4661 4661
