Все deny закоменчены. Симптомы как и в заведомо рабочем конфиге: не выполняется правило add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80 via ${LanOut} со всеми вытекающими.
За безвозмездную помощь буду очень благодарен.
в ядре:
Код: Выделить всё
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD
options IPDIVERT
options DUMMYNET
options IPFIREWALL_DEFAULT_TO_ACCEPT
Код: Выделить всё
ifconfig_rl0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_nfe0="inet 100.100.1.5 netmask 255.255.255.0"
router_flags="-q"
router="/sbin/routed"
router_enable="YES"
defaultrouter="192.168.1.1"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-m -u"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/rc.firewall"
firewall_logging="YES"
Код: Выделить всё
FwCMD="/sbin/ipfw"
LanOut="rl0" #- сетевуха смотрит в dsl модем
LanIn="nfe0" #- сетевуха смотрит в локальную сеть
IpOut="192.168.1.2" #- ip сетевухи смотрящей в модем
IpIn="100.100.1.5" #- ip сетевухи смотрящей в локальную сеть
NetMask="24" #
NetIn="100.100.1.0" # - локальная сеть из которой надо ходить в интернет
${FwCMD} -f flush
${FwCMD} add check-state
${FwCMD} add allow ip4 from any to any via lo0
#${FwCMD} add deny ip4 from any to 127.0.0.0/8
#${FwCMD} add deny ip4 from 127.0.0.0/8 to any
#${FwCMD} add deny ip4 from any to 10.0.0.0/8 in via ${LanOut}
#${FwCMD} add deny ip4 from any to 172.16.0.0/12 in via ${LanOut}
#${FwCMD} add deny log ip4 from any to 192.168.0.0/16 in via ${LanOut}
#${FwCMD} add deny ip4 from any to 0.0.0.0/8 in via ${LanOut}
#${FwCMD} add deny ip4 from any to 169.254.0.0/16 in via ${LanOut}
#${FwCMD} add deny ip4 from any to 240.0.0.0/4 in via ${LanOut}
#${FwCMD} add deny icmp from any to any frag
#${FwCMD} add deny icmp from any to 255.255.255.255 in via ${LanOut}
#${FwCMD} add deny icmp from any to 255.255.255.255 out via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetIn}/${NetMask} to any 80 via ${LanOut}
${FwCMD} add divert natd ip4 from ${NetIn}/${NetMask} to any out via ${LanOut}
${FwCMD} add divert natd ip4 from any to ${IpOut} in via ${LanOut}
#${FwCMD} add deny ip4 from 10.0.0.0/8 to any out via ${LanOut}
#${FwCMD} add deny ip4 from 172.16.0.0/12 to any out via ${LanOut}
#${FwCMD} add deny log ip4 from 192.168.0.0/16 to any out via ${LanOut}
#${FwCMD} add deny ip4 from 0.0.0.0/8 to any out via ${LanOut}
#${FwCMD} add deny ip4 from 169.254.0.0/16 to any out via ${LanOut}
#${FwCMD} add deny ip4 from 224.0.0.0/4 to any out via ${LanOut}
#${FwCMD} add deny ip4 from 240.0.0.0/4 to any out via ${LanOut}
${FwCMD} add allow tcp from any to any established
${FwCMD} add allow ip4 from ${IpOut} to any out xmit ${LanOut}
${FwCMD} add allow udp from any 53 to any via ${LanOut}
${FwCMD} add allow udp from any to any 53 via ${LanOut}
${FwCMD} add allow udp from any to any 123 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 21 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 49152-65535 via ${LanOut}
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
${FwCMD} add allow tcp from any to ${IpOut} 80 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 22 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 143 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 110 via ${LanOut}
${FwCMD} add allow tcp from any to any via ${LanIn}
${FwCMD} add allow udp from any to any via ${LanIn}
${FwCMD} add allow icmp from any to any via ${LanIn}
${FwCMD} add allow all from any to any
${FwCMD} add deny log ip from any to any
Код: Выделить всё
00100 0 0 check-state
00200 640 1832488 allow ip4 from any to any via lo0
00300 0 0 fwd 100.100.1.5,3128 tcp from 100.100.1.0/24 to any dst-port 80 via rl0
00400 19 1185 divert 8668 ip4 from 100.100.1.0/24 to any out via rl0
00500 0 0 divert 8668 ip4 from any to 192.168.1.2 in via rl0
00600 446 44221 allow tcp from any to any established
00700 0 0 allow ip4 from 192.168.1.2 to any out xmit rl0
00800 0 0 allow udp from any 53 to any via rl0
00900 19 1185 allow udp from any to any dst-port 53 via rl0
01000 0 0 allow udp from any to any dst-port 123 via rl0
01100 0 0 allow tcp from any to 192.168.1.2 dst-port 21 via rl0
01200 0 0 allow tcp from any to 192.168.1.2 dst-port 49152-65535 via rl0
01300 0 0 allow icmp from any to any icmptypes 0,8,11
01400 0 0 allow tcp from any to 192.168.1.2 dst-port 80 via rl0
01500 0 0 allow tcp from any to 192.168.1.2 dst-port 22 via rl0
01600 0 0 allow tcp from any to 192.168.1.2 dst-port 143 via rl0
01700 0 0 allow tcp from any to 192.168.1.2 dst-port 110 via rl0
01800 0 0 allow tcp from any to any via nfe0
01900 154 12482 allow udp from any to any via nfe0
02000 0 0 allow icmp from any to any via nfe0
02100 38 5231 allow ip from any to any
02200 0 0 deny log logamount 100 ip from any to any
65535 0 0 allow ip from any to any