мой конфиг:
# pf.conf excerpt as posted. Rules are evaluated top-down and the last matching
# rule wins unless it is marked "quick", so the order below is significant.
# The altq queues (qssh, qack, qntp, qdns, qlan) and the <SSH> table are
# referenced but not defined in this excerpt — presumably elsewhere in the file.

# Interface and address macros: rl1 faces the Internet, rl0 the LAN.
vne = "rl1"
vnu = "rl0"
lan = "192.168.0.0/24"
dns_serv = "81.28.160.1"
proxy_port = "3128"
proxy_if = "lo0"
# Source ranges that must never arrive on the external interface (loopback,
# RFC 1918, link-local, TEST-NET, "this" network, class E).
non_route_nets_inet = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
# The only ICMP types accepted by the final rule.
allowed_icmp_types = "{ echoreq, unreach }"

# Blocked packets are dropped silently rather than answered with RST/unreachable.
set block-policy drop
# Loopback is never filtered; the proxy redirect below targets lo0.
set skip on lo0
# Reassemble fragments and normalize every packet before filtering.
scrub all

# Source-NAT outbound HTTPS and mail (smtp, pop3, pop3s, smtps) to the external address.
# NOTE(review): "from $vnu" expands to the address of rl0 itself, not to the LAN
# network; if LAN hosts are meant to be translated this should probably read
# "from $lan" — confirm.
nat on $vne proto tcp from $vnu to any port { 443, 25, 110, 995, 465 } -> $vne
# Transparent proxy: LAN HTTP requests are redirected to the local proxy on lo0:3128.
rdr on $vnu proto tcp from $lan to any port www -> $proxy_if port $proxy_port
# Inbound RDP on the external address is redirected into the LAN.
# NOTE(review): the target is the whole $lan network, not a single host; pf treats
# a network target as an address pool, so the redirect may land on any address in
# 192.168.0.0/24 — pin this to the intended host.
rdr on $vne proto tcp from any to $vne port rdp -> $lan port rdp

# Default deny inbound on the external interface only. There is no "block all":
# inbound traffic on $vnu from $lan and all outbound traffic pass unless a later
# rule blocks them, so most of the $vnu "pass in" rules below only add queueing.
block in on $vne
# Drop packets whose source address does not belong on the arriving interface.
antispoof log quick for { lo0, $vnu, $vne }
# Drop bogon sources arriving from the Internet.
block drop in log quick on $vne from $non_route_nets_inet to any
# Only LAN addresses may enter the internal interface.
block drop in log quick on $vnu from !$lan to any
# Sources that tripped the SSH rate limit below are dropped on every interface.
# NOTE(review): no "table <SSH> persist" declaration is visible here; pfctl
# requires one for an overload table — confirm it exists elsewhere in the file.
block drop log quick from <SSH>

# SSH from the LAN and from the Internet: synproxy completes the handshake before
# the kernel sees it, and any source opening more than 1 connection per 60 s is
# added to <SSH> and has all of its existing states flushed.
pass in on $vnu proto tcp from $lan to $vnu port ssh queue ( qssh, qack ) synproxy state ( max-src-conn-rate 1/60, overload <SSH> flush global )
pass in on $vne proto tcp from any to $vne port ssh queue ( qssh, qack ) synproxy state ( max-src-conn-rate 1/60, overload <SSH> flush global )
# Accepts the LAN HTTP traffic that the rdr rule above rewrote to the proxy port.
pass in on $vnu proto tcp from $lan to any port $proxy_port
# LAN NTP and DNS, each in its own queue.
pass in on $vnu proto udp from $lan to any port ntp queue qntp keep state
pass in on $vnu proto udp from $lan to any port domain queue qdns keep state
# NOTE(review): this matches RDP arriving on the *internal* interface, and the
# quick block on $vnu from !$lan above already drops non-LAN sources there, so it
# does not appear to admit the externally redirected RDP flow, which arrives on
# $vne and is caught by "block in on $vne". If that flow is intended, a
# "pass in on $vne proto tcp from any to $lan port rdp" rule looks necessary — confirm.
pass in on $vnu proto tcp from any to $lan port rdp queue ( qlan, qack ) synproxy state

# The firewall's own outbound NTP, HTTP (with ISN modulation) and DNS; DNS is
# pinned to the single configured resolver.
pass out on $vne proto udp from $vne to any port ntp keep state queue qntp
pass out on $vne proto tcp from $vne to any port www modulate state
pass out on $vne proto udp from $vne to $dns_serv port domain keep state queue qdns
# NOTE(review): this exposes TCP/80 on the external address to the whole Internet;
# confirm a service is meant to listen there (the proxy rdr above only applies to
# LAN traffic on $vnu, not to this rule).
pass in log on $vne proto tcp from any to $vne port www synproxy state
# Echo requests and unreachables are allowed on every interface in both directions, logged.
pass log inet proto icmp all icmp-type $allowed_icmp_types