Code:
FreeBSD gateway 9.1-RELEASE amd64
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=40198<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
ether 00:22:4d:67:87:64
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::222:4dff:fe67:8764%em0 prefixlen 64 scopeid 0x1
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=42198<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
ether 00:22:4d:67:87:63
inet 1.1.1.2 netmask 0xfffffffc broadcast 1.1.1.3
inet6 fe80::222:4dff:fe67:8763%em1 prefixlen 64 scopeid 0x3
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: active
Code:
# ipfw command (defined by /etc/rc.firewall; set here so the snippet runs on its own)
fwcmd="/sbin/ipfw"
#***********************networks
wan_lan="1.1.1.1/30"
lan_net="192.168.0.0/24"
#***********************interfaces
lan_int="em0"
wan_int="em1"
ng0_int="ng0"
ng1_int="ng1"
ng2_int="ng2"
#***********************ip per interface
wan_ip="1.1.1.2"
lan_ip="192.168.0.1"
#************************tables
# table 1: private, link-local, reserved and multicast ranges that must never appear on the WAN
${fwcmd} table 1 add 10.0.0.0/8
${fwcmd} table 1 add 192.168.0.0/16
${fwcmd} table 1 add 172.16.0.0/12
${fwcmd} table 1 add 169.254.0.0/16
${fwcmd} table 1 add 240.0.0.0/4
${fwcmd} table 1 add 224.0.0.0/4
#************************reset
${fwcmd} -f flush
${fwcmd} -f table 0 flush
#************************allow loopback
${fwcmd} add 20 pass all from any to any via lo0
#************************deny 127.0.0.0/8 anywhere except lo0
${fwcmd} add 30 deny log all from any to 127.0.0.0/8
${fwcmd} add 40 deny log all from 127.0.0.0/8 to any
#************************brute-force shield: hosts in table 0 may only send icmp to this host
${fwcmd} add 50 deny not icmp from "table(0)" to me
#************************shield the WAN interface against the ranges in table 1
${fwcmd} add 100 deny all from "table(1)" to any in via ${wan_int}
${fwcmd} add 110 deny all from any to "table(1)" in via ${wan_int}
#*************************deny invalid tcp flag combinations
${fwcmd} add 120 deny log tcp from any to any not established tcpflags fin
${fwcmd} add 130 deny log tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
${fwcmd} add 140 deny log tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
#*****************************nat in
# nat instance 1 on the WAN address; deny_in drops inbound packets that do not
# belong to a session this instance already knows
${fwcmd} nat 1 config log ip 1.1.1.2 same_ports reset deny_in
# inbound traffic to the WAN address goes through nat 1
${fwcmd} add 200 nat 1 ip from any to 1.1.1.2 in via ${wan_int}
#************************ allow everything on the lan interface
${fwcmd} add 250 allow all from any to any via ${lan_int}
#************************* ng (vpn) interfaces: allow everything
${fwcmd} add 300 allow all from any to any via ${ng0_int}
${fwcmd} add 310 allow all from any to any via ${ng1_int}
#*****************************nat rules
# nat instance 2: redirect to the telephony server
# (no "add ... nat 2" rule below references this instance yet)
${fwcmd} nat 2 config log if em1 same_ports reset deny_in redirect_port tcp 192.168.0.2:37979 37979
# test: allow inbound traffic to the server's external interface
${fwcmd} add 400 allow ip from any to any in via ${wan_int}
#****************************nat out
# outbound connections from the local net go through nat 1
${fwcmd} add 500 nat 1 ip from 192.168.0.0/24 to any out via ${wan_int}
#*****************************server rules: wan_int access
# allow ip out on the external interface
${fwcmd} add 600 allow ip from any to any out via ${wan_int}
# deny everything not explicitly allowed
${fwcmd} add 65000 deny all from any to any
The actual problem: if I set deny_in
Code:
${fwcmd} nat 1 config log ip 1.1.1.2 same_ports reset deny_in
the VPNs to the remote offices don't come up. Also, from the server itself not even the provider's gateway 1.1.1.1 can be pinged.
Apparently there's a mistake somewhere.

I can't figure out where exactly yet.
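The symptom described in the post follows from what deny_in does: a nat instance configured with deny_in drops every inbound packet that does not belong to a session the instance created itself, and a session is only created when the matching outbound packet passed through that same instance. Rule 500 sends only 192.168.0.0/24 through nat 1 on the way out, so packets the gateway itself originates (its pings to 1.1.1.1, the VPN tunnels it builds to the remote offices) never create a session, and their replies are dropped by rule 200. The script below is an added example, not the poster's rc.firewall: a dry-run check that reads a rule list in the form the post uses (the arguments after `ipfw`, as a run with `fwcmd=echo` would print them) and reports every deny_in instance that is referenced by rules but has no outbound nat rule covering the host itself (`from any` or `from me`). The sample rule sets are constructed from the lines in the post; the "corrected" set widens rule 500 to `from any to any out`, which is the usual fix when deny_in is to be kept.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an ipfw rule list for the
# deny_in pitfall. check_deny_in reads rules on stdin (one per line, written as
# the arguments that follow "ipfw") and prints one line per problem.
# Exit status: 0 = nothing found, 1 = a deny_in instance without host coverage.
check_deny_in() {
    awk '
        # "nat 1 config log ip 1.1.1.2 same_ports reset deny_in"
        $1 == "nat" && $3 == "config" {
            for (i = 4; i <= NF; i++)
                if ($i == "deny_in") denyin[$2] = 1
            next
        }
        # "add 500 nat 1 ip from 192.168.0.0/24 to any out via em1"
        # (the rule number after "add" is optional, so scan for the tokens)
        $1 == "add" {
            inst = ""; src = ""; out = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "nat" && inst == "") inst = $(i + 1)
                if ($i == "from") src = $(i + 1)
                if ($i == "out") out = 1
            }
            if (inst != "") used[inst] = 1
            # an outbound nat rule whose source is any/me creates sessions
            # for the gateway itself, which deny_in needs to let replies in
            if (inst != "" && out && (src == "any" || src == "me"))
                hostout[inst] = 1
            next
        }
        END {
            rc = 0
            for (n in denyin) {
                if (!(n in used))
                    printf "nat %s: configured but not referenced by any rule\n", n
                else if (!(n in hostout)) {
                    printf "nat %s: deny_in set, but no outbound nat rule covers the host itself (from any|me)\n", n
                    rc = 1
                }
            }
            exit rc
        }'
}

# Constructed sample: the nat-related lines from the post, ${fwcmd} stripped.
ORIG_RULES='nat 1 config log ip 1.1.1.2 same_ports reset deny_in
add 200 nat 1 ip from any to 1.1.1.2 in via em1
add 250 allow all from any to any via em0
nat 2 config log if em1 same_ports reset deny_in redirect_port tcp 192.168.0.2:37979 37979
add 400 allow ip from any to any in via em1
add 500 nat 1 ip from 192.168.0.0/24 to any out via em1
add 600 allow ip from any to any out via em1
add 65000 deny all from any to any'

# Same set with rule 500 widened so the gateway'"'"'s own outbound packets also
# pass through nat 1 and create the sessions that deny_in requires.
FIXED_RULES=$(printf '%s\n' "$ORIG_RULES" |
    sed 's|^add 500 nat 1 ip from 192.168.0.0/24 to any out|add 500 nat 1 ip from any to any out|')

echo "--- rule set from the post"
printf '%s\n' "$ORIG_RULES" | check_deny_in || echo "=> deny_in problem found"
echo "--- corrected rule set"
printf '%s\n' "$FIXED_RULES" | check_deny_in && echo "=> ok"
```

Run it as-is to see both verdicts, or feed it a real dump with `sh /etc/rc.firewall` run under `fwcmd=echo` piped through `sed 's/^echo //'`. The check only looks at rule text; it does not tell you whether a nat rule is reachable, so a permissive `allow` placed before the nat rules would still have to be spotted by eye.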
