Код: Выделить всё
#!/bin/sh
. /etc/rc.subr
# IPFW binary
FwCMD="/sbin/ipfw "
# ext if
LanOut="rl1"
# ext lan
NetOut="81.30.*.126/27"
# ext ip
IpOut="81.30.*.126"
# int if
LanIn="rl0"
# int lan
NetIn="192.168.0.0/24"
# int addr mask
ip_lan="192.168.0"
# LuckyNet
LuckyNet="192.168.1.0/24"
# JuiceNet
JuiceNet="192.168.0.0/24"
${FwCMD} -f flush
${FwCMD} add allow ip from any to any via lo0
# JuiceNet <-> LuckyNet
${FwCMD} add allow all from ${LuckyNet} to ${JuiceNet}
${FwCMD} add allow all from ${JuiceNet} to ${LuckyNet}
# deny packets `from intlan, but ext if`
${FwCMD} add deny ip from ${NetIn} to any in via ${LanOut}
# deny packets `from extlan, but int if`
${FwCMD} add deny ip from ${NetOut} to any in via ${LanIn}
#deny private nets on ext if
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
# drop autoconfig private net
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
# drop multicast
${FwCMD} add deny ip from any to 224.0.0.0/4 in via ${LanOut}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}
# drop frag icmp
${FwCMD} add deny icmp from any to any frag
# drop broadcast icmp ext if wid log
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${LanOut}
# transsquid
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${NetIn} to any 80 via ${LanOut}
# NATting
${FwCMD} add divert natd ip from ${NetIn} to any out via ${LanOut}
${FwCMD} add divert natd ip from any to ${IpOut} in via ${LanOut}
# drop private nets via ext
# THESE RULES DIFFERS FROM ABOVE !!!
${FwCMD} add deny ip from 10.0.0.0/8 to any out via ${LanOut}
${FwCMD} add deny ip from 192.168.0.0/16 to any out via ${LanOut}
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ${LanOut}
# drop autoconfigured private net
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ${LanOut}
# drop multicasts
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ${LanOut}
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ${LanOut}
# ICMP echo-request, echo-reply, ttl expiried allowed
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
# Internal Lan allowd on internal iface (inbound)
${FwCMD} add allow ip from any to ${NetIn} in via ${LanIn}
# Internal Lan allowd on internal iface (outbound)
${FwCMD} add allow ip from ${NetIn} to any out via ${LanIn}
# all established tcp allowed
${FwCMD} add allow tcp from any to any established
#DNS
${FwCMD} add allow udp from any 53 to ${IpOut} in via ${LanOut}
${FwCMD} add allow udp from ${IpOut} to any 53 out via ${LanOut}
# WWW
${FwCMD} add allow tcp from any to ${IpOut} 80 in via ${LanOut} setup
# FTP
${FwCMD} add allow tcp from any to ${IpOut} 20,21 in via ${LanOut} setup
# SSH A
${FwCMD} add allow tcp from any to ${IpOut} 22 in via ${LanOut} setup
# Jabber
${FwCMD} add allow tcp from any to ${IpOut} 5222,5223,5269,9090 in via ${LanOut} setup
#IRC
${FwCMD} add allow tcp from any to ${IpOut} 6667-6699 in via ${LanOut} setup
########### BEGIN USERS ###############################
# POP/SMTP allowed
${FwCMD} add allow tcp from ${NetIn} to smtp.masterhost.ru 25 in via ${LanIn} setup
${FwCMD} add allow tcp from ${NetIn} to pop.masterhost.ru 110 in via ${LanIn} setup
#ICQ allowed (Olesya)
${FwCMD} add allow tcp from 192.168.0.21 to any 5190 in via ${LanIn} setup
# All traffic allowed
${FwCMD} add allow tcp from 192.168.0.199 to any in via ${LanIn} setup
############# END USERS #################################
Почему то не идет форвард на проксик (прозрачность на сквиде настроена).
LuckyNet<->JuiceNet - это гиф туннель между филиалами (не пашет ).
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 81.30.*.126 --> 81.30.*.86
inet 172.16.1.1 --> 172.16.1.2 netmask 0xfffffffc
Где я накосячил и в какую сторону копать?