Вопрос с ipf и ipnat снят, заменил на PF, но и в нем проблема появилась
Пересобрал софт (squid), ведро с
Код: Выделить всё
######### PF Filter & ALTQ #############
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
Сам конфиг pf.conf имеет вид:
Код: Выделить всё
ext_if="fxp1"
int_if="fxp0"
internal_net="192.168.0.0/24"
external_addr="111.111.111.111"
lo0="127.0.0.1"
tcp_services = "{ 5999, 53, 443, 5190, 1521 }"
udp_services = "{ domain, ntp }"
serv_ip = "{ 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7, 192.168.0.8, 192.168.0.9, 192.168.0.10 }"
vip_ip = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22, 192.168.0.23, 192.168.0.24, 192.168.0.25, 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29, 192.168.0.30, 192.168.0.31, 192.168.0.32, 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/24 }"
scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)
#nat on $ext_if from $vip_ip to any -> ($ext_if)
#nat on $ext_if from $vip_ip to any -> $external_addr
#nat on $ext_if from $serv_ip to any -> $external_addr
# squid forwarding
rdr pass on $int_if proto tcp from $internal_net to any port { 21, 80, 8080 } -> lo0 port 3128
#no rdr on $int_if from $serv_ip to any
nat on $ext_if from $vip_ip to any -> $external_addr
nat on $ext_if from $serv_ip to any -> $external_addr
pass in quick on $int_if inet proto tcp from any to lo0 port 3128 keep state
pass out quick on $ext_if inet proto tcp from any to any port 80 keep state
#DNS
pass out proto tcp to any port domain keep state
pass proto udp to any port domain keep state
#set optimization normal
#set block-policy drop
#set loginterface $ext_if
pass quick on lo0 all
block quick log from any os NMAP
block log all
block in quick on $ext_if from $internal_net to any
block out quick on $ext_if from any to $internal_net
antispoof for $ext_if
# terminal access support
#pass in proto tcp from $terminal_source to any port $terminal_port #flags S/SA keep state
#pass out proto tcp from $internal_net to $terminal_source port $terminal_port #flags S/SA keep state
# ftp support
#pass in proto { tcp, udp } from any to any port { 20, 21 } keep state
#pass out proto { tcp, udp } from any to any port { 20, 21 } keep state
# ssh support
pass in proto tcp from any to any port 23775 flags S/SA keep state
pass out proto tcp from any to any port 23775 flags S/SA keep state
# allow tcp services
pass in quick proto tcp from any to any port $tcp_services flags S/SA keep state
pass out proto tcp from any to any port $tcp_services flags S/SA keep state
# allow upd services
pass quick inet proto udp to any port $udp_services keep state
pass out proto udp to any port $udp_services keep state
# in/out ping requets support
pass in proto icmp from any to any keep state
pass out proto icmp from any to any keep state
# allow requests to/from web server
pass in log on $int_if proto tcp from $internal_net to $int_if port 80 flags S/SA
pass out log on $int_if proto tcp from any to $internal_net port 80 flags S/SA
pass in on $ext_if proto tcp from any to $ext_if port 80 keep state flags S/SA
pass out on $ext_if proto tcp from $ext_if to any port 80 keep state flags S/SA
pass in log all
pass out log all
Не могу понять, как в PF можно сделать исключение из правила.
Мне нужно всю сеть завернуть на squid но при этом избранные IP и IP серверов пустить на пряму.
Чередование правил я полагаю эффекта не даёт
.
Как можно обойти это...
При данных правилах нужные ИП также как и остальные заворачиваються на прокси