Конфиг фаера:
Код: Выделить всё
01000 0 0 allow ip from any to any via lo0
02800 115 8929 nat 1 ip from any to 10.1.1.2 in via vr0
02850 7 617 nat 1 ip from table(4) to any out via vr0
03600 0 0 allow ip from any to 10.0.0.0/24 in via vr1
03700 0 0 allow ip from 10.0.0.0/24 to any out via vr1
03800 0 0 check-state
04000 0 0 allow icmp from any to any icmptypes 0,8,11
04100 123 24326 allow tcp from any to any established
04200 0 0 allow udp from any to 10.1.1.2 dst-port 53 in via vr0
04300 0 0 allow udp from 10.1.1.2 53 to any out via vr0 keep-state
04400 0 0 allow udp from any 53 to 10.1.1.2 in via vr0
04500 0 0 allow udp from 10.1.1.2 to any dst-port 53 out via vr0 keep-state
04600 0 0 allow tcp from any to 10.1.1.2 dst-port 53 in via vr0 setup
04800 0 0 allow tcp from any to 10.1.1.2 dst-port 22 in via vr0 setup limit src-addr 3
05000 0 0 allow tcp from any to 10.1.1.2 dst-port 1723 in via vr0 setup limit src-addr 50
05050 0 0 allow tcp from any to 10.1.1.2 dst-port 4321 in via vr0 setup limit src-addr 30
05100 0 0 allow gre from any to any
05700 0 0 allow udp from any 53 to 10.0.0.0/24 in via vr0
05800 0 0 allow udp from any 53 to 10.0.0.0/24 out via vr1 keep-state
05900 0 0 allow udp from 10.0.0.0/24 to any dst-port 53 in via vr1
06100 0 0 deny tcp from any to 10.1.1.2 in via vr0 setup
06200 0 0 allow tcp from 10.1.1.2 to any out via vr0 setup keep-state
06300 0 0 allow tcp from any to 10.1.1.2 in via vr1 setup
06400 0 0 deny tcp from table(1) to table(3) in via vr1 setup
06501 0 0 allow tcp from table(1) to not 10.0.0.0/24 in via vr1 setup limit src-addr 300
06502 0 0 allow tcp from table(2) to not 10.0.0.0/24 in via vr1 setup limit src-addr 100
65535 138 8697 deny ip from any to anyКод: Выделить всё
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=1000
options IPFIREWALL_NAT
options LIBALIAS
options ROUTETABLES=2
options HZ=1000
