Freebsd 7.2 (PC-BSD)
polzovatelej pustit chez proksi. // avtorizaciya po loginu porolu
192.168.21.2 - adres usera .3 .4 .5
77.108.99.210 - adres provajdera
87.245.190.122 - DNS
192.168.21.1 - proksi
/U usera vistavil shluz i DNS 192.168.21.1
/etc/rc.firewall // sdelal bakap
Propisal svoj varian/ POCHTU i ICQ - PUSTIL CHEREZ NAT
rc.firewall
Код: Выделить всё
ournet='192.168.21.0/24'
uprefix='192.168.21'
ifout='sis0'
ifuser='rl0'
ports=pop3,ftp
vse=192.168.21.2
vip2=192.168.21.3
vip=192.168.21.4,192.168.21.5
allowedports="22,25,53,110,143"
natusers="192.168.21.2,192.168.21.3,192.168.21.4"
icq_users="192.168.21.2,192.168.21.3"
msn_users="192.168.21.2,192.168.21.3"
icq_port="5190,5180,5181"
msn_port="1863,443"
jabber="5222,5223,7777"
allowed_nets="77.108.99.0/24"
ipfw add 50 divert natd all from ${natusers} to any ${allowedports},${jabber},${icq_port},${msn_port} out via sis0
ipfw add 51 divert natd all from ${icq_users} to any ${icq_port} out via sis0
ipfw add 52 divert natd all from ${msn_users} to any ${msn_port} out via sis0
ipfw add 53 divert natd icmp from ${natusers} to any out via sis0
ipfw add 54 divert natd all from ${natusers} to any ftp,1024-65535 out via sis0
ipfw add 60 divert natd all from any to 192.168.0.100 in via sis0
${fwcmd} add 97 allow all from any to me ssh
#${fwcmd} add 200 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${fwcmd} add 210 allow all from 10.220.138.221 to me
${fwcmd} add 220 allow all from me to 10.220.138.221
${fwcmd} add 230 drop all from any to me 3128 via ${ifout}
${fwcmd} add 300 allow ip from any to any via lo0
${fwcmd} add 310 allow tcp from me to any keep-state via ${ifout}
${fwcmd} add 320 allow icmp from any to any
${fwcmd} add 330 allow udp from me to any domain keep-state
${fwcmd} add 340 allow udp from any to me domain
${fwcmd} add 350 allow ip from me to any
${fwcmd} add 49 fwd 127.0.0.1,3128 tcp from ${ournet} to any http out via ${ifout}
${fwcmd} add 400 allow all from 192.168.10.0/24 to any 5222,5223,5269,10015,5262,7777 via sis0
${fwcmd} add allow all from any to me http,https,ssh,ftp,smtp,pop3,5222,5223,5269,10015,5262,7777
#${fwcmd} add deny all from any to me via sis0
#${fwcmd} add 1000 allow all from ${ournet} to me
ipfw pipe 1 config mask dst-ip 0xffffffff bw 19Kbit/s
ipfw pipe 11 config mask src-ip 0xffffffff bw 19Kbit/s
ipfw queue 1 config pipe 1 weight 50 queue 20 mask dst-ip 0xffffffff
ipfw queue 11 config pipe 11 weight 50 queue 20 mask src-ip 0xffffffff
ipfw pipe 2 config mask dst-ip 0xffffffff bw 33Kbit/s
ipfw pipe 22 config mask src-ip 0xffffffff bw 33Kbit/s
ipfw queue 2 config pipe 2 weight 50 queue 20 mask dst-ip 0xffffffff
ipfw queue 22 config pipe 22 weight 50 queue 20 mask src-ip 0xffffffff
ipfw pipe 3 config mask dst-ip 0xffffffff bw 256Kbit/s
ipfw pipe 33 config mask src-ip 0xffffffff bw 256Kbit/s
ipfw queue 3 config pipe 3 weight 100 queue 40 mask dst-ip 0xffffffff
ipfw queue 33 config pipe 33 weight 100 queue 40 mask src-ip 0xffffffff
ipfw add reject tcp from any to any tcpflags fin, syn, rst, psh, ack, urg
ipfw add reject tcp from any to any tcpflags !fin, !syn, !rst, !psh, !ack, !urg
ipfw add reject log tcp from any to any not established tcpflags fin
ipfw add deny log ip from any to any not verrevpath in via sis0
ipfw add count all from any to any
${fwcmd} add 1001 queue 3 all from ${allowed_nets} to ${natusers} via sis0
${fwcmd} add 1002 queue 33 all from ${natusers} to ${allowed_nets} via sis0
${fwcmd} add 1003 queue 2 all from any to ${natusers} via sis0
${fwcmd} add 1004 queue 22 all from ${natusers} to any via sis0
${fwcmd} add 1005 pass all from ${natusers} to any
${fwcmd} add 1006 pass all from any to ${natusers}
1. icq i Pochta - rabotaut tolko esli ukazivayu DNS provajdera - a ne proksi/
2. ne vighu trafik pochti i icq v squid
rc.conf
Код: Выделить всё
# Enable the firewall
#pf_rules="/etc/pf.conf"
#pf_rules_enable="YES"
#pf_enable="YES"
#pflog_logfile="/var/log/pf.log"
#pf_flags=""
# Enable ipfw and open it by default since we have PF
firewall_enable="YES"
firewall_type="closed"
firewall_type="/etc/rc.firewall"
snddetect_enable="YES"
mixer_enable="YES"
bsdstats_enable="YES"
hostname="pcbsd"
ifconfig_rl0="inet 192.168.21.1 netmask 255.255.255.0"
ifconfig_sis0="inet 77.108.99.210 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
natd_enable="YES"
natd_interface="sis0"
natd_flags=" -m -s -u -punch_fw 5000:5200"
gateway_enable="YES"
apache_enable="YES"
squid_enable="YES"
mysql_enable="YES"
sams_enable="YES"