правили фаервола брал из ститьи лиса
firewall.conf
Код: Выделить всё
#!/bin/sh
########## FIREWALL CONFIGURATION FILE ##########
fwcmd="/sbin/ipfw"
##################################
##
LanOut="vr1" ##
LanIn="vr0" ##
##
IpOut="192.168.1.8" ##
IpIn="192.168.111.111" ##
##
#NetMask="16" ##
NetIn="192.168.0.0/16" ##
User="192.168.111" ##
##################################
########## CLEAN ALL ##########
${fwcmd} -f flush
${fwcmd} add allow icmp from ${IpOut} to any via vr1
########## PIPES TO FTP ##########
${fwcmd} add pipe 10 ip from ${IpIn} 20,21 to ${NetIn}
${fwcmd} pipe 10 config bw 40Mbit/s
########## USERS WHAT ARE NOT GIVE INTERNET ##########
#${fwcmd} add deny ip from ${User} to any out via ${LanOut}
#${fwcmd} add deny ip from any to ${User} in via ${LanOut}
########## PIPES ##########
${fwcmd} add pipe 100 ip from not ${NetIn} to ${User}.10,${User}.11,${User}.15
${fwcmd} pipe 100 config bw 1024Kbit/s
########## USER 1 ##########
########## USER 2 ##########
########## USER 3 ##########
########## USER 4 ##########
########## USER 5 ##########
########## USER 6 ##########
########## USER 7 ##########
########## USER 8 ##########
########## USER 9 ##########
########## USER 10,11,15 ##########
#${fwcmd} add pipe 1 ip from not ${NetIn} to ${User}.10,${User}.11,${User}.15
#${fwcmd} pipe 1 config bw 1024Kbit/s queue 1
#${fwcmd} add queue 1 ip from any to ${User}.10,${User}.15
#${fwcmd} queue 1 config pipe 1 weight 1
#${fwcmd} add queue 30 ip from any to ${User}.11
#${fwcmd} queue 30 config pipe 1 weight 40
#${fwcmd} add pipe 2 ip from ${User}.10,${User}.11,${User}.15 to not me
#${fwcmd} pipe 2 config bw 512Kbit/s queue 2
#${fwcmd} add queue 2 ip from ${User}.10,${User}.11,${User}.15 to not me
#${fwcmd} queue 2 config pipe 2 weight 1
########## USER 11 ##########
#${fwcmd} add pipe 3 ip from not ${NetIn} to ${User}.11
#${fwcmd} pipe 3 config bw 64Kbit/s queue 3
#${fwcmd} add pipe 4 ip from ${User}.11 to not me
#${fwcmd} pipe 4 config bw 16Kbit/s queue 4
#${fwcmd} add queue 3 ip from any to ${User}.11
#${fwcmd} queue 3 config pipe 3 weight 100
#${fwcmd} add queue 4 ip from ${User}.11 to not me
#${fwcmd} queue 4 config pipe 4 weight 100
########## USER 12 ##########
${fwcmd} add pipe 5 ip from not ${NetIn} to ${User}.12
${fwcmd} pipe 5 config bw 64Kbit/s queue 5
${fwcmd} add pipe 6 ip from ${User}.12 to not me
${fwcmd} pipe 6 config bw 16Kbit/s queue 6
${fwcmd} add queue 5 ip from any to ${User}.12
${fwcmd} queue 5 config pipe 5 weight 100
${fwcmd} add queue 6 ip from ${User}.12 to not me
${fwcmd} queue 6 config pipe 6 weight 100
########## USER 13 ##########
${fwcmd} add pipe 7 ip from not ${NetIn} to ${User}.13
${fwcmd} pipe 7 config bw 64Kbit/s queue 7
${fwcmd} add pipe 8 ip from ${User}.13 to not me
${fwcmd} pipe 8 config bw 16Kbit/s queue 8
${fwcmd} add queue 7 ip from any to ${User}.13
${fwcmd} queue 7 config pipe 7 weight 100
${fwcmd} add queue 8 ip from ${User}.13 to not me
${fwcmd} queue 8 config pipe 8 weight 100
########## USER 14 ##########
${fwcmd} add pipe 9 ip from not ${NetIn} to ${User}.14
${fwcmd} pipe 9 config bw 128Kbit/s queue 9
${fwcmd} add pipe 10 ip from ${User}.14 to not me
${fwcmd} pipe 10 config bw 32Kbit/s queue 10
${fwcmd} add queue 9 ip from any to ${User}.14
${fwcmd} queue 9 config pipe 9 weight 100
${fwcmd} add queue 10 ip from ${User}.14 to not me
${fwcmd} queue 10 config pipe 10 weight 100
########## USER 15 ##########
#${fwcmd} add pipe 11 ip from not ${NetIn} to ${User}.15
#${fwcmd} pipe 11 config bw 16Kbit/s queue 11
#${fwcmd} add pipe 12 ip from ${User}.15 to not me
#${fwcmd} pipe 12 config bw 16Kbit/s queue 12
#${fwcmd} add queue 11 ip from any to ${User}.15
#${fwcmd} queue 11 config pipe 11 weight 20
#${fwcmd} add queue 12 ip from ${User}.15 to not me
#${fwcmd} queue 12 config pipe 12 weight 20
########## USER 16 ##########
${fwcmd} add pipe 13 ip from not ${NetIn} to ${User}.16
${fwcmd} pipe 13 config bw 128Kbit/s queue 13
${fwcmd} add pipe 14 ip from ${User}.16 to not me
${fwcmd} pipe 14 config bw 32Kbit/s queue 14
${fwcmd} add queue 13 ip from any to ${User}.16
${fwcmd} queue 13 config pipe 13 weight 100
${fwcmd} add queue 14 ip from ${User}.16 to not me
${fwcmd} queue 14 config pipe 14 weight 100
########## USER 17 ##########
${fwcmd} add pipe 15 ip from not ${NetIn} to ${User}.17
${fwcmd} pipe 15 config bw 128Kbit/s queue 15
${fwcmd} add pipe 16 ip from ${User}.17 to not me
${fwcmd} pipe 16 config bw 32Kbit/s queue 16
${fwcmd} add queue 15 ip from any to ${User}.17
${fwcmd} queue 15 config pipe 15 weight 100
${fwcmd} add queue 16 ip from ${User}.17 to not me
${fwcmd} queue 16 config pipe 16 weight 100
########## USER 18 ##########
#${fwcmd} add pipe 17 ip from not ${NetIn} to ${User}.18
#${fwcmd} pipe 17 config bw 16Kbit/s
#${fwcmd} add pipe 18 ip from ${User}.18 to not me
#${fwcmd} pipe 18 config bw 16Kbit/s
########## USER 19 ##########
#${fwcmd} add pipe 19 ip from not ${NetIn} to ${User}.19
#${fwcmd} pipe 19 config bw 128Kbit/s
#${fwcmd} add pipe 20 ip from ${User}.19 to not me
#${fwcmd} pipe 20 config bw 128Kbit/s
########## USER 20 ##########
#${fwcmd} add pipe 21 ip from not ${NetIn} to ${User}.20
#${fwcmd} pipe 21 config bw 128Kbit/s
#${fwcmd} add pipe 22 ip from ${User}.20 to not me
#${fwcmd} pipe 22 config bw 128Kbit/s
########## USER 21 ##########
########## USER 22 ##########
########## USER 23 ##########
########## USER 24 ##########
########## USER 25 ##########
########## USER 26 ##########
########## USER 27 ##########
########## USER 28 ##########
########## USER 29 ##########
########## USER 30 ##########
########## USER 31 ##########
########## USER 32 ##########
########## USER 33 ##########
########## USER 34 ##########
########## USER 35 ##########
${fwcmd} add allow icmp from any to ${IpOut} via ${LanOut}
########## DINAMYC RIGHT ##########
${fwcmd} add check-state
########## ALLOW ANY ON THE LanIn ###########
${fwcmd} add allow ip from any to any via $LanIn
########## DENY ALL ON 127.0.0.0 ##########
${fwcmd} add deny ip from any to 127.0.0.1/8
${fwcmd} add deny ip from 127.0.0.1/8 to any
########## DENY ALL IN ON THE LanOut ##########
${fwcmd} add deny ip from any to 10.0.0.0/8 in via ${LanOut}
${fwcmd} add deny ip from any to 172.16.0.0/12 in via ${LanOut}
#${fwcmd} add deny ip from any to 192.168.0.0/16 in via ${LanOut}
${fwcmd} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
########## DENY AUTOCONFIGURE NETWORK ON LanOut ##########
${fwcmd} add deny ip from any to 169.254.0.0/4 via ${LanOut}
########## DENY ALL MULTICAST MESSEGING ##########
${fwcmd} add deny ip from any to 240.0.0.0/4 via ${LanOut}
########## DENY ICMP FRAG ##########
${fwcmd} add deny icmp from any to any frag
########## DENY LOG ALL BROADCAST ICMP ON LanOut ##########
${fwcmd} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${fwcmd} add deny log icmp from any to 255.255.255.255 out via ${LanOut}
########## firewall ##############
## ##
##${fwcmd} add ##
## ##
## ##
##################################
########## NAT ##########
${fwcmd} add divert natd ip from ${NetIn} to any out via ${LanOut}
${fwcmd} add divert natd ip from any to ${IpOut} in via ${LanOut}
########## DENY ALL LOCAL OUT LanOut ##########
${fwcmd} add deny ip from 10.0.0.0/8 to any out via ${LanOut}
${fwcmd} add deny ip from 172.16.0.0/12 to any out via ${LanOut}
#${fwcmd} add deny ip from 192.168.0.0/16 to any out via ${LanOut}
${fwcmd} add deny ip from 0.0.0.0/8 to any out via ${LanOut}
########## DENY ALL AUTOCONFIGURE NETWORK OUT LanOut ##########
${fwcmd} add deny ip from 169.254.0.0/16 to any out via ${LanOut}
########## DENY ALL MULTICAST MESEGES ON LanOut ##########
${fwcmd} add deny ip from 224.0.0.0/4 to any out via ${LanOut}
${fwcmd} add deny ip from 240.0.0.0/4 to any out via ${LanOut}
########## ALLOW ALL ESTABLISHED ##########
${fwcmd} add allow ip from any to any established
########## ALLOW ANY SERVER CONNECT VIA LanOut ##########
${fwcmd} add allow ip from ${IpOut} to any out xmit ${LanOut}
########## ALLOW DNS IN LanOut ##########
${fwcmd} add allow ip from any 53 to any via ${LanOut}
########## ALLOW SSH ON LanOut ##########
${fwcmd} add allow tcp from any to ${IpOut} 22 via ${LanOut}
########## ALLOW ANY ON LanIn ##########
${fwcmd} add allow tcp from any to any via ${LanIn}
${fwcmd} add allow udp from any to any via ${LanIn}
${fwcmd} add allow icmp from any to any via ${LanIn}
########## DENY ALL ##########
${fwcmd} add deny ip from any to any
Код: Выделить всё
# -- sysinstall generated deltas -- # Tue Jan 1 20:20:24 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#arpwanch_enable="YES"
defaultrouter="192.168.1.1"
gateway_enable="YES"
hostname="harmless.kiev.ua"
network_interfaces="vr0 vr1 lo0"
ifconfig_vr0="inet 192.168.111.111 netmask 255.255.0.0"
ifconfig_vr1="inet 192.168.1.8 netmask 255.255.255.0"
inetd_enable="YES"
keymap="ru.koi8-r"
linux_enable="YES"
moused_enable="NO"
moused_type="NO"
sshd_enable="YES"
usbd_enable="YES"
natd_enable="YES"
natd_flags="-m -u"
natd_interface="vr0"
firewall_enable="YES"
firewall_script="/etc/firewall.conf"
firewall_logging="YES"
к внешней сетевой 192.168.1.8 подключен модем ADSL Zyxel 660RT EE IP 192.168.1.1(с автоматическими настройками в режими роутера)
когда без правил фаера - то фря получает нет, а с правилами нет и в месте с ней и сеть(квип говорит Error: DNS lookup failed)
сразу скажу что ппп не поднимал так как шлюз получает нет и без него но спотыкается как я понял об правила фаера
плз подскажите что делать куда копать или пните в нужную сторону