In order:
pfctl -s nat
tgw# pfctl -s nat
nat on xl0 inet from 192.168.6.0/23 to any -> 193.23.183.24
rdr on xl0 inet proto tcp from any to 193.23.183.24 port = rdp -> 192.168.7.22 port 3389
pfctl -s rules
tgw# pfctl -s rules
scrub in all fragment reassemble
block drop in quick on ! xl0 inet from 193.23.183.0/26 to any
block drop in quick inet from 193.23.183.24 to any
block drop in quick on ! xl1 inet from 192.168.6.0/23 to any
block drop in quick inet from 192.168.7.207 to any
block return all
pass in log on xl0 inet proto tcp from any to 193.23.183.24 port = mdqs flags S/SA keep state
pass in on xl1 inet proto tcp from 192.168.6.0/23 to 192.168.7.207 port = mdqs flags S/SA keep state
pass in on xl1 inet proto tcp from 192.168.6.0/23 to any port = http flags S/SA keep state
pass out on xl0 inet from 193.23.183.24 to any flags S/SA keep state
pass out on xl1 inet from 192.168.7.207 to any flags S/SA keep state
pass in log on xl0 inet proto tcp from any to 192.168.7.22 port = rdp flags S/SA synproxy state
tcpdump on the external interface
tgw# tcpdump -vvv -i xl0 | grep 192.168.7.22.rdp
tcpdump: listening on xl0, link-type EN10MB (Ethernet), capture size 96 bytes
12:08:59.344795 IP (tos 0x10, ttl 64, id 48826, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3380: R, cksum 0x9daf (correct), 0:0(0) ack 3980380803 win 0
12:09:02.422287 IP (tos 0x10, ttl 64, id 48855, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3380: R, cksum 0x9daf (correct), 0:0(0) ack 1 win 0
12:09:08.356940 IP (tos 0x10, ttl 64, id 48903, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3380: R, cksum 0x9daf (correct), 0:0(0) ack 1 win 0
12:09:20.426996 IP (tos 0x10, ttl 64, id 48922, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3380: R, cksum 0x9daf (correct), 0:0(0) ack 1 win 0
12:10:32.346192 IP (tos 0x10, ttl 64, id 49088, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3380: R, cksum 0x9daf (correct), 0:0(0) ack 1 win 0
12:11:06.783555 IP (tos 0x10, ttl 64, id 49120, offset 0, flags [DF], proto TCP (6), length 40) 193.23.183.22.3380 > 192.168.7.22.rdp: R, cksum 0x3d24 (correct), 2738623004:2738623004(0) ack 1070689123 win 0
tcpdump on the internal interface
tgw# tcpdump -vvv -i xl1 | grep 192.168.7.22.rdp
tcpdump: listening on xl1, link-type EN10MB (Ethernet), capture size 96 bytes
12:19:53.047961 IP (tos 0x10, ttl 64, id 50422, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3920: R, cksum 0x0a65 (correct), 0:0(0) ack 736042259 win 0
12:19:56.130742 IP (tos 0x10, ttl 64, id 50424, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3920: R, cksum 0x0a65 (correct), 0:0(0) ack 1 win 0
12:20:02.064861 IP (tos 0x10, ttl 64, id 50466, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3920: R, cksum 0x0a65 (correct), 0:0(0) ack 1 win 0
12:20:08.200764 IP (tos 0x10, ttl 64, id 50510, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3869: R, cksum 0x0931 (correct), 0:0(0) ack 3848234233 win 0
12:20:14.034744 IP (tos 0x10, ttl 64, id 50521, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3920: R, cksum 0x0a65 (correct), 0:0(0) ack 1 win 0
12:20:38.175407 IP (tos 0x10, ttl 64, id 50552, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3920: R, cksum 0x0a65 (correct), 0:0(0) ack 1 win 0
12:20:53.281168 IP (tos 0x10, ttl 64, id 50573, offset 0, flags [DF], proto TCP (6), length 40) 193.23.183.22.3869 > 192.168.7.22.rdp: R, cksum 0x5d54 (correct), 1410172777:1410172777(0) ack 2930909621 win 0
12:21:26.155019 IP (tos 0x10, ttl 64, id 50607, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3920: R, cksum 0x0a65 (correct), 0:0(0) ack 1 win 0
12:21:55.333798 IP (tos 0x10, ttl 64, id 50631, offset 0, flags [DF], proto TCP (6), length 40) 193.23.183.22.3920 > 192.168.7.22.rdp: R, cksum 0xa9bd (correct), 2108044130:2108044130(0) ack 3569670874 win 0
=========
As for the DMZ, that is a separate question. In theory they tried to set one up, or rather the firewall contains such words; it is configured on FreeBSD, and there too the main rules read:
ipfw add allow all from $dmz_net to any
ipfw add allow all from any to $dmz_net
Given that it all goes over one cable, without VLANs or anything else, it is a bit of a stretch to call it a DMZ.
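When reading captures like the ones above, the two questions worth answering mechanically are "which side is sending the RSTs?" and "does the packet seen on the outside interface carry the address it should have after NAT?". The following Python script is an added example, not code from the poster; it parses the "-vvv" tcpdump line layout shown in the post, counts resets per source/destination pair, and flags any packet on the external capture whose source is still an RFC 1918 address (on the outside interface of a NAT box, a reply from the redirected host should already show the public address, so a private source there means the packet left untranslated). The sample input is three lines copied from the xl0 capture above plus tcpdump's header line; the function names and the report layout are the example's own.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: three lines copied from the xl0 capture in the post above,
# plus tcpdump's own header line to show that non-packet lines are skipped.
SAMPLE = """\
tcpdump: listening on xl0, link-type EN10MB (Ethernet), capture size 96 bytes
12:08:59.344795 IP (tos 0x10, ttl 64, id 48826, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3380: R, cksum 0x9daf (correct), 0:0(0) ack 3980380803 win 0
12:09:02.422287 IP (tos 0x10, ttl 64, id 48855, offset 0, flags [DF], proto TCP (6), length 40) 192.168.7.22.rdp > 193.23.183.22.3380: R, cksum 0x9daf (correct), 0:0(0) ack 1 win 0
12:11:06.783555 IP (tos 0x10, ttl 64, id 49120, offset 0, flags [DF], proto TCP (6), length 40) 193.23.183.22.3380 > 192.168.7.22.rdp: R, cksum 0x3d24 (correct), 2738623004:2738623004(0) ack 1070689123 win 0
"""

# Matches the "-vvv" tcpdump line layout shown in the post; the bracketed
# flag form "[R.]" printed by newer tcpdump versions is accepted as well.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?:\(.*?\) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): "
    r"(?P<flags>\[?[A-Z.]+\]?),"
)


def parse_tcpdump(text):
    """Return one dict per TCP packet line; header and unparseable lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["flags"] = rec["flags"].strip("[]")
        records.append(rec)
    return records


def rst_by_pair(records):
    """Count RST packets per (source, destination) pair: who is resetting whom."""
    counts = Counter()
    for r in records:
        if "R" in r["flags"]:
            counts[(r["src"], r["dst"])] += 1
    return dict(counts)


def private_sources_on_external(records):
    """Packets whose source address is private (RFC 1918 etc.).

    Run this over a capture taken on the outside interface: a reply from the
    redirected host should already carry the public address there, so a
    private source means the packet left without being translated.
    """
    return [
        (r["ts"], r["src"], r["dst"], r["flags"])
        for r in records
        if ipaddress.ip_address(r["src"]).is_private
    ]


def report(text):
    """Summarise one capture: packet count, RST origins, untranslated sources."""
    recs = parse_tcpdump(text)
    return {
        "packets": len(recs),
        "rst_by_pair": rst_by_pair(recs),
        "untranslated": private_sources_on_external(recs),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(key, value)
```

Feed it the output of `tcpdump -vvv -i xl0` (without the grep, so that translated replies are not filtered out) and compare the "untranslated" list with the same run on xl1; a pair that resets in one direction only tells you which host is refusing the connection rather than which rule is dropping it.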