trable with ipfw (FreeBSD 7.0 p5)

[harmless]

Добрый день всем!
есть такой вопрос:
есть шлюз под "правильной ОС"
вот правила ipfw:

Код: Выделить всё

#!/bin/sh
######################################
FwCMD="/sbin/ipfw "            # иcпoлняeмый бинapник IPFW
FwTable="/sbin/ipfw -q table " # кoммaндa table
LanOut="rl0"                   # внeшняя ceтeвaя кapтa
NetOut="91.192.153.0/4"        # внeшняя ceть
IpOut="91.192.153.82"          # внeшний IP
LanIn="vr0"                    # внyтpeнняя ceтeвaя кapтa
NetIn="10.0.0.0/24"            # лoкaльнaя ceть
ip_lan="10.0.0"                # пpимep внyтpeнниx aдpecoв
IpIn="10.0.0.1"                # внyтpeнний IP
######################################
############### CLEAN ALL ###############
# cбpacывaeм вce пpaвилa
${FwCMD} -f flush
# cбpacывaeм вce тpyбы
${FwCMD} -f pipe flush
# cбpacывaeм вce oчepeди
${FwCMD} -f queue flush
################ Tables #################
for i in `grep "^[1-9]" /etc/tables/256`
do
    ${FwTable} 1 add ${i}
done
for i in `grep "^[1-9]" /etc/tables/512`
do
    ${FwTable} 2 add ${i}
done
for i in `grep "^[1-9]" /etc/tables/1024`
do
    ${FwTable} 3 add ${i}
done
for i in `grep "^[1-9]" /etc/tables/2048`
do
    ${FwTable} 4 add ${i}
done
for i in `grep "^[1-9]" /etc/tables/4096`
do
    ${FwTable} 5 add ${i}
done
for i in `grep "^[1-9]" /etc/tables/256` `grep "^[1-9]" /etc/tables/512` `grep "^[1-9]" /etc/tables/1024` `grep "^[1-9]" /etc/tables/2048` `grep "^[1-9]" /etc/tables/4096`
do
    ${FwTable} 0 add ${i}
done
# пpoвepяeм cтaтичecкyю тaблицy
${FwCMD} add check-state
# paзpeшaeм вce нa пeтлe
${FwCMD} add allow ip from any to any via lo0
# пoдcчитывaeм тpaфик ceти
${FwCMD} add count ip from ${NetIn} to any
# зaпpeщaeм пeтлe лeзть кyдaтo
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
# зaпpeщaeм внyтpeнниe пaкeты нa внeшнeм интepфeйce
${FwCMD} add deny ip from ${NetIn} to any in via ${LanOut}
# зaпpeщaeм внeшниe пaкeты нa внyтpeннeм интepфeйce
${FwCMD} add deny ip from ${NetOut} to any in via ${LanIn}
# pyбaeм чacтныe ceти кoтopыe лoмятcя cнapyжи
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut}
${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
# pyбaeм aвтoкoнфигypиpoвaннyю ceть
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
# pyбaeм мyльтикacт
${FwCMD} add deny ip from any to 224.0.0.0/4 in via ${LanOut} 
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}
# pyбaeм фpaгмeнтиpoвaнныe icmp пaкeты
${FwCMD} add deny icmp from any to any frag
# pyбaeм мyльтикacт и пишeм в лoг
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${LanOut}
# тpaнcляция ceтeвыx aдpecoв
${FwCMD} add divert natd ip from ${NetIn} to any out via ${LanOut}
${FwCMD} add divert natd ip from any to ${IpOut} in via ${LanOut}
# pyбaeм чacтныe ceти
#${FwCMD} add deny ip from 10.0.0.0/8 to any out via ${LanOut}
${FwCMD} add deny ip from 172.16.0.0/12 to any out via ${LanOut}
${FwCMD} add deny ip from 192.168.0.0/16 to any out via ${LanOut}
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ${LanOut}
# pyбaeм aвтoкoнфигypиpoвaннyю ceть
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ${LanOut}
# pyбaeм мyльтикacт
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ${LanOut}
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ${LanOut}
# icmp эxo-зaпpoc, эxo-oтвeт, вpeмя жизни пaкeтa иcтeклo
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
# paзpeшaeм вxoдящий тpaфик ceти нa внyтpeннeм интepфeйce
${FwCMD} add allow ip from any to ${NetIn} in via ${LanIn}
# paзpeшaeм иcxoдящий тpaфик ceти нa внyтpeннeм интepфeйce
${FwCMD} add allow ip from ${NetIn} to any out via ${LanIn}
# paзpeшaeм ycтaнoвлeнныe coeдинeния
${FwCMD} add allow tcp from any to any established
# DNS - 4 
${FwCMD} add allow udp from any to ${IpOut} 53 in via ${LanOut}
${FwCMD} add allow udp from ${IpOut} 53 to any out via ${LanOut}
${FwCMD} add allow udp from any 53 to ${IpOut} in via ${LanOut}
${FwCMD} add allow udp from ${IpOut} to any 53 out via ${LanOut}
# cинxpoнизaцию вpeмeни
${FwCMD} add allow udp from any to any 123 via ${LanOut}
#  (TCP DNS)
${FwCMD} add allow tcp from any to ${IpOut} 53 in via ${LanOut} setup
# web
${FwCMD} add allow tcp from any to ${IpOut} 80 via ${LanOut}
# ssh
${FwCMD} add allow tcp from any to ${IpOut} 22 in via ${LanOut} setup
# POP
${FwCMD} add allow tcp from any to ${IpOut} 110,25 via ${LanOut}
# мaccивный FTP
${FwCMD} add allow tcp from any to ${IpOut} 49152-65535 via ${LanOut}
# COUNTER-STRIKE
${FwCMD} add allow udp from any 27000-27025 to ${NetIn} in via ${LanOut}
${FwCMD} add allow udp from any 27000-27025 to ${NetIn} out via ${LanIn}
${FwCMD} add allow udp from ${NetIn} to any 27000-27025 in via ${LanIn}
${FwCMD} add allow udp from ${IpOut} to any 27000-27025 out via ${LanOut}
# блoкиpyeн вce и зaнocим в лoг
${FwCMD} add deny log tcp from any to ${IpOut} in via ${LanOut} setup
${FwCMD} add allow tcp from ${IpOut} to any out via ${LanOut} setup
${FwCMD} add allow tcp from any to ${IpOut} in via ${LanIn} setup
################# PIPES #################
###############  256Kbit/s ###############
${FwCMD} add pipe 1 ip from not ${NetIn} to table\(1\)
${FwCMD} pipe 1 config bw 256000bit/s mask src-ip 0xffffffff 
${FwCMD} add pipe 2 ip from table\(1\) to not me 
${FwCMD} pipe 2 config bw 256000bit/s mask dst-ip 0xffffffff
###############  512Kbit/s ###############
${FwCMD} add pipe 3 ip from not ${NetIn} to table\(2\)
${FwCMD} pipe 3 config bw 512000bit/s mask src-ip 0xffffffff 
${FwCMD} add pipe 4 ip from table\(2\) to not me 
${FwCMD} pipe 4 config bw 512000bit/s mask dst-ip 0xffffffff
################  1Mbit/s ################
${FwCMD} add pipe 5 ip from not ${NetIn} to table\(3\)
${FwCMD} pipe 5 config bw 1000000bit/s mask src-ip 0xffffffff 
${FwCMD} add pipe 6 ip from table\(3\)  to not me 
${FwCMD} pipe 6 config bw 1000000bit/s mask dst-ip 0xffffffff
################  2Mbit/s ################
${FwCMD} add pipe 7 ip from not ${NetIn} to table\(4\)
${FwCMD} pipe 7 config bw 2000000bit/s mask src-ip 0xffffffff 
${FwCMD} add pipe 8 ip from table\(4\) to not me 
${FwCMD} pipe 8 config bw 2000000bit/s mask dst-ip 0xffffffff
################ 4Mbit/s ################
${FwCMD} add pipe 9 ip from not ${NetIn} to table\(5\)
${FwCMD} pipe 9 config bw 4000000bit/s mask src-ip 0xffffffff 
${FwCMD} add pipe 10 ip from table\(5\) to not me
${FwCMD} pipe 10 config bw 4000000bit/s mask dst-ip 0xffffffff
############## BEGIN  USERS ##############
${FwCMD} add allow tcp from table\(0\) to not ${NetIn} in via ${LanIn} setup keep-state
############### END USERS ###############
###################################
# зaпpeщaeм вce и вceм
${FwCMD} add deny ip from any to any

проблема в том что нет не приходит на сеть!
вот вывод статистики:

Код: Выделить всё

serva4ok# ipfw -at list
00100   0      0                         check-state
00200 688 209194 Sun Nov  9 17:43:44 2008 allow ip from any to any via lo0
00300 489  40419 Sun Nov  9 17:43:52 2008 count ip from table(0) to any
00400   0      0                         deny ip from any to 127.0.0.0/8
00500   0      0                         deny ip from 127.0.0.0/8 to any
00600 165  20082 Sun Nov  9 17:43:51 2008 deny ip from 10.0.0.0/24 to any in via rl0
00700   0      0                         deny ip from 91.0.0.0/8 to any in via vr0
00800   0      0                         deny ip from any to 10.0.0.0/8 in via rl0
00900 117  16447 Sun Nov  9 17:43:50 2008 deny ip from any to 172.16.0.0/12 in via rl0
01000   0      0                         deny ip from any to 192.168.0.0/16 in via rl0
01100   0      0                         deny ip from any to 0.0.0.0/8 in via rl0
01200   0      0                         deny ip from any to 169.254.0.0/16 in via rl0
01300   1     28 Sun Nov  9 17:42:53 2008 deny ip from any to 224.0.0.0/4 in via rl0
01400   0      0                         deny ip from any to 240.0.0.0/4 in via rl0
01500   0      0                         deny icmp from any to any frag
01600   0      0                         deny log logamount 100 icmp from any to 255.255.255.255 in via rl0
01700   0      0                         deny log logamount 100 icmp from any to 255.255.255.255 out via rl0
01800   8    392 Sun Nov  9 17:42:52 2008 divert 8668 ip from 10.0.0.0/24 to any out via rl0
01900  99  13337 Sun Nov  9 17:43:45 2008 divert 8668 ip from any to 91.192.153.82 in via rl0
02000   0      0                         deny ip from 10.0.0.0/8 to any out via rl0
02100   0      0                         deny ip from 172.16.0.0/12 to any out via rl0
02200   0      0                         deny ip from 192.168.0.0/16 to any out via rl0
02300   0      0                         deny ip from 0.0.0.0/8 to any out via rl0
02400   0      0                         deny ip from 169.254.0.0/16 to any out via rl0
02500   0      0                         deny ip from 224.0.0.0/4 to any out via rl0
02600   0      0                         deny ip from 240.0.0.0/4 to any out via rl0
02700 334  20040 Sun Nov  9 17:43:51 2008 allow icmp from any to any icmptypes 0,8,11
02800 498  44801 Sun Nov  9 17:43:52 2008 allow ip from any to 10.0.0.0/24 in via vr0
02900 444  82239 Sun Nov  9 17:43:52 2008 allow ip from 10.0.0.0/24 to any out via vr0
03000  42   2510 Sun Nov  9 17:42:52 2008 allow tcp from any to any established
03100   0      0                         allow udp from any to 91.192.153.82 dst-port 53 in via rl0
03200   0      0                         allow udp from 91.192.153.82 53 to any out via rl0
03300  64  10370 Sun Nov  9 17:43:43 2008 allow udp from any 53 to 91.192.153.82 in via rl0
03400  68   5934 Sun Nov  9 17:43:43 2008 allow udp from 91.192.153.82 to any dst-port 53 out via rl0
03500   0      0                         allow udp from any to any dst-port 123 via rl0
03600   0      0                         allow tcp from any to 91.192.153.82 dst-port 53 in via rl0 setup
03700   0      0                         allow tcp from any to 91.192.153.82 dst-port 80 via rl0
03800   0      0                         allow tcp from any to 91.192.153.82 dst-port 110,25 via rl0
03900   0      0                         allow tcp from any to 91.192.153.82 dst-port 49152-65535 via rl0
04000   0      0                         allow udp from any 26900-27025 to 10.0.0.0/24 in via rl0
04100   0      0                         allow udp from any 26900-27025 to 10.0.0.0/24 out via vr0
04200   0      0                         allow udp from 10.0.0.0/24 to any dst-port 26900-27025 in via vr0
04300   0      0                         allow udp from 91.192.153.82 to any dst-port 26900-27025 out via rl0
04400   0      0                         allow tcp from any 26900-27025 to 10.0.0.0/24 in via rl0
04500   0      0                         allow tcp from any 26900-27025 to 10.0.0.0/24 out via vr0
04600   0      0                         allow tcp from 10.0.0.0/24 to any dst-port 26900-27025 in via vr0
04700   0      0                         allow tcp from 91.192.153.82 to any dst-port 26900-27025 out via rl0
04800  16    772 Sun Nov  9 17:43:31 2008 deny log logamount 100 tcp from any to 91.192.153.82 in via rl0 setup
04900   0      0                         allow tcp from 91.192.153.82 to any out via rl0 setup
05000   6    288 Sun Nov  9 17:42:41 2008 allow tcp from any to 91.192.153.82 in via vr0 setup
05100   0      0                         pipe 100 ip from 10.0.0.1 20,21 to 10.0.0.0/24
05200   0      0                         pipe 101 ip from 10.0.0.0/24 to 10.0.0.1 dst-port 20,21
05300   0      0                         pipe 1 ip from not 10.0.0.0/24 to table(1)
05400   0      0                         pipe 2 ip from table(1) to not me
05500   0      0                         pipe 3 ip from not 10.0.0.0/24 to table(2)
05600   0      0                         pipe 4 ip from table(2) to not me
05700   0      0                         pipe 5 ip from not 10.0.0.0/24 to table(3)
05800   0      0                         pipe 6 ip from table(3) to not me
05900   0      0                         pipe 7 ip from not 10.0.0.0/24 to table(4)
06000   0      0                         pipe 8 ip from table(4) to not me
06100   0      0                         pipe 9 ip from not 10.0.0.0/24 to table(5)
06200   0      0                         pipe 10 ip from table(5) to not me
06300   0      0                         pipe 11 ip from not 10.0.0.0/24 to table(6)
06400   7    336 Sun Nov  9 17:43:16 2008 pipe 12 ip from table(6) to not me
06500  38   1824 Sun Nov  9 17:43:25 2008 allow tcp from table(0) to not 10.0.0.0/24 in via vr0 setup keep-state
06600 304  33803 Sun Nov  9 17:43:51 2008 deny ip from any to any
65535  20   2083 Sun Nov  9 17:41:03 2008 deny ip from any to any

не могу понять где что не так
подозреваю

Код: Выделить всё

06500  38   1824 Sun Nov  9 17:43:25 2008 allow tcp from table(0) to not 10.0.0.0/24 in via vr0 setup keep-state

Жду предложений

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[paradox]

есть шлюз под "правильной ОС"

+1 ))))

ну да похоже что в таблице чтото
хостов видать нет

[paradox]

а вообще ты зверь
юзеров нелюбишь

дал им один токо tcp
этого мало

[harmless]

В том то и дело что они есть!
а нет не пускает шлюз!
пинги идут ресолв тоже а тсп не хочет пускать думаю что трубы не там стоят!
если после ната поставить разрешенку на все то нет идет!

[harmless]

а вообще ты зверь
юзеров нелюбишь

дал им один токо tcp
этого мало

а что им еще нужно
чат, фтп, п2п, почта все в сети есть!
им нужен только нет!

[harmless]

за основу взят пример у Лиса

Код: Выделить всё

########### BEGIN USERS   ###############################

# Разрешаем всем аську (ICQ)
${FwCMD} add allow tcp from ${NetIn} to any 5190 in via ${LanIn} setup

# Пользователи которым разрешён инет
${FwCMD} add allow tcp from ${ip_lan}.151 to not ${NetIn} in via ${LanIn} setup
${FwCMD} add allow tcp from ${ip_lan}.153 to not ${NetIn} in via ${LanIn} setup
${FwCMD} add allow tcp from ${ip_lan}.154 to not ${NetIn} in via ${LanIn} setup

############# END USERS #################################

http://www.lissyara.su/?id=1127

[paradox]

а уберика в том правиле

in via vr0

[harmless]

попробую позднее - потом и отпишусь чуток занят на работе!

[harmless]

Привет всем!
Вот с горя перелез на тестовую машинку с такими же настройками:

Код: Выделить всё

harmless# cat /etc/firewall.conf
#!/bin/sh

######################################
FwCMD="/sbin/ipfw "            # иcпoлняeмый бинapник IPFW
FwTable="/sbin/ipfw -q table " # кoммaндa table
LanOut="rl0"                   # внeшняя ceтeвaя кapтa
NetOut="192.168.1.0/24"        # внeшняя ceть
IpOut="192.168.1.18"          # внeшний IP
LanIn="nfe0"                    # внyтpeнняя ceтeвaя кapтa
NetIn="10.0.0.0/24"            # лoкaльнaя ceть
ip_lan="10.0.0"                # пpимep внyтpeнниx aдpecoв
IpIn="10.0.0.1"                # внyтpeнний IP
######################################
############### CLEAN ALL ###############
# cбpacывaeм вce пpaвилa
${FwCMD} -f flush
# cбpacывaeм вce тpyбы
${FwCMD} -f pipe flush
# cбpacывaeм вce oчepeди
${FwCMD} -f queue flush

################ Tables #################

for i in `grep "^[1-9]" /etc/tables/256`
do
    ${FwTable} 1 add ${i}
done

for i in `grep "^[1-9]" /etc/tables/512`
do
    ${FwTable} 2 add ${i}
done

for i in `grep "^[1-9]" /etc/tables/1024`
do
    ${FwTable} 3 add ${i}
done

for i in `grep "^[1-9]" /etc/tables/2048`
do
    ${FwTable} 4 add ${i}
done

for i in `grep "^[1-9]" /etc/tables/4096`
do
    ${FwTable} 5 add ${i}
done

for i in `grep "^[1-9]" /etc/tables/256` `grep "^[1-9]" /etc/tables/512` `grep "^[1-9]" /etc/tables/1024` `grep "^[1-9]" /etc/tables/2048` `grep "^[1-9]" /etc/tables/4096`
do
    ${FwTable} 0 add ${i}
done

# пpoвepяeм cтaтичecкyю тaблицy
${FwCMD} add check-state
# paзpeшaeм вce нa пeтлe
${FwCMD} add allow ip from any to any via lo0

# пoдcчитывaeм тpaфик ceти
${FwCMD} add count ip from ${NetIn} to any

# зaпpeщaeм пeтлe лeзть кyдaтo
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
# зaпpeщaeм внyтpeнниe пaкeты нa внeшнeм интepфeйce
${FwCMD} add deny ip from ${NetIn} to any in via ${LanOut}
# зaпpeщaeм внeшниe пaкeты нa внyтpeннeм интepфeйce
${FwCMD} add deny ip from ${NetOut} to any in via ${LanIn}
# pyбaeм чacтныe ceти кoтopыe лoмятcя cнapyжи
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut}

#${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut}

${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
# pyбaeм aвтoкoнфигypиpoвaннyю ceть
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
# pyбaeм мyльтикacт
${FwCMD} add deny ip from any to 224.0.0.0/4 in via ${LanOut}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}
# pyбaeм фpaгмeнтиpoвaнныe icmp пaкeты
${FwCMD} add deny icmp from any to any frag
# pyбaeм мyльтикacт и пишeм в лoг
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${LanOut}

# тpaнcляция ceтeвыx aдpecoв
${FwCMD} add divert natd ip from ${NetIn} to any out via ${LanOut}
${FwCMD} add divert natd ip from any to ${IpOut} in via ${LanOut}

# pyбaeм чacтныe ceти
${FwCMD} add deny ip from 10.0.0.0/8 to any out via ${LanOut}

${FwCMD} add deny ip from 172.16.0.0/12 to any out via ${LanOut}
#${FwCMD} add deny ip from 192.168.0.0/16 to any out via ${LanOut}
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ${LanOut}
# pyбaeм aвтoкoнфигypиpoвaннyю ceть
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ${LanOut}
# pyбaeм мyльтикacт
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ${LanOut}
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ${LanOut}
# icmp эxo-зaпpoc, эxo-oтвeт, вpeмя жизни пaкeтa иcтeклo
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
# paзpeшaeм вxoдящий тpaфик ceти нa внyтpeннeм интepфeйce
${FwCMD} add allow ip from any to ${NetIn} in via ${LanIn}
# paзpeшaeм иcxoдящий тpaфик ceти нa внyтpeннeм интepфeйce
${FwCMD} add allow ip from ${NetIn} to any out via ${LanIn}
# paзpeшaeм ycтaнoвлeнныe coeдинeния
${FwCMD} add allow tcp from any to any established
# DNS - 4
${FwCMD} add allow udp from any to ${IpOut} 53 in via ${LanOut}
${FwCMD} add allow udp from ${IpOut} 53 to any out via ${LanOut}
${FwCMD} add allow udp from any 53 to ${IpOut} in via ${LanOut}
${FwCMD} add allow udp from ${IpOut} to any 53 out via ${LanOut}
# cинxpoнизaцию вpeмeни
${FwCMD} add allow udp from any to any 123 via ${LanOut}
#  (TCP DNS)
${FwCMD} add allow tcp from any to ${IpOut} 53 in via ${LanOut} setup
# web
${FwCMD} add allow tcp from any to ${IpOut} 80 via ${LanOut}
# ssh
${FwCMD} add allow tcp from any to ${IpOut} 22 in via ${LanOut} setup
# POP
${FwCMD} add allow tcp from any to ${IpOut} 110,25 via ${LanOut}
# мaccивный FTP
${FwCMD} add allow tcp from any to ${IpOut} 49152-65535 via ${LanOut}
# COUNTER-STRIKE
${FwCMD} add allow udp from any 27000-27025 to ${NetIn} in via ${LanOut}
${FwCMD} add allow udp from any 27000-27025 to ${NetIn} out via ${LanIn}
${FwCMD} add allow udp from ${NetIn} to any 27000-27025 in via ${LanIn}
${FwCMD} add allow udp from ${IpOut} to any 27000-27025 out via ${LanOut}
# блoкиpyeн вce и зaнocим в лoг
${FwCMD} add deny log tcp from any to ${IpOut} in via ${LanOut} setup
${FwCMD} add allow tcp from ${IpOut} to any out via ${LanOut} setup
${FwCMD} add allow tcp from any to ${IpOut} in via ${LanIn} setup


############## PIPES TO FTP ##############

${FwCMD} queue 100 config pipe 100 weight 10 queue 20 mask dst-addr 0xffffffff
${FwCMD} queue 100 config pipe 100 weight 10 queue 20 mask src-addr 0xffffffff
${FwCMD} queue 1000 config pipe 1000 weight 50 queue 20 mask dst-addr 0xffffffff
${FwCMD} queue 1000 config pipe 1000 weight 50 queue 20 mask src-addr 0xffffffff


${FwCMD} add pipe 100 ip from ftp.bc-gold.kiev.ua 20,21 to ${NetIn}
${FwCMD} pipe 100 config bw 40Mbit/s queue 20 mask src-ip 0xffffffff
${FwCMD} add pipe 100 ip from ${NetIn} to ftp.bc-gold.kiev.ua 20,21
${FwCMD} pipe 100 config bw 40Mbit/s queue 20
mask dst-ip 0xffffffff

################# PIPES #################

###############  256Kbit/s ###############
${FwCMD} add pipe 1 ip from not ${NetIn} to table\(1\)
${FwCMD} pipe 1 config bw 256000bit/s mask src-ip 0xffffffff
${FwCMD} add pipe 2 ip from table\(1\) to not me
${FwCMD} pipe 2 config bw 256000bit/s mask dst-ip 0xffffffff
###############  512Kbit/s ###############
${FwCMD} add pipe 3 ip from not ${NetIn} to table\(2\)
${FwCMD} pipe 3 config bw 512000bit/s mask src-ip 0xffffffff
${FwCMD} add pipe 4 ip from table\(2\) to not me
${FwCMD} pipe 4 config bw 512000bit/s mask dst-ip 0xffffffff
################  1Mbit/s ################
${FwCMD} add pipe 5 ip from not ${NetIn} to table\(3\)
${FwCMD} pipe 5 config bw 1000000bit/s mask src-ip 0xffffffff
${FwCMD} add pipe 6 ip from table\(3\)  to not me
${FwCMD} pipe 6 config bw 1000000bit/s mask dst-ip 0xffffffff
################  2Mbit/s ################
${FwCMD} add pipe 7 ip from not ${NetIn} to table\(4\)
${FwCMD} pipe 7 config bw 2000000bit/s mask src-ip 0xffffffff
${FwCMD} add pipe 8 ip from table\(4\) to not me
${FwCMD} pipe 8 config bw 2000000bit/s mask dst-ip 0xffffffff
################ 4Mbit/s ################
${FwCMD} add pipe 9 ip from not ${NetIn} to table\(5\)
${FwCMD} pipe 9 config bw 4000000bit/s mask src-ip 0xffffffff
${FwCMD} add pipe 10 ip from table\(5\) to not me
${FwCMD} pipe 10 config bw 4000000bit/s mask dst-ip 0xffffffff
#${FwCMD} add queue 10 pipe 10 width 50

############## BEGIN  USERS ##############
${FwCMD} add allow tcp from table\(0\) to not ${NetIn} in via ${LanIn} setup keep-state

############### END USERS ###############
###################################
# зaпpeщaeм вce и вceм
${FwCMD} add deny ip from any to any

и

Код: Выделить всё

harmless# ipfw -at list
00100    0       0                         check-state
00200    0       0                         allow ip from any to any via lo0
00300 1746  326387 Wed Nov 12 17:45:03 2008 count ip from 10.0.0.0/24 to any
00400    0       0                         deny ip from any to 127.0.0.0/8
00500    0       0                         deny ip from 127.0.0.0/8 to any
00600    0       0                         deny ip from 10.0.0.0/24 to any in via rl0
00700    0       0                         deny ip from 192.168.1.0/24 to any in via nfe0
00800    0       0                         deny ip from any to 10.0.0.0/8 in via rl0
00900    0       0                         deny ip from any to 172.16.0.0/12 in via rl0
01000    0       0                         deny ip from any to 0.0.0.0/8 in via rl0
01100    0       0                         deny ip from any to 169.254.0.0/16 in via rl0
01200    4     112 Wed Nov 12 17:45:01 2008 deny ip from any to 224.0.0.0/4 in via rl0
01300    0       0                         deny ip from any to 240.0.0.0/4 in via rl0
01400    0       0                         deny icmp from any to any frag
01500    0       0                         deny log logamount 100 icmp from any to 255.255.255.255 in via rl0
01600    0       0                         deny log logamount 100 icmp from any to 255.255.255.255 out via rl0
01700  791  150281 Wed Nov 12 17:44:59 2008 divert 8668 ip from 10.0.0.0/24 to any out via rl0
01800  977 1128382 Wed Nov 12 17:44:59 2008 divert 8668 ip from any to 192.168.1.18 in via rl0
01800 2805 1460939 Wed Nov 12 17:45:03 2008 allow ip from any to any
01900    0       0                         deny ip from 10.0.0.0/8 to any out via rl0
02000    0       0                         deny ip from 172.16.0.0/12 to any out via rl0
02100    0       0                         deny ip from 0.0.0.0/8 to any out via rl0
02200    0       0                         deny ip from 169.254.0.0/16 to any out via rl0
02300    0       0                         deny ip from 224.0.0.0/4 to any out via rl0
02400    0       0                         deny ip from 240.0.0.0/4 to any out via rl0
02500    0       0                         allow icmp from any to any icmptypes 0,8,11
02600    0       0                         allow ip from any to 10.0.0.0/24 in via nfe0
02700    0       0                         allow ip from 10.0.0.0/24 to any out via nfe0
02800  964 1125467 Wed Nov 12 17:44:59 2008 allow tcp from any to any established
02900    0       0                         allow udp from any to 192.168.1.18 dst-port 53 in via rl0
03000    0       0                         allow udp from 192.168.1.18 53 to any out via rl0
03100   13    2915 Wed Nov 12 17:41:08 2008 allow udp from any 53 to 192.168.1.18 in via rl0
03200    0       0                         allow udp from 192.168.1.18 to any dst-port 53 out via rl0
03300    0       0                         allow udp from any to any dst-port 123 via rl0
03400    0       0                         allow tcp from any to 192.168.1.18 dst-port 53 in via rl0 setup
03500    0       0                         allow tcp from any to 192.168.1.18 dst-port 80 via rl0
03600    0       0                         allow tcp from any to 192.168.1.18 dst-port 22 in via rl0 setup
03700    0       0                         allow tcp from any to 192.168.1.18 dst-port 110,25 via rl0
03800    0       0                         allow tcp from any to 192.168.1.18 dst-port 49152-65535 via rl0
03900    0       0                         allow udp from any 27000-27025 to 10.0.0.0/24 in via rl0
04000    0       0                         allow udp from any 27000-27025 to 10.0.0.0/24 out via nfe0
04100    0       0                         allow udp from 10.0.0.0/24 to any dst-port 27000-27025 in via nfe0
04200    0       0                         allow udp from 192.168.1.18 to any dst-port 27000-27025 out via rl0
04300    0       0                         deny log logamount 100 tcp from any to 192.168.1.18 in via rl0 setup
04400    0       0                         allow tcp from 192.168.1.18 to any out via rl0 setup
04500    0       0                         allow tcp from any to 192.168.1.18 in via nfe0 setup
04600    0       0                         pipe 100 ip from 91.192.153.82 20,21 to 10.0.0.0/24
04700    0       0                         pipe 100 ip from 10.0.0.0/24 to 91.192.153.82 dst-port 20,21
04800    0       0                         pipe 1 ip from not 10.0.0.0/24 to table(1)
04900    0       0                         pipe 2 ip from table(1) to not me
05000    0       0                         pipe 3 ip from not 10.0.0.0/24 to table(2)
05100    0       0                         pipe 4 ip from table(2) to not me
05200    0       0                         pipe 5 ip from not 10.0.0.0/24 to table(3)
05300    0       0                         pipe 6 ip from table(3) to not me
05400    0       0                         pipe 7 ip from not 10.0.0.0/24 to table(4)
05500    0       0                         pipe 8 ip from table(4) to not me
05600    0       0                         pipe 9 ip from not 10.0.0.0/24 to table(5)
05700    0       0                         pipe 10 ip from table(5) to not me
05800    0       0                         allow tcp from table(0) to not 10.0.0.0/24 in via nfe0 setup keep-state
05900    0       0                         deny ip from any to any
65535    0       0                         deny ip from any to any

но проблема таже, только звучит подругому:
на рабочем шлюзе нет вообще не приходит в сеть без правила № 01800

Код: Выделить всё

allow ip from any to any

а на тестовой приходит но очень туго и не на все адреса в нете могу попасть(ася даже не может пройти) такое впечатление будто шлюз ограничивает количество подключений

а уберика в том правиле in via vr0

результата ноль - сейчас выложу листинг

Код: Выделить всё

harmless# ipfw -at list
00100   0     0                         check-state
00200   0     0                         allow ip from any to any via lo0
00300 425 72585 Wed Nov 12 17:53:15 2008 count ip from 10.0.0.0/24 to any
00400   0     0                         deny ip from any to 127.0.0.0/8
00500   0     0                         deny ip from 127.0.0.0/8 to any
00600   0     0                         deny ip from 10.0.0.0/24 to any in via rl0
00700   0     0                         deny ip from 192.168.1.0/24 to any in via nfe0
00800   0     0                         deny ip from any to 10.0.0.0/8 in via rl0
00900   0     0                         deny ip from any to 172.16.0.0/12 in via rl0
01000   0     0                         deny ip from any to 0.0.0.0/8 in via rl0
01100   0     0                         deny ip from any to 169.254.0.0/16 in via rl0
01200   0     0                         deny ip from any to 224.0.0.0/4 in via rl0
01300   0     0                         deny ip from any to 240.0.0.0/4 in via rl0
01400   0     0                         deny icmp from any to any frag
01500   0     0                         deny log logamount 100 icmp from any to 255.255.255.255 in via rl0
01600   0     0                         deny log logamount 100 icmp from any to 255.255.255.255 out via rl0
01700   2    86 Wed Nov 12 17:52:51 2008 divert 8668 ip from 10.0.0.0/24 to any out via rl0
01800   9  1545 Wed Nov 12 17:52:53 2008 divert 8668 ip from any to 192.168.1.18 in via rl0
01900   0     0                         deny ip from 10.0.0.0/8 to any out via rl0
02000   0     0                         deny ip from 172.16.0.0/12 to any out via rl0
02100   0     0                         deny ip from 0.0.0.0/8 to any out via rl0
02200   0     0                         deny ip from 169.254.0.0/16 to any out via rl0
02300   0     0                         deny ip from 224.0.0.0/4 to any out via rl0
02400   0     0                         deny ip from 240.0.0.0/4 to any out via rl0
02500   0     0                         allow icmp from any to any icmptypes 0,8,11
02600 157  7825 Wed Nov 12 17:53:15 2008 allow ip from any to 10.0.0.0/24 in via nfe0
02700 249 63564 Wed Nov 12 17:53:15 2008 allow ip from 10.0.0.0/24 to any out via nfe0
02800   6   252 Wed Nov 12 17:52:51 2008 allow tcp from any to any established
02900   0     0                         allow udp from any to 192.168.1.18 dst-port 53 in via rl0
03000   0     0                         allow udp from 192.168.1.18 53 to any out via rl0
03100   8  1505 Wed Nov 12 17:52:53 2008 allow udp from any 53 to 192.168.1.18 in via rl0
03200   8   636 Wed Nov 12 17:52:53 2008 allow udp from 192.168.1.18 to any dst-port 53 out via rl0
03300   0     0                         allow udp from any to any dst-port 123 via rl0
03400   0     0                         allow tcp from any to 192.168.1.18 dst-port 53 in via rl0 setup
03500   0     0                         allow tcp from any to 192.168.1.18 dst-port 80 via rl0
03600   0     0                         allow tcp from any to 192.168.1.18 dst-port 22 in via rl0 setup
03700   0     0                         allow tcp from any to 192.168.1.18 dst-port 110,25 via rl0
03800   0     0                         allow tcp from any to 192.168.1.18 dst-port 49152-65535 via rl0
03900   0     0                         allow udp from any 27000-27025 to 10.0.0.0/24 in via rl0
04000   0     0                         allow udp from any 27000-27025 to 10.0.0.0/24 out via nfe0
04100   0     0                         allow udp from 10.0.0.0/24 to any dst-port 27000-27025 in via nfe0
04200   0     0                         allow udp from 192.168.1.18 to any dst-port 27000-27025 out via rl0
04300   0     0                         deny log logamount 100 tcp from any to 192.168.1.18 in via rl0 setup
04400   0     0                         allow tcp from 192.168.1.18 to any out via rl0 setup
04500   0     0                         allow tcp from any to 192.168.1.18 in via nfe0 setup
04600   0     0                         pipe 100 ip from 91.192.153.82 20,21 to 10.0.0.0/24
04700   0     0                         pipe 100 ip from 10.0.0.0/24 to 91.192.153.82 dst-port 20,21
04800   0     0                         pipe 1 ip from not 10.0.0.0/24 to table(1)
04900   0     0                         pipe 2 ip from table(1) to not me
05000   0     0                         pipe 3 ip from not 10.0.0.0/24 to table(2)
05100   0     0                         pipe 4 ip from table(2) to not me
05200   0     0                         pipe 5 ip from not 10.0.0.0/24 to table(3)
05300  15  1024 Wed Nov 12 17:53:09 2008 pipe 6 ip from table(3) to not me
05400   0     0                         pipe 7 ip from not 10.0.0.0/24 to table(4)
05500   0     0                         pipe 8 ip from table(4) to not me
05600   0     0                         pipe 9 ip from not 10.0.0.0/24 to table(5)
05700   0     0                         pipe 10 ip from table(5) to not me
05800  36  1728 Wed Nov 12 17:53:12 2008 allow tcp from table(0) to not 10.0.0.0/24 setup keep-state
05900  12   804 Wed Nov 12 17:53:00 2008 deny ip from any to any
65535   0     0                         deny ip from any to any

в чем может быть трабл не знаю!

[paradox]

Код: Выделить всё

05810  allow all from not 10.0.0.0/24 to  from table(0) 

добавь

[Yam]

А где хоть одно правило которое разрешало бы пакетам из сети 10.0.0.0/24 покидать ваш шлюз через внешний интерфейс?

[harmless]

Код: Выделить всё

05810  allow all from not 10.0.0.0/24 to  from table(0) 

добавь

>>>>

Код: Выделить всё

harmless# ipfw -at show
00100    0      0                         check-state
00200    0      0                         allow ip from any to any via lo0
00300 1291 231926 Wed Nov 12 18:30:21 2008 count ip from 10.0.0.0/24 to any
00400    0      0                         deny ip from any to 127.0.0.0/8
00500    0      0                         deny ip from 127.0.0.0/8 to any
00600    0      0                         deny ip from 10.0.0.0/24 to any in via rl0
00700    0      0                         deny ip from 192.168.1.0/24 to any in via nfe0
00800    0      0                         deny ip from any to 10.0.0.0/8 in via rl0
00900    0      0                         deny ip from any to 172.16.0.0/12 in via rl0
01000    0      0                         deny ip from any to 0.0.0.0/8 in via rl0
01100    0      0                         deny ip from any to 169.254.0.0/16 in via rl0
01200    0      0                         deny ip from any to 224.0.0.0/4 in via rl0
01300    0      0                         deny ip from any to 240.0.0.0/4 in via rl0
01400    0      0                         deny icmp from any to any frag
01500    0      0                         deny log logamount 100 icmp from any to 255.255.255.255 in via rl0
01600    0      0                         deny log logamount 100 icmp from any to 255.255.255.255 out via rl0
01700    4    183 Wed Nov 12 18:30:09 2008 divert 8668 ip from 10.0.0.0/24 to any out via rl0
01800    5    496 Wed Nov 12 18:30:09 2008 divert 8668 ip from any to 192.168.1.18 in via rl0
01900    0      0                         deny ip from 10.0.0.0/8 to any out via rl0
02000    0      0                         deny ip from 172.16.0.0/12 to any out via rl0
02100    0      0                         deny ip from 0.0.0.0/8 to any out via rl0
02200    0      0                         deny ip from 169.254.0.0/16 to any out via rl0
02300    0      0                         deny ip from 224.0.0.0/4 to any out via rl0
02400    0      0                         deny ip from 240.0.0.0/4 to any out via rl0
02500    0      0                         allow icmp from any to any icmptypes 0,8,11
02600  473  22820 Wed Nov 12 18:30:21 2008 allow ip from any to 10.0.0.0/24 in via nfe0
02700  798 208164 Wed Nov 12 18:30:21 2008 allow ip from 10.0.0.0/24 to any out via nfe0
02800   14    718 Wed Nov 12 18:30:09 2008 allow tcp from any to any established
02900    0      0                         allow udp from any to 192.168.1.18 dst-port 53 in via rl0
03000    0      0                         allow udp from 192.168.1.18 53 to any out via rl0
03100    2    320 Wed Nov 12 18:29:16 2008 allow udp from any 53 to 192.168.1.18 in via rl0
03200    2    130 Wed Nov 12 18:29:15 2008 allow udp from 192.168.1.18 to any dst-port 53 out via rl0
03300    0      0                         allow udp from any to any dst-port 123 via rl0
03400    0      0                         allow tcp from any to 192.168.1.18 dst-port 53 in via rl0 setup
03500    0      0                         allow tcp from any to 192.168.1.18 dst-port 80 via rl0
03600    0      0                         allow tcp from any to 192.168.1.18 dst-port 22 in via rl0 setup
03700    0      0                         allow tcp from any to 192.168.1.18 dst-port 110,25 via rl0
03800    0      0                         allow tcp from any to 192.168.1.18 dst-port 49152-65535 via rl0
03900    0      0                         allow udp from any 27000-27025 to 10.0.0.0/24 in via rl0
04000    0      0                         allow udp from any 27000-27025 to 10.0.0.0/24 out via nfe0
04100    0      0                         allow udp from 10.0.0.0/24 to any dst-port 27000-27025 in via nfe0
04200    0      0                         allow udp from 192.168.1.18 to any dst-port 27000-27025 out via rl0
04300    0      0                         deny log logamount 100 tcp from any to 192.168.1.18 in via rl0 setup
04400    0      0                         allow tcp from 192.168.1.18 to any out via rl0 setup
04500    0      0                         allow tcp from any to 192.168.1.18 in via nfe0 setup
04600    0      0                         pipe 100 ip from 91.192.153.82 20,21 to 10.0.0.0/24
04700    0      0                         pipe 100 ip from 10.0.0.0/24 to 91.192.153.82 dst-port 20,21
04800    0      0                         pipe 1 ip from not 10.0.0.0/24 to table(1)
04900    0      0                         pipe 2 ip from table(1) to not me
05000    0      0                         pipe 3 ip from not 10.0.0.0/24 to table(2)
05100    0      0                         pipe 4 ip from table(2) to not me
05200    0      0                         pipe 5 ip from not 10.0.0.0/24 to table(3)
05300   12    576 Wed Nov 12 18:30:14 2008 pipe 6 ip from table(3) to not me
05400    0      0                         pipe 7 ip from not 10.0.0.0/24 to table(4)
05500    0      0                         pipe 8 ip from table(4) to not me
05600    0      0                         pipe 9 ip from not 10.0.0.0/24 to table(5)
05700    0      0                         pipe 10 ip from table(5) to not me
05800   56   2688 Wed Nov 12 18:30:18 2008 allow tcp from table(0) to not 10.0.0.0/24 in via nfe0 setup keep-state
05900    0      0                         allow ip from not 10.0.0.0/24 to table(0)
06000    3     88 Wed Nov 12 18:29:21 2008 deny ip from any to any
65535    3     84 Wed Nov 12 18:29:15 2008 deny ip from any to any

[harmless]

А где хоть одно правило которое разрешало бы пакетам из сети 10.0.0.0/24 покидать ваш шлюз через внешний интерфейс?

Правила написаны по примеру Лиса с одной лишь разницей что трубы добавлены!
А трубы разве не действуют как разрешающие правила!???

[Yam]

А где хоть одно правило которое разрешало бы пакетам из сети 10.0.0.0/24 покидать ваш шлюз через внешний интерфейс?

Правила написаны по примеру Лиса с одной лишь разницей что трубы добавлены!

[paradox]

Код: Выделить всё

05800   allow all from table(0) to not 10.0.0.0/24
05900    allow ip from not 10.0.0.0/24 to table(0)

пробуй так

[harmless]

Код: Выделить всё

05800   allow all from table(0) to not 10.0.0.0/24
05900    allow ip from not 10.0.0.0/24 to table(0)

пробуй так

Код: Выделить всё

05800   56   2688 Wed Nov 12 18:30:18 2008 allow tcp from table(0) to not 10.0.0.0/24 in via nfe0 setup keep-state
05900    0      0                         allow ip from not 10.0.0.0/24 to table(0)

с таким раскладом ни один пакет не проходит через второе правило
у меня таки подозрения в сторону труб!

[harmless]

Код: Выделить всё

harmless# ipfw -at show
00100    0      0                         check-state
00200    0      0                         allow ip from any to any via lo0
00300 1346 224930 Wed Nov 12 18:47:47 2008 count ip from 10.0.0.0/24 to any
00400    0      0                         deny ip from any to 127.0.0.0/8
00500    0      0                         deny ip from 127.0.0.0/8 to any
00600    0      0                         deny ip from 10.0.0.0/24 to any in via rl0
00700    0      0                         deny ip from 192.168.1.0/24 to any in via nfe0
00800    0      0                         deny ip from any to 10.0.0.0/8 in via rl0
00900    0      0                         deny ip from any to 172.16.0.0/12 in via rl0
01000    0      0                         deny ip from any to 0.0.0.0/8 in via rl0
01100    0      0                         deny ip from any to 169.254.0.0/16 in via rl0
01200    0      0                         deny ip from any to 224.0.0.0/4 in via rl0
01300    0      0                         deny ip from any to 240.0.0.0/4 in via rl0
01400    0      0                         deny icmp from any to any frag
01500    0      0                         deny log logamount 100 icmp from any to 255.255.255.255 in via rl0
01600    0      0                         deny log logamount 100 icmp from any to 255.255.255.255 out via rl0
01700    3    143 Wed Nov 12 18:47:35 2008 divert 8668 ip from 10.0.0.0/24 to any out via rl0
01800    4    420 Wed Nov 12 18:47:35 2008 divert 8668 ip from any to 192.168.1.18 in via rl0
01900    0      0                         deny ip from 10.0.0.0/8 to any out via rl0
02000    0      0                         deny ip from 172.16.0.0/12 to any out via rl0
02100    0      0                         deny ip from 0.0.0.0/8 to any out via rl0
02200    0      0                         deny ip from 169.254.0.0/16 to any out via rl0
02300    0      0                         deny ip from 224.0.0.0/4 to any out via rl0
02400    0      0                         deny ip from 240.0.0.0/4 to any out via rl0
02500    0      0                         allow icmp from any to any icmptypes 0,8,11
02600  494  23868 Wed Nov 12 18:47:47 2008 allow ip from any to 10.0.0.0/24 in via nfe0
02700  843 200632 Wed Nov 12 18:47:47 2008 allow ip from 10.0.0.0/24 to any out via nfe0
02800   10    486 Wed Nov 12 18:47:35 2008 allow tcp from any to any established
02900    0      0                         allow udp from any to 192.168.1.18 dst-port 53 in via rl0
03000    0      0                         allow udp from 192.168.1.18 53 to any out via rl0
03100    2    320 Wed Nov 12 18:47:24 2008 allow udp from any 53 to 192.168.1.18 in via rl0
03200    2    130 Wed Nov 12 18:47:24 2008 allow udp from 192.168.1.18 to any dst-port 53 out via rl0
03300    0      0                         allow udp from any to any dst-port 123 via rl0
03400    0      0                         allow tcp from any to 192.168.1.18 dst-port 53 in via rl0 setup
03500    0      0                         allow tcp from any to 192.168.1.18 dst-port 80 via rl0
03600    0      0                         allow tcp from any to 192.168.1.18 dst-port 22 in via rl0 setup
03700    0      0                         allow tcp from any to 192.168.1.18 dst-port 110,25 via rl0
03800    0      0                         allow tcp from any to 192.168.1.18 dst-port 49152-65535 via rl0
03900    0      0                         allow udp from any 27000-27025 to 10.0.0.0/24 in via rl0
04000    0      0                         allow udp from any 27000-27025 to 10.0.0.0/24 out via nfe0
04100    0      0                         allow udp from 10.0.0.0/24 to any dst-port 27000-27025 in via nfe0
04200    0      0                         allow udp from 192.168.1.18 to any dst-port 27000-27025 out via rl0
04300    0      0                         deny log logamount 100 tcp from any to 192.168.1.18 in via rl0 setup
04400    0      0                         allow tcp from 192.168.1.18 to any out via rl0 setup
04500    0      0                         allow tcp from any to 192.168.1.18 in via nfe0 setup
04600    0      0                         pipe 100 ip from 91.192.153.82 20,21 to 10.0.0.0/24
04700    0      0                         pipe 100 ip from 10.0.0.0/24 to 91.192.153.82 dst-port 20,21
04800   18    864 Wed Nov 12 18:47:47 2008 allow tcp from table(0) to not 10.0.0.0/24 in via nfe0 setup keep-state
04900    0      0                         allow ip from not 10.0.0.0/24 to table(0)
05000    4    116 Wed Nov 12 18:47:34 2008 deny ip from any to any
65535    3     84 Wed Nov 12 18:29:15 2008 deny ip from any to any

[paradox]

ты разницу между тем что я дал и тем что ты добавляешь видишь?))))

[Yam]

Код: Выделить всё

05800   allow all from table(0) to not 10.0.0.0/24
05900    allow ip from not 10.0.0.0/24 to table(0)

пробуй так

Код: Выделить всё

05800   56   2688 Wed Nov 12 18:30:18 2008 allow tcp from table(0) to not 10.0.0.0/24 in via nfe0 setup keep-state
05900    0      0                         allow ip from not 10.0.0.0/24 to table(0)

с таким раскладом ни один пакет не проходит через второе правило
у меня таки подозрения в сторону труб!

Ну так убирите трубы и убедитесь что дело не в них. А в правило 5900 ничего не попадает потому что проваливается в правило 2600, так как судя по вашему конфигу в table(0) адреса только из сети 10.0.0.0/24

[harmless]

ты разницу между тем что я дал и тем что ты добавляешь видишь?))))

Вижу!
Извени!
Только мне кто-то может обьяснить зачем тогда нужно

Код: Выделить всё

setup keep-state

(с ними не пашет)

[paradox]

фаервол пишеться исходя из познаний в его работе
а не из примеров)))

[Yam]

Только мне кто-то может обьяснить зачем тогда нужно

Код: Выделить всё

setup keep-state

(с ними не пашет)

Применительно к tcp разрешает прохождение пакетов с установленным флагом SYN и добавляет обратную запись в динамическую таблицу, которую за тем просматривает check-state.

фаервол пишеться исходя из познаний в его работе
а не из примеров)))

абсолютно согласен, толку от переписанного у Лисяры конфига, если не понятен даже смысл.

[harmless]

Смысл понятен только не совсем до конца!
Вот одно уже чуток понятно про setup и keep-state
Спасибо за разяснения!

[paradox]

давече на опеннете видел обьяснение некоего Владимира
по поводу setup и keep-state
когда что и для чего
очень кратко
и очень правильно
найди почитай))

[harmless]

Есть догадка у меня насчет setup и keep-state:
если правила в которых они присутствуют позначают пакеты как SYN то в

Код: Выделить всё

harmless# cat /etc/rc.conf
keymap="ru.koi8-r"
ifconfig_nfe0="inet 10.0.0.1  netmask 255.255.255.0"
linux_enable="YES"
rpcbind_enable="YES"
sshd_enable="YES"
named_enable="NO"
named_flags="-u bind"
inetd_enable="YES"
hostname="harmless.bc-gold.kiev.ua"
ifconfig_rl0="inet 192.168.1.18  netmask 255.255.255.0"
router_flags="-q"
router="/sbin/routed"
router_enable="YES"
gateway_enable="YES"
defaultrouter="192.168.1.1"
firewall_enable="YES"
firewall_script="/etc/firewall.conf"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-m -u "
firewall_logging="YES"
[b]tcp_drop_synfin="YES"[/b]

будет отбрасывать ети пакеты???
Или я ошибаюсь?