Filtering in PF

Posted: 2009-05-07 10:16:21
Igor22
Could someone please tell me why these rules:

Code:

pass in log on $int_if inet proto tcp from $int_net to $dmz_net port $client_to_dmz keep state
pass in log on $int_if inet proto tcp from $int_net to !$dmz_net port $client_to_internet keep state
pass in log on $int_if inet proto tcp from $int_net to $eus_servers port $amadeus_out flags S/SA

are expanded, as shown by pfctl -sr, into

Code:

pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 192.168.2.0/24 port = www flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 192.168.2.0/24 port = https flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 192.168.2.0/24 port = 5190 flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 192.168.2.0/24 port = smtp flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 192.168.2.0/24 port = pop3 flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 195.27.162.31 port = www flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 195.27.162.31 port = https flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 195.27.162.31 port = 8080 flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 195.27.162.31 port = 9876 flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 195.27.162.31 port = 5023 flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to ! 192.168.2.0/24 port = www flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to ! 192.168.2.0/24 port = https flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to ! 192.168.2.0/24 port = 5190 flags S/SA keep state
After all, the rule

Code:

pass in log on $int_if inet proto tcp from $int_net to $eus_servers port $amadeus_out flags S/SA
comes after the rule

Code:

pass in log on $int_if inet proto tcp from $int_net to !$dmz_net port $client_to_internet keep state
so the section

Code:

pass in log on rl2 inet proto tcp from 192.168.1.0/24 to ! 192.168.2.0/24 port = www flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to ! 192.168.2.0/24 port = https flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to ! 192.168.2.0/24 port = 5190 flags S/SA keep state
should come before the section

Code:

pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 195.27.162.31 port = www flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 195.27.162.31 port = https flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 195.27.162.31 port = 8080 flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 195.27.162.31 port = 9876 flags S/SA keep state
pass in log on rl2 inet proto tcp from 192.168.1.0/24 to 195.27.162.31 port = 5023 flags S/SA keep state
Thanks in advance.

Re: Filtering in PF

Posted: 2009-05-07 10:19:24
zingel
Post the config, otherwise this will turn into a six-page guessing game

Re: Filtering in PF

Posted: 2009-05-07 10:27:25
Guest

Code:

#########################_______Macros Tables Lists______####################
#____________________________________Macros___________________________________
ext_if_os="rl0"
ext_if_av="rl1"
int_if="rl2"
dmz_if="rl3"
hostel_if="rl4"

client_to_internet = "{http,https, icq}"
client_to_dmz = "{http,https, icq, smtp, pop3}"
udp_services = "{ domain, ntp }"
mail_server_out = "{smtp, pop3, http, https, ftp, ftp-data}"
mail_server_in = "{smtp, pop3, http}"
admin_ports = "{ssh, 4899}"
icmp_types = "{echoreq}"
amadeus_out = "{http, https, 8080, 9876, 5023}"

server="{192.168.1.1, 2.2.2.2}"
server_external="2.2.2.10"
server_internal="192.168.2.2"
pdc="192.168.1.1"
admin_pc = "{192.168.1.31}"

amadeus_servers = "{195.27.162.31}"

int_net="192.168.1.0/24"
dmz_net="192.168.2.0/24"
#_____________________________________Tables____________________________________
#table <spamd-white> persist
table <internal_servers> persist {192.168.1.1, 2.2.2.2, 192.168.2.2}
############################__________Options__________#########################
set skip on lo
set block-policy return
set loginterface $int_if
############################___________Scrub____________#########################
scrub in
############################___________ALTQ______________#########################
#altq on $dmz_if cbq bandwidth 2Mb queue { std, ssh, ftp }
#____________________________________Outbound__________________________________________
#_____________________________________Inbound___________________________________________
######################_______________NAT & RDR______________####################
no nat on $ext_if_os from $dmz_net to any
nat on $ext_if_os from $int_if:network to any -> ($ext_if_os:0)
rdr pass on $int_if proto tcp from $int_net to $server port 25 -> 127.0.0.1 port 5000
rdr pass on $int_if proto tcp from $int_net to $server port 110 -> 127.0.0.1 port 5001

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
#rdr-anchor "relayd/*"

binat on $ext_if_os from $server_internal to any -> $server_external

rdr on $int_if proto tcp from $int_net to $server_external port {smtp, pop3, http} -> $server_internal
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
##########################____________Filter____________############################
anchor "ftp-proxy/*"
block log(all) all
pass out log keep state
pass in log(all) inet proto icmp all icmp-type $icmp_types keep state
pass out log on $ext_if_os from $ext_if_os to any
pass proto {tcp,udp} from $admin_pc to any port $admin_ports

pass in log on $int_if inet proto tcp from $int_net to $dmz_net port $client_to_dmz keep state
pass in log on $int_if inet proto tcp from $int_net to !$dmz_net port $client_to_internet keep state

pass in log on $int_if inet proto tcp from $int_net to $amadeus_servers port $amadeus_out flags S/SA
pass in on $int_if inet proto udp from <internal_servers> to any port $udp_services
pass in on $dmz_if inet proto udp from $server_internal to $pdc port $udp_services
pass in log on $dmz_if inet proto tcp from $server_internal to any port $mail_server_out flags S/SA modulate state
pass in log on $ext_if_os inet proto tcp from any to $server_internal port $mail_server_in flags S/SA modulate state
pass in log on $ext_if_os inet proto udp from any to $server_internal

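As an added example (not code from the thread), this Python script reproduces pfctl's macro substitution and {} list expansion on the three questioned rules, using the macro values from the config above, so the flat list can be compared line by line with pfctl -sr. Expansion is strictly order-preserving: each source rule becomes one contiguous block, in source order. Service names are left symbolic (pfctl prints them resolved through /etc/services, e.g. http as www), and the keep state / flags S/SA defaults are not filled in.

```python
import re
from itertools import product

# Constructed excerpt of the thread's pf.conf: only the macros that the three
# questioned rules need, plus those rules in their original order.
PF_CONF = """
int_if="rl2"
client_to_internet = "{http,https, icq}"
client_to_dmz = "{http,https, icq, smtp, pop3}"
amadeus_out = "{http, https, 8080, 9876, 5023}"
amadeus_servers = "{195.27.162.31}"
int_net="192.168.1.0/24"
dmz_net="192.168.2.0/24"
pass in log on $int_if inet proto tcp from $int_net to $dmz_net port $client_to_dmz keep state
pass in log on $int_if inet proto tcp from $int_net to !$dmz_net port $client_to_internet keep state
pass in log on $int_if inet proto tcp from $int_net to $amadeus_servers port $amadeus_out flags S/SA
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')   # name = "value"
LIST_RE = re.compile(r"\{([^}]*)\}")                # { a, b, c }


def parse(conf):
    """Split pf.conf text into a macro table and the rule lines, in file order."""
    macros, rules = {}, []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    return macros, rules


def expand_rule(rule, macros):
    """Substitute $macros textually, then expand every {a, b} list into the
    cartesian product of its members, keeping list order as pfctl does."""
    text = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], rule)
    lists = [[v.strip() for v in m.group(1).split(",")] for m in LIST_RE.finditer(text)]
    template = LIST_RE.sub("{}", text)
    return [template.format(*combo) for combo in product(*lists)]


def expand_ruleset(conf):
    """Return (source rule number, expanded rule) pairs. Expansion only ever
    appends each rule's block in place, so source order is preserved."""
    macros, rules = parse(conf)
    return [(n, r) for n, rule in enumerate(rules, 1) for r in expand_rule(rule, macros)]
```

Since expansion cannot reorder anything, a different order in pfctl -sr output points at the ruleset optimizer (set ruleset-optimization basic, enabled by default on current OpenBSD), which may reorder pass rules that differ only in addresses or ports because the outcome is the same whichever of them matches last. Comparing pfctl -o none -nvf /etc/pf.conf with pfctl -nvf /etc/pf.conf shows whether the optimizer is what moved them.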


Re: Filtering in PF

Posted: 2009-05-07 10:58:26
igor22
I solved the problem by moving the rule, but I'd still like to understand why it happened.
Any ideas?

Re: Filtering in PF

Posted: 2009-05-07 11:04:41
zingel

Code:

pass in log(all)
I have a feeling this is the culprit; try loading the rules one at a time and checking with

Code:

pfctl -vgsr