forum.lissyara.su

Код: Выделить всё

int_if="vr0"
ext_if1="rl1"
ext_gw1="222.222.222.222"
ext_if2="rl0"
ext_gw2="111.111.111.111"
lan1="{ 192.168.12.0/24, !<lan2> }"
table <lan2> persist { 192.168.12.100 }
table <sshguard> persist
set skip on lo0
set block-policy return
scrub in all

nat on $ext_if1 from $lan1 to any -> $ext_if1
nat on $ext_if2 from <lan2> to any -> $ext_if2

block in log quick from <sshguard> label "ssh bruteforce"

pass out on $int_if from any to { $lan1, <lan2> }
pass in quick on $int_if from { $lan1, <lan2> } to $int_if
pass in on $int_if route-to ($ext_if1 $ext_gw1)  from $lan1 to any keep state
pass in on $int_if route-to ($ext_if2 $ext_gw2)  from <lan2> to any keep state
pass out on $ext_if1 from any to any keep state
pass out on $ext_if2 from any to any keep state
pass out on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

pass in on $ext_if1 proto tcp from any to $ext_if1 port ssh
pass in on $ext_if2 proto tcp from any to $ext_if2 port ssh

pass in inet proto icmp all icmp-type echoreq