The setup: there is a router, and behind it a LAN that for now consists of 2 machines (the router itself and a workstation); the plan is to put up a web server and a whole lot of other stuff.
The kernel is built like this for now, just for testing; it will be rebuilt later.
Code:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_FORWARD
options IPDIVERT
options DUMMYNET
options IPFIREWALL_DEFAULT_TO_ACCEPT
Code:
00099 allow ip from any to any via lo0
00099 deny ip from any to 127.0.0.0/8
00099 deny ip from 127.0.0.0/8 to any
10109 deny ip from 192.168.1.0/24 to any in via re0
10110 deny ip from 83.234.14.127 to any in via re0
10120 deny tcp from any to 83.234.14.127 in via re0 setup
10130 deny ip from any to 10.0.0.0/8 via re0
10131 deny ip from any to 172.16.0.0/12 via re0
10132 deny ip from any to 192.168.0.0/16 via re0
10140 deny ip from any to 0.0.0.0/8 via re0
10141 deny ip from any to 169.254.0.0/16 via re0
10142 deny ip from any to 192.0.2.0/24 via re0
10143 deny ip from any to 224.0.0.0/4 via re0
10144 deny ip from any to 240.0.0.0/4 via re0
10150 deny ip from any to 255.255.255.255 via re0
10151 deny ip from any to 224.0.0.0/24 in via re0
10152 deny ip from not 192.168.1.0/24 to any in recv re0
10160 deny icmp from any to any frag
10170 deny log logamount 5 icmp from any to 255.255.255.255 in via re0
10171 deny log logamount 5 icmp from any to 255.255.255.255 out via re0
11910 allow ip from 192.168.1.1 to 192.168.1.0/24 out via re1
11910 allow ip from 192.168.1.0/24 to 192.168.1.1 in via re1
11920 allow ip from any 5190 to any out via re1
11920 allow ip from any to any dst-port 5190 in via re1
11930 allow tcp from any 48616 to any out via re1
11930 allow tcp from any to any dst-port 48616 in via re1
11931 allow udp from any 48616 to any out via re1
11931 allow udp from any to any dst-port 48616 in via re1
11940 allow ip from any 80 to any out via re1
11940 allow ip from any to any dst-port 80 in via re1
11941 allow ip from any 443 to any out via re1
11941 allow ip from any to any dst-port 443 in via re1
11950 allow ip from any 110 to any out via re1
11950 allow ip from any to any dst-port 110 in via re1
11951 allow ip from any 25 to any out via re1
11951 allow ip from any to any dst-port 25 in via re1
11960 allow tcp from any 21 to any out via re1
11960 allow tcp from any to any dst-port 21 in via re1
11961 allow tcp from any 20 to any out via re1
11961 allow tcp from any to any dst-port 20 in via re1
11970 allow icmp from any to any icmptypes 0,8,11 out via re1
11980 allow tcp from any 3724,6112,6881-6999 to any out via re1
11980 allow tcp from any to any dst-port 3724,6112,6881-6999 in via re1
12501 divert 8668 ip from any to 83.234.14.127
12501 divert 8668 ip from 192.168.1.0/24 to any
65535 allow ip from any to any
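Added example, not from the post and not ipfw itself: a small Python model of ipfw first-match evaluation over a subset of the rules above, used to trace one web request from a LAN host through the three passes the router performs on it (in on re1, out on re0, and the reply in on re0). The Packet class, parse_rule(), first_match(), trace_web_request() and the Internet address 198.51.100.7 are this example's own constructions; the rule lines are copied from the post as written. With the rules in the posted order, the reply from the Internet is matched by 10152 (deny ip from not 192.168.1.0/24 to any in recv re0) before it ever reaches the divert rule at 12501, which is the kind of ordering effect worth tracing before putting the web server behind this ruleset.

```python
"""Simplified first-match model of an ipfw ruleset (added example, not ipfw itself).

It understands only the keywords the post's rules use: protocol, src/dst with
"not", a bare source port list, dst-port, in/out, via/recv, setup and the log
options. A matching divert rule is reported as the action; nothing is diverted.
"""
import ipaddress
from dataclasses import dataclass

# Subset of the rules from the post, copied as written (re0 = WAN, re1 = LAN).
RULESET = """
00099 allow ip from any to any via lo0
10109 deny ip from 192.168.1.0/24 to any in via re0
10110 deny ip from 83.234.14.127 to any in via re0
10120 deny tcp from any to 83.234.14.127 in via re0 setup
10152 deny ip from not 192.168.1.0/24 to any in recv re0
10170 deny log logamount 5 icmp from any to 255.255.255.255 in via re0
11910 allow ip from 192.168.1.0/24 to 192.168.1.1 in via re1
11940 allow ip from any 80 to any out via re1
11940 allow ip from any to any dst-port 80 in via re1
12501 divert 8668 ip from any to 83.234.14.127
12501 divert 8668 ip from 192.168.1.0/24 to any
65535 allow ip from any to any
"""

@dataclass
class Packet:                # constructed model of what one ipfw pass sees
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str           # "in" or "out": which ipfw pass this is
    iface: str               # interface of this pass (what "via" compares against)
    sport: int = 0
    dport: int = 0
    recv_if: str = ""        # interface the packet arrived on ("recv"); "" = iface
    syn_only: bool = False   # TCP SYN without ACK, i.e. what ipfw "setup" matches

def _addr(tok, i):
    """Parse 'any', 'not X', a host or a CIDR at tok[i]; return (negate, net, next i)."""
    negate = tok[i] == "not"
    i += negate
    net = None if tok[i] == "any" else ipaddress.ip_network(tok[i], strict=False)
    return negate, net, i + 1

def _ports(spec):
    ports = set()
    for part in spec.split(","):             # e.g. "3724,6112,6881-6999"
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    tok = line.split()
    r = {"num": int(tok[0]), "action": tok[1], "sports": None, "dports": None,
         "direction": None, "ifmode": None, "iface": None, "setup": False}
    i = 3 if r["action"] == "divert" else 2            # divert carries a port
    while tok[i] in ("log", "logamount"):               # logging never affects matching
        i += 2 if tok[i] == "logamount" else 1
    r["proto"] = tok[i]
    r["src_neg"], r["src"], i = _addr(tok, i + 2)      # skip "from"
    if tok[i] != "to":                                 # bare port list = source ports
        r["sports"] = _ports(tok[i]); i += 1
    r["dst_neg"], r["dst"], i = _addr(tok, i + 1)      # skip "to"
    while i < len(tok):
        t = tok[i]
        if t == "dst-port":
            r["dports"] = _ports(tok[i + 1]); i += 2
        elif t in ("via", "recv"):
            r["ifmode"], r["iface"] = t, tok[i + 1]; i += 2
        elif t in ("in", "out"):
            r["direction"] = t; i += 1
        elif t == "setup":
            r["setup"] = True; i += 1
        else:
            raise ValueError(f"unsupported keyword {t!r} in rule {tok[0]}")
    return r

def matches(r, p):
    if r["proto"] != "ip" and r["proto"] != p.proto:
        return False
    for neg, net, addr in ((r["src_neg"], r["src"], p.src), (r["dst_neg"], r["dst"], p.dst)):
        hit = net is None or ipaddress.ip_address(addr) in net
        if hit == neg:                 # "not X" matches exactly when X does not
            return False
    if r["sports"] is not None and p.sport not in r["sports"]:
        return False
    if r["dports"] is not None and p.dport not in r["dports"]:
        return False
    if r["direction"] and r["direction"] != p.direction:
        return False
    if r["ifmode"] == "via" and r["iface"] != p.iface:
        return False
    if r["ifmode"] == "recv" and r["iface"] != (p.recv_if or p.iface):
        return False
    return not r["setup"] or (p.proto == "tcp" and p.syn_only)

def first_match(rules, p):
    """Return (number, action) of the first matching rule, as ipfw evaluates it."""
    for r in rules:
        if matches(r, p):
            return r["num"], r["action"]
    raise RuntimeError("no catch-all rule")

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]

def trace_web_request():
    """Constructed packets: LAN host 192.168.1.10 fetches a page from an Internet
    host, for which the documentation address 198.51.100.7 stands in."""
    lan_in = Packet("tcp", "192.168.1.10", "198.51.100.7", "in", "re1", 50000, 80, syn_only=True)
    wan_out = Packet("tcp", "192.168.1.10", "198.51.100.7", "out", "re0", 50000, 80, "re1", True)
    reply = Packet("tcp", "198.51.100.7", "83.234.14.127", "in", "re0", 80, 50000)
    return [first_match(RULES, p) for p in (lan_in, wan_out, reply)]

if __name__ == "__main__":
    for step, (num, act) in zip(("LAN in re1", "WAN out re0", "reply in re0"), trace_web_request()):
        print(f"{step:13s} -> rule {num} {act}")
```

The model is deliberately narrow: it ignores state (check-state/keep-state), the reinjection that follows a real divert, and every keyword the post does not use, so it is only a way to reason about rule order, not a substitute for testing on the box itself.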