День добрый!
Стоит шлюз FreeBSD 6.2-STABLE
две сетевые локаль-мир
запущены НАТ, фаерволл, сквид, мпд.
Проблема заключается в том, что пользователи из сети не могут ни пролезть терминалом в и-нет, ни забраться на ФТП, ни даже пропинговать мир.
Конфиг НАТ:
same_ports yes
use_sockets yes
unregistered_only yes
interface rl0
port 8668
фаерволл
[Ss][Ii][Mm][Pp][Ll][Ee])
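oif="rl0"
onet="xxx.xxx.xxx.xxx"      # network of the default gateway (redacted by the author)
omask="255.255.255.252"
oip="xxx.xxx.xxx.xxx"       # this host's public IP on ${oif} (redacted by the author)
iif="vr0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.7"
setup_loopback

# Anti-spoofing: the LAN prefix must never arrive on the outside interface,
# and the outside prefix must never arrive on the LAN interface.
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Private (RFC1918), "this" network, link-local, documentation, multicast
# and reserved prefixes: first as destinations, later (after NAT) as sources.
bogon_nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
  169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

# Nothing may leave (or enter) ${oif} addressed to one of those prefixes.
for net in ${bogon_nets}; do
  ${fwcmd} add deny all from any to ${net} via ${oif}
done

# NAT has to sit between the two bogon blocks: an outbound LAN packet gets
# its source rewritten to ${oip} here and therefore survives the
# "deny from private sources" block below; an inbound reply to ${oip} gets
# its destination rewritten back to the LAN host.
case ${natd_enable} in
[Yy][Ee][Ss])
  if [ -n "${natd_interface}" ]; then
    # Earlier attempts, kept for reference:
    # ${fwcmd} add divert natd all from 192.168.0.0/24 to any out xmit rl0 recv vr0
    # ${fwcmd} add divert natd ip from any to xxx.xxx.xxx.xxx in recv ${natd_interface}   (public IP)
    # ${fwcmd} add divert natd all from not 192.168.0.0/24 to xxx.xxx.xxx.xxx recv rl0   (public IP)
    #
    # The previous live pair of rules had two defects: the outbound rule
    # matched only the single host 192.168.0.100, so every other LAN host
    # kept its 192.168.0.x source address and was dropped by the
    # "deny from 192.168.0.0/16 via ${oif}" rule below; and both rules
    # omitted the protocol/"from" part that ipfw's parser expects, so they
    # most likely never loaded at all (verify with "ipfw show").
    # The stock rc.firewall form below translates both directions.
    ${fwcmd} add divert natd all from any to any via ${natd_interface}
  fi
  ;;
esac

# Nothing may leave (or enter) ${oif} with one of the bogon prefixes as
# source. Outbound LAN traffic already has ${oip} as source at this point.
for net in ${bogon_nets}; do
  ${fwcmd} add deny all from ${net} to any via ${oif}
done

# Replies to connections that are already open, and non-first fragments.
${fwcmd} add pass tcp from any to any established
${fwcmd} add pass all from any to any frag

# Services reachable on the public address.
# NOTE(review): 53/udp (an open resolver), 3389 (RDP) and 3000 are exposed
# to the whole Internet by these rules; restrict the source prefix if they
# are meant for the LAN only.
${fwcmd} add pass tcp from any to ${oip} 22 setup
${fwcmd} add pass tcp from any to ${oip} 25 setup
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
${fwcmd} add pass tcp from any to ${oip} 80 setup
${fwcmd} add pass tcp from any to ${oip} 110 setup
${fwcmd} add pass tcp from any to ${oip} 3389 setup
${fwcmd} add pass tcp from any to ${oip} 3000 setup

# echo reply, echo request, time exceeded (ping and traceroute).
${fwcmd} add pass icmp from any to any icmptypes 0,8,11

# PPTP control channel and GRE transport for mpd.
${fwcmd} add allow tcp from any to me 1723
${fwcmd} add allow gre from any to any

# Log and drop any other inbound connection attempt on ${oif}; new TCP
# connections from the LAN and from this host are allowed.
${fwcmd} add deny log tcp from any to any in via ${oif} setup
${fwcmd} add pass tcp from any to any setup

# Outgoing DNS and NTP from this host, replies admitted via dynamic rules.
${fwcmd} add pass udp from ${oip} to any 53 keep-state
${fwcmd} add pass udp from ${oip} to any 123 keep-state

# NOTE(review): this final rule makes the ruleset default-allow: every UDP
# and ICMP packet not matched above passes in both directions, so the
# service rules above only matter for TCP. The stock "simple" ruleset
# relies on the kernel's default deny instead; once NAT works, consider
# replacing this with "${fwcmd} add deny log all from any to any".
${fwcmd} add allow all from any to any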
мучаюсь уже с неделю... подскажите кто-нибудь...