>Вопрос только в том, как новость повлияла на то, что "перестали нормально работать правила
>фаервола". Я, например, вижу только увеличение производительности и смену системы логирования,
>но сами правила должны работать.
>Кстати, а какие именно правила перестали работать?
Все правила, если их взять по отдельности, прекрасно работают; дело в том, что с набором правил, который работал на предыдущей системе, теперь не работает NAT.
Вот правила:
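# ipfw ruleset for a gateway that hands traffic on em0 to natd.
# Interface roles are inferred from the rules themselves: em1 is fully trusted
# (rule 40) and em0 is where translation is applied (rules 60 and 10000).
# NOTE(review): confirm the interface roles against the actual host.
ipfw="/sbin/ipfw"

# Start from an empty ruleset (-f skips the confirmation prompt).
${ipfw} -f flush

# GRE is accepted from any source on any interface before any other check.
# NOTE(review): presumably for PPTP (TCP/1723 is allowed out at rule 1630);
# consider limiting this to the known tunnel peers.
${ipfw} add 1 allow gre from any to any

# Everything seen on em1 or on loopback is accepted without further filtering.
${ipfw} add 40 allow all from any to any via em1
${ipfw} add 41 allow all from any to any via lo0

# Anti-spoofing: loopback addresses are dropped on every other interface.
${ipfw} add 42 deny ip from any to 127.0.0.0/8
${ipfw} add 43 deny ip from 127.0.0.0/8 to any

# TCP/80 that is not from 10.3.34.252 and not destined for 10.0.0.0/8 is
# forwarded to 10.3.33.33:3129 (presumably a transparent proxy -- confirm).
${ipfw} add 50 fwd 10.3.33.33,3129 tcp from not 10.3.34.252 to not 10.0.0.0/8 80

# Inbound packets on em0 go to natd first so that replies are de-translated
# before the stateful checks below.
${ipfw} add 60 divert natd all from any to any in via em0

# A packet that matches an existing dynamic state takes the action of the rule
# that created the state. For every keep-state rule below that action is
# "skipto 10000", not "allow".
# NOTE(review): rule 10000 only matches "out via em0", so an inbound reply that
# hits a state jumps to 10000, does not match it, and ends at the default rule
# 65535. Check whether the kernel default policy is accept or deny on the
# upgraded system.
${ipfw} add 100 check-state

############## Outgoing ################
# Each rule creates a dynamic state and jumps to the NAT rule (10000).
# ICMP has no interface or direction qualifier, so it matches on every path.
${ipfw} add 1000 skipto 10000 icmp from any to any keep-state
${ipfw} add 1100 skipto 10000 udp from any to any 123 out via em0 keep-state
${ipfw} add 1200 skipto 10000 udp from any to any 53 out via em0 keep-state
${ipfw} add 1300 skipto 10000 tcp from any to any 53 out via em0 setup keep-state

# Per-port allow list for internal clients (10.0.0.0/8) leaving via em0.
${ipfw} add 1500 skipto 10000 tcp from 10.0.0.0/8 to any 20 out via em0 setup keep-state
${ipfw} add 1510 skipto 10000 tcp from 10.0.0.0/8 to any 21 out via em0 setup keep-state
${ipfw} add 1520 skipto 10000 udp from 10.0.0.0/8 to any 20 out via em0 keep-state
${ipfw} add 1530 skipto 10000 udp from 10.0.0.0/8 to any 21 out via em0 keep-state
${ipfw} add 1540 skipto 10000 tcp from 10.0.0.0/8 to any 22 out via em0 setup keep-state
${ipfw} add 1550 skipto 10000 tcp from 10.0.0.0/8 to any 23 out via em0 setup keep-state
${ipfw} add 1560 skipto 10000 tcp from 10.0.0.0/8 to any 25 out via em0 setup keep-state
${ipfw} add 1570 skipto 10000 tcp from 10.0.0.0/8 to any 110 out via em0 setup keep-state
${ipfw} add 1580 skipto 10000 tcp from 10.0.0.0/8 to any 143 out via em0 setup keep-state
${ipfw} add 1590 skipto 10000 tcp from 10.0.0.0/8 to any 443 out via em0 setup keep-state
${ipfw} add 1600 skipto 10000 tcp from 10.0.0.0/8 to any 540 out via em0 setup keep-state
${ipfw} add 1610 skipto 10000 tcp from 10.0.0.0/8 to any 1433 out via em0 setup keep-state
${ipfw} add 1620 skipto 10000 udp from 10.0.0.0/8 to any 1434 out via em0 keep-state
${ipfw} add 1630 skipto 10000 tcp from 10.0.0.0/8 to any 1723 out via em0 setup keep-state
${ipfw} add 1640 skipto 10000 tcp from 10.0.0.0/8 to any 2041 out via em0 setup keep-state
${ipfw} add 1650 skipto 10000 tcp from 10.0.0.0/8 to any 2042 out via em0 setup keep-state
${ipfw} add 1660 skipto 10000 tcp from 10.0.0.0/8 to any 2802 out via em0 setup keep-state
${ipfw} add 1670 skipto 10000 tcp from 10.0.0.0/8 to any 3306 out via em0 setup keep-state
${ipfw} add 1680 skipto 10000 tcp from 10.0.0.0/8 to any 4005 out via em0 setup keep-state
${ipfw} add 1690 skipto 10000 tcp from 10.0.0.0/8 to any 5000 out via em0 setup keep-state
${ipfw} add 1700 skipto 10000 tcp from 10.0.0.0/8 to any 5190 out via em0 setup keep-state
${ipfw} add 1710 skipto 10000 tcp from 10.0.0.0/8 to any 5222 out via em0 setup keep-state
${ipfw} add 1720 skipto 10000 tcp from 10.0.0.0/8 to any 6099 out via em0 setup keep-state
${ipfw} add 1730 skipto 10000 tcp from 10.0.0.0/8 to any 6667 out via em0 setup keep-state
${ipfw} add 1740 skipto 10000 tcp from 10.0.0.0/8 to any 7438 out via em0 setup keep-state
${ipfw} add 1750 skipto 10000 tcp from 10.0.0.0/8 to any 8080 out via em0 setup keep-state
${ipfw} add 1760 skipto 10000 tcp from 10.0.0.0/8 to any 8081 out via em0 setup keep-state
${ipfw} add 1770 skipto 10000 tcp from 10.0.0.0/8 to any 8585 out via em0 setup keep-state
${ipfw} add 1780 skipto 10000 tcp from 10.0.0.0/8 to any 28512 out via em0 setup keep-state
${ipfw} add 1790 skipto 10000 tcp from 10.0.0.0/8 to any 28513 out via em0 setup keep-state

# 10.3.34.252 may open any TCP/UDP session outbound. Rule 10000 excludes this
# source address, so these packets skip to 10000, do not match it, and continue
# to the default rule.
${ipfw} add 5555 skipto 10000 tcp from 10.3.34.252 to any out via em0 setup keep-state
${ipfw} add 5556 skipto 10000 udp from 10.3.34.252 to any out via em0 keep-state

############# Incoming ################
# Explicit drops for ident (113), NetBIOS (137-139) and port 81 arriving on em0.
# Rules 6222 and 6223 were posted with the interface spelled "emo"; ipfw accepts
# any interface name, so they never matched. Corrected to em0.
${ipfw} add 6215 deny tcp from any to any 113 in via em0
${ipfw} add 6220 deny tcp from any to any 137 in via em0
${ipfw} add 6221 deny tcp from any to any 138 in via em0
${ipfw} add 6222 deny tcp from any to any 139 in via em0
${ipfw} add 6223 deny tcp from any to any 81 in via em0

# ICMP to 10.3.34.252: echo reply (0), echo request (8), time exceeded (11).
${ipfw} add 6300 allow icmp from any to 10.3.34.252 in via em0 icmptypes 0,8,11

# Services published on 10.3.34.252: HTTP and FTP. Only the SYN is matched
# here; the rest of each TCP session relies on rule 7777.
${ipfw} add 6500 allow tcp from any to 10.3.34.252 80 in via em0 setup
${ipfw} add 6580 allow tcp from any to 10.3.34.252 20 in via em0 setup
${ipfw} add 6590 allow tcp from any to 10.3.34.252 21 in via em0 setup

# NOTE(review): "setup" tests TCP SYN/ACK flags, so these two UDP rules are not
# expected to match any packet. Left as posted; dropping "setup" would open
# UDP 20/21 to the world, so decide whether the rules are needed at all.
${ipfw} add 6595 allow udp from any to 10.3.34.252 20 in via em0 setup
${ipfw} add 6600 allow udp from any to 10.3.34.252 21 in via em0 setup

# Any TCP segment with ACK or RST set is accepted, on every interface and in
# both directions. No state lookup is involved.
${ipfw} add 7777 allow all from any to any established
###########################################################################################
# Everything that reaches this point is logged and dropped, so rule 10000
# below is reachable only through the "skipto 10000" rules above.
${ipfw} add 8000 deny log all from any to any

# Outbound NAT for every source except 10.3.34.252.
# NOTE(review): this is the last explicit rule. A packet re-injected by natd
# normally resumes at the rule after the divert, which here is the default rule
# 65535. If the upgraded kernel defaults to deny, translated packets are dropped
# right after rule 10000; an explicit allow after it would settle that. Confirm
# the default policy before changing anything.
${ipfw} add 10000 divert natd all from not 10.3.34.252 to any out via em0
###########################################################################################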
После обновления пакеты не выходят через правило 10000