ipfw+natd
Доброго времени суток!
не получеться организовать НАТ с помощью ipfw
вот конфиг:
# flush old ruleses
${ipfw} -f flush
# localhost (loopback)
${ipfw} add 10 pass all from any to any via lo0
${ipfw} add 20 deny all from 127.0/8 to any
${ipfw} add 30 deny all from any to 127.0/8
# airnet
${ipfw} add 40 pass all from any to any via rl0
# ground
${ipfw} add 50 pass all from any to any via fxp0
# allow internal traffic
${ipfw} add 60 pass all from ${inet} to ${inet} via ${iif}
# allow VPN
${ipfw} add 70 pass gre from any to any
${ipfw} add 80 pass all from any to any 1723
${ipfw} add 90 pass all from any 1723 to any
${ipfw} add 100 pass all from any to any via ng0
#deny fragmentated packets
${ipfw} add 110 deny all from any to any frag
# icmp
${ipfw} add 120 pass icmp from any to any
# NAT
${ipfw} add 130 divert natd ip from any to ${gip} in via ${gif}
#for dynamic ruls
${ipfw} add 140 check-state
##########################Outbound section#############################
#DNS
${ipfw} add 150 pass tcp from any to any 53 out via ${gif} setup keep-state
${ipfw} add 160 pass udp from any to any 53 out via ${gif} keep-state
#http,https,etc...
${ipfw} add 170 pass tcp from any to any 80,443,8080,8100,8101,8102,8103,8104,8108
out via ${gif} setup keep-state
${ipfw} add 171 pass tcp from any 20,21 to any 1024-65535 out via ${gif} setup
keep-state
#mail
${ipfw} add 180 pass tcp from any to any 25 out via ${gif} setup keep-state
${ipfw} add 190 pass tcp from any to any 110 out via ${gif} setup keep-state
# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
${ipfw} add 200 pass tcp from me to any out via ${gif} setup keep-state uid root
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
${ipfw} add 210 pass tcp from any to any 22 out via ${gif} setup keep-state
#Allow LineAge
${ipfw} add 220 pass tcp from any to 217.23.143.43 out via ${gif} setup keep-state
${ipfw} add 221 pass tcp from any to 212.158.163.219 out via ${gif} setup keep-state
##########################Inbound section################################
# Deny ACK packets that did not match the dynamic rule table
${ipfw} add 230 deny tcp from any to any established in via ${gif}
# Allow in secure FTP, Telnet, and SCP from public Internet
${ipfw} add 240 pass tcp from any to me 22 in via ${gif} setup limit src-addr
2
#Allow ftp service on my server
${ipfw} add 250 pass all from any to me 20,21 in via ${gif} setup limit src-addr
5
#Allow mail server to work
${ipfw} add 260 pass tcp from any to me 25,110 in via ${gif} setup limit src-addr
10
# This is skipto location for outbound stateful rules
${ipfw} add 700 divert natd ip from 192.168.8.108/32 to any out via ${gif}
# deny and log everything else that.s trying to get out.
# This rule enforces the block all by default logic.
${ipfw} add 900 deny log logamount 1000 all from any to any out via ${gif}
# Reject & Log all incoming connections from the outside
${ipfw} add 1000 deny log logamount 1000 all from any to any in via ${gif}
#######################################################################
${ipfw} add 65534 deny all from any to any
где gif - интерфейс смотрит в интернет
fxp и rl0 - в локалку
В данном конфиге работет всё кроме ната..
и ещё:
140 правило, а именно
${ipfw} add 140 check-state
при команде ipfw show показывает понулям!!! так и должно быть???
С уважением, ohitmano.
-*Название листа "[BSD] Решение вопросов по FreeBSD, OpenBSD и NetBSD";
Написать в лист: mailto:comp.soft.bsd.all-list@subscribe.ru
Адрес правил листа http://subscribe.ru/catalog/comp.soft.bsd.all/rules
Номер письма: 2975; Возраст листа: 893; Участников: 938
Адрес сайта рассылки: http://www.linuxrsp.ru
Адрес этого письма в архиве: http://subscribe.ru/archive/comp.soft.bsd.all/msg/580666
