>rc.conf:
>
>defaultrouter="мой_внешний_ИП"
>gateway_enable="YES"
>hostname="SHLUZ.ChanceOFFICE"
>ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
>
>ppp_enable="YES"
>ppp_mode="ddial"
>ppp_profile="papchap"
>
>firewall_enable="YES"
>firewall_script="/etc/rc.ipfw"
>firewall_loggining="YES"
>firewall_quiet="YES"
>
>natd_enable="YES"
>natd_interface="rl1"
>natd_flags="-f /etc/natd.conf"
>
>mta_start_script=""
>sendmail_enable="NO"
>sendmail_outbound_enable="NO"
>sendmail_msp_queue_enable="NO"
>sendmail_submit_enable="NO"
>
>squid_enable="YES"
>
>sshd_enable="YES"
>
>static_routes="net1"
>route_net1="-net 192.168.1.0 -netmask 255.255.255.0 192.168.0.2"
>
>keymap="ru.koi8-r"
>keychange="61 [[K"
>scrnmap="koi8-r2cp866"
>
>в rc.ipfw
>
># Stop spoofing
>${fwcmd} add deny all from 192.168.0.0/24 to any in via rl1
>
># Stop RFC1918 nets on the outside interface
>${fwcmd} add deny all from any to 10.0.0.0/8 via rl1
>${fwcmd} add deny all from any to 172.16.0.0/12 via rl1
>
># Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
># DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
># on the outside interface
>${fwcmd} add deny all from any to 0.0.0.0/8 via rl1
>${fwcmd} add deny all from any to 169.254.0.0/16 via rl1
>${fwcmd} add deny all from any to 224.0.0.0/4 via rl1
>${fwcmd} add deny all from any to 240.0.0.0/4 via rl1
>
>#squid
>
>${fwcmd} add fwd 127.0.0.1,80 tcp from 192.168.0.0/24 to мой_внешний_ИП 80,8080,443 via rl0
>
>${fwcmd} add fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to any 80 via rl0
>
>${fwcmd} add fwd 127.0.0.1,80 tcp from 192.168.1.0/24 to мой_внешний_ИП 80,8080,443 via rl0
>
>${fwcmd} add fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80 via rl0
>
>
>case ${natd_enable} in
>[Yy][Ee][Ss])
>if [ -n "${natd_interface}" ]; then
>${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
>
>fi
>;;
>esac
>
># Stop RFC1918 nets on the outside interface
>${fwcmd} add deny all from 10.0.0.0/8 to any via rl1
>${fwcmd} add deny all from 172.16.0.0/12 to any via rl1
>${fwcmd} add deny all from 192.168.0.0/16 to any via rl1
>
># Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
># DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
># on the outside interface
>${fwcmd} add deny all from 0.0.0.0/8 to any via rl1
>${fwcmd} add deny all from 169.254.0.0/16 to any via rl1
>${fwcmd} add deny all from 192.168.0.0/24 to any via rl1
>
>..........
>
>#RAdmin on 192.168.0.2
>${fwcmd} add allow log tcp from any to ИП_адрес_машины_снаружи out via tun*
>
>${fwcmd} add allow log tcp from ИП_адрес_машины_снаружи to any 4899 in via
>tun*
>
>..........
>
>
>в natd.conf
>
>log yes
>log_denied yes
>use_sockets yes
>same_ports yes
>unregistered_only yes
>dynamic yes
>interface rl1
>redirect_port tcp 192.168.0.2:4899 4899
>

нат и редирект у тебя висят на физическом интерфейсе (natd_interface="rl1" в rc.conf, interface rl1 в natd.conf, и divert идёт via ${natd_interface}), а правила allow для 4899 написаны via tun*. Раз интерфейсы не совпадают, работать не будет, естественно.