Уже запарился. Ткните носом меня, где нада закрыть, чтобы из нутри нелзя было по http лазить, кроме как явно указать прокси в настройках броузера. Прозрачный прокси не катит, так как имеется аутентификация пользователей. Вот rc.firewall:
lanout="lnc0"
lanin="lnc1"
fw="ip-внешний"
local="192.168.161.56"
net="192.168.161.0/24"
outnet="ip-внешний/16"
${fwcmd} -f flush
setup_loopback
${fwcmd} add check-state
${fwcmd} add deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${fwcmd} add reject ip from ${net} to any in via ${lanout}
${fwcmd} add deny all from any to any frag
${fwcmd} add deny log all from ${net} to any in via ${lanout}
${fwcmd} add deny log all from ${outnet} to any in via ${lanin}
${fwcmd} add 100 fwd ${local},2121 tcp from ${net} to any 21 via ${lanin}
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via ${natd_interface}
fi
;;
esac
${fwcmd} add allow all from any to any via ${lanin}
${fwcmd} add allow all from any to any via lo0
${fwcmd} add allow tcp from any to ${fw} out via ${lanout} setup
${fwcmd} add allow tcp from ${fw} to any out via ${lanout} setup
${fwcmd} add allow tcp from any to any established
${fwcmd} add allow tcp from any to ${fw} 21 setup in via ${lanout}
${fwcmd} add allow tcp from ${fw} to any 21 setup out via ${lanout}
${fwcmd} add allow tcp from any to ${fw} 20 setup in via ${lanout}
${fwcmd} add allow tcp from ${fw} to any 20 setup out via ${lanout}
${fwcmd} add allow tcp from any to ${fw} 22 setup in via ${lanout}
${fwcmd} add allow tcp from ${fw} to any 22 setup out via ${lanout}
${fwcmd} add allow tcp from any to ${fw} 25 setup in via ${lanout}
${fwcmd} add allow tcp from ${fw} to any 25 setup out via ${lanout}
${fwcmd} add allow tcp from any to ${fw} 110 setup in via ${lanout}
${fwcmd} add allow tcp from ${fw} to any 110 setup out via ${lanout}
${fwcmd} add allow udp from any to ${fw} 53 setup in via ${lanout}
${fwcmd} add allow udp from ${fw} to any 53 setup out via ${lanout}
${fwcmd} add deny tcp from any to ${net} 80 setup in via ${lanout} <----
${fwcmd} add deny tcp from ${net} to any 80 setup out via ${lanout} <---- (где эту хрень приткнуть)
${fwcmd} add allow tcp from any to ${fw} 443 setup in via ${lanout}
${fwcmd} add allow tcp from ${fw} to any 443 setup out via ${lanout}
${fwcmd} add allow udp from any to ${fw} 995 setup in via ${lanout}
${fwcmd} add allow udp from ${fw} to any 995 setup out via ${lanout}
${fwcmd} add deny tcp from any to ${fw} 113 setup in via ${lanout}
${fwcmd} add deny tcp from any to ${fw} 139 setup in via ${lanout}
${fwcmd} add deny tcp from any to ${fw} 389 setup in via ${lanout}
${fwcmd} add deny tcp from any to ${fw} 445 setup in via ${lanout}
${fwcmd} add deny udp from any 137 to any in via ${lanout}
${fwcmd} add deny udp from any to any 137 in via ${lanout}
${fwcmd} add deny udp from any 138 to any in via ${lanout}
${fwcmd} add deny udp from any 513 to any in via ${lanout}
${fwcmd} add deny udp from any 525 to any in via ${lanout}
${fwcmd} add allow udp from any 53 to ${fw} in via ${lanout}
${fwcmd} add allow udp from ${fw} 53 to any out via ${lanout}
${fwcmd} add allow udp from any 123 to ${fw} in via ${lanout}
${fwcmd} add allow udp from ${fw} to any 123 out via ${lanout}
${fwcmd} add deny udp from any to ${fw} 123 in via ${lanout}
${fwcmd} add unreach port udp from any to ${fw} 33435-33524 in via ${lanout}
${fwcmd} add allow icmp from any to any in via ${lanout} icmptypes 0,3,4,8,11
${fwcmd} add allow icmp from any to any out via ${lanout} icmptypes 0,3,4,8,11
${fwcmd} add deny all from any to 255.255.255.255
${fwcmd} add deny log all from any to any