Уже запарился. Ткните носом меня, где нада закрыть, чтобы из нутри нелзя было по http лазить, кроме как явно указать прокси в настройках броузера. Прозрачный прокси не катит, так как имеется аутентификация пользователей. Вот rc.firewall:

    lanout="lnc0"
    lanin="lnc1"
    fw="ip-внешний"
    local="192.168.161.56"
    net="192.168.161.0/24"
    outnet="ip-внешний/16"

    ${fwcmd} -f flush
    setup_loopback
    ${fwcmd} add check-state
    ${fwcmd} add deny icmp from any to any in icmptype 5,9,13,14,15,16,17
    ${fwcmd} add reject ip from ${net} to any in via ${lanout}
    ${fwcmd} add deny all from any to any frag    
    ${fwcmd} add deny log all from ${net} to any in via ${lanout}
    ${fwcmd} add deny log all from ${outnet} to any in via ${lanin}
     ${fwcmd} add 100 fwd ${local},2121 tcp from ${net} to any 21 via ${lanin}
    case ${natd_enable} in
    [Yy][Ee][Ss])
     if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via ${natd_interface}
     fi
     ;;
    esac
    ${fwcmd} add allow all from any to any via ${lanin}
    ${fwcmd} add allow all from any to any via lo0

    ${fwcmd} add allow tcp from any to ${fw} out via  ${lanout} setup
    ${fwcmd} add allow tcp from ${fw} to any out via  ${lanout} setup    
    ${fwcmd} add allow tcp from any to any established

    ${fwcmd} add allow tcp from any to ${fw} 21 setup in via ${lanout}
    ${fwcmd} add allow tcp from ${fw} to any 21 setup out via ${lanout}
    ${fwcmd} add allow tcp from any to ${fw} 20 setup in via ${lanout}
    ${fwcmd} add allow tcp from ${fw} to any 20 setup out via ${lanout}

     ${fwcmd} add allow tcp from any to ${fw} 22 setup in via ${lanout}
    ${fwcmd} add allow tcp from ${fw} to any 22 setup out via ${lanout}

     ${fwcmd} add allow tcp from any to ${fw} 25 setup in via ${lanout}
    ${fwcmd} add allow tcp from ${fw} to any 25 setup out via ${lanout}

     ${fwcmd} add allow tcp from any to ${fw} 110 setup in via ${lanout}
    ${fwcmd} add allow tcp from ${fw} to any 110 setup out via ${lanout}

    ${fwcmd} add allow udp from any to ${fw} 53 setup in via ${lanout}
    ${fwcmd} add allow udp from ${fw} to any 53 setup out via ${lanout}

    ${fwcmd} add deny tcp from any to ${net} 80 setup in via ${lanout} <----
    ${fwcmd} add deny tcp from ${net} to any 80 setup out via ${lanout} <---- (где эту хрень приткнуть)
    ${fwcmd} add allow tcp from any to ${fw} 443 setup in via ${lanout}
    ${fwcmd} add allow tcp from ${fw} to any 443 setup out via ${lanout}
    ${fwcmd} add allow udp from any to ${fw} 995 setup in via ${lanout}
    ${fwcmd} add allow udp from ${fw} to any 995 setup out via ${lanout}
    ${fwcmd} add deny tcp from any to ${fw} 113 setup in via ${lanout}
    ${fwcmd} add deny tcp from any to ${fw} 139 setup in via ${lanout}
    ${fwcmd} add deny tcp from any to ${fw} 389 setup in via ${lanout}
    ${fwcmd} add deny tcp from any to ${fw} 445 setup in via ${lanout}
    ${fwcmd} add deny udp from any 137 to any in via ${lanout}
    ${fwcmd} add deny udp from any to any 137 in via ${lanout}
    ${fwcmd} add deny udp from any 138 to any in via ${lanout}
    ${fwcmd} add deny udp from any 513 to any in via ${lanout}
    ${fwcmd} add deny udp from any 525 to any in via ${lanout}
    ${fwcmd} add allow udp from any 53 to ${fw} in via ${lanout}
    ${fwcmd} add allow udp from ${fw} 53 to any out via ${lanout}
    ${fwcmd} add allow udp from any 123 to ${fw} in via ${lanout}
    ${fwcmd} add allow udp from ${fw} to any 123 out via ${lanout}
    ${fwcmd} add deny udp from any to ${fw} 123 in via ${lanout}
    ${fwcmd} add unreach port udp from any to ${fw} 33435-33524 in via ${lanout}

    ${fwcmd} add allow icmp from any to any in via ${lanout} icmptypes 0,3,4,8,11
    ${fwcmd} add allow icmp from any to any out via ${lanout} icmptypes 0,3,4,8,11

    ${fwcmd} add deny all from any to 255.255.255.255
    ${fwcmd} add deny log all from any to any

• Как зарезать 80 порт, crash, 05:22 , 25-Июл-04, (1)
  • Как зарезать 80 порт, Руля, 12:01 , 25-Июл-04, (2)