Есть сервак на котором стоит squid и настроен фаервол со следующими правилами.
case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac
${fwcmd} -f flush
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
        # set these to your network and netmask and ip
        net="192.168.200.0"
        mask="255.255.255.0"
        ip="192.168.200.52"
#Zapreshaem proxozdenie fragmentirovannyx paketov
${fwcmd} add deny icmp from any to any frag
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
${fwcmd} add pass tcp from any to any keep-state
#Razreshaem proxozdenie ICMP paketov
${fwcmd} add pass ICMP from 192.168.0.0/16 to me
${fwcmd} add pass ICMP from me to 192.168.0.0/16
${fwcmd} add pass udp from any to any 1024-65535
#Razreshaem rabotu s SMTP protokolom
${fwcmd} add pass tcp from any to any 25
${fwcmd} add pass tcp from any 25 to any
#Razreshaem rabotu s HTTP protokolom
${fwcmd} add pass tcp from 192.168.0.0/16 to ${ip} 80
${fwcmd} add pass tcp from ${ip} 80 to 192.168.0.0/16
${fwcmd} add pass tcp from ${ip} to any 80
#Razreshaem rabotu s DNS serverami
${fwcmd} add pass udp from any to any 53
${fwcmd} add pass udp from any 53 to any
#Razreshem zaxodit' po ssh s mashiny s ip=192.168.4.34,192.168.2.22,192.168.4.16,192.168.6.86
${fwcmd} add pass tcp from 192.168.4.34 to ${ip} 22 setup
${fwcmd} add pass tcp from 192.168.4.22 to ${ip} 22 setup
${fwcmd} add pass tcp from 192.168.4.16 to ${ip} 22 setup
${fwcmd} add pass tcp from 192.168.4.45 to ${ip} 22 setup
${fwcmd} add pass tcp from 192.168.6.86 to ${ip} 22 setup
#Razreshaem rabotat' po ftp s adresa
${fwcmd} add pass tcp from any to any 20 keep-state
${fwcmd} add pass tcp from any to any 21 keep-state
${fwcmd} add pass tcp from me 1024-49151 to any keep-state
${fwcmd} add pass tcp from 192.168.200.52/24 20 to 192.168.0.0/16 1024-49151 keep-state
#cvSUP
${fwcmd} add pass tcp from ${ip} to any 5999 keep-state
#Otkryvaem port 3128
${fwcmd} add pass tcp from 192.168.0.0/16 to ${ip} 3128
${fwcmd} add pass tcp from ${ip} 3128 to 192.168.0.0/16
#Otkryvaem port 1080
${fwcmd} add pass tcp from 192.168.0.0/16 to ${ip} 1080
${fwcmd} add pass tcp from ${ip} 1080 to 192.168.0.0/16
#Otkryvaem porty SNMP
${fwcmd} add pass tcp from any to any 161
${fwcmd} add pass tcp from any 161 to any
${fwcmd} add pass udp from any to any 161
${fwcmd} add pass udp from any 161 to any
# Deny any any
${fwcmd} add deny tcp from any to me 53
${fwcmd} add deny udp from 192.168.6.83 to me 514
${fwcmd} add deny log ip from any to any

из этогшо видно что правила не работают корректно.
proxy# ipfw show
00100     1540     632098 allow ip from any to any via lo0
00200        6        384 deny ip from any to 127.0.0.0/8
00300        0          0 deny ip from 127.0.0.0/8 to any
00400        0          0 deny icmp from any to any frag
00500 22263284 7200410951 allow tcp from any to any established
00600   524833   28807420 allow tcp from any to any keep-state
00700     1608      90064 allow icmp from 192.168.0.0/16 to me
00800        5        296 allow icmp from me to 192.168.0.0/16
00900    71550   11814374 allow udp from any to any dst-port 1024-65535
01000        0          0 allow tcp from any to any dst-port 25
01100        0          0 allow tcp from any 25 to any
01200        0          0 allow tcp from 192.168.0.0/16 to 192.168.200.52 dst-port 80
01300        0          0 allow tcp from 192.168.200.52 80 to 192.168.0.0/16
01400        0          0 allow tcp from 192.168.200.52 to any dst-port 80
01500    74415    5169523 allow udp from any to any dst-port 53
01600        0          0 allow udp from any 53 to any
01700        0          0 allow tcp from 192.168.4.34 to 192.168.200.52 dst-port 22 setup
01800        0          0 allow tcp from 192.168.4.22 to 192.168.200.52 dst-port 22 setup
01900        0          0 allow tcp from 192.168.4.16 to 192.168.200.52 dst-port 22 setup
02000        0          0 allow tcp from 192.168.4.45 to 192.168.200.52 dst-port 22 setup
02100        0          0 allow tcp from 192.168.6.86 to 192.168.200.52 dst-port 22 setup
02200        0          0 allow tcp from any to any dst-port 20 keep-state
02300        0          0 allow tcp from any to any dst-port 21 keep-state
02400        0          0 allow tcp from me 1024-49151 to any keep-state
02500        0          0 allow tcp from 192.168.200.0/24 20 to 192.168.0.0/16 dst-port 1024-49151 keep-state
02700        0          0 allow tcp from 192.168.200.52 to any dst-port 5999 keep-state
02800        0          0 allow tcp from 192.168.0.0/16 to 192.168.200.52 dst-port 3128
02900        0          0 allow tcp from 192.168.200.52 3128 to 192.168.0.0/16
03000        0          0 allow tcp from 192.168.0.0/16 to 192.168.200.52 dst-port 1080
03100        0          0 allow tcp from 192.168.200.52 1080 to 192.168.0.0/16
03200        0          0 allow tcp from any to any dst-port 161
03300        0          0 allow tcp from any 161 to any
03400        0          0 allow udp from any to any dst-port 161
03500        0          0 allow udp from any 161 to any
03600        0          0 deny tcp from any to me dst-port 53
03700        0          0 deny udp from 192.168.6.83 to me dst-port 514
03800      657      44793 deny log ip from any to any
65535        0          0 deny ip from any to any

по ssh можно зайти с любого айпи, даже которого нет в правилах. подозрение у меня на правило  ${fwcmd} add pass tcp from any to any keep-state. Но если его убрать то перестает работать ftp.
может кто сталкивался, как решить проблему?

• FreeBSD-5.3 & ipfw2, jamper, 12:15 , 10-Янв-05, (1)
  • FreeBSD-5.3 & ipfw2, crash, 03:05 , 11-Янв-05, (2)
• FreeBSD-5.3 & ipfw2, mAdDuke, 04:08 , 11-Янв-05, (3)
  • FreeBSD-5.3 & ipfw2, crash, 08:46 , 11-Янв-05, (4)
    • FreeBSD-5.3 & ipfw2, jamper, 10:22 , 11-Янв-05, (5)
      • FreeBSD-5.3 & ipfw2, crash, 11:37 , 11-Янв-05, (6)