Может у тебя до нужных правил в Firewall не доходит, срабатывают сначала правила запрета? У меня такое было: потом внимательно пересмотрел, подправил. Можно посмотреть твой конфиг Firewall?
Вот мой конфиг, может народ и мне подскажет, что для безопасности еще добавить! Мне разрешено подключаться на любой комп в Инете по SSH (22), отправлять (25) и забирать (110, 143) почту через внешние почтовики (yandex.ru, mail.ru).
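#!/bin/sh
# ipfw ruleset for a FreeBSD NAT gateway: one internal interface, one
# external interface, natd diverting only SSH and mail sessions from the
# LAN.  Rule order matters: ipfw stops at the first matching rule, so the
# anti-spoofing denies come first, the natd diverts next, and the RFC1918
# *source* denies after the diverts (a LAN packet that was not translated
# still carries a private source address and is dropped there).

iplocal="192.168.1.8"       # gateway address on the internal interface
netlocal="192.168.1.0/24"   # LAN
# Andrew Admin
admin="192.168.1.5"         # administrator's workstation on the LAN
ipout="x.x.x.18"            # external (public) address
iflocal="fxp0"              # internal interface
ifout="xl0"                 # external interface
# Internal mail server the gateway relays to/from on 25/110.  It is
# referenced by the rules below but was never assigned; take it from the
# environment or fill it in here before loading.
exchange="${exchange:-}"
fwcmd="/sbin/ipfw -q"

# Refuse to run with an incomplete configuration *before* the flush:
# after "-f flush" only the kernel's default rule is left, so aborting
# half-way through the list is the worst possible outcome.
if [ -z "${exchange}" ]; then
  printf 'firewall: exchange (internal mail server address) is not set; rules not loaded\n' >&2
  exit 1
fi

# ${fwcmd} is deliberately left unquoted so that "-q" is a separate word.
fw() {
  # shellcheck disable=SC2086
  ${fwcmd} "$@"
}

fw -f flush
fw add pass all from any to any via lo0
fw add deny all from any to 127.0.0.0/8
fw add deny ip from 127.0.0.0/8 to any
# Stop spoofing
fw add deny all from "${ipout}" to any in via "${iflocal}"
fw add deny all from "${netlocal}" to any in via "${ifout}"
fw add deny all from not "${netlocal}" to any in via "${iflocal}"
fw add deny all from any to not "${netlocal}" out via "${iflocal}"
# Nothing addressed to a private range may use the outside interface
fw add deny all from any to 10.0.0.0/8 via "${ifout}"
fw add deny all from any to 172.16.0.0/12 via "${ifout}"
fw add deny all from any to 192.168.0.0/16 via "${ifout}"
# NAT only the sessions the LAN is allowed to open: SSH and mail.
fw add divert natd tcp from "${netlocal}" to not "${netlocal}" 22 out via "${ifout}"
fw add divert natd tcp from any 22 to "${ipout}" in via "${ifout}"
fw add divert natd tcp from "${netlocal}" to not "${netlocal}" 25,110,143 out via "${ifout}"
fw add divert natd tcp from any 25,110,143 to "${ipout}" in via "${ifout}"
# Private *sources* on the outside interface.  Kept after the diverts on
# purpose: LAN traffic that was not translated above is dropped here.
fw add deny all from 10.0.0.0/8 to any via "${ifout}"
# Was 172.26.0.0/12 (typo).  ipfw presumably masks that down to the same
# block, but write the RFC1918 range the way the destination rule does.
fw add deny all from 172.16.0.0/12 to any via "${ifout}"
fw add deny all from 192.168.0.0/16 to any via "${ifout}"
# ICMP: no fragments; no inbound redirect, router advertisement,
# timestamp, information or mask messages.
fw add deny icmp from any to any frag
fw add deny icmp from any to any in icmptype 5,9,13,14,15,16,17
fw add pass icmp from any to any
# "established" matches any segment with ACK/RST set without tracking a
# session.  It is what lets reply traffic through, but it also admits
# unsolicited ACK-flagged packets; keep-state on the setup rules plus a
# check-state here would be the tighter alternative.
fw add pass tcp from any to any established
# DNS/NTP for the gateway itself.  The two "in" rules are already covered
# by the keep-state on the "out" rules that follow, and on their own they
# accept any UDP packet whose source port happens to be 53/123 — they are
# candidates for removal.
fw add pass udp from any 53 to "${ipout}" in via "${ifout}" keep-state
fw add pass udp from any 123 to "${ipout}" in via "${ifout}" keep-state
fw add pass udp from "${ipout}" to any 53 out via "${ifout}" keep-state
fw add pass udp from "${ipout}" to any 123 out via "${ifout}" keep-state
# Outbound sessions opened by the gateway itself
fw add pass tcp from "${ipout},${iplocal}" to any 80,443 out setup
# NOTE(review): the next rule lets the gateway open *any* high port
# outbound; narrow it to the services actually needed if possible.
fw add pass tcp from "${ipout},${iplocal}" to any 1024-65535 out setup
fw add pass tcp from "${ipout},${iplocal}" to any 20,21 out setup
# SSH and mail: the gateway and the admin workstation only (other LAN
# hosts only reach these ports through the diverts above)
fw add pass tcp from "${ipout},${admin}" to any 22 setup
fw add pass tcp from "${ipout},${admin}" to any 25,110,143 setup
fw add deny log tcp from any to any in via "${ifout}" setup
# Services the gateway offers to the LAN: SSH, mail relay, DNS, NTP, proxy
fw add pass tcp from "${netlocal}" to "${iplocal}" 22 in via "${iflocal}" setup
fw add pass tcp from "${iplocal}" to "${exchange}" 25,110 out via "${iflocal}" setup
fw add pass tcp from "${exchange}" to "${iplocal}" 25 in via "${iflocal}" setup
fw add pass udp from "${netlocal}" to "${iplocal}" 53 via "${iflocal}"
fw add pass udp from "${iplocal}" 53 to "${netlocal}" via "${iflocal}"
fw add pass udp from "${netlocal}" to "${iplocal}" 123 in via "${iflocal}" keep-state
fw add pass udp from "${iplocal}" 123 to "${netlocal}" out via "${iflocal}" keep-state
fw add pass tcp from "${netlocal}" to "${iplocal}" 3128 in via "${iflocal}" setup
fw add deny log tcp from any to any in via "${iflocal}" setup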