allow ip from any to any via lo0
allow log logamount 100 ip from any to any via sk0
allow log logamount 100 ip from any to any via tun0
deny ip from any to me dst-port 3306 in via sk0
deny ip from any to me dst-port 3128 in via sk0
deny ip from any to me dst-port 25 in via sk0
deny ip from any to me dst-port 110 in via sk0
allow log logamount 100 udp from any to me dst-port 2093 in via sk0
allow udp from me 2093 to any out via sk0
allow udp from me to 195.5.128.130 out via sk0
allow udp from 195.5.128.130 to me in via sk0
divert 8668 ip from any to any in via sk0
check-state
allow gre from any to any
allow log logamount 100 tcp from 10.8.0.0/24 to me dst-port 1723 via tun0
allow log logamount 100 tcp from any to me dst-port 1723 via sk0
allow log logamount 100 tcp from me 1723 to any via sk0
00206 allow ip from any to any
skipto 5000 log logamount 100 ip from any to any out via sk0 setup keep-state
skipto 5000 log logamount 100 udp from me to any dst-port 53 out via sk0 keep-state
skipto 5000 log logamount 100 udp from any to any dst-port 53 out via sk0 keep-state
deny log logamount 100 tcp from any to any dst-port 53 in via sk0
skipto 5000 tcp from any to any dst-port 25 out via sk0 setup keep-state
skipto 5000 tcp from any to any dst-port 110 out via sk0 setup keep-state
skipto 5000 tcp from any to any dst-port 143 out via sk0 setup keep-state
skipto 5000 tcp from any to any dst-port 995 out via sk0 setup keep-state
skipto 5000 tcp from any to any dst-port 80 out via sk0 setup keep-state
skipto 5000 tcp from any to any dst-port 443 out via sk0 setup keep-state
skipto 5000 tcp from any to any dst-port 2082 out via sk0 setup keep-state
skipto 5000 tcp from me to any out via sk0 setup uid root keep-state
skipto 5000 tcp from any to any dst-port 37 out via sk0 setup keep-state
skipto 5000 tcp from any to any dst-port 43 out via sk0 setup keep-state
skipto 5000 udp from any to any dst-port 123 out via sk0 keep-state
deny ip from 192.168.0.0/16 to any in via sk0
deny ip from 172.16.0.0/12 to any in via sk0
deny ip from 10.0.0.0/8 to any in via sk0
deny ip from 127.0.0.0/8 to any in via sk0
deny ip from 0.0.0.0/8 to any in via sk0
deny ip from 169.254.0.0/16 to any in via sk0
deny ip from 192.0.2.0/24 to any in via sk0
deny ip from 204.152.64.0/23 to any in via sk0
deny ip from 224.0.0.0/3 to any in via sk0
deny tcp from any to any dst-port 113 in via sk0
deny tcp from any to any dst-port 137 in via sk0
deny tcp from any to any dst-port 138 in via sk0
deny tcp from any to any dst-port 139 in via sk0
deny tcp from any to any dst-port 81 in via sk0
deny ip from any to any frag in via sk0
deny tcp from any to any established in via sk0
deny log logamount 100 ip from any to any in via sk0
deny log logamount 100 ip from any to any out via sk0
05000 0 0 divert 8668 ip from any to any out via sk0
allow ip from any to any
deny log logamount 100 ip from any to any
deny ip from any to any
I removed the rule numbers, except 5000, so they don't distract,
sk0 - the external interface,
tun0 - the OpenVPN interface,
00206 allow ip from any to any - right now everything goes through this rule, so as not to bother with what is wrong in the ipfw settings.
server:
ifconfig ng0
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1296
inet 10.9.0.1 --> 10.9.0.3 netmask 0xffffffff
client:
test - PPP адаптер:
DNS-суффикс этого подключения . . :
IP-адрес . . . . . . . . . . . . : 10.9.0.3
Маска подсети . . . . . . . . . . : 255.255.255.255
Основной шлюз . . . . . . . . . . : 10.9.0.3
What would you advise so that the client can get out to the internet and so on? At least by allowing it everything, as far as possible?
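An added example (not from the original post or any reply): a small first-match evaluator for a subset of the ipfw rule syntax above, used to trace which rule a packet hits. It assumes the rules apply in the order listed and uses a constructed 203.0.113.10 as a stand-in for the sk0 address; it shows that a packet from the PPTP client going out via sk0, and an inbound packet to port 3306, both stop at the unconditional `allow ... via sk0` rule before reaching the `divert` and `deny` rules listed after it.

```python
import ipaddress
# Constructed "me" addresses: the ng0 end from the post plus a stand-in for sk0.
ME = {"10.9.0.1", "203.0.113.10"}
# Constructed subset of the post's ruleset, in the order it is listed there.
RULESET = """allow log logamount 100 ip from any to any via sk0
deny ip from any to me dst-port 3306 in via sk0
divert 8668 ip from any to any in via sk0
check-state
00206 allow ip from any to any
05000 0 0 divert 8668 ip from any to any out via sk0
deny ip from any to any"""

def parse_rule(line):
    # Options this model ignores (setup, frag, keep-state, uid) are simply skipped.
    tok = line.split()
    while tok[0].isdigit():                      # strip rule number and counters
        tok.pop(0)
    rule = {"action": tok.pop(0), "proto": None, "dport": None, "dir": None, "via": None}
    if rule["action"] == "check-state":          # dynamic state is not modelled
        return rule
    if rule["action"] in ("divert", "skipto"):   # divert port / skipto target
        rule["arg"] = tok.pop(0)
    if tok[0] == "log":                          # "log" or "log logamount N"
        tok = tok[3:] if tok[1:2] == ["logamount"] else tok[1:]
    rule["proto"] = tok.pop(0)
    rule["src"], rule["dst"] = tok[tok.index("from") + 1], tok[tok.index("to") + 1]
    if "dst-port" in tok:
        rule["dport"] = int(tok[tok.index("dst-port") + 1])
    if "via" in tok:
        rule["via"] = tok[tok.index("via") + 1]
    rule["dir"] = "in" if "in" in tok else "out" if "out" in tok else None
    return rule

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    return (rule["proto"] is not None            # check-state never matches here
            and rule["proto"] in ("ip", pkt["proto"])
            and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])
            and rule["dport"] in (None, pkt["dport"])
            and rule["dir"] in (None, pkt["dir"])
            and rule["via"] in (None, pkt["iface"]))

def first_match(pkt, ruleset=RULESET):
    # (index, action) of the first rule that matches, which is the one ipfw applies.
    rules = [parse_rule(l) for l in ruleset.splitlines()]
    return next(((i, r["action"]) for i, r in enumerate(rules) if matches(r, pkt)), None)
```

Because the first rule already matches everything on sk0, rule 0 is returned for both the client's outbound packet and the inbound packet to port 3306, so the divert (NAT) and deny rules below it never see sk0 traffic in this subset.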