>1. read the manual - the situation is not new

What exactly should I read there? Is there information somewhere on how to start pf after obtaining an address via DHCP?

>2. show the rules

Hmm, what do you need the rules for?
Fine, here you go
#-------------------------
# Variables and Macros
#-------------------------
# interfaces
inet_if = "tun0"
ext_if = "xl0"
int_if = "em0"
# Block connections
connblk = "synproxy state ( max-src-conn-rate 5/60, overload <BRUTEFORCERS> flush global )"
icmp_types="{ echoreq, unreach }"
#-------------------------
# ip addresses
#-------------------------
extnet = "{ 10.0.0.0/8, 192.168.252.0/24 }"
lannet = "{ 192.168.0.0/24, 192.168.2.0/24 }"
ext_ip = "195.хх.хх.хх"
server = "192.168.0.1"
private_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 \
169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 224.0.0.0/4 }"
#--------------------------
# Tables
#--------------------------
table <uaix> persist file "/etc/pf/prefixes.txt"
table <BRUTEFORCERS> persist
#-------------------------
# Ports
#-------------------------
sshlhc = "52222"
sshserver = "53232"
tcp_ports = "{ smtp, pop3, ftp, ftp-data, domain, 8339, 3333 }"
udp_ports = "{ domain, smtp, ftp, ftp-data }"
#-------------------------
# Options
#-------------------------
# Default policy
set block-policy return
# Type of optimization
#set optimization normal
# State-policy
#set state-policy floating
# skip pf on lo0 interface
set skip on lo0
#timeout to tcp packets
set timeout { frag 10, tcp.established 3600 }
# Normalization for all interfaces
scrub in all
#-------------------------
# Queue & Speed Control
#-------------------------
#%A
#%Q
#--------------------------
# NAT & Redirect
#--------------------------
# Nat from local net to inet
nat on $inet_if from $lannet to any -> $ext_ip
# Nat from local net to ext_net
nat on $ext_if from $lannet to $extnet -> ($ext_if)
# Redirect ports
# For Active FTP sessions
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to ! (self) port 21 -> 127.0.0.1 port 8021
# to server ssh
rdr proto tcp from any to $ext_ip port $sshserver -> $server port ssh
# to igor
rdr proto tcp from any to $ext_ip port 44990 -> 192.168.0.8 port rdp
rdr proto tcp from any to $ext_ip port 28188 -> 192.168.0.8 port 28188
# to virtual terminal server1
rdr proto tcp from any to $ext_ip port 44991 -> 192.168.0.17 port 3389
# to virtual terminal server2
rdr proto tcp from any to $ext_ip port 44992 -> 192.168.0.9 port 3389
#--------------------------
# Filter Rules
#--------------------------
# Block all
block all
# IGMP IPTV
pass quick on { $ext_if $int_if } proto igmp allow-opts no state
pass quick proto udp from 192.168.252.0/24 to any allow-opts no state
# Antispoof
antispoof quick for { lo0, $int_if, $ext_if, $inet_if }
# Block all from inet to private networks via internet interface
block drop in quick on $inet_if from $private_nets to any
# Block all from lan with non-lan ip's
# !!!!!!!!!!!!!!!! UNCOMMENT when lhc should be in 192.168.0.0/24 network
#block drop in log quick on $int_if from !$int_if:network to any
# Block all spammers
block drop log quick from <BRUTEFORCERS>
#-----------------------
# In Connections
#-----------------------
# pass all connections from our lan to server
pass in on $int_if from $lannet to $int_if keep state
# pass tcp ports from inet
pass in proto tcp to $inet_if port $tcp_ports keep state
# pass for ssh lhc
pass in log proto tcp to $inet_if port $sshlhc $connblk
# pass udp ports from inet
pass in proto udp to $inet_if port $udp_ports keep state
# for ftp
pass in on $inet_if proto tcp from any to any port > 49151 keep state
# allow from lannet to extnet
pass in from $lannet to $extnet keep state
# allow pings from inet
pass in on $inet_if inet proto icmp from any to $inet_if icmp-type $icmp_types keep state
# block smtp connections to inet
block in quick log on $int_if proto tcp from $lannet to ! $int_if port 25
#--------------------------
# Out Connections
#--------------------------
#for lan
pass out from $int_if to $lannet keep state
#for tenet
pass out from $ext_if to $extnet keep state
#for inet
pass out from $inet_if keep state
#--------------------------
# Rules for rdr
#--------------------------
# Allow rdp to corei5
pass in log on $inet_if proto tcp from any to 192.168.0.8 port rdp keep state
# rdp to virtual server1
pass in log on $inet_if proto tcp from any to 192.168.0.17 port rdp keep state
# rdp to virtual server2
pass in log on $inet_if proto tcp from any to 192.168.0.9 port rdp keep state
# Allow ssh to 192.168.0.1
pass in log on $inet_if proto tcp from any to 192.168.0.1 port ssh $connblk
# For FTP PROXY
anchor "ftp-proxy/*"
#--------------------------
# here we give internet access to the users
#--------------------------
Actually, at startup (with pf_enable="YES") it complains that ext_if has no IP address.
Where else can I look up which flags pf can be fed? pf_flags
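Added example, not from this thread: the startup error described above (the ruleset refuses to load because an interface has no address yet) is usually caused by rules that use an interface macro as an address without parentheses, because pfctl expands `$ext_if` to the interface's addresses once at load time, while `($ext_if)` is re-resolved whenever the address changes. The script below flags such rules in a constructed excerpt in the style of the config posted above and rewrites them; it assumes (heuristic) that any macro appearing after `on` names an interface.

```python
import re

# Constructed excerpt in the style of the pf.conf posted above (sample input, not the full file).
SAMPLE_CONF = """\
ext_if = "xl0"
int_if = "em0"
lannet = "{ 192.168.0.0/24, 192.168.2.0/24 }"
nat on $ext_if from $lannet to any -> ($ext_if)
pass in on $int_if from $lannet to $int_if keep state
pass out from $ext_if to $lannet keep state
pass out on $ext_if from ($ext_if) to any keep state
"""
# An address operand of the form $macro (optionally negated) right after 'from' or 'to'.
ADDR_MACRO_RE = re.compile(r'\b(from|to)\s+(!\s*)?\$(\w+)')
MACRO_DEF_RE = re.compile(r'^\s*\w+\s*=')

def interface_macros(conf):
    """Heuristic (assumption): a macro used after 'on', alone or in braces, names an interface."""
    names = set(re.findall(r'\bon\s+\$(\w+)', conf))
    for group in re.findall(r'\bon\s+\{([^}]*)\}', conf):
        names.update(re.findall(r'\$(\w+)', group))
    return names

def load_time_interface_addrs(conf):
    """(line number, macro) for rules using an interface macro as an address without parentheses."""
    # pfctl expands such an operand to the interface's addresses once at load time,
    # and fails if the interface has none yet (e.g. DHCP not finished at boot).
    ifaces = interface_macros(conf)
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        code = line.partition('#')[0]
        if MACRO_DEF_RE.match(code):
            continue  # macro definitions are not rules
        for m in ADDR_MACRO_RE.finditer(code):
            if m.group(3) in ifaces:
                findings.append((lineno, m.group(3)))
    return findings

def parenthesize(conf):
    """Rewrite flagged operands as ($macro): pf re-resolves that form whenever the interface's
    addresses change, so the ruleset loads even before the interface has an address."""
    ifaces = interface_macros(conf)
    def repl(m):
        if m.group(3) not in ifaces:
            return m.group(0)
        return f"{m.group(1)} {'! ' if m.group(2) else ''}(${m.group(3)})"
    def fix(line):
        code, sep, comment = line.partition('#')
        if not MACRO_DEF_RE.match(code):
            code = ADDR_MACRO_RE.sub(repl, code)
        return code + sep + comment
    return "\n".join(fix(line) for line in conf.splitlines()) + "\n"
```

Running `load_time_interface_addrs(SAMPLE_CONF)` reports the two rules that would fail on an address-less interface, and `parenthesize(SAMPLE_CONF)` returns the excerpt with those operands rewritten; rules that already use `on $if` or `($if)` are left alone.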