Hello, I have the task of blocking VKontakte for all users. The gateway runs FreeBSD. No matter how I tweak the pf config, VK keeps working like clockwork. Here is the config:

if_int = fxp0
if_ext = rl0
social_nets = "{vkontakte.ru, vk.com}"
scrub in all fragment reassemble min-ttl 20 max-mss 1440
scrub in all no-df
scrub all reassemble tcp
rdr pass on $if_ext proto tcp from any to ($if_ext) port 33990 -> 192.168.1.123 port 3389
rdr pass on $if_ext proto tcp from any to ($if_ext) port 33991 -> 192.168.1.214 port 3389
rdr pass on $if_ext proto tcp from any to ($if_ext) port 33890 -> 192.168.1.146 port 3389
rdr pass on $if_ext proto tcp from any to ($if_ext) port 43990 -> 192.168.1.123 port 4899
rdr pass on $if_int proto tcp from any to 212.113.121.5 port 110 -> 192.168.0.2 port 110
dns0 = 217.170.64.5
dns1 = 217.170.67.5
pop0 = 212.113.121.5
smtp0 = 81.9.33.32
ftp0 = 212.113.114.3
bank = 81.3.141.34
bank1 = 81.3.141.38
buh = 89.249.20.50
memebot = 69.60.123.180
dvesite0 = 88.201.201.136
dvesite1 = 88.212.196.88
consultant1 = 81.177.13.194
consultant2 = 212.5.88.13
ku_pp_ru1 = 216.98.141.250
ku_pp_ru2 = 66.197.160.197
table <unlim_ext> {$dns0,$dns1,$pop0,$smtp0,$ftp0,$bank,$bank1,$buh,$memebot,$dvesite0,$dvesite1,$consultant1,$consultant2,$ku_pp_ru1,$ku_pp_ru2}
lta = 192.168.11.33
srv = 192.168.1.123
igor = 192.168.1.112
michael = 192.168.1.100
table <DOMAIN_USERS> {}
nat on $if_ext from <DOMAIN_USERS> to <unlim_ext> -> ($if_ext)
table <unlim_local> { $srv,$lta,$igor,$michael }
nat on $if_ext inet proto icmp from $if_int:network to any -> ($if_ext)
nat on $if_ext from <unlim_local> to any -> ($if_ext)
nat on $if_ext from 10.0.0.0/24 to any -> ($if_ext)
nat on $if_ext from $if_int:network to <unlim_ext> -> ($if_ext)
nat on $if_ext from $if_int:network to any -> ($if_ext)
pass quick from <unlim_local> to any keep state
pass quick from any to <unlim_local> keep state
pass quick from 10.0.0.0/24 to any keep state
pass quick from any to 10.0.0.0/24 keep state
pass quick from $if_ext:network to <unlim_ext> keep state
pass quick from <unlim_ext> to $if_ext:network keep state
pass quick from $if_ext:network to any keep state
pass quick from any to $if_ext:network keep state
block all
block in on $if_int proto tcp from "192.168.0.0/16" to $social_nets  # this is how I am trying to block VK
block in log quick from any os NMAP
block in log quick proto tcp from any flags SF/SFRA
block in log quick proto tcp from any flags FPU/SFRAUP
block in log quick proto tcp from any flags F/SFRA
block in log quick proto tcp from any flags U/SFRAU
block in log quick proto tcp from any flags P/P
block in quick on $if_ext from { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 20.20.20.0/24 }
block out quick on $if_ext from { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 20.20.20.0/24 }
pass in quick on lo keep state
pass out quick on lo keep state
pass in on $if_int from any to any keep state
pass out on $if_int from any to any keep state
block on $if_int from 192.168.1.91 to any
block on $if_int from any to 192.168.1.91
block out on $if_int from 192.168.0.123 to any
pass in log on $if_ext inet proto icmp icmp-type echoreq
pass in on $if_ext inet proto icmp icmp-type echorep
pass in on $if_ext proto udp from 78.36.0.0/16 to $if_ext:network keep state
tcp_services_ext = "{ ssh, ftp, ftp-data, smtp, pop3, www, 1723, 7000 }"
pass in on $if_ext proto tcp from any to $if_ext:network port $tcp_services_ext flags S/SA keep state
pass in on $if_ext proto tcp from any to $if_ext:network port > 49151 flags S/SA keep state
pass out on $if_ext from any to any keep state
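An added illustration of the pf rule-ordering pitfall, not the poster's configuration: pf evaluates the ruleset top to bottom and the last matching rule wins unless a rule carries `quick`, so a `block` placed above a later catch-all `pass in on $if_int from any to any` is overridden by that pass. Interface name and network are assumed placeholders.

```pf
# Added example, not the original config. Shows why a block rule must either
# come AFTER the pass rules it should override, or carry "quick" so that
# evaluation stops at it.
if_int = "fxp0"
social_nets = "{ vkontakte.ru, vk.com }"

# Hostnames in a rule are resolved to addresses once, when the ruleset is
# loaded; addresses the names resolve to later are not covered until reload.
# "quick" ends evaluation for matching packets, so the catch-all below
# cannot become the last (winning) match for them.
block return in quick on $if_int proto tcp from $if_int:network to $social_nets

# Without "quick" on the block above, this later rule would be the last
# match for the same packets and the block would never take effect.
pass in on $if_int from any to any keep state
pass out on $if_int from any to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` after loading shows the rules with the addresses the hostnames resolved to.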