> покажите правила ipfw, настройки nat и часть rc.conf связную с ipfw и
> nat /etc/list.ipfw:
FwCMD="/sbin/ipfw -q "
if_ppp="tun0" #Интерфейс создаваемый подключением PPPoE
if_lan="re0" #Интерфейс смотрящий в лок сеть
IpOut="81.18.81.18" #Внешний стат адресс
IpIn="192.168.1.222" #Адресс фри
ip_lan="192.168.1.0/24"
${FwCMD} -f flush
# For me
${FwCMD} add check-state
${FwCMD} add allow ip from me to any keep-state via ${if_ppp}
${FwCMD} add allow ip from me to any keep-state via ${if_lan}
${FwCMD} add allow ip from me to any
${FwCMD} add allow all from any to any via lo0
${FwCMD} add deny all from any to 127.0.0.0/8
${FwCMD} add deny all from 127.0.0.0/8 to any
#deny hacker
${FwCMD} add drop ip from any to 58.65.234.17
${FwCMD} add drop ip from 58.65.234.17 to any
${FwCMD} add drop ip from any to 69.50.160.212
${FwCMD} add drop ip from 69.50.160.212 to any
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${if_ppp}
${FwCMD} add deny ip from 10.0.0.0/8 to any out via ${if_ppp}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${if_ppp}
${FwCMD} add deny ip from 172.16.0.0/12 to any out via ${if_ppp}
${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${if_ppp}
${FwCMD} add deny ip from 192.168.0.0/16 to any out via ${if_ppp}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${if_ppp}
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ${if_ppp}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${if_ppp}
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ${if_ppp}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${if_ppp}
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ${if_ppp}
${FwCMD} add deny ip from any to 224.0.0.0/4 in via ${if_ppp}
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ${if_ppp}
# ssh
${FwCMD} add allow ip from any to me 22 via ${if_ppp}
# deny icmp
${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${if_ppp}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${if_ppp}
# NAT
${FwCMD} nat 1 config log if ${if_ppp} reset same_ports deny_in redirect_port tcp 192.168.1.20:80 80 redirect_port tcp 192.168.1.102:3389 3389
${FwCMD} add nat 1 ip from any to any via ${if_ppp}
В данный момент использую NAT ядерный, поэтому ядро пересобрано с такими опциями:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_NAT
options IPFIREWALL_FORWARD
options DUMMYNET
options LIBALIAS
options ROUTETABLES=2
options HZ="1000"
/etc/rc.conf:
## Net Settings ##
gateway_enable="YES"
hostname="proxy.domain.ru"
ifconfig_re0="inet 192.168.1.222 netmask 255.255.255.0"
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="bwc"
firewall_enable="YES"
firewall_script="/etc/list.ipfw"
firewall_logging="YES"
tcp_extensions="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"