У меня в архиве валялось # Включить трансляцию адресов на внешних интерфейсах.#
#nat on $ext_if_a inet from !(self) -> $ext_if_a
#nat on $ext_if_b inet from !(self) -> $ext_if_b
nat on $ext_if_a inet from !(self) tag TR !tagged TR -> $ext_if_a
nat on $ext_if_b inet from !(self) tag TR !tagged TR -> $ext_if_b
# FTP-PROXY
#no rdr on lo0 from any to any
rdr proto tcp from { $int_if:network, 192.168.4.0/24 } to !(self) port ftp -> lo0 port 8021
#rdr pass on $int_if proto tcp from 192.168.0.129 to any port {ftp} -> 192.168.0.4 port 2121
#HTTP всех на переадресовываем на Squid
#rdr pass on $int_if proto tcp from any to any port http -> $int_if port 3128
rdr on $int_if proto tcp from any to !<nosquid-list> port http -> $int_if port 3128
rdr on $int_if proto tcp from !<white-list> to any port $ext_proxy -> $int_if port 3128
#rdr pass on $int_if proto tcp from !<nosquid-list> to any port http -> $int_if port http
#rdr on $int_if proto tcp from any to any port $ext_proxy -> $int_if port 3128
# Переадресовать TCP сессии для сервисов, обслуживаемых локальным сервером.
# Правила rdr здесь НЕ должны содержать слова pass.
rdr on $ext_if_a inet proto tcp to $ext_if_a port { $int_server2_port } tag EXT_IF_A -> $int_server2
rdr on $ext_if_b inet proto tcp to $ext_if_b port { $int_server2_port } tag EXT_IF_B -> $int_server2
rdr on $ext_if_a inet proto tcp to $ext_if_a port { $ftp2ports } tag EXT_IF_A -> $ftp_lan_server
rdr on $ext_if_b inet proto tcp to $ext_if_b port { $ftp2ports } tag EXT_IF_B -> $ftp_lan_server
rdr on $ext_if_a inet proto tcp to $ext_if_a port { $ftp_ext_ports } tag EXT_IF_A -> $ftp_lan_server
rdr on $ext_if_b inet proto tcp to $ext_if_b port { $ftp_ext_ports } tag EXT_IF_B -> $ftp_lan_server
rdr on $ext_if_a inet proto tcp to $ext_if_a port { $videoports } tag EXT_IF_A -> $video_lan_server
rdr on $ext_if_b inet proto tcp to $ext_if_b port { $videoports } tag EXT_IF_B -> $video_lan_server
rdr on $ext_if_a inet proto tcp to $ext_if_a port { ssh } tag EXT_IF_A -> lo0 port ssh
rdr on $ext_if_b inet proto tcp to $ext_if_b port { ssh } tag EXT_IF_B -> lo0 port ssh
#rdr on $ext_if_b inet proto tcp to $ext_if_b port { ssh } tag EXT_IF_B -> lo0 port ssh
## SMTP-SPAM
##rdr on $ext_if_a inet proto tcp to $ext_if_a port { smtp } tag EXT_IF_A -> lo0 port smtp
rdr on $ext_if_a inet proto tcp from <spamd-whitelist> to $ext_if_a port { smtp } tag EXT_IF_A -> $ext_if_a port smtp
rdr on $ext_if_a inet proto tcp from <spamd> to $ext_if_a port { smtp } tag EXT_IF_A -> $ext_if_a port spamd
rdr on $ext_if_a inet proto tcp from !<spamd-white> to $ext_if_a port { smtp } tag EXT_IF_A -> $ext_if_a port spamd
rdr on $ext_if_a inet proto tcp from <spamd-white> to $ext_if_a port { smtp } tag EXT_IF_A -> $ext_if_a port smtp
#rdr on $ext_if_b inet proto tcp to $ext_if_b port { smtp } tag EXT_IF_B -> lo0 port smtp
rdr on $ext_if_b inet proto tcp from <spamd-whitelist> to $ext_if_b port { smtp } tag EXT_IF_B -> $ext_if_b port smtp
rdr on $ext_if_b inet proto tcp from <spamd> to $ext_if_b port { smtp } tag EXT_IF_B -> $ext_if_b port spamd
rdr on $ext_if_b inet proto tcp from !<spamd-white> to $ext_if_b port { smtp } tag EXT_IF_B -> $ext_if_b port spamd
rdr on $ext_if_b inet proto tcp from <spamd-white> to $ext_if_b port { smtp } tag EXT_IF_B -> $ext_if_b port smtp
# Разрешить подключение к переадресованным сервисам из локальной сети по
# внешним адресам.
#
rdr pass on $int_if inet proto tcp to { $ext_if_a $ext_if_b } port { $int_server2_port } tag INT_IF_RDR -> $int_server2
rdr pass on $int_if inet proto tcp to { $int_if $ext_if_a $ext_if_b } port { $ftp2ports } tag INT_IF_RDR -> $ftp_lan_server
rdr pass on $int_if inet proto tcp to { $int_if $ext_if_a $ext_if_b } port { $ftp_ext_ports } tag INT_IF_RDR -> $ftp_lan_server
rdr pass on $int_if inet proto tcp to { $int_if $ext_if_a $ext_if_b } port { $videoports } tag INT_IF_RDR -> $video_lan_server
nat on $int_if tagged INT_IF_RDR -> $int_if:0
# Перенаправляем определенные tcp по определенному каналу
#nat on $ext_if_b inet proto tcp from $ext_if_b to port 25 -> $ext_if_a
#nat on !$int_if inet proto {tcp udp } to port 53 tag TRANSFER !tagged TRANSFER -> {($ext_if_a),($ext_if_b)}
#nat on !$int_if inet proto tcp to port http tag TRANSFER !tagged TRANSFER -> { ($ext_if_a:0) , ($ext_if_b:0) }
# По умолчанию блокировать весь трафик на всех интерфейсах. Для входящих TCP
# соединений возвращать RST.
block log on { $ext_if_a $ext_if_b $int_if}
block return log on { $ext_if_a $ext_if_b $int_if} inet proto tcp
# Blok by rfc1918
block in quick on { $ext_if_a $ext_if_b } from <rfc1918> to any
# Blok by white-list and block-list
block in quick on $int_if from !<white-list> to <block-list>
#teamviever
block in quick on $int_if inet proto {tcp udp} from any to any port 5938
# pass traffic on the loopback interface in either direction
pass in on lo0 all
#pass quick on lo0 all
pass out on lo0 all
## pass all outgoing packets on internal interface
#pass out on $int_if from any to $int_if:network
## pass in quick any packets destined for the gateway itself
#pass in quick on $int_if from $int_if:network to $int_if
#Разрешить доступ через лок интерфейс к терминал серверу
pass out quick on $int_if inet proto tcp from any to $int_server1 port {$int_server1_port} keep state queue iif_sound
pass out quick on $int_if inet proto tcp from any to $int_server2 port {$int_server2_port} keep state queue iif_sound
pass out quick on { $int_if } inet proto tcp from any to { $ftp_lan_server } port { $ftp2ports } keep state queue iif_sound
pass out quick on { $int_if } inet proto tcp from any to { $ftp_lan_server } port { $ftp_ext_ports } keep state queue iif_sound
pass out quick on { $int_if } inet proto tcp from any to { $video_lan_server } port { $videoports } keep state queue iif_sound
# Пропускаем входящие пакеты для переадресованых сервисов. Устанавливаем
# для них симметричную маршрутизацию (если пакет пришел
# из канала A, ответ пойдет через канал A независимо от default route)
pass in quick reply-to ($ext_if_a $ext_gw_a) tagged EXT_IF_A keep state
pass in quick reply-to ($ext_if_b $ext_gw_b) tagged EXT_IF_B keep state
#pass in reply-to ($ext_if_a $ext_gw_a) tagged EXT_IF_A keep state
#pass in reply-to ($ext_if_b $ext_gw_b) tagged EXT_IF_B keep state
# Выпускать исходящие пакеты. Установить маршрутизацию в зависимости от
# адреса источника. Пакеты с адресом интерфейса A уходят в канал A,
# с адресом интерфейса B - в канал B.
pass out route-to ( $ext_if_a $ext_gw_a ) inet from $ext_if_a keep state
pass out log route-to ( $ext_if_a $ext_gw_a ) inet proto tcp from $ext_if_a to port {smtp} keep state queue eif_a_smtp
pass out route-to ( $ext_if_a $ext_gw_a ) inet proto udp from $ext_if_a to port {$1ext_ext_serv_udp} keep state queue eif_a_sound
pass out route-to ( $ext_if_a $ext_gw_a ) inet proto tcp from $ext_if_a to port {$1ext_ext_serv} keep state queue eif_a_sound
pass out route-to ( $ext_if_a $ext_gw_a ) inet proto tcp from $ext_if_a to port {$2ext_ext_serv} keep state queue eif_a_ftp
pass out route-to ( $ext_if_a $ext_gw_a ) inet proto tcp from $ext_if_a to port {$3ext_ext_serv} keep state queue eif_a_http
pass out route-to ( $ext_if_b $ext_gw_b ) inet from $ext_if_b keep state
pass out log route-to ( $ext_if_b $ext_gw_b ) inet proto tcp from $ext_if_b to port {smtp} keep state queue eif_b_smtp
pass out route-to ( $ext_if_b $ext_gw_b ) inet proto udp from $ext_if_b to port {$1ext_ext_serv_udp} keep state queue eif_b_sound
pass out route-to ( $ext_if_b $ext_gw_b ) inet proto tcp from $ext_if_b to port {$1ext_ext_serv} keep state queue eif_b_sound
pass out route-to ( $ext_if_b $ext_gw_b ) inet proto tcp from $ext_if_b to port {$2ext_ext_serv} keep state queue eif_b_ftp
pass out route-to ( $ext_if_b $ext_gw_b ) inet proto tcp from $ext_if_b to port {$3ext_ext_serv} keep state queue eif_b_http
# Разрешить входящие ICMP PING пакеты.#
pass in on $ext_if_a reply-to ($ext_if_a $ext_gw_a) inet proto icmp to $ext_if_a icmp-type echoreq code 0 keep state queue eif_a_sound
pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto icmp to $ext_if_b icmp-type echoreq code 0 keep state queue eif_b_sound
# Разрешить входящие TCP сессии для обслуживаемых сервисов.#
#pass in on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet to $ext_if_a
pass in on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet proto udp to $ext_if_a port { $1ext_int_serv_udp } queue eif_a_sound
pass in log on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet proto tcp to $ext_if_a port smtp keep state queue eif_a_smtp
pass in on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet proto tcp to $ext_if_a port { $1ext_int_serv } flags S/SA keep state queue eif_a_sound
pass in on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet proto tcp to $ext_if_a port { $2ext_int_serv } flags S/SA keep state queue eif_a_ftp
pass in on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet proto tcp to $ext_if_a port { $3ext_int_serv } flags S/SA keep state queue eif_a_http
#pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet to $ext_if_b
pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto udp to $ext_if_b port { $1ext_int_serv_udp } keep state queue eif_b_sound
pass in log on $ext_if_b reply-to ( $ext_if_b $ext_gw_b) inet proto tcp to $ext_if_b port smtp keep state queue eif_b_smtp
pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto tcp to $ext_if_b port { $1ext_int_serv } flags S/SA keep state queue eif_b_sound
pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto tcp to $ext_if_b port { $2ext_int_serv } flags S/SA keep state queue eif_b_ftp
pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto tcp to $ext_if_b port { $3ext_int_serv } flags S/SA keep state queue eif_b_http
#pass in on $ext_if_a reply-to ($ext_if_a $ext_gw_a) inet proto tcp from any to $ext_if_a user proxy keep state
#pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto tcp from any to $ext_if_b user proxy keep state
#block in quick on $int_if inet proto tcp from <block-list-in> to any port {3128 80 8080 8081}
#Разрешить в локалку пакеты от внутреннего интерфейса, из локальных сетей
# туннелей
pass out on $int_if inet from { $int_if:0, 192.168.3.0/24, 192.168.4.0/24 } to $int_if:network:0 keep state
pass out on $int_if inet proto tcp from { $int_if:0 } port { $1int_int_serv } to $int_if:network:0 keep state queue iif_sound
pass out on $int_if inet proto tcp from { $int_if:0 } port { $2int_int_serv } to $int_if:network:0 keep state queue iif_ftp
pass out on $int_if inet proto tcp from { $int_if:0 } port { $3int_int_serv } to $int_if:network:0 keep state queue iif_http
#Разрешить из локалки пакеты на внутренний интерфейс, в локальные сети
# туннелей
pass in on $int_if inet from $int_if:network:0 to { 192.168.3.0/24, 192.168.4.0/24 } keep state
pass in on $int_if inet proto udp from $int_if:network:0 to self port { $1int_int_serv_udp } keep state queue iif_sound
pass in on $int_if inet proto tcp from $int_if:network:0 to self port { $1int_int_serv } keep state queue iif_sound
pass in on $int_if inet proto tcp from !<block-list-in> to self port { $2int_int_serv } keep state queue iif_ftp
pass in on $int_if inet proto tcp from !<block-list-in> to self port { $3int_int_serv } keep state queue iif_http
#Разрешить из локалки пинг
pass in on $int_if inet proto icmp from $int_if:network:0 to any icmp-type echoreq code 0 keep state
#Разрешить из локалки ext_ext_serv
pass in on $int_if inet from !<block-list-in> to !(self) keep state
pass in on $int_if inet proto udp from !<block-list-in> to !(self) port { $1ext_ext_serv_udp } keep state queue iif_sound
pass in on $int_if inet proto tcp from !<block-list-in> to !(self) port { $1ext_ext_serv } flags S/SA keep state queue iif_sound
pass in on $int_if inet proto tcp from !<block-list-in> to !(self) port { $2ext_ext_serv } flags S/SA keep state queue iif_ftp
pass in on $int_if inet proto tcp from !<block-list-in> to !(self) port { $3ext_ext_serv } flags S/SA keep state queue iif_http
#Разрешить из локалки int_int_serv
pass in on $int_if inet from any to $int_if keep state
pass in on $int_if inet proto udp from $int_if:network:0 to self port { $1int_int_serv_udp } keep state
pass in on $int_if inet proto tcp from $int_if:network:0 to self port { $1int_int_serv } flags S/SA keep state
pass in on $int_if inet proto tcp from $int_if:network:0 to self port { $2int_int_serv } flags S/SA keep state
pass in on $int_if inet proto tcp from $int_if:network:0 to self port { $3int_int_serv } flags S/SA keep state
Вариант для распечатки
on 15-Июн-12, 09:41 
