Сразу прошу не посылать куда подальше, т.к. обратиться не к кому. Ситуация такая: пришёл на фирму, тут шлюз на FreeBSD (я в этом полный новичок). У некоторых IP — полный доступ в инет, у других — только mail.ru и аська. Ниже мой конфиг, прошу объяснить построчно, что делает каждый параметр. И дайте, пожалуйста, образец, как определённому IP открыть полный доступ в инет по всем портам.
ExtIf = "nfe0"
# pf.conf for a FreeBSD gateway. pf evaluates filter rules top to bottom: the
# LAST matching rule wins, unless a rule carries "quick", in which case
# evaluation stops at that rule. Translation rules (nat/rdr) are applied before
# the filter rules, so the filter rules see already-translated addresses.
#
# Macros: $ExtIf (defined just above) is the Internet-facing interface,
# $IntIf the LAN interface, $IntNet the LAN prefix, $ExtAddr the public address.
IntIf = "rl0"
IntNet = "192.168.1.0/24"
ExtAddr = "213.171.1.78"
# Non-routable / bogon prefixes used by the block rules further down.
# NOTE(review): as posted this macro is cut off after "20.20.20.0/" and the
# closing `}"` is missing, so the file cannot load in this form; the real line
# presumably continues and was truncated when pasted.
NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24,
204.152.64.0/23, 224.0.0.0/3, 20.20.20.0/
# Normalise (defragment, sanity-check) every packet arriving on the public interface.
scrub in on $ExtIf all
# Transparent proxy: LAN connections to any host on port 80 or 3128 are redirected
# to a proxy listening on the gateway itself at 127.0.0.1:3128.
rdr on $IntIf proto tcp from $IntNet port > 1023 to any port { 80, 3128 } ->127.0.0.1 port 3128
# (disabled) full NAT for one host.
#nat on $ExtIf from { 192.168.1.38 } to any -> $ExtAddr
# Intended to exempt proxied web traffic from translation.
# NOTE(review): the nat rules below are bound to $ExtIf while this exception is
# bound to $IntIf, so it is not obvious that it ever matches -- check with
# `pfctl -sn` on the running system.
no nat on $IntIf proto tcp from $IntNet to any port { 80, 3128 }
# Full NAT (all protocols, all ports) for the listed hosts -- presumably these are
# the machines that currently have unrestricted Internet access. To give another
# LAN host full access, add its address to this list and reload the ruleset
# (`pfctl -f /etc/pf.conf`).
nat on $ExtIf from { 192.168.1.4 , 192.168.1.78 , 192.168.1.233 } to any -> $ExtAddr
# Every LAN host may send ICMP (ping) to the Internet.
nat on $ExtIf proto icmp from $IntNet to any -> $ExtAddr
# One LAN host may reach two TCP ports on one specific external host.
nat on $ExtIf proto tcp from 192.168.1.250 to 195.239.107.10 port { 4899, 60049 } -> $ExtAddr
# Whole LAN may use FTP control (21), HTTPS (443) and mail (25, 110, 995, 465).
nat on $ExtIf proto tcp from $IntNet to any port { 21, 443, 25, 110, 995, 465 } -> $ExtAddr
# Per-host NAT for TCP port 5190 (the classic ICQ/AIM port).
nat on $ExtIf proto tcp from { 192.168.1.78 } to any port 5190 -> $ExtAddr
nat on $ExtIf proto tcp from { 192.168.1.183 } to any port 5190 -> $ExtAddr
# (disabled) an older full-NAT host list.
# NOTE(review): the commented rule wraps onto the next line, which is NOT
# commented; as posted that line would be a syntax error. In the real file it
# is presumably a single line.
#nat on $ExtIf from { 192.168.1.250, 192.168.1.240, 192.168.1.80, 192.168.1.4, 192.168.1.37, 192.168.1.78,
192.168.1.77, 192.168.1.213, 192.168.1.233 } to
# Port 5190 NAT for a third host.
nat on $ExtIf proto tcp from 192.168.1.240 to any port 5190 -> $ExtAddr
# Inbound port forwards: public port 3389 (the usual RDP port) goes to
# 192.168.1.250, and the range 60000-61000 goes to 192.168.1.4 on the same ports.
rdr on $ExtIf proto tcp from any to $ExtAddr port 3389 -> 192.168.1.250 port 3389
rdr on $ExtIf proto tcp from any to $ExtAddr port 60000:61000 -> 192.168.1.4
# ---------------- filter rules ----------------
# NOTE(review): these two rules match every packet in both directions and carry
# "quick", so evaluation stops here and nothing below this point is ever
# consulted -- the antispoof, bogon, TCP-flag, ICMP and ssh rules are all dead.
# In this state the only thing limiting LAN hosts is which nat rules above match
# them: a host without a matching nat rule sends packets with a private source
# address and gets no replies. Commenting these two lines out would activate the
# rest of the ruleset; test such a change from the console, not over ssh.
pass in quick all
pass out quick all
# Default policy. No "quick", so these only take effect when no later rule
# matches (pf uses the last matching rule).
block in all
block out all
# Drop packets arriving on the public interface whose source address belongs to
# one of the gateway's own networks (spoofed).
antispoof quick for $ExtIf
# Drop and log traffic from or to the non-routable prefixes on the public interface.
block in log quick on $ExtIf from $NoRouteIPs to any
block out log quick on $ExtIf from any to $NoRouteIPs
# Drop TCP packets to the public address carrying flag combinations that no
# normal connection produces (typical of OS-fingerprinting and stealth scans).
# Syntax: flags <set>/<mask> -- of the flags in <mask>, exactly <set> must be on.
#passive OS detect
block in quick proto tcp from any to $ExtAddr flags SF/SFRA
#block in quick proto tcp from any to $ExtAddr flags SFUP/SFRAU
block in quick proto tcp from any to $ExtAddr flags FPU/SFRAUP
block in quick proto tcp from any to $ExtAddr flags F/SFRA
block in quick proto tcp from any to $ExtAddr flags U/SFRAU
block in quick proto tcp from any to $ExtAddr flags P/P
##### ICMP TRAFFIC
# Allow ping (echo request / echo reply) to and from the public address only;
# every other ICMP packet on the public interface is dropped and logged.
pass in quick on $ExtIf proto icmp from any to $ExtAddr icmp-type echoreq
pass in quick on $ExtIf proto icmp from any to $ExtAddr icmp-type echorep
pass out quick on $ExtIf proto icmp from $ExtAddr to any icmp-type echoreq
pass out quick on $ExtIf proto icmp from $ExtAddr to any icmp-type echorep
block in log quick on $ExtIf proto icmp from any to any
block out log quick on $ExtIf proto icmp from any to any
# Loopback and the gif0 tunnel interface are fully trusted.
pass quick on lo0 all
pass quick on gif0 all
# NOTE(review): packets with source 127.0.0.1 on the external interface should
# not normally occur; it is unclear from this file what the rule is for -- verify.
pass quick on $ExtIf from 127.0.0.1 to any keep state
# ssh from the Internet: only 1 in 5 new connections is admitted
# (probability 20%); the rest fall through to the logging block rule below.
pass in quick on $ExtIf proto tcp from any to $ExtAddr port = 22 keep state probability 20%
# From the LAN, only 192.168.1.78 may ssh to 192.168.1.2.
pass in quick on $IntIf proto tcp from 192.168.1.78 to 192.168.1.2 port = 22 keep state
block in log quick on $ExtIf proto tcp from any to any port = 22
# Reject (with RST, "return") new ssh connections (SYN without ACK, S/SA) to
# 192.168.1.2 from the rest of the LAN.
# NOTE(review): "!" inside a {} list is not a set difference -- pf expands the
# list into one rule per element, i.e. "from $IntNet" and "from ! 192.168.1.78";
# .78 is only spared because the quick pass rule for it above matches first.
block return in quick on $IntIf proto tcp from { $IntNet, ! 192.168.1.78 } to 192.168.1.2 port 22 flags S/SA
# Inbound services on the public address: TCP 1241, TCP+UDP 3784, TCP 3389.
# Because the rdr above rewrites the destination before filtering, a forwarded
# 3389 packet already has destination 192.168.1.250 here, so the rule naming
# that host is the one expected to admit it.
pass in quick on $ExtIf proto tcp from any to $ExtAddr port = 1241 keep state
pass in quick on $ExtIf proto { tcp, udp } from any to $ExtAddr port = 3784 keep state
pass in quick on $ExtIf proto tcp from any to $ExtAddr port 3389 keep state
pass in quick on $ExtIf proto { tcp, udp } from any to 192.168.1.250 port { 3389, 3784 } keep state
# Unrestricted traffic in both directions with one specific external host.
pass out quick on $ExtIf from any to 195.239.107.10 keep state
pass in quick on $ExtIf from 195.239.107.10 to any keep state
# Outbound from the public address (which, after nat, is also what translated
# LAN traffic carries as source); the LAN may send anything to the gateway;
# anything may go out to the LAN. "keep state" lets the replies back in.
pass out quick on $ExtIf from $ExtAddr to any keep state
pass in quick on $IntIf from $IntNet to any keep state
pass out quick on $IntIf from any to $IntNet
# Whatever is left: log and drop new TCP connections (SYN only) and all UDP
# aimed at the public address.
block in log quick on $ExtIf proto tcp from any to $ExtAddr flags S/SAFRP
block in log quick on $ExtIf proto udp from any to $ExtAddr