ОС - OpenBSD 4.4. Инет симметричный 2 мегабитный Ethernet канал.int_if = "nfe0"
ext_if = "xl0"
kurkov = "192.168.9.67"
gorohov = "192.168.9.115"
basuev = "192.168.9.125"
podobin = "192.168.9.100"
table <it> { $kurkov $gorohov $basuev $podobin }
table <lan> { 192.168.2.0/24 192.168.3.0/24 192.168.9.0/24 192.168.17.0/24 }
set skip on lo
set optimization aggressive
set block-policy return
set loginterface $ext_if
set fingerprints "/etc/pf.os"
scrub in all
altq on $int_if hfsc bandwidth 98Mb queue { def_q, inet_q }
queue def_q bandwidth 96Mb priority 7 qlimit 500 hfsc(realtime 70Mb default)
queue inet_q bandwidth 2Mb qlimit 500 { pc_kurkov, pc_gorohov, pc_basuev, pc_podobin, www_squid, games }
queue pc_kurkov bandwidth 19% priority 2 qlimit 500 hfsc(realtime 19% upperlimit 95%)
queue pc_gorohov bandwidth 19% priority 2 qlimit 500 hfsc(realtime 19% upperlimit 95%)
queue pc_basuev bandwidth 19% priority 2 qlimit 500 hfsc(realtime 19% upperlimit 95%)
queue pc_podobin bandwidth 19% priority 2 qlimit 500 hfsc(realtime 19% upperlimit 95%)
queue www_squid bandwidth 19% priority 5 qlimit 500 hfsc(realtime 19% upperlimit 95%)
queue games bandwidth 5% priority 6 qlimit 500 hfsc(realtime 5%)
rdr pass on $ext_if proto {tcp udp} from any to $ext_if port 38514 -> $kurkov
rdr pass on $ext_if proto {tcp udp} from any to $ext_if port 21590 -> $basuev
rdr pass on $ext_if proto {tcp udp} from any to $ext_if port 41751 -> $gorohov
rdr pass on $ext_if proto tcp from any to $ext_if port 8082 -> $gorohov
rdr pass on $ext_if proto tcp from any to $ext_if port 8083 -> $basuev
rdr pass on $ext_if proto tcp from mt-team.homeip.net to $ext_if port 8090 -> $kurkov
rdr pass on $ext_if proto tcp from mt-team.homeip.net to $ext_if port www -> 127.0.0.1
rdr pass on $ext_if proto tcp from mt-team.homeip.net to $ext_if port ssh -> 127.0.0.1
nat on $ext_if from { <it> 192.168.9.3 } to !<lan> -> ($ext_if)
block in all
pass on $int_if
pass out on $ext_if
pass in quick on $int_if inet proto tcp from $kurkov to $int_if port ssh no state
pass out quick on $int_if inet proto tcp from $int_if port ssh to $kurkov no state
pass in quick on $int_if inet proto tcp from <lan> to $int_if port 3128 no state
pass out quick on $int_if inet proto tcp from $int_if port 3128 to <lan> no state queue www_squid
pass in quick on $int_if inet proto tcp from <lan> to $int_if port www no state
pass out quick on $int_if inet proto tcp from $int_if port www to <lan> no state
pass in quick on $int_if inet proto udp from <it> to !<lan> port { 27950 27952 } no state
pass out quick on $int_if inet proto udp from !<lan> port { 27950 27952 } to <it> no state queue games
pass in on $int_if inet from $kurkov to !<lan> no state
pass in on $int_if inet from $gorohov to !<lan> no state
pass in on $int_if inet from $basuev to !<lan> no state
pass in on $int_if inet from $podobin to !<lan> no state
pass in on $int_if inet from 192.168.9.3 to !<lan> no state
pass out on $int_if inet from !<lan> to $kurkov no state queue pc_kurkov
pass out on $int_if inet from !<lan> to $gorohov no state queue pc_gorohov
pass out on $int_if inet from !<lan> to $basuev no state queue pc_basuev
pass out on $int_if inet from !<lan> to $podobin no state queue pc_podobin
pass out on $int_if inet from !<lan> to 192.168.9.3 no state queue www_squid
Всё работает, но чувствую одним местом что что-то не так, что-то можно ещё подправить. Очень нужна Ваша помошь.
Вариант для распечатки
Информационная безопасность (Firewall и пакетные фильтры / OpenBSD)
(ok) on 05-Янв-10, 21:50 
