Перекроил файлик с правилами фаервола (проверьте на ошибки пожалуйста)ipfw flush
ipfw add 100 check-state
#Закрыл обращения с внешнего интерфейса на ло0
ipfw add 101 deny ip from any to 127.0.0.0/8 via rl0
#Переслал на сквид все что пришло от моих юзеров
ipfw add 150 fwd 192.168.0.2,3128 ip from 192.168.0.0/24 to any dst-port 80
#ipfw add 510 divert natd ip from 192.168.0.0/24 to any out via rl0
# Запрет X-сканирования:
add 151 reject log tcp from any to any tcpflags fin, syn, rst, psh, ack, urg via rl0
# Запрет N-сканирования:
add 152 reject log tcp from any to any tcpflags !fin, !syn, !rst, !psh, !ack, !urg via rl0
# Запрет FIN-сканирования:
add 153 reject log tcp from any to any not established tcpflags fin via rl0
# Защита от спуфинга
add 154 deny log ip from any to any not verrevpath in
# Ограничение числа одновременных соединений:
add 155 allow ip from any to any setup limit src-addr 10 via rl0
#Запрет на все исмп кроме пинга
#echo reply (0), destination unreachable (3), source quench (4), redirect (5), echo request (8), router adver-tisement (9),
#router solicitation(10), time-to-live exceeded (11), IP header bad (12), timestamp request (13), timestamp reply (14),
#information request (15), information reply (16), address mask request (17) and address mask reply (18).
ipfw add 200 deny icmp from any to me icmptype 5,9,13,14,15,16,17 via rl0
#Сброс пакетов содержащих все флаги или не содержащие флагов
ipfw add number reject tcp from any to any tcpflags fin, syn, rst, psh, ack, urg via rl0
ipfw add number reject tcp from any to any tcpflags !fin, !syn, !rst, !psh, !ack, !urg via rl0
#Сброс подменных айпишников что пришли не оттуда
ipfw add 208 deny ip from any to any not verrevpath in
ipfw add 209 deny log logamount 10 ip from any to any not verrevpath in
#Запрет стучаться в сеть под видом "своих" адресов через внешний интерфейс
ipfw add 210 deny ip from 192.168.0.0/24 to any in via rl0
#Разрешил своей сети ходить через внутренний интерфейс
ipfw add 211 allow ip from 192.168.0.0/24 to me keep-state via rl1
#ipfw add 212 allow ip from 192.168.0.0/24 to 192.168.0.0/24 via rl1
ipfw add 213 deny ip from 192.168.0.0/24 to 192.168.0.0/24 via rl0
#Запрет стучаться от внешнего интерфейса по нетбиосу
ipfw add 250 drop ip from any to me dst-port 135-139,445 via rl0
ipfw add 251 drop ip from any to me dst-port 4000-6534 via rl0
#Разрешение хождения пакетов от своей подсети
ipfw add 300 allow ip from 192.168.0.0/24 to 192.168.0.0/24 via lo
#Разрешение хождения пакетов от моих адресов через внешний интерфейс
ipfw add 310 allow tcp from me to any keep-state
ipfw add 320 allow icmp from any to any
#Разрешить идти от меня куда угодно
ipfw add 340 allow ip from me to any
#Разрешить ходить комне HTTP, HTTPS, Telnet, SSH
ipfw add 400 allow tcp from any to me dst-port 80,21,22
#Разрешить от моей сети по 25 порту к серверу, писать в лог
ipfw add 410 allow tcp from 192.168.0.0/24 to me dst-port 25 keep-state
ipfw add 413 deny tcp from any to any 113 in via rl0
ipfw add 414 deny tcp from any to any 137 in via rl0
ipfw add 415 deny tcp from any to any 138 in via rl0
ipfw add 416 deny tcp from any to any 139 in via rl0
ipfw add 417 deny tcp from any to any 81 in via rl0
# Запрещаем пакеты прибывшие позже
ipfw add 418 deny ip from any to me frag in via rl0
# Запрещаем ACK пакеты которые не совпадают с динамической таблицей правил
ipfw add 419 deny tcp from any to any established in via rl0
####СПИСОК ПИ**** (внешних)#######
ipfw add 200 deny ip from 74.0.86.138 to any via rl0
ipfw add 201 deny ip from 59.151.45.249 to any via rl0
ipfw add 202 deny ip from 210.143.128.92 to any via rl0
ipfw add 203 deny ip from 85.89.73.219 to any via rl0
ipfw add 204 deny ip from 212.14.5.154 to any via rl0
ipfw add 205 deny ip from 141.99.32.113 to any via rl0
ipfw add 206 deny ip from 208.53.138.160 to any via rl0
ipfw add 207 deny ip from 83.3.72.66 to any via rl0
ipfw add 208 deny ip from 195.210.70.13 to any via rl0
ipfw add 209 deny ip from 194.67.211.149 to any via rl0
ipfw add 210 deny ip from 216.87.66.37 to any via rl0
ipfw add 211 deny ip from 200.71.53.47 to any via rl0
ipfw add 212 deny ip from 86.125.89.46 to any via rl0
ipfw add 213 deny ip from 24.27.14.229 to any via rl0
ipfw add 214 deny ip from 210.83.203.92 to any via rl0
ipfw add 215 deny ip from 219.235.231.103 to any via rl0
ipfw add 216 deny ip from 69.118.224.121 to any via rl0
ipfw add 217 deny ip from 200.79.192.16 to any via rl0
ipfw add 218 deny ip from 83.15.231.75 to any via rl0
ipfw add 219 deny ip from 88.84.155.132 to any via rl0
ipfw add 220 deny ip from 212.176.217.4 to any via rl0
ipfw add 221 deny ip from 85.114.133.136 to any via rl0
ipfw add 222 deny ip from 195.94.224.178 to any via rl0
ipfw add 223 deny ip from 74.0.86.138 to any via rl0
ipfw add 224 deny ip from 124.135.192.4 to any via rl0
ipfw add 225 deny ip from 210.51.190.93 to any via rl0
ipfw add 226 deny ip from 196.40.57.70 to any via rl0
ipfw add 227 deny ip from 210.51.172.156 to any via rl0
ipfw add 228 deny ip from 195.154.137.17 to any via rl0
ipfw add 229 deny ip from 222.48.110.210 to any via rl0
ipfw add 230 deny ip from 193.231.226.55 to any via rl0
ipfw add 231 deny ip from 61.250.149.16 to any via rl0
ipfw add 232 deny ip from 209.135.159.10 to any via rl0
ipfw add 233 deny ip from 213.19.163.35 to any via rl0
ipfw add 234 deny ip from 221.113.9.123 to any via rl0
ipfw add 235 deny ip from 80.97.12.167 to any via rl0
ipfw add 236 deny ip from 72.55.133.231 to any via rl0
ipfw add 237 deny ip from 61.166.190.138 to any via rl0
ipfw add 238 deny ip from 203.89.181.92 to any via rl0
ipfw add 239 deny ip from 86.59.21.66 to any via rl0
ipfw add 240 deny ip from 195.154.137.17 to any via rl0
ipfw add 241 deny ip from 125.91.3.56 to any via rl0
ipfw add 242 deny ip from 200.30.94.10 to any via rl0
ipfw add 243 deny ip from 89.39.38.210 to any via rl0
ipfw add 244 deny ip from 88.222.1.129 to any via rl0
ipfw add 245 deny ip from 66.2.108.100 to any via rl0
ipfw add 246 deny ip from 64.41.74.39 to any via rl0
ipfw add 247 deny ip from 200.180.18.66 to any via rl0
ipfw add 248 deny ip from 84.232.127.4 to any via rl0
ipfw add 249 deny ip from 217.73.255.255 to any via rl0
ipfw add 250 deny ip from 81.95.255.255 to any via rl0
ipfw add 251 deny ip from 82.255.255.255 to any via rl0
ipfw add 252 deny ip from 82.144.193.241 to any via rl0
ipfw add 253 deny ip from 212.40.34.156 to any via rl0
ipfw add 254 deny ip from 59.182.72.166 to any via rl0
ipfw add 255 deny ip from 195.126.0.0/24 to any via rl0
ipfw add 257 deny ip from 212.40.34.0/24 to any via rl0
ipfw add 258 deny ip from 64.12.24.45 to any via rl0
ipfw add 259 deny ip from 88.212.221.0/24 to any via rl0
ipfw add 260 deny ip from 194.126.224.0/24 to any via rl0
ipfw add 261 deny ip from 164.89.0.0/16 to any via rl0
ipfw add 262 deny ip from 216.157.224.0/19 to any via rl0
ipfw add 263 deny ip from 80.239.177.0/24 to any via rl0
ipfw add 264 deny ip from 200.222.187.0/24 to any via rl0
ipfw add 265 deny ip from 121.184.0.0/24 to any via rl0
ipfw add 266 deny ip from 216.65.0.0/17 to any via rl0
ipfw add 267 deny ip from 200.202.0.0/18 to any via rl0
ipfw add 268 deny ip from 64.18.0.0/20 to any via rl0
ipfw add 1004 pipe 4 tcp from any to 192.168.0.4 via rl1
ipfw add 1104 pipe 104 ip from 192.168.0.4 to any via rl1
ipfw pipe 4 config bw 3MBit/s
ipfw pipe 104 config bw 3MBit/s
ipfw add 1008 pipe 8 ip from any to 192.168.0.8 via rl1
ipfw add 1108 pipe 108 ip from 192.168.0.8 to any via rl1
ipfw pipe 8 config bw 128KBit/s
ipfw pipe 108 config bw 64KBit/s
ipfw add 1010 pipe 10 ip from any to 192.168.0.10 via rl1
ipfw add 1110 pipe 110 ip from 192.168.0.10 to any via rl1
ipfw pipe 10 config bw 128KBit/s
ipfw pipe 110 config bw 64KBit/s
ipfw add 1011 pipe 11 ip from any to 192.168.0.11 via rl1
ipfw add 1111 pipe 111 ip from 192.168.0.11 to any via rl1
ipfw pipe 11 config bw 128KBit/s
ipfw pipe 111 config bw 64KBit/s
ipfw add 1012 pipe 12 ip from any to 192.168.0.12 via rl1
ipfw add 1112 pipe 112 ip from 192.168.0.12 to any via rl1
ipfw pipe 12 config bw 128KBit/s
ipfw pipe 112 config bw 64Kit/s
ipfw add 1013 pipe 13 ip from any to 192.168.0.13 via rl1
ipfw pipe 113 config bw 64KBit/s
ipfw add 1014 pipe 14 ip from any to 192.168.0.14 via rl1
ipfw add 1114 pipe 114 ip from 192.168.0.14 to any via rl1
ipfw pipe 14 config bw 128KBit/s
ipfw pipe 114 config bw 64KBit/s
ipfw add 1015 pipe 15 ip from any to 192.168.0.15 via rl1
ipfw add 1115 pipe 115 ip from 192.168.0.15 to any via rl1
ipfw pipe 15 config bw 128KBit/s
ipfw pipe 115 config bw 64KBit/s
ipfw add 1016 pipe 16 ip from any to 192.168.0.16 via rl1
ipfw add 1116 pipe 116 ip from 192.168.0.16 to any via rl1
ipfw pipe 16 config bw 128KBit/s
ipfw pipe 116 config bw 64Kit/s
ipfw add 1017 pipe 17 ip from any to 192.168.0.17 via rl1
ipfw add 1117 pipe 117 ip from any to 192.168.0.17 any via rl1
ipfw pipe 17 config bw 128KBit/s
ipfw pipe 117 config bw 64KBit/s
ipfw add 1018 pipe 18 ip from any to 192.168.0.18 via rl1
ipfw add 1118 pipe 118 ip from any to 192.168.0.18 via rl1
ipfw pipe 18 config bw 128KBit/s
ipfw pipe 118 config bw 64KBit/s
ipfw add 1025 pipe 25 ip from any to 192.168.0.25 via rl1
ipfw add 1125 pipe 125 ip from any to 192.168.0.25 via rl1
ipfw pipe 25 config bw 128KBit/s
ipfw pipe 125 config bw 64KBit/s
ipfw add 1026 pipe 26 ip from any to 192.168.0.26 via rl1
ipfw add 1126 pipe 126 ip from any to 192.168.0.26 via rl1
ipfw pipe 26 config bw 256KBit/s
ipfw pipe 126 config bw 256KBit/s
ipfw add 1027 pipe 27 ip from any to 192.168.0.6 via rl1
ipfw add 1127 pipe 127 ip from any to 192.168.0.6 via rl1
ipfw pipe 27 config bw 128KBit/s
ipfw pipe 127 config bw 64KBit/s
ipfw add 65535 deny ip from any to any