Решил проблему следующим набором правил:add allow icmp from any to any
add check-state
add divert natd tcp from 192.168.0.0/16 to any 22,25,110,143,465,587,993,995,7000,7001,7005 out xmit bce1 keep-state
add divert natd udp from 192.168.0.0/16 to any 7000,7001,7005 out xmit bce1 keep-state
add divert natd ip from 192.168.89.8/32,192.168.89.254/32 to any out xmit bce1 keep-state
add deny ip from any to any frag
add deny tcp from any to any established
# боимся непонятного
add deny ip from any to 192.168.0.0/16 in recv bce1
add deny ip from 192.168.0.0/16 to any in recv bce1
add deny ip from any to 172.16.0.0/12 in recv bce1
add deny ip from 172.16.0.0/12 to any in recv bce1
add deny ip from any to 10.0.0.0/8 in recv bce1
add deny ip from 10.0.0.0/8 to any in recv bce1
add deny ip from any to 169.254.0.0/16 in recv bce1
add deny ip from 169.254.0.0/16 to any in recv bce1
add allow tcp from any to any ssh setup keep-state
add allow tcp from any to XXX.XXX.XXX.66 53 setup keep-state
add allow udp from any to XXX.XXX.XXX.66 53 keep-state
add deny log ip from any to XXX.XXX.XXX.66
add allow tcp from any to XXX.XXX.XXX.64/27 setup keep-state
add allow tcp from 192.168.0.0/16 to any setup in recv bce0 keep-state
add allow udp from 192.168.0.0/16 to any in recv bce0 keep-state
add allow udp from any to any out keep-state
add allow tcp from any to any out setup keep-state
add allow udp from any to YYY.YYY.YYY.YYY dst-port 2601,2604 in recv bce1 keep-state
add allow tcp from any to YYY.YYY.YYY.YYY dst-port 2601,2604 in recv bce1 setup keep-state
add 65534 deny log ip from any to any
Версия для распечатки
stateful ipfw: ipfw_install_state: entry already present,
0rt, 18-Ноя-11, 07:35
[смотреть все]
