>> No scripts were used when writing the rules.
> rc.firewall is a script, actually...
>> I'd be grateful if you could tell me how to get the shaper working.
> When switching onepass to 0 with rules that were already debugged, if shaping is needed
> only for 192.168.180.0, it seems to me the pipes are better inserted before "allow all from
> any to any via $LanIn", and all the rules with nat should be duplicated
> immediately after them with corresponding "allow" rules.
>> PS. I did play with the rule numbers. Right now the beginning of the rules looks like this:
> It's still easier to orient yourself by "ipfw list" after a reboot (or after restarting the script).

After switching to onepass=0 and changing the rules to the following state, it didn't help.

00003 pipe 1 ip from any to 192.168.180.0/23 in
00004 pipe 2 ip from 192.168.180.0/23 to any out
00005 allow ip from any to any via igb0
00006 allow ip from any to any via tun0
00007 allow ip from any to any via vlan10
00008 allow ip from any to any via gif0
00009 allow ip from any to any via vlan20
00010 allow ip from any to any via lo0
00030 nat 1 ip from any to any in via igb1
00033 nat 1 ip from 192.168.180.0/23 to any out via igb1
00035 nat 1 ip from 192.168.185.0/24 to any out via igb1
00038 nat 1 ip from 192.168.190.0/24 to any out via igb1
00040 check-state
00052 allow ip from any 53 to any via igb1
00053 allow ip from any to any dst-port 53 via igb1
00060 allow ip from me to any out via igb1 setup keep-state
00061 allow udp from xxx.xxx.xxx.xxx to me dst-port 500
00062 allow udp from me to xxx.xxx.xxx.xxx dst-port 500
00063 allow esp from xxx.xxx.xxx.xxx to me
00064 allow esp from me to xxx.xxx.xxx.xxx
00065 allow ipencap from xxx.xxx.xxx.xxx to me
00066 allow ipencap from me to xxx.xxx.xxx.xxx
00100 allow icmp from any to any out via igb1 keep-state
00101 allow tcp from xxx.xxx.xxx.xxx to me dst-port 2000 in via igb1
00102 allow tcp from me 2000 to xxx.xxx.xxx.xxx out via igb1
00103 allow ip from any to any in via tun0
00104 allow ip from any to any out via tun0
00120 allow udp from any to any dst-port 123 out via igb1 keep-state
00123 allow ip from 192.168.185.0/24 to any dst-port 80,443,21 out via igb1 setup keep-state
00131 allow ip from 193.201.230.128/26 to 192.168.180.0/24{31-89} in via igb1
00132 allow ip from 192.168.180.0/24{31-89} to 193.201.230.128/26 out via igb1
00141 allow ip from 192.168.180.0/24{11-29} to any out via igb1 setup keep-state
00142 allow ip from any to 192.168.180.0/24{11-29} in via igb1 setup keep-state
00143 allow ip from 192.168.180.0/24{95-97} to any out via igb1 setup keep-state
00161 allow icmp from any to me in via igb1 icmptypes 3,8,12
00162 allow icmp from me to any out via igb1 icmptypes 0,3,4,11,12
00163 deny log logamount 50 icmp from any to me in via igb1 icmptypes 5,9,10,13,15,17
00200 deny ip from 192.168.0.0/16 to any in via igb1
00201 deny ip from 172.16.0.0/12 to any in via igb1
00202 deny ip from 10.0.0.0/8 to any in via igb1
00203 deny ip from 127.0.0.0/8 to any in via igb1
00204 deny ip from 0.0.0.0/8 to any in via igb1
00205 deny ip from 169.254.0.0/16 to any in via igb1
00206 deny ip from 192.0.2.0/24 to any in via igb1
00207 deny ip from 204.152.64.0/23 to any in via igb1
00208 deny ip from 224.0.0.0/3 to any in via igb1
00209 deny tcp from any to any dst-port 113 in via igb1
00210 deny tcp from any to any dst-port 137 via igb1
00211 deny tcp from any to any dst-port 138 via igb1
00212 deny tcp from any to any dst-port 139 via igb1
00213 deny tcp from any to any dst-port 81 via igb1
00214 deny ip from any to any frag in via igb1
00215 deny tcp from any to any established in via igb1
00300 allow tcp from xxx.xxx.xxx.xxx to me dst-port 22 in via igb1 setup limit src-addr 1
00400 deny log logamount 50 ip from any to any in via igb1
00410 deny log logamount 50 ip from any to any out via igb1
65535 deny ip from any to any

I didn't quite understand which rules need to be duplicated.
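Added example, not from this thread and not the poster's rc.firewall: the head of the ruleset rewritten for net.inet.ip.fw.one_pass=0 the way the quoted advice describes (pipes before the LAN allow, every nat rule followed by an allow), as a small sh generator in rc.firewall style so the ordering can be checked without root. Interface names and networks are the ones in the posted "ipfw list"; the LAN interface ($LanIf, taken as igb0), the pipe bandwidths and the skipto are assumptions of this example. Two details decide which allow to pair with which nat once one_pass is 0. With one_pass=0 a packet leaving a nat rule is re-evaluated from the next rule with its translated addresses (ipfw(8)), so the allow after an outbound nat rule must match the post-NAT source, i.e. "me" (the igb1 address), not 192.168.180.0/23; a skipto placed before the nat rules sends the router's own traffic past that allow so it keeps going through the poster's rules from 40 on. For inbound, with one_pass=1 rule 30 accepted every packet arriving on igb1 whether nat translated it or not, so nothing after it ever saw WAN traffic; the example allows only what nat did translate (destination now inside one of the private networks) and lets everything else fall through to the explicit rules. Finally, for traffic that nat translates, the posted rule 3 never fires: it is an "in" rule evaluated before rule 30, when the destination is still the public address, and the packet's second pass through the firewall is out via the LAN interface, not in; both pipes are therefore attached to the LAN interface here.

```shell
#!/bin/sh
# Added example (not the poster's script): head of an ipfw ruleset for
# net.inet.ip.fw.one_pass=0 in which every nat rule is followed by an allow
# that matches the *translated* packet. Interfaces and networks come from the
# poster's "ipfw list"; LanIf, the bandwidths and the skipto are assumptions.

fwcmd="${fwcmd:-/sbin/ipfw -q}"
WanIf="${WanIf:-igb1}"
LanIf="${LanIf:-igb0}"             # assumption: interface facing 192.168.180.0/23
ShapedNet=192.168.180.0/23
NatNets=192.168.180.0/23,192.168.185.0/24,192.168.190.0/24
DownBw="${DownBw:-10Mbit/s}"       # assumption
UpBw="${UpBw:-2Mbit/s}"            # assumption

# Emit the rules in their final order, one ipfw argument list per line.
build_rules() {
cat <<EOF
pipe 1 config bw $DownBw
pipe 2 config bw $UpBw
add 3 pipe 1 ip from any to $ShapedNet out via $LanIf
add 4 pipe 2 ip from $ShapedNet to any in via $LanIf
add 5 allow ip from any to any via $LanIf
add 6 allow ip from any to any via tun0
add 7 allow ip from any to any via vlan10
add 8 allow ip from any to any via gif0
add 9 allow ip from any to any via vlan20
add 10 allow ip from any to any via lo0
add 30 nat 1 ip from any to any in via $WanIf
add 31 allow ip from any to $NatNets in via $WanIf
add 32 skipto 40 ip from me to any out via $WanIf
add 33 nat 1 ip from 192.168.180.0/23 to any out via $WanIf
add 35 nat 1 ip from 192.168.185.0/24 to any out via $WanIf
add 38 nat 1 ip from 192.168.190.0/24 to any out via $WanIf
add 39 allow ip from me to any out via $WanIf
add 40 check-state
EOF
}
# Rule 31: after nat in, only a translated packet has a private destination;
#          untranslated ones (to the router itself) continue to the rules below.
# Rule 32: the router's own packets skip the post-nat allow, so at rule 39
#          a source of "me" can only be a packet that nat just translated.

# Check: every nat rule is followed (after any further nat rules) by an allow
# with the same direction and interface. Exit status 0 when the layout holds.
nat_rules_covered() {
    build_rules | awk '
        $3 == "nat"  { want = $(NF-2) " " $NF; next }
        want != ""   { if ($3 != "allow" || ($(NF-2) " " $NF) != want) bad = 1; want = "" }
        END          { exit (bad || want != "") ? 1 : 0 }'
}

# Load the generated head into the kernel (needs root and ipfw; flushes first).
apply_rules() {
    $fwcmd -f flush
    build_rules | while read -r rule; do
        $fwcmd $rule
    done
}

case "${1-}" in
    apply) apply_rules ;;
    *)     build_rules ;;      # default: print the rules for review
esac
```

Run it without arguments to print the generated head and compare it with `ipfw list`; `sh script.sh apply` loads it. The poster's rules from 40 onward are unchanged by this layout, since anything the allows at 31 and 39 do not match continues into them exactly as before.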