Here is a working firewall with the same purpose.
Internet access gateway:
00001 470740 771676984 allow ip from any to any via lo0
00002 0 0 deny ip from any to 127.0.0.0/8
00003 0 0 deny ip from 127.0.0.0/8 to any
# anti-spoofing
00010 0 0 deny log ip from <external_ip>/30 to any in recv wb0
00020 92 4416 deny log ip from 192.168.0.0/24 to any in recv ed0
# block the private ("grey") ranges
00040 2225 104581 deny ip from any to 10.0.0.0/8 via ed0
00050 701 32947 deny ip from any to 172.16.0.0/12 via ed0
00060 7893 372849 deny ip from any to 192.168.0.0/16 via ed0
00070 0 0 deny ip from any to 0.0.0.0/8 via ed0
00080 7 329 deny ip from any to 169.254.0.0/16 via ed0
00090 0 0 deny ip from any to 192.0.2.0/24 via ed0
00100 0 0 deny ip from any to 224.0.0.0/4 via ed0
00110 0 0 deny ip from any to 240.0.0.0/4 via ed0
# Microsoft networking
00200 12794 621995 deny tcp from any to any 134-139 via ed0
00210 733 52989 deny udp from any to any 134-139 via ed0
# admin access
01000 1181 49968 allow ip from <external_ip> to me via ed0
01050 820 183415 allow ip from me to <external_ip> via ed0
# the inveterate porn viewer is cut off from the Internet
02000 0 0 deny ip from 192.168.0.158 to any out xmit ed0
02001 0 0 deny tcp from 192.168.0.158 to me 3128
# forward to the transparent proxy (squid). can be removed
03000 1716007 192117593 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to any 80 out xmit ed0
# outbound NAT
03030 40290020 6447780954 divert 8668 ip from 192.168.0.0/24 to any out xmit ed0
# block the private ranges again.
03100 17 1287 deny log ip from 10.0.0.0/8 to any via ed0
03110 0 0 deny log ip from 172.16.0.0/12 to any via ed0
03120 4 256 deny log ip from 192.168.0.0/16 to any via ed0
03130 3 168 deny log ip from 0.0.0.0/8 to any via ed0
03140 0 0 deny log ip from 169.254.0.0/16 to any via ed0
03150 0 0 deny log ip from 192.0.2.0/24 to any via ed0
03160 0 0 deny log ip from 224.0.0.0/4 to any via ed0
03170 0 0 deny log ip from 240.0.0.0/4 to any via ed0
# pipe: a limit on the inbound channel bandwidth. can be removed.
03900 30788587 9365198565 pipe 10 ip from any to <external_ip> in recv ed0
# inbound NAT
04000 28947774 8722820614 divert 8668 ip from any to <external_ip> in recv ed0
# And here inbound traffic is counted, first the total, then per
# address. The counters are read by the ipa program.
05000 28922663 9226322919 count ip from any to 192.168.0.0/24 out xmit wb0
05001 1555 175397 count ip from any to 192.168.0.1 out xmit wb0
05002 0 0 count ip from any to 192.168.0.2 out xmit wb0
05003 0 0 count ip from any to 192.168.0.3 out xmit wb0
05004 0 0 count ip from any to 192.168.0.4 out xmit wb0
05005 0 0 count ip from any to 192.168.0.5 out xmit wb0
05006 0 0 count ip from any to 192.168.0.6 out xmit wb0
05007 0 0 count ip from any to 192.168.0.7 out xmit wb0
05008 0 0 count ip from any to 192.168.0.8 out xmit wb0
05009 0 0 count ip from any to 192.168.0.9 out xmit wb0
05010 110739 57624534 count ip from any to 192.168.0.10 out xmit wb0
05011 0 0 count ip from any to 192.168.0.11 out xmit wb0
05012 0 0 count ip from any to 192.168.0.12 out xmit wb0
05013 0 0 count ip from any to 192.168.0.13 out xmit wb0
05014 0 0 count ip from any to 192.168.0.14 out xmit wb0
05015 131948 134574683 count ip from any to 192.168.0.15 out xmit wb0
05016 0 0 count ip from any to 192.168.0.16 out xmit wb0
05017 0 0 count ip from any to 192.168.0.17 out xmit wb0
05018 0 0 count ip from any to 192.168.0.18 out xmit wb0
05019 0 0 count ip from any to 192.168.0.19 out xmit wb0
05020 0 0 count ip from any to 192.168.0.20 out xmit wb0
05021 0 0 count ip from any to 192.168.0.21 out xmit wb0
05022 0 0 count ip from any to 192.168.0.22 out xmit wb0
05023 0 0 count ip from any to 192.168.0.23 out xmit wb0
05024 0 0 count ip from any to 192.168.0.24 out xmit wb0
05025 0 0 count ip from any to 192.168.0.25 out xmit wb0
05026 0 0 count ip from any to 192.168.0.26 out xmit wb0
05027 0 0 count ip from any to 192.168.0.27 out xmit wb0
05028 0 0 count ip from any to 192.168.0.28 out xmit wb0
05029 0 0 count ip from any to 192.168.0.29 out xmit wb0
05030 0 0 count ip from any to 192.168.0.30 out xmit wb0
05031 0 0 count ip from any to 192.168.0.31 out xmit wb0
05032 0 0 count ip from any to 192.168.0.32 out xmit wb0
05033 0 0 count ip from any to 192.168.0.33 out xmit wb0
05034 0 0 count ip from any to 192.168.0.34 out xmit wb0
05035 0 0 count ip from any to 192.168.0.35 out xmit wb0
05036 0 0 count ip from any to 192.168.0.36 out xmit wb0
05037 0 0 count ip from any to 192.168.0.37 out xmit wb0
05038 0 0 count ip from any to 192.168.0.38 out xmit wb0
05039 0 0 count ip from any to 192.168.0.39 out xmit wb0
05040 0 0 count ip from any to 192.168.0.40 out xmit wb0
05041 0 0 count ip from any to 192.168.0.41 out xmit wb0
05042 0 0 count ip from any to 192.168.0.42 out xmit wb0
05043 0 0 count ip from any to 192.168.0.43 out xmit wb0
05044 0 0 count ip from any to 192.168.0.44 out xmit wb0
05045 0 0 count ip from any to 192.168.0.45 out xmit wb0
05046 0 0 count ip from any to 192.168.0.46 out xmit wb0
05047 0 0 count ip from any to 192.168.0.47 out xmit wb0
05048 0 0 count ip from any to 192.168.0.48 out xmit wb0
05049 0 0 count ip from any to 192.168.0.49 out xmit wb0
05050 0 0 count ip from any to 192.168.0.50 out xmit wb0
05051 0 0 count ip from any to 192.168.0.51 out xmit wb0
05052 0 0 count ip from any to 192.168.0.52 out xmit wb0
05053 0 0 count ip from any to 192.168.0.53 out xmit wb0
05054 0 0 count ip from any to 192.168.0.54 out xmit wb0
05055 0 0 count ip from any to 192.168.0.55 out xmit wb0
05056 0 0 count ip from any to 192.168.0.56 out xmit wb0
05057 0 0 count ip from any to 192.168.0.57 out xmit wb0
05058 0 0 count ip from any to 192.168.0.58 out xmit wb0
05059 0 0 count ip from any to 192.168.0.59 out xmit wb0
05060 0 0 count ip from any to 192.168.0.60 out xmit wb0
05061 0 0 count ip from any to 192.168.0.61 out xmit wb0
05062 0 0 count ip from any to 192.168.0.62 out xmit wb0
05063 0 0 count ip from any to 192.168.0.63 out xmit wb0
05064 0 0 count ip from any to 192.168.0.64 out xmit wb0
05065 0 0 count ip from any to 192.168.0.65 out xmit wb0
05066 0 0 count ip from any to 192.168.0.66 out xmit wb0
05067 0 0 count ip from any to 192.168.0.67 out xmit wb0
05068 0 0 count ip from any to 192.168.0.68 out xmit wb0
05069 0 0 count ip from any to 192.168.0.69 out xmit wb0
05070 0 0 count ip from any to 192.168.0.70 out xmit wb0
05071 0 0 count ip from any to 192.168.0.71 out xmit wb0
05072 0 0 count ip from any to 192.168.0.72 out xmit wb0
05073 0 0 count ip from any to 192.168.0.73 out xmit wb0
05074 0 0 count ip from any to 192.168.0.74 out xmit wb0
05075 0 0 count ip from any to 192.168.0.75 out xmit wb0
05076 0 0 count ip from any to 192.168.0.76 out xmit wb0
05077 0 0 count ip from any to 192.168.0.77 out xmit wb0
05078 0 0 count ip from any to 192.168.0.78 out xmit wb0
05079 0 0 count ip from any to 192.168.0.79 out xmit wb0
05080 0 0 count ip from any to 192.168.0.80 out xmit wb0
05081 0 0 count ip from any to 192.168.0.81 out xmit wb0
05082 0 0 count ip from any to 192.168.0.82 out xmit wb0
05083 0 0 count ip from any to 192.168.0.83 out xmit wb0
05084 0 0 count ip from any to 192.168.0.84 out xmit wb0
05085 0 0 count ip from any to 192.168.0.85 out xmit wb0
05086 0 0 count ip from any to 192.168.0.86 out xmit wb0
05087 0 0 count ip from any to 192.168.0.87 out xmit wb0
05088 0 0 count ip from any to 192.168.0.88 out xmit wb0
05089 0 0 count ip from any to 192.168.0.89 out xmit wb0
05090 0 0 count ip from any to 192.168.0.90 out xmit wb0
05091 0 0 count ip from any to 192.168.0.91 out xmit wb0
05092 0 0 count ip from any to 192.168.0.92 out xmit wb0
05093 0 0 count ip from any to 192.168.0.93 out xmit wb0
05094 0 0 count ip from any to 192.168.0.94 out xmit wb0
05095 0 0 count ip from any to 192.168.0.95 out xmit wb0
05096 0 0 count ip from any to 192.168.0.96 out xmit wb0
05097 0 0 count ip from any to 192.168.0.97 out xmit wb0
05098 0 0 count ip from any to 192.168.0.98 out xmit wb0
05099 0 0 count ip from any to 192.168.0.99 out xmit wb0
05100 0 0 count ip from any to 192.168.0.100 out xmit wb0
05101 0 0 count ip from any to 192.168.0.101 out xmit wb0
05102 0 0 count ip from any to 192.168.0.102 out xmit wb0
05103 0 0 count ip from any to 192.168.0.103 out xmit wb0
05104 0 0 count ip from any to 192.168.0.104 out xmit wb0
05105 0 0 count ip from any to 192.168.0.105 out xmit wb0
05106 0 0 count ip from any to 192.168.0.106 out xmit wb0
05107 0 0 count ip from any to 192.168.0.107 out xmit wb0
05108 0 0 count ip from any to 192.168.0.108 out xmit wb0
05109 0 0 count ip from any to 192.168.0.109 out xmit wb0
05110 0 0 count ip from any to 192.168.0.110 out xmit wb0
05111 0 0 count ip from any to 192.168.0.111 out xmit wb0
05112 0 0 count ip from any to 192.168.0.112 out xmit wb0
05113 0 0 count ip from any to 192.168.0.113 out xmit wb0
05114 0 0 count ip from any to 192.168.0.114 out xmit wb0
05115 0 0 count ip from any to 192.168.0.115 out xmit wb0
05116 0 0 count ip from any to 192.168.0.116 out xmit wb0
05117 0 0 count ip from any to 192.168.0.117 out xmit wb0
05118 0 0 count ip from any to 192.168.0.118 out xmit wb0
05119 0 0 count ip from any to 192.168.0.119 out xmit wb0
05120 0 0 count ip from any to 192.168.0.120 out xmit wb0
05121 0 0 count ip from any to 192.168.0.121 out xmit wb0
05122 0 0 count ip from any to 192.168.0.122 out xmit wb0
05123 0 0 count ip from any to 192.168.0.123 out xmit wb0
05124 0 0 count ip from any to 192.168.0.124 out xmit wb0
05125 0 0 count ip from any to 192.168.0.125 out xmit wb0
05126 0 0 count ip from any to 192.168.0.126 out xmit wb0
05127 0 0 count ip from any to 192.168.0.127 out xmit wb0
05128 0 0 count ip from any to 192.168.0.128 out xmit wb0
05129 0 0 count ip from any to 192.168.0.129 out xmit wb0
05130 0 0 count ip from any to 192.168.0.130 out xmit wb0
05131 0 0 count ip from any to 192.168.0.131 out xmit wb0
05132 0 0 count ip from any to 192.168.0.132 out xmit wb0
05133 0 0 count ip from any to 192.168.0.133 out xmit wb0
05134 0 0 count ip from any to 192.168.0.134 out xmit wb0
05135 0 0 count ip from any to 192.168.0.135 out xmit wb0
05136 0 0 count ip from any to 192.168.0.136 out xmit wb0
05137 0 0 count ip from any to 192.168.0.137 out xmit wb0
05138 0 0 count ip from any to 192.168.0.138 out xmit wb0
05139 0 0 count ip from any to 192.168.0.139 out xmit wb0
05140 0 0 count ip from any to 192.168.0.140 out xmit wb0
05141 0 0 count ip from any to 192.168.0.141 out xmit wb0
05142 0 0 count ip from any to 192.168.0.142 out xmit wb0
05143 0 0 count ip from any to 192.168.0.143 out xmit wb0
05144 0 0 count ip from any to 192.168.0.144 out xmit wb0
05145 0 0 count ip from any to 192.168.0.145 out xmit wb0
05146 0 0 count ip from any to 192.168.0.146 out xmit wb0
05147 0 0 count ip from any to 192.168.0.147 out xmit wb0
05148 0 0 count ip from any to 192.168.0.148 out xmit wb0
05149 0 0 count ip from any to 192.168.0.149 out xmit wb0
05150 0 0 count ip from any to 192.168.0.150 out xmit wb0
05151 0 0 count ip from any to 192.168.0.151 out xmit wb0
05152 0 0 count ip from any to 192.168.0.152 out xmit wb0
05153 487918 503176120 count ip from any to 192.168.0.153 out xmit wb0
05154 0 0 count ip from any to 192.168.0.154 out xmit wb0
05155 0 0 count ip from any to 192.168.0.155 out xmit wb0
05156 968997 877645063 count ip from any to 192.168.0.156 out xmit wb0
05157 102268 75780957 count ip from any to 192.168.0.157 out xmit wb0
05158 0 0 count ip from any to 192.168.0.158 out xmit wb0
05159 0 0 count ip from any to 192.168.0.159 out xmit wb0
05160 0 0 count ip from any to 192.168.0.160 out xmit wb0
05161 0 0 count ip from any to 192.168.0.161 out xmit wb0
05162 0 0 count ip from any to 192.168.0.162 out xmit wb0
05163 224976 134348628 count ip from any to 192.168.0.163 out xmit wb0
05164 0 0 count ip from any to 192.168.0.164 out xmit wb0
05165 507451 543335781 count ip from any to 192.168.0.165 out xmit wb0
05166 154274 153976916 count ip from any to 192.168.0.166 out xmit wb0
05167 0 0 count ip from any to 192.168.0.167 out xmit wb0
05168 243083 168687075 count ip from any to 192.168.0.168 out xmit wb0
05169 0 0 count ip from any to 192.168.0.169 out xmit wb0
05170 0 0 count ip from any to 192.168.0.170 out xmit wb0
05171 0 0 count ip from any to 192.168.0.171 out xmit wb0
05172 0 0 count ip from any to 192.168.0.172 out xmit wb0
05173 0 0 count ip from any to 192.168.0.173 out xmit wb0
05174 0 0 count ip from any to 192.168.0.174 out xmit wb0
05175 0 0 count ip from any to 192.168.0.175 out xmit wb0
05176 0 0 count ip from any to 192.168.0.176 out xmit wb0
05177 0 0 count ip from any to 192.168.0.177 out xmit wb0
05178 0 0 count ip from any to 192.168.0.178 out xmit wb0
05179 0 0 count ip from any to 192.168.0.179 out xmit wb0
05180 0 0 count ip from any to 192.168.0.180 out xmit wb0
05181 0 0 count ip from any to 192.168.0.181 out xmit wb0
05182 0 0 count ip from any to 192.168.0.182 out xmit wb0
05183 0 0 count ip from any to 192.168.0.183 out xmit wb0
05184 0 0 count ip from any to 192.168.0.184 out xmit wb0
05185 0 0 count ip from any to 192.168.0.185 out xmit wb0
05186 0 0 count ip from any to 192.168.0.186 out xmit wb0
05187 0 0 count ip from any to 192.168.0.187 out xmit wb0
05188 0 0 count ip from any to 192.168.0.188 out xmit wb0
05189 738287 731426174 count ip from any to 192.168.0.189 out xmit wb0
05190 0 0 count ip from any to 192.168.0.190 out xmit wb0
05191 0 0 count ip from any to 192.168.0.191 out xmit wb0
05192 0 0 count ip from any to 192.168.0.192 out xmit wb0
05193 0 0 count ip from any to 192.168.0.193 out xmit wb0
05194 0 0 count ip from any to 192.168.0.194 out xmit wb0
05195 0 0 count ip from any to 192.168.0.195 out xmit wb0
05196 0 0 count ip from any to 192.168.0.196 out xmit wb0
05197 0 0 count ip from any to 192.168.0.197 out xmit wb0
05198 47006 40201001 count ip from any to 192.168.0.198 out xmit wb0
05199 383891 356612234 count ip from any to 192.168.0.199 out xmit wb0
05200 0 0 count ip from any to 192.168.0.200 out xmit wb0
05201 1 127 count ip from any to 192.168.0.201 out xmit wb0
05202 512994 615071974 count ip from any to 192.168.0.202 out xmit wb0
05203 44 7803 count ip from any to 192.168.0.203 out xmit wb0
05204 0 0 count ip from any to 192.168.0.204 out xmit wb0
05205 0 0 count ip from any to 192.168.0.205 out xmit wb0
05206 0 0 count ip from any to 192.168.0.206 out xmit wb0
05207 0 0 count ip from any to 192.168.0.207 out xmit wb0
05208 0 0 count ip from any to 192.168.0.208 out xmit wb0
05209 0 0 count ip from any to 192.168.0.209 out xmit wb0
05210 212669 159817445 count ip from any to 192.168.0.210 out xmit wb0
05211 0 0 count ip from any to 192.168.0.211 out xmit wb0
05212 24093970 4673445596 count ip from any to 192.168.0.212 out xmit wb0
05213 0 0 count ip from any to 192.168.0.213 out xmit wb0
05214 0 0 count ip from any to 192.168.0.214 out xmit wb0
05215 0 0 count ip from any to 192.168.0.215 out xmit wb0
05216 0 0 count ip from any to 192.168.0.216 out xmit wb0
05217 0 0 count ip from any to 192.168.0.217 out xmit wb0
05218 0 0 count ip from any to 192.168.0.218 out xmit wb0
05219 0 0 count ip from any to 192.168.0.219 out xmit wb0
05220 0 0 count ip from any to 192.168.0.220 out xmit wb0
05221 0 0 count ip from any to 192.168.0.221 out xmit wb0
05222 0 0 count ip from any to 192.168.0.222 out xmit wb0
05223 0 0 count ip from any to 192.168.0.223 out xmit wb0
05224 0 0 count ip from any to 192.168.0.224 out xmit wb0
05225 0 0 count ip from any to 192.168.0.225 out xmit wb0
05226 276 191552 count ip from any to 192.168.0.226 out xmit wb0
05227 0 0 count ip from any to 192.168.0.227 out xmit wb0
05228 0 0 count ip from any to 192.168.0.228 out xmit wb0
05229 0 0 count ip from any to 192.168.0.229 out xmit wb0
05230 0 0 count ip from any to 192.168.0.230 out xmit wb0
05231 0 0 count ip from any to 192.168.0.231 out xmit wb0
05232 0 0 count ip from any to 192.168.0.232 out xmit wb0
05233 0 0 count ip from any to 192.168.0.233 out xmit wb0
05234 0 0 count ip from any to 192.168.0.234 out xmit wb0
05235 0 0 count ip from any to 192.168.0.235 out xmit wb0
05236 0 0 count ip from any to 192.168.0.236 out xmit wb0
05237 0 0 count ip from any to 192.168.0.237 out xmit wb0
05238 0 0 count ip from any to 192.168.0.238 out xmit wb0
05239 0 0 count ip from any to 192.168.0.239 out xmit wb0
05240 0 0 count ip from any to 192.168.0.240 out xmit wb0
05241 0 0 count ip from any to 192.168.0.241 out xmit wb0
05242 0 0 count ip from any to 192.168.0.242 out xmit wb0
05243 0 0 count ip from any to 192.168.0.243 out xmit wb0
05244 0 0 count ip from any to 192.168.0.244 out xmit wb0
05245 0 0 count ip from any to 192.168.0.245 out xmit wb0
05246 70 52566 count ip from any to 192.168.0.246 out xmit wb0
05247 246 171293 count ip from any to 192.168.0.247 out xmit wb0
05248 0 0 count ip from any to 192.168.0.248 out xmit wb0
05249 0 0 count ip from any to 192.168.0.249 out xmit wb0
05250 0 0 count ip from any to 192.168.0.250 out xmit wb0
05251 0 0 count ip from any to 192.168.0.251 out xmit wb0
05252 0 0 count ip from any to 192.168.0.252 out xmit wb0
05253 0 0 count ip from any to 192.168.0.253 out xmit wb0
05254 0 0 count ip from any to 192.168.0.254 out xmit wb0
# let everyone through on the local interface.
06000 73777831 16458729472 allow ip from any to any via wb0
# icmp too, all of it
06050 476241 31567542 allow icmp from any to any
# established tcp sessions are let through as well
06100 22427180 11633309752 allow tcp from any to any established
06200 16 10906 allow ip from any to any frag
06300 0 0 check-state
# outbound udp
06400 34051632 2093004130 allow udp from <external_ip> to any keep-state
# outbound tcp
06500 442041 25765972 allow tcp from <external_ip> to any
# let into the LAN what has passed through NAT to the clients
06600 17524463 2097486181 allow ip from any to 192.168.0.0/24 in recv ed0
# inbound DNS
08000 1 60 allow tcp from any to <external_ip> 53 via ed0 setup
08100 122 17590 allow udp from any to <external_ip> 53 keep-state via ed0
# inbound SMTP. same for 80, HTTPS
08200 17593 883148 allow tcp from any to <external_ip> 25 via ed0 setup
# log all the strangers knocking at our door.
60000 24188 1176056 deny log tcp from any to any in recv ed0
61000 65387 11413617 deny log udp from any to any in recv ed0
# just in case ;) though it can be killed too.
65000 0 0 allow log ip from any to any
65535 0 0 deny ip from any to any
Awaiting your corrections and comments.
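As an added example, not part of the post above: a small Python parser for output in the `ipfw show` format the post uses (rule number, packet count, byte count, rule body). It sums the per-host `count` counters that the post says are read with ipa, lists rules that have never matched since the counters were reset (candidates to review or drop), and checks the ordering the ruleset relies on, namely that the `allow tcp ... established` rule is reached before the final logging `deny`. The sample input is a short excerpt of the post's dump embedded inline; the function names are the example's own, not ipfw's or ipa's.

```python
"""Summarise `ipfw show` output for a rule review (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One line of `ipfw show`: rule number, packets, bytes, then the rule body.
_LINE = re.compile(r"^\s*(\d{1,5})\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
# A per-host accounting rule as the post writes them (single host, no prefix).
_COUNT = re.compile(r"^count ip from any to (\d+\.\d+\.\d+\.\d+) out xmit (\S+)$")

# Sample input: a short excerpt of the post's dump, embedded here for the example.
SAMPLE_DUMP = """\
# excerpt of the dump above, in `ipfw show` format
00001 470740 771676984 allow ip from any to any via lo0
00020 92 4416 deny log ip from 192.168.0.0/24 to any in recv ed0
00040 2225 104581 deny ip from any to 10.0.0.0/8 via ed0
00090 0 0 deny ip from any to 192.0.2.0/24 via ed0
03000 1716007 192117593 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to any 80 out xmit ed0
05000 28922663 9226322919 count ip from any to 192.168.0.0/24 out xmit wb0
05010 110739 57624534 count ip from any to 192.168.0.10 out xmit wb0
05015 131948 134574683 count ip from any to 192.168.0.15 out xmit wb0
05212 24093970 4673445596 count ip from any to 192.168.0.212 out xmit wb0
06100 22427180 11633309752 allow tcp from any to any established
06300 0 0 check-state
60000 24188 1176056 deny log tcp from any to any in recv ed0
65535 0 0 deny ip from any to any
"""


@dataclass(frozen=True)
class Rule:
    number: int
    packets: int
    bytes: int
    body: str


def parse_ipfw_show(text: str) -> list[Rule]:
    """Parse a block of `ipfw show` output; blank lines and the `#` comments
    the post adds by hand are skipped, anything else unparseable is an error."""
    rules: list[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipfw show line: {line!r}")
        rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules


def bytes_per_host(rules: list[Rule]) -> dict[str, int]:
    """Sum the byte counters of the per-host `count` rules (the /24 total is
    deliberately left out so hosts are not double-counted)."""
    totals: dict[str, int] = {}
    for r in rules:
        m = _COUNT.match(r.body)
        if m:
            totals[m[1]] = totals.get(m[1], 0) + r.bytes
    return totals


def top_consumers(rules: list[Rule], n: int = 3) -> list[tuple[str, int]]:
    """The n hosts with the most inbound bytes, largest first."""
    return sorted(bytes_per_host(rules).items(), key=lambda kv: kv[1], reverse=True)[:n]


def zero_hit_rules(rules: list[Rule],
                   actions: tuple[str, ...] = ("allow", "deny", "fwd", "divert", "pipe")) -> list[Rule]:
    """Filtering rules whose packet counter is still zero. `count` and
    `check-state` rules are skipped; a zero on the default rule 65535 simply
    means nothing fell through to it, which is worth knowing too."""
    return [r for r in rules if r.packets == 0 and r.body.split()[0] in actions]


def established_before_final_deny(rules: list[Rule]) -> bool:
    """The ruleset depends on `allow tcp ... established` being numbered below
    the catch-all `deny log tcp from any to any in recv`; verify that."""
    est = [r.number for r in rules
           if r.body.startswith("allow tcp") and r.body.endswith("established")]
    final = [r.number for r in rules
             if r.body.startswith("deny log tcp from any to any in recv")]
    return bool(est) and bool(final) and min(est) < min(final)


if __name__ == "__main__":
    parsed = parse_ipfw_show(SAMPLE_DUMP)
    print("top consumers:", top_consumers(parsed, 2))
    print("never matched:", [r.number for r in zero_hit_rules(parsed)])
    print("established rule precedes final deny:", established_before_final_deny(parsed))
```

Feed it `ipfw show` output captured from the gateway instead of `SAMPLE_DUMP` to get the same three views of the live ruleset; the regex for the per-host rules assumes the post's exact `count ip from any to <host> out xmit <if>` wording, so adapt `_COUNT` if the accounting rules are written differently.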