Here is some (not all) of the contents of rc.firewall:
setup_loopback () {
    ############
    # Only in rare cases do you want to change these rules
    #
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    ${fwcmd} add 400 allow icmp from 192.168.8.0/24 to any
    ${fwcmd} add 450 deny ip from any to 0.0.0.0/8 in via vr0
    ${fwcmd} add 460 deny ip from any to 10.0.0.0/8 in via vr0
    ${fwcmd} add 470 deny ip from any to 172.16.0.0/16 in via vr0
    ${fwcmd} add 480 deny ip from any to 192.168.0.0/24 in via vr0
}

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# Network Address Translation. All packets are passed to natd(8)
# before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac
esac
with:
#ipfw sh
00050 0 0 divert 8668 ip from any to any via vr0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow icmp from 192.168.8.0/24 to any
00450 0 0 deny ip from any to 0.0.0.0/8 in via vr0
00460 0 0 deny ip from any to 10.0.0.0/8 in via vr0
00470 0 0 deny ip from any to 172.16.0.0/16 in via vr0
00480 0 0 deny ip from any to 192.168.0.0/24 in via vr0
65000 701 68061 allow ip from any to any
65535 0 0 deny ip from any to any
This output shows that traffic passes only through rule number 65000.
Why is that?
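As an added example (not code from the post or from FreeBSD), here is a small Python parser for the `ipfw show` listing above. It reads the per-rule packet and byte counters, reports which rules have actually matched traffic, which interface-qualified rules have never matched, and where the first unconditional allow/deny rule sits: since allow and deny end evaluation at the first match, every rule numbered after such a rule is unreachable. The column layout (rule number, packets, bytes, rule body) is the standard `ipfw show` output; the sample text is copied from the listing in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample `ipfw show` output copied from the listing in the post.
IPFW_SHOW_SAMPLE = """\
00050 0 0 divert 8668 ip from any to any via vr0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow icmp from 192.168.8.0/24 to any
00450 0 0 deny ip from any to 0.0.0.0/8 in via vr0
00460 0 0 deny ip from any to 10.0.0.0/8 in via vr0
00470 0 0 deny ip from any to 172.16.0.0/16 in via vr0
00480 0 0 deny ip from any to 192.168.0.0/24 in via vr0
65000 701 68061 allow ip from any to any
65535 0 0 deny ip from any to any
"""

# Assumed layout of one `ipfw show` line: number, packet count, byte count, rule body.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


@dataclass(frozen=True)
class Rule:
    number: int
    packets: int
    bytes: int
    body: str

    @property
    def action(self) -> str:
        """First word of the rule body: allow, deny, divert, ..."""
        return self.body.split()[0]

    @property
    def interfaces(self) -> List[str]:
        """Interfaces the rule is restricted to ('via X', 'in via X', 'recv X', 'xmit X')."""
        return re.findall(r"\b(?:via|recv|xmit)\s+(\S+)", self.body)

    @property
    def is_unconditional(self) -> bool:
        """True for a rule that matches every packet: '<action> ip from any to any' with no qualifier."""
        return self.body.split(maxsplit=1)[1] == "ip from any to any"


def parse_ipfw_show(text: str) -> List[Rule]:
    """Parse `ipfw show` output into Rule records, rejecting lines that do not fit the layout."""
    rules: List[Rule] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ipfw show line: {line!r}")
        rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules


def hit_report(rules: List[Rule]) -> Dict[str, object]:
    """Summarise where the counters attribute traffic and which rules can never fire."""
    total = sum(r.packets for r in rules)
    hit = {r.number: r.packets for r in rules if r.packets > 0}
    idle = [r.number for r in rules if r.packets == 0]
    # Interfaces named only by rules that have never matched.
    hit_ifaces = {i for r in rules if r.packets > 0 for i in r.interfaces}
    idle_ifaces = sorted({i for r in rules if r.packets == 0 for i in r.interfaces} - hit_ifaces)
    # First unconditional allow/deny: evaluation stops there, so later rules are unreachable.
    catch_all = next((r.number for r in rules if r.is_unconditional), None)
    shadowed = [r.number for r in rules if catch_all is not None and r.number > catch_all]
    return {
        "total_packets": total,
        "hit": hit,
        "idle": idle,
        "idle_interfaces": idle_ifaces,
        "catch_all": catch_all,
        "shadowed": shadowed,
    }


if __name__ == "__main__":
    for key, value in hit_report(parse_ipfw_show(IPFW_SHOW_SAMPLE)).items():
        print(f"{key}: {value}")
```

Run against the listing from the post, the report attributes all 701 packets to rule 65000, lists every interface-qualified rule (the `lo0` and `vr0` ones) as never matched, and flags 65535 as shadowed by the unconditional allow at 65000. The same parser works on a live `ipfw show` capture piped in as text.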