rc.conf
========
ifconfig_sis0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_rl0="inet xx.xx.xx.xx netmask 255.255.255.0"
defaultrouter="xx.xx.xx.xx"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
firewall_enable="YES"
firewall_type="OPEN"
firewall_script="/etc/rc_firewall.sh"
dummynet_enable="YES"
squid_enable="YES"
=====natd.conf
same_ports yes
use_sockets yes
unregistered_only yes
redirect_port tcp 192.168.0.105:3389 3389
redirect_port tcp 192.168.0.105:80 80
rc_firewall.sh
#!/bin/sh
ipfw='/sbin/ipfw'
ournet='192.168.0.0/24'
outip='xx.xx.xx.xx'
uprefix='192.168.0'
ifout='rl0'
ifuser='sis0'
accepted_ports='20,21,22,443,80,5190,25,110,3389,8989'
${ipfw} -f -q flush
${ipfw} resetlog
${ipfw} add 100 check-state
${ipfw} add 200 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${ipfw} add 210 reject ip from ${ournet} to any in via ${ifout}
${ipfw} add 300 allow ip from any to any via lo
${ipfw} add 310 allow tcp from me to any keep-state via ${ifout}
${ipfw} add 350 allow ip from ${outip} to any out via ${ifout}
${ipfw} add 410 allow tcp from any to me ssh
${ipfw} add 480 allow log tcp from any to 192.168.0.105 80
${ipfw} add 490 divert natd log tcp from any to 87.244.31.10 80,3389
${ipfw} add 491 divert natd log ip from 192.168.0.105 to any via ${ifout}
${ipfw} add 500 fwd 127.0.0.1,3128 tcp from ${ournet} to any http out via ${ifout}
${ipfw} add 510 divert natd ip from any to any via ${ifout}
${ipfw} add 700 allow tcp from any to 192.168.0.105 80,20,21,25,110,3389
${ipfw} add 700 allow tcp from 192.168.0.105 80,20,21,25,110,3389 to any
${ipfw} add 900 allow ip from ${outip} to any out via ${ifout}
${ipfw} add 1000 allow ip from ${ournet} to ${ournet} via ${ifuser}
${ipfw} add 1100 allow tcp from ${ournet} to any ${accepted_ports}
${ipfw} add 1100 allow tcp from any ${accepted_ports} to ${ournet}
${ipfw} add 65400 allow udp from any to any
${ipfw} add 65400 allow icmp from any to any
${ipfw} add 65500 deny log logamount 1000 ip from any to any
форвард не на один порт не работает
в логе security DENY нет ничего
в DIVERT
Jan 28 12:42:01 bsdha kernel: ipfw: 490 Divert 8668 TCP 80.252.155.170:5377 xx.xx.xx.xx:3389 in via rl0
Jan 28 12:42:04 bsdha kernel: ipfw: 490 Divert 8668 TCP 80.252.155.170:5377 xx.xx.xx.xx:3389 in via rl0
Jan 28 12:42:10 bsdha kernel: ipfw: 490 Divert 8668 TCP 80.252.155.170:5377 xx.xx.xx.xx:3389 in via rl0
Jan 28 12:42:12 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.159:55809 xx.xx.xx.xx:3389 in via sis0
Jan 28 12:42:15 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.159:55809 xx.xx.xx.xx:3389 in via sis0
Jan 28 12:42:21 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.159:55809 xx.xx.xx.xx:3389 in via sis0
Jan 28 12:42:43 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.159:55817 xx.xx.xx.xx:3389 in via sis0
Jan 28 12:42:46 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.159:55817 xx.xx.xx.xx:3389 in via sis0
Jan 28 12:42:52 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.159:55817 xx.xx.xx.xx:3389 in via sis0
Jan 28 12:43:53 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.177:29051 xx.xx.xx.xx:80 in via sis0
Jan 28 12:43:56 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.177:29051 xx.xx.xx.xx:80 in via sis0
Jan 28 12:44:02 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.177:29051 xx.xx.xx.xx:80 in via sis0
Jan 28 12:44:19 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.177:29184 xx.xx.xx.xx:80 in via sis0
Jan 28 12:44:22 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.177:29184 xx.xx.xx.xx:80 in via sis0
Jan 28 12:44:28 bsdha kernel: ipfw: 490 Divert 8668 TCP 192.168.0.177:29184 xx.xx.xx.xx:80 in via sis0
Что не так?