I inherited a gateway with a mail server on board...
At the owner's request, I was asked to remove NAT for the internal network so that everyone goes out through the proxy server.
I tried applying a rule for a single machine:
#test
block log on $int_if proto tcp from 192.168.0.241 to any port 80
Then I ran:
office# /etc/rc.d/./pf reload
Reloading pf rules.
No ALTQ support in kernel
ALTQ related functions disabled
(Judging by the docs, ALTQ isn't needed in my case; I'm not going to throttle the bandwidth.)
So here is the thing: the machine specified in the rule (192.168.0.241) keeps going out to the internet, i.e. I open a browser and click the first link.
Here is the setup itself:
office# ifconfig
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
ether 00:22:b0:50:eb:54
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:24:8c:b9:46:cd
inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
inet 62.80.169.25 --> 62.80.172.90 netmask 0xffffffff
Opened by PID 378
ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
ng1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
office# cat /etc/rc.conf
background_fsck=NO
mousechar_start="3"
saver="logo"
font8x8="cp866-8x8"
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
scrnmap="koi8-r2cp866"
keyrate="fast"
keymap="ru.koi8-r"
#################################################
ifconfig_nfe0="inet 192.168.0.100 netmask 255.255.255.0"
#defaultrouter="192.168.5.1"
sshd_enable="YES"
inetd_enable="YES"
hostname="office.cominform.kiev.ua"
gateway_enable="YES"
#####################################
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="cyfra.net"
####################################
squid_enable="YES"
samba_enable="YES"
mpd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf-rules.conf"
pflog_enable="YES"
named_enable="YES"
#ntpd_enable="YES"
#ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift -l /var/log/ntpd.log"
mysql_enable="YES"
courier_authdaemond_enable="YES"
courier_imap_pop3d_enable="YES"
################################
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
webmin_enable="YES"
postfix_enable="YES"
apache_enable="YES"
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
spamd_enable="YES"
#amavisd_enable="YES"
courier_imap_imapd_enable="YES"
postgrey_enable="YES"
office# cat /etc/pf-rules.conf
# Macros
ext_if="tun0"
int_if="nfe0"
localnet="192.168.1.0/24"
tcp_services = "{ ftp, ssh, smtp, http, domain, 1723}"
#tcp_services = "{ ssh, smtp, domain, http, pop3 }"
Server="192.168.0.241"
icmp_types = "echoreq"
# Tables
table <rfc1918> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12 \
192.168.0.0/16 }
table <dsua03> const { 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24 \
224.0.0.0/4, 240.0.0.0/4 }
#
# Options
#
#
# Normalization
#
scrub in all
#
# Queueing
#
# Translation
nat on $ext_if from 192.168.0.0/16 to 62.149.28.34 port 3307 -> $ext_if
nat on $ext_if from 192.168.0.0/16 to 62.149.28.10 port 21 -> $ext_if
nat on $ext_if from 192.168.0.0/16 to 62.149.28.10 port 22 -> $ext_if
nat on $ext_if from 192.168.0.0/16 to 62.149.28.10 port 3306 -> $ext_if
#
#
nat on $ext_if from 192.168.0.0/24 to 62.149.9.49 port 21 -> $ext_if
nat on $ext_if from 192.168.0.0/24 to 62.149.9.49 port 22 -> $ext_if
#NAT to ME
nat on $ext_if from 192.168.0.70/32 to any -> $ext_if
nat on $ext_if from 192.168.0.11/32 to any -> $ext_if
#NAT for Client bank
nat on $ext_if from 192.168.0.17/32 to 213.156.66.66 port 10080 -> $ext_if
nat on $ext_if from 192.168.0.17/32 to 193.200.190.17 port 80 -> $ext_if
nat on $ext_if from 192.168.0.99/32 to 213.156.66.66 port 10080 -> $ext_if
nat on $ext_if from 192.168.0.99/32 to 193.41.49.69 port 2031 -> $ext_if
#Port 110 for E-Mail
nat on $ext_if from 192.168.0.0/24 to any port 110 -> $ext_if
#Webmin port's
nat on $ext_if from 192.168.0.0/24 to any port 10000 -> $ext_if
#Server time
nat on $ext_if from 192.43.244.18 to 192.168.0.0/24 -> $ext_if
nat on $ext_if from 192.168.0.0/24 to 192.43.244.18 -> $ext_if
#
# Rules
#
# setup a default deny all policy
block drop log all
# pass traffic on the loopback interface in either direction
pass quick on lo0 all
pass quick on ng0 all
#test
block log on $int_if proto tcp from 192.168.0.241 to any port 80
#pass in quick on $ext_if proto { tcp udp } from any to 192.168.0.0/24 port 4899 keep state
#MPD4
pass quick on $ext_if from any to 193.201.81.10 keep state
pass quick on $ext_if proto { tcp udp } from any to 192.168.0.0/24 port 4899 keep state
block drop in quick on $ext_if from <rfc1918> to any
block drop in quick on $ext_if from <dsua03> to any
block drop in quick on $ext_if from 83.149.80.111 to any
block drop out quick on $ext_if from any to 83.149.80.111
block drop in quick on $ext_if from 87.255.33.0/24 to any
block drop out quick on $ext_if from any to 87.255.33.0/24
block drop in quick on $ext_if from 195.122.131.0/24 to any
block drop out quick on $ext_if from any to 195.122.131.0/24
block drop in quick on $ext_if from 195.203.36.201 to any
block drop out quick on $ext_if from any to 195.203.36.201
block drop in quick on $ext_if from 212.68.137.188 to any
block drop out quick on $ext_if from any to 212.68.137.188
block drop in quick on $ext_if from 193.203.36.201 to any
block drop out quick on $ext_if from any to 193.203.36.201
block drop in quick on $ext_if from 83.222.11.79 to any
block drop out quick on $ext_if from any to 83.222.11.79
block drop out quick on $ext_if from any to <rfc1918>
block drop out quick on $ext_if from any to <dsua03>
#rADMIN
#pass out quick on $ext_if inet proto tcp from 194.63.140.22 to any keep state
#pass in quick on $int_if inet proto tcp from 192.168.0.253 ext_if keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if \
port $tcp_services flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to $ext_if \
port = domain keep state
pass in quick inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if inet from $int_if:network to any keep state
pass out quick on $int_if inet from any to $int_if:network keep state
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } all keep state
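As an added illustration (not from the post and not pfctl), here is a small model of pf's rule evaluation: the last matching rule wins unless a matching rule carries quick, which ends evaluation immediately. It encodes three of the filter rules above in their posted order and walks one constructed inbound HTTP packet from 192.168.0.241 through them, once as posted and once with quick added to the test rule; the destination 203.0.113.10 is a made-up documentation address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                 # "block" or "pass"
    quick: bool                 # "quick" keyword present
    iface: Optional[str]        # None = any interface
    direction: Optional[str]    # "in", "out" or None = both
    proto: Optional[str]        # "tcp", "udp", ... or None = any
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int]        # None = any port

def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def matches(r: Rule, pkt: dict) -> bool:
    return (r.iface in (None, pkt["iface"])
            and r.direction in (None, pkt["dir"])
            and r.proto in (None, pkt["proto"])
            and _in_net(r.src, pkt["src"]) and _in_net(r.dst, pkt["dst"])
            and r.dport in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """Walk the ruleset like pf: remember the last match, stop at a quick match.
    Returns (action, index_of_deciding_rule)."""
    decision = None
    for i, r in enumerate(rules):
        if matches(r, pkt):
            decision = (r.action, i)
            if r.quick:
                break
    return decision

# Three of the post's filter rules in their original order ($int_if = nfe0,
# $int_if:network = 192.168.0.0/24). The "#test" rule has no "quick".
POSTED = [
    Rule("block", False, None,   None, None,  "any",              "any", None),  # block drop log all
    Rule("block", False, "nfe0", None, "tcp", "192.168.0.241/32", "any", 80),    # #test rule
    Rule("pass",  True,  "nfe0", "in", None,  "192.168.0.0/24",   "any", None),  # pass in quick on $int_if
]
# Same ruleset with "quick" added to the test rule.
FIXED = [POSTED[0], Rule("block", True, "nfe0", None, "tcp", "192.168.0.241/32", "any", 80), POSTED[2]]

# Constructed packet: an HTTP SYN from the workstation arriving on the inside interface.
PKT = {"iface": "nfe0", "dir": "in", "proto": "tcp",
       "src": "192.168.0.241", "dst": "203.0.113.10", "dport": 80}

if __name__ == "__main__":
    print(evaluate(POSTED, PKT))  # ('pass', 2): the later quick pass wins
    print(evaluate(FIXED, PKT))   # ('block', 1): quick stops evaluation at the block
```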