Сейчас конфиг такой:
rc.conf
Internet
ifconfig_em0="inet 1.1.1.1 netmask 255.255.255.248"
Alias internet ftp
ifconfig_em0_alias0="inet 1.1.2.1 netmask 255.255.255.255"
Local Network
ifconfig_em1="inet 192.168.1.10 netmask 255.255.255.0"
DMZ
ifconfig_em2="inet 192.168.2.10 netmask 255.255.255.0"
Правила
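#!/bin/sh
# ipfw ruleset for a three-legged gateway:
#   em0 = internet (NAT'd), em1 = local network, em2 = DMZ.
# The whole ruleset is flushed and rebuilt on every run; run as root.
set -u

# Interface macros
net="em0"   # Internet
lan="em1"   # Local network
dmz="em2"   # DMZ
# Number of the outbound NAT rule that the skipto rules jump to
nat_out_rule=2000

# add_rule: append one rule to the active ruleset.
# Arguments: rule number followed by the ipfw rule body.
add_rule() {
  ipfw -q add "$@"
}

# Reset rules
ipfw -q -f flush

#------- main network -------
# Kernel NAT instance 1 on the internet interface: keep source ports where
# possible, translate only unregistered (private) source addresses, and
# publish the DMZ/LAN services below on the external address.
ipfw -q nat 1 config if "$net" same_ports unreg_only \
  redirect_port tcp 192.168.2.31:21 21 \
  redirect_port tcp 192.168.2.31:20 20 \
  redirect_port tcp 192.168.2.31:30000-31000 30000-31000 \
  redirect_port tcp 192.168.1.58:443 443 \
  redirect_port tcp 192.168.2.60:25 25

#------- rules network -------
# Allow the internal interfaces and loopback.
# NOTE(review): 'via' matches both in and out, so 0001/0002 also pass
# LAN<->DMZ traffic unfiltered; confirm that is intended.
add_rule 0001 allow all from any to any via "$lan"
add_rule 0002 allow all from any to any via "$dmz"
add_rule 0004 allow all from any to any via lo0
# Kernel NAT 1 in: de-NAT incoming packets before the rules below match them
add_rule 0040 nat 1 ip from any to any in via "$net"
# Dynamic rules
add_rule 0050 check-state

#------- out network -------
# Outbound via the internet interface: create a dynamic entry, then jump to
# the outbound NAT rule (the author labels this "traffic from gate out";
# the match itself is any source).
add_rule 0060 skipto "$nat_out_rule" tcp from any to any out via "$net" setup keep-state
add_rule 0061 skipto "$nat_out_rule" udp from any to any out via "$net" keep-state
add_rule 0062 skipto "$nat_out_rule" icmp from any to any out via "$net" keep-state
# Exchange traffic out
add_rule 0070 skipto "$nat_out_rule" tcp from 192.168.1.58 443 to any
add_rule 0071 skipto "$nat_out_rule" tcp from 192.168.2.60 25 to any
# DMZ FTP traffic out
add_rule 0072 skipto "$nat_out_rule" tcp from 192.168.2.31 20,21,30000-31000 to any

#------- in network -------
# Exchange traffic in
add_rule 0130 allow tcp from any to 192.168.1.58 443
add_rule 0131 allow tcp from any to 192.168.2.60 25
# DMZ FTP traffic in. Previously numbered 0130 as well; a unique number keeps
# the ordering identical but stops 'ipfw delete 130' from removing both rules.
add_rule 0132 allow tcp from any to 192.168.2.31 20,21,30000-31000

#------- end network -------
# Deny (and log) everything else crossing the internet interface
add_rule 0500 deny log all from any to any in via "$net"
add_rule 0510 deny log all from any to any out via "$net"
# Kernel NAT 1 out: target of the skipto rules above
add_rule "$nat_out_rule" nat 1 ip from any to any out via "$net"
add_rule 3000 allow ip from any to any
# Deny all other
add_rule 4000 deny log all from any to any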