Здравствуйте предполагаю проблему с шей пером тоже но тут другое, пакеты исходят но не входят...прошу помочь,с альтернативным трафиком...здача такая впустить в локлаьную сеть на адрес 192.168.1.10 дополнительную локальную сеть 10.0.0.0 я придержался авторсих настроек и зделал альтернативное направление...но по каким то причинам оно не проходит...если для теста я делаю ipfw 1 add allow ip frim any to any то сразу наченает работать вторая сеть, pf прекрасно справляетца ...с натом..и в интернет, и в локальную сеть 10.0.0.0, как толька убераю правела allow..пакеты как бы уходят но не в ходят...я предплагаю что то упустил помогите разобратца в данном вопросе..привожу правела на помент не работы...
ipfw show
00050 5560 387044 allow tcp from any to me dst-port 22
00051 5312 1345225 allow tcp from me 22 to any
00110 82246 30630010 allow ip from any to any via lo0
00120 14171 2352980 skipto 1000 ip from me to any
00130 0 0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00160 40324 3696660 skipto 2000 ip from any to me
00200 5610932 4196794030 skipto 500 ip from any to any via tun0
00300 2694195 590577743 skipto 4500 ip from any to any in
00400 3099208 3621631086 skipto 450 ip from any to any recv tun0
00420 811 48660 divert 1 ip from any to any
00450 3100019 3621679746 divert 2 ip from any to any
00490 3100019 3621679746 allow ip from any to any
00500 3101133 3623896739 skipto 32500 ip from any to any in
00510 2509799 572897291 divert 1 ip from any to any
00540 2509799 572897291 allow ip from any to any
01000 6057 1010236 allow udp from any 53,7723 to any
01010 0 0 allow tcp from any to any setup keep-state
01020 12369 1703414 allow udp from any to any keep-state
01100 1776 868523 allow ip from any to any
02000 0 0 check-state
02010 285 29027 allow icmp from any to any
02020 795 102083 allow tcp from any to any dst-port 80,443
02050 26492 1908184 deny ip from any to any via tun0
02060 6059 384662 allow udp from any to any dst-port 53,7723
05000 179814 17091981 deny ip from not table(0) to any
05001 45 2700 skipto 5010 ip from table(127) to table(126)
05002 2514664 573395499 skipto 5030 ip from any to not table(2)
05003 0 0 deny ip from any to not table(1)
05004 0 0 pipe tablearg ip from table(21) to any
05005 0 0 deny ip from any to any
05010 45 2700 pipe tablearg ip from table(127) to any
05030 0 0 deny tcp from table(15) to any dst-port 25
05226 0 0 allow ip from table(127) to table(126)
05400 2514664 573395499 pipe tablearg ip from table(11) to any
32000 0 0 deny ip from any to any
33000 0 0 pipe tablearg ip from table(126) to table(127)
33001 3100925 3623829553 skipto 33010 ip from not table(2) to any
33002 0 0 pipe tablearg ip from any to table(20)
33003 0 0 deny ip from any to any
33226 0 0 allow ip from table(126) to table(127)
33400 3100914 3623823319 pipe tablearg ip from any to table(10)
65535 66 11461 deny ip from any to any
pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
nat pass on tun0 inet from 192.168.0.0/16 to any -> (tun0) round-robin
nat pass on rl0 inet from 192.168.1.10 to any -> 10.1.6.226
ipfw table 126 list
10.0.0.0/8 0
ipfw table 127 list
192.168.1.10/32 1006
uname -a
FreeBSD server.local.local 6.2-RELEASE-p12 FreeBSD 6.2-RELEASE-p12 #0: Fri Oct 2 16:23:40 UTC 2009 root@server.local.local:/usr/src/sys/i386/compile/NODENY i386
ifconfig
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:02:44:20:3f:36
media: Ethernet autoselect (10baseT/UTP)
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.5.2 netmask 0xffffff00 broadcast 192.168.5.255
inet 10.1.6.226 netmask 0xffffff00 broadcast 10.1.6.255
ether 00:80:48:1f:f6:63
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
inet 92.112.215.67 --> 195.5.5.201 netmask 0xffffffff
Opened by PID 376
cat /etc/rc.firewall
#!/bin/sh -
f='/sbin/ipfw'
ifOut='tun0'
${f} -f flush
${f} add 50 allow tcp from any to me 22
${f} add 51 allow tcp from me 22 to any
${f} add 110 allow ip from any to any via lo0
${f} add 120 skipto 1000 ip from me to any
${f} add 130 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${f} add 160 skipto 2000 ip from any to me
${f} add 200 skipto 500 ip from any to any via ${ifOut}
${f} add 300 skipto 4500 ip from any to any in
${f} add 400 skipto 450 ip from any to any recv ${ifOut}
${f} add 420 divert 1 ip from any to any
${f} add 450 divert 2 ip from any to any
${f} add 490 allow ip from any to any
${f} add 500 skipto 32500 ip from any to any in
${f} add 510 divert 1 ip from any to any
${f} add 540 allow ip from any to any
${f} add 1000 allow udp from any 53,7723 to any
${f} add 1010 allow tcp from any to any setup keep-state
${f} add 1020 allow udp from any to any keep-state
${f} add 1100 allow ip from any to any
${f} add 2000 check-state
${f} add 2010 allow icmp from any to any
${f} add 2020 allow tcp from any to any 80,443
${f} add 2050 deny ip from any to any via ${ifOut}
${f} add 2060 allow udp from any to any 53,7723
#${f} add 2100 deny ip from any to any
#${f} add 32490 deny ip from any to any
