Here is my firewall config:

00007 deny log logamount 10 ip from any to me dst-port 25 via tun0
00007 deny log logamount 10 ip from any to me dst-port 25 via rl0
00008 deny log logamount 10 ip from any to me dst-port 901 in via tun0
00008 deny log logamount 10 ip from any to me dst-port 901 in via rl0
00009 deny log logamount 10 ip from any to me dst-port 953 in via rl0
00009 deny log logamount 10 ip from any to me dst-port 953 in via tun0
00010 deny log logamount 10 ip from any to me dst-port 80 in via rl0
00010 deny log logamount 10 ip from any to me dst-port 80 in via tun0
00011 deny log logamount 10 ip from any to me dst-port 3306 in via tun0
00011 deny log logamount 10 ip from any to me dst-port 3306 in via rl0
00012 deny log logamount 10 ip from any to me dst-port 67 in via tun0
00012 deny log logamount 10 ip from any to me dst-port 67 in via rl0
00013 deny log logamount 10 ip from any to me dst-port 21 in via rl0
00013 deny log logamount 10 ip from any to me dst-port 21 in via tun0
00014 deny log logamount 10 ip from any to me dst-port 22 in via tun0
00014 deny log logamount 10 ip from any to me dst-port 22 in via rl0
00015 deny log logamount 10 ip from any to any dst-port 135-139 in via rl0
00015 deny log logamount 10 ip from any to any dst-port 135-139 in via tun0
00016 deny log logamount 10 ip from any to me dst-port 123 in via tun0
00016 deny log logamount 10 ip from any to me dst-port 123 in via rl0
00017 deny log logamount 10 ip from any to me dst-port 514 in via rl0
00017 deny log logamount 10 ip from any to me dst-port 514 in via tun0
00018 deny log logamount 10 ip from any to me in via rl0 frag
00018 deny log logamount 10 ip from any to me in via tun0 frag
00019 deny log logamount 10 tcp from any to me in via rl0 tcpflags syn,fin
00019 deny log logamount 10 tcp from any to me in via tun0 tcpflags syn,fin
00020 deny log logamount 10 tcp from any to me in via rl0 tcpflags syn,fin,psh,urg
00020 deny log logamount 10 tcp from any to me in via tun0 tcpflags syn,fin,psh,urg
00021 deny log logamount 10 tcp from any to me in via rl0 tcpflags fin,psh,urg
00021 deny log logamount 10 tcp from any to me in via tun0 tcpflags fin,psh,urg
00023 deny log logamount 10 tcp from any to me in via rl0 tcpflags urg
00023 deny log logamount 10 tcp from any to me in via tun0 tcpflags urg
00024 deny log logamount 10 ip from 192.168.0.0/24 to any via rl0
00025 deny log logamount 10 ip from 192.168.0.0/24 to 192.168.0.0/24 via tun0
00025 deny log logamount 10 ip from 192.168.0.0/24 to 192.168.0.0/24 via rl0
00080 fwd 192.168.0.1,25 tcp from 192.168.0.0/24 to any dst-port 25 via tun0
00090 fwd 192.168.0.1,3128 tcp from 192.168.0.0/24 to any dst-port 80 via tun0
00095 check-state
00100 divert 8668 ip from 192.168.0.0/24 to any out xmit tun0
00110 divert 8668 ip from any to me in recv tun0
00170 allow ip from 192.168.0.0/24 to any out via tun0 keep-state
00180 allow ip from me to any keep-state
00190 allow ip from 192.168.0.0/24 to 192.168.0.0/24 via xl0
00191 allow ip from 192.168.0.0/24 to any keep-state
65000 deny log logamount 10 ip from any to any
65535 deny ip from any to any

Traceroute does not work. If I enable the rule "00098 allow ip from any to any keep-state", traceroute works... but how do I get it working without that rule?
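An added example, not part of the original post and not the poster's own rules: a UDP keep-state dynamic rule only matches UDP packets with the same addresses and ports, so the ICMP "time exceeded" (type 11) and "port unreachable" (type 3) replies that traceroute depends on never match it and fall through to the final deny. The script below emits explicit ipfw allow rules for those ICMP types instead of a blanket allow. The interface names (tun0 external, rl0 LAN), the 192.168.0.0/24 prefix and the free rule numbers 120-140 (chosen to sit after the natd divert at 110, so replies to NAT'd LAN hosts are already translated back) are assumptions taken from the posted ruleset; adjust them to the real configuration before loading.

```shell
#!/bin/sh
# Added example (not from the original post): explicit ipfw rules that let
# traceroute replies through without "allow ip from any to any keep-state".
# Assumed from the posted config: tun0 = external interface, rl0 = LAN,
# 192.168.0.0/24 = LAN prefix, rule numbers 120-140 unused.

EXT_IF="${EXT_IF:-tun0}"
LAN_IF="${LAN_IF:-rl0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Print the rules rather than applying them, so they can be reviewed
# (and compared with `ipfw list`) before anything is loaded.
traceroute_rules() {
    # ICMP errors from the Internet: addressed to this host, or (after the
    # natd divert at 110) to the LAN host that sent the UDP probe.
    # Type 3 (unreachable) also carries "fragmentation needed" for PMTU discovery.
    echo "add 00120 allow icmp from any to any in via $EXT_IF icmptypes 3,11"
    # Forward those replies on to the LAN side.
    echo "add 00130 allow icmp from any to $LAN_NET out via $LAN_IF icmptypes 3,11"
    # Echo request/reply, so ping and `traceroute -I` work as well.
    echo "add 00140 allow icmp from any to any via $EXT_IF icmptypes 0,8"
}

# Load the rules when ipfw is available (FreeBSD); elsewhere just show them.
apply_traceroute_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        traceroute_rules | while read -r rule; do
            # shellcheck disable=SC2086  # word-splitting is intended here
            ipfw -q $rule
        done
    else
        traceroute_rules
    fi
}

apply_traceroute_rules
```

The rules are deliberately limited to the ICMP types traceroute and PMTU discovery need; they do not reopen anything the posted deny rules close, and they can be verified after loading with `ipfw show 120 130 140` while a traceroute is running.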