--------------------
| |
| Internet |
| |
--------------------
|
|
--------------------
| (81.24.213.XXX) |
--------------------
| |
| Dlink Router |
| |
--------------------
| (192.168.7.1) |
--------------------
|
|
--------------------
| re0 (192.168.7.21) |
--------------------
| |------------------- ------------------------------
| FreeBSD 6.2 |vr0 (192.168.70.1) |--- | LAN (192.168.70.0/24) |
| |------------------- ------------------------------
--------------------
| vr1 (192.168.1.1) |
--------------------
|
|
--------------------
| | -----------------------------
|LAN (192.168.1.0/24)|--| Web Server (192.168.1.2:80) |
| | -----------------------------
--------------------
gate# ipfw list
01000 allow ip from any to any via lo0
01100 deny ip from any to 127.0.0.0/8
01200 deny icmp from any to any frag
01300 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
01400 deny tcp from any to any not established tcpflags fin
01500 deny tcp from any to any tcpflags syn,fin,ack,psh,rst,urg
01600 deny tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg
04000 deny udp from any 137-139 to any via vr0
04050 deny udp from any to any dst-port 137-139 via vr0
04100 deny udp from any 137-139 to any via vr1
04150 deny udp from any to any dst-port 137-139 via vr1
04200 deny ip from any to 192.168.7.0/24 via vr0
04300 deny ip from any to 192.168.1.0/24 via vr0
04400 deny log logamount 10 ip from 192.168.1.0/24 to any in via re0
04500 deny log logamount 10 ip from 192.168.70.0/24 to any in via re0
04600 deny log logamount 10 ip from 192.168.70.0/24 to 192.168.70.1 dst-port 22 in via vr0
04700 fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to not 192.168.1.0/24 dst-port 80 in via vr1
04750 fwd 192.168.70.1,3128 tcp from 192.168.70.0/24 to not 192.168.70.0/24 dst-port 80 in via vr0
05000 divert 8668 ip from 192.168.70.0/24 to any out xmit re0
05050 divert 8668 ip from 192.168.1.0/24 to any out xmit re0
05100 divert 8668 ip from any to 192.168.7.21
06000 allow icmp from any to any
06500 allow tcp from any to 192.168.7.21 in via re0
06600 allow tcp from 192.168.7.21 to any out via re0
07000 allow ip from any to any via vr1
07500 allow ip from 192.168.7.0/24 to any out via re0
08000 allow ip from any to 192.168.1.0/24 in via re0
09000 allow ip from any to 192.168.70.0/24 in via re0
09500 allow ip from 192.168.70.0/24 to any in via vr0
09600 allow ip from any to 192.168.70.0/24 out via vr0
20000 allow ip from any 53 to 192.168.7.0/24 in via re0
30000 divert 8888 tcp from any to 192.168.7.21 dst-port 80 via re0
30100 divert 8888 ip from 192.168.1.2 to any via re0
30200 allow tcp from any to 192.168.1.2 dst-port 80
60000 deny log logamount 10 ip from any to any
65535 allow ip from any to any
Dlink Router мапит 81.24.213.ХХХ:80 >> 192.168.7.21:80
FreeBSD мапит 192.168.7.21:80 (правила 30000-30200)
gate# ps -ax | grep natd
1131 ?? Ss 0:00.38 /sbin/natd -n re0
1335 ?? Is 0:00.00 natd -p 8888 -n re0 -redirect_port tcp 192.168.1.2:80 80
на FreeBSD открыт ssh, Dlink мапит 81.24.213.ХХХ:22 >> 192.168.7.21:22 , из инета видно
Вариант для распечатки
OpenNET: Виртуальная конференция (Public)
(ok) on 16-Ноя-07, 13:52 
