Опции ядра:
# Kernel configuration for an ipfw gateway with in-kernel NAT and dummynet.
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE            # required for the "log" keyword on rules to reach syslog
options IPFIREWALL_VERBOSE_LIMIT=50   # upper bound on logged packets per rule (the "logamount 50" seen in ipfw show)
options IPFIREWALL_NAT                # in-kernel nat (used by "nat 1 config" in the script); needs LIBALIAS
options LIBALIAS
options ROUTETABLES=2                 # multiple FIBs (setfib); not referenced by the ruleset shown below
options DUMMYNET                      # traffic shaping: the pipe/queue commands in the script
options HZ="1000"                     # higher timer frequency, commonly raised for dummynet scheduling accuracy
# This line is in `sysctl` *output* form; in /etc/sysctl.conf it is written
# net.inet.ip.fw.one_pass=0.  It must be 0: the script places pipe rules ahead
# of the nat rule and relies on packets being re-injected at the next rule
# after leaving a pipe, otherwise shaped traffic would be accepted un-NATed.
net.inet.ip.fw.one_pass: 0
# /etc/rc.conf fragment for the gateway.
gateway_enable="YES"                 # forward packets between bge0 and bge1
firewall_enable="YES"
firewall_nat_enable="YES"            # NOTE(review): the nat instance is also created by "nat 1 config" inside firewall_script - confirm both are needed
dummynet_enable="YES"                # loads dummynet so the pipe/queue commands in the script work
firewall_script="/etc/firewall_nat"  # custom ruleset (the script shown below) instead of the canned rc.firewall types
firewall_logging="YES"               # presumably enables net.inet.ip.fw.verbose so "deny log" and nat "log" produce output - verify
EXT=bge1
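#!/bin/sh
#
# ipfw NAT + dummynet traffic-shaping ruleset for a two-interface FreeBSD
# gateway.  Loaded via firewall_script="/etc/firewall_nat" from rc.conf.
#
# ipfw evaluates rules by NUMBER, not by the order they appear in this file:
#   100-120    loopback handling
#   1000       internal interface: everything allowed
#   1070-1120  RFC 1918 / link-local addresses dropped on the external side
#   1150-1170  outbound shaping (BEFORE nat: the LAN source address is still
#              visible, so the per-host src-ip pipe mask works)
#   1500       nat
#   1510-1520  inbound shaping (AFTER nat: the destination has already been
#              translated to the LAN client, so the per-host dst-ip pipe mask
#              separates clients instead of collapsing everything onto the
#              single external address)
#   1600       allow everything else
#   65534      deny + log  (never reached while rule 1600 exists; kept so the
#              policy is explicit if 1600 is ever removed)
#
# The pipe -> nat chaining requires net.inet.ip.fw.one_pass=0.  With one_pass=1
# a packet leaving a pipe is accepted immediately and never reaches the nat
# rule, so LAN traffic would leave the uplink un-translated.  The sysctl is
# therefore set here explicitly rather than relied on from sysctl.conf.
#
# Tables:
#   1  KG_ZONE  "city" (local peering) prefixes, shaped on the wide pipes
#   2  LAN clients subject to shaping
#   3, 4        populated below but not referenced by any rule yet (pipes 5-8
#               are likewise configured but unused) - work in progress.

set -u

IPFW="/sbin/ipfw -q"

INT="bge0"                  # integrated iface (LAN side)
EXT="bge1"                  # pci card (uplink)
INT_IP="192.168.200.1"      # not referenced below, kept for documentation
EXT_IP="192.168.253.65"     # not referenced below, kept for documentation
NET_MSK="255.255.255.0"     # not referenced below, kept for documentation
LO_NET="127.0.0.0/8"        # loopback range; only legitimate on lo0
localnet="192.168.200.0/24" # not referenced below, kept for documentation

TBL_KG=1
TBL_CLIENTS=2
TBL_CLIENTS_256=3
TBL_CLIENTS_512=4

# Allow chaining: a packet leaving a pipe (or nat) re-enters at the next rule.
/sbin/sysctl net.inet.ip.fw.one_pass=0

####################################################################
####################### Flush all rules ############################
####################################################################
${IPFW} flush
${IPFW} pipe flush
${IPFW} queue flush
for t in ${TBL_KG} ${TBL_CLIENTS} ${TBL_CLIENTS_256} ${TBL_CLIENTS_512}; do
    ${IPFW} table "${t}" flush
done

####################################################################
####################### TABLES #####################################
####################################################################
##KG_ZONE
# One prefix per line; the unquoted expansion in the loop below is intentional
# (word-splitting on whitespace is exactly what we want here).
KG_PREFIXES="
89.237.192.0/18
80.72.176.0/20
81.20.16.0/20
194.152.37.0/24
85.115.193.0/24
212.112.96.0/19
31.29.0.0/19
85.115.216.0/21
212.97.0.0/19
94.143.192.0/21
31.186.48.0/21
195.38.160.0/19
178.217.168.0/21
46.226.208.0/21
194.176.111.0/24
85.115.192.0/24
77.235.0.0/19
85.115.197.0/24
85.115.208.0/21
85.115.200.0/21
85.115.195.0/24
92.245.96.0/19
92.62.64.0/20
77.95.56.0/21
212.2.224.0/19
91.205.48.0/22
46.251.192.0/19
109.201.160.0/19
31.192.248.0/21
81.88.192.0/20
193.106.48.0/22
212.241.0.0/19
217.29.16.0/20
91.213.233.0/24
85.113.0.0/19
85.115.196.0/24
109.71.224.0/21
212.42.96.0/19
85.115.198.0/24
178.216.208.0/21
85.115.199.0/24
194.152.36.0/24
95.215.244.0/22
85.115.194.0/24
195.162.92.0/22
91.192.64.0/22
213.145.128.0/19
"
for prefix in ${KG_PREFIXES}; do
    ${IPFW} table ${TBL_KG} add "${prefix}"
done

##CLIENT_ZONE 128 Kbit/s
${IPFW} table ${TBL_CLIENTS} add 192.168.200.10
${IPFW} table ${TBL_CLIENTS} add 192.168.200.11
##CLIENT_ZONE 256 Kbit/s  (no rule uses this table yet)
${IPFW} table ${TBL_CLIENTS_256} add 192.168.200.50
##CLIENT_ZONE 512 Kbit/s  (no rule uses this table yet)
${IPFW} table ${TBL_CLIENTS_512} add 192.168.200.100

####################################################################
##################### Allow Rules ##################################
####################################################################
${IPFW} add 100 allow ip from any to any via lo0
# Loopback addresses must never appear on a real interface.
${IPFW} add 110 deny ip from any to ${LO_NET}
${IPFW} add 120 deny ip from ${LO_NET} to any
# Everything on the LAN side is trusted (no filtering between LAN hosts and
# the gateway).  "via" checks the receive interface on input and the transmit
# interface on output, so this does not swallow LAN->uplink packets on their
# way out via ${EXT}.
${IPFW} add 1000 allow ip from any to any via ${INT}

####################################################################
##################### Drop RFC 1918 network addresses ##############
####################################################################
# Private / link-local addresses arriving on the uplink are bogus.
# (192.168.0.0/16 is deliberately NOT listed: the uplink itself sits in
# 192.168.253.0/24.)
${IPFW} add 1070 deny ip from any to 172.16.0.0/12 in recv ${EXT}
${IPFW} add 1080 deny ip from 172.16.0.0/12 to any in recv ${EXT}
${IPFW} add 1090 deny ip from any to 10.0.0.0/8 in recv ${EXT}
${IPFW} add 1100 deny ip from 10.0.0.0/8 to any in recv ${EXT}
${IPFW} add 1110 deny ip from any to 169.254.0.0/16 in recv ${EXT}
${IPFW} add 1120 deny ip from 169.254.0.0/16 to any in recv ${EXT}

####################################################################
##################### DUMMYNET #####################################
####################################################################
# "mask ...-ip 0x000000ff" creates one dynamic flow per host in a /24,
# i.e. every client gets its own instance of the pipe's bandwidth.
${IPFW} pipe 1 config bw 10Mbit/s mask src-ip 0x000000ff # OUTBOUND to KG_ZONE
${IPFW} pipe 2 config bw 10Mbit/s mask dst-ip 0x000000ff # INCOMING from KG_ZONE
${IPFW} pipe 3 config bw 512Kbit/s mask src-ip 0x000000ff # OUTBOUND to MIR
${IPFW} pipe 4 config bw 900Kbit/s mask dst-ip 0x000000ff # INCOMING from MIR
${IPFW} pipe 5 config bw 256Kbit/s mask src-ip 0x000000ff # unused so far
${IPFW} pipe 6 config bw 256Kbit/s mask dst-ip 0x000000ff # unused so far
${IPFW} pipe 7 config bw 512Kbit/s mask src-ip 0x000000ff # unused so far
${IPFW} pipe 8 config bw 512Kbit/s mask dst-ip 0x000000ff # unused so far

####################################################################
##################### Outbound shaping (before nat) ################
####################################################################
# Only hosts in table ${TBL_CLIENTS} are shaped; other LAN hosts pass
# unshaped.  Source address is still the LAN address at this point.
${IPFW} add 1150 pipe 1 ip from "table(${TBL_CLIENTS})" to "table(${TBL_KG})" out xmit ${EXT}     #TO KG_ZONE
${IPFW} add 1170 pipe 3 ip from "table(${TBL_CLIENTS})" to not "table(${TBL_KG})" out xmit ${EXT} #TO MIR

####################################################################
######################## NAT #######################################
####################################################################
# deny_in: inbound packets without an existing translation entry are
# dropped by the nat action itself.
${IPFW} nat 1 config log if ${EXT} reset same_ports deny_in
${IPFW} add 1500 nat 1 ip from any to any via ${EXT}

####################################################################
##################### Inbound shaping (after nat) ##################
####################################################################
# Placed after rule 1500 on purpose: before translation every inbound packet
# carries the external address as destination, so a dst-ip mask would fold
# all clients into one flow.  After nat the destination is the LAN client.
${IPFW} add 1510 pipe 2 ip from "table(${TBL_KG})" to any in recv ${EXT}     #FROM KG_ZONE
${IPFW} add 1520 pipe 4 ip from not "table(${TBL_KG})" to any in recv ${EXT} #FROM MIR

# Catch-all accept.  NOTE(review): this makes the final "deny log" below
# unreachable; the ruleset is effectively "allow everything that nat lets
# through".  Tighten here if a default-deny policy is wanted.
${IPFW} add 1600 allow all from any to any

####################################################################
######################## DROP ALL ##################################
####################################################################
${IPFW} add deny log all from any to any
####################################################################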
00512: 512.000 Kbit/s 0 ms burst 0
q131584 50 sl. 0 flows (1 buckets) sched 66048 weight 0 lmax 0 pri 0 droptail
sched 66048 type FIFO flags 0x1 64 buckets 0 active
mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
00010 19653 14099455 allow ip from any to any via bge0
00100 19474 14087440 nat 1 ip from any to any via bge1
00400 104 125949 allow ip from any to 192.168.253.0/24 in via bge1
00500 9588 13639229 allow ip from any to 192.168.200.0/24 in via bge1
00513 0 0 pipe 1 log logamount 50 ip from any to table(1) via bge1
00600 9954 448722 allow ip from 192.168.253.0/24 to any out via bge1
00700 0 0 allow ip from 192.168.200.0/24 to any out via bge1
65535 63 22281 deny ip from any to any
А нужно еще будет заняться разделением канала на городской и мир...