
Netams over divert

# Expose /usr/local/etc as /conf so the daemon config is reachable at /conf/netams.conf, then dump it.
sh# ln -s /usr/local/etc /conf
sh# cat /conf/netams.conf
#####################################################################################################
#NeTAMS 3.4.1 (3446.1) root@relay.fortd.ru / Wed Apr 29 11:31:59 MSD 2009
#configuration built Sun May 17 16:29:59 2009
#begin
#global variables configuration
# Verbose logging for every subsystem; NOTE(review): confirm this is intended outside troubleshooting.
debug all
language ru
# Admin account with full rights ("permit all"). The 'crypted' value is an md5crypt ($1$) password
# hash, i.e. a credential that this listing exposes.
user oid 0CC50C name admin crypted $1$$R9O/fXSc4WCSUm6RnM1qn/ email root@chelny.fortd.ru permit all

#services configuration

# Management listener on TCP 555, one connection at a time, local login.
# NOTE(review): no bind address is given here — confirm reachability is limited by the firewall.
service server 0
login local
listen 555
max-conn 1

service processor
lookup-delay 60
flow-lifetime 180
# Accounting policies: protocol-wide ones first, then one per monitored port.
policy oid 05BD97 name ip target proto ip
policy oid 0F9AB2 name tcp target proto tcp
policy oid 0ED7CC name udp target proto udp
policy oid 07B442 name icmp target proto icmp
policy oid 051670 name port-22 target proto tcp port 22
policy oid 09FA2F name port-25 target proto tcp port 25
policy oid 038E0F name port-53 target proto udp port 53
policy oid 0FC695 name port-80 target proto tcp port 80
policy oid 090725 name port-110 target proto tcp port 110
policy oid 0BDE5D name port-123 target proto udp port 123
policy oid 02CB17 name port-143 target proto tcp port 143
policy oid 097C05 name port-443 target proto tcp port 443
policy oid 08B2AE name port-995 target proto tcp port 995
policy oid 0E12C2 name port-3424 target proto tcp port 3424
policy oid 05DFB8 name port-5000 target proto tcp port 5000
policy oid 03FE8D name port-5900 target proto tcp port 5900
policy oid 0D7B63 name port-8080 target proto tcp port 8080
policy oid 0DFB24 name port-9013 target proto tcp port 9013
policy oid 018D3E name port-9091 target proto tcp port 9091
policy oid 0FDB3E name port-2401 target proto tcp port 2401
policy oid 0F732E name port-3200 target proto tcp port 3200
policy oid 081082 name port-3209 target proto tcp port 3209
policy oid 0D64B3 name port-3299 target proto tcp port 3299
policy oid 07F171 name port-3389 target proto tcp port 3389
policy oid 065B95 name port-4899 target proto tcp port 4899
policy oid 0F21C4 name port-10000 target proto tcp port 10000
policy oid 0B12A5 name port-17130 target proto tcp port 17130
policy oid 08837A name port-17133 target proto tcp port 17133
policy oid 09F538 name port-50025 target proto tcp port 50025
policy oid 0817FF name port-50110 target proto tcp port 50110
# Both defaults are 'pass': presumably traffic not matched by a unit is still forwarded (accounting only,
# no enforcement) — NOTE(review): confirm against the NeTAMS 'restrict' semantics.
restrict all pass local pass
# Unit tree: one group per /24, a whole-net unit plus per-host /32 units with extra port policies.
unit group oid 073600 name NET-1
unit group oid 0D827D name NET-5
unit group oid 0D9A83 name NET-9
unit group oid 02DA3F name NET-10
unit net oid 07997C name NET-1-ALL ip 192.168.1.0/24 parent NET-1 acct-policy ip port-995
unit net oid 012157 name host-6 ip 192.168.1.6/32 parent NET-1 acct-policy ip
unit net oid 0E3EB0 name host-11 ip 192.168.1.11/32 parent NET-1 acct-policy ip port-5900
unit net oid 009BDD name host-203 ip 192.168.1.203/32 parent NET-1 acct-policy ip
unit net oid 02DBA2 name NET-5-ALL ip 192.168.5.0/24 parent NET-5 acct-policy ip
unit net oid 008B15 name host-119 ip 192.168.5.119/32 parent NET-5 acct-policy ip
unit net oid 0AF2AB name host-121 ip 192.168.5.121/32 parent NET-5 acct-policy ip port-3389 port-4899 port-17130 port-17133
unit net oid 0C694B name host-124 ip 192.168.5.124/32 parent NET-5 acct-policy ip port-3389 port-4899 port-17130 port-17133
unit net oid 0F0DAE name host-125 ip 192.168.5.125/32 parent NET-5 acct-policy ip port-3389 port-4899 port-17130 port-17133
unit net oid 051FCF name host-232 ip 192.168.5.232/32 parent NET-5 acct-policy ip port-3389 port-4899 port-17130 port-17133
unit net oid 08339A name NET-9-ALL ip 192.168.9.0/24 parent NET-9 acct-policy ip port-22 port-25 port-110 port-3299 port-50025 port-50110
unit net oid 0B730D name host-103 ip 192.168.9.103/32 parent NET-9 acct-policy ip port-2401 port-3200
unit net oid 097E2D name NET-10-ALL ip 192.168.10.0/24 parent NET-10 acct-policy ip
unit net oid 0B2F41 name host-12 ip 192.168.10.12/32 parent NET-10 acct-policy ip port-9091
unit net oid 0184FB name host-18 ip 192.168.10.18/32 parent NET-10 acct-policy ip port-25 port-110
unit net oid 02DFBF name host-20 ip 192.168.10.20/32 parent NET-10 acct-policy ip port-25 port-110
unit net oid 0CF734 name host-21 ip 192.168.10.21/32 parent NET-10 acct-policy ip
unit net oid 00CD4E name host-54 ip 192.168.10.54/32 parent NET-10 acct-policy ip
unit net oid 07CB1B name host-55 ip 192.168.10.55/32 parent NET-10 acct-policy ip port-80 port-443 port-9013 port-10000
unit net oid 0A7538 name host-63 ip 192.168.10.63/32 parent NET-10 acct-policy ip port-3424 port-5000
unit net oid 033A81 name host-73 ip 192.168.10.73/32 parent NET-10 acct-policy ip port-443 port-8080
unit net oid 0C3B34 name host-92 ip 192.168.10.92/32 parent NET-10 acct-policy ip port-80 port-443 port-9013
unit net oid 02A1E4 name host-128 ip 192.168.10.128/32 parent NET-10 acct-policy ip
# External gateway unit (address redacted as xxx.xxx.xxx.xxx in this listing); it has no parent group.
unit net oid 0FA4A8 name GW ip xxx.xxx.xxx.xxx/32 acct-policy ip tcp udp icmp port-22 port-25 port-53 port-80 port-110 port-123 port-143 port-443 port-3209

# MySQL storage credentials are stored in plaintext here. Keep this file readable only by the
# netams runtime user (e.g. mode 0600) and rotate the password once the file has been shared.
service storage 1
type mysql
host localhost
user netams
password smaten
dbname netams
accept all

# Traffic is fed through ipfw divert port 199; the two 'rule' lines are the ipfw rules (250, 401)
# that netams installs itself — the 'ipfw show' output further down expects them to bracket the nat/divert rules.
service data-source 1
type ip-traffic
source divert 199
rule 250 "ip from any to any out via tun0"
rule 401 "ip from any to any in via tun0"

service alerter 0
report oid 06100 name rep1 type traffic period day detail simple
smtp-server localhost

# Static HTML statistics, regenerated every minute and published over plain HTTP; per-client pages
# are enabled for all units. NOTE(review): confirm the /stat/ URL is access-controlled on the web server.
service html
path /usr/local/www/netams/stat
run 1min
url http://netams.fortd.ru/stat/
client-pages all
display-top 10
account-pages none

# Two scheduler entries run the same "html" action every minute (and 'service html' already has
# 'run 1min'); the second entry looks redundant.
service scheduler
oid 094E1A time 1min action "html"
oid 08FFFF time 1min action "html"


#end
#####################################################################################################

После старта netams должны появиться два правила ipfw с номерами 250 и 401!
Эти 2 правила должны обрамлять правила nat/divert'а:

sh# ipfw show
#####################################################################################################
00250  45101892  8428568849 divert 199 ip from any to any out via tun0
00350    977018    79552549 divert 8668 ip from 192.168.1.6 to any out via tun0
00351         0           0 divert 8668 ip from 192.168.1.13 to any dst-port 22 out via tun0
00352         0           0 divert 8668 ip from 192.168.1.11 to xxx.xxx.xxx.xxx dst-port 5900 via tun0
00353    304656    48259896 divert 8668 ip from 192.168.5.124 to any out via tun0
00400  41676094 20881747774 divert 8668 ip from any to xxx.xxx.xxx.xxx in via tun0
00401  41671192 20880704785 divert 199 ip from any to any in via tun0