Jump to content
Калькуляторы

"FreeBSD от куда взялись такие правила IPFW"

ребята, сломали всю голову не можем понять, вообщем достался сервер от предыдущего админа, на серваке фря 6.2 сквид ипфв и нат. после переезда отказалось работать аська, и не можем соедениться с такскомом по 25 и 110 порту с компов пользователей, с роутера все работает, т.е. соединение есть, в чем косяк никак не пойму.

выкладываю конфиги:

mail# cat /etc/rc.conf

hostname="mail.triss.ru"

network_interfaces="lo0 lan0 int0"

ifconfig_rl0_name="lan0"

ifconfig_lan0="inet 192.168.0.1 netmask 255.255.255.0"

ifconfig_re0_name="int0"

ifconfig_int0="inet 89.63.207.210 netmask 255.255.255.248"

defaultrouter="89.63.207.209"

gateway_enable="YES"

 

firewall_enable="YES"

firewall_type="/etc/firewall.conf"

firewall_quiet="YES"

firewall_logging="YES"

 

ipv6_enable="NO"

ipv6_firewall_enable="NO"

tcp_drop_synfin="YES"

icmp_drop_redirect="YES"

icmp_log_redirect="YES"

icmp_bmcastecho="NO"

 

fsck_y_enable="YES"

rcshutdown_timeout="120"

check_quotas="NO"

sendmail_enable="NO"

 

named_enable="YES"

named_flags="-4"

 

sshd_enable="YES"

syslogd_enable="YES"

syslogd_flags="-ss"

 

ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib /usr/local/lib/compat/pkg /usr/local/mysql/lib/mysql /usr/local/clamav/lib"

 

natd_enable="YES"

natd_interface="int0"

natd_flags=" -p 8668 -same_ports -use_sockets -redirect_port tcp 192.168.0.2:3389 3389"

#natd_flags="-u -s -m"

 

font8x14="cp866-8x14"

font8x16="cp866b-8x16"

font8x8="cp866-8x8"

keymap="ru.koi8-r"

keyrate="normal"

cursor="destructive"

scrnmap="koi8-r2cp866"

 

# -- sysinstall generated deltas -- # Sun Sep 27 22:18:02 2009

ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"

defaultrouter="83.69.207.210"

hostname="mail.triss.ru"

# -- sysinstall generated deltas -- # Sun Sep 27 22:24:16 2009

ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"

defaultrouter="83.69.207.210"

hostname="mail.triss.ru"

# -- sysinstall generated deltas -- # Sun Sep 27 22:29:38 2009

ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"

defaultrouter="83.69.207.210"

hostname="mail.triss.ru"

# -- sysinstall generated deltas -- # Thu Oct 1 09:54:12 2009

ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"

defaultrouter="83.69.207.210"

hostname="mail.triss.ru"

# -- sysinstall generated deltas -- # Thu Oct 1 10:30:49 2009

ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"

defaultrouter="83.69.207.210"

hostname="mail.triss.ru"

# -- sysinstall generated deltas -- # Thu Oct 1 10:35:53 2009

ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"

defaultrouter="83.69.207.210"

hostname="mail.triss.ru"

# -- sysinstall generated deltas -- # Thu Oct 1 10:49:25 2009

ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"

defaultrouter="83.69.207.209"

hostname="mail.triss.ru"

# -- sysinstall generated deltas -- # Thu Oct 1 11:22:32 2009

defaultrouter="83.69.207.209"

hostname="mail.triss.ru"

# -- sysinstall generated deltas -- # Thu Oct 1 11:27:44 2009

ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"

ifconfig_lan0="inet 192.168.0.1 netmask 255.255.255.0"

defaultrouter="83.69.207.209"

hostname="mail.triss.ru"

# -- sysinstall generated deltas -- # Thu Oct 1 11:50:01 2009

ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"

defaultrouter="83.69.207.209"

hostname="mail.triss.ru"

mail#

 

mail# cat /etc/firewall.conf

 

#add 50 deny all from any to 84.204.3.255 via int0

 

add 100 allow ip from any to any via lo

add 110 deny log ip from 192.168.0.0/24 to any in via int0

add 115 allow all from any to 255.255.255.255:67 via lan0

add 120 deny log ip from not 192.168.0.0/24 to any in via lan0

add 140 deny icmp from any to any in icmptype 5,9,13,14,15,16,17

add 145 allow icmp from any to any

 

add 4200 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24 80 out xmit int0

add 4210 divert 8668 ip from 192.168.0.0/24 to any out via int0

add 4220 divert 8668 ip from any to 83.69.207.209 in via int0

 

add 4260 allow all from 87.245.135.160 to me 3389

add 4261 allow all from 87.245.135.160 to 192.168.0.2 3389

add 4261 allow all from 87.245.135.160 to 192.168.0.9 3389

add 4262 allow all from 194.67.255.242 to me 3389

add 4263 allow all from 194.67.255.242 to 192.168.0.9 3389

add 4265 deny all from any to me 3389

add 4266 deny ip from any to 192.168.0.2 dst-port 3389

 

add 4300 allow all from me to any

add 4305 allow tcp from any to me 22,25,26,80,110,443,1025-65535

#add 4307 allow all from any to any 5190

#add 4308 allow all from any 5190 to any

add 4310 allow ip from me to any 53

add 4315 allow ip from any 53 to me

 

add 4320 allow ip from any to me 53

add 4325 allow ip from me 53 to any

 

add 4326 allow ip from any to me 67 via lan0

add 4327 allow ip from me 67 to any via lan0

 

add 4330 allow ip from me to any 123,6277

add 4335 allow ip from any 123,6277 to me

 

add 4340 allow ip from 192.168.0.2 to any 123

add 4341 allow ip from any 123 to 192.168.0.2

add 4342 allow ip from 192.168.0.22 to any 123

add 4343 allow ip from any 123 to 192.168.0.22

 

 

#add 4520 allow tcp from 192.168.0.0/24 to any via lan0

add 4520 allow tcp from any to 192.168.0.0/24 via int0

 

 

#add 11002 allow tcp from 192.168.0.2 to not 192.168.0.0/24 via lan0

#add 11003 allow tcp from 192.168.0.3 to not 192.168.0.0/24 via lan0

#add 11004 allow tcp from 192.168.0.4 to not 192.168.0.0/24 via lan0

#add 11005 allow tcp from 192.168.0.5 to not 192.168.0.0/24 via lan0

#add 11006 allow tcp from 192.168.0.6 to not 192.168.0.0/24 via lan0

#add 11007 allow tcp from 192.168.0.7 to not 192.168.0.0/24 via lan0

#add 11008 allow tcp from 192.168.0.8 to not 192.168.0.0/24 via lan0

 

 

#add 12002 allow tcp from not 192.168.0.0/24 to 192.168.0.2 via lan0

#add 12003 allow tcp from not 192.168.0.0/24 to 192.168.0.3 via lan0

#add 12004 allow tcp from not 192.168.0.0/24 to 192.168.0.4 via lan0

#add 12005 allow tcp from not 192.168.0.0/24 to 192.168.0.5 via lan0

#add 12006 allow tcp from not 192.168.0.0/24 to 192.168.0.6 via lan0

#add 12007 allow tcp from not 192.168.0.0/24 to 192.168.0.7 via lan0

#add 12008 allow tcp from not 192.168.0.0/24 to 192.168.0.8 via lan0

add 12100 allow tcp from 195.161.42.230 to 192.168.0.5 25,110

add 12110 allow tcp from 192.168.0.5 to 195.161.42.230 25,110

add 65000 allow gre from any to any

 

#add 65534 deny log ip from any to any

add 65534 allow all from any to any

mail#

 

mail# ipfw list

00100 allow ip from any to any via lo

00110 deny log logamount 1000 ip from 192.168.0.0/24 to any in via int0

00115 allow ip from any to 0.0.0.67:0.0.0.67 via lan0

00120 deny log logamount 1000 ip from not 192.168.0.0/24 to any in via lan0

00140 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17

00145 allow icmp from any to any

02000 allow tcp from 192.168.0.253 to not 192.168.0.0/24 dst-port 80

04200 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24 dst-port 80 out xmit int0

04210 divert 8668 ip from 192.168.0.0/24 to any out via int0

04220 divert 8668 ip from any to 83.69.207.209 in via int0

04260 allow ip from 87.245.135.160 to me dst-port 3389

04261 allow ip from 87.245.135.160 to 192.168.0.2 dst-port 3389

04261 allow ip from 87.245.135.160 to 192.168.0.9 dst-port 3389

04262 allow ip from 194.67.255.242 to me dst-port 3389

04263 allow ip from 194.67.255.242 to 192.168.0.9 dst-port 3389

04265 deny ip from any to me dst-port 3389

04266 deny ip from any to 192.168.0.2 dst-port 3389

04300 allow ip from me to any

04305 allow tcp from any to me dst-port 22,25,26,80,110,443,1025-65535

04310 allow ip from me to any dst-port 53

04315 allow ip from any 53 to me

04320 allow ip from any to me dst-port 53

04325 allow ip from me 53 to any

04326 allow ip from any to me dst-port 67 via lan0

04327 allow ip from me 67 to any via lan0

04330 allow ip from me to any dst-port 123,6277

04335 allow ip from any 123,6277 to me

04340 allow ip from 192.168.0.2 to any dst-port 123

04341 allow ip from any 123 to 192.168.0.2

04342 allow ip from 192.168.0.22 to any dst-port 123

04343 allow ip from any 123 to 192.168.0.22

04520 allow tcp from any to 192.168.0.0/24 via int0

12100 allow tcp from 195.161.42.230 to 192.168.0.5 dst-port 25,110

12110 allow tcp from 192.168.0.5 to 195.161.42.230 dst-port 25,110

15000 allow tcp from 192.168.0.15 to not 192.168.0.0/24 via lan0

15001 allow tcp from 192.168.0.10 to not 192.168.0.0/24 via lan0

15002 allow tcp from 192.168.0.23 to not 192.168.0.0/24 via lan0

15003 allow tcp from 192.168.0.33 to not 192.168.0.0/24 via lan0

15004 allow tcp from 192.168.0.13 to not 192.168.0.0/24 via lan0

15005 allow tcp from 192.168.0.29 to not 192.168.0.0/24 via lan0

15006 allow tcp from 192.168.0.22 to not 192.168.0.0/24 via lan0

15007 allow tcp from 192.168.0.20 to not 192.168.0.0/24 via lan0

15008 allow tcp from 192.168.0.18 to not 192.168.0.0/24 via lan0

15009 allow tcp from 192.168.0.3 to not 192.168.0.0/24 via lan0

15010 allow tcp from 192.168.0.2 to not 192.168.0.0/24 via lan0

15011 allow tcp from 192.168.0.252 to not 192.168.0.0/24 via lan0

15012 allow tcp from 192.168.0.6 to not 192.168.0.0/24 via lan0

15013 allow tcp from 192.168.0.24 to not 192.168.0.0/24 via lan0

15014 allow tcp from 192.168.0.30 to not 192.168.0.0/24 via lan0

15015 allow tcp from 192.168.0.5 to not 192.168.0.0/24 via lan0

15016 allow tcp from 192.168.0.34 to not 192.168.0.0/24 via lan0

15017 allow tcp from 192.168.0.14 to not 192.168.0.0/24 via lan0

15018 allow tcp from 192.168.0.11 to not 192.168.0.0/24 via lan0

15019 allow tcp from 192.168.0.16 to not 192.168.0.0/24 via lan0

15020 allow tcp from 192.168.0.8 to not 192.168.0.0/24 via lan0

15021 allow tcp from 192.168.0.32 to not 192.168.0.0/24 via lan0

15022 allow tcp from 192.168.0.26 to not 192.168.0.0/24 via lan0

15023 allow tcp from 192.168.0.27 to not 192.168.0.0/24 via lan0

15024 allow tcp from 192.168.0.19 to not 192.168.0.0/24 via lan0

15025 allow tcp from 192.168.0.9 to not 192.168.0.0/24 via lan0

15026 allow tcp from 192.168.0.35 to not 192.168.0.0/24 via lan0

15027 allow tcp from 192.168.0.253 to not 192.168.0.0/24 via lan0

15028 allow tcp from 192.168.0.31 to not 192.168.0.0/24 via lan0

15029 allow tcp from 192.168.0.21 to not 192.168.0.0/24 via lan0

15030 allow tcp from 192.168.0.12 to not 192.168.0.0/24 via lan0

15031 allow tcp from 192.168.0.4 to not 192.168.0.0/24 via lan0

16000 allow tcp from not 192.168.0.0/24 to 192.168.0.15 via lan0

16001 allow tcp from not 192.168.0.0/24 to 192.168.0.10 via lan0

16002 allow tcp from not 192.168.0.0/24 to 192.168.0.23 via lan0

16003 allow tcp from not 192.168.0.0/24 to 192.168.0.33 via lan0

16004 allow tcp from not 192.168.0.0/24 to 192.168.0.13 via lan0

16005 allow tcp from not 192.168.0.0/24 to 192.168.0.29 via lan0

16006 allow tcp from not 192.168.0.0/24 to 192.168.0.22 via lan0

16007 allow tcp from not 192.168.0.0/24 to 192.168.0.20 via lan0

16008 allow tcp from not 192.168.0.0/24 to 192.168.0.18 via lan0

16009 allow tcp from not 192.168.0.0/24 to 192.168.0.3 via lan0

16010 allow tcp from not 192.168.0.0/24 to 192.168.0.2 via lan0

16011 allow tcp from not 192.168.0.0/24 to 192.168.0.252 via lan0

16012 allow tcp from not 192.168.0.0/24 to 192.168.0.6 via lan0

16013 allow tcp from not 192.168.0.0/24 to 192.168.0.24 via lan0

16014 allow tcp from not 192.168.0.0/24 to 192.168.0.30 via lan0

16015 allow tcp from not 192.168.0.0/24 to 192.168.0.5 via lan0

16016 allow tcp from not 192.168.0.0/24 to 192.168.0.34 via lan0

16017 allow tcp from not 192.168.0.0/24 to 192.168.0.14 via lan0

16018 allow tcp from not 192.168.0.0/24 to 192.168.0.11 via lan0

16019 allow tcp from not 192.168.0.0/24 to 192.168.0.16 via lan0

16020 allow tcp from not 192.168.0.0/24 to 192.168.0.8 via lan0

16021 allow tcp from not 192.168.0.0/24 to 192.168.0.32 via lan0

16022 allow tcp from not 192.168.0.0/24 to 192.168.0.26 via lan0

16023 allow tcp from not 192.168.0.0/24 to 192.168.0.27 via lan0

16024 allow tcp from not 192.168.0.0/24 to 192.168.0.19 via lan0

16025 allow tcp from not 192.168.0.0/24 to 192.168.0.9 via lan0

16026 allow tcp from not 192.168.0.0/24 to 192.168.0.35 via lan0

16027 allow tcp from not 192.168.0.0/24 to 192.168.0.253 via lan0

16028 allow tcp from not 192.168.0.0/24 to 192.168.0.31 via lan0

16029 allow tcp from not 192.168.0.0/24 to 192.168.0.21 via lan0

16030 allow tcp from not 192.168.0.0/24 to 192.168.0.12 via lan0

16031 allow tcp from not 192.168.0.0/24 to 192.168.0.4 via lan0

65000 allow gre from any to any

65535 deny ip from any to any

mail#

 

 

содержание конфига от загруженных правил отличается, вопрос, от куда онир грузяться и каким боком блочат нам соединения, или куда смотреть хоть если это не фаер виновен.

 

Надеюсьна вашу помощь!!!

Edited by _dmitr_

Share this post


Link to post
Share on other sites

firewall_type="/etc/firewall.conf" раскоментированна, первый раз ошибся, проблема актуальна :(

Share this post


Link to post
Share on other sites

add 4220 divert 8668 ip from any to 83.69.207.210 in via int0

 

при таком работает а при таком как было

add 4220 divert 8668 ip from any to 83.69.207.209 in via int0

нет, спасибо всем.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this