_dmitr_ Опубликовано 7 октября, 2009 (изменено) ребята, сломали всю голову, не можем понять. В общем, достался сервер от предыдущего админа, на серваке фря 6.2, сквид, ипфв и нат. После переезда отказалась работать аська, и не можем соединиться с такскомом по 25 и 110 порту с компов пользователей; с роутера все работает, т.е. соединение есть, в чем косяк никак не пойму. Выкладываю конфиги: mail# cat /etc/rc.conf hostname="mail.triss.ru" network_interfaces="lo0 lan0 int0" ifconfig_rl0_name="lan0" ifconfig_lan0="inet 192.168.0.1 netmask 255.255.255.0" ifconfig_re0_name="int0" ifconfig_int0="inet 89.63.207.210 netmask 255.255.255.248" defaultrouter="89.63.207.209" gateway_enable="YES" firewall_enable="YES" firewall_type="/etc/firewall.conf" firewall_quiet="YES" firewall_logging="YES" ipv6_enable="NO" ipv6_firewall_enable="NO" tcp_drop_synfin="YES" icmp_drop_redirect="YES" icmp_log_redirect="YES" icmp_bmcastecho="NO" fsck_y_enable="YES" rcshutdown_timeout="120" check_quotas="NO" sendmail_enable="NO" named_enable="YES" named_flags="-4" sshd_enable="YES" syslogd_enable="YES" syslogd_flags="-ss" ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib /usr/local/lib/compat/pkg /usr/local/mysql/lib/mysql /usr/local/clamav/lib" natd_enable="YES" natd_interface="int0" natd_flags=" -p 8668 -same_ports -use_sockets -redirect_port tcp 192.168.0.2:3389 3389" #natd_flags="-u -s -m" font8x14="cp866-8x14" font8x16="cp866b-8x16" font8x8="cp866-8x8" keymap="ru.koi8-r" keyrate="normal" cursor="destructive" scrnmap="koi8-r2cp866" # -- sysinstall generated deltas -- # Sun Sep 27 22:18:02 2009 ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248" defaultrouter="83.69.207.210" hostname="mail.triss.ru" # -- sysinstall generated deltas -- # Sun Sep 27 22:24:16 2009 ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248" defaultrouter="83.69.207.210" hostname="mail.triss.ru" # -- sysinstall generated deltas -- # Sun Sep 27 22:29:38 2009 ifconfig_int0="inet 83.69.207.210 
netmask 255.255.255.248" defaultrouter="83.69.207.210" hostname="mail.triss.ru" # -- sysinstall generated deltas -- # Thu Oct 1 09:54:12 2009 ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248" defaultrouter="83.69.207.210" hostname="mail.triss.ru" # -- sysinstall generated deltas -- # Thu Oct 1 10:30:49 2009 ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248" defaultrouter="83.69.207.210" hostname="mail.triss.ru" # -- sysinstall generated deltas -- # Thu Oct 1 10:35:53 2009 ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248" defaultrouter="83.69.207.210" hostname="mail.triss.ru" # -- sysinstall generated deltas -- # Thu Oct 1 10:49:25 2009 ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248" defaultrouter="83.69.207.209" hostname="mail.triss.ru" # -- sysinstall generated deltas -- # Thu Oct 1 11:22:32 2009 defaultrouter="83.69.207.209" hostname="mail.triss.ru" # -- sysinstall generated deltas -- # Thu Oct 1 11:27:44 2009 ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248" ifconfig_lan0="inet 192.168.0.1 netmask 255.255.255.0" defaultrouter="83.69.207.209" hostname="mail.triss.ru" # -- sysinstall generated deltas -- # Thu Oct 1 11:50:01 2009 ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248" defaultrouter="83.69.207.209" hostname="mail.triss.ru" mail# mail# cat /etc/firewall.conf #add 50 deny all from any to 84.204.3.255 via int0 add 100 allow ip from any to any via lo add 110 deny log ip from 192.168.0.0/24 to any in via int0 add 115 allow all from any to 255.255.255.255:67 via lan0 add 120 deny log ip from not 192.168.0.0/24 to any in via lan0 add 140 deny icmp from any to any in icmptype 5,9,13,14,15,16,17 add 145 allow icmp from any to any add 4200 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24 80 out xmit int0 add 4210 divert 8668 ip from 192.168.0.0/24 to any out via int0 add 4220 divert 8668 ip from any to 83.69.207.209 in via int0 add 4260 allow all from 87.245.135.160 to me 3389 add 4261 allow all 
from 87.245.135.160 to 192.168.0.2 3389 add 4261 allow all from 87.245.135.160 to 192.168.0.9 3389 add 4262 allow all from 194.67.255.242 to me 3389 add 4263 allow all from 194.67.255.242 to 192.168.0.9 3389 add 4265 deny all from any to me 3389 add 4266 deny ip from any to 192.168.0.2 dst-port 3389 add 4300 allow all from me to any add 4305 allow tcp from any to me 22,25,26,80,110,443,1025-65535 #add 4307 allow all from any to any 5190 #add 4308 allow all from any 5190 to any add 4310 allow ip from me to any 53 add 4315 allow ip from any 53 to me add 4320 allow ip from any to me 53 add 4325 allow ip from me 53 to any add 4326 allow ip from any to me 67 via lan0 add 4327 allow ip from me 67 to any via lan0 add 4330 allow ip from me to any 123,6277 add 4335 allow ip from any 123,6277 to me add 4340 allow ip from 192.168.0.2 to any 123 add 4341 allow ip from any 123 to 192.168.0.2 add 4342 allow ip from 192.168.0.22 to any 123 add 4343 allow ip from any 123 to 192.168.0.22 #add 4520 allow tcp from 192.168.0.0/24 to any via lan0 add 4520 allow tcp from any to 192.168.0.0/24 via int0 #add 11002 allow tcp from 192.168.0.2 to not 192.168.0.0/24 via lan0 #add 11003 allow tcp from 192.168.0.3 to not 192.168.0.0/24 via lan0 #add 11004 allow tcp from 192.168.0.4 to not 192.168.0.0/24 via lan0 #add 11005 allow tcp from 192.168.0.5 to not 192.168.0.0/24 via lan0 #add 11006 allow tcp from 192.168.0.6 to not 192.168.0.0/24 via lan0 #add 11007 allow tcp from 192.168.0.7 to not 192.168.0.0/24 via lan0 #add 11008 allow tcp from 192.168.0.8 to not 192.168.0.0/24 via lan0 #add 12002 allow tcp from not 192.168.0.0/24 to 192.168.0.2 via lan0 #add 12003 allow tcp from not 192.168.0.0/24 to 192.168.0.3 via lan0 #add 12004 allow tcp from not 192.168.0.0/24 to 192.168.0.4 via lan0 #add 12005 allow tcp from not 192.168.0.0/24 to 192.168.0.5 via lan0 #add 12006 allow tcp from not 192.168.0.0/24 to 192.168.0.6 via lan0 #add 12007 allow tcp from not 192.168.0.0/24 to 192.168.0.7 via lan0 #add 
12008 allow tcp from not 192.168.0.0/24 to 192.168.0.8 via lan0 add 12100 allow tcp from 195.161.42.230 to 192.168.0.5 25,110 add 12110 allow tcp from 192.168.0.5 to 195.161.42.230 25,110 add 65000 allow gre from any to any #add 65534 deny log ip from any to any add 65534 allow all from any to any mail# mail# ipfw list 00100 allow ip from any to any via lo 00110 deny log logamount 1000 ip from 192.168.0.0/24 to any in via int0 00115 allow ip from any to 0.0.0.67:0.0.0.67 via lan0 00120 deny log logamount 1000 ip from not 192.168.0.0/24 to any in via lan0 00140 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17 00145 allow icmp from any to any 02000 allow tcp from 192.168.0.253 to not 192.168.0.0/24 dst-port 80 04200 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24 dst-port 80 out xmit int0 04210 divert 8668 ip from 192.168.0.0/24 to any out via int0 04220 divert 8668 ip from any to 83.69.207.209 in via int0 04260 allow ip from 87.245.135.160 to me dst-port 3389 04261 allow ip from 87.245.135.160 to 192.168.0.2 dst-port 3389 04261 allow ip from 87.245.135.160 to 192.168.0.9 dst-port 3389 04262 allow ip from 194.67.255.242 to me dst-port 3389 04263 allow ip from 194.67.255.242 to 192.168.0.9 dst-port 3389 04265 deny ip from any to me dst-port 3389 04266 deny ip from any to 192.168.0.2 dst-port 3389 04300 allow ip from me to any 04305 allow tcp from any to me dst-port 22,25,26,80,110,443,1025-65535 04310 allow ip from me to any dst-port 53 04315 allow ip from any 53 to me 04320 allow ip from any to me dst-port 53 04325 allow ip from me 53 to any 04326 allow ip from any to me dst-port 67 via lan0 04327 allow ip from me 67 to any via lan0 04330 allow ip from me to any dst-port 123,6277 04335 allow ip from any 123,6277 to me 04340 allow ip from 192.168.0.2 to any dst-port 123 04341 allow ip from any 123 to 192.168.0.2 04342 allow ip from 192.168.0.22 to any dst-port 123 04343 allow ip from any 123 to 192.168.0.22 04520 allow tcp from any to 
192.168.0.0/24 via int0 12100 allow tcp from 195.161.42.230 to 192.168.0.5 dst-port 25,110 12110 allow tcp from 192.168.0.5 to 195.161.42.230 dst-port 25,110 15000 allow tcp from 192.168.0.15 to not 192.168.0.0/24 via lan0 15001 allow tcp from 192.168.0.10 to not 192.168.0.0/24 via lan0 15002 allow tcp from 192.168.0.23 to not 192.168.0.0/24 via lan0 15003 allow tcp from 192.168.0.33 to not 192.168.0.0/24 via lan0 15004 allow tcp from 192.168.0.13 to not 192.168.0.0/24 via lan0 15005 allow tcp from 192.168.0.29 to not 192.168.0.0/24 via lan0 15006 allow tcp from 192.168.0.22 to not 192.168.0.0/24 via lan0 15007 allow tcp from 192.168.0.20 to not 192.168.0.0/24 via lan0 15008 allow tcp from 192.168.0.18 to not 192.168.0.0/24 via lan0 15009 allow tcp from 192.168.0.3 to not 192.168.0.0/24 via lan0 15010 allow tcp from 192.168.0.2 to not 192.168.0.0/24 via lan0 15011 allow tcp from 192.168.0.252 to not 192.168.0.0/24 via lan0 15012 allow tcp from 192.168.0.6 to not 192.168.0.0/24 via lan0 15013 allow tcp from 192.168.0.24 to not 192.168.0.0/24 via lan0 15014 allow tcp from 192.168.0.30 to not 192.168.0.0/24 via lan0 15015 allow tcp from 192.168.0.5 to not 192.168.0.0/24 via lan0 15016 allow tcp from 192.168.0.34 to not 192.168.0.0/24 via lan0 15017 allow tcp from 192.168.0.14 to not 192.168.0.0/24 via lan0 15018 allow tcp from 192.168.0.11 to not 192.168.0.0/24 via lan0 15019 allow tcp from 192.168.0.16 to not 192.168.0.0/24 via lan0 15020 allow tcp from 192.168.0.8 to not 192.168.0.0/24 via lan0 15021 allow tcp from 192.168.0.32 to not 192.168.0.0/24 via lan0 15022 allow tcp from 192.168.0.26 to not 192.168.0.0/24 via lan0 15023 allow tcp from 192.168.0.27 to not 192.168.0.0/24 via lan0 15024 allow tcp from 192.168.0.19 to not 192.168.0.0/24 via lan0 15025 allow tcp from 192.168.0.9 to not 192.168.0.0/24 via lan0 15026 allow tcp from 192.168.0.35 to not 192.168.0.0/24 via lan0 15027 allow tcp from 192.168.0.253 to not 192.168.0.0/24 via lan0 15028 allow tcp from 
192.168.0.31 to not 192.168.0.0/24 via lan0 15029 allow tcp from 192.168.0.21 to not 192.168.0.0/24 via lan0 15030 allow tcp from 192.168.0.12 to not 192.168.0.0/24 via lan0 15031 allow tcp from 192.168.0.4 to not 192.168.0.0/24 via lan0 16000 allow tcp from not 192.168.0.0/24 to 192.168.0.15 via lan0 16001 allow tcp from not 192.168.0.0/24 to 192.168.0.10 via lan0 16002 allow tcp from not 192.168.0.0/24 to 192.168.0.23 via lan0 16003 allow tcp from not 192.168.0.0/24 to 192.168.0.33 via lan0 16004 allow tcp from not 192.168.0.0/24 to 192.168.0.13 via lan0 16005 allow tcp from not 192.168.0.0/24 to 192.168.0.29 via lan0 16006 allow tcp from not 192.168.0.0/24 to 192.168.0.22 via lan0 16007 allow tcp from not 192.168.0.0/24 to 192.168.0.20 via lan0 16008 allow tcp from not 192.168.0.0/24 to 192.168.0.18 via lan0 16009 allow tcp from not 192.168.0.0/24 to 192.168.0.3 via lan0 16010 allow tcp from not 192.168.0.0/24 to 192.168.0.2 via lan0 16011 allow tcp from not 192.168.0.0/24 to 192.168.0.252 via lan0 16012 allow tcp from not 192.168.0.0/24 to 192.168.0.6 via lan0 16013 allow tcp from not 192.168.0.0/24 to 192.168.0.24 via lan0 16014 allow tcp from not 192.168.0.0/24 to 192.168.0.30 via lan0 16015 allow tcp from not 192.168.0.0/24 to 192.168.0.5 via lan0 16016 allow tcp from not 192.168.0.0/24 to 192.168.0.34 via lan0 16017 allow tcp from not 192.168.0.0/24 to 192.168.0.14 via lan0 16018 allow tcp from not 192.168.0.0/24 to 192.168.0.11 via lan0 16019 allow tcp from not 192.168.0.0/24 to 192.168.0.16 via lan0 16020 allow tcp from not 192.168.0.0/24 to 192.168.0.8 via lan0 16021 allow tcp from not 192.168.0.0/24 to 192.168.0.32 via lan0 16022 allow tcp from not 192.168.0.0/24 to 192.168.0.26 via lan0 16023 allow tcp from not 192.168.0.0/24 to 192.168.0.27 via lan0 16024 allow tcp from not 192.168.0.0/24 to 192.168.0.19 via lan0 16025 allow tcp from not 192.168.0.0/24 to 192.168.0.9 via lan0 16026 allow tcp from not 192.168.0.0/24 to 192.168.0.35 via lan0 16027 allow 
tcp from not 192.168.0.0/24 to 192.168.0.253 via lan0 16028 allow tcp from not 192.168.0.0/24 to 192.168.0.31 via lan0 16029 allow tcp from not 192.168.0.0/24 to 192.168.0.21 via lan0 16030 allow tcp from not 192.168.0.0/24 to 192.168.0.12 via lan0 16031 allow tcp from not 192.168.0.0/24 to 192.168.0.4 via lan0 65000 allow gre from any to any 65535 deny ip from any to any mail# Содержание конфига от загруженных правил отличается (в загруженном наборе есть правила 02000 и 15000–16031, которых в файле нет, а завершающего 65534 allow из файла в нём, наоборот, нет). Вопрос: откуда они грузятся и каким боком блочат нам соединения, или куда хоть смотреть, если это не фаер виновен. Надеюсь на вашу помощь!!! Изменено 7 октября, 2009 пользователем _dmitr_
hizel Опубликовано 7 октября, 2009 из /etc/rc.firewall
_dmitr_ Опубликовано 7 октября, 2009 firewall_type="/etc/firewall.conf" раскомментирована, в первый раз ошибся, проблема актуальна :(
_dmitr_ Опубликовано 7 октября, 2009 При таком правиле работает: add 4220 divert 8668 ip from any to 83.69.207.210 in via int0 а при таком, как было, нет: add 4220 divert 8668 ip from any to 83.69.207.209 in via int0 (83.69.207.210 — это адрес самого int0 по rc.conf, а 83.69.207.209 — это defaultrouter, поэтому входящие пакеты NAT-сессий по старому правилу в natd не попадали). Спасибо всем.