Folks, tell me where the catch is:
A router on FreeBSD 4.6, with DNS and SMTP servers on it (no problems) and Squid for the internal network (also works); pop3 and smtp (and the rest from that same rule) do not go from the internal network to external servers and back, while our own mail and udp 53 go fine.
'ipfw show' shows that packets do not hit "pass tcp from any to any 20,21,25,110,119,443 setup via ${iif}". Thanks in advance for any advice.
Here is the script:
#!/bin/sh
#
# IPFW RULES
# /etc/ipfw.rules
#
fwcmd="/sbin/ipfw"
oif="fxp0"
oip="62.118.100.1"
onet="62.118.100.0"
omask="255.255.255.0"
iif="fxp1"
iip="192.168.0.9"
inet="192.168.0.0"
imask="255.255.255.0"
dns2="212.188.8.37"
dns3="195.34.0.100"

${fwcmd} -f flush
${fwcmd} add pass ip from any to any via lo0
# Stop private networks (RFC1918) from entering the outside interface.
${fwcmd} add deny ip from 192.168.0.0/16 to any in via $oif
${fwcmd} add deny ip from 172.16.0.0/12 to any in via $oif
${fwcmd} add deny ip from 10.0.0.0/8 to any in via $oif
# NAT
${fwcmd} add divert 8668 ip from any to any via ${oif}
# Allow established connections
${fwcmd} add pass tcp from any to any established
# Allow all outgoing packets from fxp0
${fwcmd} add pass ip from ${oip} to any out xmit ${oif}
# Allow access to our DNS
${fwcmd} add pass udp from any to ${oip} 53 in recv ${oif}
${fwcmd} add pass udp from any 53 to ${oip} in recv ${oif}
#
# rules for internal network
#
# Squid for lan
${fwcmd} add pass tcp from ${inet}:${imask} to ${iip} 8000-8104
${fwcmd} add pass tcp from ${iip} 8000-8104 to ${inet}:${imask}
# DNS, ICQ
${fwcmd} add pass udp from any to any 53,4000 via ${iif}
${fwcmd} add pass udp from any 53,4000 to any via ${iif}
# Allow FTP, SMTP, POP3, NEWS, HTTPS
${fwcmd} add pass tcp from any to any 20,21,25,110,119,443 setup via ${iif}
${fwcmd} add pass tcp from any 20,21,25,110,119,443 to any via ${iif}
# TCP for ICQ
${fwcmd} add pass tcp from any to any 5190 via ${iif}
${fwcmd} add pass tcp from any 5190 to any via ${iif}
# ICMP
${fwcmd} add allow icmp from any to any icmptypes 0,3,8,11 via ${iif}
# PUBLIC SMTP, DNS, SSH only for fgor
${fwcmd} add pass tcp from any to ${oip} 25 in recv ${oif} setup
${fwcmd} add pass tcp from 100.100.100.86/32 to ${oip} 22 in recv ${oif} setup
${fwcmd} add pass tcp from ${dns2} to ${oip} 53 in recv ${oif} setup
${fwcmd} add pass tcp from ${dns3} to ${oip} 53 in recv ${oif} setup
${fwcmd} add reject tcp from any to ${oip} via ${oif} in
${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11
${fwcmd} add deny log all from any to any via ${oif}
${fwcmd} add deny log ip from any to any
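An added example, not from this thread and not FreeBSD's own ipfw code: a small Python first-match evaluator for the subset of ipfw syntax the script above uses. It feeds one LAN-side TCP connection through the inbound pass on fxp1, the outbound pass on fxp0 (where the divert rule stands in for natd) and the server's reply, and reports which rule numbers matched, which is the same information the counters in `ipfw show` give. The interface and address values are the poster's; the client and server addresses, the 100-step rule numbers and the one-line natd stand-in are assumptions made for this example, and icmp, log, the lo0 and DNS rules and the reject-versus-deny distinction are left out.

```python
import ipaddress
from collections import namedtuple
from types import SimpleNamespace

OIF, OIP, IIF, IIP = "fxp0", "62.118.100.1", "fxp1", "192.168.0.9"   # poster's variables, substituted
OPTS = {"via", "recv", "xmit", "in", "out", "setup", "established"}
Rule = namedtuple("Rule", "num action proto src sports dst dports opts")

def parse_ports(tok):
    ports = set()
    for part in tok.split(","):                   # "20,21,25" and ranges like "8000-8104"
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_addr(tok):
    # ipfw accepts any, a.b.c.d, a.b.c.d/bits and a.b.c.d:mask; None means "any"
    return None if tok == "any" else ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def parse_rule(num, text):
    t = text.split()
    action = t[0]
    i = 2 if action == "divert" else 1            # divert carries a port number; natd is not run here
    if t[i] == "log":
        i += 1
    proto, src, i = t[i], parse_addr(t[i + 2]), i + 3   # "<proto> from <src>"
    sports = dports = None
    if t[i] != "to":
        sports, i = parse_ports(t[i]), i + 1
    dst, i = parse_addr(t[i + 1]), i + 2          # "to <dst>"
    if i < len(t) and t[i] not in OPTS:
        dports, i = parse_ports(t[i]), i + 1
    opts = {}
    while i < len(t):                             # via/recv/xmit take an interface name
        takes_arg = t[i] in ("via", "recv", "xmit")
        opts[t[i]] = t[i + 1] if takes_arg else True
        i += 2 if takes_arg else 1
    return Rule(num, action, proto, src, sports, dst, dports, opts)

def packet(proto, src, sport, dst, dport, direction, recv=None, xmit=None, syn=False, ack=False):
    # recv: interface the packet arrived on; xmit: interface it leaves on; direction: "in"/"out"
    return SimpleNamespace(**locals())

def matches(r, p):
    if r.proto != "ip" and r.proto != p.proto: return False
    if r.src and ipaddress.ip_address(p.src) not in r.src: return False
    if r.dst and ipaddress.ip_address(p.dst) not in r.dst: return False
    if r.sports and p.sport not in r.sports: return False
    if r.dports and p.dport not in r.dports: return False
    o = r.opts
    if "in" in o and p.direction != "in": return False
    if "out" in o and p.direction != "out": return False
    # via tests the outgoing interface on the out pass and the receiving one on the in pass
    if "via" in o and o["via"] != (p.xmit if p.direction == "out" else p.recv): return False
    if "recv" in o and o["recv"] != p.recv: return False
    if "xmit" in o and o["xmit"] != p.xmit: return False
    if "setup" in o and not (p.syn and not p.ack): return False
    if "established" in o and not p.ack: return False        # RST not modelled
    return True

def evaluate(rules, p, nat):
    """First match wins; returns (numbers of the rules that matched, verdict)."""
    trace = []
    for r in rules:
        if not matches(r, p):
            continue
        trace.append(r.num)
        if r.action == "divert":                  # toy natd: rewrite source out, map replies back in
            if p.direction == "out":
                nat[(p.dst, p.dport, p.sport)] = p.src
                p.src = OIP
            else:
                p.dst = nat.get((p.src, p.sport, p.dport), p.dst)
            continue                              # matching resumes after reinjection
        return trace, "pass" if r.action in ("pass", "allow", "accept") else "deny"
    return trace, "deny"                          # implicit default rule 65535

RULESET = [                                       # subset of the posted script, in its order
    f"deny ip from 192.168.0.0/16 to any in via {OIF}",
    f"divert 8668 ip from any to any via {OIF}",
    "pass tcp from any to any established",
    f"pass ip from {OIP} to any out xmit {OIF}",
    f"pass tcp from 192.168.0.0:255.255.255.0 to {IIP} 8000-8104",
    f"pass tcp from any to any 20,21,25,110,119,443 setup via {IIF}",
    f"pass tcp from any 20,21,25,110,119,443 to any via {IIF}",
    f"reject tcp from any to {OIP} via {OIF} in",
    "deny log ip from any to any",
]
RULES = [parse_rule(100 * (i + 1), r) for i, r in enumerate(RULESET)]

def trace_lan_client(dport, client="192.168.0.20", server="198.51.100.7"):
    """Follow one LAN connection: SYN on the in pass, SYN on the out pass (NAT), then the reply."""
    nat, out = {}, []
    for p in (packet("tcp", client, 1025, server, dport, "in", recv=IIF, syn=True),
              packet("tcp", client, 1025, server, dport, "out", recv=IIF, xmit=OIF, syn=True),
              packet("tcp", server, dport, OIP, 1025, "in", recv=OIF, syn=True, ack=True)):
        out.append(evaluate(RULES, p, nat))
        if out[-1][1] == "deny":                  # a dropped SYN never reaches the next stage
            break
    return out
```

trace_lan_client(110) returns [([600], 'pass'), ([200, 400], 'pass'), ([200, 300], 'pass')]: the SYN is accepted by the "setup via fxp1" rule, then NATed and passed by the "from ${oip} ... out xmit" rule, and the reply is let in by "established". trace_lan_client(143) stops at the final "deny log" rule, which is the pattern to look for in ipfw show when a counter on the expected rule stays at zero: the rule whose counter is climbing instead tells you where the packet actually went.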
Might it be better to use the kernel build option
IPFIREWALL_DEFAULT_TO_ACCEPT ?
And what if like this:
ipfw add divert 8668 tcp from 192.168.0.0/24 to any 20,21,25,110,119,443 via ${iif} in
And is there a line gateway_enable="YES" in /etc/rc.conf?
>And is there a line gateway_enable="YES" in /etc/rc.conf?
There is such a line.
Take a look here:
Folks, sorry for the wasted time,
everything works, the problem was in the internal network.