Камрады приветствую.
После добавления в IPFW правил типа
$cmd 030 nat 123 ip from any to me in via $LanOut
$cmd 800 nat 123 ip from $NetIn to any out via $LanOut
падает внешний интерфейс. Это произошло после перезагрузки сервака. До этого обновил Apache, PHP, PHP-Extension.
rc.conf
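# -- sysinstall generated deltas -- # Wed Dec 1 11:49:28 2010
# Created: Wed Dec 1 11:49:28 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

# -- sysinstall generated deltas -- # Wed Dec 1 11:07:55 2010
# LAN-side interface (rc.firewall calls it $LanIn).
ifconfig_bge0="inet 192.168.0.10 netmask 255.255.254.0"
hostname="out"

# -- sysinstall generated deltas -- # Thu Feb 3 10:00:11 2011
# Uplink interface (rc.firewall calls it $LanOut / $IpOut).
ifconfig_bge1="inet 192.168.100.31 netmask 255.255.255.0"
defaultrouter="192.168.100.1"
# Forward packets between bge0 and bge1; needed for the NAT rules in rc.firewall.
gateway_enable="YES"
keymap="ru.koi8-r"
sshd_enable="YES"
samba_enable="YES"
apache22_enable="YES"
squid_enable="YES"
squid_chdir="/usr/squid/squid/logs"
mysql_enable="YES"
mysql_dbdir="/usr/squid/db/mysql"
sams_enable="YES"

# --- IPFW ---
firewall_enable="YES"
firewall_quiet="YES"
# NOTE(review): /etc/rc.d/ipfw sources /etc/rc.firewall directly. If the
# custom ruleset below is installed as /etc/rc.firewall, firewall_type and
# firewall_flags are read only by the stock script it replaced — confirm
# which file is actually in place on the box.
firewall_type="/etc/rc.firewall"
firewall_flags="-p /bin/sh"
firewall_logging="YES"
dummynet_enable="YES"
# NOTE(review): in-kernel NAT ("ipfw nat") additionally needs the ipfw_nat
# module (ipfw_nat_load="YES" in /boot/loader.conf) or the IPFIREWALL_NAT
# kernel option; neither is shown here — confirm it is loaded.

webmin_enable="YES"
clamav_freshclam_enable="YES"
havp_enable="YES"
ntpdate_enable="YES"
ntpdate_flags="192.168.0.11"
named_enable="YES"
named_uid="bind"
# NOTE(review): an empty named_chrootdir runs named without a chroot
# (the default chroots it); keep only if that is intentional.
named_chrootdir=""
named_flags="-s"
postfix_enable="YES"
openvpn_enable="YES" # YES or NO
openvpn_if="tun" # driver(s) to load, set to "tun", "tap" or "tun tap"
openvpn_configfile="/usr/local/etc/openvpn/server.conf" # --config file
openvpn_dir="/usr/local/etc/openvpn" # --cd directory
clamav_clamd_enable="YES"
clamsmtpd_enable="YES"
spamd_enable="YES"
# Postfix replaces sendmail: disable every sendmail instance.
sendmail_enable="NO"
# Was misspelled "sendmail_outbond_enable"; rc(8) ignores an unknown
# variable, so the default from /etc/defaults/rc.conf applied instead.
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
siproxd_enable="YES"
arpwatch_enable="YES"
arpwatch_interfaces="bge0"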
pureftpd_enable=YES
rc.firewall
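#!/bin/sh
# Custom IPFW ruleset for gateway "out": bge0 = LAN, bge1 = uplink.
#
# Rules are added with "$cmd <number> ...". ipfw orders rules by number,
# not by their position in this file, so rule 806 (written next to the
# NAT section below) actually sits between 300 and 851.
#
# Why the NAT rules (030 / 851 / 855, all commented out) break the uplink:
# they reference nat instance 123, but the "ipfw nat 123 config" line that
# creates that instance is commented out too. Adding any "nat 123" rule
# without first configuring the instance hands matching packets to a
# non-existent NAT instance. Uncomment and load the config line before
# enabling any of those rules.
# NOTE(review): in-kernel NAT also needs the ipfw_nat module
# (ipfw_nat_load="YES" in /boot/loader.conf) — confirm it is loaded.
# NOTE(review): whether a packet continues past a nat rule depends on
# sysctl net.inet.ip.fw.one_pass (1 = accept right after nat, 0 = keep
# going); the skipto chain below only makes sense for one of them — confirm.
#
# Effective policy as written: anything not caught by the deny rules
# 200-215 reaches rule 806 "allow ip from any to any", so the skipto
# allow-list in 052-154 never restricts anything. The commented-out
# rules 400/410 (deny in/out on $LanOut) are what would make it a
# real allow-list.
#
# NOTE(review): errors from the individual ipfw commands are not checked;
# a rule ipfw rejects (rule 300 still carries a placeholder address, for
# example) is skipped while the rest of the set still loads.

# $cmd is intentionally unquoted: it must expand to two words.
# shellcheck disable=SC2086

ipfw -f flush
ipfw -f pipe flush
ipfw -f queue flush

# NAT instance 123 (disabled). Must be created before any "nat 123" rule.
#ipfw nat 123 config if bge1 log same_ports reset redirect_port tcp 192.168.1.94:10101 10101

cmd="/sbin/ipfw add"

LanOut="bge1"                 # external NIC
NetOut="192.168.100.0/24"     # external network (not referenced below)
IpOut="192.168.100.31"        # external IP
LanIn="bge0"                  # internal NIC
NetIn="192.168.0.0/23"        # internal network (only the disabled NAT rules use it)
ip_lan="192.168"              # internal address prefix (not referenced below)
openvpn_if="tun0"             # OpenVPN interface
IpVPN="10.10.200.0"           # VPN network (not referenced below)
skip="skipto 851"             # 851 is commented out, so this lands on 853 (allow)
skip2="skipto 855"            # 855 is commented out, so this lands on 856 (allow)
skip3="skipto 999"            # 999 is commented out, so this lands on the default rule
proxymac="20:cf:30:0e:a0:82"  # not referenced below

# local
$cmd 005 allow all from any to any via $LanIn
# VPN
$cmd 006 allow all from any to any via tun0
# loopback
$cmd 010 allow all from any to any via lo0

# Incoming traffic to NAT (disabled; see header)
#$cmd 030 nat 123 ip from any to any in via $LanOut

# Allow DYN rules
$cmd 040 check-state

# DNS resolve
$cmd 052 $skip ip from any 53 to any via ${LanOut}
$cmd 053 $skip ip from any to any 53 via ${LanOut}

# WWW
$cmd 054 $skip ip from any to me 4325 via $LanOut setup keep-state
$cmd 055 $skip ip from any to me 4326 via $LanOut setup keep-state
$cmd 056 $skip ip from any to me 2525 via $LanOut setup keep-state

# Outgoing server to Internet
$cmd 060 $skip ip from me to any out via $LanOut setup keep-state

# Postal service
$cmd 071 $skip tcp from any to me 25 via $LanOut setup keep-state
$cmd 072 $skip tcp from any to 80.93.62.30 25 via $LanOut setup keep-state
$cmd 073 $skip tcp from any to 80.93.62.23 110 via $LanOut setup keep-state

# Taxcom
$cmd 074 $skip tcp from any to host33.taxcom.ru 25,110,443 via $LanOut setup keep-state
$cmd 075 $skip tcp from any to host28.taxcom.ru 25,110,443 via $LanOut setup keep-state
$cmd 076 $skip ip from any to 213.24.62.98 491 via $LanOut setup keep-state

# FTP
$cmd 077 $skip ip from any to me 20-21,30000-50000 via $LanOut setup keep-state

# banking service
$cmd 090 $skip tcp from any to any 3290 out via $LanOut setup keep-state
$cmd 094 $skip ip from any to any 1024,2046,55777 out via $LanOut keep-state
$cmd 092 $skip tcp from any to any 2525 out via $LanOut setup keep-state
$cmd 093 $skip tcp from any to 195.250.56.144 via $LanOut setup keep-state
$cmd 095 $skip ip from any to 194.186.207.182 via $LanOut setup keep-state

# Vipnet
$cmd 164 $skip ip from any to any 55781,55777 via $LanOut

# ICMP
$cmd 100 $skip icmp from any to any out via $LanOut keep-state

# OpenVPN
$cmd 101 $skip tcp from any to ${IpOut} 2000 in via ${LanOut}
$cmd 102 $skip tcp from ${IpOut} 2000 to any out via ${LanOut}
$cmd 103 $skip all from any to any in via ${openvpn_if}
$cmd 104 $skip all from any to any out via ${openvpn_if}

# RDP
$cmd 110 $skip ip from 192.168.1.135 to any 3389 out via $LanOut setup keep-state
$cmd 111 $skip ip from 192.168.1.187 to any 3389 out via $LanOut setup keep-state
$cmd 112 $skip ip from 192.168.1.25 to any 3389 out via $LanOut setup keep-state
$cmd 113 $skip ip from 192.168.1.113 to any 3389 out via $LanOut setup keep-state
$cmd 114 $skip ip from 192.168.1.39 to any 3389 out via $LanOut setup keep-state

# Time
$cmd 120 $skip udp from any to any 123 out via $LanOut keep-state

# NAT for 192.168.0.11
$cmd 130 $skip ip from 192.168.0.11 to any out via $LanOut setup keep-state
$cmd 131 $skip ip from 192.168.1.25 to any out via $LanOut setup keep-state
$cmd 132 $skip ip from 192.168.0.50 to any out via $LanOut setup keep-state

# WSUS
$cmd 133 $skip ip from 192.168.0.3 to any 80,443 out via $LanOut setup keep-state

# Direktor
$cmd 134 $skip ip from 192.168.1.236 to any out via $LanOut setup keep-state

# Iphone
$cmd 135 $skip ip from 192.168.1.119 to any out via $LanOut setup keep-state
$cmd 137 $skip ip from 192.168.0.132 to any out via $LanOut setup keep-state

# Puzikov
$cmd 136 $skip ip from 192.168.1.57 to any out via $LanOut setup keep-state

# WoT
$cmd 138 $skip ip from any to any 20013-20018,32801-32825 out via $LanOut keep-state

# Petukhova
$cmd 139 $skip ip from 192.168.0.43 to any out via $LanOut setup keep-state

# ATS
$cmd 140 $skip udp from 192.168.0.95 to any 5060,7070-7089,1024-65535 out via $LanOut keep-state
$cmd 141 $skip2 tcp from 192.168.0.95 155 to any via $LanOut

# Videonablyudenie (video surveillance)
$cmd 151 $skip ip from any to 192.168.1.94 10101 in via $LanOut

# Videokamera
$cmd 152 $skip ip from any 5000-5010 to any via ${LanOut}
$cmd 153 $skip ip from any to any 5000-5010 via ${LanOut}

# Televizor
$cmd 154 $skip ip from 192.168.0.45 to any out via $LanOut setup keep-state

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 200 deny all from 192.168.0.0/16 to any in via $LanOut
$cmd 201 deny all from 172.16.0.0/12 to any in via $LanOut
$cmd 202 deny all from 10.0.0.0/8 to any in via $LanOut
$cmd 203 deny all from 127.0.0.0/8 to any in via $LanOut
$cmd 204 deny all from 0.0.0.0/8 to any in via $LanOut
$cmd 205 deny all from 169.254.0.0/16 to any in via $LanOut
$cmd 206 deny all from 192.0.2.0/24 to any in via $LanOut
$cmd 207 deny all from 204.152.64.0/23 to any in via $LanOut
$cmd 208 deny all from 224.0.0.0/3 to any in via $LanOut

# Deny ident
$cmd 209 deny tcp from any to any 113 in via $LanOut

# Netbios
$cmd 210 deny tcp from any to any 137 via $LanOut
$cmd 211 deny tcp from any to any 138 via $LanOut
$cmd 212 deny tcp from any to any 139 via $LanOut
$cmd 213 deny tcp from any to any 81 via $LanOut

# Deny fragmented packets
$cmd 214 deny all from any to any frag in via $LanOut

# Deny ACK packets that did not match the dynamic rule table
$cmd 215 deny tcp from any to any established in via $LanOut

# Allow in ssh from Internet
# xxx.xxx.xxx.xxx is a placeholder (or a redaction); ipfw cannot load the
# rule as written, so replace it with the real admin address.
$cmd 300 allow tcp from xxx.xxx.xxx.xxx to me 22 in via $LanOut setup limit src-addr 1

# Reject incoming traffic from Inet (disabled)
#$cmd 400 deny log all from any to any in via $LanOut

# Reject outgoing traffic to Inet (disabled)
#$cmd 410 deny log all from any to any out via $LanOut

# NAT from local to Inet (disabled; see header)
#$cmd 851 nat 123 ip from $NetIn to any out via $LanOut

# Catch-all: everything not denied above is allowed here (sorts before 851).
$cmd 806 allow ip from any to any

$cmd 853 allow ip from any to any
$cmd 854 $skip3 ip from any to any
#$cmd 855 nat 123 ip from $NetIn to any via $LanOut
$cmd 856 allow ip from any to any
#$cmd 999 deny log all from any to any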
Как только я включаю любое правило, содержащее "nat", внешняя сетевая (bge1) сразу же падает. В какую примерно сторону копать?
> блаблабла
> rc.firewall
> #!/bin/sh
> ipfw -f flush
> ipfw -f pipe flush
> ipfw -f queue flush
> #NAT
> #ipfw nat 123 config if bge1 log same_ports reset redirect_port tcp 192.168.1.94:10101 10101
> блаблабла
Есть мнение, что выбрасывание пакетов в несозданный инстанс кернел-ната, да ещё и на восьмёрке — дело весьма чреватое...