Добрый день, мужики спасайте,

достал он уже. Короче есть роутер всего предприятия, должен делать нат, и выпускать изнутри сервера, плюс он обслуживает днс, почту редериктами на порты. Вроде сделал как обычно всё, а ничего не работает. Вот конфиги все, спасайте, ГОРИТ....

bash-2.05b# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.tcp.rfc1323=1
net.inet.tcp.strict_rfc1948=1
net.inet.tcp.newreno=1
net.inet.tcp.inflight_enable=1
net.inet.tcp.inflight_min=6144
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=65535
net.inet.tcp.log_in_vain=1
net.inet.tcp.always_keepalive=1
net.inet.tcp.blackhole=2
net.inet.tcp.drop_synfin=1
net.inet.tcp.delayed_ack=1
net.inet.tcp.strict_rfc1948=1
net.inet.tcp.isn_reseed_interval=1800
net.inet.tcp.syncookies=0
net.inet.tcp.syncache.hashsize=512
net.inet.tcp.syncache.cachelimit=15359
net.inet.tcp.syncache.bucketlimit=30
net.inet.tcp.syncache.rexmtlimit=3
net.inet.tcp.msl=7500
net.inet.icmp.maskrepl=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.icmplim=300
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.udp.sendspace=32768
net.inet.udp.recvspace=32768
net.inet.udp.maxdgram=28672
net.inet.udp.blackhole=1
net.inet.udp.log_in_vain=1
net.inet.ip.ttl=255
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.rtexpire=60
net.inet.ip.rtminexpire=10
net.inet.ip.check_interface=1
net.inet.ip.portrange.last=30000
net.inet.ip.redirect=0
net.inet.ip.random_id=1
net.inet.raw.maxdgram=57344
net.inet.raw.recvspace=65536
net.local.dgram.maxdgram=57344
net.local.dgram.recvspace=65536
net.local.stream.recvspace=65536
net.local.stream.sendspace=65536
net.link.ether.inet.max_age=1200
vfs.vmiodirenable=1
kern.coredump=1
security.bsd.see_other_uids=0
kern.maxprocperuid=512
kern.maxfilesperproc=1024
kern.maxfiles=65536
kern.somaxconn=512
kern.ipc.somaxconn=4096
kern.ipc.maxsockbuf=384000
kern.ipc.nmbclusters=4096
kern.ipc.maxsockets=4096
kern.polling.enable=1
kern.fallback_elf_brand=3
kern_securelevel=1
kern.corefile="/var/tmp/%U.%N.core"

bash-2.05b# cat /etc/pf.conf
ext_if = "xl0"
int_if = "vlan0"
vlan1_if ="vlan1"
vlan2_if ="vlan2"

ext_net ="{195.7.xxx.222, 195.7.xxx.218, 195.7.xxx.219, 195.7.xxx.220, 195.7.xxx.221}"
int_net ="192.168.0.12"
dmz_net ="10.0.0.3"
roi1_net ="192.168.56.2"
roi ="192.168.56.0/255.255.255.248"
NETBIOS ="{ 137, 138, 139 }"
icmp_types = "{ 8, 11 }"
spoofed1 ="{127.0.0.1/8, 172.16.0.0/12, 192.168.0.0/24, 192.168.55.0/24, 255.255.255.255/32 }"
spoofed2 ="{127.0.0.1/8, 10.0.0.0/8, 255.255.255.255/32 }"
dmz ="{10.0.0.0/8 }"

set block-policy drop
set optimization normal
set fingerprints "/etc/pf.os"
set loginterface $ext_if
scrub in all no-df fragment reassemble random-id
#scrub out all random-id

#############
# NAT
#############
nat on $ext_if from $dmz to any -> 195.7.xxx.218
rdr pass on $ext_if inet proto tcp from any to 195.7.xxx.218 port 53 -> 10.0.0.5 port 53
rdr pass on $ext_if inet proto udp from any to 195.7.xxx.218 port 53 -> 10.0.0.5 port 53
rdr pass on $ext_if inet proto tcp from any to 195.7.xxx.222 port 25 -> 10.0.0.26 port 25
rdr pass on $ext_if inet proto tcp from any to 195.7.xxx.222 port 110 -> 10.0.0.26 port 110

block in log all
block out log all
block inet6 all

##################################
# loopback packets left unmolested
##################################
pass in quick on lo0 all
pass out quick on lo0 all

#########################
# Fuzz any 'nmap' attempt
#########################
block in log quick inet proto tcp from any to any flags FUP/FUP
block in log quick inet proto tcp from any to any flags SF/SFRA
block in log quick inet proto tcp from any to any flags /SFRA
block in log quick inet proto tcp from any to any flags SAFRPU/SAFRPU
block in log quick inet proto tcp from any to any flags SAFRU/SAFRU
block in log quick inet proto tcp from any to any flags SF/SF
block in log quick inet proto tcp from any to any flags SR/SR
block in log quick os NMAP

####################################
# Drop broadcasts (cable modem noice)
####################################
block in from any to 255.255.255.255

###############
# Drop netbios
###############
block in quick inet proto { tcp udp } from any to any port $NETBIOS

#################################
# Pass only special types of icmp
#################################
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out inet proto icmp all icmp-type $icmp_types keep state

##############
# rules
###############

#почта
pass in on $ext_if inet proto tcp from any to 10.0.0.26 port smtp keep state
#pass in on $ext_if inet proto tcp from any to 10.0.0.26 port imap keep state
pass in on $ext_if inet proto tcp from any to 10.0.0.26 port pop3 keep state

#веб
pass in on $ext_if inet proto tcp from any to 10.0.0.9 port 80 keep state
pass in on $ext_if inet proto tcp from any to 10.0.0.4 port 80 keep state
pass in on $ext_if inet proto tcp from any to 10.0.0.14 port 80 keep state

#dns
pass in on $ext_if inet proto tcp from any to 10.0.0.5 port 53 keep state
pass in on $ext_if inet proto udp from any to 10.0.0.5 port 53 keep state

#ssh
pass in on $vlan1_if inet proto tcp from any to $dmz_net port ssh keep state

#выпускаем всё
pass out on $int_if from {192.168.0.9, 192.168.0.11}  to any keep state
pass out on $ext_if from 195.7.xxx.222 to any keep state
pass out on $ext_if from { 10.0.0.3, 10.0.0.5, 10.0.0.26, 10.0.0.2, 10.0.0.4, 10.0.0.6} to any keep state
#pass out on $vlan1_if from {10.0.0.3, 10.0.0.5, 10.0.0.26, 10.0.0.2, 10.0.0.4, 10.0.0.6} to any keep state
pass out on $vlan1_if from any to any keep state
pass out on $ext_if from any to any keep state
#pass in on $vlan1_if from any to any keep state
pass out on $vlan1_if from any to any keep state

bash-2.05b# cat /etc/rc.conf
gateway_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
ifconfig_xl0="inet 195.7.xxx.222 netmask 255.255.255.248"
#ifconfig_bge0="inet 192.168.0.12 netmask 255.255.255.0"
ifconfig bge0 up
cloned_interfaces="vlan0 vlan1 vlan2"
ifconfig_vlan0="inet 192.168.0.12 netmask 255.255.255.0 vlan 1 vlandev bge0"
ifconfig_vlan1="inet 10.0.0.3 netmask 255.255.255.0 vlan 9 vlandev bge0"
ifconfig_vlan2="inet 192.168.56.2 netmask 255.255.255.248 vlan 20 vlandev bge0"

hostname="nх2.xxxxx.ru"
defaultrouter="195.7.xxx.2xx"
fsck_y_enable="YES"
ifconfig xl0 alias 195.7.xxx.218 netmask 255.255.255.0

Что может не так?

• FreeBSD Роутер. Достал!!!, Byte, 13:14 , 26-Сен-05, (1)