Доброго дня!ребята, сломали всю голову не можем понять, вообщем достался сервер от предыдущего админа, на серваке фря 6.2 сквид ипфв и нат. после переезда отказалось работать аська, и не можем соедениться с такскомом по 25 и 110 порту с компов пользователей, с роутера все работает, т.е. соединение есть, в чем косяк никак не пойму.
выкладываю конфиги:
mail# cat /etc/rc.conf
hostname="mail.triss.ru"
network_interfaces="lo0 lan0 int0"
ifconfig_rl0_name="lan0"
ifconfig_lan0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_re0_name="int0"
ifconfig_int0="inet 89.63.207.210 netmask 255.255.255.248"
defaultrouter="89.63.207.209"
gateway_enable="YES"
firewall_enable="YES"
#firewall_type="/etc/firewall.conf"
firewall_quiet="YES"
firewall_logging="YES"
ipv6_enable="NO"
ipv6_firewall_enable="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
icmp_bmcastecho="NO"
fsck_y_enable="YES"
rcshutdown_timeout="120"
check_quotas="NO"
sendmail_enable="NO"
named_enable="YES"
named_flags="-4"
sshd_enable="YES"
syslogd_enable="YES"
syslogd_flags="-ss"
ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib /usr/local/lib/compat/pkg /usr/local/mysql/lib/mysql /usr/local/clamav/lib"
natd_enable="YES"
natd_interface="int0"
natd_flags=" -p 8668 -same_ports -use_sockets -redirect_port tcp 192.168.0.2:3389 3389"
#natd_flags="-u -s -m"
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
keymap="ru.koi8-r"
keyrate="normal"
cursor="destructive"
scrnmap="koi8-r2cp866"
# -- sysinstall generated deltas -- # Sun Sep 27 22:18:02 2009
ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"
defaultrouter="83.69.207.210"
hostname="mail.triss.ru"
# -- sysinstall generated deltas -- # Sun Sep 27 22:24:16 2009
ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"
defaultrouter="83.69.207.210"
hostname="mail.triss.ru"
# -- sysinstall generated deltas -- # Sun Sep 27 22:29:38 2009
ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"
defaultrouter="83.69.207.210"
hostname="mail.triss.ru"
# -- sysinstall generated deltas -- # Thu Oct 1 09:54:12 2009
ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"
defaultrouter="83.69.207.210"
hostname="mail.triss.ru"
# -- sysinstall generated deltas -- # Thu Oct 1 10:30:49 2009
ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"
defaultrouter="83.69.207.210"
hostname="mail.triss.ru"
# -- sysinstall generated deltas -- # Thu Oct 1 10:35:53 2009
ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"
defaultrouter="83.69.207.210"
hostname="mail.triss.ru"
# -- sysinstall generated deltas -- # Thu Oct 1 10:49:25 2009
ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"
defaultrouter="83.69.207.209"
hostname="mail.triss.ru"
# -- sysinstall generated deltas -- # Thu Oct 1 11:22:32 2009
defaultrouter="83.69.207.209"
hostname="mail.triss.ru"
# -- sysinstall generated deltas -- # Thu Oct 1 11:27:44 2009
ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"
ifconfig_lan0="inet 192.168.0.1 netmask 255.255.255.0"
defaultrouter="83.69.207.209"
hostname="mail.triss.ru"
# -- sysinstall generated deltas -- # Thu Oct 1 11:50:01 2009
ifconfig_int0="inet 83.69.207.210 netmask 255.255.255.248"
defaultrouter="83.69.207.209"
hostname="mail.triss.ru"
mail#
mail# cat /etc/firewall.conf
#add 50 deny all from any to 84.204.3.255 via int0
add 100 allow ip from any to any via lo
add 110 deny log ip from 192.168.0.0/24 to any in via int0
add 115 allow all from any to 255.255.255.255:67 via lan0
add 120 deny log ip from not 192.168.0.0/24 to any in via lan0
add 140 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
add 145 allow icmp from any to any
add 4200 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24 80 out xmit int0
add 4210 divert 8668 ip from 192.168.0.0/24 to any out via int0
add 4220 divert 8668 ip from any to 83.69.207.209 in via int0
add 4260 allow all from 87.245.135.160 to me 3389
add 4261 allow all from 87.245.135.160 to 192.168.0.2 3389
add 4261 allow all from 87.245.135.160 to 192.168.0.9 3389
add 4262 allow all from 194.67.255.242 to me 3389
add 4263 allow all from 194.67.255.242 to 192.168.0.9 3389
add 4265 deny all from any to me 3389
add 4266 deny ip from any to 192.168.0.2 dst-port 3389
add 4300 allow all from me to any
add 4305 allow tcp from any to me 22,25,26,80,110,443,1025-65535
#add 4307 allow all from any to any 5190
#add 4308 allow all from any 5190 to any
add 4310 allow ip from me to any 53
add 4315 allow ip from any 53 to me
add 4320 allow ip from any to me 53
add 4325 allow ip from me 53 to any
add 4326 allow ip from any to me 67 via lan0
add 4327 allow ip from me 67 to any via lan0
add 4330 allow ip from me to any 123,6277
add 4335 allow ip from any 123,6277 to me
add 4340 allow ip from 192.168.0.2 to any 123
add 4341 allow ip from any 123 to 192.168.0.2
add 4342 allow ip from 192.168.0.22 to any 123
add 4343 allow ip from any 123 to 192.168.0.22
#add 4520 allow tcp from 192.168.0.0/24 to any via lan0
add 4520 allow tcp from any to 192.168.0.0/24 via int0
#add 11002 allow tcp from 192.168.0.2 to not 192.168.0.0/24 via lan0
#add 11003 allow tcp from 192.168.0.3 to not 192.168.0.0/24 via lan0
#add 11004 allow tcp from 192.168.0.4 to not 192.168.0.0/24 via lan0
#add 11005 allow tcp from 192.168.0.5 to not 192.168.0.0/24 via lan0
#add 11006 allow tcp from 192.168.0.6 to not 192.168.0.0/24 via lan0
#add 11007 allow tcp from 192.168.0.7 to not 192.168.0.0/24 via lan0
#add 11008 allow tcp from 192.168.0.8 to not 192.168.0.0/24 via lan0
#add 12002 allow tcp from not 192.168.0.0/24 to 192.168.0.2 via lan0
#add 12003 allow tcp from not 192.168.0.0/24 to 192.168.0.3 via lan0
#add 12004 allow tcp from not 192.168.0.0/24 to 192.168.0.4 via lan0
#add 12005 allow tcp from not 192.168.0.0/24 to 192.168.0.5 via lan0
#add 12006 allow tcp from not 192.168.0.0/24 to 192.168.0.6 via lan0
#add 12007 allow tcp from not 192.168.0.0/24 to 192.168.0.7 via lan0
#add 12008 allow tcp from not 192.168.0.0/24 to 192.168.0.8 via lan0
add 12100 allow tcp from 195.161.42.230 to 192.168.0.5 25,110
add 12110 allow tcp from 192.168.0.5 to 195.161.42.230 25,110
add 65000 allow gre from any to any
#add 65534 deny log ip from any to any
add 65534 allow all from any to any
mail#
mail# ipfw list
00100 allow ip from any to any via lo
00110 deny log logamount 1000 ip from 192.168.0.0/24 to any in via int0
00115 allow ip from any to 0.0.0.67:0.0.0.67 via lan0
00120 deny log logamount 1000 ip from not 192.168.0.0/24 to any in via lan0
00140 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00145 allow icmp from any to any
02000 allow tcp from 192.168.0.253 to not 192.168.0.0/24 dst-port 80
04200 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24 dst-port 80 out xmit int0
04210 divert 8668 ip from 192.168.0.0/24 to any out via int0
04220 divert 8668 ip from any to 83.69.207.209 in via int0
04260 allow ip from 87.245.135.160 to me dst-port 3389
04261 allow ip from 87.245.135.160 to 192.168.0.2 dst-port 3389
04261 allow ip from 87.245.135.160 to 192.168.0.9 dst-port 3389
04262 allow ip from 194.67.255.242 to me dst-port 3389
04263 allow ip from 194.67.255.242 to 192.168.0.9 dst-port 3389
04265 deny ip from any to me dst-port 3389
04266 deny ip from any to 192.168.0.2 dst-port 3389
04300 allow ip from me to any
04305 allow tcp from any to me dst-port 22,25,26,80,110,443,1025-65535
04310 allow ip from me to any dst-port 53
04315 allow ip from any 53 to me
04320 allow ip from any to me dst-port 53
04325 allow ip from me 53 to any
04326 allow ip from any to me dst-port 67 via lan0
04327 allow ip from me 67 to any via lan0
04330 allow ip from me to any dst-port 123,6277
04335 allow ip from any 123,6277 to me
04340 allow ip from 192.168.0.2 to any dst-port 123
04341 allow ip from any 123 to 192.168.0.2
04342 allow ip from 192.168.0.22 to any dst-port 123
04343 allow ip from any 123 to 192.168.0.22
04520 allow tcp from any to 192.168.0.0/24 via int0
12100 allow tcp from 195.161.42.230 to 192.168.0.5 dst-port 25,110
12110 allow tcp from 192.168.0.5 to 195.161.42.230 dst-port 25,110
15000 allow tcp from 192.168.0.15 to not 192.168.0.0/24 via lan0
15001 allow tcp from 192.168.0.10 to not 192.168.0.0/24 via lan0
15002 allow tcp from 192.168.0.23 to not 192.168.0.0/24 via lan0
15003 allow tcp from 192.168.0.33 to not 192.168.0.0/24 via lan0
15004 allow tcp from 192.168.0.13 to not 192.168.0.0/24 via lan0
15005 allow tcp from 192.168.0.29 to not 192.168.0.0/24 via lan0
15006 allow tcp from 192.168.0.22 to not 192.168.0.0/24 via lan0
15007 allow tcp from 192.168.0.20 to not 192.168.0.0/24 via lan0
15008 allow tcp from 192.168.0.18 to not 192.168.0.0/24 via lan0
15009 allow tcp from 192.168.0.3 to not 192.168.0.0/24 via lan0
15010 allow tcp from 192.168.0.2 to not 192.168.0.0/24 via lan0
15011 allow tcp from 192.168.0.252 to not 192.168.0.0/24 via lan0
15012 allow tcp from 192.168.0.6 to not 192.168.0.0/24 via lan0
15013 allow tcp from 192.168.0.24 to not 192.168.0.0/24 via lan0
15014 allow tcp from 192.168.0.30 to not 192.168.0.0/24 via lan0
15015 allow tcp from 192.168.0.5 to not 192.168.0.0/24 via lan0
15016 allow tcp from 192.168.0.34 to not 192.168.0.0/24 via lan0
15017 allow tcp from 192.168.0.14 to not 192.168.0.0/24 via lan0
15018 allow tcp from 192.168.0.11 to not 192.168.0.0/24 via lan0
15019 allow tcp from 192.168.0.16 to not 192.168.0.0/24 via lan0
15020 allow tcp from 192.168.0.8 to not 192.168.0.0/24 via lan0
15021 allow tcp from 192.168.0.32 to not 192.168.0.0/24 via lan0
15022 allow tcp from 192.168.0.26 to not 192.168.0.0/24 via lan0
15023 allow tcp from 192.168.0.27 to not 192.168.0.0/24 via lan0
15024 allow tcp from 192.168.0.19 to not 192.168.0.0/24 via lan0
15025 allow tcp from 192.168.0.9 to not 192.168.0.0/24 via lan0
15026 allow tcp from 192.168.0.35 to not 192.168.0.0/24 via lan0
15027 allow tcp from 192.168.0.253 to not 192.168.0.0/24 via lan0
15028 allow tcp from 192.168.0.31 to not 192.168.0.0/24 via lan0
15029 allow tcp from 192.168.0.21 to not 192.168.0.0/24 via lan0
15030 allow tcp from 192.168.0.12 to not 192.168.0.0/24 via lan0
15031 allow tcp from 192.168.0.4 to not 192.168.0.0/24 via lan0
16000 allow tcp from not 192.168.0.0/24 to 192.168.0.15 via lan0
16001 allow tcp from not 192.168.0.0/24 to 192.168.0.10 via lan0
16002 allow tcp from not 192.168.0.0/24 to 192.168.0.23 via lan0
16003 allow tcp from not 192.168.0.0/24 to 192.168.0.33 via lan0
16004 allow tcp from not 192.168.0.0/24 to 192.168.0.13 via lan0
16005 allow tcp from not 192.168.0.0/24 to 192.168.0.29 via lan0
16006 allow tcp from not 192.168.0.0/24 to 192.168.0.22 via lan0
16007 allow tcp from not 192.168.0.0/24 to 192.168.0.20 via lan0
16008 allow tcp from not 192.168.0.0/24 to 192.168.0.18 via lan0
16009 allow tcp from not 192.168.0.0/24 to 192.168.0.3 via lan0
16010 allow tcp from not 192.168.0.0/24 to 192.168.0.2 via lan0
16011 allow tcp from not 192.168.0.0/24 to 192.168.0.252 via lan0
16012 allow tcp from not 192.168.0.0/24 to 192.168.0.6 via lan0
16013 allow tcp from not 192.168.0.0/24 to 192.168.0.24 via lan0
16014 allow tcp from not 192.168.0.0/24 to 192.168.0.30 via lan0
16015 allow tcp from not 192.168.0.0/24 to 192.168.0.5 via lan0
16016 allow tcp from not 192.168.0.0/24 to 192.168.0.34 via lan0
16017 allow tcp from not 192.168.0.0/24 to 192.168.0.14 via lan0
16018 allow tcp from not 192.168.0.0/24 to 192.168.0.11 via lan0
16019 allow tcp from not 192.168.0.0/24 to 192.168.0.16 via lan0
16020 allow tcp from not 192.168.0.0/24 to 192.168.0.8 via lan0
16021 allow tcp from not 192.168.0.0/24 to 192.168.0.32 via lan0
16022 allow tcp from not 192.168.0.0/24 to 192.168.0.26 via lan0
16023 allow tcp from not 192.168.0.0/24 to 192.168.0.27 via lan0
16024 allow tcp from not 192.168.0.0/24 to 192.168.0.19 via lan0
16025 allow tcp from not 192.168.0.0/24 to 192.168.0.9 via lan0
16026 allow tcp from not 192.168.0.0/24 to 192.168.0.35 via lan0
16027 allow tcp from not 192.168.0.0/24 to 192.168.0.253 via lan0
16028 allow tcp from not 192.168.0.0/24 to 192.168.0.31 via lan0
16029 allow tcp from not 192.168.0.0/24 to 192.168.0.21 via lan0
16030 allow tcp from not 192.168.0.0/24 to 192.168.0.12 via lan0
16031 allow tcp from not 192.168.0.0/24 to 192.168.0.4 via lan0
65000 allow gre from any to any
65535 deny ip from any to any
mail#
содержание конфига от загруженных правил отличается, вопрос, от куда онир грузяться и каким боком блочат нам соединения, или куда смотреть хоть если это не фаер виновен.
Надеюсьна вашу помощь!!!