Есть шлюз инета на FreeBSD 4.10. Подняты squid, named, ppp, trafd, inetd. Открыты необходимые порты для почты и ICQ. Сеть многосегментная. Всё нормально работает.
Решил убрать внешний NAT (natd) и использовать ppp_nat. В rc.conf остановил natd, разрешил ppp_nat, из rc.firewall убрал правило divert natd.
Всё прекрасно продолжает работать, кроме машин, которые находятся в одном сегменте со шлюзом (192.168.0.1). В инет они выходят, но ни почта, ни аська у них не работают.
Может кто подскажет?
Исходные конфиги
rc.conf
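#!/bin/sh
# -- sysinstall generated deltas -- # Thu Jun 30 15:55:27 2005
# Created: Thu Jun 30 15:55:27 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#
# Gateway "ast": one internal interface (xl0, 192.168.0.1/24) and a ppp
# dial-up link. NAT is done by natd (fed by the "divert natd" rule in
# /etc/rc.firewall) while ppp_nat stays disabled; the two are alternatives
# and switching between them means changing this file AND rc.firewall.
local_startup="/usr/local/etc/rc.d"
hostname="ast"
#network_interfaces="avto"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_xl0="inet 192.168.0.1 netmask 255.255.255.0" #3c590
gateway_enable="YES"
#
ppp_enable="YES"
ppp_mode="ddial"
# Enable exactly one of ppp_nat / natd_enable. With ppp_nat the "divert
# natd" rule must be removed from rc.firewall, and ipfw then sees outbound
# packets on tun0 with their untranslated private source addresses.
#ppp_nat="YES"
ppp_profile="gts"
#
inetd_enable="YES"
inetd_flags="-l -wW"
#
named_enable="YES"
named_program="named"
# NOTE(review): "-u root" keeps named running as root, so a named
# compromise is a root compromise. The truncated "#-g bind" fragment
# below suggests "-u bind -g bind" was intended; a dedicated unprivileged
# user is the safer choice (check ownership of the zone/cache files first).
named_flags="-u root"
#-g bind"
squid_enable="YES"
squid_program="/usr/local/squid/sbin/squid"
# natd_enable used to share one line with squid_program. sh accepts
# "A=x B=y" as a single command, but one assignment per line is clearer.
natd_enable="YES"
natd_program="/sbin/natd"
#natd_interface="80.254.125.146"
natd_flags="-f /etc/natd.conf"
sendmail_enable="NONE"
# Was "sendmail_fags" (typo, silently ignored by rc). With
# sendmail_enable="NONE" sendmail is not started, so the flags are unused.
sendmail_flags="-bd -q5m -o DeliveryMode=q"
sshd_enable="YES"
#telnet_enable="YES"
cron_enable="YES"
#route_enable="YES"
#route_program="routed"
#route_flag="-q"
#static_routes=""
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
# Was "Firewall_type" (capital F). rc.conf variables are case-sensitive,
# so that line never had any effect; kept as a comment only.
#Firewall_type="MY"
# NOTE(review): firewall_type names a file rather than a builtin profile.
# rc.firewall may load that file with ipfw in addition to the rules edited
# into rc.firewall itself -- confirm which rule set is live (ipfw list).
firewall_type="/etc/ipfw.rules"
firewall_quiet="no"
#defaultrouter="80.254.125.145"
# Internal segments 192.168.1-7.0/24 sit behind two internal routers.
static_routes="net1 net2 net3 net4 net5 net6 net7"
route_net1="-net 192.168.1.0/24 192.168.0.252"
route_net2="-net 192.168.2.0/24 192.168.0.252"
route_net3="-net 192.168.3.0/24 192.168.0.252"
route_net4="-net 192.168.4.0/24 192.168.0.252"
route_net5="-net 192.168.5.0/24 192.168.0.252"
route_net6="-net 192.168.6.0/24 192.168.0.252"
route_net7="-net 192.168.7.0/24 192.168.0.250"
# TCP/ICMP hardening knobs.
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
icmp_bmcastecho="NO"
tcp_extensions="NO"
tcp_keepalive="YES"
amd_enable="NO"
blanktime="300"
# NOTE(review): ibcs2/linux/svr4 load foreign-ABI emulation into the
# kernel of a border gateway; disable whichever of these are not needed.
ibcs2_enable="YES"
kern_securelevel_enable="NO"
keymap="ru.koi8-r"
linux_enable="YES"
nfs_reserved_port_only="YES"
saver="daemon"
scrnmap="NO"
svr4_enable="YES"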
rc.firewall
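# NAT via natd: everything crossing the ppp link is translated here, before
# any rule below sees it. With ppp_nat="YES" this rule is removed, and ipfw
# then sees outbound packets with their *untranslated* private source
# addresses (ppp aliases them only after they leave the kernel via tun0).
${fwcmd} add 45 divert natd all from any to any via tun0
#Enable local interface
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
# Transparent proxy: internal HTTP is redirected to squid on the gateway,
# so web traffic is originated by the gateway itself and never leaves tun0
# with a private source address.
${fwcmd} add 350 fwd 192.168.0.1,3128 tcp from 192.168.0.0/16 to any 80 via xl0
#Protect atack spoofing
# Anti-spoofing is an *inbound* check: only a packet arriving on tun0 with a
# private source address is bogus. The original "via tun0" matched both
# directions, which was harmless only while natd (rule 45) had already
# rewritten outbound sources. Without that rule every outbound SYN from
# 192.168.0.x (mail, ICQ -- but not HTTP, which squid originates) most likely
# died here, while other segments passed because the old rule covered only
# /24. "in" restores outbound traffic; /16 covers all internal segments.
${fwcmd} add deny tcp from 10.0.0.0/8 to any in via tun0 setup
${fwcmd} add deny tcp from 172.16.0.0/12 to any in via tun0 setup
${fwcmd} add deny tcp from 192.168.0.0/16 to any in via tun0 setup
#Protect internal net from out net
# 23 (telnet) is cleartext; 22 is already open on the same interface.
${fwcmd} add allow tcp from any to any 22,23 via xl0
${fwcmd} add allow tcp from any 22,23 to any via xl0
# NOTE(review): the "from any <port> to any" rules below (25/110, 8448, 443,
# 8022/8023, 80, 5190, 33000-34000, 1024-1100, udp 53) accept any packet
# whose *source* port matches, in either direction, with no state check.
# The source port is chosen by the remote end, so these rules bypass every
# later deny. ipfw's "established" (TCP) or check-state/keep-state express
# "return traffic only" without that hole, e.g.
#   ${fwcmd} add allow tcp from any 25,110 to any established
${fwcmd} add allow tcp from any to any 25,110
#via xl0
${fwcmd} add allow tcp from any 25,110 to any
#via xl0
${fwcmd} add allow tcp from any 8448 to any
${fwcmd} add allow tcp from any to any 8448
${fwcmd} add allow tcp from any 443 to any
${fwcmd} add allow tcp from any to any 443
${fwcmd} add allow tcp from any 8022,8023 to any
${fwcmd} add allow tcp from any to any 8022,8023
${fwcmd} add deny icmp from any to any frag
${fwcmd} add pass icmp from any to any via xl0
#Open HTTP
${fwcmd} add pass tcp from any 80 to any
${fwcmd} add pass tcp from any to any 80
${fwcmd} add pass tcp from any 5190 to any
${fwcmd} add pass tcp from any to any 5190
#Open ports
${fwcmd} add pass tcp from any 33000-34000 to any
${fwcmd} add pass tcp from any to any 33000-34000
${fwcmd} add pass udp from any 33000-34000 to any
${fwcmd} add pass udp from any to any 33000-34000
${fwcmd} add pass tcp from any 1024-1100 to any
${fwcmd} add pass tcp from any to any 1024-1100
#Open DNS
${fwcmd} add pass udp from any to any 53
${fwcmd} add pass udp from any 53 to any
#${fwcmd} add pass tcp from any to any 53
#${fwcmd} add pass tcp from any 53 to any
#Open port for internal net proxy
${fwcmd} add pass tcp from any to any 3128 via xl0
${fwcmd} add pass tcp from any 3128 to any via xl0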