The external IP changed; I put the new one into the rules and, OH HORROR, the services on the local machine stopped being reachable from outside, while those running on the other machine (mail) keep working normally. I checked: if I forward ssh to the second machine, it connects fine, but to the local one it won't. From the provider's internal network I get access normally.
P.S.: before the change everything worked fine.
Can you tell me where to look?
вот конфиг pf:
cat pf_cut.conf
int_if = "re0"
ext_if = "stge0"
second_net_if = "vr0" # provider's internal network
second_net_addr = "192.168.4.238/32"
second_net_network = "{192.168.0.0/16, 10.0.0.0/8}"
to_second_net_network = "{172.16.0.25}"
second_net_port = "{22,80,27015,27016}"
nat_addr = "{172.16.0.1, 172.16.0.25, 172.16.0.26, 172.16.0.37}"
mail_server = "172.16.0.1/32"
mail_server_ports = "{smtp, pop3, auth, imap, 8081, 8082}"
ext_addr = "192.166.x.y/32"
ext_server_ports = "{22, 80}"
icmp_types="{ echoreq, unreach}"
trusted_lan="172.16.0.0/24"
localnet="127.0.0.0/8"
set block-policy return
set skip on lo0
set skip on $int_if
scrub in all
rdr on $ext_if proto { tcp } from any to $ext_addr port $mail_server_ports -> $mail_server
nat on $ext_if from $nat_addr to !$trusted_lan -> $ext_addr
nat on $second_net_if from $to_second_net_network to $second_net_network -> $second_net_addr
antispoof quick for $ext_if
block all ## deny everything by default
pass out on $second_net_if from $second_net_if to $second_net_network keep state
pass in on $second_net_if proto {tcp} from $second_net_network to $second_net_addr port $second_net_port keep state
pass out on $ext_if from $ext_addr to any keep state
pass in on $ext_if inet proto { tcp } from any to $ext_addr keep state
pass out on $ext_if from $trusted_lan to any keep state
pass in on $ext_if proto { tcp } from any to $mail_server port $mail_server_ports keep state
pass log inet proto icmp all icmp-type $icmp_types
table <bruteforce> persist file "/var/db/blacklist"
pass in proto tcp from any to any port ssh flags S/SA keep state (source-track rule, max-src-conn-rate 2/10, overload <bruteforce> flush global)
block drop in quick from <bruteforce> to any
block out quick from any to <bruteforce>
##############################################################
Yes, an nmap of the host from outside:
PORT STATE SERVICE
22/tcp filtered ssh
25/tcp open smtp
80/tcp filtered http
#ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 40:61:86:0c:62:93
inet 172.16.0.2 netmask 0xffffff00 broadcast 172.16.0.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
stge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=820db<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether 00:18:f3:5a:aa:36
inet 192.166.x.y netmask 0xfffffffc broadcast 192.166.x.135
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=82848<VLAN_MTU,POLLING,WOL_UCAST,WOL_MAGIC,LINKSTATE>
ether 1c:bd:b9:83:73:5d
inet 192.168.4.238 netmask 0xffffff00 broadcast 192.168.4.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33152
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
#uname -a
FreeBSD host 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Wed Mar 30 03:39:33 EEST 2011 tabr@host:/usr/src/sys/amd64/compile/MY20110330 amd64
ipfw is built with
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET
Thanks in advance
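The ruleset above matches inbound traffic for the firewall's own services by address ("to $ext_addr"), so after an IP change every address macro must agree with what the interface actually carries, or the "pass in" rules silently stop matching while "rdr" forwards to other hosts keep working. The following script is an added example, not code from the post or from pf itself: it cross-checks the host-address macros in a pf.conf against ifconfig output and reports any macro whose address is not bound to an interface. The pf.conf fragment, the ifconfig text and all addresses in it are constructed sample data (documentation ranges), and the macro names it checks are the caller's choice.

```shell
#!/bin/sh
# Added example (not from the original post): flag pf.conf address macros that
# no longer match an address configured on this host's interfaces.
# All sample text below is constructed; the addresses are documentation ranges.

# Constructed pf.conf fragment: ext_addr still carries the old external IP.
PF_SAMPLE='int_if = "re0"
ext_if = "stge0"
ext_addr = "198.51.100.10/32"
second_net_addr = "192.168.4.238/32"
mail_server = "172.16.0.1/32"
pass in on $ext_if inet proto tcp from any to $ext_addr keep state'

# Constructed "ifconfig -a" output: the external interface now has 192.0.2.9.
IFC_SAMPLE='stge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.9 netmask 0xfffffffc broadcast 192.0.2.11
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.4.238 netmask 0xffffff00 broadcast 192.168.4.255'

# macro_value NAME PFCONF -> prints the bare address of macro NAME
# (quotes and an optional /32 suffix stripped); prints nothing if undefined.
macro_value() {
    printf '%s\n' "$2" |
        sed -n "s|^$1[[:space:]]*=[[:space:]]*\"\([0-9.]*\)\(/32\)\{0,1\}\".*|\1|p" |
        head -n 1
}

# check_pf_macros "MACRO1 MACRO2 ..." PFCONF IFCONFIG
# For each named macro, verifies its address is bound to some interface.
# Prints one "name addr OK|MISSING" line per macro; returns 1 if any is missing.
check_pf_macros() {
    names=$1; conf=$2; ifc=$3; missing=0
    for name in $names; do
        addr=$(macro_value "$name" "$conf")
        if [ -z "$addr" ]; then
            printf '%s (undefined) MISSING\n' "$name"
            missing=$((missing + 1))
            continue
        fi
        # -F matches the literal address; the trailing space stops 192.0.2.1
        # from matching 192.0.2.11.
        if printf '%s\n' "$ifc" | grep -Fq "inet $addr "; then
            printf '%s %s OK\n' "$name" "$addr"
        else
            printf '%s %s MISSING\n' "$name" "$addr"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Only macros that are meant to name this host's own addresses are checked;
# mail_server points at another machine and is deliberately left out.
check_pf_macros "ext_addr second_net_addr" "$PF_SAMPLE" "$IFC_SAMPLE" ||
    echo "one or more host-address macros do not match a configured interface address"
```

On a live FreeBSD box the two samples would be replaced by `cat /etc/pf.conf` and `ifconfig -a`; a MISSING line there is worth chasing before looking further, and `pfctl -sr` then confirms which address the currently loaded rules actually contain.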