На сервере стояла FreeBSD 8.0-RELEASE, всё работало без проблем. Возникла необходимость обновиться до 8.0-STABLE (проблемы с mpd5).
В результате перестал работать NAT.
В системе появился интерфейс:
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
uname -a
FreeBSD MainServer 8.0-STABLE FreeBSD 8.0-STABLE #0: Mon Apr 26 18:23:07 OMSST 2010
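# ipfw ruleset for a NAT gateway: em0 is the external interface
# (10.3.34.252), em1 the LAN (10.3.33.33), ng0 a netgraph (mpd5) link.
# Outbound traffic that is explicitly permitted creates dynamic state and
# jumps to rule 10000, where it is diverted to natd; everything else is
# dropped and logged by rule 8000.
#
# NOTE(review): "-f flush" removes every rule at once. Until the last rule
# below is loaded the host runs on a partial ruleset, so its exposure (or a
# remote lock-out) during reload depends on the kernel's default rule 65535.
ipfw="/sbin/ipfw"
${ipfw} -f flush
# NOTE(review): GRE is accepted from any source on every interface. PPTP
# needs GRE, but limiting this to the interfaces/peers that terminate
# tunnels would narrow the exposure.
${ipfw} add 1 allow gre from any to any
################## Blocked hosts #######################
${ipfw} add 10 deny all from 10.3.5.38 to any
${ipfw} add 11 deny all from 10.3.5.228 to any
#######################################################
# On ng0 only the listed 10.3.35.x sources, and anything destined to
# 10.120.37.0/24, skip the deny in rule 20 and reach the allow in rule 30.
${ipfw} add 12 skipto 30 all from 10.3.35.1 to any via ng0
${ipfw} add 13 skipto 30 all from 10.3.35.2 to any via ng0
${ipfw} add 14 skipto 30 all from 10.3.35.3 to any via ng0
${ipfw} add 15 skipto 30 all from 10.3.35.4 to any via ng0
${ipfw} add 16 skipto 30 all from 10.3.35.5 to any via ng0
${ipfw} add 19 skipto 30 all from any to 10.120.37.0/24 via ng0
${ipfw} add 20 deny all from 10.3.35.0/24 to any via ng0
# ng0, the LAN interface and loopback are fully trusted: no filtering at all.
${ipfw} add 30 allow all from any to any via ng0
${ipfw} add 40 allow all from any to any via em1
${ipfw} add 41 allow all from any to any via lo0
# Anti-spoofing: loopback addresses must not appear on any other interface.
${ipfw} add 42 deny ip from any to 127.0.0.0/8
${ipfw} add 43 deny ip from 127.0.0.0/8 to any
# Two hosts bypass the transparent proxy redirect (rule number 49 is used
# twice; ipfw accepts duplicate numbers and keeps both rules).
${ipfw} add 49 skipto 60 all from 10.3.1.65 to any
${ipfw} add 49 skipto 60 all from 10.3.1.66 to any
# Transparent proxy: TCP/80 to non-10.0.0.0/8 destinations, unless sent by
# the gateway itself, is forwarded to 10.3.33.33 port 3129.
${ipfw} add 50 fwd 10.3.33.33,3129 tcp from not 10.3.34.252 to not 10.0.0.0/8 80
# Inbound NAT: packets arriving on em0 go to natd for address translation
# before the stateful checks. Divert rules need divert-socket support in the
# running kernel (options IPDIVERT or the ipdivert module) and a running
# natd; worth re-checking after a kernel upgrade.
${ipfw} add 60 divert natd all from any to any in via em0
${ipfw} add 100 check-state
############## Outgoing ################
# Each rule below creates dynamic state and jumps to the NAT rule (10000).
# NOTE(review): rule 1000 has no direction or interface qualifier, so it
# matches ICMP in both directions, including unsolicited inbound ICMP on em0.
${ipfw} add 1000 skipto 10000 icmp from any to any keep-state
${ipfw} add 1100 skipto 10000 udp from any to any 123 out via em0 keep-state
${ipfw} add 1200 skipto 10000 udp from any to any 53 out via em0 keep-state
${ipfw} add 1300 skipto 10000 tcp from any to any 53 out via em0 setup keep-state
# Per-port allow list for clients in 10.0.0.0/8.
${ipfw} add 1500 skipto 10000 tcp from 10.0.0.0/8 to any 20 out via em0 setup keep-state
${ipfw} add 1510 skipto 10000 tcp from 10.0.0.0/8 to any 21 out via em0 setup keep-state
${ipfw} add 1520 skipto 10000 udp from 10.0.0.0/8 to any 20 out via em0 keep-state
${ipfw} add 1530 skipto 10000 udp from 10.0.0.0/8 to any 21 out via em0 keep-state
${ipfw} add 1540 skipto 10000 tcp from 10.0.0.0/8 to any 22 out via em0 setup keep-state
${ipfw} add 1550 skipto 10000 tcp from 10.0.0.0/8 to any 23 out via em0 setup keep-state
${ipfw} add 1560 skipto 10000 tcp from 10.0.0.0/8 to any 25 out via em0 setup keep-state
${ipfw} add 1570 skipto 10000 tcp from 10.0.0.0/8 to any 110 out via em0 setup keep-state
${ipfw} add 1580 skipto 10000 tcp from 10.0.0.0/8 to any 143 out via em0 setup keep-state
${ipfw} add 1590 skipto 10000 tcp from 10.0.0.0/8 to any 443 out via em0 setup keep-state
${ipfw} add 1600 skipto 10000 tcp from 10.0.0.0/8 to any 540 out via em0 setup keep-state
${ipfw} add 1610 skipto 10000 tcp from 10.0.0.0/8 to any 1433 out via em0 setup keep-state
${ipfw} add 1620 skipto 10000 udp from 10.0.0.0/8 to any 1434 out via em0 keep-state
${ipfw} add 1630 skipto 10000 tcp from 10.0.0.0/8 to any 1723 out via em0 setup keep-state
${ipfw} add 1640 skipto 10000 tcp from 10.0.0.0/8 to any 2041 out via em0 setup keep-state
${ipfw} add 1650 skipto 10000 tcp from 10.0.0.0/8 to any 2042 out via em0 setup keep-state
${ipfw} add 1660 skipto 10000 tcp from 10.0.0.0/8 to any 2802 out via em0 setup keep-state
${ipfw} add 1670 skipto 10000 tcp from 10.0.0.0/8 to any 3306 out via em0 setup keep-state
${ipfw} add 1680 skipto 10000 tcp from 10.0.0.0/8 to any 4005 out via em0 setup keep-state
${ipfw} add 1690 skipto 10000 tcp from 10.0.0.0/8 to any 5000 out via em0 setup keep-state
${ipfw} add 1700 skipto 10000 tcp from 10.0.0.0/8 to any 5190 out via em0 setup keep-state
${ipfw} add 1710 skipto 10000 tcp from 10.0.0.0/8 to any 5222 out via em0 setup keep-state
${ipfw} add 1720 skipto 10000 tcp from 10.0.0.0/8 to any 6099 out via em0 setup keep-state
${ipfw} add 1730 skipto 10000 tcp from 10.0.0.0/8 to any 6667 out via em0 setup keep-state
${ipfw} add 1740 skipto 10000 tcp from 10.0.0.0/8 to any 7438 out via em0 setup keep-state
${ipfw} add 1750 skipto 10000 tcp from 10.0.0.0/8 to any 8080 out via em0 setup keep-state
${ipfw} add 1760 skipto 10000 tcp from 10.0.0.0/8 to any 8081 out via em0 setup keep-state
${ipfw} add 1770 skipto 10000 tcp from 10.0.0.0/8 to any 8585 out via em0 setup keep-state
${ipfw} add 1780 skipto 10000 tcp from 10.0.0.0/8 to any 28512 out via em0 setup keep-state
${ipfw} add 1790 skipto 10000 tcp from 10.0.0.0/8 to any 28513 out via em0 setup keep-state
# Hosts allowed to open outbound TCP/UDP to any port.
${ipfw} add 2960 skipto 10000 tcp from 10.120.57.111 to any out via em0 setup keep-state
${ipfw} add 2961 skipto 10000 udp from 10.120.57.111 to any out via em0 keep-state
${ipfw} add 2962 skipto 10000 tcp from 10.3.5.50 to any out via em0 setup keep-state
${ipfw} add 2963 skipto 10000 udp from 10.3.5.50 to any out via em0 keep-state
${ipfw} add 2964 skipto 10000 tcp from 10.3.1.65 to any out via em0 setup keep-state
${ipfw} add 2965 skipto 10000 udp from 10.3.1.65 to any out via em0 keep-state
${ipfw} add 2966 skipto 10000 tcp from 10.3.1.66 to any out via em0 setup keep-state
${ipfw} add 2967 skipto 10000 udp from 10.3.1.66 to any out via em0 keep-state
# Destinations reachable on any TCP port. The trailing "keep-state" on
# rules 3000-3004 was cut off in the published listing and is restored here
# by analogy with the neighbouring rules.
# NOTE(review): hostnames are resolved once, when the rule is added. The
# rules therefore depend on working DNS at load time and pin whatever
# address was returned then; literal addresses are more predictable.
${ipfw} add 3000 skipto 10000 tcp from 10.0.0.0/8 to ftp.d-link.ru out via em0 setup keep-state
${ipfw} add 3001 skipto 10000 tcp from 10.0.0.0/8 to ftp.apcc.com out via em0 setup keep-state
${ipfw} add 3002 skipto 10000 tcp from 10.0.0.0/8 to ftp.freebsd.org out via em0 setup keep-state
${ipfw} add 3003 skipto 10000 tcp from 10.0.0.0/8 to 194.67.52.58 out via em0 setup keep-state
${ipfw} add 3004 skipto 10000 tcp from 10.0.0.0/8 to medeya-omsk.ru out via em0 setup keep-state
${ipfw} add 5000 skipto 10000 tcp from any to any 6501 out via em0 setup keep-state
${ipfw} add 5100 skipto 10000 udp from any to any 55777 out via em0 keep-state
# The gateway's own address may open any outbound connection.
${ipfw} add 5555 skipto 10000 tcp from 10.3.34.252 to any out via em0 setup keep-state
${ipfw} add 5556 skipto 10000 udp from 10.3.34.252 to any out via em0 keep-state
############# Incoming ################
${ipfw} add 6215 deny tcp from any to any 113 in via em0
${ipfw} add 6220 deny tcp from any to any 137 in via em0
${ipfw} add 6221 deny tcp from any to any 138 in via em0
# Fixed: rules 6222 and 6223 named the interface "emo" (letter o), which
# matches no interface used elsewhere in this ruleset, so they never fired.
${ipfw} add 6222 deny tcp from any to any 139 in via em0
${ipfw} add 6223 deny tcp from any to any 81 in via em0
# NOTE(review): rule 1000 above matches all ICMP without a direction, so
# inbound ICMP appears to be taken by it before this rule is reached.
${ipfw} add 6300 allow icmp from any to 10.3.34.252 in via em0 icmptypes 0,8,11
# Services published on the external address; only the initial SYN is
# matched here, later packets of the connection pass through rule 7777.
${ipfw} add 6500 allow tcp from any to 10.3.34.252 80 in via em0 setup
${ipfw} add 6560 allow tcp from any to 10.3.34.252 1723 in via em0 setup
# NOTE(review): "setup" tests TCP flags, so on the udp rules 6570, 6595 and
# 6600 it cannot match and those rules are dead. They are left as written
# because dropping "setup" would open these UDP ports to the Internet.
${ipfw} add 6570 allow udp from any to 10.3.34.252 1723 in via em0 setup
${ipfw} add 6580 allow tcp from any to 10.3.34.252 20 in via em0 setup
${ipfw} add 6590 allow tcp from any to 10.3.34.252 21 in via em0 setup
${ipfw} add 6595 allow udp from any to 10.3.34.252 20 in via em0 setup
${ipfw} add 6600 allow udp from any to 10.3.34.252 21 in via em0 setup
${ipfw} add 7000 skipto 10000 tcp from any to any 6501 in via em0 setup keep-state
${ipfw} add 7100 skipto 10000 udp from any to any 55777 in via em0 keep-state
# NOTE(review): "established" is a stateless test on the TCP ACK/RST bits,
# not a lookup in the dynamic-state table. Any TCP segment carrying ACK is
# accepted here, from any source and on any interface; relying on
# check-state/keep-state for return traffic would be tighter.
${ipfw} add 7777 allow all from any to any established
###########################################################################################
# Rule 7800 drops these ports without logging; everything else that reaches
# rule 8000 is dropped and logged.
${ipfw} add 7800 deny all from any to any 25,110,445,139,135,137
${ipfw} add 8000 deny log all from any to any
# Outbound NAT. Only reachable through the "skipto 10000" rules above.
# NOTE(review): no explicit allow follows this rule, so every packet that
# lands here (translated or not) ends at the default rule 65535. Traffic
# passes only if that default is "allow" -- confirm it in "ipfw list" on the
# upgraded kernel (IPFIREWALL_DEFAULT_TO_ACCEPT /
# net.inet.ip.fw.default_to_accept).
${ipfw} add 10000 divert natd all from not 10.3.34.252 to any out via em0
###########################################################################################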
em0 - 10.3.34.252 внешний ip
em1 - 10.3.33.33 локалка