ipfw и smtp/pop3

[Oniks]

Добрый день, может кто нить подсказать в чем косяк с конфигом ipfw. Есть связка squid 3.5+ipfw+kernel nat, все это на FreeBSD 10.1. Сквид настроен в качестве прозрачного прокси, в ipfw правило для него есть, у клиентов инет есть. Проблема в следующем: не работают почтовые программы outlook, bat и тому подобные. В ipfw правила есть, в чем может быть косяк и где недоглядел.
Конфиги
rc.conf

Код: Выделить всё

hostname="gazmash_fw"
ifconfig_hn0="inet 192.168.0.206 netmask 255.255.255.0"
ifconfig_hn1="inet 192.168.7.1 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
getawey_enable="YES"
sshd_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_logging="YES"
dumpdev="AUTO"
apache24_enable="YES"
squid_enable="YES"
mysql_enable="YES"
samsd_enable="YES"
local_unbound_enable="YES"
webmin_enable="YES"

ipfw.conf

Код: Выделить всё

#!/bin/sh 
ipfw="/sbin/ipfw -q" 

out_net="192.168.0.0/24" 
out_ip="192.168.0.206" 
out_if="hn0" 

in_net="192.168.7.0/24" 
in_ip="192.168.7.1" 
in_if="hn1" 

nating="192.168.7.2" 

${ipfw} -f flush 
${ipfw} add check-state 

${ipfw} add pass all from any to any via lo0 
${ipfw} add deny all from any to 127.0.0.0/8 
${ipfw} add deny ip from 127.0.0.0/8 to any 
#NAT 
${ipfw} nat 1 config ip ${out_ip} log same_ports 
${ipfw} add nat 1 log ip4 from ${in_net} to any via ${out_if} 

#Allow All trough local net interface 
${ipfw} add pass all from ${in_net} to me via ${in_if} 
${ipfw} add pass all from me to ${in_net} via ${in_if} 

${ipfw} add fwd 127.0.0.1,3129 tcp from 192.168.7.0/24 to any 80 via ${in_if}
${ipfw} add fwd 127.0.0.1,3130 tcp from 192.168.7.0/24 to any 443,5190 via ${in_if}
#mail  
${ipfw} add allow log all from ${in_net} not 0-1024 to any 110 setup via ${out_if} 
${ipfw} add allow log all from ${in_net} not 0-1024 to any 25 setup via ${out_if} 
#Allow TCP through if setup succeeded 
${ipfw} add pass tcp from any to any established 

#Allow server to Internet 
${ipfw} add pass tcp from ${out_ip} to any via ${out_if} 

# Allow SSH queries out in the world - 
${ipfw} add pass udp from ${out_ip} to any 53 keep-state 

# Allow NTP queries out in the world -
${ipfw} add pass udp from ${out_ip} to any 123 keep-state 

# Allow SSH queries out in the world 
${ipfw} add pass tcp from ${out_ip} to me 22 keep-state 

#Allow ICMP from any to any 
${ipfw} add pass icmp from any to any 

#Deny all 
#${ipfw} add deny log ip from any to any

ipfw list

Код: Выделить всё

root@gazmash_fw:~ # ipfw list
00100 check-state
00200 allow ip from any to any via lo0
00300 deny ip from any to 127.0.0.0/8
00400 deny ip from 127.0.0.0/8 to any
00500 nat 1 log logamount 600 ip4 from 192.168.7.0/24 to any via hn0
00600 allow ip from 192.168.7.0/24 to me via hn1
00700 allow ip from me to 192.168.7.0/24 via hn1
00800 fwd 127.0.0.1,3129 tcp from 192.168.7.0/24 to any dst-port 80 via hn1
00900 fwd 127.0.0.1,3130 tcp from 192.168.7.0/24 to any dst-port 443,5190 via hn1
01000 allow log logamount 600 ip from 192.168.7.0/24 not 0-1024 to any dst-port 110 setup via hn0
01100 allow log logamount 600 ip from 192.168.7.0/24 not 0-1024 to any dst-port 25 setup via hn0
01200 allow tcp from any to any established
01300 allow tcp from 192.168.0.206 to any via hn0
01400 allow udp from 192.168.0.206 to any dst-port 53 keep-state
01500 allow udp from 192.168.0.206 to any dst-port 123 keep-state
01600 allow tcp from 192.168.0.206 to me dst-port 22 keep-state
01700 allow icmp from any to any
65535 allow ip from any to any

ipfw show

Код: Выделить всё

root@gazmash_fw:~ # ipfw show
00100     0       0 check-state
00200    92   18742 allow ip from any to any via lo0
00300     0       0 deny ip from any to 127.0.0.0/8
00400     0       0 deny ip from 127.0.0.0/8 to any
00500    22    2143 nat 1 log logamount 600 ip4 from 192.168.7.0/24 to any via hn0
00600     4     285 allow ip from 192.168.7.0/24 to me via hn1
00700     4    1196 allow ip from me to 192.168.7.0/24 via hn1
00800    11     940 fwd 127.0.0.1,3129 tcp from 192.168.7.0/24 to any dst-port 80 via hn1
00900    20    5183 fwd 127.0.0.1,3130 tcp from 192.168.7.0/24 to any dst-port 443,5190 via hn1
01000     0       0 allow log logamount 600 ip from 192.168.7.0/24 not 0-1024 to any dst-port 110 setup via hn0
01100     0       0 allow log logamount 600 ip from 192.168.7.0/24 not 0-1024 to any dst-port 25 setup via hn0
01200   370  103271 allow tcp from any to any established
01300     3     180 allow tcp from 192.168.0.206 to any via hn0
01400    60    6742 allow udp from 192.168.0.206 to any dst-port 53 keep-state
01500     0       0 allow udp from 192.168.0.206 to any dst-port 123 keep-state
01600     0       0 allow tcp from 192.168.0.206 to me dst-port 22 keep-state
01700     2     176 allow icmp from any to any
65535 52525 8241018 allow ip from any to any

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[Гость]

правило ната для исх. трафика в Вашем случае должно быть чуть ли не последним.

[Oniks]

правило ната для исх. трафика в Вашем случае должно быть чуть ли не последним.

сделал его последним эффекта ноль(