Если пинговать тот же IP с сервера, потерь нет.
Между внутренним компьютером и интернетом стоит pf, конфиг ниже:
# pf ruleset for a firewall with three interfaces (external, DMZ, internal):
# source NAT for both inside networks, explicit pass rules, and a logged
# default deny as the last rule. The section numbers (3, 4, 7) have gaps,
# so parts of the original file may be missing from this listing.

# Interface macros.
ext_if = "fxp0"
dmz_if = "vr1"
int_if = "vr0"
# TCP services that inside hosts may reach. The list includes cleartext
# protocols (http, ftp, smtp, pop3), so credentials for those cross the
# network unencrypted.
# NOTE(review): ftp through NAT usually needs ftp-proxy(8) as well; none is
# visible here - confirm.
trusted_tcp_from_int = "{ ssh http https ftp smtp smtps pop3s pop3 aol nicname }"
# Defined but not referenced below; the UDP rule spells out "domain" itself.
trusted_udp_from_int = "{ domain }"
# 3. options
# packet is silently dropped
set block-policy drop
# don't filter on the loopback interface
set skip on lo0
# 4. scrub
# scrub incoming packets
scrub in all
# nat
# Rewrite the source of traffic from the internal and DMZ networks to the
# address of $ext_if. ":network" expands to the network(s) attached to the
# interface and ":0" leaves interface aliases out.
nat on $ext_if inet from $int_if:network:0 to any -> $ext_if
nat on $ext_if inet from $dmz_if:network:0 to any -> $ext_if
# 7. filter
# activate spoofing protection for all interfaces
# Drops packets whose source address fails the unicast reverse-path check.
# This rule has no "log", so packets dropped here never reach pflog0. With
# asymmetric routing, legitimate traffic can be dropped silently as well.
block in quick from urpf-failed
# Traffic sourced from the firewall's own addresses may leave on any interface.
# NOTE(review): presumably this is also what lets NATed traffic out on
# $ext_if, since with this nat syntax the source is already translated when
# the filter rules are evaluated - confirm.
pass out quick inet from { self } to any
# pass
# int_if
# trusted
# Internal network: DNS over UDP and the trusted TCP services, to anywhere.
pass in quick on $int_if proto udp from $int_if:network:0 to any port domain
pass in quick on $int_if proto tcp from $int_if:network:0 to any port $trusted_tcp_from_int
# icmp
# ICMP from the internal network is passed without "log", so pings that are
# passed by these rules do not show up on pflog0.
pass in quick on $int_if proto icmp from $int_if:network:0 to any
pass out quick on $dmz_if proto icmp from $int_if:network:0 to $dmz_if:network:0
# tcp
# DMZ hosts may open the same TCP services, to any destination.
# NOTE(review): "any" also covers the internal network on the inbound side.
# The visible rules give no matching "pass out" on $int_if except towards
# 172.116.172.1, so such flows should end at the default deny. Consider
# naming the intended destinations explicitly.
pass in quick on $dmz_if proto tcp from $dmz_if:network:0 to any port $trusted_tcp_from_int
# icmp
# Logged: ICMP from the DMZ leaving towards the internal network.
# NOTE(review): no visible rule passes ICMP in on $dmz_if, so this rule looks
# unreachable for new flows - confirm.
pass out quick log on $int_if proto icmp from $dmz_if:network:0 to $int_if:network:0
# Published services: http, ftp and ssh on 172.116.172.1 are reachable from
# any source. "synproxy state" makes pf complete the TCP handshake itself
# before connecting to the server. The second rule lets the same traffic
# leave via $int_if.
# NOTE(review): that places the exposed host on the internal segment rather
# than the DMZ. ssh and ftp are open to every source address; consider
# limiting the allowed sources. No rdr rule is visible - confirm how the
# address is reached.
pass in quick log on $ext_if proto tcp from any to 172.116.172.1/32 port { http ftp ssh } synproxy state
pass out quick log on $int_if proto tcp from any to 172.116.172.1/32 port { http ftp ssh }
# setup a default deny policy
# Everything not passed above is blocked and logged to pflog0.
block log all
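tcpdump -n -e -ttt -i pflog0 | grep 172.116.172.85 <-- IP компьютера внутри сети; команда ничего не выводит (на pflog0 попадают только пакеты, совпавшие с правилами с ключом log, а при выводе через grep tcpdump стоит запускать с -l, иначе вывод буферизуется)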
Спасибо.