Есть сервер:
FreeBSD server 8.1-RELEASE FreeBSD 8.1-RELEASE + apache22 + natd (ядерный) + postfix + IPFW (ядерный) + squid (прозрачный)
Стоят две LAN-карточки: одна смотрит в локалку, другая — внешняя, со статическим IP.
Поставил Roundcube для почты.
Проблема в том, что когда захожу извне на Roundcube, страничка грузится очень долго — может висеть минут 10. Плюс процесс natd в это время (пока страница грузится) загружен по полной. По локалке всё грузится быстро.
Если отключить natd, то всё летает.
Вот правила IPFW:
server# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 deny ip from 192.168.1.14 to any in via em1
01200 deny ip from 94.230.163.130 to any in via em0
01300 deny ip from any to 10.0.0.0/8 via em1
01400 deny ip from any to 172.16.0.0/12 via em1
01500 deny ip from any to 192.168.0.0/16 via em1
01600 deny ip from any to 0.0.0.0/8 via em1
01700 deny ip from any to 169.254.0.0/16 via em1
01800 deny ip from any to 192.0.2.0/24 via em1
01900 deny ip from any to 224.0.0.0/4 via em1
02000 deny ip from any to 240.0.0.0/4 via em1
02100 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any dst-port 80 via em0
02200 divert 8668 log ip4 from any to any via em1
02300 deny ip from 10.0.0.0/8 to any via em1
02400 deny ip from 172.16.0.0/12 to any via em1
02500 deny ip from 192.168.0.0/16 to any via em1
02600 deny ip from 0.0.0.0/8 to any via em1
02700 deny ip from 169.254.0.0/16 to any via em1
02800 deny ip from 192.0.2.0/24 to any via em1
02900 deny ip from 224.0.0.0/4 to any via em1
03000 deny ip from 240.0.0.0/4 to any via em1
03100 allow tcp from any to any established
03200 allow ip from any to any frag
03300 allow tcp from any to me dst-port 25 setup
03400 allow tcp from any to me dst-port 110 setup
03500 allow tcp from any to me dst-port 53 setup
03600 allow udp from any to me dst-port 53
03700 allow udp from me 53 to any
03800 allow tcp from any to me dst-port 80 setup
03900 allow icmp from any to any icmptypes 8
04000 allow icmp from any to any icmptypes 0
04100 allow tcp from any to me dst-port 22 keep-state
04400 allow tcp from any to 94.230.163.131 dst-port 49489 keep-state
04500 allow udp from 192.168.1.0/24 to 192.168.1.0/24 dst-port 137,138,139,445
04600 allow tcp from 192.168.1.0/24 to 192.168.1.0/24 dst-port 137,138,139,445
04700 deny log ip4 from any to any in via em1 setup proto tcp
04800 allow tcp from any to any setup
04900 allow udp from me to any dst-port 53 keep-state
05000 allow udp from me to any dst-port 123 keep-state
65535 deny ip from any to any
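# /etc/rc.conf excerpt: network, firewall/NAT and service settings for this host.
# Two interfaces: em0 is the LAN side, em1 is the external side.

# Upstream gateway on the external /29 (em1 has netmask 255.255.255.248).
defaultrouter="94.230.163.129"
# LAN side. Rule 01100 in the ipfw list drops packets that claim this
# address when they arrive inbound on em1 (anti-spoofing).
ifconfig_em0="inet 192.168.1.14 netmask 255.255.255.0"
# External side; the address was redacted by the author ("xx.xx.xx.xx").
ifconfig_em1="inet xx.xx.xx.xx netmask 255.255.255.248"
keymap="ru.koi8-r"
sshd_enable="YES"
mysql_enable="YES"
courier_authdaemond_enable="YES"
courier_imap_pop3d_enable="YES"
courier_imap_imapd_enable="YES"
# natd listens on the external interface; this matches ipfw rule 02200
# ("divert 8668 ... via em1"), so every IPv4 packet crossing em1 —
# including traffic to the host's own external address — goes through natd.
natd_enable="YES"
natd_interface="em1"
postfix_enable="YES"
apache22_enable="YES"
# squid is the target of ipfw rule 02100 (LAN port-80 traffic is fwd'ed to 127.0.0.1:3128).
squid_enable="YES"
firewall_enable="YES"
#firewall_type="open"
# The "simple" profile of /etc/rc.firewall; the ipfw list above appears to
# follow its layout (anti-spoof denies, divert, established/frag, per-port allows).
firewall_type="simple"
# Enables IP forwarding between em0 and em1.
gateway_enable="YES"
samba_enable="YES"
hostname="server"
named_enable="YES"
#No Sendmail - POSTFIX - Rulezzz
# All four sendmail knobs must be "NO" to fully disable sendmail.
# The last one was previously misspelled ("eneble"); a misspelled key is
# silently ignored, so the default for sendmail_msp_queue_enable applied
# and the MSP queue runner could still start alongside postfix.
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
dumpdev="NO"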