Имею шлюз на FreeBSD 7.2 + IPFW + NATD
Изнутри сети все бегает шустро, при попытке зайти снаружи на сервер по ssh или www все жутко тормозит (mc открывается квадратами, http странички грузятся по минуте), подскажите где может быть косяк.
rc.conf:
# /etc/rc.conf fragment: interfaces, firewall and NAT for the gateway.
ifconfig_em0="inet 172.16.26.28 netmask 255.255.255.0"   # external interface (the natd_interface below)
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.0.0"       # internal LAN interface (192.168.0.0/16)
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"   # custom ruleset run by /etc/rc.d/ipfw instead of the stock firewall_type profiles
natd_enable="YES"
natd_interface="em0"                # natd translates to/from the address bound to em0
natd_flags="-f /etc/natd.conf"      # the rest of natd's options (redirects etc.) live in this file
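#!/bin/sh
# /etc/ipfw.rules -- ipfw ruleset for the FreeBSD gateway (rc.conf:
# firewall_script). Rules are numbered in the order they are added and the
# first match wins. A divert rule hands the packet to the process bound to
# that divert port and, when the packet comes back, processing resumes at the
# rule *after* the divert rule, so rules placed before the divert rules see
# the untranslated addresses.
FwCMD="/sbin/ipfw"      # path to the ipfw binary
LanOut="em0"            # external interface
LanIn="rl0"             # internal interface
IpOut="172.16.26.28"    # external IP address of this host
IpIn="192.168.0.1"      # internal IP address of this host (not referenced below)
NetMaskOut="24"         # external subnet prefix length (not referenced below)
NetMaskIn="16"          # internal subnet prefix length
NetIn="192.168.0.0"     # internal network

# Start from an empty ruleset. Table 0 is flushed as well, although no rule
# below references a table.
"${FwCMD}" -f flush
"${FwCMD}" -f table 0 flush

# Dynamic-rule lookup. No rule below uses keep-state, so this currently
# matches nothing and the ruleset is effectively stateless.
"${FwCMD}" add check-state

# Loopback: allow everything on lo0, never let 127/8 appear elsewhere.
"${FwCMD}" add allow ip from any to any via lo0
"${FwCMD}" add deny ip from any to 127.0.0.0/8
"${FwCMD}" add deny ip from 127.0.0.0/8 to any

# Anti-spoofing on the external interface: drop inbound packets addressed to
# private/reserved ranges. These run before the divert rules, so the address
# checked is the pre-translation one (${IpOut} for redirected traffic).
"${FwCMD}" add deny ip from any to 10.0.0.0/8 in via "${LanOut}"
"${FwCMD}" add deny ip from any to 192.168.0.0/16 in via "${LanOut}"
"${FwCMD}" add deny ip from any to 0.0.0.0/8 in via "${LanOut}"
"${FwCMD}" add deny ip from any to 169.254.0.0/16 in via "${LanOut}"
"${FwCMD}" add deny ip from any to 240.0.0.0/4 in via "${LanOut}"

# Fragmented ICMP is dropped outright. Note that non-first fragments of any
# protocol carry no port/flag information, so from the outside they match
# none of the port-based rules below and end at the final deny.
"${FwCMD}" add deny icmp from any to any frag
# Broadcast ICMP on the external interface is dropped and logged.
"${FwCMD}" add deny log icmp from any to 255.255.255.255 in via "${LanOut}"
"${FwCMD}" add deny log icmp from any to 255.255.255.255 out via "${LanOut}"

# NAT. Outbound LAN traffic is diverted to port 199 and then to natd;
# inbound traffic for ${IpOut} goes to natd and, if natd rewrote it to a LAN
# address, to port 199.
# NOTE(review): nothing in the configuration shown alongside this script
# (rc.conf starts one natd; natd.conf sets no "port") binds divert port 199.
# If no process listens on a divert port, packets matching a divert rule for
# it are dropped -- confirm what is meant to listen on 199, or drop the two
# "divert 199" rules.
"${FwCMD}" add divert 199 ip from "${NetIn}/${NetMaskIn}" to any out via "${LanOut}"
"${FwCMD}" add divert natd ip from "${NetIn}/${NetMaskIn}" to any out via "${LanOut}"
"${FwCMD}" add divert natd ip from any to "${IpOut}" in via "${LanOut}"
"${FwCMD}" add divert 199 ip from any to "${NetIn}/${NetMaskIn}" in via "${LanOut}"

# Egress filtering: never send private/reserved source addresses upstream.
"${FwCMD}" add deny ip from 10.0.0.0/8 to any out via "${LanOut}"
"${FwCMD}" add deny ip from 192.168.0.0/16 to any out via "${LanOut}"
"${FwCMD}" add deny ip from 0.0.0.0/8 to any out via "${LanOut}"
"${FwCMD}" add deny ip from 169.254.0.0/16 to any out via "${LanOut}"
"${FwCMD}" add deny ip from 224.0.0.0/4 to any out via "${LanOut}"
"${FwCMD}" add deny ip from 240.0.0.0/4 to any out via "${LanOut}"

# Stateless TCP pass-through: "established" matches any TCP packet with ACK
# or RST set, whether or not a connection actually exists; only the initial
# SYN is subject to the per-port rules further down.
"${FwCMD}" add allow tcp from any to any established
# Anything originated by this host may leave on the external interface.
"${FwCMD}" add allow ip from "${IpOut}" to any out xmit "${LanOut}"
# DNS and NTP over UDP, both directions, on the external interface.
"${FwCMD}" add allow udp from any 53 to any via "${LanOut}"
"${FwCMD}" add allow udp from any to any 53 via "${LanOut}"
"${FwCMD}" add allow udp from any to any 123 via "${LanOut}"

# ICMP: 0/8 echo reply/request (ping), 11 time exceeded (traceroute) and
# 3 destination unreachable. Type 3 was missing before: its code 4
# ("fragmentation needed") is the message Path MTU Discovery relies on, and
# with it dropped at the final deny rule every full-size TCP segment this
# host sends toward a path with a smaller MTU is lost and retransmitted
# until the session stalls -- small interactive packets still get through,
# which is consistent with ssh/http from outside being very slow while the
# LAN side is fine. Permitting type 3 is the usual practice and exposes
# nothing the other allowed types do not.
"${FwCMD}" add allow icmp from any to any icmptypes 0,3,8,11

# Services exposed on the external address (initial SYN; the rest of the
# connection is covered by the "established" rule above).
"${FwCMD}" add allow tcp from any to "${IpOut}" 80 via "${LanOut}"
"${FwCMD}" add allow tcp from any to "${IpOut}" 443 via "${LanOut}"
#"${FwCMD}" add allow tcp from any to "${IpOut}" 25 via "${LanOut}"
"${FwCMD}" add allow tcp from any to "${IpOut}" 22 via "${LanOut}"
"${FwCMD}" add allow tcp from any to "${IpOut}" 5432 via "${LanOut}"
# Inbound TCP that natd rewrote to a LAN address (see redirect_port in
# natd.conf) -- any LAN host, any port.
"${FwCMD}" add allow tcp from any to "${NetIn}/${NetMaskIn}" via "${LanOut}"

# The LAN interface is fully trusted.
"${FwCMD}" add allow tcp from any to any via "${LanIn}"
"${FwCMD}" add allow udp from any to any via "${LanIn}"
"${FwCMD}" add allow icmp from any to any via "${LanIn}"

# Default policy: everything else is dropped.
"${FwCMD}" add deny ip from any to any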
# /etc/natd.conf -- natd(8) options, loaded through natd_flags="-f /etc/natd.conf"
# in rc.conf. There is no "port" directive, so natd listens on its default
# divert port, the one the "divert natd" ipfw rules refer to.
# Keep the original source port when translating where possible.
same_ports yes
# Allocate a real socket per translated session (natd(8) describes this as
# making translation more reliable at the cost of one socket per session).
use_sockets yes
# Inbound TCP port 80 on the external address is forwarded to 192.168.0.3:80;
# the ipfw ruleset must then pass the rewritten packet into the LAN.
redirect_port tcp 192.168.0.3:80 80 #www