
Проблема с PF

Добавлено: 2008-04-15 18:15:09
awamax
При скачивании больших файлов по http (ftp не проверял) скачивание останавливается (скачано x из y, x не меняется), скорость начинает падать, а затем происходит обрыв. На сервере работают pure-ftpd, ipsec и pf — это всё.
6.2-RELEASE-p11 FreeBSD 6.2-RELEASE-p11 #1: /usr/obj/usr/src/sys/FIREWOOL i386
Отличие от GENERIC


FIREWOOL KERNEL 2008_03_11

# Target architecture and CPU class; 486/586 support is left commented out,
# so the kernel is built for 686-class CPUs only.
machine         i386
#cpu            I486_CPU
#cpu            I586_CPU
cpu             I686_CPU
ident           FIREWOOL

# Local additions on top of GENERIC: PF + IPsec
# PF
# Packet filter and its pflog logging interface are compiled in;
# pfsync (state synchronisation) is left disabled.
device pf
device pflog
#device pfsync
# ALTQ queueing framework. NOTE(review): the pf.conf posted with this config
# defines no queues, so this option looks unused — confirm.
options ALTQ

# IPSEC
# Kernel IPsec with ESP enabled. Only ESP is turned on here; the keying
# daemon and security policies are configured outside this file.
options IPSEC
options IPSEC_ESP
Файл настроек pf


# cat /etc/pf.conf
# macros
# Interface roles as the rules below use them: ext_if is the NAT/outside
# interface, int_if carries int_net, vpn_if is the gif tunnel.
ext_if="rl0"
int_if="em0"
vpn_if="gif0"
# Remote tunnel peer (address redacted by the poster).
spb_addr="x.x.x.x"

int_net="192.168.1.0/24"

# Internal host that receives the redirected mail traffic (ports 25 and 110).
mail_server="192.168.1.102"
mail_ports="{ 25, 110 }"

icmp_types="echoreq"

# options
# Blocked packets are answered (TCP RST / ICMP unreachable) instead of being
# dropped silently. This tells a scanner the host is there; "drop" is quieter.
set block-policy return

# Loopback is not filtered at all.
set skip on lo0

# scrub
# Normalise all inbound packets before filtering.
scrub in

# nat/rdr
# Source-NAT anything leaving ext_if that does not already carry its address;
# ":0" restricts the translation address to the interface's primary address.
nat on $ext_if from !$ext_if -> $ext_if:0

# FTP control connections from the LAN are diverted to a local listener on
# 127.0.0.1:8021 (presumably ftp-proxy — the daemon itself is not shown).
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
# Publishes the internal mail server to the Internet on ports 25 and 110.
# NOTE(review): port 110 is normally plain POP3; consider restricting source
# addresses or exposing only a TLS-protected service.
rdr on $ext_if proto tcp from any to $ext_if port $mail_ports -> $mail_server

# filter rules
# pf evaluates every rule and the LAST match wins unless a rule says "quick",
# so the order of the rules below is significant.

# Default deny inbound; everything outbound is allowed and tracked.
# NOTE(review): "pass out keep state" has no "flags S/SA". On pf versions
# where that is not implied (believed to include the one in 6.2 — confirm),
# state can be created from a mid-connection packet; such a state lacks the
# TCP window-scaling information and is a known cause of transfers that stall
# after some data has passed. The same applies to every TCP "keep state" rule
# below except the mail rule, which is the only one carrying "flags S/SA".
block in
pass out keep state

# Reject packets claiming a lo0/int_if source address on the wrong interface.
antispoof quick for { lo0 $int_if }

# Inbound mail after the rdr above (destination is already $mail_server).
pass in on $ext_if inet proto tcp from any to $mail_server port $mail_ports flags S/SA keep state
# NOTE(review): the purpose of port 130 is not stated anywhere — document the
# service behind it or remove the rule.
pass in on $ext_if inet proto tcp from any to $ext_if port 130 keep state

# FTP control on 21, plus every TCP port above 49151 from anywhere —
# presumably the passive-mode data range of the local pure-ftpd.
# NOTE(review): this also exposes any other daemon that happens to listen on
# a high port of ext_if; narrow it to the passive range actually configured.
pass in on $ext_if proto tcp from any to $ext_if port 21 keep state
pass in on $ext_if proto tcp from any to $ext_if port > 49151 keep state

# Accept inbound TCP only for sockets owned by local user "proxy" —
# presumably active-mode FTP data connections back to the proxy on 8021.
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# Echo requests (ping) are accepted on every interface.
pass in inet proto icmp all icmp-type $icmp_types keep state

# Everything arriving on the LAN interface is accepted; "quick" ends rule
# evaluation here, so no later rule can restrict LAN-originated traffic.
pass in quick on $int_if keep state

# vpn filter rules
# All traffic in both directions on the tunnel interface is passed without
# state or filtering: the remote site is fully trusted.
# NOTE(review): consider limiting this to the networks and ports the tunnel
# really needs.
pass on $vpn_if


# IPsec plumbing, accepted from the tunnel peer only: IKE (udp/500), ESP and
# IP-in-IP. The first rule names no interface, so it matches on any of them;
# the other two are bound to ext_if.
pass in inet proto udp from $spb_addr to $ext_if port 500
pass in on $ext_if proto esp from $spb_addr to $ext_if
pass in on $ext_if proto ipencap from $spb_addr to $ext_if

Re: Проблема с PF

Добавлено: 2008-04-16 0:05:37
Daywalker
А для 8021 порта не надо никаких правил?

Re: Проблема с PF

Добавлено: 2008-04-16 12:30:54
awamax
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state