Добрый день всем! Достался мне в наследство шлюз с FreeBSD и 1С за ним. Я предпочитаю ipfw, а тут - pf. Пожаловался на днях 1С-ник, что не может связаться с какими-то сервисами. Через прокси почему-то 1С ходить не хочет - только в лоб, напрямую. Прописал я в секции rdr-nat по аналогии с другими такое правило:
nat on $ext_if proto tcp from $1C to {89.111.148.68, 89.188.115.186, 91.239.5.33, 91.239.5.113} port {80, 110, 443, 465} ->$ext_if
С 1С-а связи нет. :( Смотрю на внешнем интерфейсе и вижу интересную картину:
19:09:02.553514 IP XXX.XXX.XX.150.53269 > 91.239.5.113.443: Flags [SEW], seq 3411709067, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:09:02.595774 IP 91.239.5.113.443 > XXX.XXX.XX.150.53269: Flags [S.], seq 2538216453, ack 3411709068, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
19:09:02.595800 IP XXX.XXX.XX.150 > 91.239.5.113: ICMP host XXX.XXX.XX.150 unreachable, length 60
19:09:05.553257 IP XXX.XXX.XX.150.53269 > 91.239.5.113.443: Flags [SEW], seq 3411709067, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:09:11.555666 IP XXX.XXX.XX.150.53269 > 91.239.5.113.443: Flags [S], seq 3411709067, win 8192, options [mss 1460,nop,nop,sackOK], length 0
Вот третий по счёту пакет и рвёт сессию.
Я пытался явно в секции правил прописать разрешение на входящие от 91.239.5.113, прописывал и в начале секции, и в конце (по ман-у ведь, срабатывать должен последнее совпадающее правило) - не помогает. :(
Помогите - обо что "спотыкается" сессия? Второй день курю ман и интернет - не понимаю! :(
pf.conf:
ext_if="fxp0"
# --- pf.conf for a FreeBSD gateway: fxp0 = external ($ext_if), re0 = internal ($int_if) ---
# Old pf syntax with a separate nat/rdr section: translation is applied before
# filtering, so the filter rules below see the translated packet (source = $ext_ip
# for outbound NAT, the rdr target as destination for inbound rdr).
# Filter rules: the last matching rule wins unless it carries "quick".
# "XXX.XXX.XX.150" is the original author's redaction of the real external address.
int_if="re0"
int_ip="192.168.0.8/32"            # not referenced by any rule below
ext_ip="XXX.XXX.XX.150/32"
lhost="127.0.0.1"                  # not referenced by any rule below
#1C="{192.168.0.164,192.168.10.164}"
# NOTE(review): pf.conf(5) requires macro names to start with a letter; "1C" and
# "1C_in" start with a digit. If the running pfctl accepts them, renaming them
# (e.g. c1c / c1c_in) is still the safer choice - check with `pfctl -nf /etc/pf.conf`.
1C="{192.168.0.163, 192.168.0.164}"
1C_in="192.168.10.164"             # RDP target of the port-64128 rdr; note it is outside $localnet
localnet="{192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24}"
stb="{10.0.0.230/32, 10.0.0.231/32, 10.0.0.232/32}"
video_srv="10.0.0.246"
# Hosts that get unrestricted NAT and an unrestricted quick pass (see Rules section).
srv="{192.168.0.1, 192.168.0.2, 192.168.0.5, 192.168.0.8, 192.168.0.155, 192.168.0.12, 192.168.0.14, 192.168.0.29, 192.168.0.30}"
mail_port="{25, 110, 465, 587, 993, 995}"
www_port="{80, 443}"
mail_nic_ru="{194.85.88.224/27, 91.189.116.32/28}"
mail_ru="{94.100.180.74, 94.100.180.160, 217.69.139.160}"
www_mail_nic_ru="{31.177.76.19, 31.177.80.19}"
# External sources allowed to reach sshd on the gateway and on 192.168.0.1.
forp_ip="{193.238.109.227,91.200.46.58,188.124.225.14}"
########## Tables ###########
##
table <spammers> persist file "/var/db/pf/spammers"      # not referenced by any rule below
##
table <bruteforce> persist file "/var/db/pf/bruteforce"  # not referenced by any rule below
table <mgmt> persist file "/var/db/pf/mgmt"               # sources allowed to ssh to the gateway
# Remote Admins
table <RAs> persist file "/var/db/pf/RAs"
# NOTE(review): <rdp_1C> is used by three rules below but is not defined in this
# section; it must be loaded elsewhere - confirm with `pfctl -t rdp_1C -T show`.
##########
set skip on lo0
set block-policy drop              # blocked packets are dropped silently: pf sends no RST and no ICMP
set ruleset-optimization basic
set skip on $int_if                # no filtering at all on re0; every rule below is enforced on fxp0 only
### Normalization ###
scrub in all
### ALTQ ###
#No rules
###NAT and Port forwarding #
# Outbound NAT is deliberately narrow: most internal networks only reach named
# mail/web destinations. Translation rules: the FIRST matching nat rule applies.
nat on $ext_if from $localnet to $mail_nic_ru port $mail_port ->$ext_if
nat on $ext_if from $localnet to $mail_ru port $mail_port ->$ext_if
nat on $ext_if from $localnet to $www_mail_nic_ru port $www_port ->$ext_if
nat on $ext_if from $srv to any ->$ext_if
nat on $ext_if from $video_srv to 195.3.245.85/32 port 8000 ->$ext_if
### NAT Ag
nat on $ext_if from 192.168.15.4/28 to any ->$ext_if
### Melm
nat on $ext_if from 192.168.15.5/28 to any ->$ext_if
### NAT hnya
nat on $ext_if from 192.168.50.2/30 to any ->$ext_if
### Disp
nat on $ext_if from 192.168.1.62/32 to any ->$ext_if
nat on $ext_if from 192.168.20.101/32 to any ->$ext_if
nat on $ext_if from $stb to $mail_nic_ru port $mail_port ->$ext_if
# Inbound redirects. The filter rules further down must match the translated
# destination (internal host and port), not $ext_ip and the public port.
rdr on $ext_if inet proto tcp from any to $ext_ip port 41523 ->192.168.0.29
rdr on $ext_if inet proto tcp from any to $ext_ip port 47365 ->192.168.0.1
rdr on $ext_if inet proto tcp from <rdp_1C> to $ext_ip port 64128 ->$1C_in port 3389
rdr on $ext_if inet proto tcp from any to $ext_ip port 1923 ->192.168.0.1 port 22
rdr on $ext_if inet proto tcp from any to $ext_ip port 1922 ->$ext_ip port 22    # alternate ssh port for the gateway itself
######
nat on $ext_if proto icmp from 192.168.0.2/32 to any ->$ext_if
#######
## 1C keydisk.ru
nat on $ext_if proto tcp from $1C to 31.13.60.76 port {25, 110, 465, 995} ->$ext_if
# NOTE(review): the trace in the post shows the gateway itself answering the
# SYN-ACK from 91.239.5.113 with "ICMP host unreachable". With block-policy drop
# pf sends nothing for a blocked packet, so that reply most likely comes from the
# kernel after reverse translation, i.e. the return path to the $1C hosts on
# $int_if (`netstat -rn`, `arp -an`) deserves a look before the filter rules do.
nat on $ext_if proto tcp from $1C to {89.111.148.68, 89.188.115.186, 91.239.5.33, 91.239.5.113} port {80, 110, 443, 465} ->$ext_if
# 1C downloads.1c.ru
# 89.111.148.68 ports 80/443 are already matched by the rule above (first match wins); harmless duplicate.
nat on $ext_if proto tcp from $1C to 89.111.148.68 port {80, 443} ->$ext_if
# 1C RPN, FTS
nat on $ext_if proto tcp from $1C to {37.16.80.199, 77.108.76.27} port {80, 110, 443, 465} ->$ext_if
## 1C *.fss.ru (docs, cabinets, portal)
nat on $ext_if proto tcp from $1C to {193.148.44.186, 193.148.44.187, 193.148.44.188} port {80, 443} ->$ext_if
########## Rules #########
# Default deny in both directions, logged; everything else below is an exception.
block in log all
block out log all
# NOTE(review): "proto ipv6" matches IP protocol 41 (IPv6-in-IPv4 encapsulation),
# not native IPv6; dropping the IPv6 family itself would be "block quick inet6".
# Confirm which of the two was intended.
block quick proto ipv6
block proto icmp6 all
# Because NAT runs first, this blocks TCP to <RAs> from NATed internal clients as well as from the gateway.
block out quick on $ext_if proto tcp from $ext_ip to <RAs>
antispoof quick for $ext_if
# Broad: any protocol, any port, both directions, every interface, decided early (quick).
# NOTE(review): NATed $srv packets leaving $ext_if already carry $ext_ip as source,
# so on fxp0 they are passed by the tcp/udp rule below, not by this one - check
# the counters with `pfctl -vsr` to see whether it matches anything.
pass log quick from $srv to any
pass in on $ext_if inet proto tcp from <mgmt> to $ext_ip port 22
# The rule that actually lets NATed TCP/UDP flows out and their replies back via state;
# not quick, so any later matching rule would override it. The space in "{tcp ,udp}" is harmless.
pass out on $ext_if inet proto {tcp ,udp} from $ext_ip to any keep state
pass in on $ext_if inet proto tcp from $forp_ip to $ext_ip port 22
pass in on $ext_if inet proto tcp from $forp_ip to 192.168.0.1 port 22
# NOTE(review): after the rdr the destination is $1C_in:3389, so this rule
# (to $ext_ip port 64128) should not match the redirected packets; the next one does.
pass in on $ext_if inet proto tcp from <rdp_1C> to $ext_ip port 64128
pass in on $ext_if inet proto tcp from <rdp_1C> to $1C_in port 3389
pass log quick from lo0 to any keep state    # "from lo0" expands to lo0's addresses; lo0 itself is already skipped
# pf completes the TCP handshake before the redirected host sees the connection.
pass on $ext_if inet proto tcp from any to 192.168.0.29 port 41523 synproxy state
pass on $ext_if inet proto tcp from any to 192.168.0.1 port 47365 synproxy state
#
#????
# NOTE(review): passes every protocol in both directions between 195.3.245.85 and
# $ext_ip. The only other reference to that host is the $video_srv NAT on tcp 8000;
# if that is the purpose, "out ... proto tcp ... port 8000" would be a narrower fit - confirm.
pass on $ext_if inet from 195.3.245.85 to $ext_ip
############
### ICMP ###
############
pass in log on $ext_if inet proto icmp from any to $ext_ip icmp-type {echoreq, unreach, echorep}
pass out log on $ext_if inet proto icmp from $ext_ip icmp-type {echoreq, unreach, echorep}
# NOTE(review): "to lo0" expands to lo0's addresses, so this passes traffic to
# 127.0.0.1 arriving on or leaving the external interface. Purpose unclear - confirm it is needed.
pass on $ext_if from any to lo0 keep state