Good day to all!!!
When I try to connect to a FreeBSD 6.3 server from the internal network over ssh, with the following ipfw settings:
ipfw="/sbin/ipfw -q"
LanOut="sis0"
LanIn="dc0"
IpIn="**.**.**.**"
IpOut="**.**.**.**"
${ipfw} -f flush
${ipfw} add 200 deny ip from any to any frag
${ipfw} add 300 allow ip from any to any via lo0
${ipfw} add 400 deny ip from any to 127.0.0.0/8
${ipfw} add 500 deny ip from 127.0.0.0/8 to any
${ipfw} add 600 allow ip from any to ${IpOut} 20,21 via ${LanOut}
${ipfw} add 700 allow ip from ${IpOut} 20,21 to any via ${LanOut}
${ipfw} add 800 allow all from ${IpIn} 20,21 to any via ${LanIn}
${ipfw} add 900 allow all from any to ${IpIn} 20,21 via ${LanIn}
${ipfw} add 1000 allow all from any to any via ${LanIn}
${ipfw} add 1100 allow ip from ${IpOut} to any via ${LanOut}
${ipfw} add 1200 deny ip from any to 10.0.0.0/8 in via ${LanOut}
${ipfw} add 1300 deny ip from any to 172.16.0.0/12 in via ${LanOut}
${ipfw} add 1400 deny ip from any to 192.168.0.0/16 in via ${LanOut}
${ipfw} add 1500 deny ip from any to 0.0.0.0/8 in via ${LanOut}
${ipfw} add 1600 deny ip from any to 169.254.0.0/16 in via ${LanOut}
${ipfw} add 1700 deny ip from any to 240.0.0.0/4 in via ${LanOut}
${ipfw} add 1800 deny ip from 10.0.0.0/8 to any out via ${LanOut}
${ipfw} add 1900 deny ip from 172.16.0.0/12 to any out via ${LanOut}
${ipfw} add 2000 deny ip from 192.168.0.0/16 to any out via ${LanOut}
${ipfw} add 2100 deny ip from 0.0.0.0/8 to any out via ${LanOut}
${ipfw} add 2200 deny ip from 169.254.0.0/16 to any out via ${LanOut}
${ipfw} add 2300 deny ip from 224.0.0.0/4 to any out via ${LanOut}
${ipfw} add 2400 deny ip from 240.0.0.0/4 to any out via ${LanOut}
${ipfw} add 2600 deny log icmp from any to 255.255.255.255 via ${LanOut}
${ipfw} add 2700 deny log icmp from any to 255.255.255.255 out via ${LanOut}
${ipfw} add 2800 allow tcp from any to any established
${ipfw} add 2900 allow ip from ${IpOut} to any out xmit ${LanOut}
${ipfw} add 3000 allow ip from any to ${IpOut} 1723
${ipfw} add 3100 allow gre from any to ${IpOut}
${ipfw} add 3200 allow gre from ${IpOut} to any
${ipfw} add 3300 allow ip from ${IpOut} to any established
${ipfw} add 3400 allow ip from 10.140.140.48/29 to any
${ipfw} add 3500 allow ip from any to 10.140.140.48/29
${ipfw} add 3600 reject tcp from any to any tcpflags !'syn', !'fin', !'ack', !'psh', !'rst', !'urg'
${ipfw} add 3700 reject tcp from any to any tcpflags syn, fin, ack, psh, rst, urg
${ipfw} add 3800 reject tcp from any to any not established tcpflags fin
${ipfw} add 3900 deny ip from any to any not verrevpath in
${ipfw} add 65000 deny ip from any to any
after the login prompt, I have to wait a very long time for the password prompt to appear.
If I add a line allowing all traffic: ${ipfw} add allow ip from any to any
the connection happens quickly. If I remove all the rules and leave only rule #1000 and rule #65000, the connection is still slow.
What is wrong in the ipfw settings? Could the problem be the order of the rules?
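Added example, not part of the post: a toy first-match evaluator over a subset of the ruleset above. A long pause between the login prompt and the password prompt is the classic sign of sshd waiting on a reverse DNS lookup of the client, and if the resolver sits beyond ${LanOut}, the query leaves under rule 1100 while the UDP reply matches nothing before 65000, because `established` only matches TCP. The interface names are the post's; the addresses, packets and the fix rule 2850 are constructed here.

```python
from ipaddress import ip_address, ip_network

LAN_OUT, LAN_IN = "sis0", "dc0"     # interface names from the post
IP_OUT = "203.0.113.10"             # constructed stand-in for the masked IpOut

# Rule: (number, action, proto, src, sport, dst, iface, direction, established).
# Subset of the posted ruleset that decides the three flows modelled below.
RULES = [
    (300,   "allow", "ip",  "any",  None, "any", "lo0",   None, False),
    (1000,  "allow", "ip",  "any",  None, "any", LAN_IN,  None, False),
    (1100,  "allow", "ip",  IP_OUT, None, "any", LAN_OUT, None, False),
    (2800,  "allow", "tcp", "any",  None, "any", None,    None, True),
    (3300,  "allow", "ip",  IP_OUT, None, "any", None,    None, True),
    (65000, "deny",  "ip",  "any",  None, "any", None,    None, False),
]
# Same ruleset plus one stateless rule admitting replies from UDP port 53
# to the outside address on the outside interface (an assumed fix).
RULES_FIXED = RULES[:-1] + [
    (2850, "allow", "udp", "any", 53, IP_OUT, LAN_OUT, "in", False)] + RULES[-1:]

def in_net(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def first_match(pkt, rules=RULES):
    """Return (number, action) of the first matching rule, as ipfw evaluates."""
    for num, action, proto, src, sport, dst, iface, direction, est in rules:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (in_net(src, pkt["src"]) and in_net(dst, pkt["dst"])):
            continue
        if sport is not None and sport != pkt.get("sport"):
            continue
        if iface is not None and iface != pkt["iface"]:
            continue
        if direction is not None and direction != pkt["dir"]:
            continue
        # 'established' only matches TCP segments carrying ACK or RST
        if est and not (pkt["proto"] == "tcp" and pkt.get("ack", False)):
            continue
        return num, action
    raise RuntimeError("ruleset has no terminal rule")

# Constructed packets: SSH SYN from the LAN, reverse-DNS query to an outside resolver, its reply.
SSH_SYN   = {"proto": "tcp", "src": "192.168.1.5", "dst": "192.168.1.1", "iface": LAN_IN, "dir": "in"}
DNS_QUERY = {"proto": "udp", "src": IP_OUT, "dst": "198.51.100.53", "iface": LAN_OUT, "dir": "out"}
DNS_REPLY = {"proto": "udp", "src": "198.51.100.53", "dst": IP_OUT, "sport": 53, "iface": LAN_OUT, "dir": "in"}

if __name__ == "__main__":
    for name, pkt in [("ssh", SSH_SYN), ("dns query", DNS_QUERY), ("dns reply", DNS_REPLY)]:
        print(name, "original:", first_match(pkt), "fixed:", first_match(pkt, RULES_FIXED))
```

On the real box the same effect is obtained statefully with `keep-state` on the outbound UDP rule plus a `check-state` rule, or avoided entirely with `UseDNS no` in sshd_config.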