The office has two gateways: one running the off-topic ISA, the second FreeBSD 7.2. The first one has to go. To get rid of it, everything has to work on the second, but there is a snag with the wretched bank-client, which works over ftp. Passive mode is set in the bank-client's connection settings. I reach other ftp servers through the BSD box without any problems.
ifconfig:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:11:6b:32:87:af
inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:04:ac:25:fb:ed
inet 192.168.100.111 netmask 0xffffff00 broadcast 192.168.100.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
00100 check-state
00200 allow ip from any to any via lo0
00300 deny ip from any to 127.0.0.0/8
00400 deny ip from 127.0.0.0/8 to any
00500 deny ip from any to 10.0.0.0/8 in via rl0
00600 deny ip from any to 172.16.0.0/12 in via rl0
00700 deny ip from any to 0.0.0.0/8 in via rl0
00800 deny ip from any to 169.254.0.0/16 in via rl0
00900 deny ip from any to 240.0.0.0/4 in via rl0
01000 deny icmp from any to any frag
01100 deny log icmp from any to 255.255.255.255 in via rl0
01200 deny log icmp from any to 255.255.255.255 out via rl0
01300 divert 8668 ip from 192.168.100.0/24 to any out via rl0
01400 divert 8668 ip from any to 192.168.0.100 in via rl0
01500 deny ip from 10.0.0.0/8 to any out via rl0
01600 deny ip from 172.16.0.0/12 to any out via rl0
01700 deny ip from 0.0.0.0/8 to any out via rl0
01800 deny ip from 169.254.0.0/16 to any out via rl0
01900 deny ip from 224.0.0.0/4 to any out via rl0
02000 deny ip from 240.0.0.0/4 to any out via rl0
02100 allow tcp from any to any established
02200 allow ip from 192.168.0.100 to any out xmit rl0
02300 allow udp from any 53 to any via rl0
02400 allow udp from any to any dst-port 53 via rl0
02500 allow udp from any to any dst-port 123 via rl0
02600 allow tcp from any to 192.168.0.100 dst-port 21 via rl0
02700 allow tcp from any to 192.168.0.100 dst-port 49152-65535 via rl0
02800 allow icmp from any to any icmptypes 0,8,11
02900 allow tcp from any to 192.168.0.100 dst-port 22 via rl0
03000 allow gre from any to any via rl0
03100 allow gre from any to any via fxp0
03200 allow tcp from any to any via fxp0
03300 allow udp from any to any via fxp0
03400 allow icmp from any to any via fxp0
03500 deny ip from any to any
65535 allow ip from any to any
tcpdump during a connection attempt:
17:07:44.352754 IP 192.168.0.100.3466 > 91.197.214.149.21: S 245692730:245692730(0) win 65535 <mss 1460,nop,nop,sackOK>
17:07:44.354064 IP 91.197.214.149.21 > 192.168.0.100.3466: S 3898631004:3898631004(0) ack 245692731 win 65535 <mss 1460,sackOK,eol>
17:07:44.354834 IP 192.168.0.100.3466 > 91.197.214.149.21: . ack 1 win 65535
17:07:44.368960 IP 91.197.214.149.21 > 192.168.0.100.3466: P 1:11(10) ack 1 win 65535
17:07:44.370729 IP 192.168.0.100.3466 > 91.197.214.149.21: P 1:15(14) ack 11 win 65525
17:07:44.383375 IP 91.197.214.149.21 > 192.168.0.100.3466: P 11:47(36) ack 15 win 65535
17:07:44.385724 IP 192.168.0.100.3466 > 91.197.214.149.21: P 15:30(15) ack 47 win 65489
17:07:44.396749 IP 91.197.214.149.21 > 192.168.0.100.3466: P 47:76(29) ack 30 win 65535
17:07:44.398747 IP 192.168.0.100.3466 > 91.197.214.149.21: P 30:37(7) ack 76 win 65460
17:07:44.402618 IP 91.197.214.149.21 > 192.168.0.100.3466: P 76:104(28) ack 37 win 65535
17:07:44.404724 IP 192.168.0.100.3466 > 91.197.214.149.21: P 37:48(11) ack 104 win 65432
17:07:44.410967 IP 91.197.214.149.21 > 192.168.0.100.3466: P 104:132(28) ack 48 win 65535
17:07:44.412738 IP 192.168.0.100.3466 > 91.197.214.149.21: P 48:57(9) ack 132 win 65404
17:07:44.416843 IP 91.197.214.149.21 > 192.168.0.100.3466: P 132:160(28) ack 57 win 65535
17:07:44.418722 IP 192.168.0.100.3466 > 91.197.214.149.21: P 57:63(6) ack 160 win 65376
17:07:44.421784 IP 91.197.214.149.21 > 192.168.0.100.3466: P 160:209(49) ack 63 win 65535
17:07:44.424921 IP 192.168.0.100.3467 > 91.197.214.149.52195: S 9126995:9126995(0) win 65535 <mss 1460,nop,nop,sackOK>
17:07:44.604891 IP 192.168.0.100.3466 > 91.197.214.149.21: . ack 209 win 65327
17:07:47.421310 IP 192.168.0.100.3467 > 91.197.214.149.52195: S 9126995:9126995(0) win 65535 <mss 1460,nop,nop,sackOK>
17:07:53.455221 IP 192.168.0.100.3467 > 91.197.214.149.52195: S 9126995:9126995(0) win 65535 <mss 1460,nop,nop,sackOK>
The ISA gateway has an external IP, while the BSD box itself sits behind two gateways; could that be where the problem lies?
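A small analyzer for the trace above, added here as an illustration and not part of the original post: it groups the tcpdump lines by flow and reports connections where the client sent SYNs but never received a single packet back, which is how the stalled passive data channel to port 52195 stands out from the healthy control session on port 21. The sample input is a subset of the trace copied from the post.

```python
import re
from collections import defaultdict
# Sample input: a subset of the tcpdump lines from the post (control session on
# port 21 completes its handshake; data connection to port 52195 only ever sends SYNs).
TRACE = """\
17:07:44.352754 IP 192.168.0.100.3466 > 91.197.214.149.21: S 245692730:245692730(0) win 65535 <mss 1460,nop,nop,sackOK>
17:07:44.354064 IP 91.197.214.149.21 > 192.168.0.100.3466: S 3898631004:3898631004(0) ack 245692731 win 65535 <mss 1460,sackOK,eol>
17:07:44.354834 IP 192.168.0.100.3466 > 91.197.214.149.21: . ack 1 win 65535
17:07:44.424921 IP 192.168.0.100.3467 > 91.197.214.149.52195: S 9126995:9126995(0) win 65535 <mss 1460,nop,nop,sackOK>
17:07:47.421310 IP 192.168.0.100.3467 > 91.197.214.149.52195: S 9126995:9126995(0) win 65535 <mss 1460,nop,nop,sackOK>
17:07:53.455221 IP 192.168.0.100.3467 > 91.197.214.149.52195: S 9126995:9126995(0) win 65535 <mss 1460,nop,nop,sackOK>
"""
# Old-style tcpdump TCP line: "ts IP a.b.c.d.port > e.f.g.h.port: FLAGS rest..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+) (?P<rest>.*)$"
)

def parse_trace(text):
    """Parse tcpdump lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts

def stalled_connections(pkts):
    """Return [(client, cport, server, sport, syn_count)] for flows where the
    client sent one or more SYNs and not a single packet came back."""
    syns = defaultdict(int)   # (client, cport, server, sport) -> SYNs sent
    seen = set()              # every (src, sport, dst, dport) direction observed
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        seen.add(key)
        # A pure SYN has flag "S" and no "ack" token; a SYN-ACK has both.
        if p["flags"] == "S" and "ack" not in p["rest"].split():
            syns[key] += 1
    return [
        key + (n,) for key, n in syns.items()
        if (key[2], key[3], key[0], key[1]) not in seen   # reply direction never seen
    ]

if __name__ == "__main__":
    for client, cport, server, sport, n in stalled_connections(parse_trace(TRACE)):
        print(f"{client}:{cport} -> {server}:{sport}: {n} SYNs, no reply")
```

Run against a full capture from the gateway's outside interface as well as the inside one: if the data-channel SYN leaves rl0 translated and still gets no answer, the drop is upstream of this box, not in the ipfw rules.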