From owner-freebsd-current@freebsd.org Tue Aug 25 08:05:44 2015
From: Petr Chocholáč <admin@gyrec.cz>
To: freebsd-current@freebsd.org
Subject: Re: ipfw rules for connect port 993
Date: Tue, 25 Aug 2015 10:02:56 +0200
Message-ID: <55DC2130.9040004@gyrec.cz>
In-Reply-To: <55DB1E79.9030108@freebsd.org>
References: <55DB16B7.2000602@gyrec.cz> <55DB1E79.9030108@freebsd.org>
List-Id: Discussions about the use of FreeBSD-current

Hello,

thank you for your answer.

ad1. I am sending my current firewall rules and a record from tcpdump on re0.
My LAN is 172.16.0.0/22 (10... it was easy. I think it does not matter)
My second LAN is 192.168.1.0/24 (on this network the connection to the IMAP port 993 works)
My public IP is 86.49.91.98
ad2. Tcpdump on rl0 shows nothing
ad3. Yes. I have gateway_enable="YES" in /etc/rc.conf
ad4. I think yes...

PS: The firewall is not my work. I inherited it.

Thank you very much
Petr Chocholac

On 24.8.2015 at 15:39 Allan Jude wrote:
> On 2015-08-24 09:05, Petr Chocholáč wrote:
>> Hello,
>>
>> I would like to ask you for advice. I cannot connect to imap.gmail.com
>> on port 993 from my local network. My LAN is behind a FreeBSD server with
>> IPFW. The server has two network cards, rl0=Internet and
>> re0=LAN(10.0.0.0/16). Tcpdump on re0 shows three SYN packets without
>> answers. What rules should I create?
>>
>> I tried something like this, without success:
>> #ipfw add 01500 allow ip from 10.0.0.0/16 to any in via re0
>>
>> Thank you very much for any advice and your patience
>>
>> Petr Chocholáč
>> Brno, Czech Republic
>>
>> _______________________________________________
>> freebsd-current@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
> We would need to see all of your current firewall rules (ipfw show)
>
> You'll want to tcpdump on rl0, to see if the packet is being forwarded.
>
> Do you have the machine configured as a gateway? (gateway_enable="YES"
> in /etc/rc.conf)
>
> Are you doing NAT (Network Address Translation) to remap the internal
> (10.0.0.0/16) addresses to your internet routable IP?
>

[Attachment: ipfwshow.txt]

00100 9036394 8499055198 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 134 9313 allow udp from any to 86.49.91.110 dst-port 53 keep-state
00500 0 0 allow udp from 86.49.91.110 53 to any keep-state
00600 0 0 allow tcp from 86.49.91.107 to any dst-port 25 setup
00700 0 0 allow tcp from 86.49.91.98 25 to any dst-port 25 setup
00800 0 0 allow udp from 86.49.91.110 53 to any keep-state
00900 956234 80342962 allow icmp from 86.49.91.98 to any keep-state
01000 17235 1324207 allow icmp from any to 86.49.91.98 keep-state
01100 14068 1530257 allow udp from 86.49.91.98 53 to any keep-state
01200 7759 554809 allow ip from 172.16.0.0/24 to 86.49.91.96/28
01300 946 72736 allow ip from 86.49.91.96/28 to 172.16.0.0/24
01400 0 0 allow ip from 172.16.0.0/16 to 195.113.191.160/28 dst-port 8080,26,55555,10943,22,26,3128,61085,514,25,53
01500 0 0 allow ip from 172.16.0.0/16 to 86.49.91.96/28 dst-port 8080,26,55555,10943,22,26,3128,61085,514,25,53,993
01600 722 38642 deny log ip from 218.0.0.0/8 to any via rl0
01700 0 0 deny log ip from 221.6.178.0/24{0-63} to any via rl0
01800 0 0 deny log ip from 210.68.8.128/25 to any via rl0
01900 12 845 deny log ip from 121.8.0.0/13 to any via rl0
02000 0 0 deny log ip from 58.208.0.0/20 to any via rl0
02100 0 0 deny log ip from 62.193.235.47 to any via rl0
02200 0 0 deny log ip from 74.208.164.166 to any via rl0
02300 0 0 deny log ip from any to 74.208.164.166
02400 0 0 deny log ip from 61.78.0.0/16 to any via rl0
02500 0 0 deny log ip from 91.200.108.0/24 to any dst-port 25 via rl0
02600 0 0 allow ip from 172.16.2.0/24 to any dst-port 53 keep-state
02700 67565 11649052 allow ip from 172.16.2.0/23 to any dst-port 53 keep-state
02800 240 17484 allow log logamount 2 udp from 172.16.0.99 to any dst-port 53 out via rl0 keep-state
02900 0 0 allow log logamount 2 udp from any 53 to 172.16.0.99 in via rl0 keep-state
03000 0 0 allow log logamount 2 udp from any 53 to 192.168.1.1 in via rl0 keep-state
03100 23 1493 allow log logamount 100 udp from 192.168.1.1 53 to any keep-state
03200 0 0 fwd 172.16.0.99,8080 tcp from 172.16.2.0/24 to any dst-port 80 out via rl0
03300 2543961 222167859 fwd 172.16.0.99,8080 tcp from 172.16.2.0/23 to any dst-port 80 out via rl0
03400 0 0 allow tcp from 172.16.2.0/23 to 172.16.0.2 setup
03500 0 0 allow tcp from 172.16.2.0/24 to 172.16.0.2 setup
03600 0 0 allow ip from 172.16.2.0/23 to 172.16.0.2 setup
03700 0 0 allow ip from 172.16.2.0/24 to 172.16.0.2 setup
03800 0 0 allow tcp from 172.16.2.0/24 to 192.168.1.1 setup
03900 0 0 allow tcp from 172.16.2.0/24 to 192.168.1.1 setup
04000 29654 1806084 allow tcp from 172.16.2.0/23 to any dst-port 8080,80,3128 setup
04100 0 0 allow udp from 172.16.2.0/23 to any dst-port 53 keep-state
04200 0 0 allow tcp from 172.16.1.0/24 to any dst-port 8080,80,3128 setup
04300 0 0 allow udp from 172.16.1.0/24 to any dst-port 53 keep-state
04400 0 0 allow log udp from 172.16.0.0/24 to any dst-port 53 keep-state
04500 0 0 allow log ip from any to 83.240.84.57 setup
04600 0 0 deny log ip from 172.16.1.0/24 to any not dst-port 443,8080,80,3128,53,1935
04700 65767 4520394 deny log ip from 172.16.2.0/23 to any not dst-port 443,8080,80,3128,53,1935
04800 600 60337 deny log ip from 192.168.1.223 to any not dst-port 80,443,8080,3128,53,1935,993,10943
04900 10 778 deny ip from 61.79.0.0/16 to any via rl0
05000 0 0 deny ip from 61.80.0.0/16 to any via rl0
05100 1 40 deny ip from 61.81.0.0/16 to any via rl0
05200 0 0 deny ip from 61.82.0.0/16 to any via rl0
05300 0 0 deny ip from 61.83.0.0/16 to any via rl0
05400 0 0 deny ip from 61.84.0.0/16 to any via rl0
05500 0 0 deny ip from 61.85.0.0/16 to any via rl0
05600 0 0 deny ip from 195.23.121.0/24 to any via rl0
05700 1 48 allow tcp from any to 86.49.91.98 dst-port 444 setup via rl0
05800 0 0 allow tcp from any to 86.49.91.98 dst-port 444 via rl0
05900 777 40028 allow tcp from any to 86.49.91.98 dst-port 80 setup via rl0
06000 3382 340639 allow tcp from any to 86.49.91.98 dst-port 80 via rl0
06100 0 0 allow tcp from any to { 195.113.191.171 or 86.49.91.107 } dst-port 3049 setup
06200 45 1956 allow tcp from any to { 195.113.191.171 or 86.49.91.107 } dst-port 443 setup
06300 0 0 allow tcp from any to { 195.113.191.171 or 86.49.91.107 } dst-port 443
06400 167 6992 allow tcp from any to { 195.113.191.171 or 86.49.91.107 } dst-port 80 setup
06500 1 44 allow tcp from any to { 195.113.191.171 or 86.49.91.107 } dst-port 80
06600 0 0 allow tcp from 83.240.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
06700 0 0 allow tcp from 83.240.1.249 to 86.49.91.98 dst-port 443 setup via rl0
06800 0 0 allow tcp from 89.176.0.0/15 to 86.49.91.98 dst-port 80 setup via rl0
06900 0 0 allow tcp from 89.176.0.0/15 to 86.49.91.98 dst-port 443 setup via rl0
07000 0 0 allow tcp from 62.245.96.0/19 to 86.49.91.98 dst-port 80 setup via rl0
07100 0 0 allow tcp from 62.245.100.0/24 to 86.49.91.98 dst-port 80 setup via rl0
07200 0 0 allow tcp from 62.245.101.0/24 to 86.49.91.98 dst-port 80 setup via rl0
07300 0 0 allow tcp from 62.245.102.0/24 to 86.49.91.98 dst-port 80 setup via rl0
07400 0 0 allow tcp from 62.245.103.0/24 to 86.49.91.98 dst-port 80 setup via rl0
07500 0 0 allow tcp from 62.245.96.0/19 to 86.49.91.98 dst-port 443 setup via rl0
07600 0 0 allow tcp from 62.245.100.0/24 to 86.49.91.98 dst-port 443 setup via rl0
07700 0 0 allow tcp from 62.245.101.0/24 to 86.49.91.98 dst-port 443 setup via rl0
07800 0 0 allow tcp from 62.245.102.0/24 to 86.49.91.98 dst-port 443 setup via rl0
07900 0 0 allow tcp from 62.245.103.0/24 to 86.49.91.98 dst-port 443 setup via rl0
08000 0 0 allow tcp from 62.245.104.0/24 to 86.49.91.98 dst-port 443 setup via rl0
08100 0 0 allow tcp from 62.245.105.0/24 to 86.49.91.98 dst-port 443 setup via rl0
08200 0 0 allow tcp from 62.245.106.0/24 to 86.49.91.98 dst-port 443 setup via rl0
08300 0 0 allow tcp from 62.245.107.0/24 to 86.49.91.98 dst-port 443 setup via rl0
08400 0 0 allow tcp from 62.245.108.0/24 to 86.49.91.98 dst-port 443 setup via rl0
08500 0 0 allow tcp from 62.245.109.0/24 to 86.49.91.98 dst-port 443 setup via rl0
08600 0 0 allow tcp from 62.245.110.0/24 to 86.49.91.98 dst-port 443 setup via rl0
08700 0 0 allow tcp from 62.245.111.0/24 to 86.49.91.98 dst-port 443 setup via rl0
08800 0 0 allow tcp from 85.70.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
08900 0 0 allow tcp from 85.71.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
09000 0 0 allow tcp from 84.42.232.0/21 to 86.49.91.98 dst-port 443 setup via rl0
09100 0 0 allow tcp from 84.42.240.0/20 to 86.49.91.98 dst-port 443 setup via rl0
09200 0 0 allow tcp from 80.188.157.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09300 0 0 allow tcp from 89.102.9.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09400 0 0 allow tcp from 89.102.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
09500 0 0 allow tcp from 81.27.192.0/20 to 86.49.91.98 dst-port 443 setup via rl0
09600 0 0 allow tcp from 81.19.32.0/20 to 86.49.91.98 dst-port 443 setup via rl0
09700 0 0 allow tcp from 89.103.88.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09800 0 0 allow tcp from 89.102.207.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09900 0 0 allow tcp from 94.112.0.0/15 to 86.49.91.98 dst-port 443 setup via rl0
10000 0 0 allow tcp from 94.112.0.0/14 to 86.49.91.98 dst-port 443 setup via rl0
10100 0 0 allow tcp from 78.44.0.0/15 to 86.49.91.98 dst-port 443 setup via rl0
10200 0 0 allow tcp from 78.45.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
10300 0 0 allow tcp from 78.102.0.0/15 to 86.49.91.98 dst-port 443 setup via rl0
10400 0 0 allow tcp from 78.102.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
10500 0 0 allow tcp from 84.42.224.0/20 to 86.49.91.98 dst-port 443 setup via rl0
10600 0 0 allow tcp from 84.42.128.0/17 to 86.49.91.98 dst-port 443 setup via rl0
10700 0 0 allow tcp from 77.240.184.0/21 to 86.49.91.98 dst-port 993 setup via rl0
10800 0 0 allow tcp from 81.19.8.114 to 86.49.91.98 dst-port 993 setup via rl0
10900 0 0 allow tcp from 81.19.8.114 to 86.49.91.98 dst-port 993 via rl0
11000 0 0 allow tcp from 176.74.128.0/17 to 86.49.91.98 dst-port 993 setup via rl0
11100 0 0 allow tcp from 176.74.157.135 to 86.49.91.98 dst-port 993 setup via rl0
11200 0 0 deny log ip from any to 149.20.56.33
11300 0 0 deny log ip from any to 149.20.56.32
11400 0 0 deny log ip from any to 143.215.143.11
11500 0 0 deny log ip from any to 143.215.129.26
11600 0 0 deny log ip from any to 149.20.56.34
11700 0 0 deny log ip from any to 143.215.130.33
11800 0 0 deny log ip from any to 87.106.24.200
11900 0 0 deny log ip from any to 149.20.56.33
12000 6501 301558 deny log ip from any to 86.49.91.96/28 dst-port 3306,8080,26,55555,10943,22,26,61085,514 via rl0
12100 941 37928 deny log ip from any to 86.49.91.96/28 dst-port 3128 via rl0
12200 85603 8017309 allow log ip from any to 86.49.91.96/28 via re0
12300 0 0 allow log ip from any to 86.49.91.96/28 via re0
12400 85456 59560204 allow log ip from 86.49.91.96/28 to any via re0
12500 465 20568 deny ip from any to 10.0.0.0/8 via rl0
12600 0 0 deny ip from any to 0.0.0.0/8 via rl0
12700 0 0 deny ip from any to 169.254.0.0/16 via rl0
12800 0 0 deny ip from any to 192.0.2.0/24 via rl0
12900 248 17840 deny ip from any to 224.0.0.0/4 via rl0
13000 10 3710 deny ip from any to 240.0.0.0/4 via rl0
13100 62 4652 skipto 14000 tcp from 192.168.1.251 to any dst-port 80
13200 0 0 fwd 192.168.1.1,3128 tcp from 172.16.1.0/24 to any dst-port 80 out via rl0
13300 0 0 fwd 192.168.1.1,3128 tcp from 172.16.2.0/23 to any dst-port 80 out via rl0
14000 0 0 allow tcp from 192.168.1.223 to any dst-port 25
14100 0 0 allow tcp from 192.168.1.253 to any dst-port 25
14200 0 0 allow tcp from 192.168.1.199 to any dst-port 25
14300 0 0 allow tcp from any to 192.168.1.199 dst-port 25
14400 0 0 deny log tcp from 172.16.1.0/24 to any dst-port 25
14500 0 0 deny log tcp from 172.16.2.0/24 to any dst-port 25
14600 6 2046 deny log udp from any to { 195.113.191.160/28 or 86.49.91.96/28 } dst-port 67 via rl0
14700 0 0 deny tcp from not 192.168.1.0/24{164,251} to { 195.113.191.169 or 86.49.91.105 } dst-port 22 via re0
14800 0 0 allow tcp from 192.168.1.223 to any dst-port 25
14900 0 0 allow tcp from 192.168.1.253 to any dst-port 25
15000 0 0 allow tcp from 192.168.1.251 to 192.168.1.1 dst-port 25 setup
15100 0 0 allow tcp from 192.168.1.111 to 192.168.1.1 dst-port 25
15200 0 0 deny log udp from any to { 195.113.191.160/28 or 86.49.91.96/28 } dst-port 67 via rl0
15300 0 0 deny tcp from not 192.168.1.0/24{164,251} to { 195.113.191.169 or 86.49.91.105 } dst-port 22 via re0
15400 20999597 16135713820 divert 8668 ip from any to any via rl0
15500 73 4900 allow icmp from 172.16.0.0/24 to any
15600 0 0 allow icmp from 172.16.0.0/24 to any keep-state
15700 0 0 allow udp from 172.16.0.99 to any via re0 keep-state
15800 0 0 allow udp from any to 172.16.0.99 via rl0 keep-state
15900 0 0 allow udp from any to 172.16.0.99 via re0 keep-state
16000 0 0 allow tcp from 172.16.0.0/24 to any setup
16100 208138 13112674 allow icmp from 192.168.1.0/24 to any icmptypes 0,8 via re0
16200 0 0 allow icmp from any to 192.168.1.0/24 icmptypes 0,8 via re0
16300 0 0 allow icmp from any to 192.168.1.0/24 icmptypes 0,8 via rl0
16400 0 0 allow icmp from 213.29.21.68 to { 195.113.191.160/28 or 86.49.91.96/28 } icmptypes 0,8 via rl0
16500 0 0 allow icmp from any to 192.168.1.0/24 icmptypes 0,8 via re0
16600 0 0 allow icmp from any to 192.168.1.0/24 icmptypes 0,8 via rl0
16700 0 0 allow icmp from 213.29.21.68 to { 195.113.191.160/28 or 86.49.91.96/28 } icmptypes 0,8 via rl0
16800 0 0 allow icmp from 86.49.91.97 to { 195.113.191.160/28 or 86.49.91.96/28 } icmptypes 0,8 via rl0
16900 37 2532 allow icmp from { 195.113.191.160/28 or 86.49.91.96/28 } to any icmptypes 0,8 via rl0
17000 111716 5874040 allow tcp from 86.49.91.98 to any setup
17100 0 0 allow tcp from { 195.113.191.167 or 86.49.91.103 } to any setup
17200 0 0 deny ip from 0.0.0.0/8 to any via rl0
17300 0 0 deny ip from 169.254.0.0/16 to any via rl0
17400 0 0 deny ip from 192.0.2.0/24 to any via rl0
17500 0 0 deny ip from 224.0.0.0/4 to any via rl0
17600 0 0 deny ip from 240.0.0.0/4 to any via rl0
17700 399559319 339151751085 allow tcp from any to any established
17800 2 522 allow ip from any to any frag
17900 0 0 deny log tcp from any to 86.49.91.98 dst-port 80
18000 916 44672 allow tcp from any to 86.49.91.107 dst-port 25,26 setup
18100 0 0 allow tcp from any to 86.49.91.98 dst-port 25 setup
18200 0 0 allow tcp from any to { 195.113.191.171 or 86.49.91.107 } dst-port 25 setup
18300 269 13068 allow tcp from any to { 195.113.191.164 or 86.49.91.100 } dst-port 25 setup
18400 0 0 allow tcp from 192.168.1.223 to 192.168.1.1 dst-port 2049,111 via re0 setup
18500 0 0 allow tcp from 192.168.1.251 to 192.168.1.1 dst-port 2049,111 via re0 setup
18600 22 1024 deny tcp from any to any dst-port 2049,111
18700 0 0 allow udp from 192.168.1.223 to 192.168.1.1 dst-port 111,2049 via re0 keep-state
18800 0 0 allow udp from 192.168.1.251 to 192.168.1.1 dst-port 111,2049 via re0 keep-state
18900 88 6008 deny udp from any to any dst-port 2049,111
19000 36499 1936092 allow log tcp from 192.168.1.0/24 to any via re0 setup
19100 0 0 allow log tcp from 192.168.1.0/24 to any via re0
19200 486010 58558185 allow log udp from 192.168.1.0/24 to any via re0 keep-state
19300 17384 1048620 allow log logamount 2 tcp from 172.16.0.0/12 to any via re0 setup
19400 151549 11770225 allow log logamount 2 udp from 172.16.0.0/12 to any via re0
19500 0 0 allow tcp from any to 172.16.0.2 via re0 setup
19600 0 0 allow tcp from any to 172.16.0.251 via re0 setup
19700 0 0 allow tcp from 192.168.1.0/24 to { 195.113.191.160/28 or 86.49.91.96/28 } dst-port 3128 setup
19800 0 0 allow udp from 192.168.1.0/24 to { 195.113.191.160/28 or 86.49.91.96/28 } dst-port 3128
19900 0 0 allow udp from 192.168.1.0/24 to any dst-port 3130
20000 0 0 allow tcp from { 195.113.191.160/28 or 86.49.91.96/28 } to 86.49.91.98 dst-port 3128 setup via re0
20100 0 0 allow tcp from 192.168.1.0/24 to { 195.113.191.164 or 86.49.91.100 } dst-port 22 setup
20200 0 0 allow tcp from any to 172.16.0.253 dst-port 22 setup
20300 0 0 allow tcp from any 80 to 192.168.1.0/24
20400 0 0 allow tcp from { 195.113.191.167 or 86.49.91.103 } to 86.49.91.98 dst-port 5432 via re0 setup
20500 23184 1292000 allow tcp from any to { 195.113.191.169 or 86.49.91.105 } dst-port 80 setup
20600 0 0 allow tcp from any to { 195.113.191.169 or 86.49.91.105 } dst-port 3049 setup
20700 922 50916 allow tcp from any to { 195.113.191.173 or 86.49.91.109 } dst-port 80 setup
20800 0 0 allow tcp from any to { 195.113.191.171 or 86.49.91.107 } dst-port 80 setup
20900 1 40 allow tcp from any to { 195.113.191.171 or 86.49.91.107 } dst-port 443 setup
21000 0 0 allow tcp from { 195.113.191.166 or 86.49.91.102 } to { 195.113.191.169 or 86.49.91.105 } dst-port 22 via re0 setup
21100 0 0 allow tcp from any to { 195.113.191.168 or 86.49.91.104 } dst-port 115 setup
21200 0 0 allow tcp from { 195.113.191.160/28 or 86.49.91.96/28 } to { 195.113.191.168 or 86.49.91.104 } dst-port 22 setup
21300 0 0 allow tcp from 81.19.11.196 to { 195.113.191.168 or 86.49.91.104 } dst-port 22 setup
21400 0 0 allow tcp from any to { 195.113.191.167 or 86.49.91.103 } dst-port 3049 setup
21500 0 0 allow tcp from any to { 195.113.191.167 or 86.49.91.103 } dst-port 3049
21600 0 0 allow tcp from any to { 195.113.191.169 or 86.49.91.105 } dst-port 3049 setup
21700 0 0 allow tcp from 176.74.157.135 to { 195.113.191.169 or 86.49.91.105 } dst-port 3049
21800 612 33880 allow tcp from any to { 195.113.191.167 or 86.49.91.103 } dst-port 443 setup
21900 0 0 allow tcp from any to { 195.113.191.167 or 86.49.91.103 } dst-port 443 setup
22000 0 0 allow tcp from any to { 195.113.191.171 or 86.49.91.107 } dst-port 443 setup
22100 0 0 allow tcp from any to { 195.113.191.171 or 86.49.91.107 } dst-port 80 setup
22200 183 7728 allow tcp from any to { 195.113.191.174 or 86.49.91.110 } dst-port 80 setup
22300 0 0 allow tcp from any to { 195.113.191.173 or 86.49.91.109 } dst-port 80 setup
22400 0 0 allow tcp from 77.240.184.0/21 to { 195.113.191.168 or 86.49.91.104 } setup
22500 0 0 allow tcp from 176.74.128.0/17 to { 195.113.191.168 or 86.49.91.104 } setup
22600 343 16840 allow tcp from any to { 195.113.191.168 or 86.49.91.104 } dst-port 80 setup
22700 175 7308 allow tcp from any to { 195.113.191.166 or 86.49.91.102 } dst-port 80 setup
22800 6 256 allow tcp from any to { 195.113.191.168 or 86.49.91.104 } dst-port 110 setup
22900 3 120 allow tcp from any to { 195.113.191.168 or 86.49.91.104 } dst-port 3129 setup
23000 14 612 allow tcp from any to { 195.113.191.168 or 86.49.91.104 } dst-port 8000 setup
23100 129 6884 allow tcp from any to { 195.113.191.168 or 86.49.91.104 } dst-port 443 setup
23200 0 0 allow tcp from any to 172.16.1.0/24 setup
23300 0 0 allow tcp from any to 172.16.2.0/23 setup
23400 0 0 allow udp from any to 172.16.1.0/24
23500 0 0 allow udp from any to 172.16.2.0/23
23600 0 0 allow udp from any to 172.16.0.2
23700 0 0 allow udp from any to 172.16.0.3
23800 0 0 allow tcp from any to 172.16.0.2 setup
23900 0 0 allow tcp from any to 172.16.0.3 setup
24000 15 888 allow tcp from any to 86.49.91.98 dst-port 53 setup
24100 1023 65626 allow udp from any to 86.49.91.98 dst-port 53
24200 0 0 allow tcp from any to 86.49.91.98 dst-port 53 setup
24300 0 0 allow udp from any to 86.49.91.98 dst-port 53
24400 307023 51681967 allow udp from any to any dst-port 53 keep-state
24500 115056 12704240 allow udp from any 53 to any keep-state
24600 0 0 allow udp from 86.49.91.98 to any dst-port 53 keep-state
24700 0 0 allow udp from 86.49.91.98 53 to any keep-state
24800 0 0 allow ip from any to 172.16.0.99 keep-state
24900 0 0 allow ip from 172.16.0.99 to any keep-state
25000 0 0 allow log logamount 2 udp from not 172.16.0.99 to any dst-port 53 via re0 keep-state
25100 0 0 allow udp from any 53 to any via re0 keep-state
25200 154706 11757656 allow udp from 86.49.91.98 to any dst-port 123 keep-state
25300 21293 1563407 allow udp from any to any dst-port 123 keep-state
25400 557050 171076733 allow log logamount 100 ip from any to any via re0
25500 3860 185648 allow log logamount 2 ip from any to { 195.113.191.174 or 86.49.91.110 } setup
25600 39627 1963136 deny log logamount 100 tcp from any to any via rl0 setup
25700 6691 1610703 deny log logamount 100 udp from any to any via rl0
25800 8424 639068 deny log logamount 2 icmp from any to any
25900 0 0 deny log logamount 100 ip from any to any dst-port 68 via re0
26000 0 0 deny log logamount 100 ip from any to any dst-port 67 via re0
65535 370105 114020634 deny ip from any to any

[Attachment: tcpdump.txt]

08:43:12.529990 IP 172.16.3.130.57564 > 64.233.184.109.993: Flags [S], seq 1047705988, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
08:43:15.541589 IP 172.16.3.130.57564 > 64.233.184.109.993: Flags [S], seq 1047705988, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
08:43:21.545748 IP 172.16.3.130.57564 > 64.233.184.109.993: Flags [S], seq 1047705988, win 8192, options [mss 1460,nop,nop,sackOK], length 0
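The attachments above contain everything needed to answer the question by hand: ipfw is first-match, a forwarded packet is evaluated once "in via re0" and again "out via rl0", and the SYN in the tcpdump is from 172.16.3.130, which lies in 172.16.2.0/23. The script below is an added example written for this page, not code from the thread or from FreeBSD. It implements a small first-match evaluator for exactly the rule syntax used by the posted rules that can touch this packet (a hand-picked subset of the posted `ipfw show` output, copied with its counters; the omitted rules cannot match a TCP SYN from 172.16.3.130 to port 993 on either pass), models `divert 8668` as natd rewriting the source to the public address from the thread and reinjecting at the following rule, and then traces the posted SYN through three rulesets: the rules as posted, the same rules with 993 added to the port list of 04700, and the rules with a hypothetical rule 04650 that allows port 993 outright. The rule number 04650 and the PUBLIC_IP constant are assumptions for the example; dynamic (keep-state) rules and fwd targets are not modelled.

```python
"""Toy first-match evaluator for the subset of ipfw(8) syntax in the posted rules.
Added example, not from the thread. 'allow', 'deny' and 'fwd' terminate a pass; a
'divert' to natd is modelled as rewriting the source to PUBLIC_IP and continuing
at the next rule, which is where natd's reinjected packet re-enters. A forwarded
packet is checked twice: 'in' via re0, then 'out' via rl0. keep-state is ignored."""
from ipaddress import ip_address, ip_network

PUBLIC_IP = "86.49.91.98"  # NAT address stated in the thread (assumed to be natd's -alias_address)

# Hand-picked subset of the posted 'ipfw show' output, copied with its counters:
# the rules that decide the fate of a TCP SYN from 172.16.3.130 to port 993.
# The omitted rules cannot match that packet on either pass.
RULES = """
00100 9036394 8499055198 allow ip from any to any via lo0
01400 0 0 allow ip from 172.16.0.0/16 to 195.113.191.160/28 dst-port 8080,26,55555,10943,22,26,3128,61085,514,25,53
01500 0 0 allow ip from 172.16.0.0/16 to 86.49.91.96/28 dst-port 8080,26,55555,10943,22,26,3128,61085,514,25,53,993
02600 0 0 allow ip from 172.16.2.0/24 to any dst-port 53 keep-state
02700 67565 11649052 allow ip from 172.16.2.0/23 to any dst-port 53 keep-state
03300 2543961 222167859 fwd 172.16.0.99,8080 tcp from 172.16.2.0/23 to any dst-port 80 out via rl0
04000 29654 1806084 allow tcp from 172.16.2.0/23 to any dst-port 8080,80,3128 setup
04700 65767 4520394 deny log ip from 172.16.2.0/23 to any not dst-port 443,8080,80,3128,53,1935
15400 20999597 16135713820 divert 8668 ip from any to any via rl0
17000 111716 5874040 allow tcp from 86.49.91.98 to any setup
19300 17384 1048620 allow log logamount 2 tcp from 172.16.0.0/12 to any via re0 setup
65535 370105 114020634 deny ip from any to any
"""

def _net(tok):
    return "any" if tok == "any" else ip_network(tok)

def parse_rule(line):
    """Parse one 'ipfw show' / 'ipfw list' line of the supported subset into a dict."""
    t, i = line.split(), 1
    if t[1].isdigit() and t[2].isdigit():      # 'ipfw show' prefixes packet and byte counters
        i = 3
    action = t[i]; i += 1
    if action in ("fwd", "divert"):            # these actions carry a target/port argument
        i += 1
    if t[i] == "log":
        i += 3 if t[i + 1] == "logamount" else 1
    proto = t[i]; i += 1
    assert t[i] == "from" and t[i + 2] == "to", line
    r = {"number": int(t[0]), "action": action, "proto": proto, "src": _net(t[i + 1]),
         "dst": _net(t[i + 3]), "dports": None, "negate": False, "setup": False,
         "dir": None, "via": None}
    i += 4
    while i < len(t):
        tok = t[i]; i += 1
        if tok == "not": r["negate"] = True            # applies to the dst-port that follows
        elif tok == "dst-port": r["dports"] = {int(p) for p in t[i].split(",")}; i += 1
        elif tok == "setup": r["setup"] = True
        elif tok in ("in", "out"): r["dir"] = tok
        elif tok == "via": r["via"] = t[i]; i += 1
        elif tok != "keep-state":                       # keep-state accepted, dynamic rules not modelled
            raise ValueError(f"rule {t[0]}: unsupported token {tok!r}")
    return r

def parse_rules(text):
    return sorted((parse_rule(l) for l in text.strip().splitlines()), key=lambda r: r["number"])

def _in(net, addr):
    return net == "any" or ip_address(addr) in net

def matches(r, p):
    """True if rule r matches packet p (keys: proto, src, dst, dport, syn_only, dir, iface)."""
    return (r["proto"] in ("ip", p["proto"])
            and _in(r["src"], p["src"]) and _in(r["dst"], p["dst"])
            and (r["dports"] is None or (p["dport"] in r["dports"]) != r["negate"])
            and (not r["setup"] or p["syn_only"])
            and (r["dir"] is None or r["dir"] == p["dir"])
            and (r["via"] is None or r["via"] == p["iface"]))

def trace(rules, pkt):
    """Return [(iface, rule_number, action, source_addr)] for the in-via-re0 and out-via-rl0 passes."""
    path, src = [], pkt["src"]
    for direction, iface in (("in", "re0"), ("out", "rl0")):
        p = dict(pkt, src=src, dir=direction, iface=iface)
        for r in rules:                            # sorted, so this is first-match order
            if not matches(r, p):
                continue
            if r["action"] == "divert":            # natd rewrites the source; packet re-enters at next rule
                src = p["src"] = PUBLIC_IP
                path.append((iface, r["number"], "divert", src))
                continue
            path.append((iface, r["number"], r["action"], src))
            break                                  # rule 65535 is in the list, so some rule always matches
        if path[-1][2] != "allow":                 # deny or fwd ends the packet's journey here
            break
    return path

# The SYN from the posted tcpdump: 172.16.3.130.57564 > 64.233.184.109.993, Flags [S]
SYN_993 = {"proto": "tcp", "src": "172.16.3.130", "dst": "64.233.184.109", "dport": 993, "syn_only": True}

def as_posted():
    return trace(parse_rules(RULES), SYN_993)

def with_993_in_04700():
    fixed = RULES.replace("53,1935\n", "53,1935,993\n")   # add 993 to the port list of rule 04700
    return trace(parse_rules(fixed), SYN_993)

def with_allow_before_nat():
    extra = "04650 0 0 allow tcp from 172.16.2.0/23 to any dst-port 993 setup\n"   # hypothetical rule
    return trace(parse_rules(RULES + extra), SYN_993)

if __name__ == "__main__":
    for fn in (as_posted, with_993_in_04700, with_allow_before_nat):
        print(f"{fn.__name__:22} {fn()}")
```

As posted, the SYN is eaten on the inbound re0 pass by 04700 (`deny log ip from 172.16.2.0/23 to any not dst-port 443,8080,80,3128,53,1935`), which is consistent with that rule's non-zero counters and with tcpdump on rl0 showing nothing; the user's attempt at rule 01500 is never consulted for this packet because its destination is the local /28, not Gmail. Adding 993 to the port list of 04700 lets the packet fall through to 19300 inbound, then to the natd divert at 15400 and the post-NAT allow at 17000 outbound, which is the same path the LAN's existing port 443 traffic takes. The third scenario shows the trap: an unconditional allow placed before 15400 matches on the outbound pass too, so the packet leaves rl0 with its private 172.16.3.130 source and never reaches natd. On the real host the same diagnosis is made by running `ipfw zero`, retrying the connection, and checking which rule's packet counter rose by three in `ipfw show`; because 04700 carries `log`, the denials also appear in the security log when net.inet.ip.fw.verbose is enabled.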