Trouble with ipfilter rules

Probably no specialist alive today can claim a thorough knowledge of this subject. ;-)
So let's help each other.



Trouble with ipfilter rules

Post by mclaud » 15 Jun 2005, 14:06

There is a gateway on FreeBSD 4.10 + ipfilter, with 2 interfaces: rl0 (int) + rl1 (ext).
Here are the rules; my comments are in there, so I hope it is clear what is for what.
#block hack packets (IP options; TCP packets too short to hold a full header)
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
#pass everything on loopback
pass in on lo0 all
pass out on lo0 all
#
#INTERNAL
#
#pass all outgoing from internal
#(the head rule itself is a block; packets it matches are checked against group 100 only)
block out on rl0 all head 100
block out from 127.0.0.1/8 to any group 100
#block incoming from intranet on internal 192.168.0.102
#(packets entering on rl0 are checked against group 200)
pass in on rl0 all head 200
block in from 127.0.0.1/8 to any group 200
block in from 192.168.0.111/32 to any group 200
pass in quick proto icmp from 192.168.0.0/24 to any keep state group 200
#pass from internal to proxy
pass in quick proto tcp from 192.168.0.0/24 to any port = 9876 keep state group 200
#pass mail,internet,cvs from 192.168.0.25
pass in quick proto tcp from 192.168.0.25/32 to any port = smtp keep state group 200
pass in quick proto tcp from 192.168.0.25/32 to any port = ftp keep state group 200
pass in quick proto tcp from 192.168.0.25/32 to any port = www keep state group 200
pass in quick proto tcp from 192.168.0.25/32 to any port = 5999 keep state group 200
#pass time,internet,dns from 192.168.0.100
pass in quick proto tcp from 192.168.0.100/32 to any port = ftp keep state group 200
pass in quick proto tcp from 192.168.0.100/32 to any port = ntp keep state group 200
pass in quick proto tcp from 192.168.0.100/32 to any port = www keep state group 200
pass in quick proto tcp from 192.168.0.100/32 to any port = 53 group 200
pass in quick proto udp from 192.168.0.100/32 to any port = 53 group 200
#pass dns from 192.168.0.101
pass in quick proto udp from 192.168.0.101/32 to any port = 53 keep frags group 200
pass in quick proto tcp from 192.168.0.101/32 to any port = 53 keep state keep frags group 200
#pass ftp, traceroute
#('flags S' matches SYN-only packets, i.e. new connections; keep state then covers the rest of the session)
pass in quick proto tcp from 192.168.0.0/24 to any port > 1023 flags S keep state keep frags group 200
pass in quick proto udp from 192.168.0.0/24 to any port 3323 >< 33525 keep state keep frags group 200
#pass ssh (no keep state on this rule)
pass in quick proto tcp/udp from 192.168.0.39 to any port = ssh group 200
#
#EXTERNAL
#
#block all outgoing from external
block out quick on rl1 all head 300
block out from 127.0.0.1/8 to any group 300
block out from any to 127.0.0.1/8 group 300
#block out from any to 212.34.41.67/32 group 300
pass out quick proto icmp from any to any keep state group 300
#pass mail,internet,cvs from 192.168.0.25
pass out quick proto tcp from 192.168.0.25/32 to any port = smtp flags S keep state keep frags group 300
pass out quick proto tcp from 192.168.0.25/32 to any port = ftp flags S keep state keep frags group 300
pass out quick proto tcp from 192.168.0.25/32 to any port = www flags S keep state keep frags group 300
pass out quick proto tcp from 192.168.0.25/32 to any port = 5999 flags S keep state keep frags group 300
#pass time,internet,dns from 192.168.0.100
pass out quick proto tcp from 192.168.0.100/32 to any port = ftp flags S keep state keep frags group 300
pass out quick proto tcp/udp from 192.168.0.100/32 to any port = ntp keep frags group 300
pass out quick proto tcp from 192.168.0.100/32 to any port = www flags S keep state keep frags group 300
pass out quick proto udp from 192.168.0.100/32 to any port = 53 keep state keep frags group 300
pass out quick proto tcp from 192.168.0.100/32 to any port = 53 flags S keep state keep frags group 300
#pass dns from 192.168.0.101
pass out quick proto udp from 192.168.0.101/32 to any port = 53 keep frags group 300
pass out quick proto tcp from 192.168.0.101/32 to any port = 53 flags S keep state keep frags group 300
#pass ftp, traceroute
#pass out quick proto tcp from 192.168.0.0/24 to any port > 1023 flags S keep state keep frags group 300
pass out quick proto udp from 192.168.0.0/24 to any port 3323 >< 33525 keep state keep frags group 300
#block hack packets
#block return-rst in log proto tcp from any to any flags S/SA group 300
#block incoming from intranet on internal 192.168.0.11
block in on rl1 all head 400
block in from 127.0.0.1/8 to any group 400
pass in quick proto icmp from any to any keep state group 400
pass in quick proto tcp from any to any port = www keep state group 400
pass in quick proto tcp from any to any port = smtp keep state group 400
pass in quick proto tcp from any to any port = 443 keep state group 400
#block hack packets
#(answer unmatched TCP SYNs with a RST, and other UDP with an ICMP unreachable, instead of dropping silently)
block return-rst in log proto tcp from any to any flags S/SA group 400
block return-icmp in proto udp all group 400
So here is the problem: if I put pass in all on the internal interface, everything works fine, including ipnat. If block, then ssh is slow and the machine itself does not resolve names from the internal DNS, although all the rules seem to be there. What is the mistake?
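To see which rule ends up deciding each packet under ipf's evaluation order (state table first; then last match wins, quick stops early, and a head rule's own action is the default for its group), here is an added toy evaluator; it is not from the original post or from ipfilter. It models only a subset of the rl0 groups with the block head the question describes, and it assumes constructed addresses (the gateway as 192.168.0.1, an external host 10.0.0.5) and a default-pass kernel; the trace says what this model decides, not what the real box does.

```python
import ipaddress
from collections import namedtuple

# Only the fields this trace needs; None matches anything, src is a CIDR (assumed simplification).
Rule = namedtuple("Rule", "action direction iface proto src dport quick keep_state head group",
                  defaults=(None, None, "0.0.0.0/0", None, False, False, None, None))
Pkt = namedtuple("Pkt", "direction iface proto src sport dst dport")

def matches(r, p):
    return (p.direction == r.direction and r.iface in (None, p.iface) and r.proto in (None, p.proto)
            and r.dport in (None, p.dport) and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src))

def evaluate(rules, p, state):
    # Modelled ipf order: state table, then last match wins; 'quick' stops; a head's action is its group's default.
    key, rev = (p.proto, p.src, p.sport, p.dst, p.dport), (p.proto, p.dst, p.dport, p.src, p.sport)
    if key in state or rev in state:
        return "pass", "state"
    decision, why = "pass", "default"  # assumes a kernel built without IPFILTER_DEFAULT_BLOCK
    for r in (r for r in rules if r.group is None):
        if not matches(r, p):
            continue
        decision, why, stop = r.action, r, r.quick
        for g in (g for g in rules if r.head is not None and g.group == r.head):
            if matches(g, p):  # group members are consulted only because the head matched
                decision, why, stop = g.action, g, stop or g.quick
                if g.quick:
                    break
        if stop:
            break
    if decision == "pass" and isinstance(why, Rule) and why.keep_state:
        state.add(key)  # 'keep state': the reply passes without visiting the rules again
    return decision, why

# Constructed rules modelled on the poster's rl0 groups, with the 'block' head the question asks about.
RULES = [Rule("block", "out", "rl0", head=100),
         Rule("block", "out", src="127.0.0.0/8", group=100),
         Rule("block", "in", "rl0", head=200),
         Rule("pass", "in", proto="tcp", src="192.168.0.25/32", dport=25, quick=True, keep_state=True, group=200),
         Rule("pass", "in", proto="udp", src="192.168.0.101/32", dport=53, quick=True, group=200),
         Rule("pass", "in", proto="tcp", src="192.168.0.39/32", dport=22, quick=True, group=200)]
GW = "192.168.0.1"  # assumed address of the gateway itself on rl0

def trace_sample():
    # Runs constructed packets through RULES; returns (decision, deciding group or 'state') per packet.
    state, results = set(), []
    for p in [Pkt("in", "rl0", "tcp", "192.168.0.25", 40000, "10.0.0.5", 25),  # client SMTP, keeps state
              Pkt("out", "rl0", "tcp", "10.0.0.5", 25, "192.168.0.25", 40000), # SMTP reply: state entry
              Pkt("in", "rl0", "tcp", "192.168.0.39", 50000, GW, 22),          # ssh to the gateway itself
              Pkt("out", "rl0", "tcp", GW, 22, "192.168.0.39", 50000),         # ssh reply: no state kept
              Pkt("out", "rl0", "udp", GW, 51000, "192.168.0.101", 53),        # gateway's own DNS query
              Pkt("in", "rl0", "udp", "192.168.0.101", 53, GW, 51000)]:        # answer: dport is not 53
        d, why = evaluate(RULES, p, state)
        results.append((d, why if isinstance(why, str) else why.group or why.head))
    return results
```

On the real gateway, `ipfstat -hnio` (rule hit counts) and `ipmon` output for the `log` rules show the actual decisions rather than this model's.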


Re: Trouble with ipfilter rules

Post by Stranger03 » 20 Jun 2005, 09:42

mclaud wrote: works fine, including ipnat. If block, then ssh is slow and the machine itself does not resolve names from the internal DNS, although all the rules seem to be there. What is the mistake?
Usually internal traffic is always allowed. Don't rack your brains over it.
