FreeBSD做网关后QQ的问题

sh1970

我这有一网吧用FreeBSD+ipfilter 3.1做网关,下面的电脑的QQ常收不到消息,如果把QQ离线再上线那没收到的消息就会一下子出来,QQ换过版本了重装也这样,但其它游戏很正常,不知道各位有无这方面的经验共享一下,谢谢!!!

我的ipf规则(rl1接外网,是光钎公网地址):
block in quick all with ipopts
block in quick all with frag
block in quick all with short

block in quick proto tcp/udp from any to any port 134 >;< 140
block in quick proto tcp/udp from any to any port = 445
block in quick proto tcp/udp from any to any port = 593
block in quick proto tcp/udp from any to any port = 1434

pass in quick on rl0 all
pass out quick on rl0 all
pass in quick on lo0 all
pass out quick on lo0 all

block out quick on rl1 all head 11
pass out quick on rl1 from any to any keep state group 11

block in quick on rl1 all head 12
pass in quick on rl1 proto tcp from any to any port = 22 flags S keep state group 12

james_h

pass in quick on rl1 proto udp from any to any port = 4000 keep state

另外，你的 ipnat 规则呢？

lhm_3000

我也是试过这样的问题；有时会这样，有时又不会；请问如何解决？
加入这一句就行了吗：pass in quick on rl1 proto udp from any to any port = 4000 keep state

sh1970

我的ipnat.conf规则是:
map rl1 192.168.0.0/24 ->; 0/32 proxy port 21   ftp/tcp
map rl1 192.168.0.0/24 ->; 0/32 proxy port 1720 h323/tcp
map rl1 192.168.0.0/24 ->; 0/32 portmap tcp/udp auto
map rl1 192.168.0.0/24 ->; 0/32

同样的配置在有些地方又没问题,真搞不明白.

另外我想我的
pass out quick on rl1 from any to any keep state group 11
已包含了james_h朋友说的
pass in quick on rl1 proto udp from any to any port = 4000 keep state

sh1970

我的ipnat.conf规则是:
map rl1 192.168.0.0/24 ->; 0/32 proxy port 21   ftp/tcp
map rl1 192.168.0.0/24 ->; 0/32 proxy port 1720 h323/tcp
map rl1 192.168.0.0/24 ->; 0/32 portmap tcp/udp auto
map rl1 192.168.0.0/24 ->; 0/32

同样的配置在有些地方又没问题,真搞不明白.

另外我想我的
pass out quick on rl1 from any to any keep state group 11
已包含了james_h朋友说的
pass in quick on rl1 proto udp from any to any port = 4000 keep state

sh1970

我的ipnat.conf规则是:
map rl1 192.168.0.0/24 ->; 0/32 proxy port 21   ftp/tcp
map rl1 192.168.0.0/24 ->; 0/32 proxy port 1720 h323/tcp
map rl1 192.168.0.0/24 ->; 0/32 portmap tcp/udp auto
map rl1 192.168.0.0/24 ->; 0/32

同样的配置在有些地方又没问题,真搞不明白.

另外我想我的
pass out quick on rl1 from any to any keep state group 11
已包含了james_h朋友说的
pass in quick on rl1 proto udp from any to any port = 4000 keep state

llzqq

有的QQ走的是PORT：8000

snow123456

我过去也在网吧做过这FreeBSD代理也出现这种情况，解决的办法是换代理
用RedHat，估计这是FreeBSD版本的问题

sh1970

根据测试,基本确定与ipfilter的版本有关系,我做的有两个地方用ipfilter 3.4.31的都有这个问题,其中一个地方换为ipfilter 3.4.35后现象基本消失,配置都没变.另外一个地方用ipfilter 3.4.31的还没测试.
其他我做的很多用的ipfilter 3.4.33的也没这个问题,搜索了一下网上的文章,有反应ipfilter 3.4.31的状态表有些问题,不知道大家认为如何