Господа усиленно гуглиг, но ничего невыгуглил!Стоит FreeBSD7.0 и pf в качестве файрвола
Конфигурация лаборатории такова:
локальная машина с winxp sp3 -> неуправляемый свитч Compex -> машина с FBSD c 2мя интерфейсами один из них с фиксированным внешним белым IP ->выход в инет.собрал сквид из сырцов с офф сайта (пробовал собирать 2.7stable5 и 2.6stable22- результат одинаковый)
./configure
--enable-auth="ntlm,basic"
--enable-basic-auth-helpers="PAM MSNT SMB"
--enable-external-acl-helpers="wbinfo_group"
--enable-delay-pools
--enable-pf-transparent
--enable-storeio=diskd,ufs
--disable-ident-lookups
--enable-snmp
--enable-removal-policies
--enable-ntlm-auth-helpers="SMB"сквид настроен без авторизации пропускать просто локальную сеть, слушает соединения на порту 3128 на внутреннем интерфейсе. в логе самого сквида ошибок никаких нету.
в логах /var/logs/messages стали валить постоянно следующие ошибки.19-11-2008 13:04:40 Nov 19 13:05:19 kernel: TCP: [192.168.0.1]:4985 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 27 bytes of data after socket was closed, sending RST and removing tcpcb
19-11-2008 13:04:10 Nov 19 13:04:49 kernel: TCP: [192.168.0.1]:4984 to [192.168.0.2]:3128 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008 13:04:10 Nov 19 13:04:49 kernel: TCP: [192.168.0.1]:4984 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 27 bytes of data after socket was closed, sending RST and removing tcpcb
19-11-2008 13:02:20 Nov 19 13:02:59 kernel: TCP: [192.168.0.1]:4968 to [192.168.0.2]:3128 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008 13:02:20 Nov 19 13:02:59 kernel: TCP: [192.168.0.1]:4968 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008 13:02:20 Nov 19 13:02:59 kernel: TCP: [192.168.0.1]:4969 to [192.168.0.2]:3128 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008 13:02:20 Nov 19 13:02:59 kernel: TCP: [192.168.0.1]:4969 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008 13:02:09 Nov 19 13:02:48 kernel: TCP: [192.168.0.1]:4966 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008 13:02:09 Nov 19 13:02:48 kernel: TCP: [192.168.0.1]:4967 to [192.168.0.2]:3128 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008 13:02:09 Nov 19 13:02:48 kernel: TCP: [192.168.0.1]:4967 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)и так постоянно, это идет соединение с локальной клинтской машины на сквид, при этом каких либо ненормальностей в самом соединении не наблюдается, просто расстраивают заваленные логи... Что делать?!
log_in_vain=0
или установка соответствующих sysctl переменных в 0 результата не дает.опции ядра:
machine i386
#cpu I486_CPU
#cpu I586_CPU
cpu I686_CPU
ident my_kern
maxusers 0#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
#options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
#options MD_ROOT # MD is a potential root device
#options NFSCLIENT # Network Filesystem Client
#options NFSSERVER # Network Filesystem Server
#options NFS_ROOT # NFS usable as /, requires NFSCLIENT
#options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
options STOP_NMI # Stop CPUS using NMI instead of IPI
options AUDIT # Security event auditing
options VGA_WIDTH90
options VESA
options SC_DFLT_FONT
makeoptions SC_DFLT_FONT=cp866
options SC_HISTORY_SIZE=1000
options SC_PIXEL_MODE
options SC_NORM_ATTR="(FG_GREEN|BG_BLACK)"
options SC_NORM_REV_ATTR="(FG_YELLOW|BG_GREEN)"
options SC_KERNEL_CONS_ATTR="(FG_RED|BG_BLACK)"
options SC_KERNEL_CONS_REV_ATTR="(FG_BLACK|BG_RED)"
options ALTQ
options ALTQ_CBQ # Class Bases Queueing
options ALTQ_RED # Random Early Detection
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_CDNR # Traffic conditioner
options ALTQ_PRIQ # Priority Queueing
options SC_DISABLE_REBOOT # Disable Ctrl+Alt+Del
options RANDOM_IP_ID # Enables random IP ID generation
^^^^^^^^^^^^
вот это не может быть причиной?!вот мой pf.conf
ext_if="fxp0" # macro for external interface - use tun0 for PPPoE
int_if="vr0" # replace with actual internal interface name i.e., dc1
table <LANclients> { 192.168.0.0/24 }
clients_tcp_ports =" {ftp, ssh, domain, pop3, nntp, \
https, http, 8000, 8080, 8081, 8082, pop3s,\
imap, imaps, 5190, ntp, 3128, 411, 3389 }"
clients_udp_ports = "{ domain,ntp }"
icmp_types = "{echoreq, unreach}"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on { lo0, lo1 }scrub in all fragment reassemble
#### NAT and RDR SECTION START
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr-anchor miniupnpd
nat on $ext_if from <LANclients> -> ($ext_if)
# Redirect ftp traffic FROM LAN to proxy
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021# Redirect ftp traffic FROM WAN TO LAN to proxy
rdr pass on $ext_if proto tcp to port ftp -> 127.0.0.1 port 8021
#### FILTERING SECTION START
block log all
# pass all in\out traffic on internal IF
pass in quick on $int_if all
pass out quick on $int_if allanchor "pftpx/*"
block in quick from urpf-failed
antispoof for $ext_if
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians# block certain inet attacks specific to MY INTERNET SEGMENT
block drop in quick on $ext_if proto {tcp,udp} to port {137,138,139,445,67,1900}
block drop in quick on $ext_if proto {tcp,udp} from port {8086}
#logs all NMAP scans attempts
block in log quick from any os NMAP
block in quick on $ext_if inet proto tcp flags FUP/FUP
block in quick on $ext_if inet proto tcp flags SF/SFRA
block in quick on $ext_if inet proto tcp flags /SFRA
pass out on $ext_if proto udp from any to any port 33433 >< 33626
pass inet proto icmp icmp-type $icmp_types#allow incoming SSH to server
pass in on $ext_if proto tcp to $ext_if port 22
#passing traffic fron LAN clients to specified WAN ports.
pass out on $ext_if proto tcp to port $clients_tcp_ports
pass out on $ext_if proto udp to port $clients_udp_ports
pass out on $ext_if proto tcp from ($ext_if) port 3128 to any
pass in on $ext_if proto tcp from port {ftp, ftp-data}вот rc.conf
gateway_enable="YES"
hostname="nessy.home.local"
defaultrouter="195.64.xx.xx"
ifconfig_fxp0="inet 195.64.xx.xx netmask 255.255.255.192"
ifconfig_vr0="inet 192.168.0.2 netmask 255.255.255.0"
sshd_enable="YES"
dhcpd_enable="YES"
dhcpd_ifaces="vr0"
named_enable="yes"
pf_enable="YES" # Включить PF (загрузить модуль если необходимо)
pf_rules="/etc/pf.conf" # определение правил для pf
pf_flags="" # дополнительные флаги для запуска pfctl
pflog_enable="YES" # запустить pflogd(8)
pflog_logfile="/var/log/pf.log" # где pflogd должен сохранять протокол
pflog_flags="" # дополнительные флаги для запуска pflogd
pftpx_enable="YES"
pftpx_flags="-D 0 -f 192.168.0.1 -p 195.64.xx.xx"
keymap="ru.koi8-r"
mousechar_start="3"
scrnmap="NO"
allscreens_flags="-g 100x37 VESA_800x600"
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
sendmail_enable="NONE"
portmap_enable="NO"
inetd_enable="NO"
clear_tmp_enable="YES"
syslogd_flags=""
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
log_in_vain="YES"
miniupnpd_enable="YES"
miniupnpd_config="/usr/local/etc/miniupnpd.conf"
miniupnpd_flags=""
icmp_bmcastecho="NO"
tcp_keepalive="YES"
tcp_drop_synfin="YES"
tcp_extensions="YES" # RFC 1323 - TCP Extensions for High Performance
fsck_y_enable="YES"
check_quotas="NO"
virecover_enable="NO"
update_motd="NO"
вот sysctl.conf
security.bsd.see_other_uids=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
kern.ipc.somaxconn=16384
kern.ipc.nmbclusters=32768
kern.ipc.maxsockets=32768
kern.ipc.maxsockbuf=16777216
net.inet.tcp.rfc1323=1
net.inet.tcp.sendspace=1048576
net.inet.tcp.recvspace=1048576
net.inet.icmp.bmcastecho=0
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.ip.check_interface=1 # protection against spoof ip packets
net.inet.icmp.maskrepl=0
net.inet.tcp.rfc3042=1 # Enhancing TCP's Loss Recovery Using Limited Transmit
net.inet.tcp.rfc3390=1 # Increasing TCP's Initial Window
net.inet.tcp.sack.enable=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.keepidle=300000
net.inet.tcp.keepintvl=150
net.inet.udp.recvspace=65535
net.inet.udp.blackhole=1
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
обновился до ветки 8-current собрал мир пересобрал ядро без
options RANDOM_IP_ID # Enables random IP ID generationвсё равно.. прут те-же ошибки... идеи кончились...