URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID1
Thread number: 84369

Original message
"Configuring ipfw over PPPoE"

Posted by mss_sarvarbek, 05-Mar-09 11:59
Hello to all the experts. FreeBSD 7.0 + ipfw. Below is the firewall ruleset that was working fine. Then PPPoE appeared. I changed the interface facing the Internet to the PPPoE interface, and everything stops working. If I add

ipfw add allow all from any to any

everything is OK. Please help: how do I properly set up ipfw over PPPoE? Thanks in advance
Full ruleset :))

#!/bin/sh -
cmd="ipfw -q add"
#LocalAdapter
lad="sk0"
iplad="192.168.5.0"
#InternetAdapter
iad="rl0"
#iad="tun0"
good_tcpo="22,25,37,43,53,80,443,110,119"
agentports="2041,2042,5190,443"
skip="skipto 1500"
#ipiad="169.1.0.1"
mask="24"
#DNS i
dns1="x.x.x.x"
dns2="x.x.x.x"
ipfw -q -a flush
# All to Local
$cmd 0004 allow all from any to any via $lad
# All on Server
$cmd 0008 allow all from any to any via lo0
# NAT: access for everyone
$cmd 0018 divert natd ip from any to any in via $iad
$cmd 0019 check-state
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~ Out Rules to Internet from Server ~
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# DNS
$cmd 0020 $skip tcp from any to $dns1  53 out via $iad setup keep-state
$cmd 0022 $skip udp from any to $dns1  53 out via $iad keep-state
# DHCP, if your IP is obtained from the provider
#$cmd 0024 allow log udp from any to any 67 out via $iad keep-state
#$cmd 0026 allow udp from any to x.x.x.x 67 out via $iad keep-state
#WWW out
$cmd 0028 $skip tcp from any to any 80 out via $iad setup keep-state
#https
$cmd 0029 $skip tcp from any to any 443 out via $iad setup keep-state
#mail
$cmd 0030 $skip tcp from any to any 25 out via $iad setup keep-state
$cmd 0031 $skip tcp from any to any 110 out via $iad setup keep-state
#FreeBSD (make install) access
$cmd 0033 $skip tcp from me to any out via $iad keep-state uid root
#ping
$cmd 0034 $skip icmp from any to any out via $iad keep-state
#Time
$cmd 0035 $skip tcp from any to any 37 out via $iad setup keep-state
#NNTP news
$cmd 0036 $skip tcp from any to any 119 out via $iad setup keep-state
#SSH (port 22)
$cmd 0037 $skip tcp from any to any 22 out via $iad setup keep-state
#whois
$cmd 0038 $skip tcp from any to any 43 out via $iad setup keep-state
#mail agent
$cmd 0039 $skip tcp from any to any $agentports out via $iad setup keep-state
#Remote desktop
$cmd 0044 $skip tcp from any to any 3389 out via $iad setup keep-state
#Others to log and deny
$cmd 0050 deny log all from any to any out via $iad setup keep-state
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~In Rules from Internet to Server ~
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$cmd 0055 deny all from 192.168.0.0/16 to any in via $iad
$cmd 0056 deny all from 172.16.0.0/12 to any in via $iad
$cmd 0057 deny all from 10.0.0.0/8 to any in via $iad
$cmd 0058 deny all from 127.0.0.0/8 to any in via $iad #loopback
$cmd 0059 deny all from 0.0.0.0/8 to any in via $iad #"this network", never a valid source
$cmd 0060 deny all from 169.254.0.0/16 to any in via $iad #DHCP auto config
$cmd 0061 deny all from 192.0.2.0/24 to any in via $iad #reserved for docs
$cmd 0062 deny all from 204.152.64.0/23 to any in via $iad #Sun cluster interconnect
$cmd 0063 deny all from 224.0.0.0/3 to any in via $iad #Class D&E multicast

# ping in
$cmd 0064 allow icmp from any to any icmptypes 0,3,4,8,10,11,30 in via $iad
# Netbios
$cmd 0065 deny tcp from any to any 137 in via $iad
$cmd 0066 deny tcp from any to any 138 in via $iad
$cmd 0067 deny tcp from any to any 139 in via $iad
$cmd 0068 deny tcp from any to any 81 in via $iad
$cmd 0069 deny all from any to any frag in via $iad
#VPN
$cmd 0080 allow tcp from any to me 1723
$cmd 0081 allow tcp from me 1723 to any keep-state #established
$cmd 0082 allow gre from any to any
$cmd 0083 allow ip from any to any via ng0
$cmd 0084 allow ip from any to any via ng1
$cmd 0085 allow ip from any to any via ng2
# deny ACK not in dynamic tables
$cmd 0130 deny tcp from any to any established in via $iad
# allow to DHCP ack from Provider
# $cmd 0135 allow udp from any to x.x.x.x 67 in via $iad keep-state
# in www
$cmd 0138 allow tcp from any to me 80 in via $iad setup limit src-addr 2
# FTP,Telnet,ssh
$cmd 0140 allow tcp from any to me 22,21 in via $iad setup limit src-addr 2
# Squid
$cmd 0144 fwd 127.0.0.1,3128 tcp from $iplad/$mask to any 80 via $iad
#Test
#$cmd 0145 allow tcp from 2097 any to me in via $iad limit src-addr 3
# This is the temporary allow-all
$cmd 0148 allow all from any to any
# All in packets to LOG file
$cmd 0150 deny log all from any to any in via $iad

$cmd 0999 deny log all from any to any

#BlockAll
$cmd 1200 deny ip from any to any

#NAT out
$cmd 1500 divert natd ip from any to any out via $iad
$cmd 1510 allow ip from any to any

ifconfig output:

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:0e:2e:ac:81:g6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        ether 00:1a:92:90:ba:5c
        inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
        media: Ethernet autoselect (100baseTX <full-duplex,flag0,flag1>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        inet *.*.*.73 --> *.*.*.56 netmask 0xffffffff
        Opened by PID 410
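As an added example (not code from the original post, from the thread's reply or from FreeBSD itself), here is the same ruleset restated for a user-ppp PPPoE uplink, together with a small lint that checks every interface clause before anything is loaded. With user ppp the IP packets ipfw sees travel over tun0; rl0 carries only the PPPoE Ethernet frames, so it must not appear in any "via" clause. The interface names (tun0, sk0), the outbound port list and the rule numbers are assumptions taken from the thread; adjust them for your host.

```shell
#!/bin/sh
# Added example, not from the original post: generate the ipfw ruleset for a
# FreeBSD host whose uplink is user-ppp PPPoE, lint it, then load it.
# Assumed layout (from the thread): sk0 = LAN, tun0 = PPPoE interface that
# ipfw actually sees IP on, rl0 = carries PPPoE frames only and gets no rules.

EXT_IF=tun0     # assumed: interface created by ppp(8) for the PPPoE link
LAN_IF=sk0      # assumed: LAN interface
TCP_OUT="22,25,43,53,80,110,119,443,3389"   # outbound TCP ports allowed

# gen_rules EXT LAN: print one rule body per line, without the "ipfw add"
# prefix, so the set can be inspected or linted before it touches the kernel.
# Every interface reference goes through $ext / $lan; nothing is hard-coded.
gen_rules() {
    ext=$1; lan=$2
    cat <<EOF
0004 allow ip from any to any via $lan
0008 allow ip from any to any via lo0
0018 divert natd ip from any to any in via $ext
0019 check-state
0020 skipto 1500 tcp from any to any $TCP_OUT out via $ext setup keep-state
0022 skipto 1500 udp from any to any 53 out via $ext keep-state
0034 skipto 1500 icmp from any to any out via $ext keep-state
0050 deny log ip from any to any out via $ext
0055 deny ip from 192.168.0.0/16 to any in via $ext
0056 deny ip from 172.16.0.0/12 to any in via $ext
0057 deny ip from 10.0.0.0/8 to any in via $ext
0058 deny ip from 127.0.0.0/8 to any in via $ext
0064 allow icmp from any to any icmptypes 0,3,8,11 in via $ext
0130 deny tcp from any to any established in via $ext
0138 allow tcp from any to me 80 in via $ext setup limit src-addr 2
0140 allow tcp from any to me 22 in via $ext setup limit src-addr 2
0150 deny log ip from any to any in via $ext
0999 deny log ip from any to any
1500 divert natd ip from any to any out via $ext
1510 allow ip from any to any
EOF
}

# lint_rules IF...: read rule lines on stdin and fail if any via/recv/xmit
# clause names an interface outside the given list. This is the check that
# would have caught the two defects in the posted script: "via iad" (missing
# "$") and the NAT-out rule hard-coded to "via rl0"; both silently stop
# matching once the uplink moves to tun0, and traffic falls through to deny.
lint_rules() {
    allowed=" $* "
    rc=0
    while read -r line; do
        set -- $line
        while [ $# -gt 1 ]; do
            case "$1" in
                via|recv|xmit)
                    case "$allowed" in
                        *" $2 "*) ;;
                        *) echo "lint: unknown interface '$2' in: $line" >&2; rc=1 ;;
                    esac ;;
            esac
            shift
        done
    done
    return $rc
}

# apply_rules: lint first, then flush and load one "ipfw -q add" per line,
# as the original script does. Fails without touching the kernel on lint error.
apply_rules() {
    gen_rules "$EXT_IF" "$LAN_IF" | lint_rules "$EXT_IF" "$LAN_IF" lo0 || return 1
    ipfw -q -f flush
    gen_rules "$EXT_IF" "$LAN_IF" | while read -r r; do
        ipfw -q add $r
    done
}

# "sh ipfw-pppoe.sh" only lints; "sh ipfw-pppoe.sh apply" loads (run as root).
case "${1:-check}" in
    apply) apply_rules ;;
    *)     gen_rules "$EXT_IF" "$LAN_IF" | lint_rules "$EXT_IF" "$LAN_IF" lo0 ;;
esac
```

The divert rules only do anything if natd is attached to the PPPoE interface, not to rl0: in rc.conf that is natd_enable="YES", natd_interface="tun0" and natd_flags="-dynamic" so natd follows the address the provider hands out on each reconnect. The alternative on a user-ppp link is ppp's own translation (nat enable yes in ppp.conf), in which case rules 0018 and 1500 are dropped and the skipto target can simply be an allow.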



Messages in this discussion
"Configuring ipfw over PPPoE"
Posted by yalur, 05-Mar-09 16:17
Something is not right here:
iad="rl0"
#iad="tun0"
Maybe make iad1="rl0" and iad2="tun0" and enter both rules.


Why write this, if it's deny by default anyway?
$cmd 0055 deny all from 192.168.0.0/16 to any in via $iad
$cmd 0056 deny all from 172.16.0.0/12 to any in via $iad
$cmd 0057 deny all from 10.0.0.0/8 to any in via $iad
$cmd 0058 deny all from 127.0.0.0/8 to any in via $iad #loopback
$cmd 0059 deny all from 0.0.0.0/8 to any in via $iad #loopback
$cmd 0060 deny all from 169.254.0.0/16 to any in via $iad #DHCP auto config
$cmd 0061 deny all from 192.0.2.0/24 to any in via $iad #reserved for docs
$cmd 0062 deny all from 204.152.64.0/23 to any in via $iad #Sun cluster interconnect
$cmd 0063 deny all from 224.0.0.0/3 to any in via $iad #Class D&E multicast