
Исходное сообщение
"FreeBSD 8.1x64 IPFW Nat"

Отправлено Sindikat88 , 10-Май-13 13:39 
Камрады, приветствую.
После добавления в IPFW правил типа

    $cmd 030 nat 123 ip from any to me in via $LanOut
    $cmd 800 nat 123 ip from $NetIn to any out via $LanOut

падает внешний интерфейс. Это произошло после перезагрузки сервака. До этого обновил Apache, PHP, PHP-Extension.

rc.conf

    # -- sysinstall generated deltas -- # Wed Dec  1 11:49:28 2010
    # Created: Wed Dec  1 11:49:28 2010
    # Enable network daemons for user convenience.
    # Please make all changes to this file, not to /etc/defaults/rc.conf.
    # This file now contains just the overrides from /etc/defaults/rc.conf.

    # -- sysinstall generated deltas -- # Wed Dec  1 11:07:55 2010
    ifconfig_bge0="inet 192.168.0.10  netmask 255.255.254.0"
    hostname="out"

    # -- sysinstall generated deltas -- # Thu Feb  3 10:00:11 2011
    ifconfig_bge1="inet 192.168.100.31  netmask 255.255.255.0"
    defaultrouter="192.168.100.1"
    hostname="out"

    gateway_enable="YES"
    keymap="ru.koi8-r"
    sshd_enable="YES"
    samba_enable="YES"
    apache22_enable="YES"
    squid_enable="YES"
    squid_chdir="/usr/squid/squid/logs"
    mysql_enable="YES"
    mysql_dbdir="/usr/squid/db/mysql"
    sams_enable="YES"
    firewall_enable="YES"
    firewall_quiet="YES"
    firewall_type="/etc/rc.firewall"
    firewall_flags="-p /bin/sh"
    firewall_logging="YES"
    dummynet_enable="YES"
    webmin_enable="YES"
    clamav_freshclam_enable="YES"
    havp_enable="YES"
    ntpdate_enable="YES"
    ntpdate_flags=192.168.0.11
    named_enable="YES"
    named_uid="bind"
    named_chrootdir=""
    named_flags="-s"
    postfix_enable="YES"
    openvpn_enable="YES" # YES or NO
    openvpn_if="tun" # driver(s) to load, set to "tun", "tap" or "tun tap"
    openvpn_configfile="/usr/local/etc/openvpn/server.conf" # --config file
    openvpn_dir="/usr/local/etc/openvpn" # --cd directory
    clamav_clamd_enable="YES"
    clamsmtpd_enable=YES
    spamd_enable="YES"
    sendmail_enable="NO"
    sendmail_outbond_enable="NO"
    sendmail_submit_enable="NO"
    sendmail_msp_queue_enable="NO"
    siproxd_enable="YES"
    arpwatch_enable="YES"
    arpwatch_interfaces="bge0"
    pureftpd_enable=YES

rc.firewall

    #!/bin/sh
    ipfw -f flush
    ipfw -f pipe flush
    ipfw -f queue flush
    #NAT
    #ipfw nat 123 config if bge1 log same_ports reset redirect_port tcp 192.168.1.94:10101 10101

    cmd="/sbin/ipfw add"

    LanOut="bge1" # Внешняя сетевуха
    NetOut="192.168.100.0/24" # внешняя сеть
    IpOut="192.168.100.31" # Внешний IP

    LanIn="bge0" # внутренняя сетевуха
    NetIn="192.168.0.0/23" # Внутренняя сеть
    ip_lan="192.168" # Шаблон внутреннего адреса
    openvpn_if="tun0"       #OpenVPN port
    IpVPN="10.10.200.0"
    skip="skipto 851"
    skip2="skipto 855"
    skip3="skipto 999"
    proxymac="20:cf:30:0e:a0:82"

    #local
    $cmd 005 allow all from any to any via $LanIn
    #VPN
    $cmd 006 allow all from any to any via tun0
    # loopback
    $cmd 010 allow all from any to any via lo0

    #Incoming traffic to NAT
    #$cmd 030 nat 123 ip from any to any in via $LanOut

    #Allow DYN rules
    $cmd 040 check-state

    # DNS resolve
    $cmd 052 $skip ip from any 53 to any via ${LanOut}
    $cmd 053 $skip ip from any to any 53 via ${LanOut}

    #WWW
    $cmd 054 $skip ip from any to me 4325 via $LanOut setup keep-state
    $cmd 055 $skip ip from any to me 4326 via $LanOut setup keep-state
    $cmd 056 $skip ip from any to me 2525 via $LanOut setup keep-state
    # Outgoing server to Internet
    $cmd 060 $skip ip from me to any out via $LanOut setup keep-state
    # Postal service
    $cmd 071 $skip tcp from any to me 25 via $LanOut setup keep-state
    $cmd 072 $skip tcp from any to 80.93.62.30 25 via $LanOut setup keep-state
    $cmd 073 $skip tcp from any to 80.93.62.23 110 via $LanOut setup keep-state

    # Taxcom
    $cmd 074 $skip tcp from any to host33.taxcom.ru 25,110,443 via $LanOut setup keep-state
    $cmd 075 $skip tcp from any to host28.taxcom.ru 25,110,443 via $LanOut setup keep-state
    $cmd 076 $skip ip from any to 213.24.62.98 491 via $LanOut setup keep-state

    #FTP
    $cmd 077 $skip ip from any to me 20-21,30000-50000 via $LanOut setup keep-state

    #banking service
    $cmd 090 $skip tcp from any to any 3290 out via $LanOut setup keep-state
    $cmd 094 $skip ip from any to any 1024,2046,55777 out via $LanOut keep-state
    $cmd 092 $skip tcp from any to any 2525 out via $LanOut setup keep-state
    $cmd 093 $skip tcp from any to 195.250.56.144 via $LanOut setup keep-state
    $cmd 095 $skip ip from any to 194.186.207.182 via $LanOut setup keep-state

    #Vipnet
    $cmd 164 $skip ip from any to any 55781,55777 via $LanOut

    # ICMP
    $cmd 100 $skip icmp from any to any out via $LanOut keep-state

    #OpenVPN
    $cmd 101 $skip tcp from any to ${IpOut} 2000 in via ${LanOut}
    $cmd 102 $skip tcp from ${IpOut} 2000 to any out via ${LanOut}
    $cmd 103 $skip all from any to any in via ${openvpn_if}
    $cmd 104 $skip all from any to any out via ${openvpn_if}

    #RDP
    $cmd 110 $skip ip from 192.168.1.135 to any 3389 out via $LanOut setup keep-state
    $cmd 111 $skip ip from 192.168.1.187 to any 3389 out via $LanOut setup keep-state
    $cmd 112 $skip ip from 192.168.1.25 to any 3389 out via $LanOut setup keep-state
    $cmd 113 $skip ip from 192.168.1.113 to any 3389 out via $LanOut setup keep-state
    $cmd 114 $skip ip from 192.168.1.39 to any 3389 out via $LanOut setup keep-state

    # Time
    $cmd 120 $skip udp from any to any 123 out via $LanOut keep-state
    # NAT for 192.168.0.11
    $cmd 130 $skip ip from 192.168.0.11 to any out via $LanOut setup keep-state
    $cmd 131 $skip ip from 192.168.1.25 to any out via $LanOut setup keep-state
    $cmd 132 $skip ip from 192.168.0.50 to any out via $LanOut setup keep-state

    #WSUS
    $cmd 133 $skip ip from 192.168.0.3 to any 80,443 out via $LanOut setup keep-state

    # Direktor
    $cmd 134 $skip ip from 192.168.1.236 to any out via $LanOut setup keep-state
    #Iphone
    $cmd 135 $skip ip from 192.168.1.119 to any out via $LanOut setup keep-state
    $cmd 137 $skip ip from 192.168.0.132 to any out via $LanOut setup keep-state
    #Puzikov
    $cmd 136 $skip ip from 192.168.1.57 to any out via $LanOut setup keep-state
    #WoT
    $cmd 138 $skip ip from any to any 20013-20018,32801-32825 out via $LanOut keep-state
    #Petukhova
    $cmd 139 $skip ip from 192.168.0.43 to any out via $LanOut setup keep-state


    # ATS
    $cmd 140 $skip udp from 192.168.0.95 to any 5060,7070-7089,1024-65535 out via $LanOut keep-state
    $cmd 141 $skip2 tcp from 192.168.0.95 155 to any via $LanOut

    #Videonablyudenie
    $cmd 151 $skip ip from any to 192.168.1.94 10101 in via $LanOut

    #Videokamera
    $cmd 152 $skip ip from any 5000-5010 to any via ${LanOut}
    $cmd 153 $skip ip from any to any 5000-5010 via ${LanOut}

    #Televizor
    $cmd 154 $skip ip from 192.168.0.45 to any out via $LanOut setup keep-state

    # Deny all inbound traffic from non-routable reserved address spaces
    $cmd 200 deny all from 192.168.0.0/16 to any in via $LanOut
    $cmd 201 deny all from 172.16.0.0/12 to any in via $LanOut
    $cmd 202 deny all from 10.0.0.0/8 to any in via $LanOut
    $cmd 203 deny all from 127.0.0.0/8 to any in via $LanOut
    $cmd 204 deny all from 0.0.0.0/8 to any in via $LanOut
    $cmd 205 deny all from 169.254.0.0/16 to any in via $LanOut
    $cmd 206 deny all from 192.0.2.0/24 to any in via $LanOut
    $cmd 207 deny all from 204.152.64.0/23 to any in via $LanOut
    $cmd 208 deny all from 224.0.0.0/3 to any in via $LanOut

    # Deny ident
    $cmd 209 deny tcp from any to any 113 in via $LanOut

    #Netbios
    $cmd 210 deny tcp from any to any 137 via $LanOut
    $cmd 211 deny tcp from any to any 138 via $LanOut
    $cmd 212 deny tcp from any to any 139 via $LanOut
    $cmd 213 deny tcp from any to any 81 via $LanOut

    # Deny fragments packets
    $cmd 214 deny all from any to any frag in via $LanOut

    # Deny ACK packets that did not match the dynamic rule table
    $cmd 215 deny tcp from any to any established in via $LanOut

    # Allow in ssh from Internet
    $cmd 300 allow tcp from xxx.xxx.xxx.xxx to me 22 in via $LanOut setup limit src-addr 1

    # Reject incomming traffic from Inet
    #$cmd 400 deny log all from any to any in via $LanOut

    # Reject outgoing traffic to Inet
    #$cmd 410 deny log all from any to any out via $LanOut

    # NAT from local to Inet
    #$cmd 851 nat 123 ip from $NetIn to any out via $LanOut

    $cmd 806 allow ip from any to any

    $cmd 853 allow ip from any to any
    $cmd 854 $skip3 ip from any to any

    #$cmd 855 nat 123 ip from $NetIn to any via $LanOut
    $cmd 856 allow ip from any to any

    #$cmd 999 deny log all from any to any


Как только я включаю любое правило, содержащее "nat", внешняя сетевая (bge1) сразу же падает.

В какую примерно сторону копать?


"FreeBSD 8.1x64 IPFW Nat"
Отправлено DeadLoco , 12-Май-13 22:56 
> блаблабла
> rc.firewall
>     #!/bin/sh
>     ipfw -f flush
>     ipfw -f pipe flush
>     ipfw -f queue flush
>     #NAT
>     #ipfw nat 123 config if bge1 log same_ports reset redirect_port tcp 192.168.1.94:10101 10101
> блаблабла

Есть мнение, что выбрасывание пакетов в несозданный инстанс кернел-ната, да ещё и на восьмёрке, — дело весьма чреватое...