вот содержимое sysctl.conf:
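# Do not answer probes to closed ports: no RST for TCP, no ICMP
# port-unreachable for UDP.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
# ICMP: rate-limit our responses, stay quiet when the limit kicks in,
# log and drop incoming redirects, and never emit redirects ourselves.
net.inet.icmp.icmplim=30
net.inet.icmp.icmplim_output=0
net.inet.icmp.log_redirect=1
net.inet.icmp.drop_redirect=1
net.inet.ip.redirect=0
# ARP cache entry lifetime (seconds).
net.link.ether.inet.max_age=1200
# Neither forward nor accept source-routed packets.
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# Do not answer address-mask requests or broadcast/multicast echo requests.
net.inet.icmp.maskrepl=0
net.inet.icmp.bmcastecho=0
# File descriptor limits. The per-process cap equals the system-wide one,
# so one process may use the whole table; a lower kern.maxfilesperproc is
# worth considering.
kern.maxfiles=8192
kern.maxfilesperproc=8192
# Cache directory data in the VM page cache.
vfs.vmiodirenable=1
# Socket buffers and listen backlog. The original file set somaxconn to
# 1024 and later to 8192 (the later value wins); log_redirect was also
# listed twice. Only one copy of each is kept.
kern.ipc.maxsockbuf=20977152
kern.ipc.somaxconn=8192
net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=1
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.local.stream.sendspace=65535
net.local.stream.recvspace=65535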
natd.conf:
# Loaded by both natd instances started from natd.sh (fxp1 and fxp2), so
# every redirect below is reachable through both upstream links.
same_ports yes
use_sockets yes
# NetBIOS/SMB forwarded to 172.16.0.2. ipfirewall.sh limits tcp/139 to a
# few source networks, but its udp 137/138 restrictions sit behind an
# "allow udp from any to any" rule on each upstream and never take effect.
redirect_port udp 172.16.0.2:137 137
redirect_port udp 172.16.0.2:138 138
redirect_port tcp 172.16.0.2:139 139
redirect_port tcp 172.16.0.2:55554 55554
# tcp/10001 is forwarded here but no rule in ipfirewall.sh opens it.
redirect_port tcp 172.16.0.2:10001 10001
# External port 22222 maps to port 22 on 172.16.0.2.
redirect_port tcp 172.16.0.2:22 22222
ipfirewall.sh:
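# ipfw ruleset for a FreeBSD gateway: one LAN interface (${maf}) and two
# upstream links (${gode}, ${psi}), each with its own natd instance
# (divert ports 8669/8668, see natd.sh). The ruleset is stateless — there
# is no keep-state — so replies come back through the "established" and
# "allow udp" rules on the upstream interfaces.
ms=172.16.0.2
fwcmd="ipfw -q"
# Interface roles are inferred from the divert rules below: the LAN is
# NAT'd out through both upstreams, ${godenet} is NAT'd out through ${psi}.
maf="fxp0"
gode="fxp1"
psi="fxp2"
mafnet="172.16.0.0/24"
godenet="192.168.26.0/24"
${fwcmd} -f flush
# Loopback first, then refuse 127/8 on every other interface. These must
# precede the interface-wide allows: at the end of the ruleset a spoofed
# 127/8 datagram arriving on ${psi} was already accepted by "allow udp".
${fwcmd} add allow all from any to any via lo0
${fwcmd} add drop all from any to 127.0.0.0/8
${fwcmd} add drop all from 127.0.0.0/8 to any
# Directed broadcasts towards two upstream-side subnets.
${fwcmd} add drop all from any to 192.168.20.255 via ${psi}
${fwcmd} add drop all from any to 213.247.237.255 via ${psi}
# NAT on ${gode}: translate LAN traffic going out and anything addressed
# to us coming in; replies are admitted statelessly.
${fwcmd} add divert 8669 ip from ${mafnet} to any out via ${gode}
${fwcmd} add divert 8669 ip from any to me in via ${gode}
${fwcmd} add allow tcp from any to any via ${gode} established
${fwcmd} add allow udp from any to any via ${gode}
# NAT on ${psi}: both the LAN and ${godenet} are translated here. One
# inbound divert suffices — the original listed "in via ${psi}" twice.
${fwcmd} add divert 8668 ip from ${mafnet} to any out via ${psi}
${fwcmd} add divert 8668 ip from any to me in via ${psi}
${fwcmd} add divert 8668 ip from ${godenet} to any out via ${psi}
${fwcmd} add allow tcp from any to any via ${psi} established
# This admits every inbound UDP datagram on ${psi}; together with the
# ${gode} rule above it makes the per-source udp 137/138 and the dns rules
# further down unreachable.
${fwcmd} add allow udp from any to any via ${psi}
# "out via" rather than "via": both source ranges are internal, so a packet
# carrying one of them *inbound* on ${psi} is spoofed and must not match.
# (Assumes ${mafnet} lives only behind ${maf} and ${godenet} only behind
# ${gode} — confirm.)
${fwcmd} add allow all from ${godenet} to any out via ${psi}
${fwcmd} add allow all from ${mafnet} to any out via ${psi}
# The LAN side and the gateway itself are unrestricted.
${fwcmd} add allow all from any to any via ${maf}
${fwcmd} add allow all from me to any
# Services on the gateway: ssh from any source, both upstreams included.
# The dns rule cannot match on any interface named here (all, or all udp,
# is already allowed above); it is kept for interfaces not listed.
${fwcmd} add allow tcp from any to me 22
${fwcmd} add allow udp from any to me 53
# Services forwarded to ${ms}. Keep in sync with natd.conf: it also
# redirects tcp/10001, which no rule here opens, and maps 22222 -> 22.
${fwcmd} add allow tcp from any to ${ms} 22,55554,22222
${fwcmd} add allow tcp from 192.168.0.0/16 to ${ms} 21,80,139
${fwcmd} add allow tcp from 213.247.237.0/24 to ${ms} 21,80,139
${fwcmd} add allow tcp from 212.5.79.128/25 to ${ms} 21,80,139
${fwcmd} add allow tcp from 213.247.198.192/26 to ${ms} 21,80,139
# NetBIOS datagram ports, meant to be limited to the networks above but
# unreachable on the upstreams (see the "allow udp" note).
${fwcmd} add allow udp from 192.168.0.0/16 to ${ms} 137,138
${fwcmd} add allow udp from 213.247.237.0/24 to ${ms} 137,138
${fwcmd} add allow udp from 212.5.79.128/25 to ${ms} 137,138
${fwcmd} add allow udp from 213.247.198.192/26 to ${ms} 137,138
# ICMP: drop incoming redirect (5), router advertisement (9), timestamp
# (13/14), information (15/16) and address-mask (17) messages, plus
# fragments; traffic via ${maf} was already allowed wholesale above.
${fwcmd} add drop icmp from any to any in icmptype 5,9,13,14,15,16,17
${fwcmd} add drop icmp from any to any frag
${fwcmd} add allow icmp from any to any
# Broadcasts on the ${godenet} side.
${fwcmd} add allow all from ${godenet} to 255.255.255.255
${fwcmd} add allow all from any to 192.168.26.255 via ${gode}
# Default deny, logged (capped by IPFIREWALL_VERBOSE_LIMIT in the kernel).
${fwcmd} add drop log all from any to any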
natd.sh:
# One natd per upstream interface, both reading the same natd.conf. The
# divert port of each instance must match the "divert" rules in
# ipfirewall.sh (8668 for fxp2, 8669 for fxp1). "-m" duplicates the
# "same_ports yes" line already present in natd.conf.
natd_cfg=/etc/natd.conf
for link in 8668:fxp2 8669:fxp1; do
    divert_port=${link%:*}
    iface=${link#*:}
    /sbin/natd -p "${divert_port}" -n "${iface}" -m -f "${natd_cfg}" -P "/var/run/natd_${iface}.pid"
done
#kernel configuration
#My options
# ipfw packet filter with logging for rules that say "log" (the final
# "drop log" rule in ipfirewall.sh); the limit caps log lines per rule.
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
# Needed for the "divert" rules that hand packets to natd.
options IPDIVERT
# Traffic shaping (ipfw pipe/queue); ipfirewall.sh defines no pipes.
options DUMMYNET
# Timer tick rate.
options HZ=1000
# Disable the console Ctrl-Alt-Del reboot.
options SC_DISABLE_REBOOT
# Drop TCP segments that carry both SYN and FIN.
options TCP_DROP_SYNFIN
вот.. может, кто тут обнаружит что-нибудь неладное.. ещё вопрос по поводу псевдоустройства bpf.. где-то читал, что надо ещё парочку устройств добавить.. может, кто подскажет?