I set up a FreeBSD 5.4 STABLE server; it works as a firewall and NAT for my home network and reaches the internet over ADSL (PPPoE) (mpd+netgraph). The problem is this: inside the network the internet works terribly, and the only thing that, surprisingly, works normally is ICQ. All other services "hang": for example, Google opens fine, but opennet opens only partially, you can see the header with the title and that's it. Mail too: a connection to the server is established and that's the end of it. But if I bring up a VPN (PPTP) connection from a machine inside the network to a remote host, everything is OK. From the server itself everything also works fine.
Here are the configs:
ipfw:
externalif="ng0"
internalif="rl0"
# The two variables below are used by the rules but were not defined in the
# posted script; the values are placeholders, replace them with your own.
localip="192.168.0.0/24"     # placeholder: LAN address range behind rl0
globalip="203.0.113.10"      # placeholder: the PPPoE address assigned to ng0
# Clear all rules:
/sbin/ipfw -f flush
# Prevent spoofing attacks:
/sbin/ipfw add 10 allow all from any to any via lo0
/sbin/ipfw add 10 deny all from any to 127.0.0.0/8
/sbin/ipfw add 10 deny ip from 127.0.0.0/8 to any
# Prevent fragmentation attacks:
/sbin/ipfw add 20 deny log ip from any to any via ${externalif} frag
# Allow local traffic
/sbin/ipfw add 40 allow ip from ${localip} to ${localip} via ${internalif}
# Allow incoming mail from anywhere:
/sbin/ipfw add 50 allow tcp from any to ${globalip} 25 setup keep-state
# Allow incoming SSH connections (access from most IPs denied in file /etc/hosts.allow)
/sbin/ipfw add 60 allow tcp from any to ${globalip} 22 setup keep-state
# Deny outgoing tcp connections to quake4 registration:
#q4master.idsoftware.com has address 192.246.40.28
/sbin/ipfw add 70 deny tcp from any to 192.246.40.28
# Allow outgoing tcp connections from local host:
/sbin/ipfw add 70 allow tcp from ${globalip} to any keep-state setup
# Allow outgoing UDP packets (ntp, DNS) from local host:
/sbin/ipfw add 80 allow udp from ${globalip} to any keep-state
# Allow outgoing pings from local host
/sbin/ipfw add 90 allow icmp from ${globalip} to any keep-state
#
# Allow outgoing connections via NAT
#
# first, we should accept packets from internal interface:
/sbin/ipfw add 100 allow ip from ${localip} to any in recv ${internalif}
# second, we should divert to natd all packets passing via external interface:
/sbin/ipfw add 110 divert natd all from any to any via ${externalif}
#/sbin/ipfw add 110 divert 8668 ip from any to any via ${externalif}
# third, we should allow the same packets which go to natd
# (natd will deny and log all unauthorized IP activity):
/sbin/ipfw add 120 allow ip from any to any via ${externalif}
# and fourth, we should allow packets, returned back via natd, to enter
# the local network:
/sbin/ipfw add 130 allow ip from any to ${localip} out xmit ${internalif}
#
# That's all!
# Outgoing traceroute from the firewall router should go via NAT,
# i.e. with the source IP of internal interface (traceroute -s)
==========================================================================
natd.conf:
log no
deny_incoming yes
use_sockets yes
same_ports yes
interface ng0
log_denied yes
log_facility security
==========================================================================
mpd.conf
new -i ng0 PPPoE PPPoE
set iface disable on-demand
set iface idle 0
set iface session 0
set iface route default
set bundle disable multilink
set bundle authname "mylogin"
set bundle password "mypassword"
set link yes acfcomp protocomp
set link no pap chap
set link accept chap
set link mtu 1492
set link keep-alive 10 75
set ipcp ranges 0/0 10.0.0.138/0
set iface up-script /usr/local/pppoe-up.sh
open
==========================================================================
mpd.links
PPPoE:
set link type pppoe
set pppoe iface ed0
set pppoe service ""
set pppoe disable incoming
set pppoe enable originate
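The following is an added diagnostic script, not part of the original post and not from the mpd or ipfw projects. It reads an ipfw rule script in the same "/sbin/ipfw add N ..." form as the one above together with an mpd.conf, and reports the two settings from these configs that most often produce exactly the symptom described (pages that load half-way, mail that hangs right after the connection is established) on a PPPoE link with MTU 1492: a rule that drops all fragments on the external interface, and a sub-1500 link MTU with no TCP MSS clamping. It assumes an mpd version that understands "set iface enable tcpmssfix" (mpd 3.18 and later; this is an assumption about the version in use). The sample input is constructed from the relevant lines of the posted configs.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Audit an ipfw rule script and an mpd.conf for settings that commonly break
# TCP through a PPPoE link whose MTU is below 1500.
# Assumptions: rule lines use the post's "/sbin/ipfw add N ..." form, and the
# mpd in use supports "set iface enable tcpmssfix" (mpd 3.18+).

# Prints one line per finding; the last line printed is the number of findings.
audit_pppoe_pitfalls() {
    rulefile="$1"
    mpdconf="$2"
    findings=0

    # Finding 1: a deny rule that matches fragments. If the ISP side fragments
    # 1500-byte packets to fit the 1492-byte link, the second fragment of every
    # large response is dropped here, which truncates pages exactly as described.
    frag_rules=$(grep -nE '^/sbin/ipfw add [0-9]+ deny .* frag([[:space:]]|$)' "$rulefile" || true)
    if [ -n "$frag_rules" ]; then
        echo "FRAG-DENY: fragments dropped by rule(s):"
        echo "$frag_rules" | sed 's/^/    /'
        findings=$((findings + 1))
    fi

    # Finding 2: link MTU below 1500 without MSS clamping. LAN hosts sit on
    # 1500-byte Ethernet and advertise MSS 1460; a full-size segment then does
    # not fit in one PPPoE frame and every connection depends on path MTU
    # discovery working end to end. Safe MSS = MTU - 40 (IP + TCP headers).
    mtu=$(sed -nE 's/^[[:space:]]*set link mtu ([0-9]+).*/\1/p' "$mpdconf" | head -n 1)
    if [ -n "$mtu" ] && [ "$mtu" -lt 1500 ]; then
        if ! grep -Eq '^[[:space:]]*set iface enable .*tcpmssfix' "$mpdconf"; then
            echo "NO-MSS-CLAMP: link mtu $mtu but tcpmssfix is not enabled; safe MSS is $((mtu - 40))"
            findings=$((findings + 1))
        fi
    fi

    echo "$findings"
}

# Constructed sample input: the relevant lines from the posted configs.
# The temporary directory is left in place so the files can be inspected.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ipfw.sh" <<'EOF'
/sbin/ipfw -f flush
/sbin/ipfw add 10 allow all from any to any via lo0
/sbin/ipfw add 20 deny log ip from any to any via ${externalif} frag
/sbin/ipfw add 120 allow ip from any to any via ${externalif}
EOF
cat > "$SAMPLE_DIR/mpd.conf" <<'EOF'
new -i ng0 PPPoE PPPoE
set iface route default
set link mtu 1492
open
EOF
# The same mpd.conf with MSS clamping enabled, for comparison.
cat > "$SAMPLE_DIR/mpd-fixed.conf" <<'EOF'
new -i ng0 PPPoE PPPoE
set iface route default
set iface enable tcpmssfix
set link mtu 1492
open
EOF

audit_pppoe_pitfalls "$SAMPLE_DIR/ipfw.sh" "$SAMPLE_DIR/mpd.conf"
```

Run against the posted configs the script reports both findings; against the variant with tcpmssfix enabled only the fragment rule remains. The checks are text heuristics on the config files, not a simulation of ipfw's rule processing, so treat a finding as a pointer to a rule worth reading, not as proof of the fault.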