Does nobody really know? ;-0
In FreeBSD 5.0, rules that specify the owner (sender) of the packet do not work:
rules of the form
ipfw add 900 deny ip from any to www.ru uid www
(instead of www I also tried specifying the numeric id)
do not work for user www, and sometimes, oddly enough, they fire for all users at once (the latter on another machine).
Here is an example:
# ipfw show
00100 878 101308 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 50619 8882772 allow ip from any to any
65535 1 84 deny ip from any to any
# ipfw add 900 deny ip from any to www.ru uid www
00900 deny ip from any to 194.87.0.50 uid www
# ipfw show
00100 932 107202 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00900 0 0 deny ip from any to 194.87.0.50 uid www
65000 50629 8884872 allow ip from any to any
65535 1 84 deny ip from any to any
# su www
$ whoami
www
$ wget www.ru
--00:57:05-- http://www.ru/
=> `index.html'
Resolving www.ru... done.
Connecting to www.ru[194.87.0.50]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /eng/index.html [following]
--00:57:05-- http://www.ru/eng/index.html
=> `index.html'
Connecting to www.ru[194.87.0.50]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,177 [text/html]
100%[========================>] 12,177 16.49K/s ETA 00:00
00:57:06 (16.49 KB/s) - `index.html' saved [12177/12177]
What could be the problem here?
Here is the kernel config:
===================================================================
machine i386
cpu I686_CPU
ident test1
maxusers 512
options NMBCLUSTERS=65536
device bpf # Berkeley packet filter
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options QUOTA
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options SOFTUPDATES #Enable FFS soft updates support
options UFS_ACL #Support for access control lists
options UFS_DIRHASH #Improve performance on big directories
options NFSCLIENT #Network Filesystem Client
options CD9660 #ISO 9660 Filesystem
options PROCFS #Process filesystem (requires PSEUDOFS)
options PSEUDOFS #Pseudo-filesystem framework
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 #Compatible with FreeBSD4
options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
options INVARIANT_SUPPORT #Extra sanity checks of internal structures, required by INVARIANTS
options SMP # Symmetric MultiProcessor Kernel
options APIC_IO # Symmetric (APIC) I/O
device isa
device pci
device ata
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID #Static device numbering
device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device scbus # SCSI bus (required)
device da # Direct Access (disks)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
device aac # Adaptec FSA RAID
device aacp # SCSI passthrough for aac (requires CAM)
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device vga # VGA video card driver
device sc
device npx
device pmtimer
device sio # 8250, 16[45]50 based serial ports
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device random # Entropy device
device loop # Network loopback
device ether # Ethernet support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
================================================================
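The post shows the counters only before the wget as www, so it cannot tell apart "the uid rule never matched" from "the rule matched but did not block". The script below is an added example, not from the original post: it takes two `ipfw show` captures (before and after the test traffic) and reports the per-rule packet delta, so a zero delta on rule 900 while the catch-all rule 65000 grows shows the traffic was never attributed to uid www. The two captures here are constructed sample data modelled on the post's output, not real measurements; on a live box you would replace them with `ipfw show > before` and `ipfw show > after`.

```shell
#!/bin/sh
# Added example (not from the original post): compare per-rule packet
# counters between two `ipfw show` captures. Assumes the stock ipfw
# output layout "RULENO PACKETS BYTES action ...". The captures below
# are constructed sample data, not output from the poster's machine.

BEFORE='00100 932 107202 allow ip from any to any via lo0
00900 0 0 deny ip from any to 194.87.0.50 uid www
65000 50629 8884872 allow ip from any to any
65535 1 84 deny ip from any to any'

AFTER='00100 940 108100 allow ip from any to any via lo0
00900 0 0 deny ip from any to 194.87.0.50 uid www
65000 50648 8897310 allow ip from any to any
65535 1 84 deny ip from any to any'

# pkts CAPTURE RULENO -> packet counter of that rule (0 if the rule is absent)
pkts() {
    printf '%s\n' "$1" | awk -v r="$2" '
        $1 == r { print $2; found = 1 }
        END { if (!found) print 0 }'
}

# delta RULENO -> packets the rule matched between the two captures
delta() {
    echo $(( $(pkts "$AFTER" "$1") - $(pkts "$BEFORE" "$1") ))
}

# verdict RULENO -> "matched" if the counter moved, else "never-matched"
verdict() {
    if [ "$(delta "$1")" -gt 0 ]; then
        echo matched
    else
        echo never-matched
    fi
}

# Report the uid rule and the catch-all rule side by side.
for rule in 900 65000; do
    printf 'rule %-5s delta=%-4s %s\n' "$rule" "$(delta "$rule")" "$(verdict "$rule")"
done
```

If rule 900 reads never-matched while 65000 shows the delta from the wget, the packets reached the firewall but were not attributed to uid www, which is a different problem from the deny action being ignored.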