>
>>Cool ... the answer is just superb. Big respect for the reply.
>>As for the interface for natd in rc.conf, everything is fine there.
>>For some reason I'm starting to lean toward the idea that divert doesn't understand
>>some peculiarities of layer 2 of the OSI model.
>>I have two VLANs on one NIC, i.e. two interfaces, on which
>>the whole routing kitchen runs.
>>Everything works, but these messages pour in occasionally, yet with enviable regularity. So
>>I wouldn't blame natd ...
>>But the ipfw rules need
>>a radical rework ...
>>Still, I think divert complains because the interfaces are
>>vlan.
>
>
>Damn! I'm being slow, you do have the rule
>$cmd add divert natd all from any to any
>It fires a bunch of times on the same
>packets!!!! After all, it sits before the allow and
>deny rules, so packets coming back from natd land on natd again and
>so on in a loop; instead of being killed or passed through they
>keep hitting natd over and over!
>In short, the whole snag is in this rule, remove it and everything will be fine!!!
>
No, I don't have such a rule there ....
Here is the full config with which I get the "no divert tag" messages ....
#!/bin/sh
#Quietly flush out rules
/sbin/ipfw -q -f flush
#Set command prefix (add "-q" option after development to turn on quiet mode)
cmd="/sbin/ipfw add"
# set outside and inside network interfaces
oif="vlan102"
iif="vlan101"
# set private IP of this server and the netmask of the whole LAN side
server="X.X.X.X"
inside="X.X.X.0/24"
######Localhost stuff
#
#allow the computer to talk to itself
$cmd allow ip from any to any via lo0
#don't let anything from the "outside" talk to localhost
$cmd deny ip from any to 127.0.0.0/8
#don't let the computer talk other computers as localhost
$cmd deny log ip from 127.0.0.0/8 to any
#
#######
####### DHCP stuff
#
# you need this to be able to renew your DHCP lease from your ISP
# $cmd 00083 allow udp from any 67 to any 68 in recv rl0
#
#####
######### deny-and-log bogus packets by tcpflags
#
# XMAS tree
$cmd deny log tcp from any to any in tcpflags fin,psh,urg recv $oif
# NULL scan (no flag set at all)
$cmd deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg recv $oif
# SYN flood (SYN,FIN)
$cmd deny log tcp from any to any in tcpflags syn,fin recv $oif
# Stealth FIN scan (FIN,RST)
$cmd deny log tcp from any to any in tcpflags fin,rst recv $oif
# forced packet routing
$cmd deny log ip from any to any in ipoptions ssrr,lsrr,rr,ts recv $oif
# allow packets the firewall itself originates on the outside interface
$cmd pass all from me to any via $oif
#
#######
######### Things served via this machine directly
######### Any services on this machine should be placed here,
######### before the NAT Divert rule
#
#HTTP
$cmd allow tcp from any to any 80 in via $oif
#SSH
$cmd allow tcp from any to any 22 in via $oif
#FTP
$cmd allow ip from any to any 20 in via $oif
$cmd allow ip from any to any 21 in via $oif
$cmd allow tcp from any 21 to any out via $oif
#OPENVPN
$cmd allow udp from any to any 1194 in via $oif
#POP3
$cmd allow tcp from any to any 110 in via $oif setup
#SMTP
$cmd allow tcp from any to any 25 in via $oif
#
####
#####NATD stuff
#natd Divert rule
# $cmd divert natd all from any to any via $oif
$cmd divert natd all from me to any via $oif
$cmd divert natd all from X.X.X.0/28 to any via $oif
$cmd divert natd all from X.X.X.1 to any via $oif
$cmd divert natd all from X.X.X.2 to any via $oif
$cmd divert natd all from X.X.X.3 to any via $oif
$cmd divert natd all from X.X.X.4 to any via $oif
$cmd divert natd all from any to any in via $oif
######
####All connections originating from my network are allowed
# check to see if a dynamic rule has been created that matches this packet
$cmd check-state
# let everything on your internal network talk to the firewall
$cmd allow all from any to any via $iif keep-state
# setup a dynamic rule for any connections being started from inside
$cmd allow all from any to any out via $oif keep-state
# deny ACK packets that did not match the dynamic rule table - do not log, too many false positives
$cmd deny tcp from any to any established in via $oif
#deny fragments as bogus packets
$cmd deny log all from any to any frag in via $oif
#####
####### ICMP stuff
#allow path-mtu in both directions
$cmd allow icmp from any to any icmptypes 3
#allow source quench in and out
$cmd allow icmp from any to any icmptypes 4
#allow outbound traceroutes
$cmd allow icmp from any to any icmptypes 11 in
#allow outbound pings and incoming ping responses
$cmd allow icmp from any to any icmptypes 8
$cmd allow icmp from any to any icmptypes 0 in
########
##### This section is for exposing services to the internet from the LAN
##### It is placed AFTER the NATD Divert rule, so these services can be
##### diverted in /etc/natd.conf
# Remote desktop - allow it, but log connection attempts (though DON'T log traffic for established sessions)
$cmd allow log tcp from any to any 3389,58585,58586 in setup
$cmd allow tcp from any to any 3389,58585,58586 in
$cmd allow ip from any to $inside 58586 in via $oif
####
######## SOME THINGS ARE TOO NOISY TO LIVE
######## In this section we deny things that would be denied anyway, but that we just
######## don't want logged. Be careful with this - in general, you probably want to
######## avoid putting anything in here that doesn't specify a known source address that
######## is relatively trustworthy. You also want to be very careful about who knows
######## what this section of your firewall configs looks like, because they can then
######## use the info to craft probes and attacks they know you won't see or log.
# Don't bother logging IGMP crap from the ISP
$cmd deny igmp from M.M.M.M to any in via $oif
# Don't bother logging DNS garbage inbound from the ISP's DNS boxes
$cmd deny udp from M.M.M.M 53 to any dst-port 50000-65535 in via $oif
#####
######## Stealth scans of closed ports
######## this section is to deny and log stealth scans that we can't really deny
######## on open ports because doing so would disrupt legitimate services.
# ACK scan (ACK,RST)
$cmd deny log tcp from any to any in tcpflags ack,rst recv $oif
#####
#############
############# DEFAULT RULE - deny it, and log it, 'cause we're secure like that.
#############
#
$cmd 65000 deny log all from any to any
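The reply above makes the point that a divert rule with no interface or direction qualifier (`divert natd all from any to any`) catches every packet that reaches it, including packets natd has just handed back, so the same packet is diverted again and again; a separate, easy-to-miss defect in rule scripts like this one is writing `$cmd add ...` when `$cmd` already contains `add`, which expands to `ipfw add add ...` and is rejected, silently leaving that rule out of the loaded set. The following is an added example, not code from the thread or from ipfw: a small POSIX sh + awk lint that reads a rule script and reports both problems. The sample rule text embedded in it is constructed for the example and is not the poster's configuration.

```shell
#!/bin/sh
# Added example (not from the original thread): lint an ipfw rule script that
# uses the "$cmd" prefix convention. Two findings are reported:
#   1. a "$cmd add ..." line, which expands to "ipfw add add ..." because
#      $cmd already contains "add" and is rejected by ipfw;
#   2. a "divert" rule carrying no via/recv/xmit/in/out qualifier, which
#      matches every packet on every interface, including packets that natd
#      has just re-injected, so the same packet is diverted repeatedly.
# Requires only POSIX sh and awk.

# lint_ipfw_rules: read the rule script on stdin, print one finding per line,
# exit 1 if anything was found and 0 otherwise.
lint_ipfw_rules() {
    awk '
        # skip blank lines and comment lines
        /^[ \t]*(#|$)/ { next }
        # only lines starting with the $cmd prefix are firewall rules
        $1 != "$cmd" { next }
        # "$cmd add ..." expands to "ipfw add add ...", which ipfw rejects
        $2 == "add" {
            printf "line %d: duplicated add (\"$cmd add ...\" expands to \"ipfw add add ...\")\n", NR
            bad = 1
            next
        }
        # a divert rule needs an interface or direction qualifier to stay scoped
        $2 == "divert" {
            scoped = 0
            for (i = 3; i <= NF; i++)
                if ($i ~ /^(via|recv|xmit|in|out)$/) scoped = 1
            if (!scoped) {
                printf "line %d: divert rule without interface/direction qualifier\n", NR
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# count_findings: number of findings for the rule text passed as $1
count_findings() {
    printf '%s\n' "$1" | lint_ipfw_rules | wc -l | tr -d ' '
}

# Constructed sample rule script (not the poster's config): line 5 has the
# duplicated "add", line 6 is an unscoped divert, line 7 is a scoped divert.
SAMPLE_RULES='#!/bin/sh
cmd="/sbin/ipfw add"
oif="vlan102"
$cmd allow ip from any to any via lo0
$cmd add pass all from me to any via $oif
$cmd divert natd all from any to any
$cmd divert natd all from any to any in via $oif
$cmd 65000 deny log all from any to any'

# Stand-alone run over the constructed sample: prints the two findings.
# For a real ruleset use:  lint_ipfw_rules < /path/to/ipfw.rules
if printf '%s\n' "$SAMPLE_RULES" | lint_ipfw_rules; then
    echo "no problems found"
fi
```

The qualifier check is deliberately strict: a divert rule that is scoped only by addresses (as the `from X.X.X.0/28` rules above are) but lacks `via`/`in`/`out` is still reported, because address matching alone does not stop a packet already translated by natd from matching the rule a second time when it comes back through the ruleset.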