The OpenNET Project / Index page

"BDS firewall (lavr, please take a look at this)"
OpenNET Forums: Virtual Conference (Public)
Original message

Posted by brj on 11-Oct-02, 11:56 (MSK)
There is BSD 4.5 + ipfw1. The problem with this firewall: the subnet of REAL IP addresses is counted twice. The real (client) IPs reach the machines later through a PPTP connection.

Traffic: ipacctd accounts twice as much traffic as was actually downloaded. This doubled traffic, if you break it down, equals = real traffic + real technical data + real traffic once more.

I suspect rule 2300 (the diversion of incoming traffic through my transport IP) is what counts it the second time.

But how do I exclude the real IP subnet from being routed through this divert? I have no idea. I will answer any additional questions. Please help me solve this specific problem.

The firewall itself is as follows:

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Set these to your outside interface network and netmask and ip.
oif="fxp0"
onet="80.255.xxx.xxx/30"
omask="255.255.255.240"
oip="80.255.xxx.xxx"

# Set our real ip network (64 addresses)
rif="fxp0"
rnet="80.255.xxx.xxx/26"
rmask="255.255.255.192"
rip="80.255.xxx.xxx"

# Set these to your inside interface network and netmask and ip.
iif="fxp1"
inet="10.0.0.0/8"
imask="255.0.0.0"
iip="10.10.10.1"

# Set the fucking granch network
gif="sbni0"
gip="192.168.4.1"
gnet="192.168.4.0/24"
gmask="255.255.255.0"

# Set the MS VPN network
vip="172.16.0.1"
vnet="172.16.0.0/12"
vmask="255.240.0.0"

# Stop fucking SAMBA and broadcast
${fwcmd} add 350 deny udp from any to any 137,138,139
${fwcmd} add 350 deny udp from any 137,138,139 to any
${fwcmd} add 350 deny all from any to 255.255.255.255

# Stop spoofing
${fwcmd} add 400 deny log all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add 500 deny log all from ${onet}:${omask} to any in via ${iif}
${fwcmd} add 550 deny log all from ${onet}:${omask} to any in via ${gif}

# Stop OUT real IP net from fxp1 and granch
${fwcmd} add 551 deny log all from ${rnet}:${rmask} to any in via ${iif}
${fwcmd} add 552 deny log all from ${rnet}:${rmask} to any in via ${gif}

# Stop our A,C class networks from accessing the VPN
# (the original had {$imask}/{$gmask}, which the shell does not expand as a variable)
${fwcmd} add 560 deny all from ${inet}:${imask} to ${vnet}:${vmask}
${fwcmd} add 570 deny all from ${gnet}:${gmask} to ${vnet}:${vmask}

# Stop RFC1918 nets on the outside interface
# (includes RESERVED-1, DHCP auto-configuration, NET-TEST,
# MULTICAST (class D), and class E)
${fwcmd} add 600 deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add 700 deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add 800 deny all from any to 192.168.0.0/16 via ${oif}
${fwcmd} add 900 deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add 1000 deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add 1100 deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add 1200 deny all from any to 240.0.0.0/4 via ${oif}

# Allow real IP and deny the net outbound if it is not enabled
${fwcmd} add 1300 divert 11000 ip from ${rnet}:${rmask} to any
${fwcmd} add 1400 divert 11000 ip from any to ${rnet}:${rmask}
${fwcmd} add 1500 pass all from any to ${rnet}:${rmask} in via ${oif}
${fwcmd} add 1600 pass all from ${rnet}:${rmask} to any out via ${oif}

# Count and divert the virtual VPN network to the Internet
${fwcmd} add 2000 divert 10000 ip from ${vnet}:${vmask} to any
${fwcmd} add 2100 divert 10000 ip from any to ${vnet}:${vmask}
${fwcmd} add 2200 divert natd ip from ${vnet}:${vmask} to any out via ${oif}
${fwcmd} add 2300 divert natd ip from any to ${oip} in via ${oif}

# Stop RFC1918 nets on the outside interface
# (includes RESERVED-1, DHCP auto-configuration, NET-TEST,
# MULTICAST (class D), and class E)
${fwcmd} add 3000 deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add 3100 deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add 3200 deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add 3300 deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add 3400 deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add 3500 deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add 3600 deny all from 240.0.0.0/4 to any via ${oif}

# Allow admin IP addresses to reach any service on the core
${fwcmd} add 3999 pass all from 192.168.4.237 to ${gip}
${fwcmd} add 3999 pass all from 10.11.138.7 to ${iip}
${fwcmd} add 3999 pass all from 10.11.7.7 to ${iip}
${fwcmd} add 3999 pass all from 10.10.10.37 to ${iip}

# Allow pass anything on the intranet interfaces
# but deny ftp, ssh, sendmail, http, pop3, snmpd on the gateway itself
${fwcmd} add 4000 deny tcp from any to ${iip} 21,22,25,80,110,161
${fwcmd} add 4100 deny tcp from any to ${gip} 21,22,25,80,110,161
${fwcmd} add 4200 deny tcp from any to ${vip} 21,22,161,80

# Allow pass inet <> gnet
${fwcmd} add 4300 pass ip from ${inet} to ${gnet}
${fwcmd} add 4400 pass ip from ${gnet} to ${inet}

# Allow all other traffic from these nets
${fwcmd} add 4800 pass all from any to any via ${iif}
${fwcmd} add 4900 pass all from any to any via ${gif}

# Now allow pass anything out from our real /30 network
${fwcmd} add 5100 pass all from ${onet}:${omask} to any out via ${oif}

# Deny anything outbound from other nets.
${fwcmd} add 5200 deny log all from any to any out via ${oif}

# Allow TCP through if setup succeeded.
${fwcmd} add 5300 pass tcp from any to any established

# Allow inbound SMTP, TCP DNS and IRC (6667, 6669) connection setup.
${fwcmd} add 5400 pass tcp from any to ${oip} 25,53,6667,6669 setup in via ${oif}
#${fwcmd} add 5500 pass tcp from any to ${oip} 110,443,995 setup in via ${oif}

# Deny inbound auth and netbios without logging.
# Deny some chatty UDP broadcast protocols without logging.
${fwcmd} add 5800 deny tcp from any to ${oip} 113,139 setup in via ${oif}
${fwcmd} add 5900 deny udp from any 137,138,513,525 to any in via ${oif}
${fwcmd} add 6000 deny udp from any to any 137 in via ${oif}
${fwcmd} add 6100 pass udp from any to ${iip} 53 in via ${iif}

# Allow inbound DNS and NTP replies.  This is somewhat of a hole,
# since we're looking at the incoming port number, which can be
# faked, but that's just the way DNS and NTP work.
${fwcmd} add 6200 pass udp from any 53 to ${oip} in via ${oif}
${fwcmd} add 6300 pass udp from any 123 to ${oip} in via ${oif}

# Allow inbound DNS queries.
${fwcmd} add 6400 pass udp from any to ${oip} 53 in via ${oif}

# Deny inbound NTP queries without logging.
${fwcmd} add 6500 deny udp from any to ${oip} 123 in via ${oif}

# Allow traceroute to function, but not to get in.
${fwcmd} add 6600 unreach port udp from any to ${oip} 33435-33524 in via ${oif}

# Allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
${fwcmd} add 6700 pass icmp from any to any in via ${oif} icmptypes 0,3,4,8,11

# Broadcasts are denied and not logged.
${fwcmd} add 9000 deny all from any to 255.255.255.255

# Allow real net, pass from any to any
${fwcmd} add 9998 allow ip from ${rnet}:${rmask} to any
${fwcmd} add 9998 allow ip from any to ${rnet}:${rmask}

# Allow virtual net, pass from any to any
${fwcmd} add 9999 pass all from ${vnet} to any
${fwcmd} add 9999 pass all from any to ${vnet}

# Everything else is denied and logged.
${fwcmd} add 65000 deny log all from any to any

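To see why an accounting divert rule written without an interface qualifier can fire twice for one routed packet, here is an added Python model of ipfw first-match evaluation (not code from the post or from ipfw itself). It assumes the real-IP client is reached through a PPTP tunnel interface (called ng0 here) so that a packet the box forwards to the client is evaluated once in via fxp0 and again out via the tunnel interface; the /26 and host addresses are constructed stand-ins for the post's 80.255.xxx.xxx values.

```python
# Added example, not code from the thread: a small model of ipfw first-match
# rule evaluation. It ASSUMES the real-IP client is reached through a PPTP
# tunnel interface (named "ng0" here), so a packet the box routes is evaluated
# twice; 80.255.0.64/26 is a constructed stand-in for the post's real /26.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional
RNET = ip_network("80.255.0.64/26")

class Rule(NamedTuple):
    num: int
    action: str               # "divert", "pass" or "deny"
    src: Optional[object]     # ip_network, or None for "any"
    dst: Optional[object]
    direction: Optional[str]  # "in", "out" or None
    iface: Optional[str]      # "via <iface>", or None

def matches(rule, src, dst, direction, iface):
    """Every qualifier written on the rule must hold for the packet."""
    return ((rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst)
            and (rule.direction is None or rule.direction == direction)
            and (rule.iface is None or rule.iface == iface))

def divert_hits(rules, src, dst, direction, iface):
    """One trip through the ruleset: divert hands the packet to the daemon,
    which reinjects it at the next rule; pass/deny stop evaluation."""
    hits = 0
    for r in sorted(rules, key=lambda x: x.num):
        if matches(r, src, dst, direction, iface):
            if r.action != "divert":
                break
            hits += 1
    return hits

def count_divert(rules, src, dst, path):
    """Accounting (divert) hits summed over each (direction, iface) hop."""
    src, dst = ip_address(src), ip_address(dst)
    return sum(divert_hits(rules, src, dst, d, i) for d, i in path)

# Accounting rules as in the post: 1300/1400 carry no interface qualifier.
LOOSE = [Rule(1300, "divert", RNET, None, None, None),
         Rule(1400, "divert", None, RNET, None, None),
         Rule(1500, "pass", None, RNET, "in", "fxp0"),
         Rule(1600, "pass", RNET, None, "out", "fxp0"),
         Rule(9998, "pass", RNET, None, None, None),
         Rule(9998, "pass", None, RNET, None, None),
         Rule(65000, "deny", None, None, None, None)]
# Same ruleset with accounting pinned to the outside interface only.
TIGHT = [Rule(1300, "divert", RNET, None, "out", "fxp0"),
         Rule(1400, "divert", None, RNET, "in", "fxp0")] + LOOSE[2:]
INBOUND = [("in", "fxp0"), ("out", "ng0")]   # Internet -> PPTP client
OUTBOUND = [("in", "ng0"), ("out", "fxp0")]  # PPTP client -> Internet
```

With the post's rules the model counts each forwarded packet twice (once per interface it crosses); pinning 1300/1400 to the outside interface with `in via`/`out via` yields a single count, which is one thing to check before looking further at rule 2300.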

Messages in this thread

1. "RE: BDS firewall (lavr, please take a look at this)"
Posted by lavr on 11-Oct-02, 12:01 (MSK)
>There is BSD 4.5 + ipfw1. The problem with this firewall: the subnet of REAL IP
>addresses is counted twice. The real (client) IPs reach the machines later
>through a PPTP connection.
>
>Traffic: ipacctd accounts twice as much traffic as was actually downloaded. This
>doubled traffic, if you break it down, equals
>= real traffic + real technical data + real traffic once
>more.

<skipped>

Sorry, as a matter of principle I don't answer questions about firewalls and routing, so as not to do harm.
