Всем привет!
Вот настроил сабж для учета трафика 6 машин. Стоит машина с FreeBSD и натит адреса. Сегодня смотрю на общий трафик а там аж 4 гига Хотя если смотреть по конкретным адресам (внутренним), то все в принципе как обычно в пределах разумного.Может я чего не так описал вот не знаю! помогите пожалуйста разобраться
1. gate# ipfw show
00100 2415912 2826137117 count ip from any to any in recv rl0
00101 350809 94630417 count ip from any to any out xmit rl0
00201 45540 35701804 count ip from 192.168.0.2 to any out xmit rl0
00202 83724 36433730 count ip from 192.168.0.3 to any out xmit rl0
00203 33377 4584656 count ip from 192.168.0.4 to any out xmit rl0
00204 47384 5868775 count ip from 192.168.0.5 to any out xmit rl0
00205 39516 3838451 count ip from 192.168.0.6 to any out xmit rl0
00206 57613 5023938 count ip from 192.168.0.7 to any out xmit rl0
00207 38098 2507565 count ip from 192.168.0.10 to any out xmit rl0
00300 2766721 2920767534 divert 8668 ip from any to any via rl0
00301 43808 24473215 count ip from any to 192.168.0.2 in recv rl0
00302 55151 18369964 count ip from any to 192.168.0.3 in recv rl0
00303 30003 25156483 count ip from any to 192.168.0.4 in recv rl0
00304 51049 45220631 count ip from any to 192.168.0.5 in recv rl0
00305 42398 40097736 count ip from any to 192.168.0.6 in recv rl0
00306 64988 66387161 count ip from any to 192.168.0.7 in recv rl0
00307 17013 9745958 count ip from any to 192.168.0.10 in recv rl0
00407 564 23688 allow ip from any to any via lo0
00507 669125 325344849 allow ip from any to any via xl0
00607 24021 2011796 allow icmp from any to any icmptype 0,3,4,8,11,12
00707 28256 1356288 allow tcp from any to any out xmit rl0 setup
00807 526531 308259466 allow tcp from any to any via rl0 established
00907 7 336 allow tcp from any to any 22 setup
01007 10 500 allow tcp from any to any 21 via rl0
01107 0 0 allow tcp from any 21 to any via rl0
01207 12 576 allow tcp from any to any 25 via rl0
01307 0 0 allow tcp from any 25 to any via rl0
01407 11 636 reset log logamount 32 tcp from any to any 113 in recv rl0
01507 72123 4514747 allow udp from any to any 53 via rl0
01607 2919 603298 allow udp from any 53 to any via rl0
01707 737 56012 allow udp from any to any 123 via rl0
65435 2112094 2603963879 deny log logamount 32 ip from any to any
65535 2 146 deny ip from any to any
2. # Firewall rules
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"
# Force a flushing of the current rules before we reload.
$fwcmd -f flush
#Statistic out
$fwcmd add 100 count ip from any to any in via rl0
$fwcmd add 101 count ip from any to any out via rl0
$fwcmd add 201 count ip from 192.168.0.2 to any out via rl0
$fwcmd add 202 count ip from 192.168.0.3 to any out via rl0
$fwcmd add 203 count ip from 192.168.0.4 to any out via rl0
$fwcmd add 204 count ip from 192.168.0.5 to any out via rl0
$fwcmd add 205 count ip from 192.168.0.6 to any out via rl0
$fwcmd add 206 count ip from 192.168.0.7 to any out via rl0
$fwcmd add 207 count ip from 192.168.0.10 to any out via rl0
# Divert all packets through the tunnel interface.
$fwcmd add 300 divert natd all from any to any via rl0
#Statistic in
$fwcmd add 301 count ip from any to 192.168.0.2 in via rl0
$fwcmd add 302 count ip from any to 192.168.0.3 in via rl0
$fwcmd add 303 count ip from any to 192.168.0.4 in via rl0
$fwcmd add 304 count ip from any to 192.168.0.5 in via rl0
$fwcmd add 305 count ip from any to 192.168.0.6 in via rl0
$fwcmd add 306 count ip from any to 192.168.0.7 in via rl0
$fwcmd add 307 count ip from any to 192.168.0.10 in via rl0
# Allow all data from my network card and localhost. Make sure you
# change your network card (mine was fxp0) before you reboot.
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via xl0
#Ping
$fwcmd add allow icmp from any to any icmptypes 0,3,4,8,11,12
# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit rl0 setup
# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via rl0 established
# Everyone on the internet is allowed to connect to the following
# services on the machine. This example shows that people may connect
# to ssh and apache.
#$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup
# Rules for FTP
#$fwcmd add allow tcp from any to any 20 via rl0
#$fwcmd add allow tcp from any 20 to any via rl0
$fwcmd add allow tcp from any to any 21 via rl0
$fwcmd add allow tcp from any 21 to any via rl0
# Rules for SMTP
$fwcmd add allow tcp from any to any 25 via rl0
$fwcmd add allow tcp from any 25 to any via rl0
# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv rl0
#DNS
$fwcmd add allow udp from any to any 53 via rl0
$fwcmd add allow udp from any 53 to any via rl0
#DalNet Rules
#$fwcmd add allow tcp from any to any 6667 via rl0
#NTP
$fwcmd add allow udp from any to any 123 via rl0
# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any
3. ipa.conf
# Default configuration file for ipa(8).
# @(#)$Id: ipa.conf.default,v 1.6 2002/12/19 18:56:05 simon Exp $
#
global {
update_db_time = 30s
db_dir=/var/ipa
db_group = wheel
maxchunk = 500M
append_db_time = 1h
}
rule inet_in {
ipfw = 00100
info = traffic_in
}
rule inet_out {
ipfw = 00101
info = traffic_out
}
rule inet_all {
ipfw = 00100 00101
info = nepashet
}
rule 2_in {
ipfw = 00301
info = traffic in for 192.168.0.2
}
rule 2_out {
ipfw = 00201
info = traffic out for 192.168.0.2
}
rule 3_in {
ipfw = 00302
info = traffic in for 192.168.0.3
}
rule 3_out {
ipfw = 00202
info = traffic out for 192.168.0.3
}
rule 4_in {
ipfw = 00303
info = traffic in for 192.168.0.4
}
rule 4_out {
ipfw = 00203
info = traffic out for 192.168.0.4
}
rule 5_in {
ipfw = 00304
info = traffic in for 192.168.0.5
}
rule 5_out {
ipfw = 00204
info = traffic out for 192.168.0.5
}
rule 6_in {
ipfw = 00305
info = traffic in for 192.168.0.6
}
rule 6_out {
ipfw = 00205
info = traffic out for 192.168.0.6
}
rule 7_in {
ipfw = 00306
info = traffic in for 192.168.0.7
}
rule 7_out {
ipfw = 00206
info = traffic out for 192.168.0.7
}
rule 10_in {
ipfw = 00307
info = traffic in for Domain
}
rule 10_out {
ipfw = 00207
info = traffic out for Domain
}
4.ipastat
+----------+----------+---------------------+---------------------+
| Rule | Info | From | To |
+----------+----------+---------------------+---------------------+
| inet_all | nepashet | 2004.07.01/00:00:00 | 2004.07.31/24:00:00 |
+----------+----------+---------------------+---------------------+
+------------+------------+--------+
| Date | Bytes | Mbytes |
+------------+------------+--------+
| 2004.07.01 | 1133241607 | 1081 |
| 2004.07.02 | 74655762 | 71 |
| 2004.07.03 | 71909256 | 69 |
| 2004.07.04 | 104445458 | 100 |
| 2004.07.05 | 410670749 | 392 |
| 2004.07.06 | 2190639528 | 2089 |
| 2004.07.07 | 82337289 | 79 |
+------------+------------+--------+
| | 4067899649 | 3880 |
+------------+------------+--------+
* 7 days *
Вариант для распечатки
OpenNET: Виртуальная конференция (Public)
(ok) on
07-Июл-04, 18:25 (MSK)
