gryu
дикий гусь | Редактировать | Профиль | Сообщение | Цитировать | Сообщить модератору
---------------Ядро-------------------
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_NAT
options LIBALIAS
options ROUTETABLES=2
options DUMMYNET
options HZ="1000"
options IPFIREWALL_DEFAULT_TO_ACCEPT (ужо специально добавил)
---------------------------
---------------rc.conf------------
ifconfig_em0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0"
ifconfig_em1="inet 192.168.100.254 netmask 255.255.255.0"
defaultrouter="xxx.xxx.xxx.xxy"
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_type="/etc/rc.firewall"
--------------------------------------------------
---------sysctl.conf весь какой есть на данном этапе----------------
net.inet.ip.fw.enable=1 (знаю что это дубль firewall_enable="YES". ставлю для того чтоб можно было при необходимости вообще отключить фаервол скомпилированный в ядре)
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
net.inet.ip.fw.one_pass=1
---------------------------------------
----------rc.firewall весь какой есть на данном этапе------------------
#!/bin/sh -
pre_com="ipfw -q"
ex_face="em0"
in_face="em1"
ex_ip="xxx.xxx.xxx.xxx"
in_ip="192.168.100.254"
$pre_com -f flush
$pre_com add 100 allow ip from any to any via lo0
$pre_com add 200 deny ip from any to 127.0.0.0/8
$pre_com add 300 deny ip from 127.0.0.0/8 to any
$pre_com add 400 allow all from any to any via $in_face
$pre_com nat 1 config log if $ex_face reset same_ports deny_in \
redirect_port tcp $ex_ip:20 20 \
redirect_port tcp $ex_ip:21 21 \
redirect_port tcp $ex_ip:22 22 \
redirect_port tcp 192.168.100.252:22 3350 \
$pre_com add 1030 nat 1 ip from any to any via $ex_face
--------------------
Вообще говоря пока убрал deny_in . FTP с этой опцией и редиректом через НАТ не работает.
------------------------------------------------------------------------
# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 25 2098 allow ip from any to any via em1
01030 1098 116375 nat 1 ip from any to any via em0
65535 7 648 allow ip from any to any
--------------------
# ipfw nat show config
ipfw nat 1 config if em0 log deny_in same_ports reset redirect_port tcp 192.168.100.252:22 3350 redirect_port tcp xxx.xxx.xxx.xxx:22 22 redirect_port tcp xxx.xxx.xxx.xxx:21 21 redirect_port tcp xxx.xxx.xxx.xxx:20 20
--------------
# tcpdump -i em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
18:11:18.104567 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:11:19.105181 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:11:19.900544 IP ppp94-29-32-36.pppoe.spdop.ru.50198 > 192.168.100.252.ssh: Flags [S ] seq 2175276496, win 8192, options [mss 1380,nop,wscale 2,nop,nop,sackOK], length 0
18:11:21.105918 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:11:22.900756 IP ppp94-29-32-36.pppoe.spdop.ru.50198 > 192.168.100.252.ssh: Flags [S ] seq 2175276496, win 8192, options [mss 1380,nop,wscale 2,nop,nop,sackOK], length 0
18:11:25.107519 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:11:28.903292 IP ppp94-29-32-36.pppoe.spdop.ru.50198 > 192.168.100.252.ssh: Flags [S ] seq 2175276496, win 8192, options [mss 1380,nop,nop,sackOK], length 0
18:11:33.110717 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:11:36.923114 IP6 fe80::d54f:1c4b:5f5d:2c74.58889 > ff02::c.1900: UDP, length 119
18:11:36.923359 IP 192.168.100.100.58892 > 239.255.255.250.1900: UDP, length 125
18:11:36.924109 IP6 fe80::d54f:1c4b:5f5d:2c74.58889 > ff02::c.1900: UDP, length 117
18:11:36.924233 IP 192.168.100.100.58892 > 239.255.255.250.1900: UDP, length 123
18:11:39.924469 IP6 fe80::d54f:1c4b:5f5d:2c74.58889 > ff02::c.1900: UDP, length 119
18:11:39.924590 IP 192.168.100.100.58892 > 239.255.255.250.1900: UDP, length 125
------------------
tcpdump на целевой машине 192.168.100.252
# tcpdump -i bge1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge1, link-type EN10MB (Ethernet), capture size 96 bytes
01:03:45.295574 arp who-has 192.168.100.252 tell 192.168.100.254
01:03:45.295591 arp reply 192.168.100.252 is-at 00:14:5e:21:36:05 (oui Unknown)
01:03:45.295757 IP ppp94-29-32-36.pppoe.spdop.ru.53914 > 192.168.100.252.ssh: S 1384242307:1384242307(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
01:03:48.295832 IP ppp94-29-32-36.pppoe.spdop.ru.53914 > 192.168.100.252.ssh: S 1384242307:1384242307(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
01:03:54.294887 IP ppp94-29-32-36.pppoe.spdop.ru.53914 > 192.168.100.252.ssh: S 1384242307:1384242307(0) win 8192 <mss 1380,nop,nop,sackOK>
|
Всего записей: 13033 | Зарегистр. 15-03-2006 | Отправлено: 23:35 13-02-2014 | Исправлено: gryu, 01:55 14-02-2014 |
|
