gryu
---------------Kernel-------------------
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_NAT
options LIBALIAS
options ROUTETABLES=2
options DUMMYNET
options HZ="1000"
options IPFIREWALL_DEFAULT_TO_ACCEPT (added this one on purpose)
---------------------------

---------------rc.conf------------
ifconfig_em0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0"
ifconfig_em1="inet 192.168.100.254 netmask 255.255.255.0"
defaultrouter="xxx.xxx.xxx.xxy"
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_type="/etc/rc.firewall"
--------------------------------------------------

---------sysctl.conf, all of it as it stands at this stage----------------
net.inet.ip.fw.enable=1 (I know this duplicates firewall_enable="YES"; I set it so that the firewall compiled into the kernel can be switched off entirely if needed)
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
net.inet.ip.fw.one_pass=1
---------------------------------------

----------rc.firewall, all of it as it stands at this stage------------------
#!/bin/sh -
pre_com="ipfw -q"
ex_face="em0"
in_face="em1"
ex_ip="xxx.xxx.xxx.xxx"
in_ip="192.168.100.254"

$pre_com -f flush
$pre_com add 100 allow ip from any to any via lo0
$pre_com add 200 deny ip from any to 127.0.0.0/8
$pre_com add 300 deny ip from 127.0.0.0/8 to any
$pre_com add 400 allow all from any to any via $in_face

$pre_com nat 1 config log if $ex_face reset same_ports deny_in \
    redirect_port tcp $ex_ip:20 20 \
    redirect_port tcp $ex_ip:21 21 \
    redirect_port tcp $ex_ip:22 22 \
    redirect_port tcp 192.168.100.252:22 3350

$pre_com add 1030 nat 1 ip from any to any via $ex_face
--------------------
Actually, I've removed deny_in for now: FTP doesn't work with that option combined with the redirect through NAT.
------------------------------------------------------------------------
# ipfw show
00100    0      0 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00400   25   2098 allow ip from any to any via em1
01030 1098 116375 nat 1 ip from any to any via em0
65535    7    648 allow ip from any to any
--------------------
# ipfw nat show config
ipfw nat 1 config if em0 log deny_in same_ports reset redirect_port tcp 192.168.100.252:22 3350 redirect_port tcp xxx.xxx.xxx.xxx:22 22 redirect_port tcp xxx.xxx.xxx.xxx:21 21 redirect_port tcp xxx.xxx.xxx.xxx:20 20
--------------
# tcpdump -i em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
18:11:18.104567 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:11:19.105181 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:11:19.900544 IP ppp94-29-32-36.pppoe.spdop.ru.50198 > 192.168.100.252.ssh: Flags [S], seq 2175276496, win 8192, options [mss 1380,nop,wscale 2,nop,nop,sackOK], length 0
18:11:21.105918 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:11:22.900756 IP ppp94-29-32-36.pppoe.spdop.ru.50198 > 192.168.100.252.ssh: Flags [S], seq 2175276496, win 8192, options [mss 1380,nop,wscale 2,nop,nop,sackOK], length 0
18:11:25.107519 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:11:28.903292 IP ppp94-29-32-36.pppoe.spdop.ru.50198 > 192.168.100.252.ssh: Flags [S], seq 2175276496, win 8192, options [mss 1380,nop,nop,sackOK], length 0
18:11:33.110717 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:11:36.923114 IP6 fe80::d54f:1c4b:5f5d:2c74.58889 > ff02::c.1900: UDP, length 119
18:11:36.923359 IP 192.168.100.100.58892 > 239.255.255.250.1900: UDP, length 125
18:11:36.924109 IP6 fe80::d54f:1c4b:5f5d:2c74.58889 > ff02::c.1900: UDP, length 117
18:11:36.924233 IP 192.168.100.100.58892 > 239.255.255.250.1900: UDP, length 123
18:11:39.924469 IP6 fe80::d54f:1c4b:5f5d:2c74.58889 > ff02::c.1900: UDP, length 119
18:11:39.924590 IP 192.168.100.100.58892 > 239.255.255.250.1900: UDP, length 125
------------------
tcpdump on the target machine 192.168.100.252
# tcpdump -i bge1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge1, link-type EN10MB (Ethernet), capture size 96 bytes
01:03:45.295574 arp who-has 192.168.100.252 tell 192.168.100.254
01:03:45.295591 arp reply 192.168.100.252 is-at 00:14:5e:21:36:05 (oui Unknown)
01:03:45.295757 IP ppp94-29-32-36.pppoe.spdop.ru.53914 > 192.168.100.252.ssh: S 1384242307:1384242307(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
01:03:48.295832 IP ppp94-29-32-36.pppoe.spdop.ru.53914 > 192.168.100.252.ssh: S 1384242307:1384242307(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
01:03:54.294887 IP ppp94-29-32-36.pppoe.spdop.ru.53914 > 192.168.100.252.ssh: S 1384242307:1384242307(0) win 8192 <mss 1380,nop,nop,sackOK>

Posted: 23:35 13-02-2014 | Edited: gryu, 01:55 14-02-2014
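As an added example (not from the post and not part of FreeBSD or ipfw), a small Python analyser that applies the check the two captures above invite: it parses tcpdump lines in both shapes shown (the newer `Flags [S]` style from em1 and the older `S seq:seq(0)` style from bge1), groups IPv4 TCP segments by flow, and reports flows whose SYNs never got a SYN-ACK, which is the symptom of a redirect_port path whose return leg is broken. The gateway and target capture lines are quoted from the post; the LAN-side handshake is constructed for contrast.

```python
import re
from collections import defaultdict

# tcpdump prints TCP flags in two shapes, both of which appear in the post:
#   newer: "... > 192.168.100.252.ssh: Flags [S], seq 2175276496, ..."
#   older: "... > 192.168.100.252.ssh: S 1384242307:1384242307(0) win ..."
# Either regex yields (src_host, src_port, dst_host, dst_port, flags).
NEW_FMT = re.compile(r"^\S+ IP (\S+)\.(\S+) > (\S+)\.(\S+): Flags \[([SFRP.]+)\s*\]")
OLD_FMT = re.compile(r"^\S+ IP (\S+)\.(\S+) > (\S+)\.(\S+): ([SFRP.]+) ")

def parse_tcp_segment(line):
    """(src, sport, dst, dport, flags) for an IPv4 TCP line; None for IPv6/ARP/UDP."""
    m = NEW_FMT.match(line) or OLD_FMT.match(line)
    return m.groups() if m else None

def half_open_flows(lines):
    """Count SYNs per client flow, dropping flows that got a SYN-ACK back. The
    flows left over are what to chase on a redirect_port path: return route on
    the internal host, a host firewall, or the service not listening."""
    syn_count = defaultdict(int)
    answered = set()
    for line in lines:
        seg = parse_tcp_segment(line)
        if seg is None:
            continue
        src, sport, dst, dport, flags = seg
        if flags == "S":
            syn_count[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            answered.add((dst, dport, src, sport))  # key the SYN-ACK by the client's flow
    return {flow: n for flow, n in syn_count.items() if flow not in answered}

# Capture lines quoted from the post: em1 on the gateway, then bge1 on the target.
GATEWAY_CAPTURE = [
    "18:11:19.900544 IP ppp94-29-32-36.pppoe.spdop.ru.50198 > 192.168.100.252.ssh: Flags [S], seq 2175276496, win 8192, length 0",
    "18:11:21.105918 IP6 fe80::d54f:1c4b:5f5d:2c74.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit",
    "18:11:22.900756 IP ppp94-29-32-36.pppoe.spdop.ru.50198 > 192.168.100.252.ssh: Flags [S], seq 2175276496, win 8192, length 0",
    "18:11:36.923359 IP 192.168.100.100.58892 > 239.255.255.250.1900: UDP, length 125",
]
TARGET_CAPTURE = [
    "01:03:45.295574 arp who-has 192.168.100.252 tell 192.168.100.254",
    "01:03:45.295757 IP ppp94-29-32-36.pppoe.spdop.ru.53914 > 192.168.100.252.ssh: S 1384242307:1384242307(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>",
    "01:03:48.295832 IP ppp94-29-32-36.pppoe.spdop.ru.53914 > 192.168.100.252.ssh: S 1384242307:1384242307(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>",
]
# Constructed contrast (not from the post): a LAN-side ssh handshake that is answered.
HEALTHY_CAPTURE = [
    "18:12:00.000001 IP 192.168.100.100.40000 > 192.168.100.254.ssh: Flags [S], seq 1, win 65535, length 0",
    "18:12:00.000200 IP 192.168.100.254.ssh > 192.168.100.100.40000: Flags [S.], seq 100, ack 2, win 65535, length 0",
]
```

Run against both captures the result is the same single flow with repeated unanswered SYNs, so the forwarded SYN does arrive at 192.168.100.252 and the missing piece is the reply leaving that host, not the ipfw nat rule.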