vpn2# uname -a
FreeBSD vpn2.test.me 8.3-RELEASE FreeBSD 8.3-RELEASE #0: Tue Mar 5 11:25:13 UTC 2013 root@vpn2:/usr/obj/usr/src/sys/GENERIC i386
# Kernel options added to GENERIC on vpn2: ipfw with in-kernel NAT, dummynet,
# and the netgraph nodes mpd5 needs for PPTP.
# There is no IPFIREWALL_DEFAULT_TO_ACCEPT, so the firewall denies everything
# until /etc/ipfw.sh (firewall_script in rc.conf) has loaded its rules.
# There is also no IPFIREWALL_VERBOSE_LIMIT and the "deny log" rules carry no
# logamount, so logging is unbounded unless net.inet.ip.fw.verbose_limit is set.
options 	IPFIREWALL		# firewall
options 	IPFIREWALL_VERBOSE	# enable logging to syslogd(8)
options 	IPDIVERT		# divert sockets; /etc/ipfw.sh uses ipfw nat, not divert/natd
options 	IPFIREWALL_FORWARD	# "fwd" action
options 	DUMMYNET		# pipes/queues; /etc/ipfw.sh defines none
options 	IPFIREWALL_NAT		# ipfw kernel nat support
options 	LIBALIAS		# NAT engine used by IPFIREWALL_NAT
options 	NETGRAPH
options 	NETGRAPH_ETHER
options 	NETGRAPH_SOCKET
options 	NETGRAPH_TEE
options 	NETGRAPH_MPPC_ENCRYPTION	# MPPE support; compiled in, but mpd.conf leaves "set ccp yes mppc" commented out, so PPTP links run unencrypted
# mpd5 configuration for the vpn2 PPTP concentrator.
# Sections: startup (control console, NetFlow export), default (entry point),
# pptp_server (bundle/link templates), radius (AAA against 10.10.0.4).
startup:
# Control-console account: user "pass", password "pass", admin rights.
# This is a trivially guessable credential. The console is bound to
# 127.0.0.1 only (next line), so it is reachable just by local users of this
# host, but it should still be replaced with a real password.
set user pass pass admin
# Telnet-style console on localhost only; the web UI below stays disabled.
set console self 127.0.0.1 5005
set console open
#set web self 0.0.0.0 5006
#set web open
# Export per-link NetFlow records to the collector on the management VLAN.
set netflow peer 10.10.0.4 9996
default:
load pptp_server
pptp_server:
# Create clonable bundle template named B
create bundle template B
set iface enable proxy-arp
set iface enable netflow-in
set iface enable netflow-out
# Tear a session down after 30 minutes without traffic.
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
# The server side is always 172.16.0.1 (the lo0 alias in rc.conf); the client
# side is unrestricted here, so the peer address presumably comes from the
# RADIUS reply (Framed-IP-Address) -- confirm against the RADIUS profiles.
set ipcp ranges 172.16.0.1/32 0.0.0.0/0
set ipcp dns 172.16.0.1
set bundle disable compression
# MPPE is disabled (the four lines below are commented out), so every PPTP
# session carries user traffic in cleartext inside GRE. The kernel has
# NETGRAPH_MPPC_ENCRYPTION, so enabling it is only a config change; MPPE needs
# MS-CHAP (chap-msv1/chap-msv2) to derive its keys. Even with MPPE, PPTP with
# MS-CHAPv2 is considered broken -- treat this as an unencrypted tunnel and
# prefer L2TP/IPsec or OpenVPN for anything sensitive.
#set ccp yes mppc
#set mppc yes e40
#set mppc yes e128
#set mppc yes stateless
# Create clonable link template named L
create link template L pptp
# Set bundle template to use
set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link yes acfcomp protocomp
# Never authenticate this server to the peer.
set link no pap chap
# Require the peer to authenticate with CHAP. "chap" here presumably covers
# every CHAP flavour mpd knows (chap-md5, chap-msv1, chap-msv2) -- verify;
# if only MS-CHAPv2 should be accepted, enable chap-msv2 explicitly.
set link enable chap
# We can use use RADIUS authentication/accounting by including
# another config section with label 'radius'.
load radius
# LCP echo every 10 s; declare the link dead after 60 s without a reply.
set link keep-alive 10 60
# We reducing link mtu to avoid GRE packet fragmentation.
set link mtu 1460
# Configure PPTP
# NOTE(review): 10.10.0.1 is not assigned to this host in the rc.conf shown
# (vlan101 is 10.10.0.2), and mpd can only bind to a local address -- confirm
# where 10.10.0.1 lives (CARP, an alias not shown, or a copy from vpn1).
set pptp self 10.10.0.1
# Allow to accept calls
set link enable incoming
radius:
# You can use radius.conf(5), its useful, because you can share the
# same config with userland-ppp and other apps.
# The shared secret lives in /etc/radius.conf -- keep that file mode 0600.
set radius config /etc/radius.conf
# or specify the server directly here
# Both this line and the config file above are active, so servers from both
# are used. NOTE(review): mpd5's syntax is
# "set radius server <name> <secret> [<auth port> [<acct port>]]"; as posted
# the second argument "1812" would be taken as the secret and 1813 as the
# auth port. Fine if the secret was stripped for the post, otherwise fix it.
set radius server 10.10.0.4 1812 1813
set radius retries 3
set radius timeout 3
# send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.
set radius me 10.10.0.1
# send accounting updates every 5 minutes
set auth acct-update 300
# enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
set auth enable radius-auth
# enable RADIUS accounting
set auth enable radius-acct
# protect our requests with the message-authenticator
set radius enable message-authentic
# At most one simultaneous session per user name.
set auth max-logins 1
# Presumably reports the peer's address as Calling-Station-Id to RADIUS -- verify.
set link enable peer-as-calling
rc.conf
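# /etc/rc.conf for vpn2 (PPTP concentrator + NAT gateway).
keymap="ru.koi8-r"
hostname="vpn2.test.me"
cloned_interfaces="vlan10 vlan101 vlan4020"
# Server-side address of every PPTP link (set ipcp ranges / set ipcp dns in mpd.conf).
ifconfig_lo0_alias0="172.16.0.1/32"
ifconfig_igb1="up"
# WAN (external) interface.
# The original line had a trailing "//внешка" after the closing quote. rc.conf
# is sourced by sh, so that turns the assignment into an environment prefix
# for a (non-existent) command: the variable is never set and vlan10 is never
# attached to igb1. Comments in rc.conf must start with '#'.
ifconfig_vlan10="*.*.214.228 netmask 255.255.255.0 vlan 10 vlandev igb1 up"
# Additional public addresses; /etc/ipfw.sh uses them as NAT pool addresses.
# NOTE(review): the FreeBSD handbook says further addresses in the same
# subnet as the primary should use a /32 mask; check the boot log for
# "ioctl (SIOCAIFADDR): File exists" if any alias is missing after boot.
ifconfig_vlan10_alias0="*.*.214.192/24"
ifconfig_vlan10_alias1="*.*.214.193/24"
ifconfig_vlan10_alias2="*.*.214.194/24"
ifconfig_vlan10_alias3="*.*.214.195/24"
ifconfig_vlan10_alias4="*.*.214.196/24"
ifconfig_igb0="up"
# Management VLAN (RADIUS server and NetFlow collector at 10.10.0.4).
ifconfig_vlan101="10.10.0.2 netmask 255.255.0.0 vlan 101 vlandev igb0 up"
# Transit VLAN towards the internal routers 172.20.2.1-172.20.2.8.
ifconfig_vlan4020="172.20.2.14 netmask 255.255.255.240 vlan 4020 vlandev igb0"
defaultrouter="*.*.214.1"
# "ar8" was defined below but missing from this list, so its route was never
# installed; it now follows the same pattern as ar1-ar7.
static_routes="dns ar1 ar2 ar3 ar4 ar5 ar6 ar7 ar8"
route_dns="172.20.1.1 172.20.2.1"
route_ar1="10.1.0.0/16 172.20.2.1"
route_ar2="10.2.0.0/16 172.20.2.2"
route_ar3="10.3.0.0/16 172.20.2.3"
route_ar4="10.4.0.0/16 172.20.2.4"
route_ar5="10.5.0.0/16 172.20.2.5"
route_ar6="10.6.0.0/16 172.20.2.6"
route_ar7="10.7.0.0/16 172.20.2.7"
route_ar8="10.8.0.0/16 172.20.2.8"
gateway_enable="YES"
# Kernel ipfw defaults to deny; the ruleset comes from this script.
firewall_enable="YES"
firewall_script="/etc/ipfw.sh"
sshd_enable="YES"
# mpd5 in daemon mode.
mpd_enable="YES"
mpd_flags="-b"
named_enable="YES"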
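#!/bin/sh
# ipfw ruleset for vpn2, run by /etc/rc.d/ipfw (firewall_script="/etc/ipfw.sh").
# The kernel is built without IPFIREWALL_DEFAULT_TO_ACCEPT, so anything that
# reaches the end of a section without an explicit allow is dropped.
#
# Rules 10-70 classify packets by interface and direction and skipto a section:
#   10000  inbound from the Internet ($IF_WAN)
#   20000  outbound to the Internet ($IF_WAN)
#   30000  inbound from the local VLANs
#   40000  inbound from PPTP clients (mpd creates one ng* interface per link)
PATH="/bin:/sbin:/usr/bin:/usr/sbin"

# Dry run: set ipfw=echo to print the rules instead of loading them.
ipfw=ipfw

IF_WAN=vlan10
IF_LAN101=vlan101
IF_LAN=vlan4020
# Public addresses used as NAT pools (configured as vlan10 aliases in rc.conf).
IP_NAT1="*.*.214.192"
IP_NAT2="*.*.214.193"
IP_NAT3="*.*.214.194"
IP_NAT4="*.*.214.195"
IP_NAT5="*.*.214.196"
IP_LAN101=10.10.0.2
# Management host(s) allowed to reach this box from the Internet (rule 10010).
# The original script never assigned it, so "$IP_TRUST" expanded to nothing
# and the rule failed to load ("ipfw: missing address") without stopping the
# script. Set it here (an address, a network, or a comma-separated list) or
# export it before running; while it is empty the rule is skipped with a
# warning instead of failing silently.
IP_TRUST="${IP_TRUST:-}"

# Flush only after every variable is defined, so that a typo above cannot
# leave the box with an empty (default-deny) ruleset.
$ipfw -f flush
add="$ipfw add"

# One NAT instance per public address. deny_in drops inbound packets to the
# NAT address that have no entry in the translation table. Without it libalias
# passes them through untranslated and, since net.inet.ip.fw.one_pass=1 by
# default, they are accepted right after the nat rule and never reach the
# deny at 11000 -- i.e. every service on this host was reachable from the
# Internet on the five pool addresses. If sshd on one of those addresses was
# being used for remote administration, that worked only through this gap:
# set IP_TRUST instead.
$ipfw nat 1 config ip "$IP_NAT1" deny_in
$ipfw nat 2 config ip "$IP_NAT2" deny_in
$ipfw nat 3 config ip "$IP_NAT3" deny_in
$ipfw nat 4 config ip "$IP_NAT4" deny_in
$ipfw nat 5 config ip "$IP_NAT5" deny_in

# Loopback traffic
$add 10 allow ip from any to any via lo0
# ICMP to any of this host's addresses, from anywhere (the WAN included).
$add 15 allow icmp from any to me
# Inbound from the Internet
$add 20 skipto 10000 ip from any to any in recv $IF_WAN
# Outbound to the Internet
$add 30 skipto 20000 ip from any to any out xmit $IF_WAN
# Inbound from the local networks
$add 40 skipto 30000 ip from any to any in recv $IF_LAN
$add 41 skipto 30000 ip from any to any in recv $IF_LAN101
# NOTE(review): vlan4050 is not created in the rc.conf shown for this host.
# ipfw accepts the name of an interface that does not exist, so the rule is
# inert; confirm it is not a stale entry or a typo for vlan4020.
$add 42 skipto 30000 ip from any to any in recv vlan4050
# Inbound from VPN clients
$add 50 skipto 40000 ip from any to any in recv "ng*"
# Everything leaving the box on a non-WAN interface is allowed
$add 60 allow ip from any to any out
# Everything else is denied
$add 70 deny log ip from any to any

# --- 10000: inbound from the Internet ---
# Anti-spoofing covers 10/8 only; 172.16/12, 192.168/16 and this host's own
# public prefix arriving on the WAN are not filtered (ipfw's "antispoof"
# keyword would cover the locally configured prefixes).
$add 10000 deny ip from 10.0.0.0/8 to any
if [ -n "$IP_TRUST" ]; then
	$add 10010 allow ip from "$IP_TRUST" to me
else
	echo "ipfw.sh: IP_TRUST is empty; rule 10010 (trusted WAN access to this host) not loaded" >&2
fi
# Replies to connections opened by this host (tracked by rule 21000)
$add 10020 check-state
# Return traffic for the NAT pools. Translated packets are accepted here
# (one_pass); with deny_in everything else falls through to 11000.
$add 10100 nat 1 ip from any to "$IP_NAT1"
$add 10110 nat 2 ip from any to "$IP_NAT2"
$add 10120 nat 3 ip from any to "$IP_NAT3"
$add 10130 nat 4 ip from any to "$IP_NAT4"
$add 10140 nat 5 ip from any to "$IP_NAT5"
$add 11000 deny log ip from any to any

# --- 20000: outbound to the Internet ---
# Each VPN client range leaves through its own public address.
$add 20000 nat 1 ip from 172.16.0.0/23 to any
$add 20010 nat 2 ip from 172.16.2.0/23 to any
$add 20020 nat 3 ip from 172.16.4.0/23 to any
$add 20030 nat 4 ip from 172.16.6.0/23 to any
$add 20040 nat 5 ip from 172.16.8.0/22 to any
# Connections originated by this host, with state for the check-state at 10020
$add 21000 allow ip from me to any keep-state
$add 22000 deny log ip from me to any

# --- 30000: inbound from the local networks ---
# Every local network may reach every service on this host.
$add 30000 allow ip from any to me
$add 30010 allow ip from 10.50.1.0/24 to 172.20.2.0/28
$add 30020 allow ip from 172.20.2.0/28 to 10.50.1.0/24
$add 31000 deny log ip from any to any

# --- 40000: inbound from VPN clients ---
$add 40000 deny ip from any to any dst-port 35691
# No HTTP to the hosts listed in table 10
$add 40010 deny tcp from any to 'table(10)' dst-port 80
# $add 40020 deny log ip from any to 10.0.0.0/8
# VPN clients may reach anything: the Internet (NAT at 20000), each other,
# and every internal network, including the 10.10.0.0/16 management VLAN and
# the RADIUS server. The commented-out 40020 would close the internal side;
# confirm the current policy is intentional.
$add 41000 allow ip from 172.16.0.0/16 to any # xmit $IF_WAN
$add 41010 deny log ip from any to any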