Товарищи, помогите пожалуйста, и заодно поправьте что не так написал в конфиге, т.к. я во фрибсд можно сказать новичок и только учусь всем премудростям этой замечательной системы, поэтому могу накосячить чего попало.
Привожу необходимую инфу:
Код: Выделить всё
[root@serv /etc/firewall]# ifconfig
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:0a:48:10:0a:2d
inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:0e:2e:72:41:00
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
media: Ethernet autoselect (none)
status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
Код: Выделить всё
[root@serv /etc/firewall]# cat /etc/firewall/rc.firewal
#!/bin/sh
# Registering all variables
fw="/sbin/ipfw"
lanout="rl0"
lanin="nfe0"
ipout="192.168.2.254"
ipin="192.168.1.253"
netmask="24"
netin="192.168.1.0"
nout="192.168.1.1"
comp="192.168.1.2"
# Reset all rules
${fw} -f flush
${fw} -f pipe flush
${fw} -f queue flush
###########################################################
# Shaping
# Creating pipes
#${fw} add pipe 2 ip from ${nout} to ${ipin} out
#${fw} add pipe 1 ip from ${ipin} to ${nout} in
#${fw} add pipe 4 ip from ${comp} to ${ipin} in
#${fw} add pipe 3 ip from ${ipin} to ${comp} out
# Spec tryba dlja melkix paketov!!!
#${fw} add pipe 5 ip from from any to any tcpflags ack iplen 0-128
#${fw} pipe 5 config bw 100Mbit/s
#${fw} add skipto 39999 ip from any to any tcpflags ack iplen 0-128
# Configuring pipes
###########################################
#${fw} pipe 1 config bw 120Kbit/s queue 100 gred 0.002/10/30/0.1
#${fw} pipe 2 config bw 120Kbit/s queue 100
#${fw} queue 10 config pipe 1 weight 30 queue 5 mask src-ip 0x000000ff
#${fw} queue 20 config pipe 1 weight 30 queue 5 mask dst-ip 0x000000ff
#${fw} add queue 10 ip from any to ${ipin} in via ${lanin}
#${fw} add queue 20 ip from ${ipin} to any out via ${lanin}
#############################
###########################################
#${fw} pipe 1 config bw 128Kbit/s
#${fw} pipe 2 config bw 102Mbit/s
#${fw} pipe 3 config bw 128Kbit/s
#${fw} pipe 4 config bw 104Mbit/s
###### 2-nd variant
#${fw} add queue 1 ip from me to ${nout}
#${fw} add queue 1 ip from ${nout} to me
#${fw} queue 1 config weight 5 pipe 1 mask dst-ip 0x000000ff
#${fw} pipe 1 config bw 32Kbit/s queue 25
##### 3-d variant
${fw} add pipe 1 form any to ${nout} out
${fw} add pipe 2 form ${nout} to any in
${fw} pipe 1 config bw 28Kbit/s delay 0ms
${fw} pipe 2 config bw 28Kbit/s delay 0ms
############################################################
# Proverka na sootvetstvie paketa dinamicheskim pravilam
${fw} add check-state
# Razreshaem ves' traffic po vnytrennemy interfeisy (lo0)
${fw} add allow ip from any to any via lo0
# Zapreshaem lubie paketi V lo0 i iz lo0
${fw} add deny ip from any to 127.0.0.0/8
${fw} add deny ip from 127.0.0.0/8 to any
##########################################################################################
# Perenapravljaem vse na squid #
# Perenapravljaen vse na NAT #
#${fw} add fwd 127.0.0.1,3128 tcp from ${netin}/${netmask} to any out 80 via ${lanout} #squid #
${fw} add divert natd ip from ${netin}/${netmask} to any out via ${lanout}# NAT #
${fw} add divert natd ip from any to ${ipout} in via ${lanout} # NAT #
##########################################################################################
# Vvodim zapreti na chastnie seti iz vneshnego interfeisa
${fw} add deny ip from any to 10.0.0.0/8 in via ${lanout}
${fw} add deny ip from any to 172.16.0.0/12 in via ${lanout}
${fw} add deny ip from any to 192.168.0.0/16 in via ${lanout}
${fw} add deny ip from any to 0.0.0.0/8 in via ${lanout}
# Zapreshaem avtokofigyrennyu chast' seti
${fw} add deny ip from any to 169.254.0.0/16 in via ${lanout}
# ZAPRET priema multicastovih rassilok iz vne
${fw} add deny ip from any to 240.0.0.0/4 in via ${lanout}
# Razreshaem vse soedinenija ved' kak-to je oni ystanovilis'...
${fw} add allow tcp from any to any established
# Razreshaem ves' ishodjashii traffic (servery dlja vihoda v inet)
${fw} add allow ip from ${ipout} to any out xmit ${lanout}
# Razreshaem DNS
${fw} add allow udp from any 53 to any via ${lanout}
# Razreshaem vhodjashii DNS
${fw} add allow udp from any to any 53 via ${lanout}
# Razr. sinhoniz. Time
${fw} add allow udp from any to any 123 via ${lanout}
# Razr. FTP 21 snaryzhi
${fw} add allow tcp from any to ${ipout} 21 via ${lanout}
${fw} add allow tcp from any to ${ipout} 49152-65535 via ${lanout}
# Razr. ICMP - echo: zapros, otvet; vremja jizni paketa isteklo
${fw} add allow icmp from any to any icmptypes 0, 8, 11
${fw} add allow udp from me to any via ${lanout}
# WWW 80 port snaryzhi dlja www
${fw} add allow tcp from any to ${ipout} 80 via ${lanout}
# Razr. SMTP 25 pochta
${fw} add allow tcp from any to ${ipout} 25 via ${lanout}
# Razr. SSH 22
${fw} add allow tcp from any to ${ipout} 22 via ${lanout}
#${fw} add allow tcp from any to ${ipout} 22 via ${lanin}
#${fw} add allow tcp from any to any 22 via ${lanout}
${fw} add allow tcp from any to ${ipin} 25 via ${lanin}
# Razr. IMAP 134 pochta
${fw} add allow tcp from any to ${ipout} 143 via ${lanout}
# Razr. POP 110 pochta
${fw} add allow tcp from any to ${ipout} 110 via ${lanout}
# Razr. ves' traf. v lokalke
${fw} add allow ip from any to any via ${lanin}
Код: Выделить всё
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.252 UGS 0 477 nfe0
127.0.0.1 127.0.0.1 UH 0 0 lo0
192.168.1.0/24 link#1 UC 0 0 nfe0
192.168.1.21 00:1f:c6:23:a3:07 UHLW 1 277 nfe0 877
192.168.1.252 00:1c:f0:a3:2f:b9 UHLW 2 8 nfe0 1154
192.168.2.0/24 link#2 UC 0 0 rl0
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%lo0/64 fe80::1%lo0 U lo0
fe80::1%lo0 link#4 UHL lo0
ff01:4::/32 fe80::1%lo0 UC lo0
ff02::%lo0/32 fe80::1%lo0 UC lo0
Код: Выделить всё
[root@serv /etc/firewall]# cat /etc/sysctl
cat: /etc/sysctl: No such file or directory
[root@serv /etc/firewall]# cat /etc/sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.fw.enable=1
net.inet.ip.fw_onepass=0
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
А, вот еще что! У меня стоит 2 сетевки, но реально работает только одна nfe0, а rl0 пока отдыхает, что то устала она .... То есть и нат происходит на нае же... В правилах фаера ошибка, но пробовал и так и так все равно...
Кстати, пробовал шейпить Сквидом, но тот-же эффект - выхватывается полный канал. Если надо приведу конфиг сквида, но хотелось бы через фаервол все это настроить.....
С уважением Лунатик