Модератор: terminus
Код: Выделить всё
root@unix:~ # curl https://acme-v02.api.letsencrypt.org/
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
Код: Выделить всё
curl -v https://acme-v02.api.letsencrypt.org/Код: Выделить всё
* Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Client hello (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS change cipher, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / AES128-SHA
* Server certificate:
* subject: CN=acme-v01.api.letsencrypt.org
* start date: Oct 9 17:18:22 2019 GMT
* expire date: Jan 7 17:18:22 2020 GMT
* subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 30 Oct 2019 13:08:00 GMT
< Content-Type: text/html
< Content-Length: 2174
< Last-Modified: Wed, 09 Oct 2019 18:16:22 GMT
< Connection: keep-alive
< ETag: "5d9e23f6-87e"
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html lang="en">
<head>...................Код: Выделить всё
* CAfile: /usr/local/share/certs/ca-root-nss.crtКод: Выделить всё
* Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
Код: Выделить всё
# Сетевая карта WIF смотрит в ИНЕТ
${fwcmd} add 3520 allow log tcp from 172.65.32.248 to me 443 in via $WIF
${fwcmd} add 3525 allow log tcp from me 443 to 172.65.32.248 out via $WIF
Не совсем понял, что нужно сделать?Еще может потребоваться обновить
* CAfile: /usr/local/share/certs/ca-root-nss.crt
Код: Выделить всё
ls /usr/local/share/certs/ca-root-nss.crt
-rw-r--r-- 1 root wheel 931926 Jul 20 2016 /usr/local/share/certs/ca-root-nss.crt
Код: Выделить всё
curl -v https://acme-v02.api.letsencrypt.org/
* Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=acme-v01.api.letsencrypt.org
* start date: Sep 13 17:57:16 2019 GMT
* expire date: Dec 12 17:57:16 2019 GMT
* subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.57.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 31 Oct 2019 08:01:45 GMT
< Content-Type: text/html
< Content-Length: 2174
< Last-Modified: Mon, 25 Feb 2019 20:15:27 GMT
< Connection: keep-alive
< ETag: "5c744cdf-87e"
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html lang="en">
<head>и моих
Код: Выделить всё
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1Код: Выделить всё
# echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443Код: Выделить всё
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
---
Certificate chain
0 s:/CN=acme-v01.api.letsencrypt.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIG1DCCBbygAwIBAgISAzKEt6yP1yVfX0M3Rp6s4O7WMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MTMxNzU3MTZaFw0x
OTEyMTIxNzU3MTZaMCcxJTAjBgNVBAMTHGFjbWUtdjAxLmFwaS5sZXRzZW5jcnlw
dC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+yd/GgtohYjgU
idTNoJMCv8Pz97PfPYceCg4WYAkMb6jZ73ruPmJr3AuPclzHdJbAQz7dkkPwnhce
qk/ALrkn4I8iXBzgDhor7iuOBUOiQo3nI3n45McvTuk8C3rvRwN0kznvAcwLRBMZ
LjANmSsVmLPVoiEK9XK1YtlOTLtKFV/8d2U75M/wc//4xCYR166YJquZuJ26wZJA
5FeySxGpDT5kZof+unM7BS994iCxJcDyv/gYjYqnwQy+Ksys5DIVoL2sVm7NpWLG
PCleYDToG/2vuAcdvrTExHcLSnbGoTgRaGP6tK+P//IV1/0qZYkO1nZZJWxtVfIS
eXt1FhypAgMBAAGjggPVMIID0TAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAi111sz
WIMzLhb7rAPBFqvcVJOOMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyh
MG8GCCsGAQUFBwEBBGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgz
LmxldHNlbmNyeXB0Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgz
LmxldHNlbmNyeXB0Lm9yZy8wggGJBgNVHREEggGAMIIBfIIeYWNtZS12MDEtMS5h
cGkubGV0c2VuY3J5cHQub3Jngh5hY21lLXYwMS0yLmFwaS5sZXRzZW5jcnlwdC5v
cmeCHmFjbWUtdjAxLTMuYXBpLmxldHNlbmNyeXB0Lm9yZ4IeYWNtZS12MDEtNC5h
cGkubGV0c2VuY3J5cHQub3Jngh5hY21lLXYwMS01LmFwaS5sZXRzZW5jcnlwdC5v
cmeCHGFjbWUtdjAxLmFwaS5sZXRzZW5jcnlwdC5vcmeCHmFjbWUtdjAyLTEuYXBp
LmxldHNlbmNyeXB0Lm9yZ4IeYWNtZS12MDItMi5hcGkubGV0c2VuY3J5cHQub3Jn
gh5hY21lLXYwMi0zLmFwaS5sZXRzZW5jcnlwdC5vcmeCHmFjbWUtdjAyLTQuYXBp
LmxldHNlbmNyeXB0Lm9yZ4IeYWNtZS12MDItNS5hcGkubGV0c2VuY3J5cHQub3Jn
ghxhY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnMEwGA1UdIARFMEMwCAYGZ4EM
AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0
c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYA4mlLribo6UAJ
6IYbtjuD1D7n/nSI+6SPKJMBnd3x2/4AAAFtK/yTawAABAMARzBFAiAmT0CZ5ff5
kp/CBRWawfX5qwj1FgyRqDxsKew6dKgPRgIhALawUK/wuryKtaWkrDzau1FKaZ4G
B9hmqXzgWSpDkKZIAHYAY/Lbzeg7zCzPC3KEJ1drM6SNYXePvXWmOLHHaFRL2I0A
AAFtK/yThwAABAMARzBFAiEAsjDJQ2tfNdm3fVnNU5m9yvMTR85taCSpY877ubZ8
diwCIFBL+Ww6ukV9tH8jJTivMMHHibWWG9O4KYEIvkni3VaQMA0GCSqGSIb3DQEB
CwUAA4IBAQBGF7IH58J0xBywHgdXDUcggGN4r9QgFcNoA/Hy5QA5zUQ/It3Ow/eE
3EwJPdB1At1cYIQ7hWfy4XXxcsH5rT8wgqfeLqxnCmNEzJL0GtZjpi2rtdiwpLFc
dDYshZLSeuctTb5BOcN7Qd1fGs/qJbE1JJiEGkIZ8JMpRi0feN60RW88EVZx0b4w
OnpUpwH3fbGF2X+l12ckUaAZzKQIMiozYFLIjMXKq6mC7UzxEUxnpf5Zr0/VviyN
SUQWZ7Ghl7RGWaLqVttQKnbonYQp7GDQUcRl6nXz5QzhD3rmiGOaoQU7QCmlj9gO
9UKkcygubib+lMhs8j3xPUjattHfkCpM
-----END CERTIFICATE-----
subject=/CN=acme-v01.api.letsencrypt.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3441 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: C23813918F1766D897A486F715B801CEC6F396954621C45D0A8D7483722B3341
Session-ID-ctx:
Master-Key: 86E058EDF8C0203BADAAA36FD7D7249D97DDDE997C3EFA2B2CD67F14FCBDEC3A1AED90FE14FF54EB4447BB1C71D2DC14
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1572509644
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
#Код: Выделить всё
ls /usr/local/share/certs/ca-root-nss.crt
-rw-r--r-- 1 root wheel 821046 8 янв. 2018 /usr/local/share/certs/ca-root-nss.crtВроде судя по https://lists.freebsd.org/pipermail/fre ... 70602.html
Код: Выделить всё
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3548 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: self signed certificate in certificate chain
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--0
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chainКод: Выделить всё
curl: (60) SSL certificate problem: self signed certificate in certificate chainКод: Выделить всё
We are trying to establish ssl connection with a server.
We notice that SSL_CONNECT is failing with error code "SSL_ERROR_SYSCALL".
This is usually the case if the other side is simply closing the connection.
Microsoft SChannel does this on many kind of handshake problems instead of sending a TLS alert back.
This can happen for problems like invalid protocol or no common ciphers etc.
It also can happen if you try to do a TLS handshake with a server which does not speak TLS at all on this port.
Look at logs at the server side for problems.
Of course it can also be something different so you might check the errno to get more details about the problem.
It might also help if you do a packet capture to check what's going on on the wire.
Best would be to do this capture on the client and server side to make sure that no middlebox like a firewall is tampering with the connection.Код: Выделить всё
curl --version
curl 7.57.0 (amd64-portbld-freebsd11.1) libcurl/7.57.0 OpenSSL/1.0.2n zlib/1.2.11
Release-Date: 2017-11-29
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy
Код: Выделить всё
Curl version
curl --version
curl 7.57.0 (x86_64-apple-darwin17.2.0) libcurl/7.57.0 SecureTransport zlib/1.2.11
Osx 10.13.2
benoittgt commented Jan 22, 2018
I update with brew, libressl, openssl and curl and reboot my machine. It's now working.
Вот тут я опасаюсь увести вопрос в дебри или сбить с толку ТС.
Код: Выделить всё
pkg info -d curl-7.57.0
curl-7.57.0:
ca_root_nss-3.34.1
Код: Выделить всё
curl у меня собран с опцией "SSL/TLS support via OpenSSL"Код: Выделить всё
cat /var/db/ports/ftp_curl/options
# This file is auto-generated by 'make config'.
# Options for curl-7.57.0
_OPTIONS_READ=curl-7.57.0
_FILE_COMPLETE_OPTIONS_LIST=CA_BUNDLE COOKIES CURL_DEBUG DEBUG DOCS EXAMPLES
HTTP2 IDN IPV6 LDAP LDAPS LIBSSH2 METALINK PROXY PSL RTMP SMB TLS_SRP GSSAPI_BASE
GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE CARES THREADED_RESOLVER GNUTLS NSS OPENSSL POLARSSL WOLFSSL
OPTIONS_FILE_SET+=CA_BUNDLE
OPTIONS_FILE_SET+=COOKIES
OPTIONS_FILE_UNSET+=CURL_DEBUG
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=EXAMPLES
OPTIONS_FILE_UNSET+=HTTP2
OPTIONS_FILE_UNSET+=IDN
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_UNSET+=LDAPS
OPTIONS_FILE_UNSET+=LIBSSH2
OPTIONS_FILE_UNSET+=METALINK
OPTIONS_FILE_SET+=PROXY
OPTIONS_FILE_UNSET+=PSL
OPTIONS_FILE_UNSET+=RTMP
OPTIONS_FILE_UNSET+=SMB
OPTIONS_FILE_SET+=TLS_SRP
OPTIONS_FILE_SET+=GSSAPI_BASE
OPTIONS_FILE_UNSET+=GSSAPI_HEIMDAL
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_UNSET+=GSSAPI_NONE
OPTIONS_FILE_UNSET+=CARES
OPTIONS_FILE_SET+=THREADED_RESOLVER
OPTIONS_FILE_UNSET+=GNUTLS
OPTIONS_FILE_UNSET+=NSS
OPTIONS_FILE_SET+=OPENSSL
OPTIONS_FILE_UNSET+=POLARSSL
OPTIONS_FILE_UNSET+=WOLFSSLКод: Выделить всё
x lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk x
x x [x] CA_BUNDLE Install CA bundle for OpenSSL x x
x x [x] COOKIES Cookies support x x
x x [ ] CURL_DEBUG cURL debug memory tracking x x
x x [ ] DEBUG Build with debugging support x x
x x [x] DOCS Build and/or install documentation x x
x x [x] EXAMPLES Build and/or install examples x x
x x [ ] HTTP2 HTTP protocol version 2.0 support x x
x x [ ] IDN International Domain Names support x x
x x [x] IPV6 IPv6 protocol support x x
x x [ ] LDAP LDAP protocol support x x
x x [ ] LDAPS LDAP protocol over SSL support x x
x x [ ] LIBSSH2 SCP/SFTP support via libssh2 x x
x x [ ] METALINK Metalink support x x
x x [x] PROXY Proxy support x x
x x [ ] PSL Public Suffix List support x x
x x [ ] RTMP RTMP protocol support via librtmp x x
x x [ ] SMB SMB/CIFS support x x
x x [x] TLS_SRP TLS-SRP (Secure Remote Password) support x x
x xqqqqqqqqqqqqqqqqqqqqqqq GSSAPI Security API support qqqqqqqqqqqqqqqqqqqqqqx x
x x (*) GSSAPI_BASE GSSAPI support via base system (needs Kerberos) x x
x x ( ) GSSAPI_HEIMDAL GSSAPI support via security/heimdal x x
x x ( ) GSSAPI_MIT GSSAPI support via security/krb5 x x
x x ( ) GSSAPI_NONE Disable GSSAPI support x x
x xqqqqqqqqqqqqqqqqqqqqqqqqqq DNS resolving options qqqqqqqqqqqqqqqqqqqqqqqqqx x
x x ( ) CARES Asynchronous DNS resolution via c-ares x x
x x (*) THREADED_RESOLVER Threaded DNS resolver x x
x xqqqqqqqqqqqqqqqqqqqqqqqqqqq SSL protocol support qqqqqqqqqqqqqqqqqqqqqqqqqx x
x x ( ) GNUTLS SSL/TLS support via GnuTLS x x
x x ( ) NSS SSL/TLS support via NSS x x
x x (*) OPENSSL SSL/TLS support via OpenSSL x x
x x ( ) POLARSSL SSL/TLS support via PolarSSL x x
x x ( ) WOLFSSL SSL/TLS support via wolfSSL x x
x mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj x
Код: Выделить всё
# openssl version
OpenSSL 0.9.8zg-freebsd 11 Jun 2015Код: Выделить всё
01200 7 224 deny ip from 192.168.0.0/24 to any in via igb0
02060 820 331322 deny log ip from any to 240.0.0.0/4 in via igb0
03014 22 954 deny log icmp from any to any in via igb0
03320 2031 154089 deny ip from any to any 123 via igb0
03450 407 21804 deny tcp from any to me 22
03505 25 1020 deny tcp from any to me 81
03506 6 240 deny tcp from any to me 3390
А вот это уже интересно... Номера правил для натинга у Вас какие будут?
Код: Выделить всё
ipfw -d show|grep div
10900 3293111 568139696 divert 8668 ip from 192.168.1.0/24,192.168.2.0/24,192.168.3.2,192.168.4.0/24 to any out via em1
10950 8238443 6655085218 divert 8668 ip from any to 1.2.3.4 in via em1Код: Выделить всё
${fwcmd} nat 1 config log if $WIF reset same_ports deny_in redirect_port tcp 192.168.0.
25:25 25 redirect_port tcp 192.168.0.25:80 80
${fwcmd} add 10000 nat 1 all from any to any via $WIF
Подождите про обновления...
Код: Выделить всё
# Сетевая карта WIF смотрит в ИНЕТ
${fwcmd} add 3520 allow log tcp from 172.65.32.248 to me 443 in via $WIF
${fwcmd} add 3525 allow log tcp from me 443 to 172.65.32.248 out via $WIFТеперь я их добавил:"разрешить от меня к 172.65.32.248 на порт 443"
"разрешить от 172.65.32.248 порт 443 ко мне"
Код: Выделить всё
${fwcmd} add 3540 allow log tcp from me to 172.65.32.248 443 in via $WIF
${fwcmd} add 3545 allow log tcp from 172.65.32.248 443 to me out via $WIF
Согласен, но ему нужно разобраться почему он не видит пакеты, Это первое.
А второе, In и Out нужно поменять местами. Т.е. привести к виду
Так понятно?${fwcmd} add 3540 allow log tcp from me to 172.65.32.248 443 out via $WIF
${fwcmd} add 3545 allow log tcp from 172.65.32.248 443 to me in via $WIF
Вот это гораздо серьезнее...Demis писал(а): ↑2019-11-01 9:43:34Согласен, но ему нужно разобраться почему он не видит пакеты, Это первое.
Reken писал(а): ↑
01 ноя 2019 10:44
${fwcmd} add 3540 allow log tcp from me to 172.65.32.248 443 in via $WIF
${fwcmd} add 3545 allow log tcp from 172.65.32.248 443 to me out via $WIF
А второе, In и Out нужно поменять местами. Т.е. привести к виду
${fwcmd} add 3540 allow log tcp from me to 172.65.32.248 443 out via $WIF
${fwcmd} add 3545 allow log tcp from 172.65.32.248 443 to me in via $WIF
Так понятно?
И кстати, помоему были траблы таким написанием и особенно когда в скрипте шли вперемешку (via и пары "out xmit" и "in recv").