Народ подскажите пожалуйста, прблема собствено до конца неясна. Проборос портов внутрь локалки работает нормально, но до поры до времени. и как обычно в самый нужный момент всё перестает рабоать. Вот и сейчас так, с утра всё работало отлично, а через час всё отвалилось, просто не пускает на локальную машину внутрь локалки, хотя до этого работало всё отлично потом перестало... в чём может быть проблема не понимаю...
вылаживаю на всеобщее обозрение настройки:
Код: Выделить всё
/home/anykey/>uname -a
FreeBSD mydomain.ua 6.2-RELEASE FreeBSD 6.2-RELEASE #21: Thu Feb 21 02:02:04 EET 2008 anykey@mydomain.ua:/usr/obj/usr/src/sys/server i386
Код: Выделить всё
/home/anykey/>cat /etc/rc.conf
# -- sysinstall generated deltas -- # Mon Jul 16 14:44:10 2007
# Created: Mon Jul 16 14:44:10 2007
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
natd_enable="YES"
natd_flags="-f /etc/natd0.conf"
natd2_enable="YES"
natd2_flags="-f /etc/natd1.conf"
firewall_enable="YES"
firewall_script="/etc/firewall"
defaultrouter="xxx.xxx.xxx.xxx"
gateway_enable="YES"
hostname="mydomain.ua"
named_enable="YES"
# Интерфейс смотрящий в инет
ifconfig_vr0="inet yyy.yyy.yyy.yyy netmask 255.255.255.248"
# Интерфейс смотрящий в локалку конторы
ifconfig_em0="inet 192.168.10.1 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 192.168.20.1 netmask 255.255.255.0"
# Интерфейс смотрящий в локалку провайдера
ifconfig_em1="inet 192.168.115.2 netmask 255.255.255.0"
inetd_enable="NO"
tcp_extensions="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
icmp_bmcastecho="NO"
portmap_enable="NO"
clear_tmp_enable="YES"
log_in_vain="YES"
fsck_y_enable="YES"
syslogd_enable="YES"
syslogd_flags="-ss"
# Кодовая страница для
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
keymap="ru.cp1251"
linux_enable="YES"
mousechar_start="3"
scrnmap="win2cpp866"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="NO"
# MySQL server
mysql_enable="YES"
ng_ipacct_enable=YES
Код: Выделить всё
/home/anykey/>cat /etc/natd0.conf
interface vr0
log yes
use_sockets yes
same_ports yes
port 8668
unregistered_only yes
redirect_port tcp 192.168.10.220:6502 6535
redirect_port udp 192.168.10.220:6502 6535
redirect_port tcp 192.168.10.221:6502 6536
redirect_port udp 192.168.10.221:6502 6536
redirect_port tcp 192.168.10.223:6502 6537
redirect_port udp 192.168.10.223:6502 6537
redirect_port tcp 192.168.10.224:6502 6538
redirect_port udp 192.168.10.224:6502 6538
redirect_port tcp 192.168.10.226:6502 6539
redirect_port udp 192.168.10.226:6502 6539
redirect_port tcp 192.168.10.227:6502 6540
redirect_port udp 192.168.10.227:6502 6540
Код: Выделить всё
#!/bin/sh
FwCMD="/sbin/ipfw"
LanOut0="vr0" # внешний интерфейс смотрящий в инет
LanOut1="em1" # внешний интерфейс смотрящий в локалку провайдера
LanIn="em0" # внутрений интерфейс смотрящий в локальную сеть предприятия
IpOut0="yyy.yyy.yyy.yyy" # внешние IP сервака
IpOut1="192.168.115.2"
IpIn1="192.168.10.1" # внутренние IP сервака
IpIn2="192.168.20.1"
NetMask0="29"
NetMask1="24" # маска сети
IpNet1="192.168.10"
IpNet2="192.168.20"
# Внутренние сети
Net1="192.168.10.0"
Net2="192.168.20.0"
www_port="80,443"
ftp_port="20,21"
dns_port="53"
ssh_port="22"
icq_port="5190"
irc_port="6667"
mail_port="25,110"
mail_port_tls="465,995"
netbios_port="445"
# сбрасываем все правила
${FwCMD} -f flush
# сбрасываем все pipe
${FwCMD} -f pipe flush
# сбрасываем очереди
${FwCMD} -f queue flush
# Разрешаем весь траффик по внутреннему интерфейсу (петле)
# Вообще я во многих местах читал что без него может ничё не заработать вообще
${FwCMD} add allow ip from any to any via lo0
# рубим попытки lo0 куда-то лезть и откуда-то лезть на lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
# Вводим запреты:
# режем частные сети на внешнем интерфейсе - по легенде он у нас
# смотрит в интернет, а значит пакетам этим браться неоткуда на нём.
# рубим частные сeти
${FwCMD} add deny ip from any to 0.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 0.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 10.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 10.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 14.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 14.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 23.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 23.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 24.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 24.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 27.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 27.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 31.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 31.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 36.0.0.0/7 in recv ${LanOut0}
${FwCMD} add deny ip from any to 36.0.0.0/7 in recv ${LanOut1}
${FwCMD} add deny ip from any to 39.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 39.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 42.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 42.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 46.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 46.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 49.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 49.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 50.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 50.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 100.0.0.0/6 in recv ${LanOut0}
${FwCMD} add deny ip from any to 100.0.0.0/6 in recv ${LanOut1}
${FwCMD} add deny ip from any to 104.0.0.0/5 in recv ${LanOut0}
${FwCMD} add deny ip from any to 104.0.0.0/5 in recv ${LanOut1}
${FwCMD} add deny ip from any to 112.0.0.0/7 in recv ${LanOut0}
${FwCMD} add deny ip from any to 112.0.0.0/7 in recv ${LanOut1}
${FwCMD} add deny ip from any to 127.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 127.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 128.0.0.0/16 in recv ${LanOut0}
${FwCMD} add deny ip from any to 128.0.0.0/16 in recv ${LanOut}
${FwCMD} add deny ip from any to 169.254.0.0/16 in recv ${LanOut0}
${FwCMD} add deny ip from any to 169.254.0.0/16 in recv ${LanOut1}
${FwCMD} add deny ip from any to 172.16.0.0/12 in recv ${LanOut0}
${FwCMD} add deny ip from any to 172.16.0.0/12 in recv ${LanOut1}
${FwCMD} add deny ip from any to 175.0.0.0/8 in recv ${LanOut0}
${FwCMD} add deny ip from any to 175.0.0.0/8 in recv ${LanOut1}
${FwCMD} add deny ip from any to 176.0.0.0/5 in recv ${LanOut0}
${FwCMD} add deny ip from any to 176.0.0.0/5 in recv ${LanOut1}
${FwCMD} add deny ip from any to 184.0.0.0/7 in recv ${LanOut0}
${FwCMD} add deny ip from any to 184.0.0.0/7 in recv ${LanOut1}
${FwCMD} add deny ip from any to 191.255.0.0/16 in recv ${LanOut0}
${FwCMD} add deny ip from any to 191.255.0.0/16 in recv ${LanOut1}
${FwCMD} add deny ip from any to 192.0.0.0/24 in recv ${LanOut0}
${FwCMD} add deny ip from any to 192.0.0.0/24 in recv ${LanOut1}
${FwCMD} add deny ip from any to 192.0.2.0/24 in recv ${LanOut0}
${FwCMD} add deny ip from any to 192.0.2.0/24 in recv ${LanOut1}
${FwCMD} add deny ip from any to 192.88.99.0/24 in recv ${LanOut0}
${FwCMD} add deny ip from any to 192.88.99.0/24 in recv ${LanOut1}
${FwCMD} add deny ip from any to 192.18.0.0/15 in recv ${LanOut0}
${FwCMD} add deny ip from any to 192.18.0.0/15 in recv ${LanOut1}
${FwCMD} add deny ip from any to 192.168.0.0/16 in recv ${LanOut0}
${FwCMD} add deny ip from any to 223.255.255.0/24 in recv ${LanOut0}
${FwCMD} add deny ip from any to 223.255.255.0/24 in recv ${LanOut1}
${FwCMD} add deny ip from any to 240.0.0.0/4 in recv ${LanOut0}
${FwCMD} add deny ip from any to 240.0.0.0/4 in recv ${LanOut1}
# рубим фрагментированные icmp
${FwCMD} add deny icmp from any to any frag
# рубим широковещательные icmp на внешнем интерфейсе
${FwCMD} add deny log icmp from any to 255.255.255.255 in recv ${LanOut0}
${FwCMD} add deny log icmp from any to 255.255.255.255 in recv ${LanOut1}
${FwCMD} add deny log icmp from any to 255.255.255.255 out xmit ${LanOut0}
${FwCMD} add deny log icmp from any to 255.255.255.255 out xmit ${LanOut1}
# пропускаем траффик через трансляцию сетевых адресов (NAT)
# natd0 - yyy.yyy.yyy.yyy
ipfw add divert 8668 ip from ${Net1}/${NetMask1} to any out xmit vr0
ipfw add divert 8668 ip from ${Net2}/${NetMask1} to any out xmit vr0
ipfw add divert 8668 ip from any to ${IpOut0} in recv vr0
# natd1
ipfw add divert 8669 ip from ${Net1}/${NetMask1} to any out xmit em1
ipfw add divert 8669 ip from ${Net2}/${NetMask1} to any out xmit em1
ipfw add divert 8669 ip from any to ${IpOut1} in recv em1
# рубим траффик к частным сетям через внешний интерфейс
# заметтьте - эти правила отличаются от тех что были выше!
${FwCMD} add deny ip from 10.0.0.0/8 to any out via ${LanOut0}
${FwCMD} add deny ip from 10.0.0.0/8 to any out via ${LanOut1}
${FwCMD} add deny ip from 172.16.0.0/12 to any out via ${LanOut0}
${FwCMD} add deny ip from 172.16.0.0/12 to any out via ${LanOut1}
${FwCMD} add deny ip from 192.168.0.0/16 to any out via ${LanOut0}
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ${LanOut0}
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ${LanOut1}
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ${LanOut0}
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ${LanOut1}
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ${LanOut0}
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ${LanOut1}
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ${LanOut0}
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ${LanOut1}
# блокируем некоторые попытки скана и спуфинг
${FwCMD} add deny log ip from any to any not verrevpath in
#Запрещаем пакеты с некорректными TCP-флагами
# nmap -sN <host> : TCP Null
${FwCMD} add deny log tcp from any to any tcpflags !'fin',!'syn',!'rst',!'psh',!'ack',!'urg'
${FwCMD} add deny log tcp from any to any tcpflags !'syn',!'ack',!'rst'
# nmap -sX <host> : Xmas scans
${FwCMD} add deny log tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
${FwCMD} add deny log tcp from any to any tcpflags syn,fin,urg,psh,!'ack'
${FwCMD} add deny log tcp from any to any tcpflags syn,fin,!'ack'
${FwCMD} add deny log tcp from any to any tcpflags fin,urg,psh,!'ack'
${FwCMD} add deny log tcp from any to any tcpflags fin,!'ack'
${FwCMD} add deny log tcp from any to any tcpflags urg,!'ack'
${FwCMD} add deny log tcp from any to any tcpflags psh,!'ack'
${FwCMD} add deny log tcp from any to any tcpflags syn,fin
# nmap -sF <host> : FIN scan
${fwcmd} add deny log tcp from any to any not established tcpflags fin
# Deny Stealth scans: nmap -sS <host> : TCP SYN stealth port scan (best all-around TCP scan)
${FwCMD} add deny log tcp from any to any not established tcpflags syn,ack
${FwCMD} add deny tcp from any to any tcpflags !'fin',!'syn',!'rst',!'ack'
${FwCMD} add deny tcp from any to any tcpflags !'fin',!'syn',!'rst',!'psh',!'ack',!'urg'
${FwCMD} add deny tcp from any to any tcpflags fin,!'syn',!'ack'
${FwCMD} add deny tcp from any to any tcpflags fin,!syn,!'rst',!'ack'
${FwCMD} add deny tcp from any to any tcpflags fin,psh,urg
${FwCMD} add deny tcp from any to any tcpflags fin,psh,urg,!'syn',!'rst',!'ack'
${FwCMD} add deny tcp from any to any tcpflags fin,psh,urg,!'syn',!'rst',!'ack'
${FwCMD} add deny tcp from any to any tcpflags fin,syn,!'ack'
${FwCMD} add deny tcp from any to any tcpflags fin,syn,!'rst',!'ack'
${FwCMD} add deny tcp from any to any tcpflags fin,syn,psh,urg,!'rst',!'ack'
${FwCMD} add deny tcp from any to any tcpflags fin,syn,psh,urg,!'rst',!'ack'
${FwCMD} add deny tcp from any to any tcpflags psh,!'fin',!'syn',!'rst',!'ack',!'urg'
${FwCMD} add deny tcp from any to any tcpflags psh,!'fin',!'syn',!'rst',!'ack',!'urg'
${FwCMD} add deny tcp from any to any tcpflags rst,!'fin',!'syn'
${FwCMD} add deny tcp from any to any tcpflags urg,!'fin',!'syn',!'rst',!'ack'
# Отбрасываем пакеты с нестандартными IP-опциями
${FwCMD} add deny log ip from any to any ipoptions ssrr
${FwCMD} add deny log ip from any to any ipoptions lsrr
${FwCMD} add deny log ip from any to any ipoptions rr
# Запрещаем пакеты с Timestampf
${FwCMD} add deny log ip from any to any ipoptions ts
${FwCMD} add deny icmp from any to any via vr0
# запрещаем форвардинг между сетями
${FwCMD} add deny ip from ${Net2}/${NetMask1} to ${Net1}/${NetMask1} via em0
${FwCMD} add deny ip from ${Net1}/${NetMask1} to ${Net2}/${NetMask1} via em0
# разрешаем DNS запросы - Server
${FwCMD} add allow udp from any to ${IpOut0} ${dns_port} in recv vr0
${FwCMD} add allow udp from ${IpOut0} ${dns_port} to any out xmit vr0
${FwCMD} add allow udp from any ${dns_port} to ${IpOut0} in recv vr0
${FwCMD} add allow udp from ${IpOut0} to any ${dns_port} out xmit vr0
${FwCMD} add allow tcp from any to ${IpOut0} ${dns_port} in recv vr0 setup
${FwCMD} add allow udp from 192.168.10.0/24 to 192.168.10.1 53 in recv em0
${FwCMD} add allow udp from 192.168.10.1 53 to 192.168.10.0/24 out xmit em0
${FwCMD} add allow udp from 192.168.20.0/24 to 192.168.20.1 53 in recv em0
${FwCMD} add allow udp from 192.168.20.1 53 to 192.168.20.0 53 out xmit em0
# блокируем все попытки подключения снаружи к серверу
${FwCMD} add allow ip from ${IpOut0} to any out xmit vr0
${FwCMD} add deny log all from any to ${IpOut0} 22 in recv vr0
${FwCMD} add deny ip from any to ${IpOut0} in recv vr0
# разрешаем серверу ходить в локалку прова
${FwCMD} add allow tcp from ${IpOut1} to any out xmit em1
#SSH
${FwCMD} add allow tcp from 192.168.115.3 to ${IpOut1} ${ssh_port} in recv em1
${FwCMD} add deny ip from any to ${IpOut1} in recv em1
${FwCMD} add allow ip from 192.168.10.2 to any
${FwCMD} add allow ip from any to 192.168.10.2 via vr0
${FwCMD} add allow ip from any to 192.168.10.2 via em0
${FwCMD} add allow ip from any to 192.168.10.2 via em1
${FwCMD} add allow tcp from ${IpNet1}.16 to any ${ftp_port},${www_port} in recv em0
${FwCMD} add allow tcp from any ${ftp_port},${www_port} to ${IpNet1}.16 out xmit em0
${FwCMD} add allow tcp from any ${ftp_port},${www_port} to ${IpNet1}.16 in recv vr0
${FwCMD} add allow tcp from ${IpNet1}.17 to any ${ftp_port},${www_port} in recv em0
${FwCMD} add allow tcp from any ${ftp_port},${www_port} to ${IpNet1}.17 out xmit em0
${FwCMD} add allow tcp from any ${ftp_port},${www_port} to ${IpNet1}.17 in recv vr0
.....
${FwCMD} add allow tcp from ${IpNet1}.61 to any ${ftp_port},${www_port} in recv em0
${FwCMD} add allow tcp from any ${ftp_port},${www_port} to ${IpNet1}.61 out xmit em0
${FwCMD} add allow tcp from any ${ftp_port},${www_port} to ${IpNet1}.61 in recv vr0
${FwCMD} add allow tcp from ${IpNet1}.61 to any 445 in recv em0
${FwCMD} add allow tcp from any 445 to ${IpNet1}.61 out xmit em0
${FwCMD} add allow tcp from any 445 to ${IpNet1}.61 in recv em1
#ВОТ на эти машины и делаецо проброс портов
${FwCMD} add allow ip from 192.168.10.220 to any
${FwCMD} add allow tcp from any to 192.168.10.220 6502 in recv vr0
${FwCMD} add allow udp from any to 192.168.10.220 6502 in recv vr0
${FwCMD} add allow ip from any to 192.168.10.220 via vr0
${FwCMD} add allow ip from any to 192.168.10.220 via em0
${FwCMD} add allow ip from 192.168.10.221 to any
${FwCMD} add allow tcp from any to 192.168.10.221 6502 in recv vr0
${FwCMD} add allow udp from any to 192.168.10.221 6502 in recv vr0
${FwCMD} add allow ip from any to 192.168.10.221 via vr0
${FwCMD} add allow ip from any to 192.168.10.221 via em0
${FwCMD} add allow ip from 192.168.10.223 to any
${FwCMD} add allow tcp from any to 192.168.10.223 6502 in recv vr0
${FwCMD} add allow udp from any to 192.168.10.223 6502 in recv vr0
${FwCMD} add allow ip from any to 192.168.10.223 via vr0
${FwCMD} add allow ip from any to 192.168.10.223 via em0
${FwCMD} add allow ip from 192.168.10.224 to any
${FwCMD} add allow tcp from any to 192.168.10.224 6502 in recv vr0
${FwCMD} add allow udp from any to 192.168.10.224 6502 in recv vr0
${FwCMD} add allow ip from any to 192.168.10.224 via vr0
${FwCMD} add allow ip from any to 192.168.10.224 via em0
${FwCMD} add allow ip from 192.168.10.226 to any
${FwCMD} add allow tcp from any to 192.168.10.226 6502 in ercv vr0
${FwCMD} add allow udp from any to 192.168.10.226 6502 in recv vr0
${FwCMD} add allow ip from any to 192.168.10.226 via vr0
${FwCMD} add allow ip from any to 192.168.10.226 via em0
${FwCMD} add allow ip from 192.168.10.227 to any
${FwCMD} add allow tcp from any to 192.168.10.226 6502 in ercv vr0
${FwCMD} add allow udp from any to 192.168.10.226 6502 in recv vr0
${FwCMD} add allow ip from any to 192.168.10.227 via vr0
${FwCMD} add allow ip from any to 192.168.10.227 via em0
${FwCMD} add allow tcp from ${IpNet2}.11 to any ${ftp_port},${www_port},${mail_port},${icq_port} in recv em0
${FwCMD} add allow tcp from any ${ftp_port},${www_port},${mail_port},${icq_port} to ${IpNet2}.11 out xmit em0
${FwCMD} add allow tcp from any ${ftp_port},${www_port},${mail_port},${icq_port} to ${IpNet2}.11 in recv vr0
${FwCMD} add allow tcp from ${IpNet2}.11 to any 445 in recv em0
${FwCMD} add allow tcp from any 445 to ${IpNet2}.11 out xmit em0
${FwCMD} add allow tcp from any 445 to ${IpNet2}.11 in recv em1
Народ подскажите ПЛЗ. а то мой моск отказываецо понимать чего либо
Может у кого есть какие идеи на этот счёт?
Заранее благодарен всем за оказаную помощь.