ipfw 8.2 vs 7.2

Zar
passing by
Posts: 4
Joined: 2008-01-23 4:15:33

ipfw 8.2 vs 7.2

Post by Zar » 2012-06-19 15:18:01

Hi! Folks, help me out, I can't figure this out. I've got a server

Code:

[gateway]/etc/># uname -a
FreeBSD gateway.asdasdasd.local 7.0-RELEASE FreeBSD 7.0-RELEASE #1: Wed Oct 29 14:21:39 IRKT 2008     zar@gateway.asdasdasdasd.local:/usr/src/sys/i386/compile/GATEWAY  i386
working as a gateway. Everything's great, it crunches everything and hums along.
I built a second server

Code:

CT2# uname -a
FreeBSD ctechn-CT2.local 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Apr 19 18:56:02 UTC 2012     zar@gateway02.VSEL.local:/usr/src/sys/amd64/compile/ZARKERN  amd64
rebuilt the kernel, everything as it should be.

created the file fw.sh
adjusted the IPs, all the changes
I run it and ssh drops...
second evening sitting on this, can't understand a thing...
the script runs through without errors.
port 22 is open everywhere
can't understand a thing...
there weren't by any chance any ipfw syntax changes in 8.2?
I've probably worn my eyes out already... I just don't see the mistake... (
nat seems to be up fine

a chunk of rc.conf

Code:

icmp_drop_redirect="YES"
icmp_log_redirect="YES"
tcp_extensions="NO"
tcp_drop_synfin="YES"
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_script="/etc/fw.sh"    # Which script to run to set up the firewall
firewall_quiet="YES"            # Set to YES to suppress rule display
firewall_logging="YES"          # Set to YES to enable events logging

natd_enable="YES"
natd_interface="re0"
natd_flags="-f /etc/natd.conf"
#natd_flags="-redirect_port tcp 192.168.0.9:3389 3389"
gateway_enable="YES"

Code:

CT2# cat /etc/fire.sh
#!/bin/sh

#Begin Var section

#fwcmd="/sbin/ipfw -q "
#fwcmd="echo "
fwcmd="/sbin/ipfw -n "

oif="re0"               # out interface ethernet
onet="70.79.186.0"    #
omask="255.255.255.252" #
oip="70.79.186.2"     # out IP
aip="70.79.186.2"       # Alias out IP
NetOut="70.79.186.0/30"

iif="re1"               # in interface ethernet
inet="192.168.1.0"      #
imask="255.255.255.0"   #
iip="192.168.1.1"       # in ip
NetIn="192.168.1.0/24"

#Mail server ip
mss1="173.194.77.26"
msx1="209.85.225.27"
msp="25,110"

#Mail Exchange server
#moip="73.94.176.83"


#DNS Server ip
dnss1="8.8.8.8"

#ftp user
pftp="20,21"
uftp={2,3}


#Servers
srvport="20,21,123,80,3189,443"
grpsrv={2,3}


${fwcmd} -f flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush

#Begin Rules
 ${fwcmd} add allow ip from any to any via lo0

 ${fwcmd} add deny log ip from any to 127.0.0.0/8
 ${fwcmd} add deny log ip from 127.0.0.0/8 to any

 ${fwcmd} add deny log all from ${NetIn} to any in via ${oif}
 ${fwcmd} add deny log all from ${NetOut} to any in via ${iif}

 # Stop RFC1918 nets on the outside interface
 ${fwcmd} add deny log all from any to 10.0.0.0/8 via ${oif}
 ${fwcmd} add deny log all from any to 172.16.0.0/12 via ${oif}
 ${fwcmd} add deny log all from any to 192.168.0.0/16 via ${oif}

 # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
 # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
 # on the outside interface
 ${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
 ${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
 ${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
 ${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
 ${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}

 #Allow special system user
# ${fwcmd} add allow tcp from me to any uid root
# ${fwcmd} add allow tcp from me to any uid zar

 #Allow me to any LocalNet
 ${fwcmd} add allow all from me to any via ${iif}

 # Network Address Translation.  This rule is placed here deliberately
 # so that it does not interfere with the surrounding address-checking
 # rules.  If for example one of your internal LAN machines had its IP
 # address set to 192.0.2.1 then an incoming packet for it after being
 # translated by natd(8) would match the `deny' rule above.  Similarly
 # an outgoing packet originated from it before being translated would
 # match the `deny' rule below.
 ${fwcmd} add divert natd all from ${inet}/24 to any via ${oif}
 ${fwcmd} add divert natd all from any to ${oip} in via ${oif}

 # Stop RFC1918 nets on the outside interface
 ${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
 ${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
 ${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}

 # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
 # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
 # on the outside interface
 ${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
 ${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
 ${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
 ${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
 ${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}
 ${fwcmd} add deny log ip from any to 10.0.0.0/8 in via ${oif}
 ${fwcmd} add deny log ip from any to 172.16.0.0/12 in via ${oif}
#${fwcmd} add deny log ip from any to 192.168.0.0/16 in via ${oif}
 ${fwcmd} add deny log ip from any to 0.0.0.0/8 in via ${oif}
 #Deny autoconfigure Private network
 ${fwcmd} add deny log ip from any to 169.254.0.0/16 in via ${oif}
 #Deny multicast
 ${fwcmd} add deny log ip from any to 224.0.0.0/4 in via ${oif}
 # deny log class E (reserved)
 ${fwcmd} add deny log ip from any to 240.0.0.0/4 in via ${oif}
 # deny log fragmented icmp
 ${fwcmd} add deny log icmp from any to any frag
 # deny log icmp to the broadcast address on the outside interface
 ${fwcmd} add deny log icmp from any to 255.255.255.255 in via ${oif}
 ${fwcmd} add deny log icmp from any to 255.255.255.255 out via ${oif}


 #Allow icmp traffic
 ${fwcmd} add allow icmp from any to any icmptypes 0,8,11

 # Allow TCP through if setup succeeded
 ${fwcmd} add pass tcp from any to any established

 # Allow IP fragments to pass through
 ${fwcmd} add pass all from any to any frag

 #Allow ping
 ${fwcmd} add pass icmp from any to any out via $oif

 #Allow access to SSH
 ${fwcmd} add pass all from 70.79.186.2 to any 22
 ${fwcmd} add pass all from ${NetIn} to any 22
 ${fwcmd} add pass all from any to any 22
 ${fwcmd} add allow all from me 22 to any
 ${fwcmd} add allow all from any to me 22


 #Ftp to special group
 ${fwcmd} add allow all from ${NetIn}${uftp} to any ${pftp}
 ${fwcmd} add allow all from any ${pftp} to ${NetIn}${uftp}

 #Servers
 ${fwcmd} add allow all from ${NetIn}${grpsrv} to any ${srvport}
 ${fwcmd} add allow all from any ${srvport} to ${NetIn}${grpsrv}


 # Allow Mail
 ${fwcmd} add allow tcp from ${NetIn} to ${mss1} ${msp} via ${iif} setup
 ${fwcmd} add allow tcp from ${mss1} ${msp} to ${NetIn} setup

 # Allow Mail Exchange
# ${fwcmd} add allow all from ${msx1} to any 25,9000
# ${fwcmd} add allow all from any 25,9000 to ${msx1}
# ${fwcmd} add allow all from any to ${msx1} 25,9000

 #Allow Mail


 #Priv user zar
 ${fwcmd} add allow all from any to 192.168.0.2
 ${fwcmd} add allow all from 192.168.0.2 to any

 ${fwcmd} add allow all from any to 192.168.0.13
 ${fwcmd} add allow all from 192.168.0.13 to any


#ssl thawte.com
 ${fwcmd} add allow all from ${NetIn} to 69.58.181.130
 ${fwcmd} add allow all from 69.58.181.130 to ${NetIn}


 # Reject&Log all setup of incoming connections from the outside
 ${fwcmd} add deny log tcp from any to any in via ${oif} setup

 # Allow setup of any other TCP connection
# ${fwcmd} add pass tcp from any to any setup

 #
 # ${fwcmd} add allow all from me to any in via ${iif}
 # ${fwcmd} add allow all from me to any out via ${iif}

 # Allow access to our WWW
 ${fwcmd} add pass tcp from any to ${oip} 80 setup
 ${fwcmd} add pass tcp from any to ${oip} 443 setup
 ${fwcmd} add allow all from me to any 80
 ${fwcmd} add allow all from me to any 443
# ${fwcmd} add allow log all from me to any

#Allow Mail
# ${fwcmd} add allow tcp from any to ${moip} 110
# ${fwcmd} add allow tcp from any to ${moip} 25

 #Allow Mail
 ${fwcmd} add allow tcp from me to any 110
 ${fwcmd} add allow tcp from me to any 25


 #Allow FTP
 ${fwcmd} add allow tcp from me to any ${pftp}

 # Allow DNS queries out in the world
 ${fwcmd} add pass udp from ${oip} to any 53 keep-state
 ${fwcmd} add pass udp from any 53 to ${oip} keep-state
 ${fwcmd} add pass udp from ${aip} to any 53 keep-state
 ${fwcmd} add pass udp from any 53 to ${aip} keep-state

 #Allow DNS queries out in the Lan
 ${fwcmd} add pass udp from any to ${iip} 53 keep-state
 ${fwcmd} add pass udp from ${iip} 53 to any keep-state

 ${fwcmd} add pass tcp from ${oip} to any 43 keep-state
 ${fwcmd} add pass udp from me to any 53

 # Allow squid queries in in the world
 ${fwcmd} add pass all from ${NetIn} to me 3128
 ${fwcmd} add pass all from me 3128 to ${NetIn}

 # Allow NTP queries out in the world
 ${fwcmd} add pass udp from any to me 123
 ${fwcmd} add pass tcp from any to me 123
 ${fwcmd} add pass udp from me 123 to any
 ${fwcmd} add pass tcp from me 123 to any

 ${fwcmd} add pass udp from any 123 to me
 ${fwcmd} add pass tcp from any 123 to me
 ${fwcmd} add pass udp from me to any 123
 ${fwcmd} add pass tcp from me to any 123

 ${fwcmd} add pass udp from any to me 525
 ${fwcmd} add pass tcp from any to me 525
 ${fwcmd} add pass udp from me 525 to any
 ${fwcmd} add pass tcp from me 525 to any

 #Allow access SSH to any
 ${fwcmd} add allow all from me to any 22
# ${fwcmd} add allow all from me 22 to any
# ${fwcmd} add allow all from any to me 22

 #FTP from me
 ${fwcmd} add allow all from me to any ${pftp}

 # Allow NetBIOS from the LAN: 137=name, 138=datagram, 139=session
 # (MS/Windows sharing services), plus LDAP 389, Kerberos 88 and port 81
 ${fwcmd} add allow all from any 137 to me in via $iif
 ${fwcmd} add allow all from any 389 to me in via $iif
 ${fwcmd} add allow all from any 138 to me in via $iif
 ${fwcmd} add allow all from any 139 to me in via $iif
 ${fwcmd} add allow all from any 88 to me in via $iif
 ${fwcmd} add allow all from any to any 81 in  via $iif

 ${fwcmd} add allow all from me to any

#Deny all Log

${fwcmd} add deny log ip from any to any


point this unlucky guy in the right direction...
Last edited by f_andrey on 2012-06-19 21:25:46, edited 1 time in total.
Reason: To the author, please choose the section matching the topic of your post.


snorlov
lieutenant colonel
Posts: 3846
Joined: 2008-09-04 11:51:25
From: Saint Petersburg

Re: ipfw 8.2 vs 7.2

Post by snorlov » 2012-06-19 21:11:57

Look at this:

Code:

/etc/sysctl.conf: net.inet.ip.fw.one_pass=0

Zar
passing by
Posts: 4
Joined: 2008-01-23 4:15:33

Re: ipfw 8.2 vs 7.2

Post by Zar » 2012-06-20 19:26:58

snorlov wrote: Look at this:

Code:

/etc/sysctl.conf: net.inet.ip.fw.one_pass=0
On the server that works it's set to 1, i.e. everything works without this setting.. :( .

Any other ideas?

snorlov
lieutenant colonel
Posts: 3846
Joined: 2008-09-04 11:51:25
From: Saint Petersburg

Re: ipfw 8.2 vs 7.2

Post by snorlov » 2012-06-20 21:04:42

You yourself mentioned changes, so go read the docs, the ones for 8.0 in particular... compare the rc.firewall files that ship by default; as a last resort run

Code:

ipfw disable one_pass
maybe it'll start working...

amdcooper
private
Posts: 27
Joined: 2007-12-06 14:29:24

Re: ipfw 8.2 vs 7.2

Post by amdcooper » 2012-06-21 1:10:00

Question: does SSH drop when you run this file? And which rules are left? I'm almost certain only one rule is left there: everything closed for everyone. If that's the case, then it's simple: the script flushes all the rules, the SSH session closes, and execution of the file is cut short. The solution in that case is to use screen.
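amdcooper's reading is the usual one: ipfw -f flush leaves only the default rule, a default-deny kernel then drops the SSH session, the shell running the script gets a SIGHUP, and the rules after the flush are never added. screen detaches the script from the session so it finishes. The other standard safety net, shown below as an added example that is not from the thread (the ipfw invocation, the pid file path and the rollback rule are assumptions), is a detached timer armed before the script runs: unless it is disarmed within the timeout, it inserts a rule numbered 1, which ipfw evaluates before every other rule, re-opening SSH, so even a script that died half-way leaves the gateway reachable.

```shell
#!/bin/sh
# Added example, not from the thread: a lock-out guard for ipfw edits.
# arm_rollback N starts a detached timer; unless disarm_rollback runs within
# N seconds, the timer inserts rule 1 (evaluated before every other rule)
# that re-opens SSH. IPFW, PIDFILE and LOGFILE defaults are assumptions.

IPFW=${IPFW:-"/sbin/ipfw -q"}
PIDFILE=${PIDFILE:-/var/run/fw_rollback.pid}
LOGFILE=${LOGFILE:-/dev/null}   # where the timer's output goes

# The command the timer will run. Rule 1 sorts ahead of whatever a half-run
# script left behind, including a deny-all default rule.
rollback_cmd() {
    printf '%s add 1 allow tcp from any to me 22\n' "$IPFW"
}

arm_rollback() {
    secs=$1
    # Ignore HUP so the timer survives the SSH session dying, and detach it
    # from the terminal so nothing keeps the session's pipes open.
    ( trap '' HUP; sleep "$secs"; sh -c "$(rollback_cmd)" ) >"$LOGFILE" 2>&1 </dev/null &
    echo $! >"$PIDFILE"
}

# Returns non-zero if there was nothing to disarm or the timer already fired.
disarm_rollback() {
    [ -f "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    rm -f "$PIDFILE"
    kill "$pid" 2>/dev/null
}

# Typical use from the SSH session:
#   arm_rollback 120
#   sh /etc/fw.sh        # the rule script under test
#   disarm_rollback      # reached only if SSH survived the reload
```

Pick a timeout longer than the rule script takes to run: if the timer fires first and the script then flushes, rule 1 goes with the flush. Once back in, remove rule 1 again (ipfw delete 1) after fixing the script, since it allows SSH from anywhere.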