Код: Выделить всё
[gateway]/sys/>#[gateway]/etc/>#uname -a
FreeBSD gateway.asdasdasd.local 7.0-RELEASE FreeBSD 7.0-RELEASE #1: Wed Oct 29 14:21:39 IRKT 2008 zar@gateway.asdasdasdasd.local:/usr/src/sys/i386/compile/GATEWAY i386
собрал второй сервак
Код: Выделить всё
CT2# uname -a
FreeBSD ctechn-CT2.local 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Apr 19 18:56:02 UTC 2012 zar@gateway02.VSEL.local:/usr/src/sys/amd64/compile/ZARKERN amd64
создал файлик fw.sh
поправил ip все изменения
запускаю и отваливается ssh...
уже второй вечер сижу ни чего понять не могу...
скрипт отрабатывает без ошибок.
22 порт везде открыт
ни чего понять не могу...
в 8.2 ни каких случайно изменений синтаксиса ipfw не было?
я уже видать все глаза смозолил... тупо не вижу ошибку... (
нат поднят нормально вроде
кусок rc.conf
Код: Выделить всё
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
tcp_extensions="NO"
tcp_drop_synfin="YES"
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_script="/etc/fw.sh" # Which script to run to set up the firewall
firewall_quiet="YES" # Set to YES to suppress rule display
firewall_logging="YES" # Set to YES to enable events logging
natd_enable="YES"
natd_interface="re0"
natd_flags="-f /etc/natd.conf"
#natd_flags="-redirect_port tcp 192.168.0.9:3389 3389"
gateway_enable="YES"
Код: Выделить всё
CT2# cat /etc/fire.sh
#!/bin/sh
#Begin Var section
#fwcmd="/sbin/ipfw -q "
#fwcmd="echo "
fwcmd="/sbin/ipfw -n "
oif="re0" # out interface ethernet
onet="70.79.186.0" #
omask="255.255.255.252" #
oip="70.79.186.2" # out IP
aip="70.79.186.2" # Alias out IP
NetOut="70.79.186.0/30"
iif="re1" # in interface ethernet
inet="192.168.1.0" #
imask="255.255.255.0" #
iip="192.168.1.1" # in ip
NetIn="192.168.1.0/24"
#Mail server ip
mss1="173.194.77.26"
msx1="209.85.225.27"
msp="25,110"
#Mail Exchange server
#moip="73.94.176.83"
#DNS Server ip
dnss1="8.8.8.8"
#ftp user
pftp="20,21"
uftp={2,3}
#Servers
srvport="20,21,123,80,3189,443"
grpsrv={2,3}
${fwcmd} -f flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush
#Begin Rules
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add deny log ip from any to 127.0.0.0/8
${fwcmd} add deny log ip from 127.0.0.0/8 to any
${fwcmd} add deny log all from ${NetIn} to any in via ${oif}
${fwcmd} add deny log all from ${NetOut} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny log all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny log all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}
#Allow special system user
# ${fwcmd} add allow tcp from me to any uid root
# ${fwcmd} add allow tcp from me to any uid zar
#Allow me to any LocalNet
${fwcmd} add allow all from me to any via ${iif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from ${inet}/24 to any via ${oif}
${fwcmd} add divert natd all from any to ${oip} in via ${oif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny log ip from any to 10.0.0.0/8 in via ${oif}
${fwcmd} add deny log ip from any to 172.16.0.0/12 in via ${oif}
#${fwcmd} add deny log ip from any to 192.168.0.0/16 in via ${oif}
${fwcmd} add deny log ip from any to 0.0.0.0/8 in via ${oif}
#Deny autoconfigure Private network
${fwcmd} add deny log ip from any to 169.254.0.0/16 in via ${oif}
#Deny multicast
${fwcmd} add deny log ip from any to 224.0.0.0/4 in via ${oif}
# deny log multicast
${fwcmd} add deny log ip from any to 240.0.0.0/4 in via ${oif}
# deny log fragmentation icmp
${fwcmd} add deny log icmp from any to any frag
# deny log fragmantation icmp in out interface
${fwcmd} add deny log icmp from any to 255.255.255.255 in via ${oif}
${fwcmd} add deny log icmp from any to 255.255.255.255 out via ${oif}
#Allow icmp traffic
${fwcmd} add allow icmp from any to any icmptypes 0,8,11
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
#Allow ping
${fwcmd} add pass icmp from any to any out via $oif
#Allow access to SSH
${fwcmd} add pass all from 70.79.186.2 to any 22
${fwcmd} add pass all from ${NetIn} to any 22
${fwcmd} add pass all from any to any 22
${fwcmd} add allow all from me 22 to any
${fwcmd} add allow all from any to me 22
#Ftp to special group
${fwcmd} add allow all from ${NetIn}${uftp} to any ${pftp}
${fwcmd} add allow all from any ${pftp} to ${NetIn}${uftp}
#Servers
${fwcmd} add allow all from ${NetIn}${grpsrv} to any ${srvport}
${fwcmd} add allow all from any ${srvport} to ${NetIn}${grpsrv}
# Allow Mail
${fwcmd} add allow tcp from ${NetIn} to ${mss1} ${msp} via ${iif} setup
${fwcmd} add allow tcp from ${mss1} ${msp} to ${NetIn} setup
# Allow Mail Exchange
# ${fwcmd} add allow all from ${msx1} to any 25,9000
# ${fwcmd} add allow all from any 25,9000 to ${msx1}
# ${fwcmd} add allow all from any to ${msx1} 25,9000
#Allow Mail
#Priv user zar
${fwcmd} add allow all from any to 192.168.0.2
${fwcmd} add allow all from 192.168.0.2 to any
${fwcmd} add allow all from any to 192.168.0.13
${fwcmd} add allow all from 192.168.0.13 to any
#ssl thawte.com
${fwcmd} add allow all from ${NetIn} to 69.58.181.130
${fwcmd} add allow all from 69.58.181.130 to ${NetIn}
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
# ${fwcmd} add pass tcp from any to any setup
#
# ${fwcmd} add allow all from me to any in via ${iif}
# ${fwcmd} add allow all from me to any out via ${iif}
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup
${fwcmd} add pass tcp from any to ${oip} 443 setup
${fwcmd} add allow all from me to any 80
${fwcmd} add allow all from me to any 443
# ${fwcmd} add allow log all from me to any
#Allow Mail
# ${fwcmd} add allow tcp from any to ${moip} 110
# ${fwcmd} add allow tcp from any to ${moip} 25
#Allow Mail
${fwcmd} add allow tcp from me to any 110
${fwcmd} add allow tcp from me to any 25
#Allow FTP
${fwcmd} add allow tcp from me to any ${pftp}
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state
${fwcmd} add pass udp from any 53 to ${oip} keep-state
${fwcmd} add pass udp from ${aip} to any 53 keep-state
${fwcmd} add pass udp from any 53 to ${aip} keep-state
#Allow DNS queries out in the Lan
${fwcmd} add pass udp from any to ${iip} 53 keep-state
${fwcmd} add pass udp from ${iip} 53 to any keep-state
${fwcmd} add pass tcp from ${oip} to any 43 keep-state
${fwcmd} add pass udp from me to any 53
# Allow squid queries in in the world
${fwcmd} add pass all from ${NetIn} to me 3128
${fwcmd} add pass all from me 3128 to ${NetIn}
# Allow NTP queries out in the world
${fwcmd} add pass udp from any to me 123
${fwcmd} add pass tcp from any to me 123
${fwcmd} add pass udp from me 123 to any
${fwcmd} add pass tcp from me 123 to any
${fwcmd} add pass udp from any 123 to me
${fwcmd} add pass tcp from any 123 to me
${fwcmd} add pass udp from me to any 123
${fwcmd} add pass tcp from me to any 123
${fwcmd} add pass udp from any to me 525
${fwcmd} add pass tcp from any to me 525
${fwcmd} add pass udp from me 525 to any
${fwcmd} add pass tcp from me 525 to any
#Allow access SSH to any
${fwcmd} add allow all from me to any 22
# ${fwcmd} add allow all from me 22 to any
# ${fwcmd} add allow all from any to me 22
#FTP from me
${fwcmd} add allow all from me to any ${pftp}
# Allow all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
${fwcmd} add allow all from any 137 to me in via $iif
${fwcmd} add allow all from any 389 to me in via $iif
${fwcmd} add allow all from any 138 to me in via $iif
${fwcmd} add allow all from any 139 to me in via $iif
${fwcmd} add allow all from any 88 to me in via $iif
${fwcmd} add allow all from any to any 81 in via $iif
${fwcmd} add allow all from me to any
#Deny all Log
${fwcmd} add deny log ip from any to any
направьте неудачника...
.