IPFW+NAT+DNS

[dmitr-avdeev]

И так! Ну во первых всем день добрый!
Во вторых начал осваивать FreeBSD и появились маленькие проблемки с которыми самому трудновато справится!
Самая большая проблема с которой я столкнулся, это почему-то не работает DNS сервер.
Задача стоит простая настроить обычный шлюз в интернет для локальной сети.
Теперь по порядку:
1. FreeBSD установил и настроил. Проблем нет
2. DHCP установил и настроил проблем нет все работает
3. Firewall установил настроил. (Мне кажется я что-то забыл там настроить)
4. DNS вроде стартует, но нельзя обратится из локальной сети по именам, только по IP (это говорит что нат работает)
Привожу примеры конфигов:
rc.conf

Код: Выделить всё

keymap="ru.koi8-r"
moused_enable="YES"
sshd_enable="YES"
ifconfig_em0="inet 83.888.18.6 netmask 255.255.255.248"
ifconfig_em1="inet 192.168.0.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_flags="-q"   # отключаем вывод копирайта при старте DHCP
dhcpd_ifaces="em1" # сетевой интерфейс на котором рабоатет DHCP
firewall_enable="YES"
firewall_nat_enable="YES"
dummynet_enable="YES"
firewall_script="/etc/firewall-nat"

firewall-nat

Код: Выделить всё

#!/bin/sh
fwcmd="/sbin/ipfw -q"
${fwcmd} flush

${fwcmd} add 10120 allow ip from any to any via em1
${fwcmd} add 10121 allow ip from any to any via lo0

# SSH
${fwcmd} add 10122 allow tcp from any to me 22 in via em0
# DNS
${fwcmd} add 10123 allow udp from any to any via em1
# pings
${fwcmd} add 10135 allow icmp from any to me icmptypes 8 in recv em0
${fwcmd} add 10135 allow icmp from any to me icmptypes 8 in recv em1
# Nastroika nat
${fwcmd} nat 1 config log if em0 reset same_ports deny_in
${fwcmd} add 10160 nat 1 ip from any to any via em0
${fwcmd} add 65534 deny log all from any to any 

resolv.conf

Код: Выделить всё

domain  freebsd2883.internet
nameserver 127.0.0.1

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[dmitr-avdeev]

named.conf

Код: Выделить всё

// $FreeBSD: src/etc/namedb/named.conf,v 1.29.2.3.4.1 2010/12/21 17:09:25 kensmith Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
acl "lan" {192.168.0.1/255.255.255.0;127.0.0.1;};
options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/etc/namedb";//рабочая директория
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        listen-on {lan;};
        allow-query {lan;};


// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//      listen-on-v6    { ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
//      disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
//      disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
//      disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.

        forwarders {lan;};//83.888.22.14;83.888.19.126;};
        allow-recursion {
                127.0.0.1;
                192.168.0.0/16;
                };
                recursive-clients 30000;
};
acl "trusted-dns" {
                83.888.19.126;
};
//logging {
//              category lame-servers {null;};
};

// If the 'forwarders' clause is not empty the default is to 'forward first'
// which will fall back to sending a query from your local server if the name
// servers in 'forwarders' do not have the answer.  Alternatively you can
// force your name server to never initiate queries of its own by enabling the
// following line:
//      forward only;

// If you wish to have forwarding configured automatically based on
// the entries in /etc/resolv.conf, uncomment the following line and
// set named_auto_forward=yes in /etc/rc.conf.  You can also enable
// named_auto_forward_only (the effect of which is described above).
//      include "/etc/namedb/auto_forward.conf";

        /*
           Modern versions of BIND use a random UDP port for each outgoing
           query by default in order to dramatically reduce the possibility
           of cache poisoning.  All users are strongly encouraged to utilize
           this feature, and to configure their firewalls to accommodate it.

           AS A LAST RESORT in order to get around a restrictive firewall
           policy you can try enabling the option below.  Use of this option
           will significantly reduce your ability to withstand cache poisoning
           attacks, and should be avoided if at all possible.

           Replace NNNNN in the example with a number between 49160 and 65530.
        */
        // query-source address * port NNNNN;

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "/etc/namedb/named.root"; };

/*      Slaving the following zones from the root name servers has some
        significant advantages:
        1. Faster local resolution for your users
        2. No spurious traffic will be sent from your network to the roots
        3. Greater resilience to any potential root server failure/DDoS

        On the other hand, this method requires more monitoring than the
        hints file to be sure that an unexpected failure mode has not
        incapacitated your server.  Name servers that are serving a lot
        of clients will benefit more from this approach than individual
        hosts.  Use with caution.

        To use this mechanism, uncomment the entries below, and comment
        the hint zone above.
*/
/*
zone "." {
        type slave;
        file "/etc/namedb/slave/root.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "arpa" {
        type slave;
        file "/etc/namedb/slave/arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "in-addr.arpa" {
        type slave;
        file "/etc/namedb/slave/in-addr.arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
*/

/*      Serving the following zones locally will prevent any queries
        for these zones leaving your network and going to the root
        name servers.  This has two significant advantages:
        1. Faster local resolution for your users
        2. No spurious traffic will be sent from your network to the roots
*/
// RFC 1912 (and BCP 32 for localhost)
zone "localhost"        { type master; file "/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// RFC 1912-style zone for IPv6 localhost address
zone "0.ip6.arpa"       { type master; file "/etc/namedb/master/localhost-reverse.db"; };

// "This" Network (RFCs 1912 and 3330)
zone "0.in-addr.arpa"   { type master; file "/etc/namedb/master/empty.db"; };

// Private Use Networks (RFC 1918)
zone "10.in-addr.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// Link-local/APIPA (RFCs 3330 and 3927)
zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// TEST-NET-[1-3] for Documentation (RFC 5737)
zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Range for Documentation (RFC 3849)
zone "0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// Domain Names for Documentation and Testing (BCP 32)
zone "test" { type master; file "/etc/namedb/master/empty.db"; };
zone "example" { type master; file "/etc/namedb/master/empty.db"; };
zone "invalid" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.com" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.net" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.org" { type master; file "/etc/namedb/master/empty.db"; };

// Router Benchmark Testing (RFC 3330)
zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// IANA Reserved - Old Class E Space
zone "240.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "241.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "242.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "243.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "244.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "245.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "246.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "247.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "248.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "249.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "250.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "251.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "252.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "253.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "254.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "3.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "4.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "5.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "6.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "7.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "8.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "9.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "a.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "b.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "c.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "d.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "e.ip6.arpa"       { type master; file "/etc/namedb/master/empty.db"; };
zone "0.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "1.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "2.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "3.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "4.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "5.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "6.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "7.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "8.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "9.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "a.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "b.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "0.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "1.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "2.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "3.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "4.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "5.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "6.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "7.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };

// IPv6 ULA (RFC 4193)
zone "c.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };
zone "d.f.ip6.arpa"     { type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Link Local (RFC 4291)
zone "8.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "9.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "a.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "b.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Deprecated Site-Local Addresses (RFC 3879)
zone "c.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "d.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "e.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };
zone "f.e.f.ip6.arpa"   { type master; file "/etc/namedb/master/empty.db"; };

// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int"          { type master; file "/etc/namedb/master/empty.db"; };

// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries.  It can be convenient to become
// a slave at least for the zone your own domain is in.  Ask
// your network administrator for the IP address of the responsible
// master name server.
//
// Do not forget to include the reverse lookup zone!
// This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
//
// Before starting to set up a master zone, make sure you fully
// understand how DNS and BIND work.  There are sometimes
// non-obvious pitfalls.  Setting up a slave zone is usually simpler.
//
// NB: Don't blindly enable the examples below. :-)  Use actual names
// and addresses instead.

/* An example dynamic zone
key "exampleorgkey" {
        algorithm hmac-md5;
        secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
        type master;
        allow-update {
                key "exampleorgkey";
        };
        file "/etc/namedb/dynamic/example.org";
};
*/

/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
        type slave;
        file "/etc/namedb/slave/1.168.192.in-addr.arpa";
        masters {
                192.168.1.1;
        };
};
*/

[snorlov]

А где в rc.conf

Код: Выделить всё

named_enable="yes"

а вы говорите, что вроде он стартует
Хотелось бы увидеть вывод

Код: Выделить всё

uname -a
ps   -ax | grep named

[dmitr-avdeev]

Добавил
в rc.conf

Код: Выделить всё

defaultrouter="83.888.18.1"
hostname="freebsd2883.internet"
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-u bind -c /etc/namedb/named.conf"
gateway_enable="YES"
keymap="ru.koi8-r"
moused_enable="YES"
sshd_enable="YES"
ifconfig_em0="inet 83.888.18.6 netmask 255.255.255.248"
ifconfig_em1="inet 192.168.0.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_flags="-q"   # отключаем вывод копирайта при старте DHCP
dhcpd_ifaces="em1" # сетевой интерфейс на котором рабоатет DHCP
firewall_enable="YES"
firewall_nat_enable="YES"
dummynet_enable="YES"
firewall_script="/etc/firewall-nat"

[dmitr-avdeev]

uname -a

Код: Выделить всё

FreeBSD freebsd2883.internet 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

ps -ax | grep named

Код: Выделить всё

qrep: Command not found.

[dmitr-avdeev]

Есть косяк в named.conf
при загрузки вываливается ошибка
dmesg -a

Код: Выделить всё

/etc/namedb/named.conf:10: expected prefix length near '255.255.255.0'
/etc/rc: ERROR: named-checkconf for $named_conf failed

Ушел править ошибки. Скоро вернусь!))))

[dmitr-avdeev]

uname -a

Код: Выделить всё

FreeBSD freebsd2883.internet 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

ps -ax | grep named

Код: Выделить всё

qrep: Command not found.

Неправильно ввел команду grep

[dmitr-avdeev]

Код: Выделить всё

freebsd2883# ps -ax | grep named
  770  ??  Ss     0:00.01 /usr/sbin/syslogd -l /var/run/log -l /var/named/var/r
  854  ??  Is     0:00.08 /usr/sbin/named -u bind -c /etc/namedb/named.conf -t

[dmitr-avdeev]

Ошибки были в named.conf и все синтаксические почти))) DNS заработал, только выдал ошибку на rndc not found key.
Перехожу к установке и настройке SQUID. Буду описывать свои шаги если что нет так поправляйте. Спасибо всем кто уже помог и еще поможет!!!

[dmitr-avdeev]

За основу для настройки SQUID взял статью http://www.lissyara.su/articles/freebsd ... ams+rejik/

[dmitr-avdeev]

В соответствии со статьей не прошла команда

Код: Выделить всё

/usr/local/bin/htpasswd -c /usr/local/etc/squid/ncsa.sams vash_user
password:*******

Как дальше быть????

[vadim64]

что значит "не прошла?"