Периодически пропадает сеть; при этом, если запустить tcpdump:
tcpdump -i ste0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ste0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:33:18.769631
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 65535 bytes
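# Two-uplink gateway: LAN on age0, WAN1 (IPS_1) on rl0, WAN2 (IPS_2) on ste0.
# Reviewed as posted; addresses are redacted in the post ("у.у", "xx", "q.q").
int_if="age0" #lan
ext_if_2="ste0" #wan2
ext_if_1="rl0" #wan
# NOTE(review): this macro is a /24, but age0 carries a /16 (netmask 0xffff0000
# in the ifconfig output), so LAN hosts outside 10.0.8.0/24 never match the
# rules that use $internal_net - confirm which prefix the LAN really is.
internal_net="10.0.8.0/24" #
local_if="lo0" # 127.0.0.1
ext_addr_1="109.206.у.у" # IPS_1 wan
ext_addr_2="95.128.xx" # IPS_2 wan
int_addr="10.0.8.20" # LAN IP
gw_1="109.206.w.w" # IPS_1 gw
gw_2="95.128.q.q" # IPS_2 gw
tcp_svc="{ssh, www}" # ports allowed in on the external interfaces.
set block-policy drop
set skip on lo0
set fingerprints "/etc/pf.os"
set debug urgent
set require-order yes
# NOTE(review): pf keeps a single loginterface; the second "set" below most
# likely replaces the first (check with "pfctl -si"), so only $ext_if_2
# statistics are collected.
set loginterface $ext_if_1
set loginterface $ext_if_2
set timeout { frag 10, tcp.established 3600, udp.first 300, udp.single 150, udp.multiple 900 }
icmp_types="{ echoreq, unreach }"
# Hosts that are NATed to the Internet - a hand-picked subset of the LAN, unlike
# the $internal_net macro above. Entries made comma-separated and the duplicate
# 10.0.8.89 dropped; table membership is unchanged.
table <internal_net> {10.0.8.2/31, 10.0.8.4/30, 10.0.8.8/30, 10.0.8.12/31, 10.0.8.40, 10.0.8.41, 10.0.8.42, 10.0.8.43, 10.0.8.44, 10.0.8.45, 10.0.8.46, 10.0.8.47, 10.0.8.48, 10.0.8.49, 10.0.8.80, 10.0.8.81, 10.0.8.82, 10.0.8.85, 10.0.8.86, 10.0.8.87, 10.0.8.88, 10.0.8.89, 10.0.8.90, 10.0.8.91, 10.0.8.254}
scrub in all fragment reassemble
scrub out all random-id
nat-anchor "ftp-proxy/*"
# NAT on whichever uplink the packet leaves through; static-port keeps the
# source port (the phone below depends on it).
nat on $ext_if_1 from <internal_net> to any -> ($ext_if_1) static-port
nat on $ext_if_2 from <internal_net> to any -> ($ext_if_2) static-port
rdr-anchor "ftp-proxy/*"
#RDR
# FTP to either WAN address goes to the local ftp-proxy.
rdr on $ext_if_2 proto tcp from any to $ext_addr_2 port 21 -> 127.0.0.1 port 8021
rdr on $ext_if_1 proto tcp from any to $ext_addr_1 port 21 -> 127.0.0.1 port 8021
#squid: transparent proxy for LAN web traffic (uses the /24 macro, not the table)
rdr on $int_if proto tcp from $internal_net to any port 80 -> 10.0.8.20 port 3128
#phone (PBX at 10.0.8.8): SIP and the media range are published on both WAN
# addresses; the tag tells the "INCOMING ROUTE" rules below which uplink to
# answer on.
# NOTE(review): 17000:30000 for both tcp and udp from any is a wide exposure of
# one internal host - confirm the PBX needs the whole range and tcp as well as udp.
rdr on $ext_if_1 proto { tcp udp } from any to $ext_addr_1 port 5060:5070 tag EXT_IF_A -> 10.0.8.8
rdr on $ext_if_1 proto { tcp udp } from any to $ext_addr_1 port 17000:30000 tag EXT_IF_A -> 10.0.8.8
rdr on $ext_if_2 proto { tcp udp } from any to $ext_addr_2 port 5060:5070 tag EXT_IF_B -> 10.0.8.8
rdr on $ext_if_2 proto { tcp udp } from any to $ext_addr_2 port 17000:30000 tag EXT_IF_B -> 10.0.8.8
##
block all
# NOTE(review): strict uRPF with two uplinks and one default route: a packet
# arriving on the WAN that is NOT the current default route, from an Internet
# source, has its reverse path on the other WAN and is dropped by this rule
# before the reply-to rules below are reached - so ssh/www/SIP published on
# that WAN are unreachable until the default route moves. Check the "uRPF"
# label counters (pfctl -vsr) before relying on inbound service on both links.
block in quick from urpf-failed label uRPF
block in quick from any os nmap to any
# Drop (and log) TCP packets with impossible or unusual flag combinations.
# Only packets without a matching state reach these rules.
block in log quick proto tcp from any to any flags /S
block in log quick proto tcp from any to any flags /SFRA
block in log quick proto tcp from any to any flags /SFRAU
block in log quick proto tcp from any to any flags A/A
block in log quick proto tcp from any to any flags F/SFRA
block in log quick proto tcp from any to any flags U/SFRAU
block in log quick proto tcp from any to any flags SF/SF
block in log quick proto tcp from any to any flags SF/SFRA
block in log quick proto tcp from any to any flags SR/SR
block in log quick proto tcp from any to any flags FUP/FUP
block in log quick proto tcp from any to any flags FUP/SFRAUPEW
block in log quick proto tcp from any to any flags SFRAU/SFRAU
block in log quick proto tcp from any to any flags SFRAUP/SFRAUP
block in log quick proto tcp from any to any flags FPU/SFRAUP
block in log quick proto tcp from any to any flags F/SFRA
block in log quick proto tcp from any to any flags P/P
#####
# Stateful pass-out on both uplinks.
pass out log on $ext_if_1 from any to any
pass out log on $ext_if_2 from any to any
# OUTGOING ROUTE
# Route outgoing traffic: a packet sourced from a WAN address leaves via that
# WAN's gateway, whatever the default route is. (The same three rules appear
# again in the second OUTGOING ROUTE section below; the duplicate is harmless.)
pass out route-to ($ext_if_1 $gw_1) inet from ($ext_if_1)
pass out route-to ($ext_if_2 $gw_2) inet from ($ext_if_2)
pass out inet from { $ext_if_1 $ext_if_2 } to (self:network)
# Fixed: the list read "{$ext_if_1, $ext_if_1}" ($ext_if_1 twice), so this rule
# never named $ext_if_2. It is in any case subsumed by the two "pass out log"
# rules above.
pass out on { $ext_if_1, $ext_if_2 } from any to any
# Gateway <-> LAN traffic on the inside interface.
pass in on $int_if from $internal_net to $int_if
pass out on $int_if from $internal_net to $int_if
pass in on $int_if from $int_if to $internal_net
pass out on $int_if from $int_if to $internal_net
#
antispoof quick for $int_if inet
# ICMP
# IPS_1
pass in on $ext_if_1 reply-to ($ext_if_1 $gw_1) inet proto icmp to ($ext_if_1) icmp-type $icmp_types
pass in on $ext_if_1 inet proto icmp from ($ext_if_1:network) to ($ext_if_1) icmp-type $icmp_types
# IPS_2
pass in on $ext_if_2 reply-to ($ext_if_2 $gw_2) inet proto icmp to ($ext_if_2) icmp-type $icmp_types
pass in on $ext_if_2 inet proto icmp from ($ext_if_2:network) to ($ext_if_2) icmp-type $icmp_types
# allow tcp ports
# IPS_1
pass in on $ext_if_1 reply-to ($ext_if_1 $gw_1) inet proto tcp to ($ext_if_1) port $tcp_svc
pass in on $ext_if_1 inet proto tcp from ($ext_if_1:network) to ($ext_if_1) port $tcp_svc
# IPS_2
pass in on $ext_if_2 reply-to ($ext_if_2 $gw_2) inet proto tcp to ($ext_if_2) port $tcp_svc
pass in on $ext_if_2 inet proto tcp from ($ext_if_2:network) to ($ext_if_2) port $tcp_svc
# INCOMING ROUTE
# Phone traffic tagged by the rdr rules above: answer on the uplink it came in on.
# IPS_1
pass in quick from ($ext_if_1:network) tagged EXT_IF_A keep state
pass in quick reply-to ($ext_if_1 $gw_1) tagged EXT_IF_A keep state
# IPS_2
pass in quick from ($ext_if_2:network) tagged EXT_IF_B keep state
pass in quick reply-to ($ext_if_2 $gw_2) tagged EXT_IF_B keep state
# FIREWALL
# allow everything within the gateway's own address space
pass out inet from (self:network)
pass in inet proto icmp to (self:network)
# OUTGOING ROUTE
# Route outgoing traffic (repeat of the three rules in the first OUTGOING ROUTE
# section; kept as posted).
pass out route-to ($ext_if_1 $gw_1) inet from ($ext_if_1)
pass out route-to ($ext_if_2 $gw_2) inet from ($ext_if_2)
pass out inet from { $ext_if_1 $ext_if_2 } to (self:network)
# LOCAL NETWORK
# Allow LAN traffic out, one service port at a time (web, squid, https, dns,
# ntp, dhcp/tftp, snmp).
pass out on $int_if proto tcp from any to any port 80
pass in on $int_if proto tcp from any to any port 80
pass out on $int_if proto tcp from any to any port 3128
pass in on $int_if proto tcp from any to any port 3128
pass out on $int_if proto tcp from any to any port 443
pass in on $int_if proto tcp from any to any port 443
pass out on $int_if proto udp from any to any port 53
pass in on $int_if proto udp from any to any port 53
pass out on $int_if proto { tcp udp } from any to any port 123
pass in on $int_if proto { tcp udp } from any to any port 123
pass out on $int_if proto { tcp udp } from any to any port 67:69
pass in on $int_if proto { tcp udp } from any to any port 67:69
pass in on $int_if proto { tcp, udp } from any to any port 161
pass out on $int_if proto { tcp, udp } from any to any port 161
anchor "ftp-proxy/*"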
age0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c319b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MCAST,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
ether 00:1d:60:7c:1d:d6
inet 10.0.8.20 netmask 0xffff0000 broadcast 10.0.255.255
inet6 fe80::21d:60ff:fe7c:1dd6%age0 prefixlen 64 scopeid 0x1
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
ste0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
ether 00:22:15:d6:4c:03
inet 95.128.xx netmask 0xfffffff8 broadcast 95.128.xxx.xxx
inet6 fe80::222:15ff:fed6:4c03%ste0 prefixlen 64 scopeid 0x2
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2008<VLAN_MTU,WOL_MAGIC>
ether 00:c0:26:2c:00:04
inet 109.206.у.у netmask 0xffffff00 broadcast 109.206.yyy.yyy
inet6 fe80::2c0:26ff:fe2c:4%rl0 prefixlen 64 scopeid 0x3
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 109.206.w.w UGS 0 439 rl0
10.0.0.0/16 link#1 U 0 0 age0
10.0.8.20 link#1 UHS 0 0 lo0
95.128.xx/29 link#2 U 0 0 ste0
95.128.xx link#2 UHS 0 0 lo0
109.206.у.у/24 link#3 U 0 0 rl0
109.206.у.у link#3 UHS 0 0 lo0
127.0.0.1 link#6 UH 0 0 lo0
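#!/usr/bin/perl -w
use strict;
use warnings;
use Net::Ping;

# Default-route fail-over between two uplinks (run periodically, e.g. from cron).
# 1 - automatic mode: move the default route to the backup gateway while the
#     primary uplink is down, and back to the primary once it works again.
# 2 - forced switch to the second (backup) gateway.
my $action = 1;

my $host_gw    = "109.206.w.w"; # default gw (primary uplink, IPS_1 on rl0)
my $gw         = "95.128.q.q";  # backup gw (IPS_2 on ste0); was "995.128.q.q",
                                # a typo that made "already on the backup"
                                # never match, so the route was re-set and
                                # logged on every run
my $ext_addr_1 = "109.206.у.у"; # this host's own address on the primary uplink
my $google     = "8.8.8.8";     # reachability probe target
my $log_file   = "./change_route.log"; # relative: depends on the caller's cwd
my $now        = localtime time;

# Returns the gateway of the current IPv4 default route, or "" if there is none.
# Reads "netstat -rn" through a pipe (no shell) instead of "netstat | grep".
sub _current_default_gw {
    open my $rt, '-|', 'netstat', '-rn' or do {
        warn "cannot run netstat: $!";
        return "";
    };
    my $gateway = "";
    while (my $line = <$rt>) {
        next unless $line =~ /^default\s+(\S+)/;
        $gateway = $1;
        last;    # the first "default" line is the IPv4 one
    }
    close $rt;
    return $gateway;
}

# Runs "route VERB default GATEWAY" in list form (no shell), swallowing its
# stdout as the backtick version did. Returns true when route exited 0.
sub _set_default_route {
    my ($verb, $gateway) = @_;
    open my $out, '-|', 'route', $verb, 'default', $gateway or do {
        warn "cannot run route: $!";
        return 0;
    };
    my $ignored = do { local $/; <$out> };
    close $out;
    return $? == 0;
}

# Appends one line to the change log. A log that cannot be opened is reported
# with warn instead of being written to an unopened handle.
sub _log_change {
    my ($gateway) = @_;
    if (open my $log, '>>', $log_file) {
        print {$log} "[!] $now Route change to $gateway\n";
        close $log or warn "close $log_file: $!";
    }
    else {
        warn "cannot open $log_file: $!";
    }
    return;
}

# Makes $gateway the default route unless it already is. With no default route
# at all the route is added (and, as before, not logged); a successful change
# is logged. "route change" with no default route present fails, which the old
# "bad" branch did not handle.
sub _switch_to {
    my ($gateway, $current) = @_;
    return if $current eq $gateway;
    if ($current eq "") {
        _set_default_route('add', $gateway);
    }
    elsif (_set_default_route('change', $gateway)) {
        _log_change($gateway);
    }
    return;
}

my $current = _current_default_gw();

if ($action == 1) {
    my $p = Net::Ping->new("icmp");    # raw ICMP socket: needs root
    # Probe the Internet *through the primary uplink* regardless of the current
    # default route: the probe is sourced from our rl0 address, which the pf
    # rule "pass out route-to ($ext_if_1 $gw_1) inet from ($ext_if_1)" sends
    # out via $host_gw. The old check pinged via whatever the default route was,
    # so while on the backup it reported "ok", switched back to a primary that
    # was still down, failed on the next run, switched again - the route
    # flapped on every cycle.
    # NOTE(review): relies on that pf route-to rule being loaded - confirm.
    $p->bind($ext_addr_1);
    if ($p->ping($google, 4)) {
        print "host $host_gw is ok\n";
        _switch_to($host_gw, $current);
    }
    else {
        print "host $host_gw is bad.\n";
        _switch_to($gw, $current);
    }
    $p->close();
}

if ($action == 2) {
    _switch_to($gw, $current);
}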
/usr/scripts/route.sh
host 109.206.w.w is bad.
netstat -rn
default 95.128.q.q UGS 0 451 ste0
10.0.0.0/16 link#1 U 0 0 age0
10.0.0.0/16 link#1 U 0 0 age0
10.0.8.20 link#1 UHS 0 0 lo0
95.128.xx/29 link#2 U 0 0 ste0
95.128.xx link#2 UHS 0 0 lo0
109.206.у.у/24 link#3 U 0 0 rl0
109.206.у.у link#3 UHS 0 0 lo0
127.0.0.1 link#6 UH 0 0 lo0
host 109.206.w.w is ok