There is a FreeBSD 8.1 router with 2 NICs (rl0 and re0). rl0 (with the public address) faces the Internet, re0 faces the LAN. IPFW NAT is used.
I read that net.inet.ip.fw.one_pass is broken in 8.1. Worked around it by following this:
Code:
In the file /usr/src/sys/netinet/ipfw/ip_fw_pfil.c find the line case IP_FW_NAT: and add after it
if (V_fw_one_pass)
        break;
goto again;
Then rebuild the kernel, after which one_pass works as it should.
The kernel is built with these options:
Code:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_NAT
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options LIBALIAS
options ROUTETABLES=2
options DUMMYNET
options HZ="1000"
Code:
net.inet.ip.fw.one_pass=1
Code:
gateway_enable="YES"
hostname="xxx.org.ua"
ifconfig_re0="inet 172.16.100.1 netmask 255.255.255.0"
ifconfig_rl0="inet 109.87.xxx.yyy netmask 255.255.255.0"
defaultrouter="109.87.xxx.zzz"
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
Code:
#!/bin/sh
FwCMD="/sbin/ipfw -q"
oif="rl0"
iif="re0"
oip="109.87.xxx.yyy"
iip="172.16.100.1"
${FwCMD} -f flush
#---------------------------------------------------------
# Loopback
${FwCMD} add allow ip from any to any via lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
#---------------------------------------------------------
# Allow all traffic via local network
${FwCMD} add allow ip from any to any via ${iif}
# Allow all traffic via OpenVPN interface
${FwCMD} add allow ip from any to any via tun0
#----------------------------------------------------------
# IPTV (udpxy)
${FwCMD} add allow igmp from any to any
${FwCMD} add allow udp from any to 224.0.0.0/4
#${FwCMD} add allow udp from 224.0.0.0/4 to any
#----------------------------------------------------------
# Deny private networks on external interface
${FwCMD} add deny ip from any to 192.168.0.0/16 in recv ${oif}
${FwCMD} add deny ip from 192.168.0.0/16 to any in recv ${oif}
${FwCMD} add deny ip from any to 172.16.0.0/12 in recv ${oif}
${FwCMD} add deny ip from 172.16.0.0/12 to any in recv ${oif}
${FwCMD} add deny ip from any to 10.0.0.0/8 in recv ${oif}
${FwCMD} add deny ip from 10.0.0.0/8 to any in recv ${oif}
${FwCMD} add deny ip from any to 169.254.0.0/16 in recv ${oif}
${FwCMD} add deny ip from 169.254.0.0/16 to any in recv ${oif}
#-----------------------------------------------------------
# OPEN Ports
#-----------------------------------------------------------
# FTP
${FwCMD} add allow tcp from any to me 21 in via ${oif}
# SSH
${FwCMD} add allow tcp from any to me 22 in via ${oif}
# SMTP
${FwCMD} add allow tcp from any to me 25 in via ${oif}
# DNS(Named)
${FwCMD} add allow tcp from any to me 53 in via ${oif}
# HTTP
${FwCMD} add allow tcp from any to me 80 in via ${oif}
# POP3
${FwCMD} add allow tcp from any to me 110 in via ${oif}
# VPN PPTP
${FwCMD} add allow tcp from any to me 1723 in via ${oif}
# OpenVPN
${FwCMD} add allow udp from any to me 2000 in via ${oif}
# VPN Web Interface
${FwCMD} add allow tcp from any to me 5006 in via ${oif}
# Transmission Remote GUI
${FwCMD} add allow tcp from any to me 9091 in via ${oif}
# Passive FTP
${FwCMD} add allow tcp from any to me 50000-50500 in via ${oif}
# Transmission
${FwCMD} add allow tcp from any to me 55555 in via ${oif}
${FwCMD} add allow udp from any to me 55555 in via ${oif}
# VPN PPTP
${FwCMD} add allow udp from any to me 1701 in via ${oif}
#----------------------------------------------------------------
# Nat Configure + redirect ports
${FwCMD} nat 1 config log if ${oif} reset same_ports deny_in redirect_port tcp 172.16.100.2:4444 4444
# NAT Rules
${FwCMD} add nat 1 ip from any to any via ${oif}
#----------------------------------------------------------------
# Deny all
${FwCMD} add deny log all from any to any
With this configuration everything works fine; pings from the LAN to the outside world go through. I decided to allow ICMP from the outside world to the router itself and added

Code:
# Incoming Pings
#${FwCMD} add allow log icmp from any to me in via ${oif}

after

Code:
# VPN PPTP
${FwCMD} add allow udp from any to me 1701 in via ${oif}

Adding

Code:
${FwCMD} add allow icmp from any to any

after the NAT rule doesn't help. Removing

Code:
deny_in

ipfw show:
Code:
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 1742 218095 allow ip from any to any via re0
00500 196 29880 allow ip from any to any via tun0
00600 0 0 allow igmp from any to any
00700 0 0 allow udp from any to 224.0.0.0/4
00800 0 0 deny ip from any to 192.168.0.0/16 in recv rl0
00900 0 0 deny ip from 192.168.0.0/16 to any in recv rl0
01000 0 0 deny ip from any to 172.16.0.0/12 in recv rl0
01100 0 0 deny ip from 172.16.0.0/12 to any in recv rl0
01200 0 0 deny ip from any to 10.0.0.0/8 in recv rl0
01300 0 0 deny ip from 10.0.0.0/8 to any in recv rl0
01400 0 0 deny ip from any to 169.254.0.0/16 in recv rl0
01500 0 0 deny ip from 169.254.0.0/16 to any in recv rl0
01600 0 0 allow tcp from any to me dst-port 21 in via rl0
01700 0 0 allow tcp from any to me dst-port 22 in via rl0
01800 0 0 allow tcp from any to me dst-port 25 in via rl0
01900 0 0 allow tcp from any to me dst-port 53 in via rl0
02000 0 0 allow tcp from any to me dst-port 80 in via rl0
02100 0 0 allow tcp from any to me dst-port 110 in via rl0
02200 0 0 allow tcp from any to me dst-port 1723 in via rl0
02300 105 28117 allow udp from any to me dst-port 2000 in via rl0
02400 0 0 allow tcp from any to me dst-port 5006 in via rl0
02500 0 0 allow tcp from any to me dst-port 9091 in via rl0
02600 0 0 allow tcp from any to me dst-port 50000-50500 in via rl0
02700 3426 156133 allow tcp from any to me dst-port 55555 in via rl0
02800 313 54054 allow udp from any to me dst-port 55555 in via rl0
02900 0 0 allow udp from any to me dst-port 1701 in via rl0
03000 29 2230 allow log logamount 100 icmp from any to me in via rl0
03100 9651 11593635 nat 1 ip from any to any via rl0
03200 0 0 deny log logamount 100 ip from any to any
65535 0 0 allow ip from any to any
Code:
${FwCMD} add allow all from any to any via ${oif}
Dear gurus, please tell me where the mistake is or what was done wrong?
Thanks in advance, regards, Pinkerton
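As an added illustration (not part of the post above, and not FreeBSD's own code), the following Python model walks a hand-picked subset of the poster's rules first-match and applies the one_pass decision that the ip_fw_pfil.c patch quoted at the top restores after the nat action: with one_pass=1 a packet handed to nat is accepted right away, with one_pass=0 it continues at the next rule, which in this ruleset is the final `deny log`. It also models `deny_in` as a drop inside nat for inbound packets with no translation entry. The router addresses, the packets and the tiny stand-in for libalias' translation table are constructed assumptions (the post masks the real public address as 109.87.xxx.yyy).

```python
"""Toy first-match model of ipfw, including what net.inet.ip.fw.one_pass
does after a `nat` action. Added example; not the kernel's code and not
code from the post. Rule numbers follow the poster's `ipfw show` listing."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for the router's own addresses ("me" in ipfw rules).
ROUTER_ADDRS = {"109.87.0.1", "172.16.100.1"}


@dataclass
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int]  # None for icmp
    iface: str            # interface the packet crosses (recv if in, xmit if out)
    direction: str        # "in" or "out"


@dataclass
class Rule:
    num: int
    action: str                  # "allow", "deny" or "nat"
    proto: str = "ip"            # "ip" matches every protocol
    src: str = "any"             # "any", "me" or a CIDR network
    dst: str = "any"
    dport: Optional[int] = None
    iface: Optional[str] = None  # "via X" and "in recv X" both reduce to a check on the crossed interface here
    direction: Optional[str] = None


@dataclass
class NatInstance:
    """Stand-in for `ipfw nat 1 config ... deny_in`; `links` plays the role of
    libalias' translation table, keyed here only on (proto, remote address)."""
    deny_in: bool = True
    links: set = field(default_factory=set)


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ROUTER_ADDRS
    return ip_address(addr) in ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def evaluate(rules, pkt: Packet, nat: NatInstance, one_pass: bool):
    """Walk the ruleset first-match; return (verdict, numbers of the rules that matched)."""
    matched = []
    for rule in rules:  # rules are kept sorted by number
        if not rule_matches(rule, pkt):
            continue
        matched.append(rule.num)
        if rule.action in ("allow", "deny"):
            return rule.action, matched
        # action == "nat": hand the packet to nat (addresses are not rewritten in
        # this toy), then apply the decision the ip_fw_pfil.c patch restores:
        #   if (V_fw_one_pass) break;  -> packet accepted right after nat
        #   goto again;                -> otherwise continue with the next rule
        if pkt.direction == "out":
            nat.links.add((pkt.proto, pkt.dst))
        elif nat.deny_in and (pkt.proto, pkt.src) not in nat.links:
            return "deny", matched  # dropped inside nat; no further rules are consulted
        if one_pass:
            return "allow", matched
    return "allow", matched  # rule 65535 with IPFIREWALL_DEFAULT_TO_ACCEPT


RULES = [
    Rule(400, "allow", iface="re0"),
    Rule(1000, "deny", dst="172.16.0.0/12", iface="rl0", direction="in"),
    Rule(1100, "deny", src="172.16.0.0/12", iface="rl0", direction="in"),
    Rule(1700, "allow", "tcp", dst="me", dport=22, iface="rl0", direction="in"),
    Rule(3000, "allow", "icmp", dst="me", iface="rl0", direction="in"),
    Rule(3100, "nat", iface="rl0"),
    Rule(3200, "deny"),
]


def run_scenarios(one_pass: bool):
    """Constructed packets; returns {name: (verdict, matched rule numbers)}."""
    nat = NatInstance(deny_in=True)
    scenarios = {
        "echo_request_in": Packet("icmp", "198.51.100.7", "109.87.0.1", None, "rl0", "in"),
        "echo_reply_out": Packet("icmp", "109.87.0.1", "198.51.100.7", None, "rl0", "out"),
        "lan_to_internet_out": Packet("tcp", "172.16.100.2", "198.51.100.7", 443, "rl0", "out"),
        "unsolicited_in": Packet("tcp", "203.0.113.9", "109.87.0.1", 8080, "rl0", "in"),
    }
    return {name: evaluate(RULES, p, nat, one_pass) for name, p in scenarios.items()}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"one_pass={int(flag)}")
        for name, (verdict, path) in run_scenarios(flag).items():
            print(f"  {name:22s} {verdict:5s} via rules {path}")
```

Running it shows the point of the patch: with one_pass=1, everything handed to nat (the echo reply and the LAN client's outbound connection) is accepted at rule 3100 and never reaches rule 3200, so that rule's counters and log stay empty for NATed traffic; with one_pass=0 the same packets fall through to 3200 and are dropped. An unsolicited inbound connection is refused by nat itself because of deny_in, not by the final rule.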