Could someone please help...
I have read this post, the articles on the site, and some other things (man pages etc.), but somehow it just does not work...
The task is to pass UDP/NAT from a local machine (Cisco VPN client) to an external host on the Internet.
Configs:
The kernel is built as it should be.
Firewall setup
Code:
fwcmd="/sbin/ipfw -q"
# set these to your outside interface network and netmask and ip
oif="xl1"
oip="1.2.3.4"
# set these to your inside interface network and netmask and ip
iif="xl2"
inet="192.168.2.0"
imask="255.255.255.0"
iip="192.168.2.252"
# set these to your inside admin network netmask and ip
iadmip="192.168.2.15"
#
${fwcmd} flush
#
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add deny ip from any to 127.0.0.0/8
#
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
#
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
#
# Deny, but no log multicast traffic
#
${fwcmd} add deny all from any to 224.0.0.0:255.0.0.0 via ${iif}
${fwcmd} add deny all from any to 224.0.0.0:255.0.0.0 via ${oif}
#
# Allow TCP through if setup succeeded
${fwcmd} add allow tcp from any to any frag
${fwcmd} add allow tcp from any to any established
#
# Allow setup of any other TCP outgoing connection
${fwcmd} add allow tcp from ${oip} to any setup
# Allow access to WWW server
${fwcmd} add allow tcp from ${inet}:${imask} to ${iip} 80 setup
#
# Allow pass-through via SQUID proxy
${fwcmd} add allow tcp from ${inet}:${imask} to ${iip} 3128 setup
#
# for passive ftp connections
#
##${fwcmd} add allow tcp from any to any 40000-43999 setup
${fwcmd} add allow tcp from ${inet}:${imask} 40000-43999 to ${iip} setup
#
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
${fwcmd} add deny log tcp from any to any in via ${iif} setup
#
# Block any other connections
#
${fwcmd} add deny log tcp from any to any
#
#---------------------------------
# UDP section
#---------------------------------
# Allow NAT udp out from admin machine
${fwcmd} add allow log ip from any to any via ${iif}
${fwcmd} nat 10 config log if ${oif} reset same_ports deny_in redirect_port udp ${oip}:500 500
${fwcmd} add nat 10 log ip from any to any out xmit ${oif}
${fwcmd} add nat 10 log ip from any to any in recv ${oif}
#
# Deny broadcasts (don't log it!)
${fwcmd} add deny udp from any to 255.255.255.255
#
# Deny and log other UDP packets
${fwcmd} add deny log udp from any to any
${fwcmd} add pass icmp from any to ${iip}
${fwcmd} add pass icmp from any to ${oip}
${fwcmd} add pass icmp from ${iip} to any
${fwcmd} add pass icmp from ${oip} to any
# Everything else is denied as default.
${fwcmd} add 65534 deny log ip from any to any
#
On xl2 -rxcsum is disabled, but on xl1 I can't do that, since it gets its settings from the provider via DHCP.
In rc.conf
is set
So with this config, when the device is started from the local machine, the logs show the following
Code:
Dec 1 11:52:01 sterlet kernel: ipfw: 3000 Nat UDP 1.2.3.4:123 80.93.56.210:123 out via xl1
Dec 1 11:55:34 sterlet kernel: ipfw: 2600 Deny TCP 94.251.88.39:4543 94.251.116.107:445 in via xl1
Dec 1 11:55:38 sterlet kernel: ipfw: 2900 Accept UDP 192.168.2.15:1603 5.6.7.8:500 in via xl2
Dec 1 11:55:43 sterlet kernel: ipfw: 2900 Accept UDP 192.168.2.15:1603 5.6.7.8:500 in via xl2
Dec 1 11:55:48 sterlet kernel: ipfw: 2900 Accept UDP 192.168.2.15:1603 5.6.7.8:500 in via xl2
Dec 1 11:55:53 sterlet kernel: ipfw: 2900 Accept UDP 192.168.2.15:1603 5.6.7.8:500 in via xl2
Dec 1 11:56:19 sterlet kernel: ipfw: 3000 Nat UDP 1.2.3.4:123 80.93.56.210:123 out via xl1
Dec 1 11:56:31 sterlet kernel: ipfw: 3000 Nat UDP 1.2.3.4:123 83.229.137.52:123 out via xl1
Dec 1 11:56:43 sterlet kernel: ipfw: 3000 Nat UDP 1.2.3.4:123 207.46.232.182:123 out via xl1
Dec 1 11:57:03 sterlet kernel: ipfw: 3000 Nat UDP 1.2.3.4:123 193.125.143.173:123 out via xl1
Dec 1 11:57:14 sterlet kernel: ipfw: 3000 Nat UDP 1.2.3.4:123 77.234.200.98:123 out via xl1
Dec 1 11:57:22 sterlet kernel: ipfw: 2600 Deny TCP 94.19.4.213:1877 1.2.3.4:135 in via xl1
Dec 1 11:57:25 sterlet kernel: ipfw: 2600 Deny TCP 94.19.4.213:1877 1.2.3.4:135 in via xl1
Dec 1 11:57:44 sterlet kernel: ipfw: 3000 Nat UDP 1.2.3.4:65507 81.1.192.5:53 out via xl1
Dec 1 11:57:44 sterlet kernel: ipfw: 3000 Nat UDP 1.2.3.4:65507 81.1.192.5:53 out via xl1
There are packets on xl2, but on xl1 there is everything except the ones I need
NAT configs
Code:
sterlet# ipfw nat show
nat 10: icmp=0, udp=4, tcp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=4
sterlet#
Code:
sterlet# ipfw nat show config
ipfw nat 10 config if xl1 log deny_in same_ports reset redirect_port udp 1.2.3.4:500 500
sterlet#
Why is there nothing about port 500 on xl1, and is there any way to see packet traversal through NAT in more detail in the logs??? And can rxcsum be disabled on an interface when all of its network settings are issued via DHCP?
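Added illustration, not part of the post: a minimal Python model of ipfw's first-match evaluation, run over a hand-reduced subset of the rules above. It shows that a packet leaving xl1 is still checked with its private source address until a nat rule translates it, so the unlogged RFC1918 deny near the top of the script catches the IKE packet before rule 3000 ever sees it, which is why FreeBSD's own rc.firewall places its nat rule ahead of that block. Rule numbers other than 2900/3000 are illustrative and the packets are constructed from the log lines in the post.

```python
import ipaddress

def rule(num, action, src, dst, direction=None, iface=None, log=False):
    """One simplified ipfw rule; src/dst are CIDR strings, iface is the
    interface tested by 'via' (any direction) or 'xmit'/'recv' (one direction)."""
    return dict(num=num, action=action, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), direction=direction,
                iface=iface, log=log)

def matches(r, pkt):
    """pkt: dict(src, dst, direction 'in'|'out', iface). For an outgoing
    packet only the transmit interface is compared, as ipfw's 'via' does."""
    return (ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and r["direction"] in (None, pkt["direction"])
            and r["iface"] in (None, pkt["iface"]))

def first_match(rules, pkt):
    """Return (number, action, logged) of the first matching rule, walking
    the rules in number order like ipfw. 'nat' is treated as terminal, i.e.
    the default net.inet.ip.fw.one_pass=1 behaviour of in-kernel nat."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, pkt):
            return r["num"], r["action"], r["log"]
    return 65535, "deny", False          # ipfw's implicit default rule

ANY = "0.0.0.0/0"
# Hand-reduced subset of the script in the post (numbers are illustrative):
RFC1918_OUT = rule(500, "deny", "192.168.0.0/16", ANY, iface="xl1")   # no 'log'
ALLOW_LAN   = rule(2900, "allow", ANY, ANY, iface="xl2", log=True)
NAT_OUT     = rule(3000, "nat", ANY, ANY, direction="out", iface="xl1", log=True)
DENY_UDP    = rule(3200, "deny", ANY, ANY, log=True)
AS_POSTED = [RFC1918_OUT, ALLOW_LAN, NAT_OUT, DENY_UDP]
# Order used by FreeBSD's rc.firewall: the nat rule sits before the RFC1918
# block, so the outgoing packet is translated before the private-source check.
NAT_EARLY = rule(400, "nat", ANY, ANY, direction="out", iface="xl1", log=True)
REORDERED = [NAT_EARLY, RFC1918_OUT, ALLOW_LAN, DENY_UDP]

# Constructed packets modelled on the log lines in the post.
VPN_IN  = dict(src="192.168.2.15", dst="5.6.7.8", direction="in",  iface="xl2")
VPN_OUT = dict(src="192.168.2.15", dst="5.6.7.8", direction="out", iface="xl1")
NTP_OUT = dict(src="1.2.3.4", dst="80.93.56.210", direction="out", iface="xl1")

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("nat first", REORDERED)):
        for pname, pkt in (("vpn in", VPN_IN), ("vpn out", VPN_OUT), ("ntp out", NTP_OUT)):
            print(name, pname, first_match(rules, pkt))
```

With the posted order the VPN packet is accepted inbound on xl2 (rule 2900, logged) and then silently dropped outbound on xl1 by the unlogged RFC1918 rule, while the NTP packets with a public source reach rule 3000, exactly the pattern in the log above.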