я еще пока начинающий админ FreeBSD. У меня возниквопрос: есть у меня шлюз, вроде все работает... все было гут пока кто-то из внутренней сети вдруг решил подключиться через шлюз к VPN где то в недрах Инета.
Шлюз построен на основе статьи с сайта Лиса (за что ему премного благодарен)
пробовал рыть сам.... но ни чего стоящего не нарыл
ipfw rules:
Код: Выделить всё
FwCMD="/sbin/ipfw"
${FwCMD} -f flush
${FwCMD} add check-state
${FwCMD} add allow gre from any to any
${FwCMD} add deny ip from any to any not verrevpath in via ed0
${FwCMD} add deny ip from any to any not verrevpath in via rl0
${FwCMD} add allow ip from any to any via lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ed0
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ed0
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ed0
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ed0
${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny icmp from any to 255.255.255.255 in via ed0
${FwCMD} add deny icmp from any to 255.255.255.255 out via ed0
${FwCMD} add divert natd ip from 192.168.0.0/24 to any out via ed0
${FwCMD} add divert natd ip from any to 172.16.201.67 in via ed0
${FwCMD} add deny ip from 10.0.0.0/8 to any out via ed0
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ed0
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ed0
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ed0
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ed0
${FwCMD} add allow tcp from any to any established
${FwCMD} add allow tcp from 172.16.57.48 to 192.168.0.99 5060 via ed0
${FwCMD} add allow ip from 172.16.201.67 to any out xmit ed0
${FwCMD} add allow udp from 172.16.250.63 to any via ed0
${FwCMD} add allow udp from 78.108.68.68 53 to any via ed0
${FwCMD} add allow udp from 78.108.68.108 53 to any via ed0
${FwCMD} add allow udp from any to any 123 via ed0
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
${FwCMD} add allow tcp from 172.16.57.48 to 172.16.201.67 22 via ed0
${FwCMD} add allow ip from any to 192.168.0.58 via rl0
${FwCMD} add allow ip from 192.168.0.58 to any via rl0
${FwCMD} add allow ip from any to 192.168.0.3 via rl0
${FwCMD} add allow ip from any to 192.168.0.5 via rl0
${FwCMD} add allow ip from any to 192.168.0.153 via rl0
${FwCMD} add allow ip from any to 192.168.0.154 via rl0
${FwCMD} add allow ip from any to 192.168.0.155 via rl0
${FwCMD} add allow ip from any to 192.168.0.156 via rl0
${FwCMD} add allow ip from any to 192.168.0.157 via rl0
${FwCMD} add allow ip from any to 192.168.0.158 via rl0
${FwCMD} add allow ip from any to 192.168.0.159 via rl0
${FwCMD} add allow ip from any to 192.168.0.99 via rl0
${FwCMD} add allow ip from 192.168.0.153 to any via rl0
${FwCMD} add allow ip from 192.168.0.154 to any via rl0
${FwCMD} add allow ip from 192.168.0.155 to any via rl0
${FwCMD} add allow ip from 192.168.0.156 to any via rl0
${FwCMD} add allow ip from 192.168.0.157 to any via rl0
${FwCMD} add allow ip from 192.168.0.158 to any via rl0
${FwCMD} add allow ip from 192.168.0.159 to any via rl0
${FwCMD} add allow ip from 192.168.0.99 to any via rl0
${FwCMD} add allow ip from 192.168.0.3 to any via rl0
${FwCMD} add allow ip from 192.168.0.5 to any via rl0
${FwCMD} add deny ip from any to anyrl0 - внутренняя сеть
пробовал отдельно открывать в обе стороны порт 1723 - без результатно
tcpdump анализ тоже ни чего не дал....
пакеты уходят на внешний интерфейс.... и на ип к которому надо подключиться
и вроде как ответ есть.... но соединение не устанавливается
а не важно пробовал и так и так......