PF pass rule for an incoming VPN connection

gberc
corporal
Posts: 50
Joined: 2011-05-20 9:41:20

PF pass rule for an incoming VPN connection

Post by gberc » 2011-07-02 18:25:26

Greetings, all.
Setup: a server running FreeBSD 8.2, with mpd 5 (current version) configured on it as an L2TP server; I am now getting to grips with PF and configuring it bit by bit.
A (newbie) question came up: I cannot find any information on how to write a rule that lets a VPN client see the local network behind the VPN server.
Currently, with PF enabled:
- the connection to mpd succeeds, and an IP from the same local network is issued.
- there is no access to the computers on the local network. BUT if I load the "OPEN" ruleset into PF, access to the local network resources appears, i.e. the routes are fine.

Code:

#_# interface to the local network
local_if="bge1"
#_# IP address of the local interface
local_ip="192.168.2.11"
#_# port for connecting to the VPN server
mpd_port="1701"

#_# block all traffic by default
block all
pass quick on ng0 all
#_# allow all outgoing traffic from the local machine
pass out on $local_if from $local_if to any
#_# allow connections to our VPN server on UDP port 1701 from any network
pass in log on $local_if proto udp from any to $local_ip port $mpd_port keep state


gberc
corporal
Posts: 50
Joined: 2011-05-20 9:41:20

Re: PF pass rule for an incoming VPN connection

Post by gberc » 2011-07-04 11:34:53

I changed the rule

Code:

pass quick on ng0 all
to

Code:

pass in quick on ng0 from any to any
pass out quick on ng0 from any to any
Nothing changed. I checked: when connecting over VPN, the ng0 interface is created.

gberc
corporal
Posts: 50
Joined: 2011-05-20 9:41:20

Re: PF pass rule for an incoming VPN connection

Post by gberc » 2011-07-06 14:34:22

How is the PF firewall supposed to handle the ng0 interface coming up at all?
Maybe I need two sets of rules: one for when there are no connections to mpd, and a second one that is loaded as a start-up script in mpd when the ng0 interface comes up?
(I have seen somewhere that the firewall complains about rules that reference an ng0 interface that is not up yet. Or am I confusing something?)

homoadminus
private
Posts: 41
Joined: 2011-06-27 3:45:02

Re: PF pass rule for an incoming VPN connection

Post by homoadminus » 2011-07-06 17:04:12

Well, the addresses for ng* are issued from a known range, right? :) What stops you from simply writing a rule without specifying the interface? 8)

gberc
corporal
Posts: 50
Joined: 2011-05-20 9:41:20

Re: PF pass rule for an incoming VPN connection

Post by gberc » 2011-07-06 19:04:09

homoadminus, following your advice I added the rules

Code:

pass in on self from 192.168.3.201 to $local_lan
pass out on self from $local_lan to 192.168.3.201
192.168.3.201 is the IP issued over VPN
local_lan = 192.168.2.0/23
The situation has not changed.
Here are some more logs.
Closed firewall:

Code:

FILTER RULES:
scrub in all fragment reassemble
block drop in log quick on ! bge1 inet from 192.168.2.0/23 to any
block drop in log quick on ! bge1 inet from 192.168.2.0/23 to any
block drop in log quick inet from 192.168.2.11 to any
block drop in log quick inet from 192.168.2.12 to any
block drop in log quick on ! bge0 inet from 192.168.105.0/27 to any
block drop in log quick inet from 192.168.105.1 to any
block drop all
pass in log quick on ng0 all flags S/SA keep state
pass out log quick on ng0 all flags S/SA keep state
pass in on self inet from 192.168.3.201 to 192.168.2.0/23 flags S/SA keep state
pass out on self inet from 192.168.2.0/23 to 192.168.3.201 flags S/SA keep state
pass log inet proto icmp all icmp-type echoreq keep state
pass log inet proto icmp all icmp-type unreach keep state
pass out on bge1 inet from 192.168.2.11 to any flags S/SA keep state
pass out on bge1 inet from 192.168.2.12 to any flags S/SA keep state
pass in quick on bge1 inet proto udp from 192.168.2.0/23 to 192.168.2.11 port = bootps keep state
pass in quick on bge1 inet proto udp from 192.168.2.0/23 to 192.168.2.11 port = bootpc keep state
pass in quick on bge1 inet proto udp from 192.168.2.0/23 to 192.168.2.12 port = bootps keep state
pass in quick on bge1 inet proto udp from 192.168.2.0/23 to 192.168.2.12 port = bootpc keep state
pass in quick on bge1 inet proto udp from 192.168.105.0/27 to 192.168.2.11 port = bootps keep state
pass in quick on bge1 inet proto udp from 192.168.105.0/27 to 192.168.2.11 port = bootpc keep state
pass in quick on bge1 inet proto udp from 192.168.105.0/27 to 192.168.2.12 port = bootps keep state
pass in quick on bge1 inet proto udp from 192.168.105.0/27 to 192.168.2.12 port = bootpc keep state
pass in on bge0 inet from 192.168.105.0/27 to any flags S/SA keep state
block drop in on bge0 inet from 192.168.105.0/27 to 192.168.2.0/23
pass in log on bge1 inet proto tcp from 195.78.60.0/24 to 192.168.2.11 port = 33333 flags S/SA keep state
pass in log on bge1 inet proto tcp from 195.78.60.0/24 to 192.168.2.12 port = 33333 flags S/SA keep state
pass in log on bge1 inet proto tcp from 192.168.2.0/23 to 192.168.2.11 port = 33333 flags S/SA keep state
pass in log on bge1 inet proto tcp from 192.168.2.0/23 to 192.168.2.12 port = 33333 flags S/SA keep state
pass in log quick on bge1 inet proto tcp from any to 192.168.2.12 port = ftp flags S/SA keep state
pass in log quick on bge1 inet proto tcp from any to 192.168.2.12 port 50000 >< 50050 flags S/SA keep state
pass in log quick on bge1 inet proto udp from any to 192.168.2.11 port = l2f keep state
pass in log quick on bge1 inet proto tcp from 192.168.2.0/23 to 192.168.2.11 port = 5006 flags S/SA keep state
No queue in use
This is the log with the closed firewall:

Code:

#tcpdump -i ng0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng0, link-type NULL (BSD loopback), capture size 96 bytes
19:47:35.142306 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 129
19:47:35.169042 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 97
19:47:35.206924 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 123
19:47:35.239100 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 125
19:47:35.259868 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 123
19:47:35.286926 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 133
19:47:35.316030 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 133
19:47:35.478962 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:35.490510 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:35.492413 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:35.541408 IP 192.168.3.201.64452 > 239.255.255.250.3702: UDP, length 656
19:47:35.609269 IP 192.168.3.201.64452 > 239.255.255.250.3702: UDP, length 656
19:47:35.808759 IP 192.168.3.201.55352 > 224.0.0.252.5355: UDP, length 22
19:47:35.908795 IP 192.168.3.201.55352 > 224.0.0.252.5355: UDP, length 22
19:47:36.119396 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:36.122030 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 133
19:47:36.124111 IP 192.168.3.201.53581 > 224.0.0.252.5355: UDP, length 24
19:47:36.216104 IP 192.168.3.201.53581 > 224.0.0.252.5355: UDP, length 24
19:47:36.224264 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:36.240059 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:36.241815 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:36.418253 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:36.863411 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:36.977040 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:36.989759 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:36.991660 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:37.165410 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 133
19:47:37.167895 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:37.616180 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:37.744280 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:37.920072 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:38.319217 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 129
19:47:38.350942 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 97
19:47:38.365572 IP 192.168.3.201.56589 > 192.168.3.197.domain: 28945+ A? www.msftncsi.com. (34)
19:47:38.367458 IP 192.168.3.201.59246 > 192.168.3.197.domain: 2885+ A? www.msftncsi.com. (34)
19:47:38.375503 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 123
19:47:38.400513 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 125
19:47:38.423330 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 123
19:47:38.452434 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 133
19:47:38.478614 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 133
19:47:38.493972 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:38.667284 IP 192.168.3.201.59297 > 224.0.0.252.5355: UDP, length 24
19:47:38.768488 IP 192.168.3.201.59297 > 224.0.0.252.5355: UDP, length 24
19:47:38.839713 IP 192.168.3.201.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request, length 300
19:47:38.968854 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:39.243078 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:39.364060 IP 192.168.3.201.56589 > 192.168.3.197.domain: 28945+ A? www.msftncsi.com. (34)
19:47:39.367104 IP 192.168.3.201.59246 > 192.168.3.197.domain: 2885+ A? www.msftncsi.com. (34)
19:47:39.717674 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:39.787724 IP 192.168.3.201.51360 > 239.255.255.250.3702: UDP, length 624
19:47:39.904873 IP 192.168.3.201.51360 > 239.255.255.250.3702: UDP, length 624
19:47:39.993063 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
19:47:40.165348 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 133
19:47:40.467820 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:40.744070 IP 192.168.3.201.netbios-dgm > 255.255.255.255.netbios-dgm: NBT UDP PACKET(138)
19:47:40.767613 IP 192.168.3.201.netbios-dgm > 255.255.255.255.netbios-dgm: NBT UDP PACKET(138)
19:47:41.222167 IP 192.168.3.201.63652 > 224.0.0.252.5355: UDP, length 24
19:47:41.321178 IP 192.168.3.201.63652 > 224.0.0.252.5355: UDP, length 24
19:47:41.523608 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:42.243319 IP 192.168.3.201.netbios-dgm > 255.255.255.255.netbios-dgm: NBT UDP PACKET(138)
19:47:42.271815 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:43.022850 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:43.165999 IP 192.168.3.201.63664 > 239.255.255.250.1900: UDP, length 133
19:47:43.743422 IP 192.168.3.201.netbios-dgm > 255.255.255.255.netbios-dgm: NBT UDP PACKET(138)
19:47:43.777771 IP 192.168.3.201.53436 > 224.0.0.252.5355: UDP, length 24
19:47:43.877093 IP 192.168.3.201.53436 > 224.0.0.252.5355: UDP, length 24
19:47:44.079785 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:44.636879 IP 192.168.3.201.61034 > 224.0.0.252.5355: UDP, length 22
19:47:44.736453 IP 192.168.3.201.61034 > 224.0.0.252.5355: UDP, length 22
19:47:44.823619 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:44.945600 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:45.149637 IP 192.168.3.201.50266 > 192.168.3.197.microsoft-ds: Flags [S], seq 3532174179, win 8192, options [mss 1320,nop,wscale 2,nop,nop,sackOK], length 0
19:47:45.243957 IP 192.168.3.201.netbios-dgm > 255.255.255.255.netbios-dgm: NBT UDP PACKET(138)
19:47:45.578750 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:45.687686 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:46.155836 IP 192.168.3.201.50267 > 192.168.3.197.microsoft-ds: Flags [S], seq 394426979, win 8192, options [mss 1320,nop,wscale 2,nop,nop,sackOK], length 0
19:47:46.161099 IP 192.168.3.201.50271 > 192.168.3.197.netbios-ssn: Flags [S], seq 2517564497, win 8192, options [mss 1320,nop,wscale 2,nop,nop,sackOK], length 0
19:47:46.323439 IP 192.168.3.201.50862 > 224.0.0.252.5355: UDP, length 24
19:47:46.424666 IP 192.168.3.201.50862 > 224.0.0.252.5355: UDP, length 24
19:47:46.443661 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:46.628525 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:47.202574 IP 192.168.3.201.50275 > 192.168.3.197.http: Flags [S], seq 2103677422, win 8192, options [mss 1320,nop,wscale 2,nop,nop,sackOK], length 0
19:47:47.376480 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:48.126004 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:48.161687 IP 192.168.3.201.50266 > 192.168.3.197.microsoft-ds: Flags [S], seq 3532174179, win 8192, options [mss 1320,nop,wscale 2,nop,nop,sackOK], length 0
19:47:48.876283 IP 192.168.3.201.55310 > 224.0.0.252.5355: UDP, length 24
19:47:48.976158 IP 192.168.3.201.55310 > 224.0.0.252.5355: UDP, length 24
19:47:49.146688 IP 192.168.3.201.50267 > 192.168.3.197.microsoft-ds: Flags [S], seq 394426979, win 8192, options [mss 1320,nop,wscale 2,nop,nop,sackOK], length 0
19:47:49.158534 IP 192.168.3.201.50271 > 192.168.3.197.netbios-ssn: Flags [S], seq 2517564497, win 8192, options [mss 1320,nop,wscale 2,nop,nop,sackOK], length 0
19:47:49.177254 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:49.928133 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:50.194002 IP 192.168.3.201.50275 > 192.168.3.197.http: Flags [S], seq 2103677422, win 8192, options [mss 1320,nop,wscale 2,nop,nop,sackOK], length 0
19:47:50.677670 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:51.427507 IP 192.168.3.201.60432 > 224.0.0.252.5355: UDP, length 24
19:47:51.527816 IP 192.168.3.201.60432 > 224.0.0.252.5355: UDP, length 24
19:47:51.730233 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:52.477906 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:53.229471 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:47:53.979906 IP 192.168.3.201.50301 > 224.0.0.252.5355: UDP, length 24
19:47:54.080203 IP 192.168.3.201.50301 > 224.0.0.252.5355: UDP, length 24
19:47:54.157864 IP 192.168.3.201.50266 > 192.168.3.197.microsoft-ds: Flags [S], seq 3532174179, win 8192, options [mss 1320,nop,nop,sackOK], length 0
19:47:54.283201 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
^C
Open firewall

Code:

FILTER RULES:
No queue in use
This is the log with the "OPEN" firewall:

Code:

20:00:31.111652 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 4839, win 64782, length 39SMB PACKET: SMBclose (REPLY)

20:00:31.136374 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4488, win 4093, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:31.136516 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 4915, win 64706, length 39SMB PACKET: SMBtrans2 (REPLY)

20:00:31.147346 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4527, win 4083, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:31.147488 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 4991, win 64630, length 39SMB PACKET: SMBtrans2 (REPLY)

20:00:31.158025 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4566, win 4073, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:31.158167 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5067, win 64554, length 39SMB PACKET: SMBtrans2 (REPLY)

20:00:31.161830 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:00:31.173102 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4605, win 4063, length 104WARNING: Short packet. Try increasing the snap length by 52
SMB PACKET: SMBtrans (REQUEST)

20:00:31.173235 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5171, win 64450, length 39SMB PACKET: SMBtrans (REPLY)

20:00:31.241396 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4644, win 4054, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:31.241537 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5247, win 64374, length 39SMB PACKET: SMBtrans2 (REPLY)

20:00:31.255439 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4683, win 4044, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:31.255579 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5323, win 64298, length 39SMB PACKET: SMBtrans2 (REPLY)

20:00:31.266555 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4722, win 4034, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:31.266698 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5399, win 64222, length 39SMB PACKET: SMBtrans2 (REPLY)

20:00:31.287326 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4761, win 4024, length 104WARNING: Short packet. Try increasing the snap length by 52
SMB PACKET: SMBtrans (REQUEST)

20:00:31.287468 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5503, win 65535, length 39SMB PACKET: SMBtrans (REPLY)

20:00:31.507444 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [.], ack 4800, win 4015, length 0
20:00:31.914183 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:00:32.395208 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4800, win 4015, length 104WARNING: Short packet. Try increasing the snap length by 52
SMB PACKET: SMBntcreateX (REQUEST)

20:00:32.395627 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5607, win 65431, length 139WARNING: Short packet. Try increasing the snap length by 87
SMB PACKET: SMBntcreateX (REPLY)

20:00:32.409673 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4939, win 3980, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:32.409814 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5683, win 65355, length 88WARNING: Short packet. Try increasing the snap length by 36
SMB PACKET: SMBtrans2 (REPLY)

20:00:32.578459 IP 192.168.3.201.netbios-ns > 192.168.3.51.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:00:32.578498 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.51 unreachable, length 36
20:00:32.663131 IP 192.168.3.201.49839 > 224.0.0.252.5355: UDP, length 24
20:00:32.762437 IP 192.168.3.201.49839 > 224.0.0.252.5355: UDP, length 24
20:00:32.767994 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 4939, win 3980, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:32.768137 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [.], ack 5683, win 65355, length 0
20:00:32.967954 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:00:33.080399 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5683, win 65355, length 88WARNING: Short packet. Try increasing the snap length by 36
SMB PACKET: SMBtrans2 (REPLY)

20:00:33.091659 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 5027, win 4290, length 184WARNING: Short packet. Try increasing the snap length by 132
SMB PACKET: SMBwriteX (REQUEST)

20:00:33.091801 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5867, win 65171, length 51SMB PACKET: SMBwriteX (REPLY)

20:00:33.105408 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 5078, win 4277, length 63WARNING: Short packet. Try increasing the snap length by 11
SMB PACKET: SMBreadX (REQUEST)

20:00:33.105550 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 5930, win 65108, length 156WARNING: Short packet. Try increasing the snap length by 104
SMB PACKET: SMBreadX (REPLY)

20:00:33.116234 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 5234, win 4238, length 168WARNING: Short packet. Try increasing the snap length by 116
SMB PACKET: SMBwriteX (REQUEST)

20:00:33.116376 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6098, win 64940, length 51SMB PACKET: SMBwriteX (REPLY)

20:00:33.127644 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 5285, win 4225, length 63WARNING: Short packet. Try increasing the snap length by 11
SMB PACKET: SMBreadX (REQUEST)

20:00:33.127800 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6161, win 64877, length 1088WARNING: Short packet. Try increasing the snap length by 1036
SMB PACKET: SMBreadX (REPLY)

20:00:33.147537 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 6373, win 4290, length 63WARNING: Short packet. Try increasing the snap length by 11
SMB PACKET: SMBreadX (REQUEST)

20:00:33.147679 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6224, win 64814, length 92WARNING: Short packet. Try increasing the snap length by 40
SMB PACKET: SMBreadX (REPLY)

20:00:33.162312 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 6465, win 4267, length 45SMB PACKET: SMBclose (REQUEST)

20:00:33.162453 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6269, win 64769, length 39SMB PACKET: SMBclose (REPLY)

20:00:33.204142 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 6504, win 4257, length 40SMB PACKET: SMBntcancel (REQUEST)

20:00:33.204284 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6309, win 64729, length 39SMB PACKET: SMBnttrans (REPLY)

20:00:33.215552 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 6543, win 4247, length 45SMB PACKET: SMBclose (REQUEST)

20:00:33.215841 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6354, win 64684, length 39SMB PACKET: SMBclose (REPLY)

20:00:33.445181 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [.], ack 6582, win 4237, length 0
20:00:33.724808 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:00:34.079633 IP 192.168.3.201.netbios-ns > 192.168.3.51.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:00:34.079676 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.51 unreachable, length 36
20:00:34.466027 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:00:34.608757 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 6582, win 4237, length 80WARNING: Short packet. Try increasing the snap length by 28
SMB PACKET: SMBtrans2 (REQUEST)

20:00:34.609047 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6434, win 64604, length 104WARNING: Short packet. Try increasing the snap length by 52
SMB PACKET: SMBtrans2 (REPLY)

20:00:34.619877 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 6686, win 4211, length 80WARNING: Short packet. Try increasing the snap length by 28
SMB PACKET: SMBtrans2 (REQUEST)

20:00:34.620018 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6514, win 64524, length 88WARNING: Short packet. Try increasing the snap length by 36
SMB PACKET: SMBtrans2 (REPLY)

20:00:34.670336 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 6774, win 4189, length 90WARNING: Short packet. Try increasing the snap length by 38
SMB PACKET: SMBntcreateX (REQUEST)

20:00:34.670625 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6604, win 64434, length 139WARNING: Short packet. Try increasing the snap length by 87
SMB PACKET: SMBntcreateX (REPLY)

20:00:34.682624 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 6774, win 4189, length 114WARNING: Short packet. Try increasing the snap length by 62
SMB PACKET: SMBntcreateX (REQUEST)

20:00:34.682914 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6718, win 64320, length 39SMB PACKET: SMBntcreateX (REPLY)

20:00:34.685414 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 6913, win 4155, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:34.685549 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6794, win 64244, length 72WARNING: Short packet. Try increasing the snap length by 20
SMB PACKET: SMBtrans2 (REPLY)

20:00:34.701644 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [.], ack 7024, win 4127, length 0
20:00:34.704424 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 7024, win 4127, length 88WARNING: Short packet. Try increasing the snap length by 36
SMB PACKET: SMBnttrans (REQUEST)

20:00:34.830345 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [.], ack 6882, win 65535, length 0
20:00:34.840604 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 7024, win 4127, length 90WARNING: Short packet. Try increasing the snap length by 38
SMB PACKET: SMBntcreateX (REQUEST)

20:00:34.840882 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 6972, win 65445, length 139WARNING: Short packet. Try increasing the snap length by 87
SMB PACKET: SMBntcreateX (REPLY)

20:00:34.852443 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 7163, win 4092, length 90WARNING: Short packet. Try increasing the snap length by 38
SMB PACKET: SMBtrans2 (REQUEST)

20:00:34.852877 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7062, win 65355, length 984WARNING: Short packet. Try increasing the snap length by 932
SMB PACKET: SMBtrans2 (REPLY)

20:00:34.863121 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8147, win 4290, length 45SMB PACKET: SMBclose (REQUEST)

20:00:34.863264 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7107, win 65310, length 39SMB PACKET: SMBclose (REPLY)

20:00:35.017570 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8186, win 4280, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:35.017708 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7183, win 65234, length 39SMB PACKET: SMBtrans2 (REPLY)

20:00:35.028538 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8225, win 4270, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:35.028680 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7259, win 65158, length 39SMB PACKET: SMBtrans2 (REPLY)

20:00:35.041120 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8264, win 4260, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:35.041260 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7335, win 65082, length 39SMB PACKET: SMBtrans2 (REPLY)

20:00:35.217503 IP 192.168.3.201.63652 > 224.0.0.252.5355: UDP, length 24
20:00:35.318270 IP 192.168.3.201.63652 > 224.0.0.252.5355: UDP, length 24
20:00:35.349421 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8264, win 4260, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:35.349564 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [.], ack 7335, win 65082, length 0
20:00:35.377210 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7335, win 65082, length 39SMB PACKET: SMBtrans2 (REPLY)

20:00:35.389355 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8303, win 4251, length 104WARNING: Short packet. Try increasing the snap length by 52
SMB PACKET: SMBtrans (REQUEST)

20:00:35.389495 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7439, win 64978, length 39SMB PACKET: SMBtrans (REPLY)

20:00:35.525810 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:00:35.658605 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [.], ack 8342, win 4241, length 0
20:00:35.663288 IP 192.168.3.201.63652 > 224.0.0.252.5355: UDP, length 22
20:00:35.745628 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8342, win 4241, length 104WARNING: Short packet. Try increasing the snap length by 52
SMB PACKET: SMBntcreateX (REQUEST)

20:00:35.746064 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7543, win 64874, length 139WARNING: Short packet. Try increasing the snap length by 87
SMB PACKET: SMBntcreateX (REPLY)

20:00:35.756016 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8481, win 4206, length 76WARNING: Short packet. Try increasing the snap length by 24
SMB PACKET: SMBtrans2 (REQUEST)

20:00:35.756158 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7619, win 64798, length 88WARNING: Short packet. Try increasing the snap length by 36
SMB PACKET: SMBtrans2 (REPLY)

20:00:35.764939 IP 192.168.3.201.63652 > 224.0.0.252.5355: UDP, length 22
20:00:35.767865 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8569, win 4184, length 184WARNING: Short packet. Try increasing the snap length by 132
SMB PACKET: SMBwriteX (REQUEST)

20:00:35.768007 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7803, win 64614, length 51SMB PACKET: SMBwriteX (REPLY)

20:00:35.782786 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8620, win 4171, length 63WARNING: Short packet. Try increasing the snap length by 11
SMB PACKET: SMBreadX (REQUEST)

20:00:35.782929 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 7866, win 64551, length 156WARNING: Short packet. Try increasing the snap length by 104
SMB PACKET: SMBreadX (REPLY)

20:00:35.797853 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8776, win 4132, length 168WARNING: Short packet. Try increasing the snap length by 116
SMB PACKET: SMBwriteX (REQUEST)

20:00:35.797995 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 8034, win 64383, length 51SMB PACKET: SMBwriteX (REPLY)

20:00:35.812628 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 8827, win 4120, length 63WARNING: Short packet. Try increasing the snap length by 11
SMB PACKET: SMBreadX (REQUEST)

20:00:35.812769 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 8097, win 64320, length 1088WARNING: Short packet. Try increasing the snap length by 1036
SMB PACKET: SMBreadX (REPLY)

20:00:35.823600 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 9915, win 4290, length 63WARNING: Short packet. Try increasing the snap length by 11
SMB PACKET: SMBreadX (REQUEST)

20:00:35.823741 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 8160, win 64257, length 92WARNING: Short packet. Try increasing the snap length by 40
SMB PACKET: SMBreadX (REPLY)

20:00:35.842926 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 10007, win 4267, length 45SMB PACKET: SMBclose (REQUEST)

20:00:35.843053 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 8205, win 65535, length 39SMB PACKET: SMBclose (REPLY)

20:00:35.874951 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 10046, win 4257, length 40SMB PACKET: SMBntcancel (REQUEST)

20:00:35.875087 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 8245, win 65495, length 39SMB PACKET: SMBnttrans (REPLY)

20:00:35.891621 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [P.], ack 10085, win 4247, length 45SMB PACKET: SMBclose (REQUEST)

20:00:35.891762 IP 192.168.3.29.microsoft-ds > 192.168.3.201.51945: Flags [P.], ack 8290, win 65450, length 39SMB PACKET: SMBclose (REPLY)

20:00:35.965190 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:00:36.148881 IP 192.168.3.201.51945 > 192.168.3.29.microsoft-ds: Flags [.], ack 10124, win 4237, length 0
20:00:36.271588 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:00:36.713566 IP 192.168.3.201.netbios-ns > 255.255.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
^C
PS: even with an already established VPN connection, if I flush the filter rules, access to the local network appears....


gberc

Re: PF pass rule for an incoming VPN connection

Post by gberc » 2011-07-07 7:32:12

But GRE is used in PPTP, and my connection is L2TP.

gberc

Re: PF pass rule for an incoming VPN connection

Post by gberc » 2011-07-23 19:37:41

I found some time and got back to the problem.
Here are the logs again for the case where PF runs with these rules:
PF.conf

Code:

#_# interface to the local network
local_if="bge1"
#_# local network
local_lan="192.168.2.0/23"
#_# ip address of the local interface
local_ip="192.168.2.11"
#_# port for SSH connections
ssh_port="0000"
#_# port for connecting to the VPN server
mpd_port="1701"

#_# skip filtering entirely on the loopback interface
set skip on lo0

#_# normalize/reassemble all incoming packets on all interfaces
scrub in all

#_# block all traffic by default
block all

#_# allow all outgoing traffic from the local machine
pass out on $local_if from $local_if to any

#_# allow SSH connections on the port, only from the local network and from the friends_ssh addresses
pass in log on $local_if proto tcp from $friends_ssh to $local_if port $ssh_port
pass in log on $local_if proto tcp from $local_lan to $local_if port $ssh_port keep state

#_# allow connections to our VPN server on UDP port 1701 from any network
pass in log quick on $local_if proto udp from any to $local_ip port $mpd_port
#_# allow connections to the VPN server's web interface at 192.168.2.11 over http on port mpd_port, only from the local network
pass in log quick on $local_if proto tcp from $local_lan to $local_ip port $mpd_web_port

#_# pass traffic in all directions on the vpn interface ng0
#_# I know these rules duplicate each other  :pardon: 
pass quick on ng0 all
pass in log quick on ng0 from any to any
pass out log quick on ng0 from any to any

pass in on self from 192.168.3.201 to $local_lan
pass out on self from $local_lan to 192.168.3.201
#tcpdump -i bge1 (interface bge1 faces the local network)

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge1, link-type EN10MB (Ethernet), capture size 96 bytes
20:18:51.652365 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 2138072272, win 8212, length 116
20:18:51.652443 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 1, win 8212, length 116
20:18:51.654850 IP 143-dynamic-pool2.orel.puzzle.su.49415 > JA.nex.local.57862: Flags [.], ack 116, win 68, length 0
20:18:51.873069 IP 143-dynamic-pool2.orel.puzzle.su.49415 > JA.nex.local.57862: Flags [.], ack 232, win 67, length 0
20:18:52.312252 IP 143-dynamic-pool2.orel.puzzle.su.l2f > JA.nex.local.l2f:  l2tp:[L](6484/23174) {IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 458, length 40}
20:18:52.312372 IP JA.nex.local.l2f > 143-dynamic-pool2.orel.puzzle.su.l2f:  l2tp:[S](2/1)Ns=141,Nr=0 {IP 192.168.2.1 > 192.168.3.201: [|icmp]}
20:18:52.652621 IP JA.nex.local.10925 > 192.168.3.128.domain: 3598+ PTR? 143.60.78.195.in-addr.arpa. (44)
20:18:52.654047 IP 192.168.3.128.domain > JA.nex.local.10925: 3598* 1/2/2 (158)
20:18:52.654499 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 1, win 8212, length 180
20:18:52.654586 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 1, win 8212, length 164
20:18:52.654672 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 1, win 8212, length 164
20:18:52.654742 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 1, win 8212, length 164
20:18:52.654949 IP JA.nex.local.47068 > 192.168.3.128.domain: 3599+ PTR? 11.3.168.192.in-addr.arpa. (43)
20:18:52.656390 IP 192.168.3.128.domain > JA.nex.local.47068: 3599 NXDomain* 0/1/0 (95)
20:18:52.656562 IP JA.nex.local.18299 > 192.168.3.128.domain: 3600+ PTR? 201.3.168.192.in-addr.arpa. (44)
20:18:52.657999 IP 192.168.3.128.domain > JA.nex.local.18299: 3600 NXDomain* 0/1/0 (96)
20:18:52.658014 IP 143-dynamic-pool2.orel.puzzle.su.49415 > JA.nex.local.57862: Flags [.], ack 576, win 66, length 0
20:18:52.658147 IP 143-dynamic-pool2.orel.puzzle.su.49415 > JA.nex.local.57862: Flags [.], ack 904, win 65, length 0
20:18:52.658235 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 1, win 8212, length 228
20:18:52.658444 IP JA.nex.local.26529 > 192.168.3.128.domain: 3601+ PTR? 1.2.168.192.in-addr.arpa. (42)
20:18:52.659759 IP 192.168.3.128.domain > JA.nex.local.26529: 3601 NXDomain* 0/1/0 (94)
20:18:52.659934 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 1, win 8212, length 196
20:18:52.662245 IP 143-dynamic-pool2.orel.puzzle.su.49415 > JA.nex.local.57862: Flags [.], ack 1328, win 63, length 0
20:18:53.310439 IP 143-dynamic-pool2.orel.puzzle.su.l2f > JA.nex.local.l2f:  l2tp:[L](6484/23174) {IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 459, length 40}
20:18:53.310555 IP JA.nex.local.l2f > 143-dynamic-pool2.orel.puzzle.su.l2f:  l2tp:[S](2/1)Ns=142,Nr=0 {IP 192.168.2.1 > 192.168.3.201: [|icmp]}
20:18:53.659190 IP JA.nex.local.36018 > 192.168.3.128.domain: 3602+ PTR? 128.3.168.192.in-addr.arpa. (44)
20:18:53.660565 IP 192.168.3.128.domain > JA.nex.local.36018: 3602 NXDomain* 0/1/0 (96)
20:18:53.661113 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [.], ack 1, win 8212, length 1460
20:18:53.661129 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 1, win 8212, length 608
20:18:53.661219 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 1, win 8212, length 212
20:18:53.664661 IP 143-dynamic-pool2.orel.puzzle.su.49415 > JA.nex.local.57862: Flags [.], ack 3396, win 68, length 0
20:18:53.666562 IP 143-dynamic-pool2.orel.puzzle.su.49415 > JA.nex.local.57862: Flags [P.], ack 3608, win 67, length 84
20:18:53.666643 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [P.], ack 85, win 8212, length 36
20:18:53.666709 IP 143-dynamic-pool2.orel.puzzle.su.49415 > JA.nex.local.57862: Flags [P.], ack 3608, win 67, length 52
20:18:53.765950 IP JA.nex.local.57862 > 143-dynamic-pool2.orel.puzzle.su.49415: Flags [.], ack 137, win 8212, length 0
20:18:53.885943 IP 143-dynamic-pool2.orel.puzzle.su.49415 > JA.nex.local.57862: Flags [.], ack 3644, win 67, length 0
20:18:54.308759 IP 143-dynamic-pool2.orel.puzzle.su.l2f > JA.nex.local.l2f:  l2tp:[L](6484/23174) {IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 460, length 40}
20:18:54.308862 IP JA.nex.local.l2f > 143-dynamic-pool2.orel.puzzle.su.l2f:  l2tp:[S](2/1)Ns=143,Nr=0 {IP 192.168.2.1 > 192.168.3.201: [|icmp]}
^C
#tcpdump -i ng0 host 192.168.3.201

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng0, link-type NULL (BSD loopback), capture size 96 bytes
20:19:00.299610 IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 466, length 40
20:19:00.299659 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.11 unreachable, length 36
20:19:01.298082 IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 467, length 40
20:19:01.298128 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.11 unreachable, length 36
20:19:02.296089 IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 468, length 40
20:19:02.296128 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.11 unreachable, length 36
20:19:03.294832 IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 469, length 40
20:19:03.294865 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.11 unreachable, length 36
20:19:04.292899 IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 470, length 40
20:19:04.292948 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.11 unreachable, length 36
20:19:05.291488 IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 471, length 40
20:19:05.291531 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.11 unreachable, length 36
20:19:06.289643 IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 472, length 40
20:19:06.289683 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.11 unreachable, length 36
20:19:07.288111 IP 192.168.3.201 > 192.168.3.11: ICMP echo request, id 1, seq 473, length 40
20:19:07.288145 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.11 unreachable, length 36
^C
#tcpdump -i lo0

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
#tcpdump -i bge1 host 192.168.3.201

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge1, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
58 packets received by filter
0 packets dropped by kernel
#ifconfig

Code:

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether 00:0b:cd:ae:9d:47
        inet 192.168.105.1 netmask 0xffffffe0 broadcast 192.168.105.31
        media: Ethernet autoselect (1000baseT <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether 00:0b:cd:ae:9e:5b
        inet 192.168.2.11 netmask 0xfffffe00 broadcast 192.168.3.255
        inet 192.168.2.12 netmask 0xfffffe00 broadcast 192.168.3.255
        media: Ethernet autoselect (1000baseT <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1360
        inet 192.168.2.1 --> 192.168.3.201 netmask 0xffffffff
I don't understand. Why don't the packets come back from the remote host?
And what does this line mean?

Code:

20:34:00.913395 IP JA.nex.local.l2f > 143-dynamic-pool2.orel.puzzle.su.l2f:  l2tp:[S](2/1)Ns=1050,Nr=0 {IP 192.168.2.1 > 192.168.3.201: [|icmp]}
192.168.2.1 is the address of the office PBX.
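pfctl refuses to load a pf.conf that references a macro it has never seen defined, so a quick consistency check over the ruleset before `pfctl -f` saves a debugging round trip. The Python script below is an added example written for this edit (it is not the poster's code and not part of PF): it collects every `name="value"` definition and every `$name` reference, ignoring comments, and reports macros that are referenced but undefined and macros that are defined but unused. The embedded sample is a condensed copy of the rules posted above; run against it, the check reports `friends_ssh` and `mpd_web_port` as undefined.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, condensed from the pf.conf posted above so the checker
# has something to run on offline (not a file taken from the server).
SAMPLE_PF_CONF = """\
#_# interface to the local network
local_if="bge1"
local_lan="192.168.2.0/23"
local_ip="192.168.2.11"
ssh_port="0000"
mpd_port="1701"

set skip on lo0
scrub in all
block all
pass out on $local_if from $local_if to any
pass in log on $local_if proto tcp from $friends_ssh to $local_if port $ssh_port
pass in log on $local_if proto tcp from $local_lan to $local_if port $ssh_port keep state
pass in log quick on $local_if proto udp from any to $local_ip port $mpd_port
pass in log quick on $local_if proto tcp from $local_lan to $local_ip port $mpd_web_port
pass quick on ng0 all
"""

# name = "value"  (value may be quoted or a bare token)
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(".*?"|\S+)\s*$')
# $name anywhere in a rule or in another macro's value
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


@dataclass
class MacroReport:
    defined: dict = field(default_factory=dict)     # name -> line of definition
    referenced: dict = field(default_factory=dict)  # name -> first line using it

    @property
    def undefined(self):
        """Referenced but never defined: pfctl rejects the file on load."""
        return sorted(n for n in self.referenced if n not in self.defined)

    @property
    def unused(self):
        """Defined but never referenced: harmless, usually a leftover."""
        return sorted(n for n in self.defined if n not in self.referenced)


def check_macros(text):
    report = MacroReport()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # pf.conf comments run from '#' to end of line
        if not line.strip():
            continue
        m = MACRO_DEF.match(line)
        if m:
            report.defined.setdefault(m.group(1), lineno)
            # a macro value may itself expand other macros, e.g. ext="$local_if"
            line = m.group(2)
        for name in MACRO_REF.findall(line):
            report.referenced.setdefault(name, lineno)
    return report


if __name__ == "__main__":
    r = check_macros(SAMPLE_PF_CONF)
    for name in r.undefined:
        print("undefined macro $%s first used on line %d" % (name, r.referenced[name]))
    for name in r.unused:
        print("unused macro %s defined on line %d" % (name, r.defined[name]))
```

To check a real file, replace `SAMPLE_PF_CONF` with `open("/etc/pf.conf").read()`; the regexes deliberately do not try to expand tables or anchors, only the `$macro` layer that pfctl resolves first.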

gberc

Re: PF pass rule for an incoming VPN connection

Post by gberc » 2011-07-23 19:59:28

It has now turned out that pings to the remote host do get through, but connecting via RDP and to shared folders does not.
Added to the PF config:

Code:

#_# allowed icmp message types
icmp_types="{echoreq, unreach}"
#_# allow icmp traffic of the listed types.
pass log inet proto icmp all icmp-type $icmp_types
#tcpdump -i ng0 host 192.168.3.201

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng0, link-type NULL (BSD loopback), capture size 96 bytes
20:56:25.289819 IP 192.168.3.201 > 192.168.3.29: ICMP echo request, id 1, seq 2256, length 40
20:56:25.290064 IP 192.168.3.29 > 192.168.3.201: ICMP echo reply, id 1, seq 2256, length 40
20:56:26.281986 IP 192.168.3.201 > 192.168.3.29: ICMP echo request, id 1, seq 2257, length 40
20:56:26.282248 IP 192.168.3.29 > 192.168.3.201: ICMP echo reply, id 1, seq 2257, length 40
20:56:27.280171 IP 192.168.3.201 > 192.168.3.29: ICMP echo request, id 1, seq 2258, length 40
20:56:27.280426 IP 192.168.3.29 > 192.168.3.201: ICMP echo reply, id 1, seq 2258, length 40
20:56:28.278941 IP 192.168.3.201 > 192.168.3.29: ICMP echo request, id 1, seq 2259, length 40
20:56:28.279189 IP 192.168.3.29 > 192.168.3.201: ICMP echo reply, id 1, seq 2259, length 40
20:56:34.621607 IP 192.168.3.201.49643 > 192.168.3.29.rdp: Flags [S], seq 2084849982, win 8192, options [mss 1320,nop,wscale 8,nop,nop,sackOK], length 0
20:56:34.621676 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
20:56:37.622564 IP 192.168.3.201.49643 > 192.168.3.29.rdp: Flags [S], seq 2084849982, win 8192, options [mss 1320,nop,wscale 8,nop,nop,sackOK], length 0
20:56:37.622619 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
20:56:43.628564 IP 192.168.3.201.49643 > 192.168.3.29.rdp: Flags [S], seq 2084849982, win 8192, options [mss 1320,nop,nop,sackOK], length 0
20:56:43.628628 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 56
20:57:02.215017 IP 192.168.3.201.56170 > 239.255.255.250.1900: UDP, length 97
20:57:02.227968 IP 192.168.3.201.53897 > 239.255.255.250.3702: UDP, length 624
20:57:02.246543 IP 192.168.3.201.56170 > 239.255.255.250.1900: UDP, length 129
20:57:02.460223 IP 192.168.3.201.53897 > 239.255.255.250.3702: UDP, length 624
20:57:05.219150 IP 192.168.3.201.56170 > 239.255.255.250.1900: UDP, length 97
20:57:05.250565 IP 192.168.3.201.56170 > 239.255.255.250.1900: UDP, length 129
20:57:08.230344 IP 192.168.3.201.56170 > 239.255.255.250.1900: UDP, length 97
20:57:08.261315 IP 192.168.3.201.56170 > 239.255.255.250.1900: UDP, length 129
20:57:10.150335 IP 192.168.3.201.49650 > 192.168.3.29.microsoft-ds: Flags [S], seq 3925837728, win 8192, options [mss 1320,nop,wscale 8,nop,nop,sackOK], length 0
20:57:10.150401 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
20:57:11.242402 IP 192.168.3.201.49651 > 192.168.3.29.microsoft-ds: Flags [S], seq 4262441561, win 8192, options [mss 1320,nop,wscale 8,nop,nop,sackOK], length 0
20:57:11.242449 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
20:57:11.252327 IP 192.168.3.201.49655 > 192.168.3.29.netbios-ssn: Flags [S], seq 1354212774, win 8192, options [mss 1320,nop,wscale 8,nop,nop,sackOK], length 0
20:57:11.252350 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
20:57:13.159202 IP 192.168.3.201.49650 > 192.168.3.29.microsoft-ds: Flags [S], seq 3925837728, win 8192, options [mss 1320,nop,wscale 8,nop,nop,sackOK], length 0
20:57:13.159254 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
20:57:14.251111 IP 192.168.3.201.49651 > 192.168.3.29.microsoft-ds: Flags [S], seq 4262441561, win 8192, options [mss 1320,nop,wscale 8,nop,nop,sackOK], length 0
20:57:14.251154 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
20:57:14.251818 IP 192.168.3.201.49655 > 192.168.3.29.netbios-ssn: Flags [S], seq 1354212774, win 8192, options [mss 1320,nop,wscale 8,nop,nop,sackOK], length 0
20:57:14.251839 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
20:57:19.164927 IP 192.168.3.201.49650 > 192.168.3.29.microsoft-ds: Flags [S], seq 3925837728, win 8192, options [mss 1320,nop,nop,sackOK], length 0
20:57:19.164988 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 56
20:57:20.256960 IP 192.168.3.201.49651 > 192.168.3.29.microsoft-ds: Flags [S], seq 4262441561, win 8192, options [mss 1320,nop,nop,sackOK], length 0
20:57:20.257001 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 56
20:57:20.257521 IP 192.168.3.201.49655 > 192.168.3.29.netbios-ssn: Flags [S], seq 1354212774, win 8192, options [mss 1320,nop,nop,sackOK], length 0
20:57:20.257541 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 56
^C
40 packets captured
40 packets received by filter
0 packets dropped by kernel
Something just isn't working at all. :cz2:
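The ng0 capture above has a clear pattern: every RDP and SMB SYN from 192.168.3.201 is answered by an ICMP host-unreachable sent from 192.168.2.1, while the echo requests to the same host get echo replies. Reading that by eye across forty lines is error-prone, so here is an added example (written for this edit, not from the original post or from tcpdump itself) that correlates tcpdump lines automatically: it counts connection attempts per destination host, the replies that came back from it, and the ICMP unreachables that name it together with the gateway that sent them, then gives a per-host verdict. The embedded capture is a constructed excerpt modelled on the posted output.

```python
import re
from collections import defaultdict

# Constructed tcpdump excerpt modelled on the ng0 capture above (shortened,
# option lists trimmed); used as offline input for the correlation below.
SAMPLE_CAPTURE = """\
listening on ng0, link-type NULL (BSD loopback), capture size 96 bytes
20:56:25.289819 IP 192.168.3.201 > 192.168.3.29: ICMP echo request, id 1, seq 2256, length 40
20:56:25.290064 IP 192.168.3.29 > 192.168.3.201: ICMP echo reply, id 1, seq 2256, length 40
20:56:34.621607 IP 192.168.3.201.49643 > 192.168.3.29.rdp: Flags [S], seq 2084849982, win 8192, length 0
20:56:34.621676 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
20:56:37.622564 IP 192.168.3.201.49643 > 192.168.3.29.rdp: Flags [S], seq 2084849982, win 8192, length 0
20:56:37.622619 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
20:57:02.215017 IP 192.168.3.201.56170 > 239.255.255.250.1900: UDP, length 97
20:57:10.150335 IP 192.168.3.201.49650 > 192.168.3.29.microsoft-ds: Flags [S], seq 3925837728, win 8192, length 0
20:57:10.150401 IP 192.168.2.1 > 192.168.3.201: ICMP host 192.168.3.29 unreachable, length 60
"""

LINE_RE = re.compile(r'^(\S+) IP (\S+) > (\S+): (.*)$')
FLAGS_RE = re.compile(r'Flags \[([^\]]+)\]')
UNREACH_RE = re.compile(r'ICMP host (\S+) unreachable')


def split_endpoint(endpoint, has_port):
    """tcpdump prints host.port for TCP/UDP but a bare host for ICMP."""
    if not has_port:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Classify one tcpdump line; returns None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    is_icmp = rest.startswith("ICMP")
    src_host, sport = split_endpoint(src, not is_icmp)
    dst_host, dport = split_endpoint(dst, not is_icmp)
    kind, target = "other", None
    if is_icmp:
        u = UNREACH_RE.search(rest)
        if u:
            kind, target = "unreachable", u.group(1)  # host the gateway gave up on
        elif "echo request" in rest:
            kind = "echo_request"
        elif "echo reply" in rest:
            kind = "echo_reply"
    else:
        f = FLAGS_RE.search(rest)
        if f and f.group(1) == "S":
            kind = "syn"       # new TCP connection attempt
        elif f and f.group(1) == "S.":
            kind = "synack"    # the target answered
    return {"ts": ts, "src": src_host, "sport": sport, "dst": dst_host,
            "dport": dport, "kind": kind, "target": target}


def new_stats():
    return {"attempts": 0, "answered": 0, "unreachable": 0,
            "ports": set(), "reported_by": set()}


def correlate(capture):
    """Per destination host: probes sent, replies seen, ICMP unreachables naming it."""
    stats = defaultdict(new_stats)
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["kind"] in ("syn", "echo_request"):
            s = stats[p["dst"]]
            s["attempts"] += 1
            if p["dport"]:
                s["ports"].add(p["dport"])
        elif p["kind"] in ("synack", "echo_reply"):
            stats[p["src"]]["answered"] += 1
        elif p["kind"] == "unreachable":
            s = stats[p["target"]]
            s["unreachable"] += 1
            s["reported_by"].add(p["src"])  # the router/firewall that rejected it
    return dict(stats)


def diagnose(stats):
    verdicts = {}
    for target, s in stats.items():
        gw = ",".join(sorted(s["reported_by"]))
        if s["unreachable"] == 0:
            verdicts[target] = "reachable" if s["answered"] else "no reply seen"
        elif s["answered"]:
            verdicts[target] = "mixed: %d answered, %d rejected by %s" % (
                s["answered"], s["unreachable"], gw)
        else:
            verdicts[target] = "rejected by " + gw
    return verdicts


if __name__ == "__main__":
    for host, verdict in diagnose(correlate(SAMPLE_CAPTURE)).items():
        print(host, "->", verdict)
```

A "mixed" verdict, ICMP answered but TCP rejected by the gateway's own address, points at the filter on the gateway rather than at routing: a routing problem would make the echo requests fail in the same way.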

gberc

Re: PF pass rule for an incoming VPN connection

Post by gberc » 2011-07-25 19:46:16

I added a rule for GRE

Code:

pass quick proto gre from any to any?
The situation hasn't changed :cry:

gberc

Re: PF pass rule for an incoming VPN connection

Post by gberc » 2011-07-25 20:12:17

Maybe this is the problem?
STATES:
all udp 192.168.2.11:1701 <- 195.78.60.143:1701 MULTIPLE:MULTIPLE
all udp 192.168.2.11:32540 -> 192.168.3.128:53 MULTIPLE:SINGLE
all udp 192.168.2.11:22299 -> 192.168.3.128:53 MULTIPLE:SINGLE

gberc

Re: PF pass rule for an incoming VPN connection

Post by gberc » 2011-08-11 14:56:13

I put in a crutch, and it works:
- the first rule in the firewall is "pass all"
- and below it I block the traffic that needs blocking.
I think this is called an open-type firewall.