I'd like to hear from the old Unix hands which direction to dig in, and get some practical advice on how this should and should NOT be done.

hardware: P4 3 GHz, 1 GB RAM
configs:
sysctl.conf - empty
uname -a:
Code:
FreeBSD gw 7.3-RELEASE FreeBSD 7.3-RELEASE #2: Mon Apr 19 11:05:40 NOVST 2010
Code:
ifconfig_rl0="inet *.*.*.* netmask 255.255.255.240"
ifconfig_rl1="inet 10.0.0.206 netmask 255.255.255.0"
route_vpn="-net 192.168.254.0/24 92.63.72.116"
static_routes="vpn"
local_startup="/usr/local/etc/rc.d" - empty
keymap="ru.koi8-r"
keyrate="fast"
font8x8="cp866-8x8"
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
mousechar_start="3"
saver="blank"
scrnmap="koi8-r2cp866"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
icmp_bmcastecho="NO"
tcp_drop_synfin="YES"
named_enable="YES"
named_conf="/etc/namedb/named.conf"
ntpdate_enable="YES"
ntpdate_flags="-b *.*.*.*"
router_enable="YES"
router="/sbin/routed"
router_flags="-s"
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_logging="YES"
firewall_nat_enable="YES"
firewall_nat_iface="rl0"
#dummynet_enable="YES"
sshd_enable="YES"
dhcpd_enable="YES"
dhcpd_interface="rl1"
mpd_enable="YES"
mpd_flags="-b"
Code:
cmd="/sbin/ipfw -q add"
oif="rl0"           # outside (uplink) interface
oip="*.*.*.*"       # public address on $oif
iif="rl1"           # inside (LAN) interface
iip="10.0.0.206"    # LAN address of the gateway (set but not used below)
net="10.0.0.0"
vpn="192.168.254.0"
skip="skipto 10000"
sks="setup keep-state"
/sbin/ipfw -q -f flush
# Loopback: allow lo0, drop anything else that carries a 127/8 address
$cmd 1 allow all from any to any via lo0
$cmd 2 deny ip from any to 127.0.0.0/8
$cmd 3 deny ip from 127.0.0.0/8 to any
# Everything on the LAN interface and on the mpd ng* interfaces is trusted
$cmd 10 allow all from any to any via $iif
$cmd 40 allow ip from any to any via ng\*
# PPTP control connections of the gateway (1723/tcp) and GRE for the tunnels
$cmd 50 allow tcp from me 1723 to any keep-state
$cmd 60 allow gre from any to any
# NAT instance 1 on the public address. With the default
# net.inet.ip.fw.one_pass=1 a packet is accepted right after a nat rule, so
# rules 300-900 would never see inbound traffic on $oif; one_pass=0 makes
# the packet continue with the next rule after translation.
/sbin/sysctl net.inet.ip.fw.one_pass=0
/sbin/ipfw -q nat 1 config ip $oip
$cmd 200 nat 1 ip from any to any in via $oif
$cmd 300 check-state
# Outbound services: create a dynamic rule, then jump to the NAT-out block
$cmd 400 $skip udp from any to *.*.*.* 53 out via $oif $sks
$cmd 500 $skip tcp from any to any 80 out via $oif $sks
$cmd 501 $skip tcp from any to any 443 out via $oif $sks
$cmd 502 $skip tcp from any to any 25 out via $oif $sks
$cmd 503 $skip tcp from any to any 110 out via $oif $sks
$cmd 504 $skip tcp from any to any 143 out via $oif $sks
$cmd 505 $skip tcp from any to any 993 out via $oif $sks
$cmd 506 $skip tcp from any to any 995 out via $oif $sks
$cmd 507 $skip udp from any to any 123 out via $oif $sks
$cmd 509 $skip tcp from any to any 21 out via $oif $sks
$cmd 511 $skip tcp from any to any 5190 out via $oif $sks
$cmd 525 $skip icmp from any to any icmptypes 0,8,11 keep-state
# Any outbound TCP opened by root on the gateway itself
$cmd 555 $skip tcp from any to any out via $oif $sks uid root
# Anti-spoofing: private, reserved and multicast sources must not arrive on $oif
$cmd 600 deny all from 10.0.0.0/8 to any in via $oif
$cmd 601 deny all from 192.168.0.0/16 to any in via $oif
$cmd 602 deny all from 172.16.0.0/12 to any in via $oif
$cmd 603 deny all from 0.0.0.0/8 to any in via $oif
$cmd 604 deny all from 127.0.0.0/8 to any in via $oif
$cmd 605 deny all from 169.254.0.0/16 to any in via $oif
$cmd 606 deny all from 192.0.2.0/24 to any in via $oif
$cmd 607 deny all from 204.152.64.0/23 to any in via $oif
$cmd 608 deny all from 224.0.0.0/3 to any in via $oif
# 609 and 610 together reject every SSH connection arriving on $oif: a source
# outside $net/24 dies at 609, one inside it is not in $vpn/24 and dies at 610
# (LAN and VPN clients reach sshd via $iif and ng*, already allowed by 10 and 40)
$cmd 609 deny all from not $net/24 to me 22 in via $oif
$cmd 610 deny all from not $vpn/24 to me 22 in via $oif
# Inbound ports that must never reach the gateway from outside
$cmd 700 deny tcp from any to any 113 in via $oif
$cmd 701 deny tcp from any to any 137 in via $oif
$cmd 702 deny tcp from any to any 138 in via $oif
$cmd 703 deny tcp from any to any 139 in via $oif
$cmd 704 deny tcp from any to any 81 in via $oif
$cmd 705 deny tcp from any to any 445 in via $oif
$cmd 706 deny tcp from any to any 1028 in via $oif
$cmd 708 deny tcp from any to any 113 in via $oif   # duplicate of rule 700
$cmd 709 deny tcp from any to any 67 in via $oif
$cmd 710 deny tcp from any to any 68 in via $oif
# Drop all fragments (mpd.conf lowers the link MTU to 1460 so GRE does not
# fragment) and inbound TCP with ACK/RST set that matched no dynamic rule
$cmd 800 deny all from any to any frag
$cmd 900 deny tcp from any to any established in via $oif
# Block 10000: translate and pass the outbound traffic admitted by the $skip rules
$cmd 10000 nat 1 ip from any to any out via $oif
$cmd 10002 nat 1 ip from any to $oip via $oif
$cmd 10003 allow ip from any to any
# Everything else is logged and dropped
$cmd 15000 deny log all from any to any via $oif
$cmd 65000 deny log all from any to any
Code:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options IPDIVERT
options DUMMYNET
options LIBALIAS
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_SOCKET
options NETGRAPH_TEE
options NETGRAPH_MPPC_ENCRYPTION
#options NETGRAPH_MPPC_COMPRESSION
#options NETGRAPH_BPF
#options NETGRAPH_IFACE
#options NETGRAPH_KSOCKET
#options NETGRAPH_PPP
options NETGRAPH_PPTPGRE
#options NETGRAPH_TCPMSS
#options NETGRAPH_VJC
#options NETGRAPH_ONE2MANY
#options NETGRAPH_RFC1490
#options NETGRAPH_TTY
#options NETGRAPH_UI
Code:
default:
load pptp_server
pptp_server:
# Define dynamic IP address pool.
set ippool add pool1 192.168.254.10 192.168.254.250
# Create clonable bundle template named B
create bundle template B
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
set ipcp ranges 192.168.254.255/32 ippool pool1
set ipcp dns 82.200.70.8
# set ipcp nbns 192.168.1.4
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
# Create clonable link template named L
create link template L pptp
# Set bundle template to use
set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
set link keep-alive 10 60
# Reduce the link MTU to avoid GRE packet fragmentation.
set link mtu 1460
# Configure PPTP
set pptp self *.*.*.*
# Accept incoming calls
set link enable incoming
PS: or maybe the hardware is just too weak?
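A lint helper, added here as an example and not part of the post, that runs the three checks a reviewer would make on a script like the rc.ipfw above: identical rule bodies under two numbers (700 and 708 there), variables set but never used ($iip), and a nat rule without net.inet.ip.fw.one_pass=0 (with the default one_pass=1 a packet is accepted right after the nat rule, so the deny rules after rule 200 never see inbound traffic on rl0). The embedded input is a constructed cut-down sample, not the full script.

```shell
# Constructed sample in the style of the rc.ipfw above: a nat-in rule, one
# rule body repeated under two numbers, and a variable that is never used.
SAMPLE_RULES='cmd="/sbin/ipfw -q add"
oif="rl0"
iif="rl1"
iip="10.0.0.206"
$cmd 10 allow all from any to any via $iif
$cmd 200 nat 1 ip from any to any in via $oif
$cmd 700 deny tcp from any to any 113 in via $oif
$cmd 708 deny tcp from any to any 113 in via $oif
$cmd 900 deny tcp from any to any established in via $oif'

# Print "FIRST SECOND body" for each rule body that appears under two numbers.
dup_rule_bodies() {
    printf '%s\n' "$1" | awk '
        /^\$cmd [0-9]+ / {
            num = $2; $1 = ""; $2 = ""; sub(/^  /, "")
            if ($0 in seen) print seen[$0], num, $0
            else seen[$0] = num
        }'
}

# Print shell variables assigned in the script but never expanded in a rule.
unused_vars() {
    printf '%s\n' "$1" | awk '
        /^[a-z_]+=/ { split($0, kv, "="); def[kv[1]] = 1 }
        { line = $0
          while (match(line, /\$[a-z_]+/)) {
              used[substr(line, RSTART + 1, RLENGTH - 1)] = 1
              line = substr(line, RSTART + RLENGTH) } }
        END { for (v in def) if (!(v in used)) print v }'
}

# With the default net.inet.ip.fw.one_pass=1 a packet leaves the ruleset right
# after a nat rule, so deny rules placed after "nat ... in via" never run unless
# the script (or sysctl.conf) sets one_pass=0. Returns 1 when that is missing.
nat_one_pass_check() {
    if printf '%s\n' "$1" | grep -q ' nat [0-9][0-9]* ip ' &&
       ! printf '%s\n' "$1" | grep -q 'one_pass=0'; then
        echo "nat rule present but net.inet.ip.fw.one_pass=0 is never set"
        return 1
    fi
}

# Run all three checks; feed it "$(cat /etc/rc.ipfw)" for the real script.
lint_ipfw_script() {
    dup_rule_bodies "$1" | sed 's/^/duplicate rule body: /'
    unused_vars "$1" | sed 's/^/unused variable: /'
    nat_one_pass_check "$1" || true
}

lint_ipfw_script "$SAMPLE_RULES"
```

Pair it with `sh -n /etc/rc.ipfw`, which catches plain shell syntax errors before the rules are loaded.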
