
pf RULE && VPN vs. admin

Posted: 2010-01-21 20:42:37
Soldier
hi all.
tell me where the bug is.
There is an access server: platform FreeBSD, with MPD5+pf on it.
The problem is this.
A user brings up a pptp tunnel and works. At a certain moment (as required) the billing system sends a request to the access server with the command:

Code:

pfctl -t vpn -T delete ip
In theory traffic should stop flowing.
The most interesting thing is that the reverse command, add, does work.
Can you tell me what to do and where?
Second day I've been tearing my hair out over this.
Thanks in advance.

PS. sorry for posting without the config.
maybe there are some general recommendations?

Re: pf RULE && VPN vs. admin

Posted: 2010-01-22 10:37:06
Soldier
Here are the pf rules:

Code:

scrub in all fragment reassemble
pass quick on lo all flags S/SA keep state
block drop in quick on em0 from <rfcnets> to any

pass in quick inet proto icmp from any to 10.10.2.2 icmp-type echoreq keep state
pass in quick inet proto tcp from any to 10.10.2.2 port = ssh flags S/SA keep state
pass in quick inet proto tcp from any to 10.10.2.2 port = https flags S/SA keep state
pass in quick inet proto tcp from any to 10.10.2.2 port = http flags S/SA keep state
pass in quick proto tcp from any to <me> port = domain flags S/SA keep state
pass in quick proto udp from any to <me> port = domain keep state
pass in quick inet proto gre from 172.16.0.0/16 to <me> keep state
pass in quick proto tcp from any to <me> port = 5006 flags S/SA keep state
pass in quick proto tcp from any to <me> port = pptp flags S/SA keep state
pass in quick inet proto tcp from 10.10.0.2 to 10.10.2.2 port = pptp flags S/SA keep state
pass in quick inet proto udp from 10.10.0.2 to 10.10.2.2 port = 1723 keep state

block drop in quick from any to <me>
block drop quick inet from 172.16.0.0/16 to 172.16.0.0/16

pass in quick inet from <vpn> to any flags S/SA keep state
pass in quick inet from any to <vpn> flags S/SA keep state

block drop in quick all
block drop out quick on em0 from <rfcnets> to any

pass out quick from <me> to any flags S/SA keep state
pass out quick from any to <vpn> flags S/SA keep state
pass out quick from <vpn> to any flags S/SA keep state

block drop all
The gist is that after

Code:

pfctl -t vpn -T delete ip
traffic keeps flowing anyway.

Code:

nas# pfctl -t vpn -Ts | grep 172.16.0.99
   172.16.0.99

Code:

nas# pfctl -s s | grep 172.16.0.99
all tcp 91.203.99.45:80 <- 172.16.0.99:3372       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:3372 -> xxx.xxx.xxx.251:50703 -> 91.203.99.45:80       ESTABLISHED:ESTABLISHED
all tcp 91.203.99.45:80 <- 172.16.0.99:3374       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:3374 -> xxx.xxx.xxx.251:54822 -> 91.203.99.45:80       ESTABLISHED:ESTABLISHED
all tcp 91.203.99.45:80 <- 172.16.0.99:4404       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:4404 -> xxx.xxx.xxx.251:52846 -> 91.203.99.45:80       ESTABLISHED:ESTABLISHED
all tcp 91.203.99.45:80 <- 172.16.0.99:4408       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:4408 -> xxx.xxx.xxx.251:60220 -> 91.203.99.45:80       ESTABLISHED:ESTABLISHED
all tcp 205.188.8.25:5190 <- 172.16.0.99:4553       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:4553 -> xxx.xxx.xxx.251:59798 -> 205.188.8.25:5190       ESTABLISHED:ESTABLISHED
all tcp 91.203.99.45:80 <- 172.16.0.99:1949       ESTABLISHED:CLOSING
all tcp 172.16.0.99:1949 -> xxx.xxx.xxx.251:58803 -> 91.203.99.45:80       CLOSING:ESTABLISHED
all udp 62.165.32.250:53 <- 172.16.0.99:62070       MULTIPLE:MULTIPLE
all udp 172.16.0.99:62070 -> xxx.xxx.xxx.251:64518 -> 62.165.32.250:53       MULTIPLE:MULTIPLE
all udp 62.165.33.250:53 <- 172.16.0.99:62070       MULTIPLE:MULTIPLE
all udp 172.16.0.99:62070 -> xxx.xxx.xxx.251:60306 -> 62.165.33.250:53       MULTIPLE:MULTIPLE
all tcp 66.102.13.17:80 <- 172.16.0.99:2016       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:2016 -> xxx.xxx.xxx.251:55215 -> 66.102.13.17:80       ESTABLISHED:ESTABLISHED
And this is after the delete:

Code:

nas# pfctl -t vpn -Ts | grep 172.16.0.99

Code:

nas# pfctl -s s | grep 172.16.0.99
all tcp 91.203.99.45:80 <- 172.16.0.99:3372       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:3372 -> xxx.xxx.xxx.251:50703 -> 91.203.99.45:80       ESTABLISHED:ESTABLISHED
all tcp 91.203.99.45:80 <- 172.16.0.99:3374       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:3374 -> xxx.xxx.xxx.251:54822 -> 91.203.99.45:80       ESTABLISHED:ESTABLISHED
all tcp 91.203.99.45:80 <- 172.16.0.99:4404       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:4404 -> xxx.xxx.xxx.251:52846 -> 91.203.99.45:80       ESTABLISHED:ESTABLISHED
all tcp 91.203.99.45:80 <- 172.16.0.99:4408       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:4408 -> xxx.xxx.xxx.251:60220 -> 91.203.99.45:80       ESTABLISHED:ESTABLISHED
all tcp 205.188.8.25:5190 <- 172.16.0.99:4553       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:4553 -> xxx.xxx.xxx.251:59798 -> 205.188.8.25:5190       ESTABLISHED:ESTABLISHED
all tcp 91.203.99.45:80 <- 172.16.0.99:1949       ESTABLISHED:CLOSING
all tcp 172.16.0.99:1949 -> xxx.xxx.xxx.251:58803 -> 91.203.99.45:80       CLOSING:ESTABLISHED
all udp 62.165.32.250:53 <- 172.16.0.99:62070       MULTIPLE:MULTIPLE
all udp 172.16.0.99:62070 -> xxx.xxx.xxx.251:64518 -> 62.165.32.250:53       MULTIPLE:MULTIPLE
all udp 62.165.33.250:53 <- 172.16.0.99:62070       MULTIPLE:MULTIPLE
all udp 172.16.0.99:62070 -> xxx.xxx.xxx.251:60306 -> 62.165.33.250:53       MULTIPLE:MULTIPLE
all tcp 66.102.13.17:80 <- 172.16.0.99:2136       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.99:2136 -> xxx.xxx.xxx.251:53631 -> 66.102.13.17:80       ESTABLISHED:ESTABLISHED

Re: pf RULE && VPN vs. admin

Posted: 2010-01-22 10:40:21
Soldier
The pf.conf itself

Code:

table <rfcnets> {10.0.0.0/8, !192.168.1.0/24, 192.168.0.0/16, !172.16.0.0/16, 172.16.0.0/12 }
table <vpn>     persist
#table <vpn>    {172.16.0.0/24}
table <me>      { self, 172.16.0.1}

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 5 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 50000, frags 5000 }
set loginterface none
#set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
#set state-policy if-bound

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

nat on em0 from 172.16.0.0/16 to any -> em0

# Allow loopback (where would we be without it?)
pass quick on lo from any to any

# ALL IN RULES ARE DESCRIBED HERE
# block private networks on the external interface
block in quick on em0 from <rfcnets> to any

# This block of rules only serves the services running on the server itself
# icmp
pass in quick inet proto icmp from any to 10.10.2.2 icmp-type echoreq keep state
# ssh
pass in quick proto tcp from any to 10.10.2.2 port 22 flags S/SA keep state
#pass in quick proto tcp from any to any port 22 flags S/SA keep state
# http,https
pass in quick proto tcp from any to 10.10.2.2 port {443, 80} flags S/SA keep state
# dns
pass in quick proto {tcp, udp} from any to <me> port domain flags S/SA keep state
#pass in quick proto {tcp, udp} from any to any port domain flags S/SA keep state
# GRE from outside
pass in quick proto gre from 172.16.0.0/16 to <me> keep state
# MPD
pass in quick proto tcp from any to <me> port 5006 flags S/SA keep state
# pptp
pass in quick proto tcp from any to <me> port 1723 flags S/SA keep state
# all from 10.10.0.2
pass in quick proto {tcp, udp} from 10.10.0.2 to 10.10.2.2 port 1723 flags S/SA keep state

# Everything else addressed to me gets blocked, damn it
block in quick from any to <me>

block quick from 172.16.0.0/16 to 172.16.0.0/16
# Allow VPN
pass in quick inet from <vpn> to any
pass in quick inet from any to <vpn>

# the rest of the incoming traffic we block and log, the hell with it
block in quick all

# ALL OUT RULES ARE DESCRIBED HERE
# RFC networks on the outgoing interface??? Screw that
block out quick on em0 from <rfcnets> to any

# from me
pass out quick from <me> to any keep state

# let out everything that made it this far
#pass out quick from <rfcnets> to <rfcnets>

# and from the clients
pass out quick from any to <vpn>
pass out quick from <vpn> to any
# Whatever we didn't describe for outbound gets blocked until it is fully sorted out
block all
From the outside everything is closed.

Re: pf RULE && VPN vs. admin

Posted: 2010-01-22 17:20:01
AzureZ
After

Code:

pfctl -t vpn -T delete ip
try

Code:

pfctl -k ip

Re: pf RULE && VPN vs. admin

Posted: 2010-01-22 19:56:54
Soldier
that's the thing, it has to be knocked out with a single command.
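What the state listings above show is the root cause: removing 172.16.0.99 from the <vpn> table only stops new packets from matching the "pass ... from <vpn>" rules, while the states already created by "keep state" (all of them ESTABLISHED in the dump) keep passing packets until they expire, and with "tcp.established 86400" in the posted pf.conf that is a day. The following script, which is an added example and not code from this thread or from the pf or mpd projects, wraps the table delete and the "pfctl -k" from AzureZ's reply into the one command the billing system can call. It assumes FreeBSD pf with pfctl in PATH, the table name vpn from the posted ruleset, and a PFCTL variable that exists only so the script can be exercised without touching a live firewall; the address validation and the regex-escaped grep are my own choices.

```shell
#!/bin/sh
# kick_vpn.sh <ipv4> : cut a VPN client off in one call.
# Added example, not from the thread. Assumes FreeBSD pf, table <vpn>.
set -eu

PFCTL="${PFCTL:-pfctl}"   # overridable so the script can be dry-run against a stub
TABLE="${TABLE:-vpn}"     # table name taken from the posted pf.conf

# Accept only a plain dotted-quad IPv4 address. The billing system passes the
# client address as the sole argument, so anything else is refused outright
# rather than being handed to pfctl.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Remove the address from the table, then kill the states it originated and
# the states addressed to it. Deleting from the table alone leaves existing
# states untouched, which is exactly why traffic kept flowing in the thread.
kick_vpn_ip() {
    ip=$1
    valid_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T delete "$ip"
    "$PFCTL" -k "$ip"                  # states originating from the client
    "$PFCTL" -k 0.0.0.0/0 -k "$ip"     # states from anywhere to the client
}

# Post-check: the address is neither in the table nor in any remaining state.
# The dots are escaped and the match anchored so 172.16.0.9 does not match
# 172.16.0.99 (the thread's own "grep 172.16.0.99" would).
check_kicked() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    ! "$PFCTL" -t "$TABLE" -T show | grep -qE -- "(^|[^0-9.])${ip_re}([^0-9]|$)" &&
    ! "$PFCTL" -s states | grep -qE -- "(^|[^0-9.])${ip_re}([^0-9]|$)"
}

if [ "${1:-}" ]; then
    kick_vpn_ip "$1"
    check_kicked "$1" || { echo "$1 still present after kick" >&2; exit 1; }
fi
```

The billing system then issues a single call, e.g. kick_vpn.sh 172.16.0.99, and gets a non-zero exit if the address is still visible in the table or in "pfctl -s states". The two -k forms are both documented pfctl usages: one -k host kills states the host originated, and "-k 0.0.0.0/0 -k host" kills states from any source to that host, so both halves of each NAT'd state pair in the dump are covered.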