Страница 1 из 1
ipfw + squid + sams
Добавлено: 2010-01-30 15:01:29
Spook1680
Est'
Freebsd 7.2 (PC-BSD)
polzovatelej pustit chez proksi. // avtorizaciya po loginu porolu
192.168.21.2 - adres usera .3 .4 .5
77.108.99.210 - adres provajdera
87.245.190.122 - DNS
192.168.21.1 - proksi
/U usera vistavil shluz i DNS 192.168.21.1
/etc/rc.firewall // sdelal bakap
Propisal svoj varian/ POCHTU i ICQ - PUSTIL CHEREZ NAT
rc.firewall
Код: Выделить всё
ournet='192.168.21.0/24'
uprefix='192.168.21'
ifout='sis0'
ifuser='rl0'
ports=pop3,ftp
vse=192.168.21.2
vip2=192.168.21.3
vip=192.168.21.4,192.168.21.5
allowedports="22,25,53,110,143"
natusers="192.168.21.2,192.168.21.3,192.168.21.4"
icq_users="192.168.21.2,192.168.21.3"
msn_users="192.168.21.2,192.168.21.3"
icq_port="5190,5180,5181"
msn_port="1863,443"
jabber="5222,5223,7777"
allowed_nets="77.108.99.0/24"
ipfw add 50 divert natd all from ${natusers} to any ${allowedports},${jabber},${icq_port},${msn_port} out via sis0
ipfw add 51 divert natd all from ${icq_users} to any ${icq_port} out via sis0
ipfw add 52 divert natd all from ${msn_users} to any ${msn_port} out via sis0
ipfw add 53 divert natd icmp from ${natusers} to any out via sis0
ipfw add 54 divert natd all from ${natusers} to any ftp,1024-65535 out via sis0
ipfw add 60 divert natd all from any to 192.168.0.100 in via sis0
${fwcmd} add 97 allow all from any to me ssh
#${fwcmd} add 200 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${fwcmd} add 210 allow all from 10.220.138.221 to me
${fwcmd} add 220 allow all from me to 10.220.138.221
${fwcmd} add 230 drop all from any to me 3128 via ${ifout}
${fwcmd} add 300 allow ip from any to any via lo0
${fwcmd} add 310 allow tcp from me to any keep-state via ${ifout}
${fwcmd} add 320 allow icmp from any to any
${fwcmd} add 330 allow udp from me to any domain keep-state
${fwcmd} add 340 allow udp from any to me domain
${fwcmd} add 350 allow ip from me to any
${fwcmd} add 49 fwd 127.0.0.1,3128 tcp from ${ournet} to any http out via ${ifout}
${fwcmd} add 400 allow all from 192.168.10.0/24 to any 5222,5223,5269,10015,5262,7777 via sis0
${fwcmd} add allow all from any to me http,https,ssh,ftp,smtp,pop3,5222,5223,5269,10015,5262,7777
#${fwcmd} add deny all from any to me via sis0
#${fwcmd} add 1000 allow all from ${ournet} to me
ipfw pipe 1 config mask dst-ip 0xffffffff bw 19Kbit/s
ipfw pipe 11 config mask src-ip 0xffffffff bw 19Kbit/s
ipfw queue 1 config pipe 1 weight 50 queue 20 mask dst-ip 0xffffffff
ipfw queue 11 config pipe 11 weight 50 queue 20 mask src-ip 0xffffffff
ipfw pipe 2 config mask dst-ip 0xffffffff bw 33Kbit/s
ipfw pipe 22 config mask src-ip 0xffffffff bw 33Kbit/s
ipfw queue 2 config pipe 2 weight 50 queue 20 mask dst-ip 0xffffffff
ipfw queue 22 config pipe 22 weight 50 queue 20 mask src-ip 0xffffffff
ipfw pipe 3 config mask dst-ip 0xffffffff bw 256Kbit/s
ipfw pipe 33 config mask src-ip 0xffffffff bw 256Kbit/s
ipfw queue 3 config pipe 3 weight 100 queue 40 mask dst-ip 0xffffffff
ipfw queue 33 config pipe 33 weight 100 queue 40 mask src-ip 0xffffffff
ipfw add reject tcp from any to any tcpflags fin, syn, rst, psh, ack, urg
ipfw add reject tcp from any to any tcpflags !fin, !syn, !rst, !psh, !ack, !urg
ipfw add reject log tcp from any to any not established tcpflags fin
ipfw add deny log ip from any to any not verrevpath in via sis0
ipfw add count all from any to any
${fwcmd} add 1001 queue 3 all from ${allowed_nets} to ${natusers} via sis0
${fwcmd} add 1002 queue 33 all from ${natusers} to ${allowed_nets} via sis0
${fwcmd} add 1003 queue 2 all from any to ${natusers} via sis0
${fwcmd} add 1004 queue 22 all from ${natusers} to any via sis0
${fwcmd} add 1005 pass all from ${natusers} to any
${fwcmd} add 1006 pass all from any to ${natusers}
Profi Podskaghite gde lohanulsya
1. icq i Pochta - rabotaut tolko esli ukazivayu DNS provajdera - a ne proksi/
2. ne vighu trafik pochti i icq v squid
rc.conf
Код: Выделить всё
# Enable the firewall
#pf_rules="/etc/pf.conf"
#pf_rules_enable="YES"
#pf_enable="YES"
#pflog_logfile="/var/log/pf.log"
#pf_flags=""
# Enable ipfw and open it by default since we have PF
firewall_enable="YES"
firewall_type="closed"
firewall_type="/etc/rc.firewall"
snddetect_enable="YES"
mixer_enable="YES"
bsdstats_enable="YES"
hostname="pcbsd"
ifconfig_rl0="inet 192.168.21.1 netmask 255.255.255.0"
ifconfig_sis0="inet 77.108.99.210 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
natd_enable="YES"
natd_interface="sis0"
natd_flags=" -m -s -u -punch_fw 5000:5200"
gateway_enable="YES"
apache_enable="YES"
squid_enable="YES"
mysql_enable="YES"
sams_enable="YES"
Re: ipfw + squid + sams
Добавлено: 2010-01-30 15:44:24
Morty
1. icq i Pochta - rabotaut tolko esli ukazivayu DNS provajdera - a ne proksi/
2. ne vighu trafik pochti i icq v squid
1. проверяй
dig @192.168.21.1 ya.ru
если не работает : настраивай /etc/resolv.conf или named
2. трафика почты в сквиде не будет , squid -
HTTP proxy
Re: ipfw + squid + sams
Добавлено: 2010-01-31 0:16:45
Spook1680
Morty писал(а):1. icq i Pochta - rabotaut tolko esli ukazivayu DNS provajdera - a ne proksi/
2. ne vighu trafik pochti i icq v squid
1. проверяй
dig @192.168.21.1 ya.ru
если не работает : настраивай /etc/resolv.conf или named
2. трафика почты в сквиде не будет , squid -
HTTP proxy
Morty! vot chto poluchayu nabiraya comandu
# dig @192.168.21.1 ya.ru
; <<>> DiG 9.4.3-P1 <<>> @192.168.21.1 ya.ru
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
#
/etc/resolv.conf
ameserver 10.44.0.101
nameserver 212.45.15.18
# ps axw | grep named
38089 p0 R+ 0:00,00 grep named
#
Chto moghno predprinyat esche
Re: ipfw + squid + sams
Добавлено: 2010-01-31 0:31:12
Morty
значит настрой named
как forward-only
зоны я думаю тебе не нужны
---
в /etc/namedb/named.conf
укажи forwarders ипы Днсов провайдера
и раскоменть
forward only;
ипы на каких слушать запросы
и корневую зону "."
остальное можно удалить
ну и запустить в итоге named
Re: ipfw + squid + sams
Добавлено: 2010-01-31 2:03:52
Spook1680
Morty писал(а):значит настрой named
как forward-only
зоны я думаю тебе не нужны
---
в /etc/namedb/named.conf
укажи forwarders ипы Днсов провайдера
и раскоменть
forward only;
ипы на каких слушать запросы
и корневую зону "."
остальное можно удалить
ну и запустить в итоге named
named.conf
nastroil
Код: Выделить всё
// the proper IP address, or delete this option.
listen-on { 127.0.0.1; };
listen-on { 192.168.21.1; };
listen-on { 192.168.21.2; };
dalee propisal
forward only;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
forwarders {
10.44.0.101;
212.45.15.18;
};
Zakomentil
// The traditional root hints mechanism. Use this, OR the slave zones below.
//zone "." { type hint; file "named.root"; };
Proverau
# ps -ax | grep named
1041 ?? Ss 0:00,04 /usr/sbin/syslogd -l /var/run/log -l /var/named/var/run/log -s
12936 p0 R+ 0:00,00 grep named
Dau komandu
# dig @192.168.21.1 ya.ru
; <<>> DiG 9.4.3-P1 <<>> @192.168.21.1 ya.ru
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
#
squid ? Moghet tam chto upustil
dns_nameserver ne ukazival
servera provajderov beret po umolchaniyu s resolv.conf
Re: ipfw + squid + sams
Добавлено: 2010-01-31 11:14:43
goshanecr
У тебя named не стартует. Выложи просто конфиг named.conf без своих пометок. И дай ещё содержимое лог файла в /var/named/var/log/named.log. Там должно быть написано почему не стартует. Как настроишь named, в resolv.conf укажи nameserver 127.0.0.1, а у клиентов в качестве dns: 192.168.21.1
Зачем listen-on { 192.168.21.2; }; ? Это же адрес пользователя?
Такой конфиг думаю у тебя должен сработать:
Код: Выделить всё
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
listen-on {
127.0.0.1;
192.168.21.1;
};
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
forward only;
forwarders {
87.245.190.122
};
};
zone "." { type hint; file "named.root"; };
logging {
channel bindlog {
file "/var/log/named.log";
severity debug 127;
print-time yes;
};
category default {
bindlog;
};
};
// RFC 1912
zone "localhost" { type master; file "master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
// "This" Network (RFCs 1912 and 3330)
zone "0.in-addr.arpa" { type master; file "master/empty.db"; };
// Private Use Networks (RFC 1918)
zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
#zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };
// Link-local/APIPA (RFCs 3330 and 3927)
zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; };
// TEST-NET for Documentation (RFC 3330)
zone "2.0.192.in-addr.arpa" { type master; file "master/empty.db"; };
// Router Benchmark Testing (RFC 3330)
zone "18.198.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.198.in-addr.arpa" { type master; file "master/empty.db"; };
// IANA Reserved - Old Class E Space
zone "240.in-addr.arpa" { type master; file "master/empty.db"; };
zone "241.in-addr.arpa" { type master; file "master/empty.db"; };
zone "242.in-addr.arpa" { type master; file "master/empty.db"; };
zone "243.in-addr.arpa" { type master; file "master/empty.db"; };
zone "244.in-addr.arpa" { type master; file "master/empty.db"; };
zone "245.in-addr.arpa" { type master; file "master/empty.db"; };
zone "246.in-addr.arpa" { type master; file "master/empty.db"; };
zone "247.in-addr.arpa" { type master; file "master/empty.db"; };
zone "248.in-addr.arpa" { type master; file "master/empty.db"; };
zone "249.in-addr.arpa" { type master; file "master/empty.db"; };
zone "250.in-addr.arpa" { type master; file "master/empty.db"; };
zone "251.in-addr.arpa" { type master; file "master/empty.db"; };
zone "252.in-addr.arpa" { type master; file "master/empty.db"; };
zone "253.in-addr.arpa" { type master; file "master/empty.db"; };
zone "254.in-addr.arpa" { type master; file "master/empty.db"; };
Re: ipfw + squid + sams
Добавлено: 2010-01-31 11:25:36
Spook1680
goshanecr писал(а):У тебя named не стартует. Выложи просто конфиг named.conf без своих пометок. И дай ещё содержимое лог файла в /var/named/var/log/named.log. Там должно быть написано почему не стартует. Как настроишь named, в resolv.conf укажи nameserver 127.0.0.1, а у клиентов в качестве dns: 192.168.21.1
Зачем listen-on { 192.168.21.2; }; ? Это же адрес пользователя?
named.conf
Код: Выделить всё
// $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2 2008/07/16 10:02:15 dougb Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
options {
// Relative to the chroot directory, if any
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
listen-on { 127.0.0.1; };
listen-on { 192.168.21.1; };
listen-on { 192.168.21.2; };
// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver. To give access to the network, specify
// an IPv6 address, or the keyword "any".
// listen-on-v6 { ::1; };
// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
forward only;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
forwarders { 127.0.0.1;
10.44.0.101;
212.45.15.18;
};
*/
/*
Modern versions of BIND use a random UDP port for each outgoing
query by default in order to dramatically reduce the possibility
of cache poisoning. All users are strongly encouraged to utilize
this feature, and to configure their firewalls to accommodate it.
AS A LAST RESORT in order to get around a restrictive firewall
policy you can try enabling the option below. Use of this option
will significantly reduce your ability to withstand cache poisoning
attacks, and should be avoided if at all possible.
Replace NNNNN in the example with a number between 49160 and 65530.
*/
// query-source address * port NNNNN;
};
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
// The traditional root hints mechanism. Use this, OR the slave zones below.
//zone "." { type hint; file "named.root"; };
/* Slaving the following zones from the root name servers has some
significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
3. Greater resilience to any potential root server failure/DDoS
On the other hand, this method requires more monitoring than the
hints file to be sure that an unexpected failure mode has not
incapacitated your server. Name servers that are serving a lot
of clients will benefit more from this approach than individual
hosts. Use with caution.
To use this mechanism, uncomment the entries below, and comment
the hint zone above.
*/
/*
zone "." {
type slave;
file "slave/root.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};
zone "arpa" {
type slave;
file "slave/arpa.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};
zone "in-addr.arpa" {
type slave;
file "slave/in-addr.arpa.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};
*/
/* Serving the following zones locally will prevent any queries
for these zones leaving your network and going to the root
name servers. This has two significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
*/
// RFC 1912
zone "localhost" { type master; file "master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
// RFC 1912-style zone for IPv6 localhost address
zone "0.ip6.arpa" { type master; file "master/localhost-reverse.db"; };
// "This" Network (RFCs 1912 and 3330)
zone "0.in-addr.arpa" { type master; file "master/empty.db"; };
// Private Use Networks (RFC 1918)
zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };
// Link-local/APIPA (RFCs 3330 and 3927)
zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; };
// TEST-NET for Documentation (RFC 3330)
zone "2.0.192.in-addr.arpa" { type master; file "master/empty.db"; };
// Router Benchmark Testing (RFC 3330)
zone "18.198.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.198.in-addr.arpa" { type master; file "master/empty.db"; };
// IANA Reserved - Old Class E Space
zone "240.in-addr.arpa" { type master; file "master/empty.db"; };
zone "241.in-addr.arpa" { type master; file "master/empty.db"; };
zone "242.in-addr.arpa" { type master; file "master/empty.db"; };
zone "243.in-addr.arpa" { type master; file "master/empty.db"; };
zone "244.in-addr.arpa" { type master; file "master/empty.db"; };
zone "245.in-addr.arpa" { type master; file "master/empty.db"; };
zone "246.in-addr.arpa" { type master; file "master/empty.db"; };
zone "247.in-addr.arpa" { type master; file "master/empty.db"; };
zone "248.in-addr.arpa" { type master; file "master/empty.db"; };
zone "249.in-addr.arpa" { type master; file "master/empty.db"; };
zone "250.in-addr.arpa" { type master; file "master/empty.db"; };
zone "251.in-addr.arpa" { type master; file "master/empty.db"; };
zone "252.in-addr.arpa" { type master; file "master/empty.db"; };
zone "253.in-addr.arpa" { type master; file "master/empty.db"; };
zone "254.in-addr.arpa" { type master; file "master/empty.db"; };
// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.ip6.arpa" { type master; file "master/empty.db"; };
zone "8.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.ip6.arpa" { type master; file "master/empty.db"; };
zone "c.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.ip6.arpa" { type master; file "master/empty.db"; };
zone "e.ip6.arpa" { type master; file "master/empty.db"; };
zone "0.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "1.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "2.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "8.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "0.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "1.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "2.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.e.f.ip6.arpa" { type master; file "master/empty.db"; };
// IPv6 ULA (RFC 4193)
zone "c.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.f.ip6.arpa" { type master; file "master/empty.db"; };
// IPv6 Link Local (RFC 4291)
zone "8.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.e.f.ip6.arpa" { type master; file "master/empty.db"; };
// IPv6 Deprecated Site-Local Addresses (RFC 3879)
zone "c.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "e.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "f.e.f.ip6.arpa" { type master; file "master/empty.db"; };
// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int" { type master; file "master/empty.db"; };
// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries. It can be convenient to become
// a slave at least for the zone your own domain is in. Ask
// your network administrator for the IP address of the responsible
// master name server.
//
// Do not forget to include the reverse lookup zone!
// This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
//
// Before starting to set up a master zone, make sure you fully
// understand how DNS and BIND work. There are sometimes
// non-obvious pitfalls. Setting up a slave zone is usually simpler.
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.
/* An example dynamic zone
key "exampleorgkey" {
algorithm hmac-md5;
secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
type master;
allow-update {
key "exampleorgkey";
};
file "dynamic/example.org";
};
*/
/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
type slave;
file "slave/1.168.192.in-addr.arpa";
masters {
192.168.1.1;
};
};
*/
A etogo fila net
((
named.log.
Re: ipfw + squid + sams
Добавлено: 2010-01-31 11:29:19
goshanecr
Я там сообщение выше дополнил, там пример конфига выложен, мне кажется должен тебе подойти.
Re: ipfw + squid + sams
Добавлено: 2010-01-31 11:32:06
goshanecr
В выложеном тобою конфиге во-первых закомментированы адреса на куда будут отправляться запросы, и описание корневой зоны
Код: Выделить всё
/*
forwarders { 127.0.0.1;
10.44.0.101;
212.45.15.18;
};
*/
/*
zone "." {
type slave;
file "slave/root.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};*/
Re: ipfw + squid + sams
Добавлено: 2010-01-31 11:39:50
goshanecr
Ох, что-то я проснуться всё никак не могу
Корневая зона закомменчена у тебя конечно же здесь:
Код: Выделить всё
//zone "." { type hint; file "named.root"; };
В общем попробуй мой конфиг а там посмотрим.
Re: ipfw + squid + sams
Добавлено: 2010-01-31 12:29:38
Spook1680
goshanecr писал(а):В выложеном тобою конфиге во-первых закомментированы адреса на куда будут отправляться запросы, и описание корневой зоны
Код: Выделить всё
/*
forwarders { 127.0.0.1;
10.44.0.101;
212.45.15.18;
};
*/
/*
zone "." {
type slave;
file "slave/root.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};*/
ya otredoktiroval vot tak
Код: Выделить всё
// $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2 2008/07/16 10:02:15 dougb Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
options {
// Relative to the chroot directory, if any
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
listen-on {
127.0.0.1;
192.168.21.1;
};
// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver. To give access to the network, specify
// an IPv6 address, or the keyword "any".
// listen-on-v6 { ::1; };
// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
forward only;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
forwarders {
10.44.0.101;
212.45.15.18;
};
/*
Modern versions of BIND use a random UDP port for each outgoing
query by default in order to dramatically reduce the possibility
of cache poisoning. All users are strongly encouraged to utilize
this feature, and to configure their firewalls to accommodate it.
AS A LAST RESORT in order to get around a restrictive firewall
policy you can try enabling the option below. Use of this option
will significantly reduce your ability to withstand cache poisoning
attacks, and should be avoided if at all possible.
Replace NNNNN in the example with a number between 49160 and 65530.
*/
// query-source address * port NNNNN;
};
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "named.root"; };
/* Slaving the following zones from the root name servers has some
significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
3. Greater resilience to any potential root server failure/DDoS
On the other hand, this method requires more monitoring than the
hints file to be sure that an unexpected failure mode has not
incapacitated your server. Name servers that are serving a lot
of clients will benefit more from this approach than individual
hosts. Use with caution.
To use this mechanism, uncomment the entries below, and comment
the hint zone above.
*/
logging {
channel bindlog {
file "/var/log/named.log";
sererity debug 127;
print-time yes;
};
category default {
bindlog;
};
Re: ipfw + squid + sams
Добавлено: 2010-01-31 12:31:39
goshanecr
У тебя закрывающей фигурной скобки не хватает в самом конце для logging
Re: ipfw + squid + sams
Добавлено: 2010-01-31 12:34:26
Spook1680
Код: Выделить всё
zone "." {
type slave;
file "slave/root.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};*/
mne vot etot razdel odin neponyten
IP servera nado ukazivat?
# dig @ 192.168.21.1 ya.ru
dig: couldn't get address for '': not found
#
teper pri teste takoe
Re: ipfw + squid + sams
Добавлено: 2010-01-31 12:35:45
goshanecr
нет, этот раздел вообще не нужен.
Re: ipfw + squid + sams
Добавлено: 2010-01-31 12:36:30
goshanecr
У тебя named вообще запустился?
Покажи ps -ax | grep named
Re: ipfw + squid + sams
Добавлено: 2010-01-31 12:55:10
Spook1680
goshanecr писал(а):У тебя named вообще запустился?
Покажи ps -ax | grep named
# ps -ax | grep named
1040 ?? Ss 0:00,03 /usr/sbin/syslogd -l /var/run/log -l /var/named/var/ru
#
Re: ipfw + squid + sams
Добавлено: 2010-01-31 13:00:13
goshanecr
У тебя named так и не запустился. Ты добавил в конец конфига закрывающую фигурную скобку?
Покажи grep named /etc/rc.conf
ещё ls -la /var/named
ls -la /var/named/var/log
Попробуй перезапустить named и покажи вывод
/etc/rc.d/named/restart
tail /var/log/messages
tail /var/named/var/log/named.log
Re: ipfw + squid + sams
Добавлено: 2010-01-31 13:05:42
Spook1680
goshanecr писал(а):У тебя named так и не запустился. Ты добавил в конец конфига закрывающую фигурную скобку?
Покажи grep named /etc/rc.conf
ещё ls -la /var/named
ls -la /var/named/var/log
Попробуй перезапустить named и покажи вывод
/etc/rc.d/named/restart
tail /var/log/messages
tail /var/named/var/log/named.log
# grep named /etc/rc.conf
named_enable="YES"
# ls -la /var/named
total 9
drwxr-xr-x 5 root wheel 512 18 мар 2009 .
drwxr-xr-x 25 root wheel 512 31 янв 15:50 ..
dr-xr-xr-x 4 root wheel 512 31 янв 12:50 dev
drwxr-xr-x 3 root wheel 512 31 янв 01:18 etc
drwxr-xr-x 6 root wheel 512 18 мар 2009 var
# ls -la /var/namded/var/log
ls: /var/namded/var/log: No such file or directory
#
Re: ipfw + squid + sams
Добавлено: 2010-01-31 13:08:53
Spook1680
goshanecr писал(а):У тебя named так и не запустился. Ты добавил в конец конфига закрывающую фигурную скобку?
Покажи grep named /etc/rc.conf
ещё ls -la /var/named
ls -la /var/named/var/log
Попробуй перезапустить named и покажи вывод
/etc/rc.d/named/restart
tail /var/log/messages
tail /var/named/var/log/named.log
Код: Выделить всё
# /etc/rc.d/named/restart
/etc/rc.d/named/restart: Not a directory.
# /etc/rc.d/named restart
named not running? (check /var/run/named/pid).
Starting named.
# tail /var/log/messages
Jan 31 12:52:16 pcbsd kernel: pid 1883 (nepomukservicestub), uid 1001: exited onsignal 6
Jan 31 12:54:05 pcbsd su: sasha to root on /dev/ttyp0
Jan 31 12:55:08 pcbsd ntpd[1288]: time reset +0.366377 s
Jan 31 12:55:08 pcbsd ntpd[1288]: kernel time sync status change 2001
Jan 31 12:56:28 pcbsd power_profile: changed to 'performance'
Jan 31 12:57:33 pcbsd squid[5762]: Squid Parent: child process 5764 started
Jan 31 13:06:28 pcbsd named[13243]: starting BIND 9.4.3-P1 -t /var/named -u bind
Jan 31 13:06:28 pcbsd named[13243]: /etc/namedb/named.conf:39: no matching 'forwarders' statement
Jan 31 13:06:28 pcbsd named[13243]: loading configuration: failure
Jan 31 13:06:28 pcbsd named[13243]: exiting (due to fatal error)
# tail /var/named/var/log/named.log
#
# ps -ax | grep named
1040 ?? Ss 0:00,03 /usr/sbin/syslogd -l /var/run/log -l /var/named/var/ru
14021 p0 R+ 0:00,00 grep named
Re: ipfw + squid + sams
Добавлено: 2010-01-31 13:16:09
goshanecr
Код: Выделить всё
mkdir /var/named/var/{dump,log,run,stats}
chown -R bind:wheel /var/named/var
chmod -R 755 /var/named/var
В
/etc/rc.conf
И ты всё=же дополнил named.conf или нет? Когда ты последний раз выкладывал тут конфиг, там в конце не хватало
};
После всего этого повторяй снова перезапуск named, потом ps -ax | grep named потом ls -la /var/named/var/log и если там появился log файл, то выкладывай сюда его содержимое
Вот собственно и ошибка:
Код: Выделить всё
/etc/namedb/named.conf:39: no matching 'forwarders' statement
Выкладывай сюда named.conf только полностью пожалуйста
И убери пожалуйста из конфига лишние комментарии, чтобы читать было легче
Re: ipfw + squid + sams
Добавлено: 2010-01-31 13:21:08
goshanecr
Попробуй конфиг ровно вот такой:
Код: Выделить всё
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
listen-on {
127.0.0.1;
192.168.21.1;
};
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
forward only;
forwarders {
87.245.190.122;
};
};
zone "." { type hint; file "named.root"; };
logging {
channel bindlog {
file "/var/log/named.log";
severity debug 127;
print-time yes;
};
category default {
bindlog;
};
};
Re: ipfw + squid + sams
Добавлено: 2010-01-31 13:27:01
Spook1680
goshanecr писал(а):Попробуй конфиг ровно вот такой:
Код: Выделить всё
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
listen-on {
127.0.0.1;
192.168.21.1;
};
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
forward only;
forwarders {
87.245.190.122;
};
};
zone "." { type hint; file "named.root"; };
logging {
channel bindlog {
file "/var/log/named.log";
severity debug 127;
print-time yes;
};
category default {
bindlog;
};
};
)) Sdelal kak ti skazal vrode poka vse rabotaet))) esche ne perezagrughal komp ))) poprobuy/ Poka vse klassno))) SPASIBO SAM BI NE RAZOBRALSYA
Re: ipfw + squid + sams
Добавлено: 2010-01-31 13:39:03
goshanecr
Хорошо
Успехов!