
Pf blocks VPN traffic

Posted: 2014-09-11 11:07:56
Access_Denied
Pf blocks VPN traffic.

I am asking for help with the following question.
Server running FreeBSD 9.2-RELEASE-p3.
Pf blocks VPN traffic when connecting to this server from Windows. The server runs mpd5 (mpd5-5.7). The Windows computer connects to the server, gets an IP, and that is it. Not even a ping to the gateway works. The server's roles: gateway for the local network (internet access), mail server (Communigate), VPN server for remote sites (Racoon), web server.
This is my first time with PF, so the rules may not be optimal.
Here is pf.conf:

# interfaces

ext_if="rl0"
int_if="vr0"
ext_ip="xxx.xxx.xxx.xxx"
int_ip="10.10.1.1"
int_net="10.10.0.0/16"
table <net_pp> const { some IPs }
# IPSEC ip shop
tunnel_pp="{ 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 10.1.5.0/24, \
    10.1.6.0/24, 10.1.7.0/24, 10.1.8.0/24, 10.1.9.0/24, 10.1.10.0/24, \
    10.1.11.0/24, 10.1.12.0/24 }"
table <SITETABLE> const { some IPs }

# allowed ports
allowed_lan_tcp_services="{ https, nfsd, rpcbind, 80, 883:885, 119, 443, 995, 1723, 5190, 5938, 443, 3128, \
5000:5500, 4662, 4672, 7111, 47777, 47778, 32167 }"
allowed_lan_udp_services="{ https, rpcbind, 883:885, 4899, 5938, 4662, 4672, 7111 }"
allowed_wan_tcp_services="{ https, 20, 21, 22, 25, 80, 110, 143, 465, 95, 993, 1723, 5000:5500, \
4899, 4662, 4672,  5938, 5190, 5223, 5222, 7111 }"
allowed_wan_udp_services="{ https, 5501, 4662, 4672, 4899, 5938, 7111 }"
torrent_ports="{ 47777, 47778, 32167, 4662, 4672, 7111 }"
torrent_client="{ 10.10.1.2, 10.10.1.41 }"
admin_ip="{ 10.10.1.59, 10.10.1.41 }"

# allow ICMP types
allowed_icmp_types="{ echoreq, unreach, echorep }"
non_route_nets_inet="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, \
192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

table <BRUTEFORCERS>	persist

# Global options
set block-policy return # reset connection softly
set skip on lo0 # skip rules on loopback
set skip on $int_if # skip rules on internal interface
set limit states 20000

# Timeout Options
set timeout { frag 10, tcp.established 3600 } # time of state TCP connection

# normalisation
scrub in all # normalise all packets in all interfaces - defragment packets

# NAT
nat on $ext_if from $int_if:network to any -> ($ext_if)
#nat on ng0 from 10.10.0.0/16 to any -> (ext_if)
# redirect to torrent host
rdr pass on $ext_if proto { tcp, udp } from any to any port $torrent_ports -> $torrent_client

# 
block log all
# pass all

# block antispoofing
antispoof log quick for { lo0, $int_if, $ext_if }

# block non routable ips
block drop in log quick on $ext_if from $non_route_nets_inet to any

# block other network nets
block drop in log quick on $int_if from !$int_if:network to any

# block those breaking in on port 25
# block drop in log quick on { $int_if, $ext_if } proto tcp from any to any port smtp
# block sites - vk.com etc
block drop in log on $ext_if from <SITETABLE> to any
block drop out log on $ext_if from any to <SITETABLE>
# block bruteforcers ssh
block drop log quick from <BRUTEFORCERS>

# SSH for local network users
pass in on $int_if proto tcp from $int_if:network to $int_if port ssh \
synproxy state ( max-src-conn-rate 5/300, overload <BRUTEFORCERS> flush global )
# SSH for internet userS
pass in on $ext_if proto tcp from any to $ext_if port ssh \
synproxy state ( max-src-conn-rate 5/300, overload <BRUTEFORCERS> flush global )

# allow www traffic
pass in on $int_if proto tcp from $int_if:network to any port { 80, 81, 443, 8080, 8008, 8090 }

# synchronise time
pass in on $int_if proto udp from $int_if:network to any port ntp keep state

# DNS request
pass in on $int_if proto udp from $int_if:network to any port domain keep state

# allow outgoing ntp traffic from server
pass out on $ext_if proto udp from $ext_if to any port ntp keep state
# allow outgoing www traffic
pass out on $ext_if proto tcp from $ext_if to any port { www, https } modulate state
# allow outgoing dns traffic from server
pass out on $ext_if proto udp from $ext_if to any port domain keep state

# icmp
pass log inet proto icmp all icmp-type $allowed_icmp_types

# traceroute
pass out on $ext_if proto udp from any to any port 33433 >< 33626 keep state

# allowed services from any
pass in quick on $ext_if proto tcp to port $allowed_wan_tcp_services
pass in quick on $ext_if proto udp to port $allowed_wan_udp_services
# allowed services from network
pass in quick on $ext_if proto tcp from $ext_if:network to port $allowed_lan_tcp_services
pass in quick on $ext_if proto udp from $ext_if:network to port $allowed_lan_udp_services

# allow torrent
pass out quick on $int_if inet proto { tcp, udp } from $int_if to $torrent_client flags S/SA keep state
pass out quick on $ext_if inet proto { tcp, udp } from $ext_if to any flags S/SA keep state

pass out quick on $int_if inet proto { tcp, udp } from $int_if to $admin_ip flags S/SA keep state
pass out quick on $ext_if inet proto { tcp, udp } from $admin_ip to any flags S/SA keep state

# VPN shop
pass out quick on $ext_if inet proto udp from ($ext_if) port isakmp to { <net_pp> } port isakmp
pass out quick on $ext_if inet proto esp from ($ext_if) to { <net_pp> }
pass out quick on $ext_if inet proto ipencap from ($ext_if) to { <net_pp> }

pass in quick on $ext_if inet proto udp from { <net_pp> } port isakmp to ($ext_if) port isakmp
pass in quick on $ext_if inet proto esp from { <net_pp> } to ($ext_if)
pass in quick on $ext_if inet proto ipencap from { <net_pp> } to ($ext_if)

#pptp from inet/lan HERE ARE THE RULES for MPD, what is WRONG?
pass in on $ext_if inet proto { tcp, udp } from any to (self) port { 500, 1701, 1723, 4500 }
pass in on $ext_if inet proto esp from any to $ext_if
pass in on $ext_if inet proto gre from any to $ext_if

# pass out on ng0 all keep state

# MAIL
pass in quick on $ext_if proto tcp from any to $ext_ip port smtp
pass out on $ext_if proto tcp from $ext_ip to any port smtp
pass in on $int_if proto tcp from { $tunnel_pp } to $ext_ip port smtp
Here is part of rc.conf:

linux_enable="YES"
gateway_enable="YES"
#natd_enable="YES"
#natd_intarface="vr0"
hostname="mail.amarket"
#keymap="ru.koi8-r.win.kbd"
keymap="ru.koi8-r"
font8x14="koi8-r-8x14"
font8x16="koi8-r-8x16"
keyrate="fast"
defaultrouter="xxx.xxx.xxx.xxx"
ifconfig_rl0="inet xxx.xxx.xxx.xxx netmask 255.255.255.248"
ifconfig_vr0="inet 10.10.1.1 netmask 255.255.0.0"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
squid_enable="YES"
named_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
mpd_enable="YES"
mpd_flags="-b"
#ntpd_enable="YES"
#ntpd_program=
pf_enable="YES"
pf_program="/sbin/pfctl"
pf_flags=""
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
pflog_program="/sbin/pflogd"
pflog_flags=""

# Tunnel


#racoon
racoon_enable="YES"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_flags="-4 -l /var/log/racoon.log"
nginx_enable="YES"
php_fpm_enable="YES"
mysql_enable="YES"
pf.log:

00:00:00.209218 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.750697 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.752625 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.749780 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.747530 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.749257 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.754472 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.289870 rule 2..16777216/0(match): block in on ng0: 10.10.1.47 > 10.10.1.1: ICMP echo request, id 1, seq 161, length 40
00:00:00.451975 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.184124 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.745320 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.756444 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.752458 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.749198 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.736710 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.764978 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.736460 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:01.502920 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.757369 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.532952 rule 2..16777216/0(match): block in on ng0: 10.10.1.47 > 10.10.1.1: ICMP echo request, id 1, seq 163, length 40
00:00:00.213381 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.754173 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.750206 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.742162 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.751959 rule 3..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:01.499515 rule 3..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.298314 rule 3..16777216/0(match): block in on ng0: 10.10.1.47 > 10.10.1.1: ICMP echo request, id 1, seq 164, length 40
With pfctl -d the remote computer connects, gets an IP, and can ping into the network.

ifconfig -a while a client is connected:

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2008<VLAN_MTU,WOL_MAGIC>
        ether 00:19:d1:3f:1a:61
        inet xxx.xxx.xxx.xxx netmask 0xfffffff8 broadcast xxx.xxx.xxx.xxx
        inet6 fe80::219:d1ff:fe3f:1a61%rl0 prefixlen 64 scopeid 0x4
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
        ether 00:21:91:91:e5:fb
        inet 10.10.1.1 netmask 0xffff0000 broadcast 10.10.255.255
        inet6 fe80::221:91ff:fe91:e5fb%vr0 prefixlen 64 scopeid 0x5
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
        nd6 options=9<PERFORMNUD,IFDISABLED>
pfsync0: flags=0<> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        syncpeer: 0.0.0.0 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1392
        inet 10.10.1.1 --> 10.10.1.47 netmask 0xffffffff
        inet6 fe80::219:d1ff:fe3f:1a61%ng0 prefixlen 64 scopeid 0x16
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

I tried:

table <VPN_CLIENT> const {10.10.1.47, 10.10.1.50, 10.10.1.51, 10.10.1.52, 10.10.1.53, \
    10.10.1.54, 10.10.1.55, 10.10.1.46, 10.10.1.49, 10.10.1.48, 10.10.1.125 }
pass in on $ext_if from { <VPN_CLIENT> } to ng0
pass out on $ext_if from ng0 to any
pass in on ng0
pass on $ext_if from ($ext_if) to { <VPN_CLIENT> }
pass on $ext_if from ($int_if) to { <VPN_CLIENT> }
pass on $ext_if from  { <VPN_CLIENT> } to any

pptp="{ng0, ng1, ng2}"
pass quick on $pptp all
Here is mpd.conf:

startup:
	set console self 127.0.0.1 5005
	set console open

default:
        load l2tp_server
        load pptp_standart

l2tp_server:
# Define dynamic IP address pool
	set ippool add pool1 10.10.1.120 10.10.1.135
# Create clonable bundle template named L
	create bundle template L
	set iface enable proxy-arp
	set iface route default
# 	 set iface route 10.10.1.1/16
	set iface idle 1800
	set iface enable tcpmssfix
	set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment
	set ipcp ranges 10.10.1.1/32 ippool pool1
	set ipcp dns 10.10.1.7
# The five lines below enable Microsoft point-to-point encryption
# (MPPE) using the ng_mppc(8) netgraph node type
	set bundle enable compression
	set ccp yes mppc
	set mppc yes e40
	set mppc yes e128
	set mppc yes stateless
# Create clonable link template named N
	create link template N l2tp
# Set bundle template to use
	set link action bundle L
# Multilink adds some overhead, but gives full 1500 MTU
	set link enable multilink
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10	60
# We reduce the link MTU to avoid GRE packet fragmentation
	set link mtu 1396
# Configure l2tp IP
	set l2tp self xxx.xxx.xxx.xxx
# Allow to accept calls
	set link enable incoming

pptp_standart:
# define dynamic IP address pool
	set ippool add pool2 10.10.1.136 10.10.1.155
# Create clonable bundle template named P
	create bundle template P
	set iface enable proxy-arp
	set iface route default
#	 set iface route 10.10.1.1/32
	set iface idle 1800
	set iface enable tcpmssfix
	set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment
	set ipcp ranges 10.10.1.1/32 ippool pool2
	set ipcp dns 10.10.1.7
# The five lines below enable Microsoft point-to-point encryption
# (MPPE) using the ng_mppc (8) netgraph node type
	set bundle enable compression
	set ccp yes mppc
	set mppc yes e40
	set mppc yes e128
	set mppc yes stateless
# Create clonable link template named T
	create link template T pptp
# Set bundle template to use
	set link action bundle P
# Multilink adds some overhead, but gives full 1500 MTU
	set link enable multilink
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10	60
# We reduce the link MTU to avoid GRE packet fragmentation
	set link mtu 1396
# Configure PPTP
	set pptp self xxx.xxx.xxx.xxx
# Allow to accept calls
	set link enable incoming
	set pptp disable windowing
	set pptp enable always-ack
Please help with some advice, nudge me in the right direction, or point out where the mistake is.
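As an added example (not code from the thread), a small Python parser for pflogd records in the `tcpdump -ttt` shape quoted above that counts drops per interface, direction and rule number, so a pattern such as every drop being inbound on ng0 from one catch-all rule stands out; the sample lines are constructed in the same shape as the excerpt, and the interface and rule numbers are taken from it.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample records in the shape of the pf.log excerpt; not real captured data.
SAMPLE_LOG = """\
00:00:00.209218 rule 2..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.289870 rule 2..16777216/0(match): block in on ng0: 10.10.1.47 > 10.10.1.1: ICMP echo request, id 1, seq 161, length 40
00:00:00.751959 rule 3..16777216/0(match): block in on ng0: 10.10.1.47.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.100000 rule 5..16777216/0(match): block in on rl0: 203.0.113.9.40000 > 198.51.100.2.22: Flags [S], seq 1, win 65535, length 0
"""

# One record: timestamp, rule number (optionally "..anchor/index"), reason, action, direction, interface, "src > dst:", payload.
LINE_RE = re.compile(
    r"^\S+ rule (?P<rule>\d+)(?:\.\.\d+/\d+)?\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)

Entry = NamedTuple("Entry", [("rule", int), ("action", str), ("direction", str),
                             ("iface", str), ("src", str), ("dst", str),
                             ("proto", str)])


def classify(rest: str) -> str:
    """Coarse protocol guess from the decoded payload text."""
    for tag, proto in (("ICMP", "icmp"), ("UDP", "udp"), ("Flags [", "tcp")):
        if tag in rest:
            return proto
    return "other"


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line)
    if m is None:
        return None  # not a pflog record, ignored
    return Entry(int(m["rule"]), m["action"], m["dir"], m["iface"],
                 m["src"], m["dst"], classify(m["rest"]))


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def summarize_blocks(entries: List[Entry]) -> Counter:
    """Blocked packets counted per (interface, direction, rule number)."""
    return Counter((e.iface, e.direction, e.rule) for e in entries if e.action == "block")


def dominant_blocker(entries: List[Entry], iface: str) -> Optional[Tuple[str, int, int]]:
    """(direction, rule, count) of the rule dropping most packets on iface."""
    c = Counter((e.direction, e.rule)
                for e in entries if e.action == "block" and e.iface == iface)
    if not c:
        return None
    (direction, rule), n = c.most_common(1)[0]
    return direction, rule, n
```

Feed it the text of `tcpdump -n -ttt -r /var/log/pf.log`; one (direction, rule) pair accounting for every drop on the ng interface points at a catch-all block with no pass rule that matches that interface.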

Re: Pf blocks VPN traffic

Posted: 2014-09-11 23:39:40
Neus
Protocol 47

Re: Pf blocks VPN traffic

Posted: 2014-09-11 23:55:49
Access_Denied
Neus wrote: Protocol 47
GRE?
But that is already there

pass in on $ext_if inet proto esp from any to $ext_if
pass in on $ext_if inet proto gre from any to $ext_if
What else needs to be added?

Re: Pf blocks VPN traffic

Posted: 2014-09-12 9:27:25
gumeniuc
try this first

pass from <VPN_CLIENT> to any
pass from any to <VPN_CLIENT> 
and then add the specifics

Re: Pf blocks VPN traffic

Posted: 2014-09-12 21:37:05
Neus
Oops.. I missed that

Re: Pf blocks VPN traffic

Posted: 2014-09-12 23:56:43
Access_Denied
gumeniuc wrote: try this first

pass from <VPN_CLIENT> to any
pass from any to <VPN_CLIENT> 
and then add the specifics
No result.
If I comment out these lines:

# block antispoofing
antispoof log quick for { lo0, $int_if, $ext_if }
   
# block non routable ips
block drop in log quick on $ext_if from $non_route_nets_inet to any
	       
# block other network nets
block drop in log
then ping works, into the network as well, although those NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST entries are still blocked in the log.
Also, there is no ping from the server to that 10.10.1.47.

Re: Pf blocks VPN traffic

Posted: 2014-09-15 13:48:55
Access_Denied
The rule that helped was

pass quick log on ng0 all flags S/SA keep state
, added at the beginning of the rules, after

block log all
.
Thanks to everyone who took part.