
SQUID30

Posted: 2009-04-09 5:21:17
NN
Good day!

I have a problem with SQUID30: everything works, except that uploading files through the proxy does not. For example, you start attaching files on mail.ru and that's it, they never get attached. If anyone has run into this, please help.

Regards!

Re: SQUID30

Posted: 2009-04-09 6:10:37
manefesto
And where's the config?

Re: SQUID30

Posted: 2009-04-09 6:40:27
Gendos
I've run into this more than once.

Code:

uname -r
cat /usr/local/etc/squid/squid.conf
ifconfig
1. What else is installed on the gateway?
2. Is there nothing after the gateway?
3. Did this appear recently or right after installing Squid?
-------------------------
P.S. mail.ru is evil :-D

Re: SQUID30

Posted: 2009-04-09 6:46:26
NN
Gendos wrote: I've run into this more than once.

Code:

uname -r
cat /usr/local/etc/squid/squid.conf
ifconfig
1. What else is installed on the gateway?
2. Is there nothing after the gateway?
3. Did this appear recently or right after installing Squid?
-------------------------
P.S. mail.ru is evil :-D
uname -r

Code:

7.1-RELEASE
ifconfig

Code:

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:14:38:c5:f5:29
        inet 212.ххх.ххх.ххх netmask 0xfffffff0 broadcast 212.хх.ххх.ххх
        media: Ethernet autoselect (100baseTX <half-duplex>)
        status: active
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:14:38:c5:f5:28
        inet 10.16.0.15 netmask 0xfffffc00 broadcast 10.16.3.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000

Re: SQUID30

Posted: 2009-04-09 6:58:09
NN
I don't know when the problem appeared, but it only surfaced now. IPFW is configured on the FreeBSD box; after the server there is only the provider.

here's squid.conf

Re: SQUID30

Posted: 2009-04-09 6:58:39
Gendos
So where's the config?

Re: SQUID30

Posted: 2009-04-09 7:03:16
NN
Gendos wrote: So where's the config?
I've added everything.

Re: SQUID30

Posted: 2009-04-09 7:10:49
Gendos
OK, got it, I'll have a look a bit later.
I have to go out to a customer.

Re: SQUID30

Posted: 2009-04-09 8:57:30
Gendos

Code:

/usr/local/etc/rc.d/squid stop
squid -d 9
SAMS? Which version?
And does this anomaly happen only on mail.ru or everywhere?

Re: SQUID30

Posted: 2009-04-09 13:22:07
NN
Gendos wrote:

Code:

/usr/local/etc/rc.d/squid stop
squid -d 9

Code:

proxy# /usr/local/sbin/squid -d 9
proxy# 2009/04/09 18:13:45| Starting Squid Cache version 3.0.STABLE13 for amd64-portbld-freebsd7.1...
2009/04/09 18:13:45| Process ID 4204
2009/04/09 18:13:45| With 11072 file descriptors available
2009/04/09 18:13:45| Performing DNS Tests...
2009/04/09 18:13:56| Successful DNS name lookup tests...
2009/04/09 18:13:56| helperOpenServers: Starting 5 'dnsserver' processes
2009/04/09 18:13:56| helperStatefulOpenServers: Starting 5 'ntlm_auth' processes
2009/04/09 18:13:56| helperOpenServers: Starting 5 'ntlm_auth' processes
2009/04/09 18:13:56| User-Agent logging is disabled.
2009/04/09 18:13:56| Referer logging is disabled.
2009/04/09 18:13:56| Unlinkd pipe opened on FD 27
2009/04/09 18:13:56| Swap maxSize 25600000 KB, estimated 1969230 objects
2009/04/09 18:13:56| Target number of buckets: 98461
2009/04/09 18:13:56| Using 131072 Store buckets
2009/04/09 18:13:56| Max Mem  size: 2097152 KB
2009/04/09 18:13:56| Max Swap size: 25600000 KB
2009/04/09 18:13:56| Version 1 of swap file without LFS support detected...
2009/04/09 18:13:56| Rebuilding storage in /usr/local/squid/cache (CLEAN)
2009/04/09 18:13:56| Using Least Load store dir selection
2009/04/09 18:13:56| Set Current Directory to /usr/local/squid/cache
2009/04/09 18:13:56| Loaded Icons.
2009/04/09 18:13:56| Installing accept filter 'httpready' on FD 29
2009/04/09 18:13:56| SO_ACCEPTFILTER 'httpready': '(2) No such file or directory
2009/04/09 18:13:56| Accepting  HTTP connections at 10.16.0.15, port 3128, FD 29.
2009/04/09 18:13:56| Accepting ICP messages at 0.0.0.0, port 3130, FD 30.
2009/04/09 18:13:56| HTCP Disabled.
2009/04/09 18:13:56| Pinger socket opened on FD 32
2009/04/09 18:13:56| NETDB state reloaded; 843 entries, 16 msec
2009/04/09 18:13:56| Ready to serve requests.
2009/04/09 18:13:56| Store rebuilding is 1.64% complete
2009/04/09 18:13:58| Done reading /usr/local/squid/cache swaplog (249005 entries)
2009/04/09 18:13:58| Finished rebuilding storage from disk.
2009/04/09 18:13:58|    249005 Entries scanned
2009/04/09 18:13:58|         0 Invalid entries.
2009/04/09 18:13:58|         0 With invalid flags.
2009/04/09 18:13:58|    249005 Objects loaded.
2009/04/09 18:13:58|         0 Objects expired.
2009/04/09 18:13:58|         0 Objects cancelled.
2009/04/09 18:13:58|         0 Duplicate URLs purged.
2009/04/09 18:13:58|         0 Swapfile clashes avoided.
2009/04/09 18:13:58|   Took 1.85 seconds (134946.70 objects/sec).
2009/04/09 18:13:58| Beginning Validation Procedure
2009/04/09 18:13:58|   Completed Validation Procedure
2009/04/09 18:13:58|   Validated 498033 Entries
2009/04/09 18:13:58|   store_swap_size = 3425010
2009/04/09 18:13:58| storeLateRelease: released 0 objects

SAMS? Which version?
1.4
And does this anomaly happen only on mail.ru or everywhere?
yes, everywhere

Re: SQUID30

Posted: 2009-04-09 19:12:34
Gendos
So far only one anomaly is noticeable

Code:

2009/04/09 18:13:56| Installing accept filter 'httpready' on FD 29
2009/04/09 18:13:56| SO_ACCEPTFILTER 'httpready': '(2) No such file or directory
in the config it is set here

Code:

## FreeBSD
accept_filter httpready
Comment it out and restart Squid.
As I write this I'm not sure that this is where the trouble lies.

Re: SQUID30

Posted: 2009-04-09 19:18:50
Gendos
Or like this

Code:

kldload accf_http
Check whether it loaded

Code:

kldstat
Restart Squid and check; if everything is fine, then

Code:

echo 'accf_http_load="YES"' >> /boot/loader.conf
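As an added example (not code from this thread, from Squid or from FreeBSD), the following Python check ties together the three artifacts exchanged above: the SO_ACCEPTFILTER line from the `squid -d 9` output, the `kldstat` listing, and the `accept_filter httpready` directive in squid.conf. It applies the "one or the other" rule from this thread: if accf_http.ko is loaded the directive is kept (and uncommented if needed), otherwise it is commented out so Squid stops asking the kernel for a filter it does not have. The sample log, kldstat and squid.conf fragments are constructed from the output posted here.

```python
import re

# Constructed samples, trimmed from the output posted in this thread.
SAMPLE_LOG = """2009/04/09 18:13:56| Installing accept filter 'httpready' on FD 29
2009/04/09 18:13:56| SO_ACCEPTFILTER 'httpready': '(2) No such file or directory
2009/04/09 18:13:56| Accepting  HTTP connections at 10.16.0.15, port 3128, FD 29."""

KLDSTAT_BEFORE = """Id Refs Address            Size     Name
 1   10 0xffffffff80100000 b4be40   kernel
 4    3 0xffffffff80c5c000 15de8    ipfw.ko"""

KLDSTAT_AFTER = KLDSTAT_BEFORE + "\n 7    1 0xffffffffb0b2a000 82e      accf_http.ko"

SAMPLE_CONF = """http_port 10.16.0.15:3128
## FreeBSD
accept_filter httpready"""

ACCF_ERR = re.compile(r"SO_ACCEPTFILTER '(\w+)':")


def accept_filter_error(cache_log):
    """Name of the accept filter Squid failed to install, or None if the log is clean."""
    for line in cache_log.splitlines():
        m = ACCF_ERR.search(line)
        if m:
            return m.group(1)
    return None


def module_loaded(kldstat_out, module="accf_http.ko"):
    """True if `module` appears in the Name column of kldstat output."""
    return any(line.split()[-1:] == [module] for line in kldstat_out.splitlines())


def directive_active(squid_conf):
    """True if an uncommented accept_filter line is present in squid.conf."""
    return any(re.match(r"\s*accept_filter\s", line) for line in squid_conf.splitlines())


def reconcile(squid_conf, kldstat_out):
    """Return (new_conf, action): squid.conf text adjusted to match the kernel state.

    Module loaded  -> the directive is kept, uncommenting it if it was commented out.
    Module missing -> the directive is commented out.
    """
    loaded = module_loaded(kldstat_out)
    out = []
    for line in squid_conf.splitlines():
        if loaded:
            line = re.sub(r"^#\s*(accept_filter\s)", r"\1", line)
        else:
            line = re.sub(r"^(\s*accept_filter\s)", r"#\1", line)
        out.append(line)
    if loaded:
        action = "kept accept_filter (accf_http.ko loaded)"
    else:
        action = "commented out accept_filter (accf_http.ko not loaded)"
    return "\n".join(out), action


if __name__ == "__main__":
    print("Squid reported failing filter:", accept_filter_error(SAMPLE_LOG))
    conf, action = reconcile(SAMPLE_CONF, KLDSTAT_BEFORE)
    print(action)
    print(conf)
    # After `kldload accf_http` (persisted with accf_http_load="YES" in /boot/loader.conf)
    # the same call puts the directive back.
    conf, action = reconcile(conf, KLDSTAT_AFTER)
    print(action)
    print(conf)
```

The check is deliberately read-only: it returns the adjusted squid.conf text rather than writing it, so it can be run against a copy of the config before anything is changed on the gateway.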

Re: SQUID30

Posted: 2009-04-10 3:45:50
NN
I commented it out

Code:

## FreeBSD
accept_filter httpready
kldstat

Code:

Id Refs Address            Size     Name
 1   10 0xffffffff80100000 b4be40   kernel
 2    1 0xffffffff80c4c000 39f0     ipfw_nat.ko
 3    2 0xffffffff80c50000 b940     libalias.ko
 4    3 0xffffffff80c5c000 15de8    ipfw.ko
 5    1 0xffffffffb0830000 14dd     ipdivert.ko
 6    1 0xffffffffb0832000 18a44    linux.ko
 7    1 0xffffffffb0b2a000 82e      accf_http.ko

nothing has changed :(

Re: SQUID30

Posted: 2009-04-10 5:18:06
Gendos
either comment it out or load the module, one or the other
then stop Squid and give the output of

Code:

squid -d 9
try attaching a file on mail.ru and give the access.log output (not the whole thing, just the slice around that time :-D )

Code:

cat /etc/rc.conf
and send the ipfw rules, by PM if you like.
and one more question: is a DNS server of its own running on the gateway?
--------------------------------------------------
and what is the port forwarding about?
--------------------------------------------------
maybe go by elimination and cut out what isn't needed:
1. stop Squid
2. remove the redirect to it from the rules and reload the rules
3. try it and see whether the problem goes away or not

Re: SQUID30

Posted: 2009-04-10 8:55:12
NN
Gendos wrote: either comment it out or load the module, one or the other
then stop Squid and give the output of

Code:

squid -d 9
try attaching a file on mail.ru and give the access.log output (not the whole thing, just the slice around that time :-D )

Code:

cat /etc/rc.conf
and send the ipfw rules, by PM if you like.
and one more question: is a DNS server of its own running on the gateway?
--------------------------------------------------
and what is the port forwarding about?
--------------------------------------------------
maybe go by elimination and cut out what isn't needed:
1. stop Squid
2. remove the redirect to it from the rules and reload the rules
3. try it and see whether the problem goes away or not

Code:

proxy# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Thu Feb  5 01:11:09 2009
# Created: Thu Feb  5 01:11:09 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
keymap="ru.koi8-r"
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
scrnmap="koi8-r2cp866"
sshd_enable="YES"
ifconfig_bge1="inet 10.16.0.15 netmask 255.255.252.0"
ifconfig_bge0="inet 212.xxx.xxx.xxx netmask 255.255.255.240"
defaultrouter="212.xxx.xxx.xxx"
hostname="proxy.rgcom.loc"
static_routes="lan_1 lan_2 lan_3 lan_4"
route_lan_1="-net 10.16.13.0/24 10.16.3.251"
route_lan_2="-net 10.16.42.0/24 10.16.3.250"
route_lan_3="-net 10.16.63.0/24 10.16.3.251"
route_lan_4="-net 10.16.8.0/24 10.16.3.251"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="bge0"
inetd_enable="YES"
keymap="ru.koi8-r"
keyrate="fast"
linux_enable="YES"
rpcbind_enable="YES"
accounting_enable="YES"
samba_enable="YES"
mysql_enable="YES"
apache_enable="YES"
squid_enable="YES"
sams_enable="YES"
webmin_enable="YES"
proftpd_enable="YES"
portfwd_enable="YES"
icecast_enable="YES"
icecast_flags="-b -c /usr/local/etc/icecast.xml"
ices0_enable="YES"

Re: SQUID30

Posted: 2009-04-10 8:55:57
NN
firewall

Code:

#!/bin/sh -
# 
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/rc.firewall,v 1.52.4.1 2008/01/29 00:22:32 dougb Exp $
#

#
# Setup system for ipfw(4) firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - will allow anyone in
#   client      - will try to protect just this machine
#   simple      - will try to protect a whole network
#   closed      - totally disables IP services except via lo0 interface
#   workstation - will try to protect just this machine using statefull
#		  firewalling. See below for rc.conf variables used
#   UNKNOWN     - disables the loading of firewall rules.
#   filename    - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls, 2nd Edition
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-871-7
#	http://www.ora.com/
#	http://www.oreilly.com/catalog/fire2/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition
#	William R. Cheswick, Steven M. Bellowin, Aviel D. Rubin
#
#	Addison-Wesley / Prentice Hall
#	ISBN 0-201-63466-X
#	http://www.pearsonhighered.com/
#	http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html
#

setup_loopback () {
	############
	# Only in rare cases do you want to change these rules
	#
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
	${fwcmd} add 400 pass all from any to any via bge1
}

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
		fi
		;;
	esac
	case ${firewall_nat_enable} in
	[Yy][Ee][Ss])
		if [ -n "${firewall_nat_interface}" ]; then
			${fwcmd} nat 123 config if ${firewall_nat_interface} log
			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
		fi
		;;
	esac
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any


# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	${fwcmd} add 65000 pass all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	############

	# set these to your network and netmask and ip
	net="192.0.2.0"
	mask="255.255.255.0"
	ip="192.0.2.1"

	# Allow any traffic to or from my own net.
	${fwcmd} add pass all from ${ip} to ${net}:${mask}
	${fwcmd} add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to me 25 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from me to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from me to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from me to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a DNS and NTP server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	oif="bge0"
	onet="xxx.xxx.xxx.xxx"
	omask="255.255.255.240"
	oip="212.xxx.xxx.xxx"
	# set these to your inside interface network and netmask and ip
	iif="bge1"
	inet="10.16.0.0/22"
	imask="255.255.252.0"
	iip="10.16.0.15"

	# Stop spoofing
#	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
#	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
#	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
#	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
#	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
#	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
#	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
#	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
#	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
#	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Network Address Translation.  This rule is placed here deliberately
	# so that it does not interfere with the surrounding address-checking
	# rules.  If for example one of your internal LAN machines had its IP
	# address set to 192.0.2.1 then an incoming packet for it after being
	# translated by natd(8) would match the `deny' rule above.  Similarly
	# an outgoing packet originated from it before being translated would
	# match the `deny' rule below.
	
	drweb="www.drweb.com,esuite.msk3.drweb.com,esuite.msk.drweb.com,esuite.jp.drweb.com,esuite.msk4.drweb.com,esuite.us.drweb.com,218.45.29.98,78.107.100.10,81.176.67.171,83.102.130.174,81.176.67.170"
	ke="kontur-extern.ru, r42.kontur-extern.ru, r42-2.kontur-extern.ru, atlas.regit.ru, 81.176.70.69"
	finam="195.128.76.171,195.128.76.188,194.67.27.188,81.177.147.54,81.177.147.55,194.67.27.186,194.67.27.187,195.128.76.170"
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd ip from 10.16.1.5 to not ${inet} out xmit ${natd_interface}
			${fwcmd} add divert natd ip from 10.16.1.10 to ${drweb} out xmit ${natd_interface}
			${fwcmd} add divert natd ip from 10.16.1.21 to ${ke} out xmit ${natd_interface}
		#	${fwcmd} add divert natd ip from ${inet} to ${finam} out xmit ${natd_interface}
			${fwcmd} add divert natd ip from not ${inet} to ${oip} in recv ${natd_interface}
			${fwcmd} add divert natd ip from 10.16.1.12 to ${finam} out xmit ${natd_interface}
		fi
		;;
	esac

	# Stop RFC1918 nets on the outside interface
#	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
#	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from 212.xxx.xxx.0/24 to ${oip} 25

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to ${oip} 53 setup
#	${fwcmd} add pass tcp from any to ${oip} 80 setup
	${fwcmd} add pass udp from any to ${oip} 53
	
	${fwcmd} add pass udp from ${oip} 53 to any

	#NN
	${fwcmd} add pass tcp from 10.xxx.xxx.xxx to ${oip}

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from ${oip} to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from ${oip} to any 123 keep-state


	${fwcmd} add pass all from any to any

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
	# Configuration:
	#  firewall_myservices:		List of TCP ports on which this host
	#			 	 offers services.
	#  firewall_allowservices:	List of IPs which has access to
	#				 $firewall_myservices.
	#  firewall_trusted:		List of IPs which has full access 
	#				 to this host. Be very carefull 
	#				 when setting this. This option can
	#				 seriously degrade the level of 
	#				 protection provided by the firewall.
	#  firewall_logdeny:		Boolean (YES/NO) specifying if the
	#				 default denied packets should be
	#				 logged (in /var/log/security).
	#  firewall_nologports:		List of TCP/UDP ports for which
	#				 denied incomming packets are not
	#				 logged.
	
	# Allow packets for which a state has been built.
	${fwcmd} add check-state

	# For services permitted below.
	${fwcmd} add pass tcp  from me to any established

	# Allow any connection out, adding state for each.
	${fwcmd} add pass tcp  from me to any setup keep-state
	${fwcmd} add pass udp  from me to any       keep-state
	${fwcmd} add pass icmp from me to any       keep-state

	# Allow DHCP.
	${fwcmd} add pass udp  from 0.0.0.0 68 to 255.255.255.255 67 out
	${fwcmd} add pass udp  from any 67     to me 68 in
	${fwcmd} add pass udp  from any 67     to 255.255.255.255 68 in
	# Some servers will ping the IP while trying to decide if it's 
	# still in use.
	${fwcmd} add pass icmp from any to any icmptype 8

	# Allow "mandatory" ICMP in.
	${fwcmd} add pass icmp from any to any icmptype 3,4,11
	
	# Add permits for this workstations published services below
	# Only IPs and nets in firewall_allowservices is allowed in.
	# If you really wish to let anyone use services on your 
	# workstation, then set "firewall_allowservices='any'" in /etc/rc.conf
	#
	# Note: We don't use keep-state as that would allow DoS of
	#       our statetable. 
	#       You can add 'keep-state' to the lines for slightly
	#       better performance if you fell that DoS of your
	#       workstation won't be a problem.
	#
	for i in ${firewall_allowservices} ; do
	  for j in ${firewall_myservices} ; do
	    ${fwcmd} add pass tcp from $i to me $j
	  done
	done

	# Allow all connections from trusted IPs.
	# Playing with the content of firewall_trusted could seriously
	# degrade the level of protection provided by the firewall.
	for i in ${firewall_trusted} ; do
	  ${fwcmd} add pass ip from $i to me
	done
	
	${fwcmd} add 65000 count ip from any to any

	# Drop packets to ports where we don't want logging
	for i in ${firewall_nologports} ; do
	  ${fwcmd} add deny { tcp or udp } from any to any $i in
	done

	# Broadcasts and muticasts
	${fwcmd} add deny ip  from any to 255.255.255.255
	${fwcmd} add deny ip  from any to 224.0.0.0/24 in	# XXX

	# Noise from routers
	${fwcmd} add deny udp from any to any 520 in

	# Noise from webbrowsing.
	# The statefull filter is a bit agressive, and will cause some
	#  connection teardowns to be logged.
	${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in

	# Deny and (if wanted) log the rest unconditionally.
	log=""
	if [ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ] ; then
	  log="log logamount 500"	# The default of 100 is too low.
	  sysctl net.inet.ip.fw.verbose=1 >/dev/null
	fi
	${fwcmd} add deny $log ip from any to any
	;;

[Cc][Ll][Oo][Ss][Ee][Dd])
	${fwcmd} add 65000 deny ip from any to any
	;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;
*)
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} ${firewall_type}
	fi
	;;
esac


Re: SQUID30

Posted: 2009-04-10 9:06:08
NN
about DNS: the service is running, but I haven't configured it

Re: SQUID30

Posted: 2009-04-11 20:13:39
Gendos
Not a single ICMP packet is allowed in the ipfw rules
something like this

Code:

${FwCMD} add allow icmp from any to any icmptypes 0,8,11
before that, add these two somewhere ahead of the redirect to Squid

Code:

${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${LanOut}
at the end, allow ICMP packets for everyone inside the LAN

Code:

${FwCMD} add allow icmp from any to any via ${LanIn}
----------------------------------------------------------------------------------------------
I looked it over once more; can I see the output of

Code:

ipfw show

Re: SQUID30

Posted: 2009-04-12 3:09:22
NN
Gendos wrote: Not a single ICMP packet is allowed in the ipfw rules
something like this

Code:

${FwCMD} add allow icmp from any to any icmptypes 0,8,11
before that, add these two somewhere ahead of the redirect to Squid

Code:

${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny log icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny log icmp from any to 255.255.255.255 out via ${LanOut}
at the end, allow ICMP packets for everyone inside the LAN

Code:

${FwCMD} add allow icmp from any to any via ${LanIn}
----------------------------------------------------------------------------------------------
I looked it over once more; can I see the output of

Code:

ipfw show
I haven't added the rules yet

Code:

ipfw show
00100   14884   4678240 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
00300       0         0 deny ip from 127.0.0.0/8 to any
00400 1846182 600794950 allow ip from any to any via bge1
00500       0         0 divert 8668 ip from 10.16.0.9 to 10.16.0.0/22 out via bge0
00600       0         0 divert 8668 ip from 10.16.0.0/22 to 212.ххх.ххх.ххх out via bge0
00700       0         0 deny ip from 172.16.0.0/12 to any via bge0
00800       0         0 deny ip from 169.254.0.0/16 to any via bge0
00900       0         0 deny ip from 192.0.2.0/24 to any via bge0
01000       0         0 deny ip from 224.0.0.0/4 to any via bge0
01100       0         0 deny ip from 240.0.0.0/4 to any via bge0
01200  226274 161893723 allow tcp from any to any established
01300       0         0 allow ip from any to any frag
01400       0         0 allow tcp from any to 212.ххх.ххх.ххх dst-port 53 setup
01500       0         0 allow udp from any to 212.ххх.ххх.ххх dst-port 53
01600       0         0 allow udp from 212.ххх.ххх.ххх 53 to any
01700       2        96 allow tcp from 10.ххх.ххх.ххх to 212.ххх.ххх.ххх
01800     154      7708 deny log logamount 10 tcp from any to any in via bge0 setup
01900    2237    134148 allow tcp from any to any setup
02000       0         0 allow udp from 212.ххх.ххх.ххх to any dst-port 53 keep-state
02100       0         0 allow udp from 212.ххх.ххх.ххх to any dst-port 123 keep-state
02200   13117   1202510 allow ip from any to any
02300       0         0 divert 8668 ip from 10.16.0.0/22 to any out via bge0
02400       0         0 divert 8668 ip from any to 10.16.0.9 in via bge0
65535       0         0 deny ip from any to any



Re: SQUID30

Posted: 2009-04-13 13:06:04
Gendos
So add them
Where in the rules is the redirect to Squid?
something like this in the rules

Code:

${FwCMD} add fwd 127.0.0.1,3128 tcp from ${внутрення сеть}/${маска} to any http via ${интерфейс наружу}
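As an added example (not the thread's own code), the following Python script parses the `ipfw show` listing posted above and mechanically checks the two points raised in this exchange, explicit ICMP allows and an fwd rule redirecting to Squid's port, plus one more that the counters in that listing already hint at: rule 2200 `allow ip from any to any` has no in/out/via qualifier, so it is an unconditional catch-all and the divert rules 2300 and 2400 behind it can never match (ipfw is first-match, and their packet counts are 0). The sample ruleset is copied from the post above with the masked addresses written as xxx; the port 3128 and the extra rules used in the demonstration are assumptions taken from this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `ipfw show` listing from this thread, addresses masked as in the post.
SAMPLE_IPFW_SHOW = """ipfw show
00100   14884   4678240 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
00300       0         0 deny ip from 127.0.0.0/8 to any
00400 1846182 600794950 allow ip from any to any via bge1
00500       0         0 divert 8668 ip from 10.16.0.9 to 10.16.0.0/22 out via bge0
00600       0         0 divert 8668 ip from 10.16.0.0/22 to 212.xxx.xxx.xxx out via bge0
00700       0         0 deny ip from 172.16.0.0/12 to any via bge0
00800       0         0 deny ip from 169.254.0.0/16 to any via bge0
00900       0         0 deny ip from 192.0.2.0/24 to any via bge0
01000       0         0 deny ip from 224.0.0.0/4 to any via bge0
01100       0         0 deny ip from 240.0.0.0/4 to any via bge0
01200  226274 161893723 allow tcp from any to any established
01300       0         0 allow ip from any to any frag
01400       0         0 allow tcp from any to 212.xxx.xxx.xxx dst-port 53 setup
01500       0         0 allow udp from any to 212.xxx.xxx.xxx dst-port 53
01600       0         0 allow udp from 212.xxx.xxx.xxx 53 to any
01700       2        96 allow tcp from 10.xxx.xxx.xxx to 212.xxx.xxx.xxx
01800     154      7708 deny log logamount 10 tcp from any to any in via bge0 setup
01900    2237    134148 allow tcp from any to any setup
02000       0         0 allow udp from 212.xxx.xxx.xxx to any dst-port 53 keep-state
02100       0         0 allow udp from 212.xxx.xxx.xxx to any dst-port 123 keep-state
02200   13117   1202510 allow ip from any to any
02300       0         0 divert 8668 ip from 10.16.0.0/22 to any out via bge0
02400       0         0 divert 8668 ip from any to 10.16.0.9 in via bge0
65535       0         0 deny ip from any to any"""


@dataclass
class Rule:
    num: int
    pkts: int
    nbytes: int
    action: str   # allow, deny, divert, fwd, ...
    body: str     # everything after the action keyword


# rule number, packet counter, byte counter, action, rest of the rule
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_ipfw_show(text):
    """Parse `ipfw show` output (counters included) into Rule objects, in listing order."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # the echoed command and blank lines do not match
            num, pkts, nbytes, action, body = m.groups()
            rules.append(Rule(int(num), int(pkts), int(nbytes), action, body.strip()))
    return rules


def protocol(rule):
    """Protocol keyword of a rule, skipping the argument of divert/fwd and any log options."""
    toks = rule.body.split()
    if rule.action in ("divert", "tee", "fwd", "forward", "skipto", "pipe", "queue"):
        toks = toks[1:]
    if toks[:1] == ["log"]:
        toks = toks[1:]
        if toks[:1] == ["logamount"]:
            toks = toks[2:]
    return toks[0] if toks else ""


def explicit_icmp_allows(rules):
    """Rule numbers of allow rules whose protocol is icmp."""
    return [r.num for r in rules if r.action == "allow" and protocol(r) == "icmp"]


def fwd_rules_to(rules, port):
    """Rule numbers of fwd rules whose target ends in the given port (the proxy redirect)."""
    return [r.num for r in rules
            if r.action == "fwd" and r.body.split()[0].endswith(f",{port}")]


def catchall_index(rules):
    """Index of the first unconditional `allow ip from any to any`, or None."""
    for i, r in enumerate(rules):
        if r.action == "allow" and r.body == "ip from any to any":
            return i
    return None


def shadowed_rules(rules):
    """Rules listed after the catch-all allow: first-match means they never see a packet."""
    i = catchall_index(rules)
    if i is None:
        return []
    return [r.num for r in rules[i + 1:] if r.num != 65535]


if __name__ == "__main__":
    rules = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    print("explicit ICMP allows:", explicit_icmp_allows(rules))
    print("fwd rules to Squid on 3128:", fwd_rules_to(rules, 3128))
    print("rules shadowed by the catch-all allow:", shadowed_rules(rules))
```

Run against the posted listing it reports no ICMP allow, no fwd rule, and rules 2300 and 2400 as unreachable; the parser is generic enough to re-run after the suggested rules are added, which is a cheap way to confirm a ruleset edit did what was intended before restarting Squid.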

Re: SQUID30

Posted: 2009-04-17 9:35:03
NN
Gendos wrote: So add them
Where in the rules is the redirect to Squid?
something like this in the rules

Code:

${FwCMD} add fwd 127.0.0.1,3128 tcp from ${внутрення сеть}/${маска} to any http via ${интерфейс наружу}
it's not the firewall, I turned it off and the situation is the same :( :( :(

Re: SQUID30

Posted: 2009-04-20 8:34:05
NN
Here's the situation: when I tested on Sunday everything uploaded, both large and small files; today, at 100% of the file upload, it shows an authorization prompt (. Does anyone have any ideas?