Название: Агент фаерволла не шейпит пользователей, авторизованных как «Только сеть»
Отправлено: Andrey Zentavr от 23 Июня 2010, 19:54:30
На данный момент большая часть абонентов для авторизации использует авторизатор-ключик. Заметили такую ситуацию: когда абонент включает режим «Доступ только в локальную сеть», шейпер на него перестаёт действовать, то есть абонент начинает кочегарить канал на все сто. :) В какое место скрипта управления доступом посмотреть, чтобы исправить ситуацию? (Судя по выводу `ipfw show` ниже, шейпинг выполняют правила `pipe tablearg` по таблицам 10, 11, 20 и 21, а в состоянии «Only LAN» адрес абонента ни в одной из этих таблиц не присутствует.) Наличие IP в таблицах при разных состояниях авторизации:

| Таблица | Online | Only LAN | Off |
|---------|--------|----------|-----|
| 0       | +      | +        | -   |
| 1       | +      | +        | -   |
| 2       | +      | +        | +   |
| 10      | +      | -        | -   |
| 11      | +      | -        | -   |
| 20      | +      | -        | -   |
| 21      | +      | -        | -   |
И проблема №2: почему-то вообще не ограничивается исходящий трафик абонентов (upload). Где ошибка?

Технические данные сервера:

Операционная система:
[root@gw /usr/local/nodeny]# uname -a
FreeBSD gw.linet.zp.ua 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Nov 13 21:46:30 EET 2009 root@gw3.serv.linet:/usr/obj/usr/src/sys/LINET32YANDEX i386
Конфиг ядра:
cpu I686_CPU
ident LINET32YANDEX
# --- Netgraph ---------------------------------------------------------------
# ng_tee is what rc.firewall feeds through "ngtee 100" (rules 400/510).
# NETFLOW, PPTPGRE, PPP, PPPOE, TCPMSS are compiled in as well; whether they
# are actually used is not visible from this listing.
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_TEE
options NETGRAPH_NETFLOW
options NETGRAPH_PPTPGRE
options NETGRAPH_PPP
options NETGRAPH_SOCKET
options NETGRAPH_IPFW
options NETGRAPH_KSOCKET
options NETGRAPH_IFACE
options NETGRAPH_TCPMSS
options NETGRAPH_PPPOE
# --- Packet filtering / shaping ---------------------------------------------
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPDIVERT		# needed by the "divert natd" rules 122/123 in rc.firewall
options IPFILTER		# a second packet filter compiled in next to ipfw; not clear it is enabled
options DUMMYNET		# "pipe tablearg" shaping used by the NoDeny agent rules (5004/5400/33002/33400)
# NOTE(review): with this option the implicit last rule 65535 is "allow"
# (visible in "ipfw show").  Any packet that falls off the end of a rule
# chain -- e.g. inbound via lagg0 to an address that is in none of the
# shaping tables, or all inbound traffic while the agent's 33000+ rules are
# not installed -- is then forwarded unfiltered and unshaped.  Either drop
# this option or end the ruleset with an explicit "deny ip from any to any".
options IPFIREWALL_DEFAULT_TO_ACCEPT
options LIBALIAS
# --- Debugging ---------------------------------------------------------------
options KDB_UNATTENDED		# reboot on panic instead of stopping in the debugger
makeoptions DEBUG=-g		# Build kernel with gdb(1) debug symbols
options SCHED_ULE options PREEMPTION # Enable kernel thread preemption options INET # InterNETworking options INET6 # IPv6 communications protocols options SCTP # Stream Control Transmission Protocol options FFS # Berkeley Fast Filesystem options SOFTUPDATES # Enable FFS soft updates support options UFS_ACL # Support for access control lists options UFS_DIRHASH # Improve performance on big directories options UFS_GJOURNAL # Enable gjournal-based UFS journaling options MD_ROOT # MD is a potential root device options NFSCLIENT # Network Filesystem Client options NFSSERVER # Network Filesystem Server options NFS_ROOT # NFS usable as /, requires NFSCLIENT options MSDOSFS # MSDOS Filesystem options CD9660 # ISO 9660 Filesystem options PROCFS # Process filesystem (requires PSEUDOFS) options PSEUDOFS # Pseudo-filesystem framework options GEOM_PART_GPT # GUID Partition Tables. options GEOM_LABEL # Provides labelization options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!] options COMPAT_FREEBSD4 # Compatible with FreeBSD4 options COMPAT_FREEBSD5 # Compatible with FreeBSD5 options COMPAT_FREEBSD6 # Compatible with FreeBSD6 options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI options KTRACE # ktrace(1) support options SYSVSHM # SYSV-style shared memory options SYSVMSG # SYSV-style message queues options SYSVSEM # SYSV-style semaphores options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions options KBD_INSTALL_CDEV # install a CDEV entry in /dev options ADAPTIVE_GIANT # Giant mutex is adaptive. options STOP_NMI # Stop CPUS using NMI instead of IPI options AUDIT # Security event auditing
options SMP # Symmetric MultiProcessor Kernel device apic # I/O APIC
device cpufreq
device pci
device ata device atadisk # ATA disk drives device ataraid # ATA RAID drives device atapicd # ATAPI CDROM drives
device scbus # SCSI bus (required for SCSI) device ch # SCSI media changers device da # Direct Access (disks) device cd # CD device pass # Passthrough device (direct SCSI access) device ses # SCSI Environmental Services (and SAF-TE)
device atkbdc # AT keyboard controller device atkbd # AT keyboard device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver device splash # Splash screen and screen saver support device sc device agp # support several AGP chipsets
device pmtimer
device sio # 8250, 16[45]50 based serial ports device uart # Generic UART driver
device loop # Network loopback device random # Entropy device device ether # Ethernet support device sl # Kernel SLIP device ppp # Kernel PPP device tun # Packet tunnel. device pty # Pseudo-ttys (telnet etc) device md # Memory "disks" device gif # IPv6 and IPv4 tunneling device faith # IPv6-to-IPv4 relaying (translation) device firmware # firmware assist module
device bpf # Berkeley packet filter
device uhci # UHCI PCI->USB interface device ohci # OHCI PCI->USB interface device ehci # EHCI PCI->USB interface (USB 2.0) device usb # USB Bus (required) device ugen # Generic device uhid # "Human Interface Devices" device ukbd # Keyboard device umass # Disks/Mass storage - Requires scbus and da device ums # Mouse
/etc/sysctl.conf:
#security.bsd.see_other_uids=0
# --- TCP/IP stack -------------------------------------------------------------
net.inet.tcp.sendspace=3217968
net.inet.tcp.recvspace=3217968
net.inet.tcp.blackhole=2		# drop packets to closed TCP ports without RST
net.inet.udp.blackhole=1		# no ICMP unreachable for closed UDP ports
net.inet.tcp.nolocaltimewait=1
net.inet.ip.fastforwarding=1		# fast forwarding path for transit packets
net.inet.ip.intr_queue_maxlen=5000
net.inet.ip.portrange.first=1024
net.inet.tcp.log_in_vain=0
net.inet.udp.log_in_vain=0
net.inet.tcp.rfc1323=1
net.inet.ip.redirect=0			# do not send ICMP redirects (router role)
# NOTE(review): this turns OFF ephemeral source-port randomization for the
# gateway's own connections (DNS, NAT via natd, billing), which makes them
# easier to guess and inject into.  Re-enable unless there is a measured
# reason for sequential ports.
net.inet.ip.portrange.randomized=0
# --- ipfw / dummynet ----------------------------------------------------------
net.inet.ip.dummynet.hash_size=2048
net.inet.ip.dummynet.io_fast=1		# skip queueing when a pipe is idle
# With one_pass=1 a packet coming back from a pipe/queue is accepted at once;
# no rule placed after a "pipe tablearg" rule ever sees it (ipfw(8)).
net.inet.ip.fw.one_pass=1
# Dynamic-rule state for the keep-state rules (1010/1020 in rc.firewall).
# NOTE(review): 8192 entries looks small for a busy gateway; when the table
# is full new stateful entries cannot be created -- verify against ipfw(8)
# and the "too many dynamic rules" kernel message.
net.inet.ip.fw.dyn_buckets=2048
net.inet.ip.fw.dyn_max=8192
# --- netisr --------------------------------------------------------------------
net.isr.direct=1
# --- kernel limits ---------------------------------------------------------------
kern.maxfiles=204800
kern.maxfilesperproc=200000
kern.ipc.maxsockbuf=8388608
kern.ipc.somaxconn=4096
kern.ipc.nmbclusters=262144
kern.ipc.maxsockets=204800
net.inet.tcp.maxtcptw=40960
kern.sync_on_panic=1			# sync disks before the automatic reboot (KDB_UNATTENDED)
kern.coredump=0				# no process core dumps
# --- netgraph ------------------------------------------------------------------
net.graph.maxdgram=128000
net.graph.recvspace=128000
#### em tuning
# Keep the heading above on its own line: everything after a "#" is a
# comment, so if the dev.em.* settings shared its line (as in this paste)
# they would be silently ignored.
dev.em.0.rx_int_delay=250
dev.em.0.tx_int_delay=250
dev.em.0.rx_abs_int_delay=250
dev.em.0.tx_abs_int_delay=250
dev.em.0.rx_kthreads=4
/etc/rc.firewall:
#!/bin/sh
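############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

# Interfaces: lagg0 faces the upstream, vlan150 faces the subscribers.
ext_if="lagg0"
downlink_if="vlan150"

# Reset the ruleset and the dummynet pipes/queues.  Tables are deliberately
# NOT flushed (commented line): the NoDeny access-control agent keeps them
# populated and every rule below keys on them.
# NOTE(review): "pipe flush" also discards whatever pipes the agent
# configured, and nothing in this file re-creates them -- until the agent
# reconfigures its pipes the "pipe tablearg" rules point at nothing.
# Confirm the agent does that after a firewall reload.
# NOTE(review): the live ruleset ("ipfw show") also carries 00111 TFTP rules
# for 10.1.7.2 that are not in this file; they vanish on the next reload.
${fwcmd} -f flush
#${fwcmd} -f table all flush
${fwcmd} -f queue flush
${fwcmd} -f pipe flush

# Table 5: "local" networks (RFC 1918 space plus our own public prefixes).
# Rules 108/109/122/124/125/156-160 treat anything in it as a subscriber.
${fwcmd} table 5 flush
${fwcmd} table 5 add 10.0.0.0/8
${fwcmd} table 5 add 178.218.64.0/20
${fwcmd} table 5 add 194.126.204.0/24
${fwcmd} table 5 add 192.168.0.0/16

# Loopback: allow lo0, drop 127/8 seen on any other interface (spoofing).
${fwcmd} add 1 pass all from any to any via lo0
${fwcmd} add 2 deny all from any to 127.0.0.0/8
${fwcmd} add 3 deny ip from 127.0.0.0/8 to any

# Service traffic to and from this host.
# 101-104: ports 14120/14121 on this host <-> the NoDeny host (194.126.204.100).
${fwcmd} add 101 allow tcp from me 14120 to 194.126.204.100
${fwcmd} add 102 allow tcp from 194.126.204.100 to me dst-port 14120
${fwcmd} add 103 allow tcp from me 14121 to 194.126.204.100
${fwcmd} add 104 allow tcp from 194.126.204.100 to me dst-port 14121
# 105: everything to/from 10.1.10.200 (unrestricted; see also the commented
# "Linet Pay Services" rules further down).
${fwcmd} add 105 allow all from me to 10.1.10.200
${fwcmd} add 105 allow all from 10.1.10.200 to me
${fwcmd} add 106 allow ip from me to me
# 107: routing and multicast control traffic on both interfaces.
${fwcmd} add 107 allow ospf from any to any via ${ext_if}
${fwcmd} add 107 allow igmp from any to any via ${ext_if}
${fwcmd} add 107 allow ip from any to 224.0.0.0/4 via ${ext_if}
${fwcmd} add 107 allow ospf from any to any via ${downlink_if}
${fwcmd} add 107 allow igmp from any to any via ${downlink_if}
${fwcmd} add 107 allow ip from any to 224.0.0.0/4 via ${downlink_if}
# 108: SSH to this host from anything in table(5) -- that is, from every
# subscriber address.  NOTE(review): consider narrowing this to the
# management prefix (194.126.204.96/27, as done for SNMP and 9102 below).
${fwcmd} add 108 allow ip from me 22 to 'table(5)'
${fwcmd} add 108 allow ip from 'table(5)' to me 22
# 109: echo, unreachable, source quench, time exceeded, parameter problem.
${fwcmd} add 109 allow icmp from me to 'table(5)' icmptype 0,3,4,8,11,12
${fwcmd} add 109 allow icmp from 'table(5)' to me icmptype 0,3,4,8,11,12
# 110: SNMP, 111: tcp/9102 (presumably a backup agent) from the management /27 only.
${fwcmd} add 110 allow udp from 194.126.204.96/27 to me 161 in via ${ext_if}
${fwcmd} add 110 allow udp from me 161 to 194.126.204.96/27 out via ${ext_if}
${fwcmd} add 111 allow tcp from 194.126.204.96/27 to me 9102 in via ${ext_if}
${fwcmd} add 111 allow tcp from me 9102 to 194.126.204.96/27 out via ${ext_if}

# Redirect users with no NoDeny connection to special web page.
# Authorised sources/destinations (table 1) skip the divert; anyone else in
# table(5) gets outbound HTTP (except to the billing hosts) pushed through
# natd, and the natd reply from 194.126.204.100:10080 back in.
${fwcmd} add 120 skipto 130 all from 'table(1)' to any out via ${ext_if}
${fwcmd} add 121 skipto 130 all from any to 'table(1)' in via ${ext_if}
${fwcmd} add 122 divert natd tcp from 'table(5)' to not 194.126.204.100,194.126.204.116 dst-port 80 out via ${ext_if}
${fwcmd} add 123 divert natd tcp from 194.126.204.100 10080 to me in via ${ext_if}
${fwcmd} add 124 allow tcp from 'table(5)' to any dst-port 80
${fwcmd} add 125 allow tcp from any 80 to 'table(5)'

# Traffic from this host -> chain 1000; to this host -> chain 2000.
# 135 drops inbound ICMP redirect (5), router advertisement (9), timestamp
# (13/14), information (15/16) and address-mask (17) messages first.
${fwcmd} add 130 skipto 1000 ip from me to any
${fwcmd} add 135 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${fwcmd} add 140 skipto 2000 ip from any to me

# Allow only billing and local DNS for table 5 users (... banned users)
# downloads.linet
${fwcmd} add 156 allow tcp from 'table(5)' to 194.126.204.116 80
${fwcmd} add 156 allow tcp from 194.126.204.116 80 to 'table(5)'
# Nodeny host
${fwcmd} add 157 allow ip from 'table(5)' to 194.126.204.100
${fwcmd} add 157 allow ip from 194.126.204.100 to 'table(5)'
# Local DNS IP
${fwcmd} add 158 allow udp from 'table(5)' to 10.0.0.0/8 53
${fwcmd} add 158 allow udp from 10.0.0.0/8 53 to 'table(5)'
# Global DNS IP
${fwcmd} add 159 allow udp from 'table(5)' to 194.126.204.0/26 53
${fwcmd} add 159 allow udp from 194.126.204.0/26 53 to 'table(5)'
${fwcmd} add 160 allow udp from 'table(5)' to 178.218.64.0/20 53
${fwcmd} add 160 allow udp from 178.218.64.0/20 53 to 'table(5)'
#${fwcmd} add 200 deny ip from 'table(33)' to any
#${fwcmd} add 200 deny ip from any to 'table(33)'

# Table10 - fills by UTM automatically (Table 10 for allowed local free trafic)
# Allow FTP Servers Connection limit: at most 2 control/data connections per
# source address from authorised users to each FTP server.
${fwcmd} add 170 allow tcp from 'table(1)' to 194.126.204.125 20 setup limit src-addr 2
${fwcmd} add 170 allow tcp from 'table(1)' to 194.126.204.125 21 setup limit src-addr 2
${fwcmd} add 170 allow tcp from 'table(1)' to 194.126.204.110 20 setup limit src-addr 2
${fwcmd} add 170 allow tcp from 'table(1)' to 194.126.204.110 21 setup limit src-addr 2
${fwcmd} add 170 allow tcp from 'table(1)' to 194.126.204.126 20 setup limit src-addr 2
${fwcmd} add 170 allow tcp from 'table(1)' to 194.126.204.126 21 setup limit src-addr 2

#### Linet Pay Services
###${fwcmd} add 350 skipto 4999 all from 10.1.10.200 to 'table(10)'
###${fwcmd} add 350 skipto 4999 all from 'table(10)' to 10.1.10.200
#### End of Linet Pay Services

# Dispatch to the agent-maintained chains.  Neither 4500 nor 32500 exists in
# this file: ipfw resolves a skipto to the next rule with a number >= the
# target, i.e. the agent's 5000+ (downlink-in) and 33000+ (uplink-in) rules,
# or to whatever follows when those are absent.
${fwcmd} add 200 skipto 500 ip from any to any via ${ext_if}

# Inbound on the subscriber side -> agent chain 5000+.
${fwcmd} add 300 skipto 4500 ip from any to any in

# Outbound on the subscriber side: copy to netgraph hook 100 (accounting) and pass.
${fwcmd} add 400 ngtee 100 ip from any to any
${fwcmd} add 490 allow ip from any to any

# Uplink: inbound -> agent chain 33000+; outbound: tee to accounting and pass.
${fwcmd} add 500 skipto 32500 ip from any to any in
${fwcmd} add 510 ngtee 100 ip from any to any
${fwcmd} add 540 allow ip from any to any

# Chain 1000: traffic originated by this host.  Stateful for TCP/UDP; 7723 is
# presumably NoDeny's own UDP port.  1100 lets everything else out.
${fwcmd} add 1000 allow udp from any 53,7723 to any
${fwcmd} add 1010 allow tcp from any to any setup keep-state
${fwcmd} add 1020 allow udp from any to any keep-state
${fwcmd} add 1100 allow ip from any to any

# Chain 2000: traffic to this host.  State from chain 1000, ICMP, then HTTP/HTTPS.
# NOTE(review): 2020 sits before 2050, so the web ports of the gateway are
# reachable from the uplink as well -- confirm that is intended.
${fwcmd} add 2000 check-state
${fwcmd} add 2010 allow icmp from any to any
${fwcmd} add 2020 allow tcp from any to any 80,443
${fwcmd} add 2050 deny ip from any to any via ${ext_if}
${fwcmd} add 2060 allow udp from any to any 53,7723
${fwcmd} add 2100 deny ip from any to any

# Backstop for the downlink-in chain: when the agent's 5000+ rules are absent
# (e.g. right after the flush above) "skipto 4500" lands here.
${fwcmd} add 32490 deny ip from any to any

# Backstop for the uplink-in chain.  "skipto 32500" resolves to the agent's
# 33000+ rules, which sit AFTER 32490 and end with "pipe tablearg ... to
# table(10)" rather than a deny.  The kernel is built with
# IPFIREWALL_DEFAULT_TO_ACCEPT, so anything those rules do not match -- a
# destination that is not in table(10) (this is how an "Only LAN" user ends
# up unshaped), or all inbound traffic while the agent rules are not yet
# installed -- was forwarded by rule 65535.  Before deploying, check the
# 65535 counters for legitimate transit that would now be dropped.
${fwcmd} add 65534 deny ip from any to any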
/boot/loader.conf:
autoboot_delay="2"
# Boot the custom (LINET32YANDEX) kernel from /boot/kernel.yandex instead of
# /boot/kernel -- presumably the "yandex" patched em(4)/netisr build; verify.
kernel="kernel.yandex"
bootfile="kernel"
# Link aggregation for the uplink (lagg0) and the Intel NIC driver.
if_lagg_load="YES"
if_em_load="YES"
# Larger RX/TX descriptor rings for em(4); must be set at boot, not in sysctl.conf.
hw.em.rxd=3072
hw.em.txd=3072
Название: Re: Агент фаерволла не шейпит пользователей, авторизованных как «Только сеть»
Отправлено: Andrey Zentavr от 23 Июня 2010, 19:55:34
Правила фаерволла в рабочем состоянии:[root@gw /usr/src/sys/i386/conf]# ipfw show 00001 838267 69293197 allow ip from any to any via lo0 00002 79 5720 deny ip from any to 127.0.0.0/8 00003 0 0 deny ip from 127.0.0.0/8 to any 00101 7715 484895 allow tcp from me 14120 to 194.126.204.100 00102 6462 362085 allow tcp from 194.126.204.100 to me dst-port 14120 00103 469 27431 allow tcp from me 14121 to 194.126.204.100 00104 421 23573 allow tcp from 194.126.204.100 to me dst-port 14121 00105 2197 162860 allow ip from me to 10.1.10.200 00105 118241 8369098 allow ip from 10.1.10.200 to me 00106 0 0 allow ip from me to me 00107 6888661 735280136 allow ospf from any to any via lagg0 00107 95 43640 allow igmp from any to any via lagg0 00107 0 0 allow ip from any to 224.0.0.0/4 via lagg0 00107 538898 45064272 allow ospf from any to any via vlan150 00107 16 512 allow igmp from any to any via vlan150 00107 0 0 allow ip from any to 224.0.0.0/4 via vlan150 00108 4058959 2832028124 allow ip from me 22 to table(5) 00108 2485674 115364712 allow ip from table(5) to me dst-port 22 00109 1379446 99877833 allow icmp from me to table(5) icmptypes 0,3,4,8,11,12 00109 839550 65570611 allow icmp from table(5) to me icmptypes 0,3,4,8,11,12 00110 93841 12077357 allow udp from 194.126.204.96/27 to me dst-port 161 in via lagg0 00110 64405 13686438 allow udp from me 161 to 194.126.204.96/27 out via lagg0 00111 21 1123 allow udp from 10.1.7.2 1024-65535 to me dst-port 69 in 00111 23460 12724565 allow udp from me 1024-65535 to 10.1.7.2 dst-port 1024-65535 out 00111 23450 777071 allow udp from 10.1.7.2 1024-65535 to me dst-port 1024-65535 in 00111 1126 218751 allow tcp from me 9102 to 194.126.204.96/27 out via lagg0 00111 1347 321884 allow tcp from 194.126.204.96/27 to me dst-port 9102 in via lagg0 00120 137991223013 77504054543714 skipto 130 ip from table(1) to any out via lagg0 00121 132130421997 107525625546287 skipto 130 ip from any to table(1) in via lagg0 00122 25879770 1260824895 divert 8668 
tcp from table(5) to not 194.126.204.100,194.126.204.116 dst-port 80 out via lagg0 00123 0 0 divert 8668 tcp from 194.126.204.100 10080 to me in via lagg0 00124 13950948505 1387603441970 allow tcp from table(5) to any dst-port 80 00125 21266616333 27639439565177 allow tcp from any 80 to table(5) 00130 435720275 433847957277 skipto 1000 ip from me to any 00135 37165 38974435 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17 00140 151957420 78036677487 skipto 2000 ip from any to me 00156 22875 1030750 allow tcp from table(5) to 194.126.204.116 dst-port 80 00156 46922 66779508 allow tcp from 194.126.204.116 80 to table(5) 00157 206282419 10652959452 allow ip from table(5) to 194.126.204.100 00157 305803339 26099763157 allow ip from 194.126.204.100 to table(5) 00158 1298671 166541313 allow udp from table(5) to 10.0.0.0/8 dst-port 53 00158 605590 38624112 allow udp from 10.0.0.0/8 53 to table(5) 00159 267502331 16884467113 allow udp from table(5) to 194.126.204.0/26 dst-port 53 00159 263642849 52585836155 allow udp from 194.126.204.0/26 53 to table(5) 00160 4 232 allow udp from table(5) to 178.218.64.0/20 dst-port 53 00160 182 28322 allow udp from 178.218.64.0/20 53 to table(5) 00170 0 0 allow tcp from table(1) to 194.126.204.125 dst-port 20 setup limit src-addr 2 00170 2916393 155145507 allow tcp from table(1) to 194.126.204.125 dst-port 21 setup limit src-addr 2 00170 0 0 allow tcp from table(1) to 194.126.204.110 dst-port 20 setup limit src-addr 2 00170 507183 28415870 allow tcp from table(1) to 194.126.204.110 dst-port 21 setup limit src-addr 2 00170 0 0 allow tcp from table(1) to 194.126.204.126 dst-port 20 setup limit src-addr 2 00170 2044740 120585168 allow tcp from table(1) to 194.126.204.126 dst-port 21 setup limit src-addr 2 00200 269237581603 184438509264135 skipto 500 ip from any to any via lagg0 00300 187587262378 136606521530881 skipto 4500 ip from any to any in 00400
169024421527 136410483675143 ngtee 100 ip from any to any 00490 0 0 allow ip from any to any 00500 131941855498 107401047332790 skipto 32500 ip from any to any in 00510 137374518395 77061978521040 ngtee 100 ip from any to any 00540 0 0 allow ip from any to any 01000 58998522 11681055825 allow udp from any 53,7723 to any 01010 100741759 69264017831 allow tcp from any to any setup keep-state 01020 359586324 426605170149 allow udp from any to any keep-state 01100 2648690 129117810 allow ip from any to any 02000 0 0 check-state 02010 302378 43589890 allow icmp from any to any 02020 793 39216 allow tcp from any to any dst-port 80,443 02050 1776325 143966018 deny ip from any to any via lagg0 02060 60947449 3865055884 allow udp from any to any dst-port 53,7723 02100 2670985 150842623 deny ip from any to any 05000 116406673 7007094116 deny ip from not table(0) to any 05001 0 0 skipto 5010 ip from table(127) to table(126) 05002 52459801885 35470101503823 skipto 5030 ip from any to not table(2) 05003 29506387 1689108163 deny ip from any to not table(1) 05004 28220814444 23343937039375 pipe tablearg ip from table(21) to any 05005 50 17595 deny ip from any to any 05010 0 0 pipe tablearg ip from table(127) to any 05030 1109085 58916664 deny tcp from table(15) to any dst-port 25,135,465,587 05132 0 0 allow ip from table(33) to table(32) 05134 0 0 allow ip from table(35) to table(34) 05136 0 0 allow ip from table(37) to table(36) 05138 0 0 allow ip from table(39) to table(38) 05140 0 0 allow ip from table(41) to table(40) 05148 0 0 allow ip from table(49) to table(48) 05150 0 0 allow ip from table(51) to table(50) 05152 0 0 allow ip from table(53) to table(52) 05158 0 0 allow ip from table(59) to table(58) 05160 0 0 allow ip from table(61) to table(60) 05162 0 0 allow ip from table(63) to table(62) 05400 52450022455 35473535064375 pipe tablearg ip from table(11) to any 32000 202 23648 deny ip from any to any 32490 86616 14626271 deny ip from any to any 33000 0 0 pipe tablearg ip 
from table(126) to table(127) 33001 51564085063 35351714377856 skipto 33010 ip from not table(2) to any 33002 10438884316 15079875560610 pipe tablearg ip from any to table(20) 33003 6282911 304100869 deny ip from any to any 33132 0 0 allow ip from table(32) to table(33) 33134 0 0 allow ip from table(34) to table(35) 33136 0 0 allow ip from table(36) to table(37) 33138 0 0 allow ip from table(38) to table(39) 33140 0 0 allow ip from table(40) to table(41) 33148 0 0 allow ip from table(48) to table(49) 33150 0 0 allow ip from table(50) to table(51) 33152 0 0 allow ip from table(52) to table(53) 33158 0 0 allow ip from table(58) to table(59) 33160 0 0 allow ip from table(60) to table(61) 33162 0 0 allow ip from table(62) to table(63) 33400 50030555572 33387953440637 pipe tablearg ip from any to table(10) 65535 3398858448 4339041098429 allow ip from any to any