На данный момент большая часть абонентов для авторизации использует авторизатор-ключик. Заметили такую ситуацию, что когда абонент включает режим "Доступ только в локальную сеть" - то на него перестаёт работать шейпер. То есть абонент начинает кочегарить канал на все сто.
В какое место скрипта управления доступом посмотреть чтобы исправить ситуацию?
Наличие IP в таблице при разных состояниях авторизации:
Таблица | Online | Only LAN | Off |
0 | + | + | - |
1 | + | + | - |
2 | + | + | + |
10 | + | - | - |
11 | + | - | - |
20 | + | - | - |
21 | + | - | - |
И проблема №2: почему-то вообще не рубится аплоад. Где косяк?
Технические данные сервера:
Операционная система:
[root@gw /usr/local/nodeny]# uname -a
FreeBSD gw.linet.zp.ua 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Nov 13 21:46:30 EET 2009 root@gw3.serv.linet:/usr/obj/usr/src/sys/LINET32YANDEX i386
# Kernel configuration LINET32YANDEX (FreeBSD 7.2-RELEASE-p4, i386) for the NoDeny gateway.
cpu I686_CPU
ident LINET32YANDEX
# netgraph(4): ng_ipfw is what the "ngtee 100" rules in rc.firewall hand packets to;
# ng_netflow presumably does the traffic accounting -- confirm against the running ngctl graph.
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_TEE
options NETGRAPH_NETFLOW
options NETGRAPH_PPTPGRE
options NETGRAPH_PPP
options NETGRAPH_SOCKET
options NETGRAPH_IPFW
options NETGRAPH_KSOCKET
options NETGRAPH_IFACE
options NETGRAPH_TCPMSS
options NETGRAPH_PPPOE
# Packet filtering / shaping stack used by rc.firewall and by the billing's access script.
options IPFIREWALL
options IPFIREWALL_FORWARD # "fwd" action; not used by the rc.firewall listed here
options IPDIVERT # needed by the "divert natd" rules (122/123) in rc.firewall
options IPFILTER # a second packet filter (ipf) compiled in alongside ipfw
options DUMMYNET # pipes/queues for the shaper ("pipe flush"/"queue flush" in rc.firewall)
options IPFIREWALL_DEFAULT_TO_ACCEPT # default rule 65535 is "allow": while rc.firewall is absent or
                                     # mid-reload (it starts with "ipfw -f flush") the box forwards everything
options LIBALIAS
options KDB_UNATTENDED # on panic do not wait in the debugger, reboot unattended
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_ULE
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
options STOP_NMI # Stop CPUS using NMI instead of IPI
options AUDIT # Security event auditing
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
device cpufreq
device pci
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
device sc
device agp # support several AGP chipsets
device pmtimer
device sio # 8250, 16[45]50 based serial ports
device uart # Generic UART driver
# NOTE: there is no "device em" (nor miibus) here -- the NIC driver comes from
# if_em_load="YES" in /boot/loader.conf, i.e. it is loaded as a module.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device firmware # firmware assist module
device bpf # Berkeley packet filter
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
device ugen # Generic
device uhid # "Human Interface Devices"
device ukbd # Keyboard
device umass # Disks/Mass storage - Requires scbus and da
device ums # Mouse
# /etc/sysctl.conf -- gateway tuning; security- and shaper-relevant knobs annotated.
# Left disabled: unprivileged users can still see other users' processes.
#security.bsd.see_other_uids=0
# ~3 MB default TCP socket buffers (capped by kern.ipc.maxsockbuf below).
net.inet.tcp.sendspace=3217968
net.inet.tcp.recvspace=3217968
# Do not answer probes to closed ports (tcp=2: neither SYN nor non-SYN; udp: no ICMP unreachable).
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.nolocaltimewait=1
# Fast-path IP forwarding; pfil hooks (ipfw) still run on fast-forwarded packets.
net.inet.ip.fastforwarding=1
net.inet.ip.intr_queue_maxlen=5000
net.inet.ip.portrange.first=1024
# No logging of connection attempts to closed ports (quiet, but also no scan visibility in syslog).
net.inet.tcp.log_in_vain=0
net.inet.udp.log_in_vain=0
net.inet.tcp.rfc1323=1
# Never emit ICMP redirects (rule 135 in rc.firewall also drops inbound ones).
net.inet.ip.redirect=0
# NOTE(review): ephemeral source ports of the gateway's own connections become sequential,
# which weakens protection against spoofed replies; consider leaving randomization on.
net.inet.ip.portrange.randomized=0
# dummynet: flow hash size and "io_fast" (packets bypass the scheduler while a pipe is idle).
net.inet.ip.dummynet.hash_size=2048
net.inet.ip.dummynet.io_fast=1
# one_pass=1: a packet coming out of a dummynet pipe/queue is accepted at once and is NOT
# re-injected after the pipe rule, so only one pipe can apply per firewall pass and no later
# rule sees it. The pipe rules themselves are not in rc.firewall (presumably inserted by the
# NoDeny access script at 4500/32500) -- check where they sit relative to the allow rules.
net.inet.ip.fw.one_pass=1
# Dynamic-rule table for the keep-state/check-state rules (1010/1020/2000).
net.inet.ip.fw.dyn_buckets=2048
net.inet.ip.fw.dyn_max=8192
net.isr.direct=1
kern.maxfiles=204800
kern.maxfilesperproc=200000
kern.ipc.maxsockbuf=8388608
kern.ipc.somaxconn=4096
kern.ipc.nmbclusters=262144
kern.ipc.maxsockets=204800
net.inet.tcp.maxtcptw=40960
kern.sync_on_panic=1
# No core dumps: nothing sensitive lands on disk, but also no post-mortem data after a crash.
kern.coredump=0
net.graph.maxdgram=128000
net.graph.recvspace=128000
#### em tuning
dev.em.0.rx_int_delay=250
dev.em.0.tx_int_delay=250
dev.em.0.rx_abs_int_delay=250
dev.em.0.tx_abs_int_delay=250
# rx_kthreads is not a stock em(4) knob; presumably provided by the patched driver
# behind kernel.yandex / if_em_load -- confirm with "sysctl dev.em.0".
dev.em.0.rx_kthreads=4
#!/bin/sh
# /etc/rc.firewall -- ipfw rule set for the NoDeny gateway.
#
# Rule layout:
#   1-3       loopback / 127.0.0.0/8 anti-spoof
#   101-111   traffic of the gateway itself (billing, pay host, OSPF/IGMP, ssh, SNMP, tcp/9102)
#   120-125   subscribers without a NoDeny session get HTTP diverted to natd (login page)
#   130/140   gateway-originated traffic -> 1000, traffic to the gateway -> 2000
#   156-160   what table(5) may always reach: downloads host, billing host, DNS
#   170       per-source connection limit towards the FTP servers
#   200-540   direction dispatch; 4500 and 32500 are skipto targets that are NOT
#             defined in this file (presumably inserted by the NoDeny access script,
#             which also manages tables 0/1/2/10/11/20/21 -- confirm)
#   32490     catch-all deny
#
# The kernel is built with IPFIREWALL_DEFAULT_TO_ACCEPT: between "-f flush" below and
# the first "add" the box forwards everything. "table all flush" stays commented on
# purpose so that the billing-managed tables survive a rule reload.

# Honour firewall_quiet=YES from rc.conf by adding -q to every ipfw call.
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="${fwcmd} -q"
	;;
esac

# Wrapper so each rule reads as a plain ipfw command line.
# ${fwcmd} is expanded unquoted on purpose: it may hold "/sbin/ipfw -q".
fw() {
	${fwcmd} "$@"
}

ext_if="lagg0"            # uplink, towards the Internet
downlink_if="vlan150"     # subscriber-facing interface

# Hosts and networks referenced more than once below.
nodeny_host="194.126.204.100"    # NoDeny (billing) host
downloads_host="194.126.204.116" # downloads.linet
pay_host="10.1.10.200"           # Linet Pay Services
mon_net="194.126.204.96/27"      # source of SNMP (udp/161) and tcp/9102 towards the gateway

fw -f flush
#fw -f table all flush
fw -f queue flush
fw -f pipe flush

# table(5): every network that counts as local / subscriber address space.
fw table 5 flush
for local_net in 10.0.0.0/8 178.218.64.0/20 194.126.204.0/24 192.168.0.0/16; do
	fw table 5 add ${local_net}
done

# Loopback and 127/8 anti-spoofing.
fw add 1 pass all from any to any via lo0
fw add 2 deny all from any to 127.0.0.0/8
fw add 3 deny ip from 127.0.0.0/8 to any

# Traffic between the gateway and the billing / pay hosts.
fw add 101 allow tcp from me 14120 to ${nodeny_host}
fw add 102 allow tcp from ${nodeny_host} to me dst-port 14120
fw add 103 allow tcp from me 14121 to ${nodeny_host}
fw add 104 allow tcp from ${nodeny_host} to me dst-port 14121
fw add 105 allow all from me to ${pay_host}
fw add 105 allow all from ${pay_host} to me
fw add 106 allow ip from me to me

# Routing and multicast control traffic on both interfaces.
for iface in ${ext_if} ${downlink_if}; do
	fw add 107 allow ospf from any to any via ${iface}
	fw add 107 allow igmp from any to any via ${iface}
	fw add 107 allow ip from any to 224.0.0.0/4 via ${iface}
done

# Management of the gateway from local space: ssh, selected ICMP, SNMP, tcp/9102.
fw add 108 allow ip from me 22 to 'table(5)'
fw add 108 allow ip from 'table(5)' to me 22
fw add 109 allow icmp from me to 'table(5)' icmptype 0,3,4,8,11,12
fw add 109 allow icmp from 'table(5)' to me icmptype 0,3,4,8,11,12
fw add 110 allow udp from ${mon_net} to me 161 in via ${ext_if}
fw add 110 allow udp from me 161 to ${mon_net} out via ${ext_if}
fw add 111 allow tcp from ${mon_net} to me 9102 in via ${ext_if}
fw add 111 allow tcp from me 9102 to ${mon_net} out via ${ext_if}

# Subscribers in table(1) (active NoDeny session) skip the redirect; everyone else in
# table(5) has outbound HTTP (except to the billing and downloads hosts) diverted to
# natd, which lands them on the "no connection" page.
fw add 120 skipto 130 all from 'table(1)' to any out via ${ext_if}
fw add 121 skipto 130 all from any to 'table(1)' in via ${ext_if}
fw add 122 divert natd tcp from 'table(5)' to not ${nodeny_host},${downloads_host} dst-port 80 out via ${ext_if}
fw add 123 divert natd tcp from ${nodeny_host} 10080 to me in via ${ext_if}
fw add 124 allow tcp from 'table(5)' to any dst-port 80
fw add 125 allow tcp from any 80 to 'table(5)'

# Gateway-originated traffic is handled at 1000, traffic for the gateway at 2000.
# Inbound ICMP redirect / router-advert / timestamp / info / mask messages are dropped.
fw add 130 skipto 1000 ip from me to any
fw add 135 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
fw add 140 skipto 2000 ip from any to me

# Reachable by every table(5) address, session or not (incl. blocked subscribers):
# the downloads host, the billing host and DNS (local and public resolvers).
fw add 156 allow tcp from 'table(5)' to ${downloads_host} 80
fw add 156 allow tcp from ${downloads_host} 80 to 'table(5)'
fw add 157 allow ip from 'table(5)' to ${nodeny_host}
fw add 157 allow ip from ${nodeny_host} to 'table(5)'
fw add 158 allow udp from 'table(5)' to 10.0.0.0/8 53
fw add 158 allow udp from 10.0.0.0/8 53 to 'table(5)'
fw add 159 allow udp from 'table(5)' to 194.126.204.0/26 53
fw add 159 allow udp from 194.126.204.0/26 53 to 'table(5)'
fw add 160 allow udp from 'table(5)' to 178.218.64.0/20 53
fw add 160 allow udp from 178.218.64.0/20 53 to 'table(5)'
#fw add 200 deny ip from 'table(33)' to any
#fw add 200 deny ip from any to 'table(33)'

# Table 10 is filled automatically by the billing (allowed free local traffic).
# Logged-in subscribers: at most 2 concurrent connections per source to each FTP server.
for ftp_host in 194.126.204.125 194.126.204.110 194.126.204.126; do
	for ftp_port in 20 21; do
		fw add 170 allow tcp from 'table(1)' to ${ftp_host} ${ftp_port} setup limit src-addr 2
	done
done

#### Linet Pay Services
###fw add 350 skipto 4999 all from ${pay_host} to 'table(10)'
###fw add 350 skipto 4999 all from 'table(10)' to ${pay_host}
#### End of Linet Pay Services

# Direction dispatch. A forwarded subscriber packet is evaluated twice:
#   upload:   "in via ${downlink_if}"  -> 300 -> 4500 (billing rules, not in this file)
#             "out via ${ext_if}"      -> 200 -> 500 -> 510 (ngtee) -> 540 allow
#   download: "in via ${ext_if}"       -> 200 -> 500 -> 32500 (billing rules, not in this file)
#             "out via ${downlink_if}" -> 400 (ngtee) -> 490 allow
# "ngtee 100" copies the packet to the ng_ipfw hook (presumably ng_netflow accounting --
# confirm). Nothing in this file shapes the 510/540 (upload towards the uplink) pass.
fw add 200 skipto 500 ip from any to any via ${ext_if}
fw add 300 skipto 4500 ip from any to any in
fw add 400 ngtee 100 ip from any to any
fw add 490 allow ip from any to any
fw add 500 skipto 32500 ip from any to any in
fw add 510 ngtee 100 ip from any to any
fw add 540 allow ip from any to any

# 1000: traffic originated by the gateway itself (stateful).
fw add 1000 allow udp from any 53,7723 to any
fw add 1010 allow tcp from any to any setup keep-state
fw add 1020 allow udp from any to any keep-state
fw add 1100 allow ip from any to any

# 2000: traffic addressed to the gateway itself. Note that 2010 (all ICMP) and 2020
# (tcp/80,443) precede the 2050 deny, so they are reachable from the uplink as well.
fw add 2000 check-state
fw add 2010 allow icmp from any to any
fw add 2020 allow tcp from any to any 80,443
fw add 2050 deny ip from any to any via ${ext_if}
fw add 2060 allow udp from any to any 53,7723
fw add 2100 deny ip from any to any

# Catch-all: whatever falls through the 4500.. region without a verdict is dropped;
# the "skipto 32500" branch jumps past this rule.
fw add 32490 deny ip from any to any
# /boot/loader.conf
autoboot_delay="2"
kernel="kernel.yandex"    # boot the custom LINET32YANDEX build instead of the stock kernel
bootfile="kernel"
if_lagg_load="YES"        # lagg0 is the uplink interface used by rc.firewall
if_em_load="YES"          # em(4) is not compiled into the kernel config, so it comes in as a module
# em(4) receive/transmit descriptor ring sizes; loader tunables, take effect at boot only.
hw.em.rxd=3072
hw.em.txd=3072