Доброго дня.
Проблема така ж, тому вирішив нову тему не відкривати.
Пробую налаштувати 49.32.
Отож...
Поки тестую на одному клієнтові, який намагається пінгувати lib.ru
%uname -a
FreeBSD billy.lutsk.ukrpack.net 8.2-STABLE FreeBSD 8.2-STABLE #3: Mon Dec 12 17:31:40 EET 2011 root@billy.lutsk.ukrpack.net:/usr/obj/usr/src/sys/BILLY i386
%cat /sys/i386/conf/BILLY
# $FreeBSD: src/sys/i386/conf/BILLY,v 1.519.2.17 2011/11/07 13:45:18 marius Exp $
cpu I686_CPU
ident BILLY
# NOTE(review): debug symbols plus KDB/KDB_TRACE below are build/debugging aids;
# confirm they are wanted on a production gateway.
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
options NFSLOCKD # Network Lock Manager
options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options COMPAT_43TTY # BSD 4.3 TTY compat (sgtty)
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options COMPAT_FREEBSD7 # Compatible with FreeBSD7
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options P1003_1B_SEMAPHORES # POSIX-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
# Audit and MAC are compiled in; neither is configured elsewhere on this page.
options AUDIT # Security event auditing
options MAC # TrustedBSD MAC Framework
#options KDTRACE_HOOKS # Kernel DTrace hooks
options INCLUDE_CONFIG_FILE # Include this file in kernel
options KDB # Kernel debugger related code
options KDB_TRACE # Print a stack trace for a panic
# To make an SMP kernel, the next two lines are needed
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
# CPU frequency control
device cpufreq
# Bus support.
device acpi
device eisa
device pci
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID # Static device numbering
# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
device da # Direct Access (disks)
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
device agp # support several AGP chipsets
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# Serial (COM) ports
device uart # Generic UART driver
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
# The only physical NIC; bge0 carries the public address and both VLANs.
device bge # Broadcom BCM570xx Gigabit Ethernet
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device vlan # 802.1Q VLAN support
device tun # Packet tunnel.
device pty # BSD-style compatibility pseudo ttys
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
# USB support
# NOTE(review): USB_DEBUG only adds USB driver debug output; usually left off
# outside driver development.
options USB_DEBUG # enable debug msgs
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
device ukbd # Keyboard
device umass # Disks/Mass storage - Requires scbus and da
device ums # Mouse
# Netgraph
options NETGRAPH
options NETGRAPH_IPFW
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET
options NETGRAPH_CISCO
options NETGRAPH_ECHO
options NETGRAPH_FRAME_RELAY
options NETGRAPH_HOLE
options NETGRAPH_KSOCKET
options NETGRAPH_LMI
options NETGRAPH_RFC1490
options NETGRAPH_TTY
options NETGRAPH_ASYNC
options NETGRAPH_BPF
options NETGRAPH_ETHER
options NETGRAPH_IFACE
# NOTE(review): NETGRAPH_KSOCKET is already listed above (duplicate, harmless).
options NETGRAPH_KSOCKET
options NETGRAPH_L2TP
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_PPP
options NETGRAPH_PPTPGRE
options NETGRAPH_TEE
options NETGRAPH_UI
options NETGRAPH_VJC
# PF
device pf
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
# No IPFIREWALL_DEFAULT_TO_ACCEPT, so the built-in last rule is
# "65535 deny ip from any to any" (visible at the end of "ipfw show").
options IPFIREWALL
# IPDIVERT and DUMMYNET are compiled in here; the ipdivert_load/dummynet_load
# entries in /boot/loader.conf are therefore redundant.
options IPDIVERT
options IPFIREWALL_FORWARD
options DUMMYNET
options DEVICE_POLLING
options HZ=1000
%cat /etc/rc.conf
# -- sysinstall generated deltas -- # Mon Nov 21 21:03:48 2011
# Created: Mon Nov 21 21:03:48 2011
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="212.1.102.14"
font8x14="cp866u-8x14"
font8x16="cp866u-8x16"
font8x8="cp866u-8x8"
# Turns on IP forwarding; net.inet.ip.forwarding=1 in sysctl.conf sets the same thing.
gateway_enable="YES"
hostname="billy.lutsk.ukrpack.net"
# Upstream interface; this address is one of the two pf NAT source addresses.
ifconfig_bge0="inet 212.1.102.12 netmask 255.255.255.240"
# Cloned interfaces
cloned_interfaces="vlan317 vlan316"
#WiFi client antenas admin
ifconfig_vlan317="vlan 317 vlandev bge0 172.29.133.1 netmask 255.255.255.0"
#WiFi clients
# 10.10.25.0/24 is the subnet the pf "nat on bge0" rule translates.
ifconfig_vlan316="vlan 316 vlandev bge0 10.10.25.1 netmask 255.255.255.0"
# NOTE(review): inetd and ftpd (below) are enabled next to sshd on a gateway
# host; confirm each extra listener is still needed.
inetd_enable="YES"
keymap="ua.koi8-u.shift.alt"
mousechar_start="3"
scrnmap="koi8-u2cp866u"
ntpdate_enable="YES"
ntpdate_flags="ua.pool.ntp.org"
# NOTE(review): duplicate of the scrnmap= line above (harmless, last one wins).
scrnmap="koi8-u2cp866u"
sshd_enable="YES"
apache22_enable="YES"
mysql_enable="YES"
mpd_enable="YES"
sendmail_enable="NO"
ftpd_enable="YES"
# NAT interfaces
# This alias is the second address of the pf NAT pool shown by "pfctl -sn".
ifconfig_bge0_alias0="212.1.102.23/32"
##FireWall
# firewall_script is the stock /etc/rc.firewall, which picks its rules from
# firewall_type; with firewall_type commented out the rules seen in
# "ipfw show" presumably come from elsewhere (the perl daemons?) - TODO confirm.
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
#firewall_type="open"
firewall_quiet="NO"
firewall_logging="YES"
firewall_simple_oif="bge0"
# bruteblock writes blocked addresses into ipfw table 40 (rules 00010/00011).
bruteblockd_enable="YES"
bruteblockd_table="40"
bruteblockd_flags="-s 5"
# pf is used for NAT only; /etc/pf.conf ends with "pass quick all".
pf_enable="YES"
pf_rules="/etc/pf.conf"
ipcad_enable="YES"
%cat /etc/sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.8.34.1.6.1 2010/12/21 17:09:25 kensmith Exp $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
# ipfw logging to syslog, at most verbose_limit entries per rule
# (pairs with firewall_logging="YES" in rc.conf).
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
# one_pass=0: a packet accepted by a dummynet pipe or divert rule is re-injected
# into ipfw and continues at the rule after the one that matched it.
# NOTE(review): in the "ipfw show" output further down, rule 32000 (deny) has
# the same packet count (899) as pipe rule 05400 directly before it, which looks
# like piped traffic being dropped on re-entry - confirm which one_pass value
# this ruleset expects.
net.inet.ip.fw.one_pass=0
net.inet.ip.dummynet.hash_size=256
# IP forwarding; gateway_enable="YES" in rc.conf sets the same sysctl.
net.inet.ip.forwarding=1
#for mpd
net.graph.maxdgram=128000
net.graph.recvspace=128000
%cat /boot/loader.conf
kern.maxdsiz="1G"
kern.dfldsiz="1G"
# HTTP accept filter for apache22 (enabled in rc.conf).
accf_http_load="YES"
# NOTE(review): the BILLY kernel is built with options IPDIVERT and DUMMYNET,
# so these two module loads are redundant.
ipdivert_load="YES"
dummynet_load="YES"
#mpd
kern.ipc.nmbclusters=16384
kern.ipc.maxsockets=16384
net.graph.maxalloc=2048
kern.maxusers=512
kern.ipc.maxpipekva=32000000
%ps ax | grep perl
2188 ?? S< 0:55.21 perl nol2auth.pl (perl5.10.1)
2189 ?? S< 0:56.46 perl nodeny.pl (perl5.10.1)
2190 ?? S< 0:13.60 perl noserver.pl (perl5.10.1)
26390 0 S+ 0:00.00 grep perl
%ps ax | grep ipcad
1996 ?? I<s 0:00.59 /usr/local/bin/ipcad -rds -c /usr/local/etc/ipcad.conf
26392 0 S+ 0:00.00 grep ipcad
%cat /etc/pf.conf
# State table ceiling; "aggressive" makes pf expire states sooner.
set limit states 128000
set optimization aggressive
# Source NAT for the WiFi client subnet (vlan316). Translating to the
# interface name expands to every address on bge0 - "pfctl -sn" shows
# { 212.1.102.12, 212.1.102.23 } round-robin - so a client's public source
# address can differ from connection to connection.
# NOTE(review): if a stable per-client source address is wanted, pf's
# sticky-address pool option is the usual fix - verify this is intended.
# NOTE(review): the tcpdump on bge0 further down shows 10.10.25.3 untranslated
# on the outside interface; "pfctl -vvsn" (rule counters) and "pfctl -ss"
# would confirm whether this NAT rule is matching at all.
nat on bge0 from 10.10.25.0/24 to any -> bge0
# pf does no filtering on this host; all filtering and shaping is done by ipfw.
pass quick all
%sudo pfctl -sn
nat on bge0 inet from 10.10.25.0/24 to any -> { 212.1.102.12, 212.1.102.23 } round-robin
%sudo ipfw table all list
---table(0)---
10.10.25.3/32 0
---table(1)---
10.10.25.3/32 0
---table(2)---
10.10.25.2/32 0
10.10.25.3/32 0
---table(10)---
10.10.25.3/32 1004
---table(11)---
10.10.25.3/32 1005
---table(15)---
10.10.25.3/32 0
---table(20)---
10.10.25.3/32 1004
---table(21)---
10.10.25.3/32 1005
---table(120)---
172.16.0.0/16 0
172.17.0.0/16 0
172.18.0.0/16 0
172.19.0.0/16 0
172.20.0.0/16 0
172.21.0.0/16 0
172.22.0.0/16 0
172.23.0.0/16 0
172.24.0.0/16 0
172.25.0.0/16 0
172.26.0.0/16 0
172.27.0.0/16 0
172.28.0.0/16 0
172.30.0.0/16 0
172.31.0.0/16 0
172.32.0.0/16 0
192.168.0.0/16 0
224.0.0.0/4 0
%sudo ipfw show
00010 0 0 deny ip from table(40) to any
00011 0 0 deny ip from any to table(40)
00020 0 0 deny ip from table(120) to any
00021 1 56 deny ip from any to table(120)
00050 435 25512 allow tcp from any to me dst-port 22
00051 1373 232952 allow tcp from me 22 to any
00100 0 0 deny tcp from any to any dst-port 445
00110 0 0 allow ip from any to any via lo0
00120 136 37451 skipto 1000 ip from me to any
00130 0 0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00160 149 26572 skipto 2000 ip from any to me
00200 4 1312 skipto 500 ip from any to any via bge0
00300 902 64263 skipto 4500 ip from any to any in
00400 0 0 skipto 450 ip from any to any recv bge0
00420 0 0 divert 1 ip from any to any
00450 0 0 divert 2 ip from any to any
00490 0 0 allow ip from any to any
00500 4 1312 skipto 32500 ip from any to any in
00510 0 0 divert 1 ip from any to any
00540 0 0 allow ip from any to any
01000 0 0 allow udp from any 53,7723 to any
01010 0 0 allow tcp from any to any setup keep-state
01020 0 0 allow udp from any to any keep-state
01100 136 37451 allow ip from any to any
02000 0 0 check-state
02010 2 128 allow icmp from any to any
02020 147 26444 allow tcp from any to any dst-port 80,443
02050 0 0 deny ip from any to any via bge0
02060 0 0 allow udp from any to any dst-port 53,7723
02100 0 0 deny ip from any to any
05000 3 959 deny ip from not table(0) to any
05001 0 0 skipto 5010 ip from table(127) to table(126)
05002 899 63304 skipto 5030 ip from any to not table(2)
05003 0 0 deny ip from any to not table(1)
05004 0 0 pipe tablearg ip from table(21) to any
05005 0 0 deny ip from any to any
05010 0 0 pipe tablearg ip from table(127) to any
05030 0 0 deny tcp from table(15) to any dst-port 25
05400 899 63304 pipe tablearg ip from table(11) to any
32000 899 63304 deny ip from any to any
32490 0 0 deny ip from any to any
33000 0 0 pipe tablearg ip from table(126) to table(127)
33001 4 1312 skipto 33010 ip from not table(2) to any
33002 0 0 pipe tablearg ip from any to table(20)
33003 0 0 deny ip from any to any
33400 0 0 pipe tablearg ip from any to table(10)
65535 4 1312 deny ip from any to any
IPCAD збирав з портів.
%cat /usr/local/etc/ipcad.conf
capture-ports enable;
# Packets arrive through the ipfw "divert 1"/"divert 2" rules (00420, 00450,
# 00510 in "ipfw show"). Those rules currently report 0 packets and ipcad
# reports "Flow entries made: 0", so nothing reaches the divert sockets yet -
# presumably the skipto rules ahead of them take the traffic elsewhere.
interface divert port 1 netflow-disable;
interface divert port 2 netflow-disable;
# rsh control channel bound to loopback only; root on 127.0.0.1 gets admin.
rsh enable at 127.0.0.1;
rsh root@127.0.0.1 admin;
rsh ttl = 3;
rsh timeout = 30;
# Relative path, so the dump lands inside the chroot directory below.
dumpfile = ipcad.dump;
# NOTE(review): /tmp is world-writable; a dedicated directory for the chroot
# and dump file would keep other local users away from the accounting data.
chroot = /tmp;
memory_limit = 50m;
%sudo rsh localhost show ip acco
Source Destination Packets Bytes SrcPt DstPt Proto IF
Accounting data age is 0
Accounting data age exact 4
Accounting data saved 1323766350
Interface 2: received ??, 5 m average 0 bytes/sec, 0 pkts/sec, dropped ??
Interface 1: received ??, 5 m average 0 bytes/sec, 0 pkts/sec, dropped ??
Flow entries made: 0
Memory usage: 0% (0 from 52428800)
Free slots for rsh clients: 9
IPCAD uptime is 16:50
billy.lutsk.ukrpack.net uptime is 16:51
tcpdump -i bge0
10:38:14.621718 IP 10.10.25.3 > 81.176.66.163: ICMP echo request, id 302, seq 1033, length 64
10:38:15.622631 IP 10.10.25.3 > 81.176.66.163: ICMP echo request, id 302, seq 1034, length 64
При "ipfw add 161 allow ip from any to any" інет на клієнті з'являється.
40-ва таблиця використовується для bruteblock. зручна штучка.
divert на tee пробував міняти. Ситуація не змінилась.
є в кого якісь ідеї?