uchenik
NoDeny
Пользователь
« : 02 Сентября 2010, 18:43:09 » |
Установлена фря 7.2 р7, NoDeny 49.32.4, вроде бы всё в норме: захожу в админку, создаю клиента, авторизуюсь, а инета нет. Пересмотрел все конфиги, голова кипит, не могу понять, в чём причина — помогите.
rc.conf
gateway_enable="YES"
hostname="kommunar.localdomain"
ifconfig_vr0="DHCP"
ifconfig_rl0="inet 172.16.1.199/24"
keymap="ru.koi8-r"
keyrate="normal"
mousechar_start="3"
saver="daemon"
scrnmap="koi8-r2cp866"
sshd_enable="YES"
defaultrouter="192.168.0.2"
sendmail_enable="NO"
fsck_y_enable="YES"
background_fsck="NO"
mysql_enable="YES"
apache22_enable="YES"
firewall_enable="YES"
nodeny_enable="YES"
nol2auth_enable="YES"
noserver_enable="YES"
pf_enable="YES"
ipcad_enable="YES"
radiusd_enable="YES"
named_enable="YES"
rc.firewall
#!/bin/sh -
# /etc/rc.firewall as posted in the thread: the ipfw rule set for the NoDeny
# gateway. Rules are grouped into numbered sections reached with skipto.
# The skipto targets 4500 and 32500 are not defined in this file; the
# "ipfw show" output later in the thread has rules at 5000-5400 and
# 33000-33400, presumably added by the billing daemon at runtime.
f='/sbin/ipfw'
# Uplink interface; every other interface is treated as the client side.
ifOut='vr0'
# Drop the existing rule set before loading this one.
${f} -f flush
# SSH to/from this host. "from any" with no interface qualifier also matches
# on ${ifOut}, i.e. SSH is reachable from the uplink side.
# NOTE(review): restricting the source to a management network would be safer.
${f} add 50 allow tcp from any to me 22
${f} add 51 allow tcp from me 22 to any
# Loopback traffic.
${f} add 110 allow ip from any to any via lo0
# Traffic originating from this host -> section 1000.
${f} add 120 skipto 1000 ip from me to any
# Drop inbound ICMP redirect (5), router advertisement (9), timestamp
# (13/14), information (15/16) and address-mask (17) messages.
${f} add 130 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
# Traffic addressed to this host -> section 2000.
${f} add 160 skipto 2000 ip from any to me
# Forwarded traffic crossing the uplink (in or out) -> section 500.
${f} add 200 skipto 500 ip from any to any via ${ifOut}
# Forwarded traffic entering on a client interface -> 4500 (not defined here).
${f} add 300 skipto 4500 ip from any to any in
# What is left is traffic leaving on a client interface. Packets that were
# received on the uplink go to divert port 2, everything else to divert
# port 1; the ipcad.conf quoted later in the thread listens on divert ports
# 1 and 2, so this is where traffic accounting presumably happens.
${f} add 400 skipto 450 ip from any to any recv ${ifOut}
${f} add 420 divert 1 ip from any to any
${f} add 450 divert 2 ip from any to any
${f} add 490 allow ip from any to any
# Section 500: traffic via the uplink. Inbound -> 32500 (not defined here);
# outbound is sent to divert port 1 and then passed.
${f} add 500 skipto 32500 ip from any to any in
${f} add 510 divert 1 ip from any to any
${f} add 540 allow ip from any to any
# Section 1000: traffic from this host. UDP sent with source port 53 or 7723
# (7723 presumably a NoDeny service port; the thread does not say) passes
# statelessly; other TCP/UDP creates dynamic rules that check-state in
# section 2000 matches; everything else from this host is allowed.
${f} add 1000 allow udp from any 53,7723 to any
${f} add 1010 allow tcp from any to any setup keep-state
${f} add 1020 allow udp from any to any keep-state
${f} add 1100 allow ip from any to any
# Section 2000: traffic to this host. ICMP and TCP 80,443 are accepted
# before the "deny via ${ifOut}" rule, so they are reachable from the
# uplink as well; UDP 53,7723 is only reachable from client interfaces.
${f} add 2000 check-state
${f} add 2010 allow icmp from any to any
${f} add 2020 allow tcp from any to any 80,443
${f} add 2050 deny ip from any to any via ${ifOut}
${f} add 2060 allow udp from any to any 53,7723
${f} add 2100 deny ip from any to any
# Final deny. NOTE(review): skipto 32500 lands on the first rule numbered
# >= 32500, which in the "ipfw show" output is 33000, so this rule is not
# on that path.
${f} add 32490 deny ip from any to any
в логах nodeny пишет 01.09.2010 14:53:55 kernel: ! ====== - СТАРТ ЯДРА NODENY - ====== 01.09.2010 14:53:55 kernel: 2 записей в базе и 0 доступ в инет блокирован, 1 не нужна авторизация 01.09.2010 14:53:55 kernel: Для 1 записей включен режим детального сохранения трафика.
« Последнее редактирование: 02 Сентября 2010, 18:44:45 от uchenik »
versus
« Ответ #1 : 02 Сентября 2010, 19:57:39 » |
ДХЦП на канале в инет ?? Конфиг ната дай, покажи что в 10 таблице файрвола.
uchenik
NoDeny
Пользователь
« Ответ #2 : 02 Сентября 2010, 20:25:24 » |
ifconfig[root@kommunar ~]# ifconfig rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8<VLAN_MTU> ether 00:30:84:25:7a:0a inet 172.16.1.199 netmask 0xffffff00 broadcast 172.16.1.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC> ether 00:13:8f:34:18:f4 inet 192.168.0.102 netmask 0xffffff00 broadcast 192.168.0.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 inet 127.0.0.1 netmask 0xff000000 pfsync0: flags=0<> metric 0 mtu 1460 syncpeer: 224.0.0.240 maxupd: 128 pflog0: flags=0<> metric 0 mtu 33204 [root@kommunar ~]#
ipfw show[root@kommunar ~]# ipfw show 00050 4556 334542 allow tcp from any to me dst-port 22 00051 5530 4311924 allow tcp from me 22 to any 00110 170452 10578622 allow ip from any to any via lo0 00120 1593 772001 skipto 1000 ip from me to any 00130 0 0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17 00160 1477 225939 skipto 2000 ip from any to me 00200 833 122675 skipto 500 ip from any to any via vr0 00300 153 11934 skipto 4500 ip from any to any in 00400 0 0 skipto 450 ip from any to any recv vr0 00420 0 0 divert 1 ip from any to any 00450 0 0 divert 2 ip from any to any 00490 0 0 allow ip from any to any 00500 833 122675 skipto 32500 ip from any to any in 00510 0 0 divert 1 ip from any to any 00540 0 0 allow ip from any to any 01000 475 30694 allow udp from any 53,7723 to any 01010 82 68631 allow tcp from any to any setup keep-state 01020 94 9718 allow udp from any to any keep-state 01100 1030 735712 allow ip from any to any 02000 0 0 check-state 02010 56 4200 allow icmp from any to any 02020 841 127156 allow tcp from any to any dst-port 80,443 02050 13 628 deny ip from any to any via vr0 02060 479 21201 allow udp from any to any dst-port 53,7723 02100 0 0 deny ip from any to any 05000 48 3744 deny ip from not table(0) to any 05001 0 0 skipto 5010 ip from table(127) to table(126) 05002 105 8190 skipto 5030 ip from any to not table(2) 05003 0 0 deny ip from any to not table(1) 05004 0 0 pipe tablearg ip from table(21) to any 05005 0 0 deny ip from any to any 05010 0 0 pipe tablearg ip from table(127) to any 05030 0 0 deny tcp from table(15) to any dst-port 25 05400 105 8190 pipe tablearg ip from table(11) to any 32000 0 0 deny ip from any to any 32490 0 0 deny ip from any to any 33000 0 0 pipe tablearg ip from table(126) to table(127) 33001 833 122675 skipto 33010 ip from not table(2) to any 33002 0 0 pipe tablearg ip from any to table(20) 33003 0 0 deny ip from any to any 33400 0 0 pipe tablearg ip from any to table(10) 65535 836 123457 allow ip from 
any to any
ipfw table 10 list[root@kommunar /usr/local/etc]# ipfw table 10 list 172.16.0.0/16 0
ps ax|grep ipcad[root@kommunar /usr/local/etc]# ps ax|grep ipcad 1009 ?? I<s 0:04.56 /usr/local/bin/ipcad -rds -c /usr/local/etc/ipcad.conf
ps ax|grep nodeny.pl[root@kommunar /usr/local/etc]# ps ax|grep nodeny.pl 8439 ?? S< 1:55.76 perl nodeny.pl (perl5.8.9)
ps ax|grep noserver.pl[root@kommunar /usr/local/etc]# ps ax|grep noserver.pl 1138 ?? S< 0:32.96 perl noserver.pl (perl5.8.9) Пинг от сервера на 8.8.8.8[root@kommunar /usr/local/etc]# ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=50.987 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=57.776 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=64.445 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=61.190 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=61.414 ms 64 bytes from 8.8.8.8: icmp_seq=5 ttl=56 time=57.629 ms 64 bytes from 8.8.8.8: icmp_seq=6 ttl=56 time=69.891 ms 64 bytes from 8.8.8.8: icmp_seq=7 ttl=56 time=65.305 ms 64 bytes from 8.8.8.8: icmp_seq=8 ttl=56 time=62.958 ms
Пинг от сервера на ya.ru[root@kommunar ~]# ping ya.ru PING ya.ru (87.250.251.3): 56 data bytes 64 bytes from 87.250.251.3: icmp_seq=0 ttl=55 time=41.776 ms 64 bytes from 87.250.251.3: icmp_seq=1 ttl=55 time=39.968 ms 64 bytes from 87.250.251.3: icmp_seq=2 ttl=55 time=39.403 ms 64 bytes from 87.250.251.3: icmp_seq=3 ttl=55 time=41.598 ms 64 bytes from 87.250.251.3: icmp_seq=4 ttl=55 time=40.466 ms 64 bytes from 87.250.251.3: icmp_seq=5 ttl=55 time=39.437 ms 64 bytes from 87.250.251.3: icmp_seq=6 ttl=55 time=39.677 ms Пинг от клиента на айпи сервера[root@kommunar ~]# ping 172.16.1.199 PING 172.16.1.199 (172.16.1.199): 56 data bytes 64 bytes from 172.16.1.199: icmp_seq=0 ttl=64 time=0.137 ms 64 bytes from 172.16.1.199: icmp_seq=1 ttl=64 time=0.090 ms 64 bytes from 172.16.1.199: icmp_seq=2 ttl=64 time=0.087 ms 64 bytes from 172.16.1.199: icmp_seq=3 ttl=64 time=0.088 ms 64 bytes from 172.16.1.199: icmp_seq=4 ttl=64 time=0.074 ms 64 bytes from 172.16.1.199: icmp_seq=5 ttl=64 time=0.090 ms
Пинг от клиента на 8.8.8.8[root@kommunar ~]# ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=42.110 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=48.130 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=48.978 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=39.863 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=39.451 ms 64 bytes from 8.8.8.8: icmp_seq=5 ttl=56 time=38.774 ms
пинг от клиента на ya.ru[root@kommunar ~]# ping ya.ru PING ya.ru (87.250.250.3): 56 data bytes 64 bytes from 87.250.250.3: icmp_seq=0 ttl=55 time=39.939 ms 64 bytes from 87.250.250.3: icmp_seq=1 ttl=55 time=39.101 ms 64 bytes from 87.250.250.3: icmp_seq=2 ttl=55 time=38.977 ms 64 bytes from 87.250.250.3: icmp_seq=3 ttl=55 time=39.662 ms 64 bytes from 87.250.250.3: icmp_seq=4 ttl=55 time=38.867 ms
pfctl -s nat[root@kommunar ~]# pfctl -s nat nat pass on vr0 inet from 172.16.0.0/16 to any -> 192.168.0.102
cat /etc/pf.conf[root@kommunar ~]# cat /etc/pf.conf set limit states 128000 set optimization aggressive #nat pass on em0 from 10.0.0.0/8 to any -> em0 nat pass on vr0 from 172.16.1.0/16 to any -> vr0 не подскажете, почему в pf.conf — 172.16.1.0/16, а в pfctl -s nat — 172.16.0.0/16? cat /etc/rc.conf |grep pf[root@kommunar ~]# cat /etc/rc.conf |grep pf pf_enable="YES"
uchenik
NoDeny
Пользователь
« Ответ #3 : 02 Сентября 2010, 20:26:49 » |
ДХЦП инет
uchenik
NoDeny
Пользователь
« Ответ #4 : 02 Сентября 2010, 20:51:39 » |
ipfw table 10 list[root@kommunar ~]# ipfw table 10 list 172.16.1.2/32 1008
smallcms
NoDeny
Старожил
« Ответ #5 : 02 Сентября 2010, 21:27:38 » |
а я не понял зачем серверу dhcp. его владелец разве тупой как юзеры, чтобы работать от dhcp?
uchenik
NoDeny
Пользователь
« Ответ #6 : 02 Сентября 2010, 21:34:46 » |
лучше бы что-нибудь умное подсказал
uchenik
NoDeny
Пользователь
« Ответ #7 : 02 Сентября 2010, 21:39:49 » |
в pf.conf set limit states 128000 set optimization aggressive #nat pass on em0 from 10.0.0.0/8 to any -> em0 nat pass on vr0 from 172.16.1.0/16 to any -> vr0
почему тогда
[root@kommunar ~]# pfctl -sn nat pass on vr0 inet from 172.16.0.0/16 to any -> 192.168.0.102
где я ошибся
uchenik
NoDeny
Пользователь
« Ответ #8 : 02 Сентября 2010, 21:46:12 » |
pfctl -sa[root@kommunar ~]# pfctl -sa TRANSLATION RULES: nat pass on vr0 inet from 172.16.0.0/16 to any -> 192.168.0.102
FILTER RULES: No queue in use
INFO: Status: Enabled for 0 days 01:16:41 Debug: Urgent
State Table Total Rate current entries 0 searches 11908 2.6/s inserts 0 0.0/s removals 0 0.0/s Counters match 11908 2.6/s bad-offset 0 0.0/s fragment 0 0.0/s short 0 0.0/s normalize 0 0.0/s memory 0 0.0/s bad-timestamp 0 0.0/s congestion 0 0.0/s ip-option 37 0.0/s proto-cksum 0 0.0/s state-mismatch 0 0.0/s state-insert 0 0.0/s state-limit 0 0.0/s src-limit 0 0.0/s synproxy 0 0.0/s
TIMEOUTS: tcp.first 30s tcp.opening 5s tcp.established 18000s tcp.closing 60s tcp.finwait 30s tcp.closed 30s tcp.tsdiff 10s udp.first 60s udp.single 30s udp.multiple 60s icmp.first 20s icmp.error 10s other.first 60s other.single 30s other.multiple 60s frag 30s interval 10s adaptive.start 76800 states adaptive.end 153600 states src.track 0s
LIMITS: states hard limit 128000 src-nodes hard limit 10000 frags hard limit 5000 tables hard limit 1000 table-entries hard limit 200000
OS FINGERPRINTS: 696 fingerprints loaded [root@kommunar ~]#
Cell
NoDeny
Спец
« Ответ #9 : 03 Сентября 2010, 06:17:04 » |
Ты ошибся в том что 16 маску выдал на маскарад, что-то мне подсказывает, что она тебе понадобится лет через 100. поставь маску 24 и ты заметишь разницу )
versus
« Ответ #10 : 03 Сентября 2010, 09:39:02 » |
меня, конечно, смущает дхцп на аплинке, но ещё больше смущает, что трафика на дивертах нет
00420 0 0 divert 1 ip from any to any 00450 0 0 divert 2 ip from any to any
Модуль ipdivert запущен в ядре? Или ты нам файрвол показал до авторизации пользователя и попыток получить с него инет?
uchenik
NoDeny
Пользователь
« Ответ #11 : 13 Сентября 2010, 17:18:57 » |
Прошу помощи не могу никак разобраться, переустановил фрю и биллинг,а инета на машине клиента так и нет. вылаживаю ещё раз все конфиги [elhan@kommunar ~]$ ifconfig rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8<VLAN_MTU> ether 00:30:84:25:7a:0a inet 10.0.0.1 netmask 0xffffe100 broadcast 10.0.30.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active ste0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=2008<VLAN_MTU,WOL_MAGIC> ether 00:26:18:ec:1c:31 media: Ethernet autoselect vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC> ether 00:13:8f:34:18:f4 inet 192.168.0.102 netmask 0xffffff00 broadcast 192.168.0.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500 pflog0: flags=0<> metric 0 mtu 33204 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 inet 127.0.0.1 netmask 0xff000000 pfsync0: flags=0<> metric 0 mtu 1460 syncpeer: 224.0.0.240 maxupd: 128
[elhan@kommunar ~]$ cat /etc/rc.firewall #!/bin/sh - f='/sbin/ipfw'
# Continuation of the /etc/rc.firewall listing started on the line above,
# which sets f='/sbin/ipfw'. Same rule set as in the first post of the thread;
# sections are reached with skipto, and the targets 4500 and 32500 are not
# defined here (the "ipfw show" output below has 5000-5400 and 33000-33400,
# presumably added by the billing daemon).
# Uplink interface; every other interface is treated as the client side.
ifOut='vr0'
# Drop the existing rule set before loading this one.
${f} -f flush
# SSH to/from this host; no interface qualifier, so also reachable on ${ifOut}.
# NOTE(review): restricting the source to a management network would be safer.
${f} add 50 allow tcp from any to me 22
${f} add 51 allow tcp from me 22 to any
# Loopback; traffic from this host -> 1000; drop inbound ICMP redirect (5),
# router advertisement (9), timestamp (13/14), information (15/16) and
# address-mask (17); traffic to this host -> 2000.
${f} add 110 allow ip from any to any via lo0
${f} add 120 skipto 1000 ip from me to any
${f} add 130 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${f} add 160 skipto 2000 ip from any to me
# Forwarded traffic crossing the uplink -> section 500.
${f} add 200 skipto 500 ip from any to any via ${ifOut}
# Forwarded traffic entering on a client interface -> 4500 (not defined here).
${f} add 300 skipto 4500 ip from any to any in
# Traffic leaving on a client interface: received on the uplink -> divert
# port 2, otherwise divert port 1 (the ipcad.conf quoted below listens on
# divert ports 1 and 2), then pass.
${f} add 400 skipto 450 ip from any to any recv ${ifOut}
${f} add 420 divert 1 ip from any to any
${f} add 450 divert 2 ip from any to any
${f} add 490 allow ip from any to any
# Section 500: via the uplink. Inbound -> 32500 (not defined here);
# outbound goes to divert port 1, then pass.
${f} add 500 skipto 32500 ip from any to any in
${f} add 510 divert 1 ip from any to any
${f} add 540 allow ip from any to any
# Section 1000: from this host. UDP with source port 53/7723 passes
# statelessly; other TCP/UDP creates dynamic rules; the rest is allowed.
${f} add 1000 allow udp from any 53,7723 to any
${f} add 1010 allow tcp from any to any setup keep-state
${f} add 1020 allow udp from any to any keep-state
${f} add 1100 allow ip from any to any
# Section 2000: to this host. ICMP and TCP 80,443 are accepted before the
# "deny via ${ifOut}" rule, so they are reachable from the uplink too;
# UDP 53,7723 only from client interfaces.
${f} add 2000 check-state
${f} add 2010 allow icmp from any to any
${f} add 2020 allow tcp from any to any 80,443
${f} add 2050 deny ip from any to any via ${ifOut}
${f} add 2060 allow udp from any to any 53,7723
${f} add 2100 deny ip from any to any
# Final deny; note skipto 32500 lands on the first rule >= 32500 (33000 in
# the "ipfw show" output), so it does not pass through here.
${f} add 32490 deny ip from any to any
[root@kommunar /home/elhan]# ipfw show 00050 1428 111862 allow tcp from any to me dst-port 22 00051 1924 246716 allow tcp from me 22 to any 00110 67500 4190138 allow ip from any to any via lo0 00120 486 31642 skipto 1000 ip from me to any 00130 0 0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17 00160 490 25418 skipto 2000 ip from any to me 00200 30 8355 skipto 500 ip from any to any via vr0 00300 24 1872 skipto 4500 ip from any to any in 00400 0 0 skipto 450 ip from any to any recv vr0 00420 0 0 divert 1 ip from any to any 00450 0 0 divert 2 ip from any to any 00490 0 0 allow ip from any to any 00500 30 8355 skipto 32500 ip from any to any in 00510 0 0 divert 1 ip from any to any 00540 0 0 allow ip from any to any 01000 444 28819 allow udp from any 53,7723 to any 01010 0 0 allow tcp from any to any setup keep-state 01020 84 8382 allow udp from any to any keep-state 01100 0 0 allow ip from any to any 02000 0 0 check-state 02010 0 0 allow icmp from any to any 02020 0 0 allow tcp from any to any dst-port 80,443 02050 0 0 deny ip from any to any via vr0 02060 448 19859 allow udp from any to any dst-port 53,7723 02100 0 0 deny ip from any to any 05000 0 0 deny ip from not table(0) to any 05001 0 0 skipto 5010 ip from table(127) to table(126) 05002 24 1872 skipto 5030 ip from any to not table(2) 05003 0 0 deny ip from any to not table(1) 05004 0 0 pipe tablearg ip from table(21) to any 05005 0 0 deny ip from any to any 05010 0 0 pipe tablearg ip from table(127) to any 05030 0 0 deny tcp from table(15) to any dst-port 25 05400 24 1872 pipe tablearg ip from table(11) to any 32000 0 0 deny ip from any to any 32490 0 0 deny ip from any to any 33000 0 0 pipe tablearg ip from table(126) to table(127) 33001 30 8355 skipto 33010 ip from not table(2) to any 33002 0 0 pipe tablearg ip from any to table(20) 33003 0 0 deny ip from any to any 33400 0 0 pipe tablearg ip from any to table(10) 65535 30 8355 deny ip from any to any
[root@kommunar /home/elhan]# ipfw table 10 list 10.0.0.4/32 1004
[root@kommunar /home/elhan]# ps ax|grep ipcad 1222 ?? I<s 0:00.68 /usr/local/bin/ipcad -rds -c /usr/local/etc/ipcad.con
[root@kommunar /home/elhan]# ps ax|grep nodeny.pl 1318 ?? S< 1:07.23 perl nodeny.pl (perl5.10.1)
[root@kommunar /home/elhan]# ps ax|grep noserver.pl 1317 ?? S< 0:12.28 perl noserver.pl (perl5.10.1)
[root@kommunar /home/elhan]# ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=42.168 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=39.208 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=39.685 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=40.163 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=38.773 ms 64 bytes from 8.8.8.8: icmp_seq=5 ttl=56 time=38.844 ms 64 bytes from 8.8.8.8: icmp_seq=6 ttl=56 time=39.363 ms 64 bytes from 8.8.8.8: icmp_seq=7 ttl=56 time=39.359 ms 64 bytes from 8.8.8.8: icmp_seq=8 ttl=56 time=38.655 ms
[root@kommunar /home/elhan]# ping ya.ru PING ya.ru (87.250.250.3): 56 data bytes 64 bytes from 87.250.250.3: icmp_seq=0 ttl=55 time=46.676 ms 64 bytes from 87.250.250.3: icmp_seq=1 ttl=55 time=46.326 ms 64 bytes from 87.250.250.3: icmp_seq=2 ttl=55 time=47.591 ms 64 bytes from 87.250.250.3: icmp_seq=3 ttl=55 time=46.650 ms 64 bytes from 87.250.250.3: icmp_seq=4 ttl=55 time=38.116 ms 64 bytes from 87.250.250.3: icmp_seq=5 ttl=55 time=38.304 ms
[root@kommunar /home/elhan]# ping 10.0.0.1 PING 10.0.0.1 (10.0.0.1): 56 data bytes 64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=0.113 ms 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.091 ms 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.085 ms 64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.088 ms 64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.089 ms 64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.091 ms
[root@kommunar /home/elhan]# pfctl -s nat No ALTQ support in kernel ALTQ related functions disabled nat pass on vr0 inet from 10.0.0.0/24 to any -> (vr0) round-robin
[root@kommunar /home/elhan]# cat /etc/pf.conf set limit states 128000 set optimization aggressive scrub out all random-id max-mss 1440 nat pass on vr0 from 10.0.0.0/24 to any -> (vr0)
[root@kommunar /home/elhan]# cat /etc/rc.conf |grep pf pf_enable="YES"
[root@kommunar /home/elhan]# cat /boot/loader.conf pf_load="YES" ipfw_load="YES" ipdivert_load="YES" dummynet_load="YES"
stix
NoDeny
Спец
Nodeny Support Team
« Ответ #12 : 13 Сентября 2010, 18:24:17 » |
ipcad поставил?
uchenik
NoDeny
Пользователь
« Ответ #13 : 13 Сентября 2010, 20:40:54 » |
Поставил [root@kommunar /home/elhan]# ps ax|grep ipcad 1222 ?? I<s 0:00.68 /usr/local/bin/ipcad -rds -c /usr/local/etc/ipcad.con
[root@kommunar /home/elhan]# cat /usr/local/etc/ipcad.conf capture-ports enable; interface divert port 1 netflow-disable; interface divert port 2 netflow-disable; rsh enable at 127.0.0.1; rsh root@127.0.0.1 admin; rsh ttl = 3; rsh timeout = 30; dumpfile = ipcad.dump; chroot = /tmp; memory_limit = 50m;
« Последнее редактирование: 13 Сентября 2010, 20:46:49 от uchenik »
stix
NoDeny
Спец
Nodeny Support Team
« Ответ #14 : 13 Сентября 2010, 20:52:43 » |
на счётчиках диверта должны быть пакеты, что-то не доставил