Здравствуйте. Подскажите, как сделать прохождение нужных мне портов, я не знаю, как это сделать.
Пользователи работают через Squid. Настройки прокси-сервера (т.е. адрес и порт) подставляются при помощи DHCP, в настройках браузера ставлю галочку «автоматическое определение параметров». Работает Sams2: когда заканчивается трафик, он пользователя отключает.
При этом не работают почтовые клиенты, т.е. не работает ничего, кроме http и https.
Помогите, пожалуйста, кто чем может. Конфиг IPFW:
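#!/bin/sh
# IPFW ruleset for a FreeBSD gateway that fronts a LAN with a Squid proxy.
#
# Interfaces: $int is the LAN side, $ext the uplink.  Every rule is added with
# "/sbin/ipfw -q add <number> ..." after a full flush, so re-running the script
# rebuilds the whole set; rule numbers only fix the evaluation order.
#
# NOTE(review): there is no "nat" rule in this set.  Hosts in $inlan that use
# the mail ports opened at 1510-1580 would leave $ext with a private source
# address, so those rules cannot carry LAN mail traffic until NAT is configured
# ("ipfw nat" plus a nat rule, as suggested further down the thread).
#
# NOTE(review): rule 700 ("established") matches every TCP segment with ACK or
# RST set, independent of the dynamic state table, so it admits far more than
# replies to the keep-state rules.  The non-stateful rules (1100, 1110, 1120,
# 1510-1580) rely on it for return traffic; tightening it means turning those
# rules into "setup keep-state" first.
#
# $cmd is deliberately unquoted below: it expands to the command plus options.
# shellcheck disable=SC2086

int="em0"
ext="em1"
cmd="/sbin/ipfw -q add"
ks="keep-state"
extip="193.94.78.154"
# Addresses kept for reference; no rule below uses them yet.
inip="192.168.0.249"
inlan="192.168.0.0/25"
exlan="193.94.78.150/30"
dns="8.8.8.8"

# Drop every rule and zero the counters before rebuilding the set.
/sbin/ipfw -f flush
/sbin/ipfw zero

# Consult the dynamic state table before any static rule.
$cmd 0010 check-state

# Loopback: allow lo0, refuse 127/8 on any other interface.
$cmd 100 allow all from any to any via lo0
$cmd 200 deny all from any to 127.0.0.0/8
$cmd 300 deny all from 127.0.0.0/8 to any

# See the NOTE on rule 700 in the header.
$cmd 700 allow tcp from any to any established
# The gateway's own outbound traffic.
$cmd 710 allow ip from $extip to any out xmit $ext
# Stateful outbound HTTPS and LAN-side SSH.
$cmd 750 allow tcp from any to any 443 out via $ext setup $ks
$cmd 800 allow tcp from any to any 22 via $int setup $ks
# DNS over UDP in both directions on the uplink.
$cmd 900 allow udp from any to any 53 via $ext
$cmd 1000 allow udp from any 53 to any via $ext
#$cmd 1050 allow udp from any to any in via $int
# HTTP on the LAN side (already covered by 1300 below, kept as written).
$cmd 1100 allow tcp from any to any 80 via $int
# Outbound SMTP and POP3; not stateful, replies come back through rule 700.
$cmd 1110 allow tcp from any to any 25 out via $ext
$cmd 1120 allow tcp from any to any 110 out via $ext
# ICMP echo reply (0), echo request (8) and time exceeded (11).
$cmd 1200 allow icmp from any to any icmptypes 0,8,11

# The LAN side is fully open for TCP, UDP and ICMP.
$cmd 1300 allow tcp from any to any via $int
$cmd 1400 allow udp from any to any via $int
$cmd 1500 allow icmp from any to any via $int

# Mail ports on the uplink, both directions: IMAPS, POP3S, SMTPS, IMAP.
# (The original listed rule 1540 twice; the duplicate is removed.)
$cmd 1510 allow tcp from any to any 993 via $ext
$cmd 1520 allow tcp from any 993 to any via $ext
$cmd 1530 allow tcp from any to any 995 via $ext
$cmd 1540 allow tcp from any 995 to any via $ext
$cmd 1550 allow tcp from any to any 465 via $ext
$cmd 1560 allow tcp from any 465 to any via $ext
$cmd 1570 allow tcp from any to any 143 via $ext
$cmd 1580 allow tcp from any 143 to any via $ext

# Inbound noise on the uplink is dropped without logging (presumably to keep
# it out of the logged catch-all at 3000).  Each deny now has its own number;
# the original reused 1610 for three different ports.
# NOTE(review): NetBIOS name/datagram services (137, 138) also run over UDP,
# which these TCP-only rules do not cover; rule 3000 still drops them, but logs.
$cmd 1600 deny icmp from any to any in via $ext
$cmd 1610 deny tcp from any to any 137 in via $ext
$cmd 1620 deny tcp from any to any 138 in via $ext
$cmd 1630 deny tcp from any to any 139 in via $ext
$cmd 1640 deny tcp from any to any 81 in via $ext

# Everything else is dropped and logged, at most 1000 entries for this rule.
$cmd 3000 deny log logamount 1000 ip from any to any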
Варианты:
1) google://freebsd ipfw nat
2) нанять толкового сисадмина
> Варианты:
> 1) google://freebsd ipfw nat
> 2) нанять толкового сисадмина
Даже нечего добавить :)
> Здравствуйте. Покажите ipfw list, netstat -antu
>[оверквотинг удален]
> $cmd 1550 allow tcp from any to any 465 via $ext
> $cmd 1560 allow tcp from any 465 to any via $ext
> $cmd 1570 allow tcp from any to any 143 via $ext
> $cmd 1580 allow tcp from any 143 to any via $ext
> $cmd 1600 deny icmp from any to any in via $ext
> $cmd 1610 deny tcp from any to any 137 in via $ext
> $cmd 1620 deny tcp from any to any 138 in via $ext
> $cmd 1610 deny tcp from any to any 139 in via $ext
> $cmd 1610 deny tcp from any to any 81 in via $ext
> $cmd 3000 deny log logamount 1000 ip from any to any
>> Здравствуйте.
> Покажите ipfw list, netstat -antu
root@guest:/etc # ipfw list
00010 check-state
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00700 allow tcp from any to any established
00710 allow ip from 193.94.78.154 to any out xmit em1
00750 allow tcp from any to any dst-port 443 out via em1 setup keep-state
00800 allow tcp from any to any dst-port 22 via em0 setup keep-state
00900 allow udp from any to any dst-port 53 via em1
01000 allow udp from any 53 to any via em1
01100 allow tcp from any to any dst-port 80 via em0
01110 allow tcp from any to any dst-port 25 out via em1
01120 allow tcp from any to any dst-port 110 out via em1
01200 allow icmp from any to any icmptypes 0,8,11
01300 allow tcp from any to any via em0
01400 allow udp from any to any via em0
01500 allow icmp from any to any via em0
01510 allow tcp from any to any dst-port 993 via em1
01520 allow tcp from any 993 to any via em1
01530 allow tcp from any to any dst-port 995 via em1
01540 allow tcp from any 995 to any via em1
01550 allow tcp from any to any dst-port 465 via em1
01560 allow tcp from any 465 to any via em1
01570 allow tcp from any to any dst-port 143 via em1
01580 allow tcp from any 143 to any via em1
01600 deny icmp from any to any in via em1
01610 deny tcp from any to any dst-port 137 in via em1
01610 deny tcp from any to any dst-port 139 in via em1
01610 deny tcp from any to any dst-port 81 in via em1
01620 deny tcp from any to any dst-port 138 in via em1
03000 deny log logamount 1000 ip from any to any
65535 allow ip from any to any
>[оверквотинг удален]
> 00010 check-state
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00700 allow tcp from any to any established
> 00710 allow ip from 193.94.78.154 to any out xmit em1
> 00750 allow tcp from any to any dst-port 443 out via em1
> setup keep-state
> 00800 allow tcp from any to any dst-port 22 via em0 setup
> keep-state
У вас нет ната совсем...
Попробуйте ввести 4 команды с консоли из-под root:
# Put the LAN prefix into lookup table 100 so the nat rule can match on it.
/sbin/ipfw table 100 add 192.168.0.0/25
# NAT instance 100 bound to em1: log translations, reset the alias table when
# the interface address changes, keep source ports where possible, and
# translate only private (unregistered) source addresses.
/sbin/ipfw nat 100 config if em1 log reset same_ports unreg_only
# Outbound traffic from table 100 passes through NAT 100; the matching
# inbound rule 00351 for replies to the external address follows.
/sbin/ipfw add 00350 nat 100 all from table\(100\) to any out via em1
/sbin/ipfw add 00351 nat 100 all from any to 193.94.78.150 in via em1
>[оверквотинг удален]
> 01560 allow tcp from any 465 to any via em1
> 01570 allow tcp from any to any dst-port 143 via em1
> 01580 allow tcp from any 143 to any via em1
> 01600 deny icmp from any to any in via em1
> 01610 deny tcp from any to any dst-port 137 in via em1
> 01610 deny tcp from any to any dst-port 139 in via em1
> 01610 deny tcp from any to any dst-port 81 in via em1
> 01620 deny tcp from any to any dst-port 138 in via em1
> 03000 deny log logamount 1000 ip from any to any
> 65535 allow ip from any to any
> У вас нет ната совсем....
> Попробуйте ввести 4 комманды с консоли из под root...
> /sbin/ipfw table 100 add 192.168.0.0/25
> /sbin/ipfw nat 100 config if em1 log reset same_ports unreg_only
> /sbin/ipfw add 00350 nat 100 all from table\(100\) to any out via
> em1
> /sbin/ipfw add 00351 nat 100 all from any to 193.94.78.150 in via
> em1
Да, так НАТ работает, но тогда будет проходить всё, а мне нужно пропустить только http, https, imap, smtp, pop3.
>> У вас нет ната совсем....
>> Попробуйте ввести 4 комманды с консоли из под root...
>> /sbin/ipfw table 100 add 192.168.0.0/25
>> /sbin/ipfw nat 100 config if em1 log reset same_ports unreg_only
>> /sbin/ipfw add 00350 nat 100 all from table\(100\) to any out via
>> em1
>> /sbin/ipfw add 00351 nat 100 all from any to 193.94.78.150 in via
>> em1
> Да так НАТ работает, но тогда будет проходить все, а мне нужно
> пропустить только http, https, imap, smtp, pop3.
/sbin/ipfw add 65500 deny all from any to any
>> Да так НАТ работает, но тогда будет проходить все, а мне нужно
>> пропустить только http, https, imap, smtp, pop3.
> /sbin/ipfw add 65500 deny all from any to any
У меня стоит это правило под номером 03000, это разве не одно и то же?
03000 0 0 deny log logamount 1000 ip from any to any
Причём закрыть нужно со стороны локальной сети.
Может так?
${ipfw} add 02000 allow tcp from $локальная сеть to any 80, 21, 25, 53 keep-state
${ipfw} add 03000 deny ip from any to any
>[оверквотинг удален]
>> /sbin/ipfw add 65500 deny all from any to any
> У меня стоит это правило под номером 03000, это разве не одно
> и тоже?
> 03000 0 0 deny log logamount
> 1000 ip from any to any
> причем закрыть нужно со стороны локальной сети.
> Может так?
> ${ipfw} add 02000 allow tcp from $локальная сеть to any 80, 21,
> 25, 53 keep-state
> ${ipfw} add 03000 deny ip from any to any
Поднимаем нат,
проковыриваем дырки, которые нужны, с помощью allow,
{ipfw} add allow tcp from any to any established
{ipfw} add allow tcp from 192.168.0.0/25 to any 25,80,110,143,443,465,993,995
остальное запрещаем последним правилом: add 03000 deny ip from any to any
Без ната почта не полетит ))))
>> Здравствуйте.
> Покажите ipfw list, netstat -antu
root@guest:/etc # netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 guest.44003 topf8.l.smailru..http ESTABLISHED
tcp4 0 0 guest.26969 topf8.l.smailru..http ESTABLISHED
tcp4 0 0 guest.3128 192.168.0.78.3915 ESTABLISHED
tcp4 0 0 guest.3128 192.168.0.78.3913 ESTABLISHED
tcp4 0 0 guest.22832 top-fwz1.mail.ru.http ESTABLISHED
tcp4 0 0 guest.18527 top-fwz1.mail.ru.http ESTABLISHED
tcp4 0 0 guest.3128 192.168.0.78.3911 ESTABLISHED
tcp4 0 0 guest.3128 192.168.0.78.3910 ESTABLISHED
tcp4 0 0 guest.3128 192.168.0.78.3908 ESTABLISHED
tcp4 0 0 guest.3128 192.168.0.78.3905 ESTABLISHED
tcp4 0 0 guest.25153 opennet.ru.http ESTABLISHED
tcp4 0 0 guest.3128 192.168.0.78.3903 ESTABLISHED
tcp4 0 0 guest.59809 opennet.ru.http ESTABLISHED
tcp4 0 0 guest.3128 192.168.0.78.3901 ESTABLISHED
tcp4 0 0 guest.55051 82.145.215.17.https ESTABLISHED
tcp4 0 0 guest.3128 192.168.0.78.3895 TIME_WAIT
tcp4 0 0 guest.3128 192.168.0.78.3893 ESTABLISHED
tcp4 0 64 guest.ssh 192.168.0.78.3891 ESTABLISHED
tcp4 0 0 guest.3128 192.168.0.78.3877 TIME_WAIT
tcp4 0 0 guest.3128 192.168.0.78.3875 TIME_WAIT
tcp4 0 0 guest.3128 192.168.0.78.3867 TIME_WAIT
tcp4 0 0 guest.3128 192.168.0.78.3863 TIME_WAIT
tcp4 0 0 localhost.smtp *.* LISTEN
tcp4 0 0 *.http *.* LISTEN
tcp4 0 0 *.ssh *.* LISTEN
tcp6 0 0 *.ssh *.* LISTEN
tcp4 0 0 localhost.9000 *.* LISTEN
tcp4 0 0 *.mysql *.* LISTEN
tcp4 0 0 *.3128 *.* LISTEN
udp4 0 0 localhost.9999 *.*
udp4 0 0 *.51340 *.*
udp4 0 0 *.bootps *.*
udp6 0 0 *.61966 *.*
udp4 0 0 *.14389 *.*
udp4 0 0 localhost.ntp *.*
udp6 0 0 fe80::1%lo0.ntp *.*
udp6 0 0 localhost.ntp *.*
udp6 0 0 fe80::20c:29ff:f.ntp *.*
udp4 0 0 guest.ntp *.*
udp6 0 0 fe80::20c:29ff:f.ntp *.*
udp4 0 0 guest.ntp *.*
udp6 0 0 *.ntp *.*
udp4 0 0 *.ntp *.*
udp4 0 0 *.syslog *.*
udp6 0 0 *.syslog *.*
icm4 0 0 *.* *.*
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
c3c19c18 stream 0 0 0 c3c1a4b4 0 0 /tmp/mysql.sock
c3c1a4b4 stream 0 0 0 c3c19c18 0 0
c3c23000 stream 0 0 0 c3c230ac 0 0
c3c230ac stream 0 0 0 c3c23000 0 0
c3c1a60c stream 0 0 0 0 0 0
c3c1a764 stream 0 0 c3cc39fc 0 0 0 /tmp/mysql.sock
c3c23204 stream 0 0 0 c3c232b0 0 0 /var/run/devd.pipe
c3c232b0 stream 0 0 0 c3c23204 0 0
c3c1a968 stream 0 0 c3c1fc34 0 0 0 /var/run/devd.pipe
c3c22c18 dgram 0 0 0 c3c2335c 0 c3c22cc4
c3c22cc4 dgram 0 0 0 c3c2335c 0 c3c22e1c
c3c22d70 dgram 0 0 0 c3c23408 0 c3c22ec8
c3c22e1c dgram 0 0 0 c3c2335c 0 c3c1a6b8
c3c22ec8 dgram 0 0 0 c3c23408 0 c3c23158
c3c1a6b8 dgram 0 0 0 c3c2335c 0 c3c1a810
c3c23158 dgram 0 0 0 c3c23408 0 0
c3c1a810 dgram 0 0 0 c3c2335c 0 c3c1a8bc
c3c1a8bc dgram 0 0 0 c3c2335c 0 0
c3c2335c dgram 0 0 c3a47b18 0 c3c22c18 0 /var/run/logpriv
c3c23408 dgram 0 0 c3a47c34 0 c3c22d70 0 /var/run/log
>> Здравствуйте.
> Покажите ipfw list, netstat -antu
root@guest:/etc # netstat -n
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 193.94.78.154.43241 217.69.136.175.80 ESTABLISHED
tcp4 0 0 193.94.78.154.26744 217.69.136.175.80 ESTABLISHED
tcp4 0 0 193.94.78.154.46969 217.69.136.175.80 ESTABLISHED
tcp4 0 0 193.94.78.154.26411 217.69.136.175.80 ESTABLISHED
tcp4 0 0 193.94.78.154.21130 68.232.35.121.80 ESTABLISHED
tcp4 0 0 192.168.0.249.3128 192.168.0.78.3930 ESTABLISHED
tcp4 0 0 193.94.78.154.13742 68.232.35.121.80 ESTABLISHED
tcp4 0 0 192.168.0.249.3128 192.168.0.78.3928 ESTABLISHED
tcp4 0 0 193.94.78.154.13668 77.234.201.242.80 ESTABLISHED
tcp4 0 0 193.94.78.154.65231 77.234.201.242.80 ESTABLISHED
tcp4 0 0 193.94.78.154.42579 217.69.133.145.80 TIME_WAIT
tcp4 0 0 193.94.78.154.62969 217.69.133.145.80 TIME_WAIT
tcp4 0 0 192.168.0.249.3128 192.168.0.78.3926 ESTABLISHED
tcp4 0 0 192.168.0.249.3128 192.168.0.78.3924 ESTABLISHED
tcp4 0 0 193.94.78.154.45756 217.69.133.148.80 TIME_WAIT
tcp4 0 0 193.94.78.154.12739 217.69.133.148.80 TIME_WAIT
tcp4 0 0 192.168.0.249.3128 192.168.0.78.3922 ESTABLISHED
tcp4 0 0 193.94.78.154.46974 77.234.201.242.80 TIME_WAIT
tcp4 0 0 193.94.78.154.38049 77.234.201.242.80 TIME_WAIT
tcp4 0 0 192.168.0.249.3128 192.168.0.78.3911 ESTABLISHED
tcp4 0 0 192.168.0.249.3128 192.168.0.78.3908 ESTABLISHED
tcp4 0 0 192.168.0.249.3128 192.168.0.78.3905 ESTABLISHED
tcp4 0 0 192.168.0.249.3128 192.168.0.78.3903 ESTABLISHED
tcp4 0 0 192.168.0.249.3128 192.168.0.78.3901 ESTABLISHED
tcp4 0 0 193.94.78.154.55051 82.145.215.17.443 TIME_WAIT
tcp4 0 64 192.168.0.249.22 192.168.0.78.3891 ESTABLISHED
udp4 0 0 127.0.0.1.9999 *.*
udp4 0 0 127.0.0.1.123 *.*
udp6 0 0 fe80::1%lo0.123 *.*
udp6 0 0 ::1.123 *.*
udp6 0 0 fe80::20c:29ff:f.123 *.*
udp4 0 0 193.94.78.154.123 *.*
udp6 0 0 fe80::20c:29ff:f.123 *.*
udp4 0 0 192.168.0.249.123 *.*
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
c3c19c18 stream 0 0 0 c3c1a4b4 0 0 /tmp/mysql.sock
c3c1a4b4 stream 0 0 0 c3c19c18 0 0
c3c23000 stream 0 0 0 c3c230ac 0 0
c3c230ac stream 0 0 0 c3c23000 0 0
c3c1a60c stream 0 0 0 0 0 0
c3c1a764 stream 0 0 c3cc39fc 0 0 0 /tmp/mysql.sock
c3c23204 stream 0 0 0 c3c232b0 0 0 /var/run/devd.pipe
c3c232b0 stream 0 0 0 c3c23204 0 0
c3c1a968 stream 0 0 c3c1fc34 0 0 0 /var/run/devd.pipe
c3c22c18 dgram 0 0 0 c3c2335c 0 c3c22cc4
c3c22cc4 dgram 0 0 0 c3c2335c 0 c3c22e1c
c3c22d70 dgram 0 0 0 c3c23408 0 c3c22ec8
c3c22e1c dgram 0 0 0 c3c2335c 0 c3c1a6b8
c3c22ec8 dgram 0 0 0 c3c23408 0 c3c23158
c3c1a6b8 dgram 0 0 0 c3c2335c 0 c3c1a810
c3c23158 dgram 0 0 0 c3c23408 0 0
c3c1a810 dgram 0 0 0 c3c2335c 0 c3c1a8bc
c3c1a8bc dgram 0 0 0 c3c2335c 0 0
c3c2335c dgram 0 0 c3a47b18 0 c3c22c18 0 /var/run/logpriv
c3c23408 dgram 0 0 c3a47c34 0 c3c22d70 0 /var/run/log
root@guest:/etc #