Original message
"OpenVPN just won't get through pf :("
Posted by UltraLaser, 17-Apr-10 14:55
Please help me with the following question: I can't figure out where I'm going wrong. There is a server (OpenBSD 4.6) that acts as the Internet gateway for a small office. It also runs a transparent Squid. It also runs DHCP and OpenVPN (it would be more correct to move both Squid and OpenVPN into a DMZ, but that's the reality). And I cannot get the link between the two offices working: OpenVPN starts up fine on the server, but the connection does not go through. I'd really appreciate some help. The client in this case is Windows XP. The firewall on the client side is disabled. Routing between the networks can wait for now; what matters to me right now is establishing the connection.

Here are the configs


OpenVPN server
# 1. General settings
local 192.168.77.5
server 10.8.0.0 255.255.255.0
dev tun0
proto udp
port 9149
comp-lzo
verb 3
persist-key
persist-tun
keepalive 10 120
max-clients 100
client-to-client


# 2. Keys & certificates
# 2.1. Certificates
# Don't forget to assign appropriate modes to every key or crt file
# chmod 700 /etc/openvpn/keys
# chmod 644 /etc/openvpn/keys/{ca.crt,dh1024.pem,server.crt}
# chmod 600 /etc/openvpn/keys/{server.key,ta.key}

ca /etc/openvpn/keys/server01/ca.crt
cert /etc/openvpn/keys/server01/server.crt

# 2.2. Keys
key /etc/openvpn/keys/server01/server.key
dh /etc/openvpn/keys/server01/dh1024.pem

# 2.3. Tls authentication
# If a tls-auth key is used on the server
# then every client must also have the key.
# 0 for server 1 for client

tls-server
tls-auth /etc/openvpn/keys/server01/ta.key 0
tls-timeout 120


# 3. Routing
push "route 192.168.77.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 10.8.0.0 255.255.255.0
route 192.168.99.0 255.255.255.0
route 192.168.33.0 255.255.255.0


# 4. Encryption
cipher BF-CBC
auth MD5


# 5. Security
# 5.1. Privileges
# Downgrade privileges after initialization (non-Windows only)
#user _openvpn
#group _openvpn

# 5.2. Safe place to run
#chroot /var/empty

# 5.3. Logging
#status server01-status.log
#log openvpn.log


OpenVPN output on startup
Sat Apr 17 15:15:58 2010 OpenVPN 2.1_rc15 i386-unknown-openbsd4.6 [SSL] [LZO1] built on Jul  1 2009
Sat Apr 17 15:15:58 2010 WARNING: --keepalive option is missing from server config
Sat Apr 17 15:15:58 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Apr 17 15:15:58 2010 Diffie-Hellman initialized with 1024 bit key
Sat Apr 17 15:15:58 2010 Control Channel Authentication: using '/etc/openvpn/keys/server01/ta.key' as a OpenVPN static key file
Sat Apr 17 15:15:58 2010 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Apr 17 15:15:58 2010 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Apr 17 15:15:58 2010 TLS-Auth MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Sat Apr 17 15:15:58 2010 ROUTE default_gateway=xxx.xxx.xxx.xxx
Sat Apr 17 15:15:58 2010 /sbin/ifconfig tun0 destroy
Sat Apr 17 15:15:58 2010 /sbin/ifconfig tun0 create
Sat Apr 17 15:15:58 2010 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sat Apr 17 15:15:58 2010 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Sat Apr 17 15:15:58 2010 TUN/TAP device /dev/tun0 opened
Sat Apr 17 15:15:58 2010 /sbin/route add -net 10.8.0.0 10.8.0.2 -netmask 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Sat Apr 17 15:15:58 2010 /sbin/route add -net 192.168.99.0 10.8.0.2 -netmask 255.255.255.0
add net 192.168.99.0: gateway 10.8.0.2
Sat Apr 17 15:15:58 2010 /sbin/route add -net 192.168.33.0 10.8.0.2 -netmask 255.255.255.0
add net 192.168.33.0: gateway 10.8.0.2
Sat Apr 17 15:15:58 2010 /sbin/route add -net 10.8.0.0 10.8.0.2 -netmask 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2: File exists
Sat Apr 17 15:15:58 2010 ERROR: OpenBSD/NetBSD route add command failed: external program exited with error status: 1
Sat Apr 17 15:15:58 2010 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 17 15:15:58 2010 Socket Buffers: R=[41600->65536] S=[9216->65536]
Sat Apr 17 15:15:58 2010 UDPv4 link local (bound): 192.168.77.5:9149
Sat Apr 17 15:15:58 2010 UDPv4 link remote: [undef]
Sat Apr 17 15:15:58 2010 MULTI: multi_init called, r=256 v=256
Sat Apr 17 15:15:58 2010 IFCONFIG POOL: base=10.8.0.4 size=62
Sat Apr 17 15:15:58 2010 Initialization Sequence Completed


Server routing table
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            xxx.xxx.xxx.xxx     UGS        5  9721041     -     8 vr0
10.8.0/24          10.8.0.2           UGS        0        0     -     8 tun0
10.8.0.2           10.8.0.1           UH         3        0     -     4 tun0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         1     1716 33200     4 lo0
192.168.33/24      10.8.0.2           UGS        0        0     -     8 tun0
192.168.77/24      link#2             UC         6        0     -     4 vr1
192.168.77.5       00:26:5a:05:d6:89  UHLc       0      132     -     4 lo0
192.168.77.6       00:21:29:0d:7d:88  UHLc       0  5292900     -     4 vr1
192.168.77.106     link#2             UHLc       1    14714     - L   4 vr1
192.168.77.111     00:1e:8c:00:5e:3b  UHLc       0  1436390     -     4 vr1
192.168.77.116     00:19:db:a8:3c:5e  UHLc       1    87266     -     4 vr1
192.168.77.132     00:19:e3:0e:6c:da  UHLc       0      168     -     4 vr1
192.168.99/24      10.8.0.2           UGS        0        0     -     8 tun0
xxx.xxx.xxx.xxx /30  link#1             UC         1        0     -     4 vr0
yyy.yyy.yyy.yyy     00:1e:f7:dd:e3:7f  UHLc       1        0     -     4 vr0
224/4              127.0.0.1          URS        0        0 33200     8 lo0

Internet6:


# ifconfig tun0 (on the server)
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        priority: 0
        groups: tun
        media: Ethernet autoselect
        status: active
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff

OpenVPN client config

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx
port 9149
resolv-retry infinite
persist-key
persist-tun

ca ..\\easy-rsa\\keys\\alpha_v01\\ca.crt
cert ..\\easy-rsa\\keys\\alpha_v01\\mainoffice.crt
key ..\\easy-rsa\\keys\\alpha_v01\\mainoffice.key
tls-client
tls-auth ..\\easy-rsa\\keys\\alpha_v01\\ta.key 1

ns-cert-type server
cipher BF-CBC
auth MD5
comp-lzo
verb 3


Client output on startup

Sat Apr 17 13:59:18 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Sat Apr 17 13:59:18 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Apr 17 13:59:18 2010 Control Channel Authentication: using '..\easy-rsa\keys\alpha_v01\ta.key' as a OpenVPN static key file
Sat Apr 17 13:59:18 2010 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Apr 17 13:59:18 2010 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Apr 17 13:59:18 2010 LZO compression initialized
Sat Apr 17 13:59:18 2010 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Sat Apr 17 13:59:18 2010 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 17 13:59:18 2010 Local Options hash (VER=V4): '03fa487d'
Sat Apr 17 13:59:18 2010 Expected Remote Options hash (VER=V4): '1056bce3'
Sat Apr 17 13:59:18 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Apr 17 13:59:18 2010 UDPv4 link local (bound): [undef]:9149
Sat Apr 17 13:59:18 2010 UDPv4 link remote: xxx.xxx.xxx.xxx:9149
Sat Apr 17 13:59:18 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sat Apr 17 13:59:20 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

………….
(code=10054)
Sat Apr 17 13:59:48 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sat Apr 17 14:00:14 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sat Apr 17 14:00:16 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sat Apr 17 14:00:18 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 17 14:00:18 2010 TLS Error: TLS handshake failed
Sat Apr 17 14:00:18 2010 TCP/UDP: Closing socket
Sat Apr 17 14:00:18 2010 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr 17 14:00:18 2010 Restart pause, 2 second(s)
Sat Apr 17 14:00:20 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Apr 17 14:00:20 2010 Re-using SSL/TLS context
Sat Apr 17 14:00:20 2010 LZO compression initialized
Sat Apr 17 14:00:20 2010 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Sat Apr 17 14:00:20 2010 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 17 14:00:20 2010 Local Options hash (VER=V4): '03fa487d'
Sat Apr 17 14:00:20 2010 Expected Remote Options hash (VER=V4): '1056bce3'
Sat Apr 17 14:00:20 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Apr 17 14:00:20 2010 UDPv4 link local (bound): [undef]:9149
Sat Apr 17 14:00:20 2010 UDPv4 link remote: xxx.xxx.xxx.xxx:9149
Sat Apr 17 14:00:20 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sat Apr 17 14:00:22 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)


pf.conf

#############################################################################
## 1. Macros
## 1.1. Interfaces
ext_if = "vr0"
int_if = "vr1"
tun_if = "tun0"

## 1.2. Networks
vpn_remote_hosts = "{ 194.67.68.34, 194.67.68.35 }"
vpn_remote_net = "{ 10.8.0.0/24, 192.168.99.0/24, 192.168.33.0/24 }"
vpn_srv_addr_01 = "{ 192.168.77.5 }"

## 1.3. Ports and protos
tcp_udp = "{ tcp, udp }"
vpn_ext_port_01 = "9149"
vpn_srv_port_01 = "9149"
vpn_proto_01 = "udp"


## 1.4. ICMP
#ping and traceroute allowed only
icmp_good="icmp-type 8"

#############################################################################
## 2. Tables

table <rfc1918> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                 10.0.0.0/8, 169.254.0.0/16, \
                 0.0.0.0/8,  240.0.0.0/4, \
                !192.168.99.0/24, !192.168.77.0/24, !192.168.33.0/24, !10.8.0.0/24 }

table <broadcasts> {  255.255.255.255, 10.255.255.255, \
                      192.168.255.255, 127.255.255.255 }

table <bruteforce> persist file "/etc/bruteforce"
table <blocked> persist file "/etc/blocked"

table <int_net> { 192.168.77.0/24, 192.168.33.0/24, 192.168.99.0/24, 10.8.0.0/24 }

#############################################################################
## 3. Options
set block-policy drop
set debug misc
set optimization normal

#############################################################################
## 4. Scrub
match in all scrub (no-df)

#############################################################################
## 6. NAT, Redirection, Binat
## 6.0. Squid RDR - !important place BEFORE NAT
rdr on $int_if inet proto tcp from <int_net> to any port www -> 127.0.0.1 port 3128

## 6.1. Translation
nat on $ext_if from !$ext_if to any -> $ext_if

## 6.2. Redirection
no nat on lo0 from any to any
no rdr on lo0 from any to any


#############################################################################
## 7. Filtration
## 7.1. Initial policy
block in log quick inet6 all
block in all
block out all
block quick from <bruteforce> to any


pass in on $int_if from <int_net> to $int_if keep state
pass out on $int_if from $int_if to <int_net> keep state

pass quick on $tun_if all

## 7.2. Loopback
pass quick on lo0 all


## 7.3. RFC 1918 accordance
block in quick on $ext_if inet from <rfc1918> to any
block out quick on $ext_if inet from any to <rfc1918>

## 7.4. Anti hackers rules
## 7.4.1. Antispoofing
antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet

## 7.4.2. Bruteforce
pass inet proto tcp from any to <int_net> keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

pass out log quick on $ext_if inet proto tcp from $ext_if port ssh to any keep state

## 7.6. ICMP

pass in  quick inet proto icmp all $icmp_good keep state
pass out quick inet proto icmp all $icmp_good keep state


#7.6.1. Traceroute
pass out on $ext_if inet proto udp from $ext_if to any port 33433 >< 33626 keep state

pass in on $int_if inet proto udp from <int_net> to any port 33433 >< 33626 keep state

## 7.7. Internet porno browsing

pass in quick on $int_if inet proto tcp from <int_net> to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

pass out quick on $ext_if inet proto $tcp_udp from $ext_if to any keep state
pass out quick on $int_if inet proto $tcp_udp from <int_net> to any keep state


## 7.12 Vpn
pass in quick log on $ext_if inet proto $vpn_proto_01 from \
    any to $ext_if port $vpn_ext_port_01 keep state

pass out log quick on $int_if proto $vpn_proto_01 from \
    any to $vpn_srv_addr_01 port $vpn_srv_port_01 keep state
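
One check a reader will want to run against the configs above is whether the address OpenVPN binds to is the same address the pf rule admits client traffic to. The script below is an added example, not code from the post nor from OpenVPN or pf: it parses the server config and pf.conf excerpts quoted in the post (copied verbatim, trimmed to the relevant lines), folds pf's backslash continuations, expands the `$macro` references, pairs the listener with the matching `pass in` rule, and decodes the Winsock code in the client log. The function names are my own. `IFACE_ADDRS` is an assumption reconstructed from the post's `netstat -rn` output (192.168.77.0/24 on vr1, the public /30 on vr0); the public address stays masked as `xxx.xxx.xxx.xxx`, exactly as in the post.

```python
"""Added example (not from the post, OpenVPN or pf): cross-check the OpenVPN
listener against the pf rule meant to admit client traffic, and decode the
client's Winsock error.  Config/log excerpts are copied from the post;
IFACE_ADDRS is an assumption rebuilt from its 'netstat -rn' (WAN address masked)."""
import re

SERVER_CONF = """
local 192.168.77.5
proto udp
port 9149
"""

PF_CONF = r"""
ext_if = "vr0"
vpn_ext_port_01 = "9149"
vpn_proto_01 = "udp"
block in all
pass in quick log on $ext_if inet proto $vpn_proto_01 from \
    any to $ext_if port $vpn_ext_port_01 keep state
"""

# Assumed interface -> addresses: vr1 carries 192.168.77.0/24, vr0 the WAN /30.
IFACE_ADDRS = {"vr0": {"xxx.xxx.xxx.xxx"}, "vr1": {"192.168.77.5"}}

CLIENT_LOG = [  # copied from the post's client output
    "Sat Apr 17 13:59:18 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)",
    "Sat Apr 17 13:59:20 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)",
    "Sat Apr 17 14:00:18 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds",
]

# Meaning per Microsoft's Winsock error documentation for WSAECONNRESET.
WINSOCK = {10054: "WSAECONNRESET: on a UDP socket a previous send drew an ICMP "
                  "port unreachable, i.e. the host answered but nothing listens there"}
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
LOG_RE = re.compile(r"read UDPv4: .*\(code=(\d+)\)")


def parse_openvpn_server(text):
    """Bind address (None = every address), port and proto, with OpenVPN's defaults."""
    opts = {"local": None, "port": "1194", "proto": "udp"}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] in opts:
            opts[words[0]] = words[1]
    return opts


def join_continuations(text):
    """pf.conf lets a rule continue after a trailing backslash; fold it back."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_pf_macros(text):
    return dict(MACRO_RE.findall(join_continuations(text)))


def expand(token, macros, depth=10):
    """Resolve $macro references (a macro may itself name another macro)."""
    while token.startswith("$") and depth:
        token, depth = macros.get(token[1:], token[1:]), depth - 1
    return token.strip("{} ")


def find_pass_in_rules(text, macros):
    """on / proto / to / port of every 'pass in' rule, macros expanded."""
    rules = []
    for line in join_continuations(text).splitlines():
        if re.match(r"\s*pass\s+in\b", line):
            rule = {}
            for key in ("on", "proto", "to", "port"):
                m = re.search(r"\b%s\s+(\S+)" % key, line)
                rule[key] = expand(m.group(1), macros) if m else None
            rules.append(rule)
    return rules


def check_bind(server, rule, iface_addrs):
    """Findings list; empty means the listener can receive what pf admits."""
    if rule is None:
        return ["no 'pass in' rule admits %(proto)s/%(port)s at all" % server]
    if server["local"] is None or rule["to"] in (None, "any"):
        return []  # bound to every address, or the rule admits every destination
    admitted = iface_addrs.get(rule["to"], {rule["to"]})  # iface name -> its addresses
    if server["local"] in admitted:
        return []
    return ["MISMATCH: OpenVPN binds %s only, but the pf rule on %s admits %s/%s to %s; "
            "datagrams pf passes find no listener, so the kernel replies ICMP port unreachable"
            % (server["local"], rule["on"], rule["proto"], rule["port"],
               ", ".join(sorted(admitted)))]


def classify_client_log(lines):
    """{winsock code: (occurrences, meaning)} for 'read UDPv4' errors in client output."""
    counts = {}
    for m in filter(None, map(LOG_RE.search, lines)):
        counts[int(m.group(1))] = counts.get(int(m.group(1)), 0) + 1
    return {c: (n, WINSOCK.get(c, "unknown Winsock error")) for c, n in counts.items()}


def run_checks():
    server = parse_openvpn_server(SERVER_CONF)
    rules = find_pass_in_rules(PF_CONF, parse_pf_macros(PF_CONF))
    rule = next((r for r in rules if r["proto"] == server["proto"]
                 and r["port"] == server["port"]), None)
    return check_bind(server, rule, IFACE_ADDRS), classify_client_log(CLIENT_LOG)


if __name__ == "__main__":
    print(*run_checks(), sep="\n")
```

Run against the post's own excerpts, `check_bind` reports a MISMATCH: `local 192.168.77.5` binds the vr1 address only (the server log confirms it with `UDPv4 link local (bound): 192.168.77.5:9149`), while the `pass in` rule on `$ext_if` admits UDP/9149 only to vr0's public address, which is what the client's `remote` points at. On Windows, WSAECONNRESET (10054) on a UDP socket means an ICMP port unreachable came back for the last send, so the client log is consistent with datagrams reaching the gateway and finding no listener on that address. The `pass out ... on $int_if ... to $vpn_srv_addr_01` rule never sees this traffic either: packets addressed to the gateway's own address are delivered locally rather than sent out on vr1.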

 
