There is a gateway on FreeBSD 4.10 + ipfilter with 2 interfaces, rl0 (int) + rl1 (ext).
Here are the rules, with my comments in them; I hope it will be clear what is for what.
#block hack packets 
block in log quick from any to any with ipopts 
block in log quick proto tcp from any to any with short 
#pass everything on loopback 
pass in on lo0 all 
pass out on lo0 all 
# 
#INTERNAL 
# 
#pass all outgoing from internal 
block out on rl0 all head 100 
block out from 127.0.0.1/8 to any group 100 
#block incoming from intranet on internal 192.168.0.102 
pass in on rl0 all head 200 
block in from 127.0.0.1/8 to any group 200 
block in from 192.168.0.111/32 to any group 200 
pass in quick proto icmp from 192.168.0.0/24 to any keep state group 200 
#pass from internal to proxy 
pass in quick proto tcp from 192.168.0.0/24 to any port = 9876 keep state group 200 
#pass mail,internet,cvs from 192.168.0.25 
pass in quick proto tcp from 192.168.0.25/32 to any port = smtp keep state group 200 
pass in quick proto tcp from 192.168.0.25/32 to any port = ftp keep state group 200 
pass in quick proto tcp from 192.168.0.25/32 to any port = www keep state group 200 
pass in quick proto tcp from 192.168.0.25/32 to any port = 5999 keep state group 200 
#pass time,internet,dns from 192.168.0.100 
pass in quick proto tcp from 192.168.0.100/32 to any port = ftp keep state group 200 
pass in quick proto tcp from 192.168.0.100/32 to any port = ntp keep state group 200 
pass in quick proto tcp from 192.168.0.100/32 to any port = www keep state group 200 
pass in quick proto tcp from 192.168.0.100/32 to any port = 53 group 200 
pass in quick proto udp from 192.168.0.100/32 to any port = 53 group 200 
#pass dns from 192.168.0.101 
pass in quick proto udp from 192.168.0.101/32 to any port = 53 keep frags group 200 
pass in quick proto tcp from 192.168.0.101/32 to any port = 53 keep state keep frags group 200 
#pass ftp, traceroute 
pass in quick proto tcp from 192.168.0.0/24 to any port > 1023 flags S keep state keep frags group 200 
pass in quick proto udp from 192.168.0.0/24 to any port 3323 >< 33525 keep state keep frags group 200 
#pass ssh 
pass in quick proto tcp/udp from 192.168.0.39 to any port = ssh group 200 
# 
#EXTERNAL 
# 
#block all outgoing from external 
block out quick on rl1 all head 300 
block out from 127.0.0.1/8 to any group 300 
block out from any to 127.0.0.1/8 group 300 
#block out from any to 212.34.41.67/32 group 300 
pass out quick proto icmp from any to any keep state group 300 
#pass mail,internet,cvs from 192.168.0.25 
pass out quick proto tcp from 192.168.0.25/32 to any port = smtp flags S keep state keep frags group 300 
pass out quick proto tcp from 192.168.0.25/32 to any port = ftp flags S keep state keep frags group 300 
pass out quick proto tcp from 192.168.0.25/32 to any port = www flags S keep state keep frags group 300 
pass out quick proto tcp from 192.168.0.25/32 to any port = 5999 flags S keep state keep frags group 300 
#pass time,internet,dns from 192.168.0.100 
pass out quick proto tcp from 192.168.0.100/32 to any port = ftp flags S keep state keep frags group 300 
pass out quick proto tcp/udp from 192.168.0.100/32 to any port = ntp keep frags group 300 
pass out quick proto tcp from 192.168.0.100/32 to any port = www flags S keep state keep frags group 300 
pass out quick proto udp from 192.168.0.100/32 to any port = 53 keep state keep frags group 300 
pass out quick proto tcp from 192.168.0.100/32 to any port = 53 flags S keep state keep frags group 300 
#pass dns from 192.168.0.101 
pass out quick proto udp from 192.168.0.101/32 to any port = 53 keep frags group 300 
pass out quick proto tcp from 192.168.0.101/32 to any port = 53 flags S keep state keep frags group 300 
#pass ftp, traceroute 
#pass out quick proto tcp from 192.168.0.0/24 to any port > 1023 flags S keep state keep frags group 300 
pass out quick proto udp from 192.168.0.0/24 to any port 3323 >< 33525 keep state keep frags group 300 
#block hack packets 
#block return-rst in log proto tcp from any to any flags S/SA group 300 
#block incoming from intranet on internal 192.168.0.11 
block in on rl1 all head 400 
block in from 127.0.0.1/8 to any group 400 
pass in quick proto icmp from any to any keep state group 400 
pass in quick proto tcp from any to any port = www keep state group 400 
pass in quick proto tcp from any to any port = smtp keep state group 400 
pass in quick proto tcp from any to any port = 443 keep state group 400 
#block hack packets 
block return-rst in log proto tcp from any to any flags S/SA group 400 
block return-icmp in proto udp all group 400 
So here is the problem: if I put pass in all on the internal interface, everything works fine, including ipnat. If block, then ssh is slow and the machine itself does not resolve names via the internal DNS, although all the rules seem to be there. What is the mistake?
Trouble with ipfilter rules
Stranger03 (Trinity staff)
Re: Trouble with ipfilter rules
mclaud wrote:
> works fine, including ipnat. If block, then ssh is slow and the machine itself does not resolve names via the internal DNS, although all the rules seem to be there. What is the mistake?

Usually internal traffic is always allowed. Don't overthink it.
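As an added illustration (not the poster's ruleset and not something from the forum), here is how the two internal-interface groups look when the head rule is a block instead of a pass. In ipfilter the head rule's own action is the default for its group: a packet that matches nothing in group 200 is handled by the head rule, so with block ... head 200 it is dropped, and the same holds for group 100 on the way out. The gateway's own queries to the internal DNS server, and the replies to them, therefore need an explicit stateful rule; a gap there shows up exactly as failed name resolution on the gateway and slow ssh logins, because sshd waits on a reverse lookup before it prints the prompt. The addresses 192.168.0.1 for the gateway's rl0 side and 192.168.0.101 for the internal DNS server are assumptions; replace them with the real ones.

```conf
# Added example, not the poster's ruleset. Assumed addresses:
#   192.168.0.1   - the gateway's own address on rl0
#   192.168.0.101 - the internal DNS server (the host the original rules let talk to port 53)

# --- outbound on rl0 ---
# The head rule's action is the default for group 100: anything that matches
# no rule in the group is BLOCKED here, it does not fall through to "pass".
block out quick on rl0 all head 100
block out quick from 127.0.0.0/8 to any group 100
# The gateway's own lookups against the internal DNS server. "keep state"
# admits the reply on rl0 as well, so no separate inbound rule is needed.
pass out quick proto udp from 192.168.0.1 to 192.168.0.101 port = 53 keep state group 100
pass out quick proto tcp from 192.168.0.1 to 192.168.0.101 port = 53 flags S keep state group 100
# Replies to LAN clients that were admitted with "keep state" in group 200
# already match state entries and never reach this rule. Everything else
# leaving on rl0 is logged, so a missing rule shows up in ipmon as a named
# drop instead of as a silent hang.
block out log quick on rl0 all group 100

# --- inbound on rl0 ---
# Same pattern: block by default instead of "pass in on rl0 all head 200".
block in quick on rl0 all head 200
block in quick from 127.0.0.0/8 to any group 200
block in quick from 192.168.0.111/32 to any group 200
pass in quick proto icmp from 192.168.0.0/24 to any keep state group 200
# LAN clients to the proxy on the gateway
pass in quick proto tcp from 192.168.0.0/24 to any port = 9876 flags S keep state group 200
# The internal DNS server forwarding queries to the outside; "keep state" on
# the inbound rule covers the packet leaving on rl1 and the reply coming back.
pass in quick proto udp from 192.168.0.101 to any port = 53 keep state group 200
pass in quick proto tcp from 192.168.0.101 to any port = 53 flags S keep state group 200
# ssh to the gateway from the LAN
pass in quick proto tcp from 192.168.0.0/24 to any port = ssh flags S keep state group 200
# Log whatever falls through so ipmon shows which packet was dropped.
block in log quick on rl0 all group 200
```

Load it with ipf -Fa -f /etc/ipf.rules (the path is the FreeBSD default, adjust if yours differs) and keep ipmon -o I running in another terminal while the gateway resolves a name or a LAN host opens an ssh session: every drop is then attributed to the rule that caused it, which is faster than toggling the head rule between pass and block and guessing.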