AlexeiUttinov
Ребята, большая просьба о помощи. Имеем FreeBSD 6.2 и 2 сетевухи: одна к провайдеру, другая в локалку. Задача — сделать шлюз с NAT и выпускать через него пользователей локальной сети в инет + поставить фаервол, дабы из внешней сети неповадно было делать все что хочешь.

Дописал в конфиге ядра:

options DUMMYNET
options TCP_DROP_SYNFIN
options SC_DISABLE_REBOOT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD
options IPDIVERT
options BRIDGE

и скомпилил с новыми параметрами. Здесь все ок.

В rc.conf дописал:

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"
firewall_quiet="YES"
firewall_logging="YES"
natd_enable="YES"
natd_interface="xl1"
natd_flags=""
tcp_drop_synfin="YES"
clear_tmp_enable="YES"
inetd_enable="NO"

Если выбираю правило open, то инет работает у всех и все ок. У клиентов IP-адреса раздаются по DHCP, также DHCP прописывает DNS локального доменного сервака и шлюз к вряхе. Если выбираю правило simple в скрипте rc.firewall, то инет перестает работать.

[Ss][Ii][Mm][Pp][Ll][Ee])
############
# This is a prototype setup for a simple firewall. Configure this
# machine as a DNS and NTP server, and point all the machines
# on the inside at this machine for those services.
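############

# First half of the "simple" ruleset: interface/address variables,
# loopback setup, anti-spoofing and bogon-destination filters on the
# outside interface. Rule order is significant; the rules are kept in
# the order they were posted. The listing had been collapsed onto one
# line that began with '#', which turned every assignment and rule into
# comment text; one statement per line restores them as commands.
#
# ${fwcmd} and setup_loopback are defined elsewhere in rc.firewall and
# are not visible in this listing. ${fwcmd} is left unquoted as posted
# (presumably it carries the ipfw command plus flags -- TODO confirm).

# set these to your outside interface network and netmask and ip
oif="xl1"
onet="10.28.2.0"
omask="255.255.255.0"
oip="10.28.2.126"

# set these to your inside interface network and netmask and ip
iif="xl0"
inet="192.168.10.0"
imask="255.255.255.0"
iip="192.168.10.250"

setup_loopback

# Stop spoofing: drop packets that claim an inside source address but
# arrive on the outside interface, and packets that claim an
# outside-network source address but arrive on the inside interface.
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
# The 10.0.0.0/8 rule is disabled. The outside address ${oip}
# (10.28.2.126) lies inside 10.0.0.0/8, so enabling it would drop
# traffic addressed to this gateway on ${oif}.
# NOTE(review): with the rule disabled, no other 10.0.0.0/8 destination
# is filtered on ${oif} by this group of rules.
#${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.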
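# Second half of the "simple" ruleset: the natd divert hook, the
# bogon-source filters on the outside interface, then the service
# allow-list. Rule order is significant; the rules are kept in the
# order they were posted, one statement per line.
#
# ${fwcmd}, ${oif}, ${oip} and ${iip} are set outside this block;
# ${natd_enable} and ${natd_interface} come from rc.conf.

# Hand packets crossing the natd interface to natd(8), but only when
# natd is enabled and an interface name is configured.
case ${natd_enable} in
[Yy][Ee][Ss])
  if [ -n "${natd_interface}" ]; then
    ${fwcmd} add divert natd all from any to any via ${natd_interface}
  fi
  ;;
esac

# Stop RFC1918 nets on the outside interface
# The 10.0.0.0/8 rule is disabled; ${oip} itself is a 10.x address, so
# enabling it would drop traffic sourced from this gateway on ${oif}.
#${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
# NOTE(review): this accepts every fragment regardless of source,
# destination or interface; it is evaluated before the service rules
# below.
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Allow setup of SSH
# NOTE(review): "from any" puts no limit on who may open an SSH session
# to ${oip}; restrict the source if administration is only needed from
# known addresses.
${fwcmd} add pass tcp from any to ${oip} 22 setup
${fwcmd} add pass tcp from any to ${iip} 22 setup

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup
${fwcmd} add pass tcp from any to ${iip} 80 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# NOTE(review): every UDP pass rule in this listing has ${oip} as its
# source or destination. A UDP packet from an inside host to an outside
# server (for example a LAN DNS server forwarding queries) arrives via
# the inside interface with an inside source address, matches none of
# them and falls through to the default deny. That matches the header
# comment of this ruleset, which expects this machine itself to be the
# DNS and NTP server for the inside hosts.

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state

# Allow ICMP echo reply (0), echo request (8) and time exceeded (11)
# between any hosts.
# NOTE(review): type 3 (destination unreachable) is not in the list;
# confirm whether path MTU discovery is expected to work through this
# gateway.
${fwcmd} add pass icmp from any to any icmptypes 0,8,11

# Everything else is denied by default, unless the
#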
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;

Что можно сделать? Только, пожалуйста, подробно: что добавить, а что удалить в правилах. Заранее спасибо.