Изпечатай

[bozho]

freebsd с 2 мрежови карти
 едната идва интернет от adsl (нат с линукс работи - не е проблемът в adsl-a)
ifconfig_bge0="inet 192.168.1.2  netmask 255.255.255.0"
defaultrouter="192.168.1.1"

на другата трябва да излязат 2 подмрежи
192.168.2.0 и 192.168.4.0
ifconfig_bge1="inet 192.168.2.1  netmask 255.255.255.0"
ifconfig_bge1_alias0="inet 192.168.4.1  netmask 255.255.255.0"
имам още
gateway_enable="YES"
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""
в rc.conf
в pf.conf опитах

ext_if="bge0"   # replace with actual external interface name i.e., dc0
int_if="bge1"   # replace with actual internal interface name i.e., dc1
internal_net_1="192.168.2.0/16"
internal_net_2="192.168.4.0/16"
external_addr="192.168.1.2"
IP gateway=YES

# tables
table <firewall> const { self }


# options
set block-policy drop
set state-policy if-bound


# scrub incoming packets
scrub all reassemble tcp fragment reassemble


# nat
nat on $ext_if from $internal_net_1 to any -> ($ext_if)
nat on $ext_if from $internal_net_2 to any -> ($ext_if)

# setup a default deny policy
block drop log all


но явно не е правилно - нат- а го няма
не можах да открия про подобна ситуация как се прави нат-а  

[Hapkoc]

Така като гледам - не си разрешил нищо.

В момента всички пакети се блокират в резултат на реда:

block drop log all

Ако сложиш NAT-а така:

nat pass on $ext_if from $internal_net_1 to !$internal_net_1 -> ($ext_if)

мисля, че трябва да работи.

Втората корекция - да не е 'to any' е с цел пакети за вътрешната мрежа да не се пускат през NAT-а.

[bozho]

хмм
то аз съм пропуснал, ама мислех, че тоя редове
pass in on $int_if inet proto tcp from $internal_net_1 to !<firewall> flags S/SA modulate state
pass in  on $int_if inet proto udp from $internal_net_1 to !<firewall> keep state
#
pass in  on $int_if inet proto tcp from $internal_net_2 to !<firewall> flags S/SA modulate state
pass in  on $int_if inet proto udp from $internal_net_2 to !<firewall> keep state
(END)                          

ще разрешат трафика въпреки
                               block drop log all
но може да са ми сбъркани.
Обаче махнах всякакви блокове, опитах както каза, ама явлението е много странно. Нет няма, но като се логнах на отдалечена машина и пуснах tcpdum  видях, че до нея идват заявките от вътрешната мрежа! Но обратната връзка яно не се получава?!?
Дане би (забравих да кажа - freebsd 6.1) да има някакъв филтър по подразбиране, който не съм махнал?

[Hapkoc]

Нещо се омотах и аз малко.

Можеш ли да пуснеш цялата конфигурация на PF, че така на парчета не стоплям какво се случва.

[bozho]

Примерен код

# Macros: define common values, so they can be referenced and changed easily. ext_if="bge0"   # replace with actual external interface name i.e., dc0 int_if="bge1"   # replace with actual internal interface name i.e., dc1 internal_net_1="192.168.2.0/16" internal_net_2="192.168.4.0/16" external_addr="192.168.1.2" IP gateway=YES # tables table <firewall> const { self } # options #set block-policy drop #set state-policy if-bound # scrub incoming packets scrub all reassemble tcp fragment reassemble # setup a default deny policy #block drop log all   # nat nat on $ext_if from $internal_net_1 to any -> ($ext_if) nat on $ext_if from $internal_net_2 to any -> ($ext_if) # pass traffic #nat pass on $ext_if from $internal_net_1 to !$internal_net_1 -> ($ext_if) #nat pass on $ext_if from $internal_net_2 to !$internal_net_2 -> ($ext_if) # pass traffic on the loopback interface in either direction pass quick on lo0 all # options #set block-policy drop #set state-policy if-bound # scrub incoming packets scrub all reassemble tcp fragment reassemble   # pass traffic on the loopback interface in either direction pass quick on lo0 all # pass traffic nat pass on $ext_if from $internal_net_1 to !$internal_net_1 -> ($ext_if) # bootp pass out log-all quick on $ext_if inet proto udp from any port 68 to any port 67 keep state # dns, ntp pass out quick on $ext_if inet proto udp from ($ext_if) to any port {53, 123 } keep state # outgoing from firewall pass out log quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state # incoming, ssh, http (uncomment next line to enable) pass in  on $ext_if inet proto tcp from any to ($ext_if) port { 22, 80 } flags S/SA keep state # incoming active ftp-data (this is required for active ftp to work) ##pass in  on $ext_if inet proto tcp from any port 20 to ($ext_if) port >= 1024 flags S/SA keep state # incoming tcp and udp from the internal network to the internet pass in on $int_if inet proto tcp from $internal_net_1 to !<firewall> flags S/SA modulate state pass in  on $int_if inet proto udp from $internal_net_1 to !<firewall> keep state # pass in  on $int_if inet proto tcp from $internal_net_2 to !<firewall> flags S/SA modulate state pass in  on $int_if inet proto udp from $internal_net_2 to !<firewall> keep state

а иначе опитах и така:

Примерен код

# Macros: define common values, so they can be referenced and changed easily. ext_if="bge0"   # replace with actual external interface name i.e., dc0 int_if="bge1"   # replace with actual internal interface name i.e., dc1 internal_net_1="192.168.2.0/16" internal_net_2="192.168.4.0/16" external_addr="192.168.1.2" IP gateway=YES # tables #table <firewall> const { self } # options set block-policy drop set state-policy if-bound # scrub incoming packets scrub all reassemble tcp fragment reassemble # nat nat pass on $ext_if from $internal_net_1 to !$internal_net_1 -> ($ext_if) nat pass on $ext_if from $internal_net_2 to !$internal_net_2 -> ($ext_if) # pass traffic on the loopback interface in either direction pass quick on lo0 all # tables #table <firewall> const { self } # scrub incoming packets scrub all reassemble tcp fragment reassemble   # pass traffic on the loopback interface in either direction pass quick on lo0 all # bootp pass out log-all quick on $ext_if inet proto udp from any port 68 to any port 67 keep state # dns, ntp pass out quick on $ext_if inet proto udp from ($ext_if) to any port {53, 123 } keep state

[bozho]

sorry
аз съм говедото:
" If you are installing altq on a multiprocessor system, add options ALTQ_NOPPC "

като позачистих след това и грешките в pf.conf тръгнаха нещата
Благодаря Hapkoc за отделеното внимание и съжалявам, че ти изгубих времето   '>

[Hapkoc]

Хахахахаххах, няма проблеми, радвам се, че са тръгнали нещата. :)