
sintetic

Members
  • Posts

    1
  • Registered

  • Last visited

    Never

Contact Methods

  • MSN
    maxnotdead%40hotmail.com
  • ICQ
    62143326

Profile Information

  • Location
    moscow
  • Interests
    computers beer :)

sintetic's achievements

  1. sintetic

    ipa + ipfw

    I have a router running FreeBSD 4.11-RELEASE with ipfw, squid (transparent), dns, ipa, samba. I wrote the following ruleset for ipfw:

    Code:

        #!/bin/sh
        out_ip=""
        out_iface="fxp0"
        local_ip="192.168.1.1"
        localnet="192.168.1.0/24"
        local_net="192.168.1."
        local_iface="fxp1"
        localback_ip="127.0.0.0/8"
        localback_iface="lo0"
        ipfw="/sbin/ipfw"

        #### flush rules ####
        ${ipfw} -f flush

        #### allow localback ####
        ${ipfw} add 00005 pass all from any to any via ${localback_iface}
        ${ipfw} add 00006 deny all from any to ${localback_ip}

        #### eternal freedom for ping ####
        ${ipfw} add 00025 pass icmp from any to any

        #### counters ####
        ${ipfw} add 00101 count tcp from me 137,138,139 to ${local_net}123 via ${local_iface}
        ${ipfw} add 00102 count ip from me to ${local_net}123 via ${local_iface}
        ${ipfw} add 00103 count ip from ${local_net}123 to not 192.168.1.0/24 via ${out_iface}
        ${ipfw} add 00510 count ip from any to ${local_net}123 via ${out_iface}
        ############

        #### allow localnet ####
        ${ipfw} add 00200 pass all from ${localnet} to any via ${local_iface}
        ${ipfw} add 00201 pass all from any to ${localnet} via ${local_iface}

        #### allow nat ####
        ${ipfw} add 00300 fwd 127.0.0.1,8888 tcp from ${localnet} to any 80 via ${out_iface}
        ${ipfw} add 00301 divert natd all from ${localnet} to not ${localnet} via ${out_iface}
        ${ipfw} add 00302 divert natd all from any to ${out_ip} via ${out_iface}

        #### allow FTP ####
        ${ipfw} add 01000 pass tcp from me 1025-65535 to any 20 via ${out_iface}
        ${ipfw} add 01001 pass tcp from any 20 to me 1025-65535 via ${out_iface}
        ${ipfw} add 01002 pass tcp from me 1025-65535 to any 21 via ${out_iface}
        ${ipfw} add 01003 pass tcp from any 21 to me 1025-65535 via ${out_iface}
        ${ipfw} add 01004 pass tcp from ${localnet} 1025-65535 to any 20 via ${out_iface}
        ${ipfw} add 01005 pass tcp from any 20 to ${localnet} 1025-65535 via ${out_iface}
        ${ipfw} add 01006 pass tcp from ${localnet} 1025-65535 to any 21 via ${out_iface}
        ${ipfw} add 01007 pass tcp from any 21 to ${localnet} 1025-65535 via ${out_iface}

        #### allow SSH ####
        ${ipfw} add 01100 pass tcp from X 1025-65535 to me 22 via ${out_iface}
        ${ipfw} add 01101 pass tcp from me 22 to X 1025-65535 via ${out_iface} established

        #### allow SMTP ####
        ${ipfw} add 01200 pass tcp from me 1025-65535 to any 25 via ${out_iface}
        ${ipfw} add 01201 pass tcp from ${localnet} 1025-65535 to any 25 via ${out_iface}
        ${ipfw} add 01202 pass tcp from any 25 to ${localnet} 1025-65535 via ${out_iface} established

        #### allow DNS ####
        ${ipfw} add 01300 pass udp from me 1025-65535 to any 53 via ${out_iface}
        ${ipfw} add 01301 pass udp from any 53 to me 1025-65535 via ${out_iface}
        ${ipfw} add 01302 pass udp from any 53 to ${localnet} 1025-65535 via ${out_iface}

        #### allow HTTP ####
        ${ipfw} add 01400 pass tcp from me 1025-65535 to any 80 via ${out_iface}
        ${ipfw} add 01401 pass tcp from any 80 to me 1025-65535 via ${out_iface} established
        ${ipfw} add 01402 pass tcp from any 80 to ${localnet} 1025-65535 via ${out_iface} established

        #### POP3 ####
        ${ipfw} add 01500 pass tcp from me 1025-65535 to any 110 via ${out_iface}
        ${ipfw} add 01501 pass tcp from ${localnet} 1025-65535 to any 110 via ${out_iface}
        ${ipfw} add 01502 pass tcp from any 110 to ${localnet} 1025-65535 via ${out_iface}

        #### HTTPS ####
        ${ipfw} add 01600 pass tcp from me 1025-65535 to any 443 via ${out_iface}
        ${ipfw} add 01601 pass tcp from ${localnet} 1025-65535 to any 443 via ${out_iface}
        ${ipfw} add 01602 pass tcp from any 443 to ${localnet} 1025-65535 via ${out_iface} established

        #### ICQ ####
        ${ipfw} add 01700 pass tcp from ${localnet} 1025-65535 to any 5000-5100 out via ${out_iface}
        ${ipfw} add 01701 pass tcp from any 5000-5100 to ${localnet} 1025-65535 via ${out_iface} established

        #### MSN ####
        ${ipfw} add 01800 pass tcp from ${localnet} 1025-65535 to any 6891-6900 out via ${out_iface}
        ${ipfw} add 01801 pass tcp from any 6891-6900 to ${localnet} 1025-65535 via ${out_iface} established

        #### security ####
        ${ipfw} add 65000 pass tcp from me 1025-65535 to any via ${out_iface}
        ${ipfw} add 65501 pass tcp from any to ${localnet} 1025-65535 via ${out_iface}

        #yanki, go home
        ${ipfw} add 65534 deny all from any to any
        ###############
        ###############
        #sleep 60
        #${ipfw} -f flush
        #/bin/sh /etc/rc.firewall

    ipa.conf:

    Code:

        global {
            update_db_time = 1m30s
        #   db_owner = nobody:nogroup
        #   db_perm = u+r
            db_dir = /var/ipa
            lock_wait_time = 1m
            maxchunk = 10G
        }

        startup {
        }

        rule test-in {
            ipfw = 00102 -00101 00510
            info = incoming trafic
        }

        rule test-out {
            ipfw = 00103
            info = outgoming trafic
        }

    I count all traffic from the router to the user from ports 137-139 (NetBIOS), then I count the total traffic from the router, and all traffic coming in from the external interface... then ipa adds up all the incoming traffic and subtracts all the NetBIOS traffic, which gives the incoming total. And rule 103 is the outgoing traffic. I started testing and it seemed to add up. But today I started downloading from the net (~200 MB), and the statistics showed only 12 MB. What's the screw-up here? I think I did everything by the manual :( PS: maybe you could also critique the rules while you're at it?
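As an added example (not part of sintetic's post, the ipa project or its documentation), the POSIX sh/awk script below recomputes an ipa `ipfw = ...` expression directly from the byte column of `ipfw show`, so an accounting database can be cross-checked against the live counters when totals look too small. It assumes the `ipfw show` line format (rule number, packet count, byte count, rule text); the `ipfw show` output embedded in it is constructed, not a capture from the router above, while the rule numbers and the `00102 -00101 00510` expression come from the post's ipa.conf.

```shell
#!/bin/sh
# Added example: recompute ipa's per-rule byte sums from raw ipfw counters.
# Not code from the original post or from the ipa project.
# Assumes the `ipfw show` line format: rule-number packets bytes rule-text.

# ipa_sum EXPR : read `ipfw show` output on stdin and evaluate an ipa.conf
# "ipfw = ..." expression such as "00102 -00101 00510", where a leading '-'
# subtracts that rule's byte counter. Prints the resulting byte total.
ipa_sum() {
    awk -v expr="$1" '
        BEGIN { n = split(expr, tok, /[ \t]+/) }
        # every rule line starts with a rule number; remember its byte column
        /^[0-9]+[ \t]/ { bytes[$1 + 0] = $3 + 0 }
        END {
            total = 0
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t == "") continue
                sign = 1
                if (substr(t, 1, 1) == "-") { sign = -1; t = substr(t, 2) }
                # a rule that is absent from the ruleset contributes nothing,
                # but say so: the expression probably references a stale number
                if (!((t + 0) in bytes))
                    printf "warning: rule %s not present in ruleset\n", t > "/dev/stderr"
                total += sign * bytes[t + 0]
            }
            print total
        }'
}

# Constructed sample of `ipfw show` output (not a real capture), using the
# four count rules from the post with the counted host being 192.168.1.123.
SAMPLE_IPFW_SHOW='00005        10       1200 allow ip from any to any via lo0
00101       300      45000 count tcp from me 137,138,139 to 192.168.1.123 via fxp1
00102      9000   12500000 count ip from me to 192.168.1.123 via fxp1
00103      4000     350000 count ip from 192.168.1.123 to not 192.168.1.0/24 via fxp0
00510      5000    6500000 count ip from any to 192.168.1.123 via fxp0
65534        12        900 deny ip from any to any'

# The same two expressions as the post's "test-in" and "test-out" ipa rules.
in_bytes=$(printf '%s\n' "$SAMPLE_IPFW_SHOW" | ipa_sum '00102 -00101 00510')
out_bytes=$(printf '%s\n' "$SAMPLE_IPFW_SHOW" | ipa_sum '00103')
echo "test-in  = $in_bytes bytes"
echo "test-out = $out_bytes bytes"
```

On the router itself, replace the embedded sample with the live output, e.g. `ipfw show | ipa_sum '00102 -00101 00510'`, and compare the result with what ipa reports for the same period. The byte column is a per-rule counter since the last `ipfw -f flush` or `ipfw zero`, so re-running a firewall script that starts with a flush resets every counter; and because `count` rules only match packets that reach them, a sum that stays far below the expected transfer narrows the question to which of the counted rules the packets actually hit before an earlier rule passed or diverted them.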