Имеется роутер на freebsd 4.11release, ipfw, squid(прозрачный), dns, ipa, samba
написал вот такой список правил для ipfw:
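#!/bin/sh
# ipfw ruleset for a FreeBSD 4.11 router.
#   ${out_iface}   - external interface (natd + transparent squid on it)
#   ${local_iface} - LAN interface
# Rules 00101-00103 and 00510 only *count* (they are read by ipa); everything
# else passes or denies.  Rule numbers are kept stable because ipa.conf
# refers to them.
out_ip=""                   # external address of ${out_iface} -- MUST be set
out_iface="fxp0"
local_ip="192.168.1.1"      # router's LAN address (not referenced below)
localnet="192.168.1.0/24"
local_net="192.168.1."      # prefix; "${local_net}123" is the accounted host
local_iface="fxp1"
localback_ip="127.0.0.0/8"
localback_iface="lo0"
ipfw="/sbin/ipfw"
# Host/network allowed to ssh in from the outside.  "X" is a placeholder that
# ipfw cannot resolve -- replace it with a real address before running.
ssh_peer="X"
acct_host="${local_net}123"

# Bail out *before* the flush if a required value is empty: with an empty
# ${out_ip} rule 00302 is malformed and natd replies are never diverted,
# while the rest of the script would silently carry on.
: "${out_ip:?out_ip must be the external address of ${out_iface}}"
: "${acct_host:?}"

#### flush rules ####
# NOTE: this also zeroes every counter; if the script is re-run between two
# ipa samples (update_db_time in ipa.conf) the bytes counted since the last
# sample are lost.
${ipfw} -f flush
#### allow localback ####
${ipfw} add 00005 pass all from any to any via ${localback_iface}
${ipfw} add 00006 deny all from any to ${localback_ip}
#### eternal freedom for ping ####
${ipfw} add 00025 pass icmp from any to any
#### counters (read by ipa) ####
# 00101: NetBIOS from the router to the accounted host -- subtracted by ipa.
#        Only TCP is counted here; 137/138 are normally UDP, so the UDP part
#        of NetBIOS stays inside 00102.
${ipfw} add 00101 count tcp from me 137,138,139 to ${acct_host} via ${local_iface}
# 00102: everything the router itself sends to the host on the LAN side
#        (content served by squid is seen here, not by 00510).
${ipfw} add 00102 count ip from me to ${acct_host} via ${local_iface}
# 00103: the host's outbound traffic, seen before natd (00301) rewrites the
#        source address.
${ipfw} add 00103 count ip from ${acct_host} to not ${localnet} via ${out_iface}
# 00510: inbound traffic to the host.  It is numbered after the divert rule
#        00302, so it sees the packet after natd has restored the LAN
#        destination (diverted packets re-enter after the divert rule).
${ipfw} add 00510 count ip from any to ${acct_host} via ${out_iface}
############
#### allow localnet ####
${ipfw} add 00200 pass all from ${localnet} to any via ${local_iface}
${ipfw} add 00201 pass all from any to ${localnet} via ${local_iface}
#### allow nat ####
# Transparent squid on 127.0.0.1:8888.
# NOTE(review): this matches LAN->80 on its outbound pass over ${out_iface};
# transparent-proxy rules are usually written "in via ${local_iface}".  Check
# the counters of this rule to confirm squid really receives the connections.
${ipfw} add 00300 fwd 127.0.0.1,8888 tcp from ${localnet} to any 80 via ${out_iface}
# Outbound LAN packets are translated here; presumably everything below this
# rule on the outbound path already carries ${out_ip} as source, so the
# "from ${localnet} ... via ${out_iface}" rules further down rarely match and
# outbound TCP is effectively admitted by 65000.
${ipfw} add 00301 divert natd all from ${localnet} to not ${localnet} via ${out_iface}
${ipfw} add 00302 divert natd all from any to ${out_ip} via ${out_iface}
#### allow FTP ####
# Active-mode data connections are opened by the *server* from port 20, so
# 01001/01005 must accept new connections.  Packets from port 21 are only
# ever replies on an existing control connection, hence "established".
${ipfw} add 01000 pass tcp from me 1025-65535 to any 20 via ${out_iface}
${ipfw} add 01001 pass tcp from any 20 to me 1025-65535 via ${out_iface}
${ipfw} add 01002 pass tcp from me 1025-65535 to any 21 via ${out_iface}
${ipfw} add 01003 pass tcp from any 21 to me 1025-65535 via ${out_iface} established
${ipfw} add 01004 pass tcp from ${localnet} 1025-65535 to any 20 via ${out_iface}
${ipfw} add 01005 pass tcp from any 20 to ${localnet} 1025-65535 via ${out_iface}
${ipfw} add 01006 pass tcp from ${localnet} 1025-65535 to any 21 via ${out_iface}
${ipfw} add 01007 pass tcp from any 21 to ${localnet} 1025-65535 via ${out_iface} established
#### allow SSH ####
${ipfw} add 01100 pass tcp from ${ssh_peer} 1025-65535 to me 22 via ${out_iface}
${ipfw} add 01101 pass tcp from me 22 to ${ssh_peer} 1025-65535 via ${out_iface} established
#### allow SMTP ####
${ipfw} add 01200 pass tcp from me 1025-65535 to any 25 via ${out_iface}
${ipfw} add 01201 pass tcp from ${localnet} 1025-65535 to any 25 via ${out_iface}
${ipfw} add 01202 pass tcp from any 25 to ${localnet} 1025-65535 via ${out_iface} established
#### allow DNS ####
${ipfw} add 01300 pass udp from me 1025-65535 to any 53 via ${out_iface}
${ipfw} add 01301 pass udp from any 53 to me 1025-65535 via ${out_iface}
${ipfw} add 01302 pass udp from any 53 to ${localnet} 1025-65535 via ${out_iface}
#### allow HTTP ####
${ipfw} add 01400 pass tcp from me 1025-65535 to any 80 via ${out_iface}
${ipfw} add 01401 pass tcp from any 80 to me 1025-65535 via ${out_iface} established
${ipfw} add 01402 pass tcp from any 80 to ${localnet} 1025-65535 via ${out_iface} established
#### POP3 ####
${ipfw} add 01500 pass tcp from me 1025-65535 to any 110 via ${out_iface}
${ipfw} add 01501 pass tcp from ${localnet} 1025-65535 to any 110 via ${out_iface}
# reply direction only, like the other per-service return rules
${ipfw} add 01502 pass tcp from any 110 to ${localnet} 1025-65535 via ${out_iface} established
#### HTTPS ####
${ipfw} add 01600 pass tcp from me 1025-65535 to any 443 via ${out_iface}
${ipfw} add 01601 pass tcp from ${localnet} 1025-65535 to any 443 via ${out_iface}
${ipfw} add 01602 pass tcp from any 443 to ${localnet} 1025-65535 via ${out_iface} established
#### ICQ ####
${ipfw} add 01700 pass tcp from ${localnet} 1025-65535 to any 5000-5100 out via ${out_iface}
${ipfw} add 01701 pass tcp from any 5000-5100 to ${localnet} 1025-65535 via ${out_iface} established
#### MSN ####
${ipfw} add 01800 pass tcp from ${localnet} 1025-65535 to any 6891-6900 out via ${out_iface}
${ipfw} add 01801 pass tcp from any 6891-6900 to ${localnet} 1025-65535 via ${out_iface} established
#### security ####
${ipfw} add 65000 pass tcp from me 1025-65535 to any via ${out_iface}
# Replies to connections opened from the LAN.  Without "established" this
# rule also accepted brand-new connections from the outside to any high port
# of a LAN host (whatever natd maps there), bypassing the per-service rules.
${ipfw} add 65501 pass tcp from any to ${localnet} 1025-65535 via ${out_iface} established
#yanki, go home
${ipfw} add 65534 deny all from any to any
###############
###############
# Commented-out fallback, presumably for testing over ssh: after 60 s drop
# this ruleset and reload /etc/rc.firewall.
#sleep 60
#${ipfw} -f flush
#/bin/sh /etc/rc.firewall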
ipa.conf:
# ipa(8) configuration: accounting for the host 192.168.1.123 from the ipfw
# byte counters installed by the firewall script (rules 00101-00103, 00510).
# Rule numbers here must stay in sync with that script.
global {
# interval at which ipa updates its database from the counters
update_db_time = 1m30s
# db_owner = nobody:nogroup
# db_perm = u+r
db_dir = /var/ipa
lock_wait_time = 1m
maxchunk = 10G
}
startup {
}
# incoming = (router -> host on the LAN, rule 00102)
#          - (NetBIOS part of that, rule 00101)
#          + (outside -> host after NAT, rule 00510)
rule test-in {
ipfw = 00102 -00101 00510
info = incoming trafic
}
# outgoing = host -> outside, counted before NAT (rule 00103)
rule test-out {
ipfw = 00103
info = outgoming trafic
}
Считаю весь трафик с роутера на юзера с портов 137-139 (нетбиос), потом считаю общий трафик с роутера и весь трафик, идущий с внешнего интерфейса... Потом ipa суммирует весь входящий трафик и вычитает весь нетбиос-трафик — получаются входящие. А правило 103 — исходящий трафик.
Начал тестить — вроде сходилось. А сегодня начал качать с нета (~200 метров), а статистика показала только 12 метров.
В чём косяк-то? Вроде всё по ману делал.
PS: может заодно покритикуете правила?