ru.unix.bsd - RU.UNIX.BSD
------------------------------------------------------------------
From    : Sergey Zabolotny 2:469/122.1    09 Apr 2007 17:43:56
To      : All
Subject : ipfw limit
--------------------------------------------------------------------------------

We have the following ruleset:

00100 allow ip from 192.168.65.0/24 to 192.168.65.0/24 via fxp0
40000 divert 8668 ip from any to any in recv fxp1
40010 divert 8668 ip from any to any out xmit fxp1
55000 allow ip from any to any via lo0
55010 deny ip from any to 127.0.0.0/8
55030 allow log ip from any to any
65535 deny ip from any to any

In this case everything works. The logs show the following:

Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 192.168.15.67:2532 193.68.167.166:7127 in via ng9
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 89.41.xx.xxx:2532 193.68.167.166:7127 out via fxp1
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 192.168.15.51:1227 86.106.214.170:38022 in via ng6
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 89.41.xx.xxx:1227 86.106.214.170:38022 out via fxp1
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 192.168.15.67:2532 193.68.167.166:7127 in via ng9
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 89.41.xx.xxx:2532 193.68.167.166:7127 out via fxp1
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 193.68.167.166:7127 192.168.15.67:2532 in via fxp1
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 193.68.167.166:7127 192.168.15.67:2532 out via ng9
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 192.168.15.67:2532 193.68.167.166:7127 in via ng9
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 89.41.xx.xxx:2532 193.68.167.166:7127 out via fxp1
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 192.168.15.51:4000 87.248.165.131:23344 in via ng6
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 89.41.xx.xxx:4000 87.248.165.131:23344 out via fxp1
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 193.68.167.166:7127 192.168.15.67:2532 in via fxp1
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 193.68.167.166:7127 192.168.15.67:2532 out via ng9
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 192.168.15.67:2532 193.68.167.166:7127 in via ng9
Apr 9 18:07:51 Internet kernel: ipfw: 55030 Accept TCP 89.41.xx.xxx:2532 193.68.167.166:7127 out via fxp1

I.e. the packet arrived normally from the inside, was diverted and went out to the outside.

I am trying to limit the number of sessions:

00100 allow ip from 192.168.65.0/24 to 192.168.65.0/24 via fxp0
40000 divert 8668 ip from any to any in recv fxp1
40010 divert 8668 ip from any to any out xmit fxp1
55000 allow ip from any to any via lo0
55010 deny ip from any to 127.0.0.0/8
55030 allow log ip from 192.168.15.1 to any setup in limit src-addr 50
55040 allow log ip from any to any
65535 deny ip from any to any

As a result, the connection cannot be established. The logs show this:

Apr 9 18:40:45 Internet kernel: ipfw: 55030 Accept TCP 192.168.15.1:3224 195.22.230.27:21 in via ng1
Apr 9 18:40:45 Internet kernel: ipfw: 55030 Accept TCP 192.168.15.1:3224 195.22.230.27:21 out via fxp1
Apr 9 18:40:45 Internet kernel: ipfw: 55040 Accept UDP 192.168.15.67:20134 60.48.216.60:9916 in via ng9
Apr 9 18:40:45 Internet kernel: ipfw: 55040 Accept UDP 89.41.xx.xxx:20134 60.48.216.60:9916 out via fxp1
Apr 9 18:40:45 Internet kernel: ipfw: 55040 Accept P:47 89.41.xx.xxx 83.218.197.242 out via fxp1
Apr 9 18:40:45 Internet kernel: ipfw: 55040 Accept UDP 192.168.15.67:20134 80.233.178.23:19335 in via ng9
Apr 9 18:40:45 Internet kernel: ipfw: 55040 Accept UDP 89.41.xx.xxx:20134 80.233.178.23:19335 out via fxp1
Apr 9 18:40:45 Internet kernel: ipfw: 55040 Accept TCP 192.168.15.51:1269 86.106.231.186:11236 in via ng6
Apr 9 18:40:45 Internet kernel: ipfw: 55040 Accept TCP 89.41.xx.xxx:1269 86.106.231.186:11236 out via fxp1

There is no sign that the packet went through divert. Correct me where I'm wrong.
ps: freebsd 6.1

--- GoldED+ 1.1.5-040321 (WinNT 5.1.2600-Service_Pack_2 i686)
 * Origin: [icq:122018120] [mailto:zabolotny[at]hotbox.ru] (2:469/122.1)
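Added example, not part of the post above: a small Python check that does mechanically what the poster did by eye, scanning ipfw log lines for packets that left the external interface while still carrying a private (untranslated) source address, which is the symptom of the divert/natd step being skipped. The interface name fxp1 and the sample lines are taken from the post; the masked 89.41.xx.xxx address is treated as public.

```python
import ipaddress
import re

# Constructed sample: ipfw syslog lines in the shape seen in the post
# (the poster's public address is masked as 89.41.xx.xxx and kept as-is).
SAMPLE_LOG = """\
Apr 9 18:40:45 Internet kernel: ipfw: 55030 Accept TCP 192.168.15.1:3224 195.22.230.27:21 in via ng1
Apr 9 18:40:45 Internet kernel: ipfw: 55030 Accept TCP 192.168.15.1:3224 195.22.230.27:21 out via fxp1
Apr 9 18:40:45 Internet kernel: ipfw: 55040 Accept UDP 192.168.15.67:20134 60.48.216.60:9916 in via ng9
Apr 9 18:40:45 Internet kernel: ipfw: 55040 Accept UDP 89.41.xx.xxx:20134 60.48.216.60:9916 out via fxp1
Apr 9 18:40:45 Internet kernel: ipfw: 55040 Accept P:47 89.41.xx.xxx 83.218.197.242 out via fxp1
"""

# ipfw log format: "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>"
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def split_host(endpoint):
    """'192.168.15.1:3224' -> ('192.168.15.1', 3224); a bare host -> (host, None)."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)

def is_private(host):
    """True for RFC 1918/loopback/link-local; masked or unparsable hosts count as public."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def find_nat_leaks(log_text, ext_iface):
    """Outbound entries on ext_iface whose source is still private, i.e. never translated."""
    leaks = []
    for e in parse(log_text):
        if e["dir"] == "out" and e["iface"] == ext_iface:
            src_host, _ = split_host(e["src"])
            if is_private(src_host):
                leaks.append((e["rule"], e["proto"], e["src"], e["dst"]))
    return leaks

if __name__ == "__main__":
    for rule, proto, src, dst in find_nat_leaks(SAMPLE_LOG, "fxp1"):
        print(f"rule {rule}: {proto} {src} -> {dst} left fxp1 untranslated")
```

Run against the post's second log it reports only the 192.168.15.1:3224 flow matched by rule 55030, while the UDP and GRE (P:47) flows from rule 55040 pass because their outbound entries already show the public address.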