[Tygra]

Доброго времени суток форумчане , помогите найти куда деваются входящие пакеты в фаерволе .

 

Дано

shape# uname -a
FreeBSD shape.snet.stv 8.2-RELEASE FreeBSD 8.2-RELEASE #1: Tue Feb 22 14:56:00 UTC 2011     root@shape.snet.stv:/usr/obj/usr/src/sys/SAT  amd64

 

Система представляет из себя большой прозрачный мост - шейпер , имеет 6 интерфейсов езернет , 3 интеловские карты по 2 порта каждая , плюс встроенная карта в мать для контроля , в мосту не учавствующая .

 

IPFW

 

shape# ipfw list
00100 allow ip from any to any via msk0
00102 allow ip from any to any via lo0
00105 allow udp from any to any dst-port 67,68
00106 deny icmp from 255.255.255.255 to any
00107 deny icmp from any to 255.255.255.255
00110 deny ip from 240.0.0.0/4 to any
00111 deny ip from any to 240.0.0.0/4
00112 deny icmp from any to any frag
00113 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00115 skipto 150 ip from 192.168.0.0/16 to 192.168.0.0/16
00117 deny ip from any to any
00150 skipto 300 tcp from any to 192.168.0.9
00151 skipto 300 tcp from 192.168.0.9 to any
00152 skipto 300 tcp from any to 192.168.0.3
00160 skipto 300 tcp from 192.168.0.3 to any
00170 skipto 300 udp from any to 192.168.0.3
00180 skipto 300 udp from 192.168.0.3 to any
00185 deny tcp from any 139,445,5357,5358,2869,3587 to any
00188 deny tcp from any to any dst-port 139,445,5357,5358,2869,3587
00190 deny udp from any 137,138,5355,3702,1900,3540,5000,6771 to any
00195 deny udp from any to any dst-port 137,138,5355,3702,1900,3540,5000,6771
00300 skipto 400 ip from any to any in via em0
00301 skipto 450 ip from any to any out via em0
00302 skipto 500 ip from any to any via em1
00303 skipto 600 ip from any to any via em2
00304 skipto 700 ip from any to any via em3
00305 deny ip from any to any
00400 queue 111 tcp from any to 192.168.0.6
00401 queue 111 tcp from 192.168.0.6 to any
00402 queue 112 tcp from any to 192.168.0.8
00403 queue 112 tcp from 192.168.0.8 to any
00404 queue 113 tcp from any to any dst-port 22,23,25,80,9750
00405 queue 113 tcp from any 22,23,25,80,9750 to any
00406 queue 114 tcp from any to any
00407 queue 116 ip from 192.168.0.8 to any
00408 queue 116 ip from any to 192.168.0.8
00409 queue 115 log logamount 50 ip from any to any
00450 queue 211 tcp from any to 192.168.0.6
00451 queue 211 tcp from 192.168.0.6 to any
00452 queue 212 tcp from any to 192.168.0.8
00453 queue 212 tcp from 192.168.0.8 to any
00454 queue 213 tcp from any to any dst-port 22,23,25,80,9750
00455 queue 213 tcp from any 22,23,25,80,9750 to any
00456 queue 214 tcp from any to any
00457 queue 216 ip from 192.168.0.8 to any
00458 queue 216 ip from any to 192.168.0.8
00459 queue 215 ip from any to any
00460 deny ip from any to any
00500 queue 311 tcp from any to 192.168.0.6 out via em1
00501 queue 311 tcp from 192.168.0.6 to any out via em1
00502 queue 312 tcp from any to 192.168.0.8 out via em1
00503 queue 312 tcp from 192.168.0.8 to any out via em1
00504 queue 313 tcp from any to any dst-port 22,23,25,80,9750 out via em1
.......

 

ipfw show

 

shape# ipfw show
00100    65414    4674052 allow ip from any to any via msk0
00102        0          0 allow ip from any to any via lo0
00105     2083     685645 allow udp from any to any dst-port 67,68
00106        0          0 deny icmp from 255.255.255.255 to any
00107        0          0 deny icmp from any to 255.255.255.255
00110        0          0 deny ip from 240.0.0.0/4 to any
00111      481      24811 deny ip from any to 240.0.0.0/4
00112        0          0 deny icmp from any to any frag
00113        0          0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00115   305479  140683223 skipto 150 ip from 192.168.0.0/16 to 192.168.0.0/16
00117   182370   30051886 deny ip from any to any
00150        0          0 skipto 300 tcp from any to 192.168.0.9
00151        0          0 skipto 300 tcp from 192.168.0.9 to any
00152     7774     411495 skipto 300 tcp from any to 192.168.0.3
00160    14216   18502471 skipto 300 tcp from 192.168.0.3 to any
00170        0          0 skipto 300 udp from any to 192.168.0.3
00180        0          0 skipto 300 udp from 192.168.0.3 to any
00185        0          0 deny tcp from any 139,445,5357,5358,2869,3587 to any
00188        2         96 deny tcp from any to any dst-port 139,445,5357,5358,2869,3587
00190   121685   10121154 deny udp from any 137,138,5355,3702,1900,3540,5000,6771 to any
00195        0          0 deny udp from any to any dst-port 137,138,5355,3702,1900,3540,5000,6771
00300        0          0 skipto 400 ip from any to any in via em0
00301    48861    2163936 skipto 450 ip from any to any out via em0
00302    11542     625769 skipto 500 ip from any to any via em1
00303    88761  125894643 skipto 600 ip from any to any via em2
00304    11542     625769 skipto 700 ip from any to any via em3
00305    23084    1251538 deny ip from any to any
00400        0          0 queue 111 tcp from any to 192.168.0.6
00401        0          0 queue 111 tcp from 192.168.0.6 to any
00402        0          0 queue 112 tcp from any to 192.168.0.8
00403        0          0 queue 112 tcp from 192.168.0.8 to any
00404        0          0 queue 113 tcp from any to any dst-port 22,23,25,80,9750
00405        0          0 queue 113 tcp from any 22,23,25,80,9750 to any
00406        0          0 queue 114 tcp from any to any
00407        0          0 queue 116 ip from 192.168.0.8 to any
00408        0          0 queue 116 ip from any to 192.168.0.8
00409        0          0 queue 115 log logamount 50 ip from any to any
00450    38790    1556785 queue 211 tcp from any to 192.168.0.6
00451        0          0 queue 211 tcp from 192.168.0.6 to any
00452     1308      52521 queue 212 tcp from any to 192.168.0.8
00453        0          0 queue 212 tcp from 192.168.0.8 to any
00454      642      87136 queue 213 tcp from any to any dst-port 22,23,25,80,9750
00455        0          0 queue 213 tcp from any 22,23,25,80,9750 to any
00456     7780     412102 queue 214 tcp from any to any
00457        0          0 queue 216 ip from 192.168.0.8 to any
00458        0          0 queue 216 ip from any to 192.168.0.8
00459      341      55392 queue 215 ip from any to any
00460        0          0 deny ip from any to any
00500     9200     369429 queue 311 tcp from any to 192.168.0.6 out via em1
00501        0          0 queue 311 tcp from 192.168.0.6 to any out via em1
00502      908      36469 queue 312 tcp from any to 192.168.0.8 out via em1
00503      680     114153 queue 312 tcp from 192.168.0.8 to any out via em1

 

не могу отловить входящие пакеты , есть исходящие , мост работает , входящих нет , может я чтото не понимаю в логике мостов на фрибсд , опыта с фаерволами можно сказать никакого , помогите понять .

 

00300 0 0 skipto 400 ip from any to any in via em0

00301 48861 2163936 skipto 450 ip from any to any out via em0

 

net.link.ether.ipfw: 1

net.link.bridge.ipfw: 1

net.link.bridge.pfil_member: 0

 

Интерфейсы

shape# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        ether 00:1b:21:84:67:08
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        ether 00:1b:21:84:67:09
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        ether 00:1b:21:90:06:0e
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        ether 00:1b:21:90:06:0f
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        ether 00:1b:21:84:63:92
        media: Ethernet autoselect
        status: no carrier
em5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        ether 00:1b:21:84:63:93
        media: Ethernet autoselect
        status: no carrier
msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c011a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:24:8c:3f:7b:ef
        inet 192.168.3.200 netmask 0xffff0000 broadcast 192.168.255.255
        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 6a:82:56:cf:62:d5
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em5 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000000
        member: em4 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000000
        member: em3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000000
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 2000000

 

em0 внешний интерфейс , остальные внутренние , на данной статистике идет поток с 192.168.0.6 на клиента ( IPTV )

Изменено 27 февраля, 2011 пользователем Tygra

[Tygra]

чтото я не "догоняю" в логике работы фаера в мосту , опишу что есть , могет меня просто уже клинит :

 

с ем0 проходит поток тв на ем1 ,

делаем

ipfw add 100 deny all from any to any in via em0

я так понимаю что для фаера поток идущий с ем0 на ем1 , является входящим на ем0 .

НО о чудо , поток все равно идет , без задержек и потерь , как будто так и должно быть . Нифига не понимаю

[Tygra]

Все всем спасибо кто хотяб прочитал что я написал , задача решена , в чем проблема найдено , терь вроде как надо заработал , счас бу проверять .