Где управлять портами? [РЕШЕНО]
Добавлено: 17 янв 2011, 11:01
Спасибо!
Спасибо!
Форум сообщества системных администраторов и просто людей, которым не безразличен их компьютер.
https://sysadmins.ws/
Вот что меня там... что там прописать надо?..Raven писал(а):Ответы ipfw show и cat /etc/rc.conf дай (только ипы конечно замаскируй)
Код: Выделить всё
[kanat@super ~]$ sudo cat /etc/rc.conf
# -- sysinstall generated deltas -- # Sat Dec 27 19:08:39 2008
# Created: Sat Dec 27 19:08:39 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
hostname="super.local"
ifconfig_vr0="inet 192.168.0.1 netmask 255.255.255.0"
sshd_enable="YES"
ifconfig_rl0="inet 212.112.*.* netmask 255.255.255.248"
defaultrouter="212.112.*.*"
named_enable="YES"
sendmail_enable="NONE"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
squid_enable="YES"
gateway_enable="YES"
mysql_enable="YES"
ng_ipacct_enable="YES"
dhcpd_enable="YES"
apache_enable="YES"а что за PacketFilter?...Raven писал(а):Ясно, используется PacketFilter. Дай вывод cat /etc/pf.conf, только IP пожалуйста на этот раз сам замаскируй, а то мало ли...
Код: Выделить всё
[root@super ~]$ cat /etc/pf.conf
ext_if="rl0"
int_if="vr0"
lan="192.168.0.0/24"
ext_addr="212.112.*.*"
int_addr="192.168.0.1"
adm_host="{IP-addresses}"
ispdns="{ DNS-servers}"
tcpports="{ 25, 110, 995, 80, 443, 53, 22, 21, 5190 }"
table <nonroute> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152,64.0/23, 224.0.0.0/3, 20.20.20.0/24 }
table <office> persist file "/usr/local/etc/squid/office.acl"
table <office_lim> persist file "/usr/local/etc/squid/office_lim.acl"
table <kg_zone> persist file "/usr/local/etc/squid/kg.acl"
table <mra> persist file "/usr/local/etc/squid/mra.acl"
mra_ports="{ 5190, 443,2041,2042 }"
#set block-policy drop
#set loginterface $ext_if
#scrub in all fragment reassemble
# Nat
nat on $ext_if from <office_lim> to <kg_zone> -> $ext_addr
nat on $ext_if from <office> to any -> $ext_addr
rdr proto tcp from <office> to !$lan port {80,8080,3128} -> 192.168.0.1 port 3128
#rdr on $ext_if proto tcp from $adm_host to $ext_addr port 3389 tag RADM -> 192.168.0 .2
#pass in quick on $ext_if proto tcp from $adm_host to $ext_addr port=3389 tagged RADM flags S/SA synproxy state
# Deny port scanners for OS detecting
block in quick proto tcp from any to $ext_addr flags SF/SFRA
#block in quick proto tcp from any to $ext_addr flags SFUP/SFRAU
block in quick proto tcp from any to $ext_addr flags FPU/SFRAUP
block in quick proto tcp from any to $ext_addr flags F/SFRA
block in quick proto tcp from any to $ext_addr flags U/SFRAU
block in quick proto tcp from any to $ext_addr flags P/P
# Allow Active FTP
pass in quick proto tcp from any port=20 to any keep state
# Deny nonroute ips
block in quick on $ext_if from <nonroute> to $ext_addr
block out quick on $ext_if from any to <nonroute>
# Deny ports
block in quick on $ext_if proto udp from any to $ext_addr/32 port=514
block in quick on $ext_if proto tcp from any to $ext_addr/32 port 135><140
block in quick on $ext_if proto udp from any to $ext_addr/32 port 135><140
block in quick on $ext_if proto tcp from any to $ext_addr/32 port=901
block in quick on $ext_if proto tcp from any to $ext_addr/32 port=587
block in quick on $ext_if proto tcp from any to $ext_addr/32 port=3306
block in quick on $ext_if proto tcp from any to $ext_addr/32 port=67
block in quick on $ext_if proto udp from any to $ext_addr/32 port=67
block in quick on $ext_if proto udp from any to $ext_addr/32 port=161
block in quick on $ext_if proto tcp from any to $ext_addr/32 port=953
#block in quick on $ext_if proto tcp from any to $ext_addr/32 port=445
block in quick on $ext_if proto tcp from any to $ext_addr/32 port=5432
block in quick on $ext_if proto tcp from any to $ext_addr/32 port=161
block in quick on $ext_if proto udp from any to $ext_addr/32 port=161
block in quick on $int_if proto tcp from any to $int_addr/32 port=161
block in quick on $int_if proto udp from any to $int_addr/32 port=161
block in quick on $ext_if proto tcp from any to $ext_addr/32 port=3128
#Block bad clients
block out quick on $int_if proto tcp from $lan to <mra> port $mra_ports
#block out quick on $int_if proto tcp from $lan to <kg_zone> port 6881
#block out quick on $int_if proto tcp from $lan port 6881 to <kg_zone>
# Block office_limit
pass quick on $int_if from <office_lim> to <kg_zone> keep state
pass quick on $int_if from $lan to $lan keep state
block quick on $int_if from <office_lim> to !<kg_zone>
block quick on $int_if from !<kg_zone> to <office>
# Allow services
pass in quick on $ext_if proto tcp from $adm_host to $ext_addr/32 port=80 flags S/SA keep state
pass in quick on $ext_if proto tcp from $adm_host to $ext_addr/32 port=22 keep state
pass in quick on $ext_if proto tcp from any to $ext_addr/32 port=2223 keep state
# Allow loopback
pass quick on lo0 all
# Allow ICMP
pass quick proto icmp
#pass in quick proto icmp from any to $ext_addr icmp-type echoreq
#pass in quick proto icmp from any to $ext_addr icmp-type echorep
#pass out quick proto icmp from any to $ext_addr icmp-type echoreq
#pass out quick proto icmp from any to $ext_addr icmp-type echorep
# DNS
pass out quick on $ext_if proto tcp from $ext_addr to $ispdns port=53 keep state
pass out quick on $ext_if proto udp from $ext_addr to $ispdns port=53 keep state
# Allow office_new
#pass out quick on $int_if proto tcp from <office> to <kg_zone> keep state
#pass out quick on $int_if proto udp from <office> to <kg_zone> keep state
#pass out quick on $int_if proto tcp from <office> to any port $tcpports keep state
#pass out quick on $int_if proto udp from <office> to any port 53 keep state
# Allow office
pass out quick on $ext_if proto tcp from $ext_addr to any keep state
pass out quick on $int_if proto tcp from <office> to any keep state
pass out quick on $ext_if proto udp from $ext_addr to any keep state
pass out quick on $int_if proto udp from <office> to any keep state
# Deny all
block in quick on $ext_if proto tcp from any to $ext_addr flags S/SAFRP
block in quick on $ext_if proto udp from any to $ext_addr
Код: Выделить всё
pass out quick on $ext_if proto tcp from $ext_addr to any port=7777 keep stateКод: Выделить всё
acl SSL_ports port 7777
acl Safe_ports port 7777