iMP viSiOn
26-01-2005, 14:27
There is an FTP server on the network, with FreeBSD set up as the firewall. I need to configure PASV mode so the server can be reached from outside.
ipnat rules:
map rl1 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map rl1 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map rl1 192.168.0.0/24 -> 0.0.0.0/32
rdr rl1 0.0.0.0/0 port 20 -> 192.168.0.10 port 20 tcp
rdr rl1 0.0.0.0/0 port 21 -> 192.168.0.10 port 21 tcp
rdr rl1 0.0.0.0/0 port 80 -> 192.168.0.10 port 80 tcp
rdr rl1 0.0.0.0/0 port 3306 -> 192.168.0.10 port 3306 tcp
rdr rl1 0.0.0.0/0 port 8080 -> 192.168.0.10 port 8080 tcp
rdr rl1 0.0.0.0/0 port 4661-4665 -> 192.168.0.10 port 4661 tcp/udp
ipf rules:
@1 pass out quick on lo0 from any to any
@2 pass out quick on rl0 proto udp from 192.168.0.1/32 port = 67 to any port = 68
@3 pass out quick on rl1 proto udp from any port = 68 to any port = 67
@4 pass out quick on rl0 from any to any keep state
@5 pass out quick on rl1 from any to any keep state
@6 block out quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in quick from any to any with short
@3 block in quick from any to any with ipopt
@4 pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on rl0 proto udp from any port = 68 to 192.168.0.1/32 port = 67
@6 block in quick on rl1 from 192.168.0.0/24 to any
@7 block in quick on rl1 proto udp from any port = 67 to 192.168.0.0/24 port = 68
@8 pass in quick on rl1 proto udp from any port = 67 to any port = 68
@9 block in quick on rl0 from !192.168.0.0/24 to any
@10 block in quick on rl1 from 10.0.0.0/8 to any
@11 block in quick on rl1 from 127.0.0.0/8 to any
@12 block in quick on rl1 from 172.16.0.0/12 to any
@13 block in quick on rl1 from 192.168.0.0/16 to any
@14 skip 1 in proto tcp from any to any flags S/FSRA
@15 block in quick proto tcp from any to any
@16 block in quick on rl0 from any to any head 100
@1 pass in quick from 192.168.0.0/24 to 192.168.0.1/32 keep state group 100
@2 pass in quick proto icmp from 192.168.0.0/24 to any keep state group 100
@3 pass in quick proto tcp/udp from 192.168.0.0/24 to any port = domain keep state group 100
@4 pass in quick proto tcp from 192.168.0.0/24 to any port = 80 keep state group 100
@5 pass in quick proto tcp from 192.168.0.0/24 to any port = 443 keep state group 100
@6 pass in log quick proto tcp from 192.168.0.0/24 to any port 19 >< 22 keep state group 100
@7 pass in quick proto tcp from 192.168.0.0/24 to any port = 22 keep state group 100
@8 pass in quick proto tcp from 192.168.0.0/24 to any port = 23 keep state group 100
@9 pass in quick proto tcp from 192.168.0.0/24 to any port = 25 keep state group 100
@10 pass in quick proto tcp from 192.168.0.0/24 to any port = 110 keep state group 100
@11 pass in quick proto tcp/udp from 192.168.0.0/24 to any port = snmp keep state group 100
@12 pass in quick proto tcp from 192.168.0.0/24 to any port = 5190 keep state group 100
@13 pass in quick proto tcp from 192.168.0.0/24 to any port 6889 >< 6901 keep state group 100
@14 pass in quick proto tcp/udp from 192.168.0.0/24 to any port 7999 >< 8025 keep state group 100
@15 pass in quick proto tcp/udp from 192.168.0.0/24 to any port = 4000 keep state group 100
@16 pass in quick proto tcp/udp from 192.168.0.0/24 to any port 6111 >< 6120 keep state group 100
@17 pass in quick proto tcp/udp from 192.168.0.0/24 to any port 26999 >< 27051 keep state group 100
@18 pass in quick proto tcp/udp from 192.168.0.10/32 to any port 4660 >< 4666 keep state group 100
@17 block in quick on rl1 from any to any head 200
@1 pass in quick proto tcp from any to 192.168.0.10/32 port 19 >< 22 keep state group 200
@2 pass in quick proto tcp from any to 192.168.0.10/32 port = 80 keep state group 200
@3 pass in quick proto tcp from any to 192.168.0.10/32 port = 3306 keep state group 200
@4 pass in quick proto tcp/udp from any to 192.168.0.10/32 port 4660 >< 4666 keep state group 200
@5 pass in quick proto tcp from any to 192.168.0.10/32 port = 8080 keep state group 200
@18 block in quick from any to any
P.S. Right now, when I connect to the FTP server, it drops with a timeout right after the login details are entered.
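Added diagnostic example (my own code, not from the post): in passive mode the client opens a second TCP connection to whatever address and port the server announces in its 227 reply, so that connection has to be covered by the rdr rules on rl1 as well. The script below parses a 227 reply and checks it against the rdr port ranges quoted above; the sample replies are constructed, and the rule table is transcribed from the post.

```python
import ipaddress
import re

# Constructed from the rdr rules in the post: (proto, first_port, last_port)
# ranges on rl1 that ipnat forwards to the FTP host 192.168.0.10.
RDR_RULES = [
    ("tcp", 20, 20), ("tcp", 21, 21), ("tcp", 80, 80), ("tcp", 3306, 3306),
    ("tcp", 8080, 8080), ("tcp", 4661, 4665), ("udp", 4661, 4665),
]
LAN = ipaddress.ip_network("192.168.0.0/24")  # internal network from the post

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply, or None if absent."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed octet: treat as no usable address
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_redirected(port, proto="tcp"):
    """True if some rdr rule on rl1 covers this port and protocol."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in RDR_RULES)


def check_pasv(reply):
    """List the reasons an external client's PASV data connection would
    not reach the server behind this NAT; an empty list means it should."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["reply carries no PASV address/port"]
    host, port = parsed
    problems = []
    if ipaddress.ip_address(host) in LAN:
        problems.append(f"server advertises LAN address {host}, unreachable from outside")
    if not port_redirected(port, "tcp"):
        problems.append(f"data port {port}/tcp has no rdr rule on rl1")
    return problems


if __name__ == "__main__":
    # Constructed sample replies, not captured from the author's server
    for r in ("227 Entering Passive Mode (192,168,0,10,195,80)",
              "227 Entering Passive Mode (203,0,113,5,18,53)"):
        print(r, "->", check_pasv(r) or ["ok"])
```

Running it against a reply captured from the real control connection shows at once whether the announced address or the data port is the part the NAT does not handle.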