Continuing the tests...
Firewalls:
# ipfw list
# ng_nat
00005 allow ip from any to any via lo0
00100 netgraph 61 icmp from any to any in via lnc1
00200 netgraph 60 icmp from any to any out via lnc1
# count the total number of icmp packets
00300 count icmp from any to any
00400 allow ip from any to any
65535 deny ip from any to any
# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
block drop in log all
block drop out log all
# for ssh
pass quick on lnc0 inet proto tcp from any to 192.168.150.1 keep state
# internal interface (for icmp)
pass log quick on lnc0 inet proto icmp from 192.168.150.164 to any
pass log quick on lnc0 inet proto icmp from any to 192.168.150.164
# external interface (for icmp)
pass log quick on lnc1 inet proto icmp from 192.168.100.9 to any
pass log quick on lnc1 inet proto icmp from any to 192.168.100.9
# determined experimentally
pass log quick on lnc1 inet proto icmp from any to 192.168.150.164
Clearing the ipfw statistics:
# ipfw resetlog
Logging counts reset.
# ipfw zero
Accounting cleared.
Pinging host 192.168.100.1, which is behind the router, from 192.168.150.164:
C:\>ping 192.168.100.1
Обмен пакетами с 192.168.100.1 по 32 байт:
Ответ от 192.168.100.1: число байт=32 время=6мс TTL=127
Ответ от 192.168.100.1: число байт=32 время=3мс TTL=127
Ответ от 192.168.100.1: число байт=32 время=2мс TTL=127
Ответ от 192.168.100.1: число байт=32 время=3мс TTL=127
Статистика Ping для 192.168.100.1:
Пакетов: отправлено = 4, получено = 4, потеряно = 0 (0% потерь),
Приблизительное время приема-передачи в мс:
Минимальное = 2мсек, Максимальное = 6 мсек, Среднее = 3 мсек
ipfw statistics:
# ipfw show
00005 0 0 allow ip from any to any via lo0
00100 4 240 netgraph 61 icmp from any to any in via lnc1
00200 4 240 netgraph 60 icmp from any to any out via lnc1
00300 8 480 count icmp from any to any
00400 201 18552 allow ip from any to any
65535 0 0 deny ip from any to any
Like clockwork... 4 out, 4 back.
pf logs:
# tcpdump -n -e -tt -i pflog0 -l | grep ICMP
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
1165514378.625827 rule 3/0(match): pass in on lnc0: 192.168.150.164 > 192.168.100.1: ICMP echo request, id 1024, seq 24064, length 40
1165514378.626475 rule 5/0(match): pass out on lnc1: 192.168.100.9 > 192.168.100.1: ICMP echo request, id 1024, seq 24064, length 40
1165514378.629896 rule 6/0(match): pass in on lnc1: 192.168.100.1 > 192.168.100.9: ICMP echo reply, id 1024, seq 24064, length 40
1165514378.629899 rule 7/0(match): pass in on lnc1: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24064, length 40
1165514378.629902 rule 4/0(match): pass out on lnc0: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24064, length 40
1165514379.140342 rule 3/0(match): pass in on lnc0: 192.168.150.164 > 192.168.100.1: ICMP echo request, id 1024, seq 24320, length 40
1165514379.140420 rule 5/0(match): pass out on lnc1: 192.168.100.9 > 192.168.100.1: ICMP echo request, id 1024, seq 24320, length 40
1165514379.141851 rule 6/0(match): pass in on lnc1: 192.168.100.1 > 192.168.100.9: ICMP echo reply, id 1024, seq 24320, length 40
1165514379.141854 rule 7/0(match): pass in on lnc1: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24320, length 40
1165514379.141856 rule 4/0(match): pass out on lnc0: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24320, length 40
1165514379.661402 rule 3/0(match): pass in on lnc0: 192.168.150.164 > 192.168.100.1: ICMP echo request, id 1024, seq 24576, length 40
1165514379.661808 rule 5/0(match): pass out on lnc1: 192.168.100.9 > 192.168.100.1: ICMP echo request, id 1024, seq 24576, length 40
1165514379.662866 rule 6/0(match): pass in on lnc1: 192.168.100.1 > 192.168.100.9: ICMP echo reply, id 1024, seq 24576, length 40
1165514379.662869 rule 7/0(match): pass in on lnc1: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24576, length 40
1165514379.662871 rule 4/0(match): pass out on lnc0: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24576, length 40
1165514380.180917 rule 3/0(match): pass in on lnc0: 192.168.150.164 > 192.168.100.1: ICMP echo request, id 1024, seq 24832, length 40
1165514380.181154 rule 5/0(match): pass out on lnc1: 192.168.100.9 > 192.168.100.1: ICMP echo request, id 1024, seq 24832, length 40
1165514380.182874 rule 6/0(match): pass in on lnc1: 192.168.100.1 > 192.168.100.9: ICMP echo reply, id 1024, seq 24832, length 40
1165514380.182877 rule 7/0(match): pass in on lnc1: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24832, length 40
1165514380.182879 rule 4/0(match): pass out on lnc0: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24832, length 40
In the pf logs, these lines look interesting:
1165514378.629896 rule 6/0(match): pass in on lnc1: 192.168.100.1 > 192.168.100.9: ICMP echo reply, id 1024, seq 24064, length 40
1165514378.629899 rule 7/0(match): pass in on lnc1: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24064, length 40
It's like wave-particle duality:

a single particle passes through two slits.
Just food for thought... now I'm going to dig into the code.
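
An added example, not part of the original post: a small Python parser for the `tcpdump -e` pflog lines above that groups ICMP echo packets by id/seq and reports any packet pf logged more than once on the same interface and direction. The function names are illustrative, and the sample input is the first ping's five lines copied from the capture.

```python
import re
from collections import defaultdict

# Log lines copied from the pflog capture in the post (first ping only).
SAMPLE = """\
1165514378.625827 rule 3/0(match): pass in on lnc0: 192.168.150.164 > 192.168.100.1: ICMP echo request, id 1024, seq 24064, length 40
1165514378.626475 rule 5/0(match): pass out on lnc1: 192.168.100.9 > 192.168.100.1: ICMP echo request, id 1024, seq 24064, length 40
1165514378.629896 rule 6/0(match): pass in on lnc1: 192.168.100.1 > 192.168.100.9: ICMP echo reply, id 1024, seq 24064, length 40
1165514378.629899 rule 7/0(match): pass in on lnc1: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24064, length 40
1165514378.629902 rule 4/0(match): pass out on lnc0: 192.168.100.1 > 192.168.150.164: ICMP echo reply, id 1024, seq 24064, length 40
"""

# Matches the pflog line layout shown in the post (tcpdump -n -e -tt -i pflog0).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse(text):
    """Yield one dict per pflog ICMP echo line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def repeated_hooks(text):
    """Return {(kind, id, seq, iface, dir): [(rule, src, dst), ...]} for packets
    that pf logged more than once at the same interface and direction."""
    seen = defaultdict(list)
    for e in parse(text):
        key = (e["kind"], int(e["id"]), int(e["seq"]), e["iface"], e["dir"])
        seen[key].append((int(e["rule"]), e["src"], e["dst"]))
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for key, hits in repeated_hooks(SAMPLE).items():
        print(key)
        for rule, src, dst in hits:
            print(f"  rule {rule}: {src} > {dst}")
```

On the sample, only the echo reply arriving on lnc1 is reported: it matches rule 6 with destination 192.168.100.9 and rule 7 with destination 192.168.150.164, while the outgoing request appears once per interface.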