PASV mode and NAT
There is an FTP server on the LAN, and a FreeBSD box acts as the firewall. I need to set up PASV mode so the server can be reached from outside.
ipnat rules:

map rl1 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map rl1 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map rl1 192.168.0.0/24 -> 0.0.0.0/32
rdr rl1 0.0.0.0/0 port 20 -> 192.168.0.10 port 20 tcp
rdr rl1 0.0.0.0/0 port 21 -> 192.168.0.10 port 21 tcp
rdr rl1 0.0.0.0/0 port 80 -> 192.168.0.10 port 80 tcp
rdr rl1 0.0.0.0/0 port 3306 -> 192.168.0.10 port 3306 tcp
rdr rl1 0.0.0.0/0 port 8080 -> 192.168.0.10 port 8080 tcp
rdr rl1 0.0.0.0/0 port 4661-4665 -> 192.168.0.10 port 4661 tcp/udp

ipf rules:

@1 pass out quick on lo0 from any to any
@2 pass out quick on rl0 proto udp from 192.168.0.1/32 port = 67 to any port = 68
@3 pass out quick on rl1 proto udp from any port = 68 to any port = 67
@4 pass out quick on rl0 from any to any keep state
@5 pass out quick on rl1 from any to any keep state
@6 block out quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in quick from any to any with short
@3 block in quick from any to any with ipopt
@4 pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on rl0 proto udp from any port = 68 to 192.168.0.1/32 port = 67
@6 block in quick on rl1 from 192.168.0.0/24 to any
@7 block in quick on rl1 proto udp from any port = 67 to 192.168.0.0/24 port = 68
@8 pass in quick on rl1 proto udp from any port = 67 to any port = 68
@9 block in quick on rl0 from !192.168.0.0/24 to any
@10 block in quick on rl1 from 10.0.0.0/8 to any
@11 block in quick on rl1 from 127.0.0.0/8 to any
@12 block in quick on rl1 from 172.16.0.0/12 to any
@13 block in quick on rl1 from 192.168.0.0/16 to any
@14 skip 1 in proto tcp from any to any flags S/FSRA
@15 block in quick proto tcp from any to any
@16 block in quick on rl0 from any to any head 100
@1 pass in quick from 192.168.0.0/24 to 192.168.0.1/32 keep state group 100
@2 pass in quick proto icmp from 192.168.0.0/24 to any keep state group 100
@3 pass in quick proto tcp/udp from 192.168.0.0/24 to any port = domain keep state group 100
@4 pass in quick proto tcp from 192.168.0.0/24 to any port = 80 keep state group 100
@5 pass in quick proto tcp from 192.168.0.0/24 to any port = 443 keep state group 100
@6 pass in log quick proto tcp from 192.168.0.0/24 to any port 19 >< 22 keep state group 100
@7 pass in quick proto tcp from 192.168.0.0/24 to any port = 22 keep state group 100
@8 pass in quick proto tcp from 192.168.0.0/24 to any port = 23 keep state group 100
@9 pass in quick proto tcp from 192.168.0.0/24 to any port = 25 keep state group 100
@10 pass in quick proto tcp from 192.168.0.0/24 to any port = 110 keep state group 100
@11 pass in quick proto tcp/udp from 192.168.0.0/24 to any port = snmp keep state group 100
@12 pass in quick proto tcp from 192.168.0.0/24 to any port = 5190 keep state group 100
@13 pass in quick proto tcp from 192.168.0.0/24 to any port 6889 >< 6901 keep state group 100
@14 pass in quick proto tcp/udp from 192.168.0.0/24 to any port 7999 >< 8025 keep state group 100
@15 pass in quick proto tcp/udp from 192.168.0.0/24 to any port = 4000 keep state group 100
@16 pass in quick proto tcp/udp from 192.168.0.0/24 to any port 6111 >< 6120 keep state group 100
@17 pass in quick proto tcp/udp from 192.168.0.0/24 to any port 26999 >< 27051 keep state group 100
@18 pass in quick proto tcp/udp from 192.168.0.10/32 to any port 4660 >< 4666 keep state group 100
@17 block in quick on rl1 from any to any head 200
@1 pass in quick proto tcp from any to 192.168.0.10/32 port 19 >< 22 keep state group 200
@2 pass in quick proto tcp from any to 192.168.0.10/32 port = 80 keep state group 200
@3 pass in quick proto tcp from any to 192.168.0.10/32 port = 3306 keep state group 200
@4 pass in quick proto tcp/udp from any to 192.168.0.10/32 port 4660 >< 4666 keep state group 200
@5 pass in quick proto tcp from any to 192.168.0.10/32 port = 8080 keep state group 200
@18 block in quick from any to any

P.S. Right now, when connecting to the FTP server, it drops the session with a timeout after the login credentials are entered.
Add the following to ipnat before the redirect rules:

map <external interface> from 0.0.0.0 to <your external IP or subnet> -> 0.0.0.0 proxy port ftp ftp/tcp

(the external IP can be specified explicitly here if needed)
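The timeout described in the question is the classic symptom of an FTP proxy that is not rewriting inbound sessions: the server answers PASV with its internal address (192.168.0.10), and the outside client tries to open the data connection to an address it cannot reach. The script below is an added example, not code from the thread or from ipfilter; it parses a 227 reply as a client would and flags a reply that advertises an RFC 1918 address to a peer that is outside the LAN. The sample replies and the external address 203.0.113.5 are constructed for the example.

```python
"""Check the address a server advertises in its PASV (227) reply against the
address the client actually talks to on the control connection.

Added example for diagnosing NAT/PASV problems; it does not open any sockets.
"""
import ipaddress
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; some servers add
# extra text before the parenthesised tuple, so the regex is not anchored to it.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Addresses that are never reachable from the public Internet (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr (an IPv4Address) lies in one of the RFC 1918 ranges."""
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError if it is malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a well-formed 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    if port == 0:
        raise ValueError("PASV reply advertises port 0: %r" % reply)
    return host, port


def diagnose_pasv(reply, control_peer):
    """Compare the advertised data address with control_peer, the address the
    client connected to for the control channel (i.e. the firewall's external IP
    when the server sits behind NAT)."""
    host, port = parse_pasv(reply)
    advertised = ipaddress.ip_address(host)
    peer = ipaddress.ip_address(control_peer)

    if is_rfc1918(advertised) and not is_rfc1918(peer):
        verdict = "private_address_leak"
        detail = ("server advertised internal address %s to an external client; "
                  "the NAT ftp proxy is not rewriting the 227 reply, so the data "
                  "connection will time out" % host)
    elif advertised != peer:
        verdict = "address_mismatch"
        detail = ("advertised %s differs from the control peer %s; the client "
                  "will connect to a different host than the one it authenticated to"
                  % (host, control_peer))
    else:
        verdict = "ok"
        detail = "data connection should be made to %s:%d" % (host, port)
    return {"host": host, "port": port, "verdict": verdict, "detail": detail}


if __name__ == "__main__":
    # Constructed replies; 203.0.113.5 stands in for the firewall's external IP.
    samples = [
        "227 Entering Passive Mode (192,168,0,10,195,80)",   # proxy not rewriting
        "227 Entering Passive Mode (203,0,113,5,195,80)",    # proxy rewrote it
        "227 Entering Passive Mode (198,51,100,7,4,1)",      # points elsewhere
    ]
    for reply in samples:
        result = diagnose_pasv(reply, "203.0.113.5")
        print("%-48s -> %s:%d %s" % (reply, result["host"], result["port"], result["verdict"]))
        print("    " + result["detail"])
```

To use it on a live session, capture the 227 line from the client's debug output (or a packet capture on the firewall's external interface) and pass it together with the external address the client connected to. A "private_address_leak" verdict means the proxy rule is not matching the inbound session; an "ok" verdict with a data port the firewall still blocks means the proxy is rewriting the reply but not adding state for the data connection.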
I'll give it a try tonight :) thx ;)
UP
I googled it but found nothing useful. Does anyone know whether there is any ftp-proxy that works together with ipf? P.S.: the OS is FreeBSD 7.1
Time: 11:58.
© OSzone.net 2001-