Hello, Andrey!

On Fri, Oct 25, 2013 at 09:08:17AM +0300
[email protected] wrote about "[freebsd] IPFW":
> Good day.
> I can't understand why NAT works fine for XP/2003 (pings go out to the world and
> sites open without problems), but under Win7 only ping works, and it is the same on
> different laptops with Win7. On another network Win7 is all OK.

Advice:
1. Use tcpdump and watch where Win7 sends its requests and
why they don't work. Check which DNS servers are configured.

2. In the firewall aim for a minimum of rules; rules 450-453 etc.
can be collapsed into a single rule of this form

... ip from table(12) to any out xmit ..

and the addresses put into the table.

3. The same for rules 200,205,210,220: the ports can be listed separated by
commas and you can limit yourself to a single rule.

Also check route print and ipconfig /all on the machines where it doesn't work.

Good luck.

> net.inet.ip.fw.one_pass: 1
> net.link.ether.ipfw: 1
> 
> 
> win7
> ${FwCMD} add 00452 nat 1 ip from 192.168.1.201 to any out xmit ${LanOut}
> 
> 2003
> ${FwCMD} add 00451 nat 1 ip from 192.168.1.200 to any out xmit ${LanOut}
> 
> XP
> ${FwCMD} add 00499 nat 1 ip from 192.168.1.250 to any out xmit ${LanOut}
> 
> 
> IPFW rules
> #!/bin/sh
> FwCMD="/sbin/ipfw"
> LanOut="alc0"
> LanIn="fxp0"
> LanIn2="fxp1"
> 
> IpOut="193.238.aaa.bbb"
> NetOut="193.238.zzz.xxx"
> NetOutMask="29"
> 
> IpIn="192.168.1.240"
> NetIn="192.168.1.0"
> NetInMask="24"
> 
> IpIn2="172.16.0.1"
> NetIn2="172.16.0.0"
> NetInMask2="12"
> 
> ${FwCMD} -f flush
> 
> #arp
> ${FwCMD} add 5 allow mac-type 0x0806
> ${FwCMD} add 10 skipto 500 all from any to any layer2 in
> ${FwCMD} add 20 skipto 100 all from any to any not layer2 in
> ${FwCMD} add 30 skipto 100 all from any to any not layer2 out
> ${FwCMD} add 40 skipto 500 all from any to any layer2 out
> 
> ${FwCMD} add 00100 check-state
> 
> ${FwCMD} add 00101 count ip from any to any in via ${LanOut}
> ${FwCMD} add 00102 count ip from any to any out via ${LanOut}
> 
> ${FwCMD} add 00103 count ip from any to any in via ${LanIn}
> ${FwCMD} add 00104 count ip from any to any out via ${LanIn}
> 
> ${FwCMD} add 00105 count ip from any to any in via ${LanIn2}
> ${FwCMD} add 00106 count ip from any to any out via ${LanIn2}
> 
> #Allow any to any for lo0 and LanIn
> ${FwCMD} add 00115 allow ip from any to any via lo0
> 
> ${FwCMD} add 00116 deny ip from ${NetIn}/${NetInMask} to ${NetIn2}/${NetInMask2} via ${LanIn}
> ${FwCMD} add 00117 deny ip from ${NetIn2}/${NetInMask2} to ${NetIn}/${NetInMask} via ${LanIn}
> 
> ${FwCMD} add 00118 deny ip from ${NetIn2}/${NetInMask2} to ${NetIn}/${NetInMask} via ${LanIn2}
> ${FwCMD} add 00119 deny ip from ${NetIn}/${NetInMask} to ${NetIn2}/${NetInMask2} via ${LanIn2}
> 
> ${FwCMD} add 00120 allow ip from any to any via ${LanIn}
> ${FwCMD} add 00121 allow ip from any to any via ${LanIn2}
> 
> #Service on LanOut
> ${FwCMD} add 00200 allow tcp from any to ${IpOut} dst-port 2112 via ${LanOut} keep-state
> ${FwCMD} add 00205 allow tcp from any to ${IpOut} dst-port 2332 via ${LanOut} keep-state
> ${FwCMD} add 00210 allow tcp from any to ${IpOut} dst-port 80 via ${LanOut} keep-state
> ${FwCMD} add 00215 allow udp from any to ${IpOut} dst-port 53 via ${LanOut} keep-state
> ${FwCMD} add 00220 allow tcp from any to ${IpOut} dst-port 25 via ${LanOut} keep-state
> 
> ${FwCMD} add 00290 allow tcp from any to ${IpOut} dst-port 48995-48998 via ${LanOut} keep-state
> 
> ${FwCMD} add 00295 allow tcp from any to ${IpOut} 49152-65535 via ${LanOut} keep-state
> 
> #Nat
> ${FwCMD} nat 1 config ip ${IpOut} log reset same_ports deny_in
> ${FwCMD} add 00400 nat 1 ip from any to ${IpOut} in recv ${LanOut}
> ${FwCMD} add 00410 nat 1 ip from ${IpOut} to any out xmit ${LanOut}
> ${FwCMD} add 00415 nat 1 ip from ${NetIn2}/${NetInMask2} to any out xmit ${LanOut}
> ${FwCMD} add 00450 nat 1 ip from 192.168.1.235 to any out xmit ${LanOut}
> ${FwCMD} add 00451 nat 1 ip from 192.168.1.200 to any out xmit ${LanOut}
> ${FwCMD} add 00452 nat 1 ip from 192.168.1.201 to any out xmit ${LanOut}
> ${FwCMD} add 00453 nat 1 ip from 192.168.1.202 to any out xmit ${LanOut}
> ${FwCMD} add 00497 nat 1 ip from 192.168.1.248 to any out xmit ${LanOut}
> ${FwCMD} add 00498 nat 1 ip from 192.168.1.249 to any out xmit ${LanOut}
> ${FwCMD} add 00499 nat 1 ip from 192.168.1.250 to any out xmit ${LanOut}
> 
> ###### LAYER 2 #######
> #Allow any to any for lo0 and LanOut on Layer2
> ${FwCMD} add 00500 allow ip from any to me layer2 in recv ${LanOut}
> ${FwCMD} add 00505 allow ip from me to any layer2 out xmit ${LanOut}
> ${FwCMD} add 00510 allow ip from any to me layer2 in recv lo0
> ${FwCMD} add 00515 allow ip from me to any layer2 out xmit lo0
> 
> ${FwCMD} add 00600 allow ip from any to any layer2 via ${LanIn}
> ${FwCMD} add 00605 allow ip from any to any layer2 via ${LanIn2}
> 
> ###########
> ${FwCMD} add 65533 deny log logamount 0 ip from any to any not layer2
> ${FwCMD} add 65534 deny log logamount 0 ip from any to any layer2

-- 
 Lystopad Aleksandr 
