= Message: 4750 of 10763 ===================================== RU.UNIX.BSD =
From : Dmitry Dolzenko 2:5020/400 28 Oct 16 18:55:42
To : All 28 Oct 16 18:55:42
Subject : ipfw + nat: passing UDP traffic through
FGHI : area://RU.UNIX.BSD?msgid=<1187506373@ddt.demos.su>+72fb3e46
Reply : area://RU.UNIX.BSD?msgid=2:5020/290.22+58138b50
==============================================================================
From: Dmitry Dolzenko <dol@mig.phys.msu.ru>
Hi!
There is a LAN with private IPs behind a FreeBSD router. The server runs ipfw + kernel nat.
Please advise: is it correct to allow UDP traffic through to an external server and back to the client this way?
The UDP traffic is needed for ntp and whatsapp.
(net.inet.ip.fw.one_pass=0, i.e. after nat the packet goes through ipfw again)
-----------------------------
......
# WAN
$fwcmd add skipto 40000 ip from any to any via em0
.......
$fwcmd add 40000 count all from any to any // em0 section =WAN=

# ==== NAT =====
$fwcmd nat 300 config ip ${rinet_ip} log
#
$fwcmd add nat 300 ip from 192.168.0.0/16 to any
$fwcmd add nat 300 ip from any to ${rinet_ip}
# ==== NAT =====

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow UDP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
${fwcmd} add pass udp from ${rinet_ip} to any out keep-state
${fwcmd} add pass udp from any to 192.168.0.0/24
# Allow UDP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!

$fwcmd add pass tcp from any to ${rinet_ip} 80,443,25,65025,110,995,21,20022 setup
$fwcmd add pass tcp from any to ${rinet_ip} 49152-65535 setup // ftpd passive mode

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via em0 setup

# Allow setup of any other TCP connection (outgoing from LAN)
${fwcmd} add pass tcp from any to any setup
--- ifmail v.2.15dev5.4 * Origin: Demos online service (2:5020/400)
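An added example, not part of the post above and not FreeBSD's own rc.firewall: the same ipfw + in-kernel NAT setup in the ordering the FreeBSD Handbook uses for stateful rules. In the posted rule set the outbound keep-state rule sits after the NAT rule, so the dynamic entry is keyed on ${rinet_ip}; the translated reply arrives with a LAN destination, never matches that entry, and has to be admitted by the stateless "pass udp from any to 192.168.0.0/24" catch-all. Translating inbound WAN packets first and creating state before outbound NAT lets check-state accept the replies instead. Assumptions: em0 and 192.168.0.0/24 are taken from the post; 203.0.113.10 (a documentation address) stands in for ${rinet_ip}; the published TCP port list is the post's; the helper names (ipfw_rules, rule_num, apply_rules) and the FWCMD/WAN_IF/LAN_NET/RINET_IP overrides are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): ipfw + in-kernel NAT rules ordered so that
# replies to LAN-originated UDP (NTP, WhatsApp) and TCP flows are accepted by
# dynamic state, not by a stateless "allow udp from any to 192.168.0.0/24".
#
# Assumptions (placeholders, override through the environment):
#   em0            WAN interface (as in the post)
#   192.168.0.0/24 LAN (as in the post)
#   203.0.113.10   public address; documentation range, stands in for rinet_ip
#   FWCMD          'ipfw -q' on the router; set FWCMD='echo ipfw' for a dry run
set -eu

fwcmd="${FWCMD:-ipfw -q}"
wan="${WAN_IF:-em0}"
lan_net="${LAN_NET:-192.168.0.0/24}"
rinet_ip="${RINET_IP:-203.0.113.10}"
router_tcp_services="80,443,25,65025,110,995,21,20022"   # port list from the post
ftpd_passive="49152-65535"

# Emit the rule set, one ipfw command per line (lines starting with '#' are comments).
ipfw_rules() {
    cat <<EOF
# A packet must re-enter the rule set after translation, hence one_pass=0.
disable one_pass
nat 300 config ip $rinet_ip log
add 100 allow ip from any to any via lo0
# 1. Translate inbound WAN packets FIRST: a reply to a LAN flow then carries
#    its LAN destination again and can match the state created on the way out.
add 200 nat 300 ip from any to $rinet_ip in via $wan
# 2. Anything with an existing dynamic entry (either direction) is accepted;
#    for LAN flows the stored action is "skipto 40000", which ends at 40010.
add 210 check-state
# 3. Unsolicited inbound: only the router's published TCP services.
add 300 allow tcp from any to $rinet_ip $router_tcp_services in via $wan setup keep-state
add 310 allow tcp from any to $rinet_ip $ftpd_passive in via $wan setup keep-state
# 4. LAN-originated flows: create state BEFORE NAT (source is still the LAN
#    address), then jump to the outbound NAT rule. UDP is left open to any
#    destination port because NTP (123) and WhatsApp use different ports.
add 500 skipto 40000 udp from $lan_net to any out via $wan keep-state
add 510 skipto 40000 tcp from $lan_net to any out via $wan setup keep-state
# 5. The router's own outbound flows (e.g. its ntpd) need state as well.
add 520 allow udp from $rinet_ip to any out via $wan keep-state
add 530 allow tcp from $rinet_ip to any out via $wan setup keep-state
# 6. Everything else arriving on the WAN is logged and dropped.
add 900 deny log ip from any to any in via $wan
# 7. Outbound NAT for the LAN; with one_pass=0 the packet continues to 40010.
add 40000 nat 300 ip from $lan_net to any out via $wan
add 40010 allow ip from any to any
EOF
}

# Number of the first "add" rule whose text contains the given fixed string
# (empty if none); lets the ordering be checked without loading anything.
rule_num() {
    ipfw_rules | grep -F -- "$1" | awk '$1 == "add" { print $2; exit }'
}

# Load the rule set into the kernel (flushes the existing one first).
apply_rules() {
    $fwcmd -f flush
    ipfw_rules | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # shellcheck disable=SC2086  # word splitting of $line is intended
        $fwcmd $line
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  ipfw_rules ;;
esac
```

Run `sh rules.sh show` to review the generated rules, `FWCMD='echo ipfw' sh rules.sh apply` to see exactly what would be loaded, and `sh rules.sh apply` on the router. The ordering is the whole point: inbound NAT (200) precedes check-state (210), the keep-state rules for LAN traffic (500, 510) precede the outbound NAT rule (40000), and the WAN deny (900) sits between them, so no stateless UDP catch-all is needed.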