Имеется роутер на FreeBSD c 2мя интерфейсами и большой нагрузкой. fxp1 -- к провайдеру и fxp0 в DMZ моей локальной сети. Конфиг ip filter v3.4.27 выглядит примерно так...
--- Begin ---
# fxp0 - 192.0.2.1/24 My LAN
# fxp1 - 213.3.8.2/30 Provider
###########################################################################
#
# INBOUND TRAFFIC VIA fxp1
#
block in log on fxp1
block out log on fxp1
#
# Block IP short
block in log quick on fxp1 all with short
#
# TCP Services
#
# FTP from an outside hosts to my ftp servers
pass in quick on fxp1 proto tcp from any port > 1023 to 192.0.2.3/32 port = 21 flags S keep state keep frags
#
# SSH from an outside hosts to my ssh hosts
pass in quick on fxp1 proto tcp from any to 192.0.2.141/32 port = 22 flags S keep state keep frags
#
# SMTP from an outside hosts to my smtp servers
pass in quick on fxp1 proto tcp from any port > 1023 to 192.0.2.10/32 Port = 25 flags S keep state keep frags
#
# HTTP from an outside hosts to my http servers
pass in quick on fxp1 proto tcp from any port > 1023 to 192.0.2.47/32 port = 80 flags S keep state keep frags
pass in quick on fxp1 proto tcp from any port > 1023 to 192.0.2.52/32 port = 80 flags S keep state keep frags
pass in quick on fxp1 proto tcp from any port > 1023 to 192.0.2.71/32 port = 80 flags S keep state keep frags
pass in quick on fxp1 proto tcp from any port > 1023 to 192.0.2.72/32 port = 80 flags S keep state keep frags
pass in quick on fxp1 proto tcp from any port > 1023 to 192.0.2.157/32 port = 80 flags S keep state keep frags
pass in quick on fxp1 proto tcp from any port > 1023 to 192.0.2.158/32 port = 80 flags S keep state keep frags
#
# POP3 from an outside hosts to my pop3 servers
pass in quick on fxp1 proto tcp from any port > 1023 to 192.0.2.10/32 port = 110 flags S keep state keep frags
#
#
# stop AUTH from an outside hosts to my auth hosts (without logging)
block return-rst in quick on fxp1 proto tcp from any to 192.0.2.0/24 port = 113
#
# UDP Services
#
# DNS from an outside hosts to my dns servers
pass in quick on fxp1 proto udp from any to 192.0.2.5/32 port = 53 keep state
#
# stop and return port-unreachable another UDP services
block return-icmp(port-unr) in log quick on fxp1 proto udp from any to 192.0.2.0/24
#
# ICMP
pass out quick on fxp1 proto icmp from 192.0.2.0/24 to any icmp-type 0
pass out quick on fxp1 proto icmp from 192.0.2.0/24 to any icmp-type 3
pass out quick on fxp1 proto icmp from 192.0.2.0/24 to any icmp-type 4
pass out quick on fxp1 proto icmp from 192.0.2.0/24 to any icmp-type 8
pass out quick on fxp1 proto icmp from 192.0.2.0/24 to any icmp-type 9
pass out quick on fxp1 proto icmp from 192.0.2.0/24 to any icmp-type 10
pass out quick on fxp1 proto icmp from 192.0.2.0/24 to any icmp-type 11
#
# OUTBOUND TRAFFIC VIA fxp0 (connected to LAN DMZ)
#
block in log on fxp0 all
#
# TCP Services
#
# All TCP services
pass in quick on fxp0 proto tcp from 192.0.2.0/24 to any flags S keep state keep frags
#
# UDP Services
#
# stop DHCP from my hosts to outside
block in log on fxp0 proto udp from any port = 67 to any port = 68
block in log on fxp0 proto udp from any port = 68 to any port = 67
#
# stop NETBIOS from hosts to outside
block in log on fxp0 proto udp from any port = 137 to any port = 137
#
# All UDP services
pass in quick on fxp0 proto udp from 192.0.2.0/24 to any keep state
#
# ICMP
pass in quick on fxp0 proto icmp from 192.0.2.0/24 to any
--- End ---
С точки зрения пользователей всё работает замечательно, НО!
В логах большая куча записей о блокированых tcp пакетах. Исключительно с www
портов моих хостов. Законных которые по keep state должны бы были быть
пропущенными.
Mar 1 08:20:46 gate ipmon[51]: 08:20:45.991042 fxp0 @0:24 b 192.0.2.47,80 -> 213.158.1.206,1596 PR tcp len 20 576 -A IN
Mar 1 08:26:10 gate ipmon[51]: 08:26:09.999962 2x fxp0 @0:24 b 192.0.2.47,80 -> 62.105.157.1,4089 PR tcp len 20 576 -A IN
Mar 1 08:26:11 gate ipmon[51]: 08:26:10.192281 3x fxp0 @0:24 b 192.0.2.47,80 -> 62.105.157.1,4089 PR tcp len 20 576 -A IN
Mar 1 08:34:35 gate ipmon[51]: 08:34:34.493155 fxp0 @0:24 b 192.0.2.52,80 -> 217.174.226.209,1323 PR tcp len 20 1500 -A IN
Mar 1 08:34:35 gate ipmon[51]: 08:34:34.589807 fxp0 @0:24 b 192.0.2.52,80 -> 217.174.226.209,1323 PR tcp len 20 880 -AP IN
Mar 1 08:36:03 gate ipmon[51]: 08:36:03.251797 4x fxp0 @0:24 b 192.0.2.52,80 -> 217.174.226.209,1327 PR tcp len 20 1500 -A IN
Mar 1 08:36:18 gate ipmon[51]: 08:36:17.128533 fxp0 @0:24 b 192.0.2.47,80 -> 195.112.233.203,1095 PR tcp len 20 1500 -A IN
Mar 1 08:40:03 gate ipmon[51]: 08:40:02.767531 3x fxp0 @0:24 b 192.0.2.47,80 -> 195.72.250.4,38231 PR tcp len 20 1500 -A IN
Mar 1 08:40:04 gate ipmon[51]: 08:40:03.377154 4x fxp0 @0:24 b 192.0.2.47,80 -> 195.72.250.4,38231 PR tcp len 20 1500 -A IN
И эта куча настолько большая, что при попытке создать из этого лога отчёт, в этом отчёте трудно разглядеть пакеты которые действительно были блокированы "по делу".
Во всех примерах которые я видел, правила для входящих и исходящих из сети пакетов, расписаны на одном внешнем интерфейсе. Настраивая ipfilter таким образом, я исходил из того что если из моей сети идёт пакет который я не хочу выпускать наружу, то лучше его заблокировать на том интерфейсе на который он пришёл, не обрабатывая его стеком и не маршрутизируя по таблице роутинга.
при попытке перенастроить ipfilter на один интерфейс количество подобных записей в логах уменьшается на порядок, а изменение net.inet.ipf.fr_tcpclosed: ни на что не повлияло.
Так подскажите где я всётаки не прав?
Заранее спасибо.