Proxy problems after an update. Please advise…
-
I have two sites connected through two pfSense boxes over OpenVPN; on both of them squid 2.7.9 pkg v.4.3.3 + squidGuard 1.4_4 pkg v.1.9.5 proxy is installed in Transparent proxy mode. All of this was inherited from the previous sysadmin in working order. The proxy filter filtered everything normally when needed, and also let traffic bypass it when required. Recently, after updates came out, I updated them to the configuration 2.1-RELEASE (i386)
built on Wed Sep 11 18:16:50 EDT 2013
FreeBSD 8.3-RELEASE-p11
After the update the users seemed to have no problems. Recently management demanded that the users' Internet access be restricted (earlier all restrictions had been removed (the staff got that out of management), which is why I did not notice the problem right away), and I ran into the problem that the filter does not filter anything at all: every workstation freely reaches any address, even if I put all deny in CommonACL. I installed Lightsquid 1.8.2 pkg v.2.33 and saw only errors. After digging through the forum I installed squid3 3.1.20 pkg 2.0.6 + squidGuard-squid3 1.4_4 pkg v.1.9.5 on top of the existing one, but the picture did not change, except that Lightsquid now showed that no users were using the proxy at all. I removed the old packages and reinstalled squidGuard3 + squid3, but again the picture did not change. So, as I understand it, all my workstations reach the Internet past the proxy, and I cannot figure out what the update could have broken. Please advise what I should do now and how to resolve the problem. Where should I look for the root of the evil?
-
In Diagnostics -> Command run the command pfctl -sa | grep rdr | grep 127.0.0.1 and post its output here.
-
$ pfctl -sa
TRANSLATION RULES:
no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on rl0 inet from 192.168.11.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
nat on rl0 inet from 10.11.12.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
nat on rl0 inet from 10.11.10.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
nat on rl0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
nat on rl0 inet from 0.0.0.0 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
nat on rl0 inet from 192.168.11.0/24 to any -> 10.0.2.73 port 1024:65535
nat on rl0 inet from 10.11.12.0/24 to any -> 10.0.2.73 port 1024:65535
nat on rl0 inet from 10.11.10.0/24 to any -> 10.0.2.73 port 1024:65535
nat on rl0 inet from 127.0.0.0/8 to any -> 10.0.2.73 port 1024:65535
nat on rl0 inet from 0.0.0.0 to any -> 10.0.2.73 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr on rl0 inet proto tcp from any to 10.0.2.73 port = pptp -> 192.168.11.110
rdr on rl0 inet proto gre from any to 10.0.2.73 -> 192.168.11.110
rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105
rdr on rl0 inet proto tcp from any to 10.0.2.73 port = 8882 -> 192.168.11.105 port 80
rdr-anchor "miniupnpd" all
FILTER RULES:
scrub on rl0 all fragment reassemble
scrub on fxp0 all fragment reassemble
anchor "relayd/" all
anchor "openvpn/" all
anchor "ipsec/" all
block drop in log quick inet6 all label "Block all IPv6"
block drop out log quick inet6 all label "Block all IPv6"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop quick inet proto tcp from any port = 0 to any
block drop quick inet proto tcp from any to any port = 0
block drop quick inet proto udp from any port = 0 to any
block drop quick inet proto udp from any to any port = 0
block drop quick inet6 proto tcp from any port = 0 to any
block drop quick inet6 proto tcp from any to any port = 0
block drop quick inet6 proto udp from any port = 0 to any
block drop quick inet6 proto udp from any to any port = 0
block drop quick from <snort2c>to any label "Block snort2c hosts"
block drop quick from any to <snort2c>label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout>to any port = ssh label "sshlockout"
block drop in log quick proto tcp from <webconfiguratorlockout>to any port = http label "webConfiguratorlockout"
block drop in quick from <virusprot>to any label "virusprot overload table"
block drop in on ! rl0 inet from 10.0.0.0/22 to any
block drop in inet from 10.0.2.73 to any
block drop in on ! fxp0 inet from 192.168.11.0/24 to any
block drop in inet from 192.168.11.200 to any
block drop in on rl0 inet6 from fe80::230:84ff:fe89:4ce0 to any
block drop in on fxp0 inet6 from fe80::2d0:b7ff:fee6:eab9 to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (rl0 10.0.0.1) inet from 10.0.2.73 to ! 10.0.0.0/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on fxp0 proto tcp from any to (fxp0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/" all
pass in quick on openvpn all flags S/SA keep state label "USER_RULE"
pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto gre from any to 192.168.11.110 keep state label "USER_RULE: NAT MAP PPTP to server"
pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto icmp from any to 10.0.2.73 keep state label "USER_RULE: MAP ping to router"
pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 10.0.2.73 port = la-maint flags S/SA keep state label "USER_RULE: IPSec"
pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto udp from any to 10.0.2.73 port = isakmp keep state label "USER_RULE: IPSec"
pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 10.0.2.73 port 11899 >< 11951 flags S/SA keep state label "USER_RULE: OpenVPN"
pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto udp from any to 10.0.2.73 port 11899 >< 11951 keep state label "USER_RULE: OpenVPN"
pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.110 port = pptp flags S/SA keep state label "USER_RULE: NAT MAP PPTP to server"
pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.105 port = http flags S/SA keep state label "USER_RULE: NAT HTTP"
pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.105 port = http flags S/SA keep state label "USER_RULE: NAT HTTP for 103"
pass in quick on fxp0 inet from any to 192.168.11.0/24 flags S/SA keep state label "USER_RULE"
pass in quick on fxp0 inet from 192.168.11.0/24 to <lansubnets>flags S/SA keep state label "USER_RULE"
pass in quick on fxp0 from <vpnclients>to <lansubnets>flags S/SA keep state label "USER_RULE"
pass in quick on fxp0 inet proto icmp from any to 192.168.11.200 keep state label "USER_RULE"
pass in quick on fxp0 inet proto tcp from <server>to any port = domain flags S/SA keep state label "USER_RULE: NAT server DNS"
pass in quick on fxp0 inet proto udp from <server>to any port = domain keep state label "USER_RULE: NAT server DNS"
pass in quick on fxp0 inet proto icmp from <server>to any keep state label "USER_RULE: NAT server ping"
pass in quick on fxp0 inet proto tcp from <server>to any port = pptp flags S/SA keep state label "USER_RULE: NAT server PPTP"
pass in quick on fxp0 inet proto gre from <server>to any keep state label "USER_RULE: NAT server PPTP"
pass in quick on fxp0 inet proto tcp from <server>to any port = ntp flags S/SA keep state label "USER_RULE: NAT server NTP"
pass in quick on fxp0 inet proto udp from <server>to any port = ntp keep state label "USER_RULE: NAT server NTP"
pass in quick on fxp0 proto tcp from <vpnusers>to any port = pptp flags S/SA keep state label "USER_RULE: NAT VPN PPTP"
pass in quick on fxp0 proto gre from <vpnusers>to any keep state label "USER_RULE: NAT VPN PPTP"
pass in quick on fxp0 proto tcp from <workstation>to any port = ftp flags S/SA keep state label "USER_RULE: NAT FTP workstation"
pass in quick on fxp0 proto tcp from <vpnclients>to any port = ftp flags S/SA keep state label "USER_RULE: NAT FTP PPTPclient"
pass in quick on fxp0 proto tcp from <workstation>to any port = http flags S/SA keep state label "USER_RULE: NAT HTTP workstation"
pass in quick on fxp0 proto tcp from <workstation>to any port = 8882 flags S/SA keep state label "USER_RULE: NAT HTTP workstation"
pass in quick on fxp0 proto tcp from <vpnclients>to any port = http flags S/SA keep state label "USER_RULE: NAT HTTP PPTPclient"
pass in quick on fxp0 proto tcp from <workstation>to any port = https flags S/SA keep state label "USER_RULE: NAT HTTPS workstation"
pass in quick on fxp0 proto tcp from <vpnclients>to any port = https flags S/SA keep state label "USER_RULE: NAT HTTPS PPTPclient"
pass in quick on fxp0 proto icmp from <workstation>to any keep state label "USER_RULE: NAT ping workstation"
pass in quick on fxp0 proto tcp from <workstation>to any port 2040 >< 2043 flags S/SA keep state label "USER_RULE: NAT port workstation"
pass in quick on fxp0 proto tcp from <workstation>to any port = 2305 flags S/SA keep state label "USER_RULE: NAT port workstation"
pass in quick on fxp0 proto tcp from <workstation>to any port = jabber-client flags S/SA keep state label "USER_RULE: NAT port workstation"
pass in quick on fxp0 proto tcp from <workstation>to any port = 8080 flags S/SA keep state label "USER_RULE: NAT port workstation"
pass in quick on fxp0 proto tcp from <workstation>to any port = 27015 flags S/SA keep state label "USER_RULE: hl"
pass in quick on fxp0 proto udp from <workstation>to any port = 27015 keep state label "USER_RULE: hl"
pass in quick on fxp0 proto tcp from <workstation>to any port = aol flags S/SA keep state label "USER_RULE: ICQ"
pass in quick on fxp0 proto tcp from <workstation>to any port = 8000 flags S/SA keep state label "USER_RULE: Muzic"
pass in quick on fxp0 proto udp from <workstation>to any port = 8000 keep state label "USER_RULE: Muzic"
pass in quick on fxp0 inet proto tcp from 192.168.11.105 to any port = smtp flags S/SA keep state label "USER_RULE"
pass in quick on fxp0 proto tcp from <workstation>to any port = dsf flags S/SA keep state label "USER_RULE: Test RDP"
anchor "tftp-proxy/*" all
pass in quick on fxp0 proto tcp from any to ! (fxp0) port = http flags S/SA keep state
pass in quick on fxp0 proto tcp from any to ! (fxp0) port = 3128 flags S/SA keep state
-
To the other two commands the reply was this:
$ grep rdr
grep: (standard input): Socket is not connected
$ grep 127.0.0.1
grep: (standard input): Socket is not connected
Maybe I typed something wrong?
-
It is a single command.
-
By the evening I really get slow.
$ pfctl -sa | grep rdr
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr on rl0 inet proto tcp from any to 10.0.2.73 port = pptp -> 192.168.11.110
rdr on rl0 inet proto gre from any to 10.0.2.73 -> 192.168.11.110
rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105
rdr on rl0 inet proto tcp from any to 10.0.2.73 port = 8882 -> 192.168.11.105 port 80
rdr-anchor "miniupnpd" all
-
And to the full command it reacts like this:
$ pfctl -sa | grep rdr | grep 127.0.0.1
-
Your squid is either not running or not configured. It should look like this:
$ pfctl -sa | grep rdr | grep 127.0.0.1
rdr on sk0 inet proto tcp from any to ! (sk0) port = http -> 127.0.0.1 port 3128
-
So what should I do now? Remove it and install it again, or what? Or reinstall everything from scratch, or configure it by hand instead of restoring from the backup? Or what?
-
Well, if the "Transparent proxy" checkbox is set in the SQUID settings but for some reason the rule is missing, you can create it by hand:
Firewall -> NAT -> Port Forward -> LAN TCP * * LAN address HTTP 127.0.0.1 3128
Though it is not certain that your SQUID is running at all. By the way, what do you have in Status -> Services?
In any case, none of this is normal; in your place I would reinstall everything.
-
To the OP
One option: export the config without packages (there is a special checkbox for that). Install from scratch and add only the problematic squid.
Check that it works and, if everything is OK, continue the configuration.
-
In Status -> Services both squid and squidGuard show Running….. And the same picture is seen on all the routers I have (my home network is also connected to the work one over OpenVPN).
-
I wrote the rule by hand; now it looks like this:
$ pfctl -sa | grep rdr | grep 127.0.0.1
rdr on fxp0 inet proto tcp from any to 192.168.11.200 port = http -> 127.0.0.1 port 3128
-
My mistake, remove LAN Address, it should be:
LAN TCP * * * HTTP 127.0.0.1 3128
UPD: or set Not LAN Address
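The whole thread comes down to one pf redirect rule being absent or scoped wrongly, which is easy to verify from a shell or a cron job. The script below is an added example, not code from the thread or from pfSense: it classifies the rdr lines (from pfctl -sn, or pfctl -sa | grep rdr as used above) as OK, WRONG_SCOPE (redirect only for traffic aimed at the firewall's own address, the mistake corrected in the last reply) or MISSING (squid bypassed). It assumes squid listens on 127.0.0.1:3128 and that the LAN interface name is passed as the first argument; the sample rule sets are constructed, modelled on the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): check the pf rdr rules that
# the squid package's "Transparent proxy" checkbox is supposed to install.
# Assumptions (mine): squid listens on 127.0.0.1:3128, $1 is the LAN interface
# name, and the rdr lines arrive on stdin, e.g.  pfctl -sn | classify_rdr fxp0

# Prints exactly one word on stdout: OK, WRONG_SCOPE or MISSING.
classify_rdr() {
    lan="$1"
    # Keep only redirects of port 80 on the LAN interface into squid.
    # "|| true" keeps "set -e" shells alive when grep finds nothing.
    rules=$(grep -E "^rdr on ${lan} .* port = (http|80) -> 127\.0\.0\.1 port 3128\$" || true)
    if [ -z "$rules" ]; then
        echo MISSING        # nothing sends web traffic to squid: it is bypassed
        return 0
    fi
    # A usable rule matches traffic "to any" or "to ! (lan)", i.e. everything
    # except the firewall itself. A rule whose destination is the LAN address
    # only catches requests aimed at the router, so Internet traffic still
    # goes straight out (the first hand-made rule in the thread).
    if printf '%s\n' "$rules" | grep -Eq " from any to (any|! \(${lan}\)) port "; then
        echo OK
    else
        echo WRONG_SCOPE
    fi
}

# Exit-code wrapper for monitoring: 0 = OK, 1 = wrong scope, 2 = missing.
check_transparent_rdr() {
    case "$(classify_rdr "$1")" in
        OK)          return 0 ;;
        WRONG_SCOPE) return 1 ;;
        *)           return 2 ;;
    esac
}

# Constructed sample rule sets, modelled on the lines quoted in the thread.
RULES_NONE='no rdr proto carp all
rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105'
RULES_WRONG='no rdr proto carp all
rdr on fxp0 inet proto tcp from any to 192.168.11.200 port = http -> 127.0.0.1 port 3128'
RULES_OK='rdr-anchor "tftp-proxy/" all
rdr on fxp0 inet proto tcp from any to ! (fxp0) port = http -> 127.0.0.1 port 3128'

# Demonstration on the constructed samples (LAN interface fxp0).
printf 'none  : %s\n' "$(printf '%s\n' "$RULES_NONE"  | classify_rdr fxp0)"
printf 'wrong : %s\n' "$(printf '%s\n' "$RULES_WRONG" | classify_rdr fxp0)"
printf 'fixed : %s\n' "$(printf '%s\n' "$RULES_OK"    | classify_rdr fxp0)"
```

On a live box the interface argument must be the LAN interface as pf names it (fxp0 in this thread, sk0 in the other reply), otherwise even a correct rule is reported as MISSING.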
-
Hooray! Now everything seems to be working. So it was the rule after all. Now everything I want is being filtered. Many thanks to everyone.