Proxy problems after an update. Please advise…



  • I have two sites connected through two pfSense boxes over OpenVPN; on both, squid 2.7.9 pkg v.4.3.3 + squidGuard 1.4_4 pkg v.1.9.5 are installed, with the proxy in Transparent proxy mode. All of this was inherited from the previous sysadmin in working order. The proxy filter filtered everything properly when needed, and also let traffic bypass it when required. Recently, after updates came out, I upgraded them to the configuration 2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:50 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    After the update, users seemed to have no problems. Recently management demanded that users' internet access be restricted (earlier all restrictions had been removed (the staff had demanded that from management), which is why I did not notice the problem right away), and I ran into the problem that the filter does not filter anything at all: all workstations freely reach every address, even if I put "all deny" in CommonACL. I installed Lightsquid 1.8.2 pkg v.2.33 and saw only errors. After digging through the forum I installed squid3 3.1.20 pkg 2.0.6 + squidGuard-squid3 1.4_4 pkg v.1.9.5 on top of the existing one, but nothing changed, except that Lightsquid now showed that no users are using the proxy at all. I removed the old packages and reinstalled squidGuard3 + squid3, but again nothing changed. So, as I understand it, all my workstations go to the internet bypassing the proxy, and I cannot figure out what the update could have broken. What would be the best thing for me to do now, and how do I resolve the problem? Where should I look for the root of the evil?



  • In Diagnostics -> Command, run the command pfctl -sa | grep rdr | grep 127.0.0.1 and post its output here.



  • $ pfctl -sa
    TRANSLATION RULES:
    no nat proto carp all
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on rl0 inet from 192.168.11.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
    nat on rl0 inet from 10.11.12.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
    nat on rl0 inet from 10.11.10.0/24 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
    nat on rl0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
    nat on rl0 inet from 0.0.0.0 port = isakmp to any port = isakmp -> 10.0.2.73 port 500
    nat on rl0 inet from 192.168.11.0/24 to any -> 10.0.2.73 port 1024:65535
    nat on rl0 inet from 10.11.12.0/24 to any -> 10.0.2.73 port 1024:65535
    nat on rl0 inet from 10.11.10.0/24 to any -> 10.0.2.73 port 1024:65535
    nat on rl0 inet from 127.0.0.0/8 to any -> 10.0.2.73 port 1024:65535
    nat on rl0 inet from 0.0.0.0 to any -> 10.0.2.73 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr on rl0 inet proto tcp from any to 10.0.2.73 port = pptp -> 192.168.11.110
    rdr on rl0 inet proto gre from any to 10.0.2.73 -> 192.168.11.110
    rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105
    rdr on rl0 inet proto tcp from any to 10.0.2.73 port = 8882 -> 192.168.11.105 port 80
    rdr-anchor "miniupnpd" all

    FILTER RULES:
    scrub on rl0 all fragment reassemble
    scrub on fxp0 all fragment reassemble
    anchor "relayd/*" all
    anchor "openvpn/*" all
    anchor "ipsec/*" all
    block drop in log quick inet6 all label "Block all IPv6"
    block drop out log quick inet6 all label "Block all IPv6"
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! rl0 inet from 10.0.0.0/22 to any
    block drop in inet from 10.0.2.73 to any
    block drop in on ! fxp0 inet from 192.168.11.0/24 to any
    block drop in inet from 192.168.11.200 to any
    block drop in on rl0 inet6 from fe80::230:84ff:fe89:4ce0 to any
    block drop in on fxp0 inet6 from fe80::2d0:b7ff:fee6:eab9 to any
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (rl0 10.0.0.1) inet from 10.0.2.73 to ! 10.0.0.0/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on fxp0 proto tcp from any to (fxp0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/*" all
    pass in quick on openvpn all flags S/SA keep state label "USER_RULE"
    pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto gre from any to 192.168.11.110 keep state label "USER_RULE: NAT MAP PPTP to server"
    pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto icmp from any to 10.0.2.73 keep state label "USER_RULE: MAP ping to router"
    pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 10.0.2.73 port = la-maint flags S/SA keep state label "USER_RULE: IPSec"
    pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto udp from any to 10.0.2.73 port = isakmp keep state label "USER_RULE: IPSec"
    pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 10.0.2.73 port 11899 >< 11951 flags S/SA keep state label "USER_RULE: OpenVPN"
    pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto udp from any to 10.0.2.73 port 11899 >< 11951 keep state label "USER_RULE: OpenVPN"
    pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.110 port = pptp flags S/SA keep state label "USER_RULE: NAT MAP PPTP to server"
    pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.105 port = http flags S/SA keep state label "USER_RULE: NAT HTTP"
    pass in quick on rl0 reply-to (rl0 10.0.0.1) inet proto tcp from any to 192.168.11.105 port = http flags S/SA keep state label "USER_RULE: NAT HTTP for 103"
    pass in quick on fxp0 inet from any to 192.168.11.0/24 flags S/SA keep state label "USER_RULE"
    pass in quick on fxp0 inet from 192.168.11.0/24 to <lansubnets> flags S/SA keep state label "USER_RULE"
    pass in quick on fxp0 from <vpnclients> to <lansubnets> flags S/SA keep state label "USER_RULE"
    pass in quick on fxp0 inet proto icmp from any to 192.168.11.200 keep state label "USER_RULE"
    pass in quick on fxp0 inet proto tcp from <server> to any port = domain flags S/SA keep state label "USER_RULE: NAT server DNS"
    pass in quick on fxp0 inet proto udp from <server> to any port = domain keep state label "USER_RULE: NAT server DNS"
    pass in quick on fxp0 inet proto icmp from <server> to any keep state label "USER_RULE: NAT server ping"
    pass in quick on fxp0 inet proto tcp from <server> to any port = pptp flags S/SA keep state label "USER_RULE: NAT server PPTP"
    pass in quick on fxp0 inet proto gre from <server> to any keep state label "USER_RULE: NAT server PPTP"
    pass in quick on fxp0 inet proto tcp from <server> to any port = ntp flags S/SA keep state label "USER_RULE: NAT server NTP"
    pass in quick on fxp0 inet proto udp from <server> to any port = ntp keep state label "USER_RULE: NAT server NTP"
    pass in quick on fxp0 proto tcp from <vpnusers> to any port = pptp flags S/SA keep state label "USER_RULE: NAT VPN PPTP"
    pass in quick on fxp0 proto gre from <vpnusers> to any keep state label "USER_RULE: NAT VPN PPTP"
    pass in quick on fxp0 proto tcp from <workstation> to any port = ftp flags S/SA keep state label "USER_RULE: NAT FTP workstation"
    pass in quick on fxp0 proto tcp from <vpnclients> to any port = ftp flags S/SA keep state label "USER_RULE: NAT FTP PPTPclient"
    pass in quick on fxp0 proto tcp from <workstation> to any port = http flags S/SA keep state label "USER_RULE: NAT HTTP workstation"
    pass in quick on fxp0 proto tcp from <workstation> to any port = 8882 flags S/SA keep state label "USER_RULE: NAT HTTP workstation"
    pass in quick on fxp0 proto tcp from <vpnclients> to any port = http flags S/SA keep state label "USER_RULE: NAT HTTP PPTPclient"
    pass in quick on fxp0 proto tcp from <workstation> to any port = https flags S/SA keep state label "USER_RULE: NAT HTTPS workstation"
    pass in quick on fxp0 proto tcp from <vpnclients> to any port = https flags S/SA keep state label "USER_RULE: NAT HTTPS PPTPclient"
    pass in quick on fxp0 proto icmp from <workstation> to any keep state label "USER_RULE: NAT ping workstation"
    pass in quick on fxp0 proto tcp from <workstation> to any port 2040 >< 2043 flags S/SA keep state label "USER_RULE: NAT port workstation"
    pass in quick on fxp0 proto tcp from <workstation> to any port = 2305 flags S/SA keep state label "USER_RULE: NAT port workstation"
    pass in quick on fxp0 proto tcp from <workstation> to any port = jabber-client flags S/SA keep state label "USER_RULE: NAT port workstation"
    pass in quick on fxp0 proto tcp from <workstation> to any port = 8080 flags S/SA keep state label "USER_RULE: NAT port workstation"
    pass in quick on fxp0 proto tcp from <workstation> to any port = 27015 flags S/SA keep state label "USER_RULE: hl"
    pass in quick on fxp0 proto udp from <workstation> to any port = 27015 keep state label "USER_RULE: hl"
    pass in quick on fxp0 proto tcp from <workstation> to any port = aol flags S/SA keep state label "USER_RULE: ICQ"
    pass in quick on fxp0 proto tcp from <workstation> to any port = 8000 flags S/SA keep state label "USER_RULE: Muzic"
    pass in quick on fxp0 proto udp from <workstation> to any port = 8000 keep state label "USER_RULE: Muzic"
    pass in quick on fxp0 inet proto tcp from 192.168.11.105 to any port = smtp flags S/SA keep state label "USER_RULE"
    pass in quick on fxp0 proto tcp from <workstation> to any port = dsf flags S/SA keep state label "USER_RULE: Test RDP"
    anchor "tftp-proxy/*" all
    pass in quick on fxp0 proto tcp from any to ! (fxp0) port = http flags S/SA keep state
    pass in quick on fxp0 proto tcp from any to ! (fxp0) port = 3128 flags S/SA keep state
    No queue in use

    STATES:
    rl0 icmp 10.0.2.73:2891 -> 10.0.0.1      0:0
    fxp0 icmp 192.168.11.200:2891 -> 192.168.11.1      0:0
    fxp0 tcp 213.199.179.172:443 <- 192.168.11.9:51143      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:51143 -> 10.0.2.73:58588 -> 213.199.179.172:443      ESTABLISHED:ESTABLISHED
    fxp0 tcp 91.190.218.66:443 <- 192.168.11.9:51158      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:51158 -> 10.0.2.73:43537 -> 91.190.218.66:443      ESTABLISHED:ESTABLISHED
    fxp0 tcp 195.239.111.145:5222 <- 192.168.11.9:53322      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:53322 -> 10.0.2.73:10573 -> 195.239.111.145:5222      ESTABLISHED:ESTABLISHED
    fxp0 tcp 94.100.190.238:2042 <- 192.168.11.9:56871      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:56871 -> 10.0.2.73:27635 -> 94.100.190.238:2042      ESTABLISHED:ESTABLISHED
    fxp0 tcp 217.69.141.247:2042 <- 192.168.11.9:57107      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:57107 -> 10.0.2.73:23484 -> 217.69.141.247:2042      ESTABLISHED:ESTABLISHED
    fxp0 tcp 134.170.25.42:443 <- 192.168.11.9:65438      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:65438 -> 10.0.2.73:41729 -> 134.170.25.42:443      ESTABLISHED:ESTABLISHED
    rl0 tcp 10.0.2.73:11912 <- 5.19.244.122:28930      ESTABLISHED:ESTABLISHED
    fxp0 tcp 64.12.30.48:5190 <- 192.168.11.9:59400      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:59400 -> 10.0.2.73:59839 -> 64.12.30.48:5190      ESTABLISHED:ESTABLISHED
    fxp0 tcp 192.168.12.100:445 <- 192.168.11.133:62151      ESTABLISHED:ESTABLISHED
    ovpns1 tcp 192.168.11.133:62151 -> 192.168.12.100:445      ESTABLISHED:ESTABLISHED
    fxp0 tcp 217.69.141.244:2042 <- 192.168.11.11:56434      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.11:56434 -> 10.0.2.73:39079 -> 217.69.141.244:2042      ESTABLISHED:ESTABLISHED
    fxp0 tcp 64.12.30.67:443 <- 192.168.11.11:56495      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.11:56495 -> 10.0.2.73:48704 -> 64.12.30.67:443      ESTABLISHED:ESTABLISHED
    ovpns1 tcp 192.168.11.115:3389 <- 192.168.12.115:59821      ESTABLISHED:ESTABLISHED
    fxp0 tcp 192.168.12.115:59821 -> 192.168.11.115:3389      ESTABLISHED:ESTABLISHED
    fxp0 icmp 202.39.253.11:1 <- 192.168.11.10      0:0
    rl0 icmp 192.168.11.10:1 -> 10.0.2.73:42639 -> 202.39.253.11      0:0
    fxp0 tcp 217.69.139.216:443 <- 192.168.11.9:52920      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:52920 -> 10.0.2.73:30937 -> 217.69.139.216:443      ESTABLISHED:ESTABLISHED
    fxp0 tcp 94.100.179.66:443 <- 192.168.11.9:52988      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:52988 -> 10.0.2.73:54092 -> 94.100.179.66:443      ESTABLISHED:ESTABLISHED
    fxp0 tcp 213.180.204.179:443 <- 192.168.11.9:53151      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53151 -> 10.0.2.73:13605 -> 213.180.204.179:443      TIME_WAIT:TIME_WAIT
    fxp0 tcp 217.20.147.94:443 <- 192.168.11.9:53162      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53162 -> 10.0.2.73:14248 -> 217.20.147.94:443      TIME_WAIT:TIME_WAIT
    fxp0 tcp 87.240.131.118:80 <- 192.168.11.10:50184      FIN_WAIT_2:FIN_WAIT_2
    rl0 tcp 192.168.11.10:50184 -> 10.0.2.73:58830 -> 87.240.131.118:80      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53167      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53167 -> 10.0.2.73:36998 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
    fxp0 tcp 5.45.205.235:80 <- 192.168.11.11:61980      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.11:61980 -> 10.0.2.73:10455 -> 5.45.205.235:80      TIME_WAIT:TIME_WAIT
    fxp0 tcp 141.8.153.67:80 <- 192.168.11.11:61981      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.11:61981 -> 10.0.2.73:50556 -> 141.8.153.67:80      TIME_WAIT:TIME_WAIT
    fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53168      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53168 -> 10.0.2.73:58798 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
    fxp0 tcp 77.88.21.27:80 <- 192.168.11.9:53169      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53169 -> 10.0.2.73:57761 -> 77.88.21.27:80      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50192      TIME_WAIT:TIME_WAIT
    fxp0 tcp 213.180.204.179:443 <- 192.168.11.9:53170      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:53170 -> 10.0.2.73:22576 -> 213.180.204.179:443      ESTABLISHED:ESTABLISHED
    fxp0 tcp 213.222.201.16:80 <- 192.168.11.9:53171      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53171 -> 10.0.2.73:40142 -> 213.222.201.16:80      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61817      TIME_WAIT:TIME_WAIT
    ovpns1 tcp 192.168.11.100:61817 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61818      TIME_WAIT:TIME_WAIT
    ovpns1 tcp 192.168.11.100:61818 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61819      TIME_WAIT:TIME_WAIT
    ovpns1 tcp 192.168.11.100:61819 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61820      TIME_WAIT:TIME_WAIT
    ovpns1 tcp 192.168.11.100:61820 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61821      TIME_WAIT:TIME_WAIT
    ovpns1 tcp 192.168.11.100:61821 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
    fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53172      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53172 -> 10.0.2.73:1332 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
    fxp0 udp 192.168.11.255:1947 <- 192.168.11.100:59008      NO_TRAFFIC:SINGLE
    fxp0 tcp 91.228.166.14:80 <- 192.168.11.9:53173      FIN_WAIT_2:FIN_WAIT_2
    rl0 tcp 192.168.11.9:53173 -> 10.0.2.73:3654 -> 91.228.166.14:80      FIN_WAIT_2:FIN_WAIT_2
    fxp0 udp 192.168.11.255:138 <- 192.168.11.3:138      NO_TRAFFIC:SINGLE
    fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53174      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53174 -> 10.0.2.73:51477 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
    fxp0 udp 192.168.11.255:138 <- 192.168.11.105:138      NO_TRAFFIC:SINGLE
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50194      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50195      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50196      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50197      FIN_WAIT_2:FIN_WAIT_2
    fxp0 udp 192.168.11.255:138 <- 192.168.11.122:138      NO_TRAFFIC:SINGLE
    fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53175      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53175 -> 10.0.2.73:54076 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
    fxp0 udp 192.168.12.100:53 <- 192.168.11.9:54530      SINGLE:MULTIPLE
    ovpns1 udp 192.168.11.9:54530 -> 192.168.12.100:53      MULTIPLE:SINGLE
    fxp0 icmp 192.168.12.50:1 <- 192.168.11.10      0:0
    ovpns1 icmp 192.168.11.10:1 -> 192.168.12.50      0:0
    fxp0 udp 192.168.11.255:138 <- 192.168.11.103:138      NO_TRAFFIC:SINGLE
    fxp0 udp 192.168.12.100:53 <- 192.168.11.9:50848      SINGLE:MULTIPLE
    ovpns1 udp 192.168.11.9:50848 -> 192.168.12.100:53      MULTIPLE:SINGLE
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50204      ESTABLISHED:ESTABLISHED
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50205      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50206      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50207      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 87.250.250.27:80 <- 192.168.11.10:50208      FIN_WAIT_2:FIN_WAIT_2
    rl0 tcp 192.168.11.10:50208 -> 10.0.2.73:34811 -> 87.250.250.27:80      FIN_WAIT_2:FIN_WAIT_2
    fxp0 udp 192.168.12.100:53 <- 192.168.11.9:55228      SINGLE:MULTIPLE
    ovpns1 udp 192.168.11.9:55228 -> 192.168.12.100:53      MULTIPLE:SINGLE
    lo0 udp 127.0.0.1:10248 -> 127.0.0.1:53      MULTIPLE:SINGLE
    lo0 udp 127.0.0.1:53 <- 127.0.0.1:10248      SINGLE:MULTIPLE
    rl0 udp 10.0.2.73:22656 -> 192.168.245.14:53      MULTIPLE:SINGLE
    rl0 udp 10.0.2.73:22656 -> 192.168.248.21:53      MULTIPLE:SINGLE
    lo0 udp 127.0.0.1:28825 -> 127.0.0.1:53      MULTIPLE:SINGLE
    lo0 udp 127.0.0.1:53 <- 127.0.0.1:28825      SINGLE:MULTIPLE
    rl0 udp 10.0.2.73:36531 -> 192.168.245.14:53      MULTIPLE:SINGLE
    rl0 udp 10.0.2.73:36531 -> 192.168.248.21:53      MULTIPLE:SINGLE
    rl0 tcp 10.0.2.73:33438 -> 69.64.6.17:80      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50209      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50210      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50211      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 192.168.11.200:80 <- 192.168.11.10:50212      FIN_WAIT_2:FIN_WAIT_2
    fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53176      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53176 -> 10.0.2.73:28094 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
    fxp0 udp 192.168.12.100:53 <- 192.168.11.9:63439      SINGLE:MULTIPLE
    ovpns1 udp 192.168.11.9:63439 -> 192.168.12.100:53      MULTIPLE:SINGLE
    fxp0 udp 192.168.12.100:53 <- 192.168.11.9:53711      SINGLE:MULTIPLE
    ovpns1 udp 192.168.11.9:53711 -> 192.168.12.100:53      MULTIPLE:SINGLE
    fxp0 udp 192.168.12.100:53 <- 192.168.11.9:58502      SINGLE:MULTIPLE
    ovpns1 udp 192.168.11.9:58502 -> 192.168.12.100:53      MULTIPLE:SINGLE
    fxp0 udp 192.168.12.110:389 <- 192.168.11.10:52758      SINGLE:MULTIPLE
    ovpns1 udp 192.168.11.10:52758 -> 192.168.12.110:389      MULTIPLE:SINGLE
    fxp0 tcp 213.180.204.232:80 <- 192.168.11.9:53177      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:53177 -> 10.0.2.73:56718 -> 213.180.204.232:80      ESTABLISHED:ESTABLISHED
    fxp0 tcp 87.250.250.27:80 <- 192.168.11.10:50216      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.10:50216 -> 10.0.2.73:59964 -> 87.250.250.27:80      ESTABLISHED:ESTABLISHED
    fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61824      TIME_WAIT:TIME_WAIT
    ovpns1 tcp 192.168.11.100:61824 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61825      TIME_WAIT:TIME_WAIT
    ovpns1 tcp 192.168.11.100:61825 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61826      TIME_WAIT:TIME_WAIT
    ovpns1 tcp 192.168.11.100:61826 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61827      TIME_WAIT:TIME_WAIT
    ovpns1 tcp 192.168.11.100:61827 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
    fxp0 tcp 192.168.12.120:389 <- 192.168.11.100:61828      TIME_WAIT:TIME_WAIT
    ovpns1 tcp 192.168.11.100:61828 -> 192.168.12.120:389      TIME_WAIT:TIME_WAIT
    fxp0 tcp 10.0.0.1:80 <- 192.168.11.9:53178      TIME_WAIT:TIME_WAIT
    rl0 tcp 192.168.11.9:53178 -> 10.0.2.73:45877 -> 10.0.0.1:80      TIME_WAIT:TIME_WAIT
    fxp0 tcp 128.140.169.208:443 <- 192.168.11.9:53179      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:53179 -> 10.0.2.73:27846 -> 128.140.169.208:443      ESTABLISHED:ESTABLISHED
    fxp0 tcp 23.43.139.27:80 <- 192.168.11.9:53180      ESTABLISHED:ESTABLISHED
    rl0 tcp 192.168.11.9:53180 -> 10.0.2.73:27030 -> 23.43.139.27:80      ESTABLISHED:ESTABLISHED

    INFO:
    Status: Enabled for 66 days 07:59:51          Debug: Urgent

    Interface Stats for fxp0              IPv4            IPv6
      Bytes In                    80424040351          2319700
      Bytes Out                  220153381963                0
      Packets In
        Passed                      137489254                0
        Blocked                          53168            30525
      Packets Out
        Passed                      209519736                0
        Blocked                              1                0

    State Table                          Total            Rate
      current entries                      140             
      searches                      839472044          146.5/s
      inserts                        11937308            2.1/s
      removals                        11937168            2.1/s
    Counters
      match                          14961873            2.6/s
      bad-offset                            0            0.0/s
      fragment                              0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                            0            0.0/s
      ip-option                              0            0.0/s
      proto-cksum                      180336            0.0/s
      state-mismatch                      540            0.0/s
      state-insert                          0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                              0            0.0/s
      divert                                0            0.0/s

    LABEL COUNTERS:
    Block all IPv6 54774 154 11088 154 11088 0 0
    Block all IPv6 17334 0 0 0 0 0 0
    Default deny rule IPv4 54620 18665 4308907 18665 4308907 0 0
    Default deny rule IPv4 54620 0 0 0 0 0 0
    Default deny rule IPv6 54620 0 0 0 0 0 0
    Default deny rule IPv6 17334 0 0 0 0 0 0
    Block snort2c hosts 54620 0 0 0 0 0 0
    Block snort2c hosts 54620 0 0 0 0 0 0
    sshlockout 54620 0 0 0 0 0 0
    webConfiguratorlockout 10825 0 0 0 0 0 0
    virusprot overload table 37286 0 0 0 0 0 0
    pass IPv4 loopback 37286 91 33198 49 3082 42 30116
    pass IPv4 loopback 17348 0 0 0 0 0 0
    pass IPv6 loopback 28 0 0 0 0 0 0
    pass IPv6 loopback 14 0 0 0 0 0 0
    let out anything IPv4 from firewall host itself 54620 3293127 2927774805 1710649 1659714896 1582478 1268059909
    let out anything IPv6 from firewall host itself 17334 0 0 0 0 0 0
    let out anything from firewall host itself 17334 96611 33316774 48484 23939060 48127 9377714
    anti-lockout rule 54620 888 470390 392 44406 496 425984
    anti-lockout rule 0 0 0 0 0 0 0
    USER_RULE 54574 85978 20345824 44060 14690765 41918 5655059
    USER_RULE: NAT MAP PPTP to server 46124 0 0 0 0 0 0
    USER_RULE: MAP ping to router 18752 106 6416 53 3208 53 3208
    USER_RULE: IPSec 18686 0 0 0 0 0 0
    USER_RULE: IPSec 17970 0 0 0 0 0 0
    USER_RULE: OpenVPN 1108 0 0 0 0 0 0
    USER_RULE: OpenVPN 1024 0 0 0 0 0 0
    USER_RULE: NAT MAP PPTP to server 18731 13 852 8 484 5 368
    USER_RULE: NAT HTTP 798 33326 27504297 12694 1092582 20632 26411715
    USER_RULE: NAT HTTP for 103 0 0 0 0 0 0 0
    USER_RULE 37278 6343 549735 6343 549735 0 0
    USER_RULE 17076 3166123 2880067090 1522099 1252611364 1644024 1627455726
    USER_RULE 0 0 0 0 0 0 0
    USER_RULE 8742 0 0 0 0 0 0
    USER_RULE: NAT server DNS 8742 0 0 0 0 0 0
    USER_RULE: NAT server DNS 1679 2132 407063 1066 79591 1066 327472
    USER_RULE: NAT server ping 565 0 0 0 0 0 0
    USER_RULE: NAT server PPTP 563 0 0 0 0 0 0
    USER_RULE: NAT server PPTP 563 0 0 0 0 0 0
    USER_RULE: NAT server NTP 563 0 0 0 0 0 0
    USER_RULE: NAT server NTP 539 0 0 0 0 0 0
    USER_RULE: NAT VPN PPTP 7684 0 0 0 0 0 0
    USER_RULE: NAT VPN PPTP 1097 0 0 0 0 0 0
    USER_RULE: NAT FTP workstation 7684 0 0 0 0 0 0
    USER_RULE: NAT FTP PPTPclient 20 0 0 0 0 0 0
    USER_RULE: NAT HTTP workstation 7063 61942 26125169 30367 5998394 31575 20126775
    USER_RULE: NAT HTTP workstation 463 0 0 0 0 0 0
    USER_RULE: NAT HTTP PPTPclient 483 0 0 0 0 0 0
    USER_RULE: NAT HTTPS workstation 483 14719 6179101 7745 3021719 6974 3157382
    USER_RULE: NAT HTTPS PPTPclient 20 0 0 0 0 0 0
    USER_RULE: NAT ping workstation 657 25723 951751 12893 477041 12830 474710
    USER_RULE: NAT port workstation 655 0 0 0 0 0 0
    USER_RULE: NAT port workstation 16 0 0 0 0 0 0
    USER_RULE: NAT port workstation 16 0 0 0 0 0 0
    USER_RULE: NAT port workstation 16 0 0 0 0 0 0
    USER_RULE: hl 16 0 0 0 0 0 0
    USER_RULE: hl 619 0 0 0 0 0 0
    USER_RULE: ICQ 61 0 0 0 0 0 0
    USER_RULE: Muzic 16 0 0 0 0 0 0
    USER_RULE: Muzic 45 0 0 0 0 0 0
    USER_RULE 655 0 0 0 0 0 0
    USER_RULE: Test RDP 36 0 0 0 0 0 0

    TIMEOUTS:
    tcp.first                  120s
    tcp.opening                  30s
    tcp.established          86400s
    tcp.closing                900s
    tcp.finwait                  45s
    tcp.closed                  90s
    tcp.tsdiff                  30s
    udp.first                    60s
    udp.single                  30s
    udp.multiple                60s
    icmp.first                  20s
    icmp.error                  10s
    other.first                  60s
    other.single                30s
    other.multiple              60s
    frag                        30s
    interval                    10s
    adaptive.start                0 states
    adaptive.end                  0 states
    src.track                    0s

    LIMITS:
    states        hard limit    23000
    src-nodes    hard limit    23000
    frags        hard limit    5000
    tables        hard limit    3000
    table-entries hard limit  200000

    TABLES:
    VPNclients
    VPNusers
    blocklist
    bogons
    lansubnets
    server
    snort2c
    sshlockout
    virusprot
    webConfiguratorlockout
    workstation

    OS FINGERPRINTS:
    710 fingerprints loaded




  • To the other two commands the response was this:
    $ grep rdr
    grep: (standard input): Socket is not connected

    $ grep 127.0.0.1
    grep: (standard input): Socket is not connected

    Maybe I entered something wrong?



  • It is one single command.



  • I really get slow by the end of the day.

    $ pfctl -sa | grep rdr
    no rdr proto carp all
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr on rl0 inet proto tcp from any to 10.0.2.73 port = pptp -> 192.168.11.110
    rdr on rl0 inet proto gre from any to 10.0.2.73 -> 192.168.11.110
    rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105
    rdr on rl0 inet proto tcp from any to 10.0.2.73 port = 8882 -> 192.168.11.105 port 80
    rdr-anchor "miniupnpd" all



  • And to the full command it reacts like this:

    $ pfctl -sa | grep rdr | grep 127.0.0.1



  • Your squid either isn't running or isn't configured. It should look like this:
    $ pfctl -sa | grep rdr | grep 127.0.0.1
    rdr on sk0 inet proto tcp from any to ! (sk0) port = http -> 127.0.0.1 port 3128



  • So what should I do now? Remove it and install it again, or what? Or reinstall everything from scratch, or configure it by hand instead of restoring from the backup? What's the way forward?



  • Well, if the "Transparent proxy" checkbox in the SQUID settings is ticked but the rule is somehow missing, you can create it by hand:
    Firewall -> NAT -> Port Forward ->

    LAN TCP * * LAN address HTTP 127.0.0.1 3128

    Though it is not certain that your SQUID is running at all. By the way, what does Status -> Services show for you?
    In any case, none of this is normal; in your place I would reinstall everything.



  • To the OP

    As an option: export the config without packages (there is a special checkbox for that). Install fresh and add only the problematic squid.
    Check that it works and, if everything is fine, continue with the configuration.



  • In Status -> Services both squid and squidGuard show Running….. And the same picture is seen on all the routers I have (my home network is also connected to the work one over OpenVPN)



  • I added the rule by hand; now it looks like this:
    $ pfctl -sa | grep rdr | grep 127.0.0.1
    rdr on fxp0 inet proto tcp from any to 192.168.11.200 port = http -> 127.0.0.1 port 3128



  • My mistake, remove LAN Address; it should be:
    LAN TCP * * * HTTP 127.0.0.1 3128

    UPD: or set Not LAN Address
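The check suggested earlier in this thread (pfctl -sa | grep rdr | grep 127.0.0.1) and the correction just above can be turned into a small script that tells the three situations apart: no redirect at all (the state right after the upgrade), a redirect that only matches traffic addressed to the LAN address itself (the first hand-made rule), and a working redirect to 127.0.0.1:3128. This is an added example, not code from the thread or from pfSense; it assumes the LAN interface is fxp0 and the squid port is 3128, and the three rulesets below are constructed to mirror the outputs posted above.

```shell
#!/bin/sh
# Added example: classify the transparent-proxy rdr rule in a pf ruleset.
# Usage on the firewall itself:   pfctl -sa | transparent_rdr_status fxp0
# Usage offline (as here):        printf '%s\n' "$RULES" | transparent_rdr_status fxp0

# Constructed sample rulesets, modelled on the three outputs seen in the thread.
# 1. After the upgrade: only the WAN-side port forwards, no redirect to squid.
RULES_AFTER_UPGRADE='no rdr proto carp all
rdr on rl0 inet proto tcp from any to 10.0.2.73 port = http -> 192.168.11.105
rdr-anchor "miniupnpd" all'

# 2. First manual rule: destination is the LAN address, so only traffic sent
#    to the firewall's own LAN IP is intercepted; normal web traffic bypasses squid.
RULES_WRONG_DEST='rdr on fxp0 inet proto tcp from any to 192.168.11.200 port = http -> 127.0.0.1 port 3128'

# 3. Corrected rule: everything on LAN except traffic to the firewall itself.
RULES_GOOD='rdr on fxp0 inet proto tcp from any to ! (fxp0) port = http -> 127.0.0.1 port 3128'

# transparent_rdr_status <lan_if>
# Reads pfctl -sa style rules on stdin and prints exactly one word:
#   OK          a redirect of LAN HTTP to 127.0.0.1:3128 exists and matches
#               all destinations except the firewall itself (or "any")
#   WRONG_DEST  a redirect exists but is limited to one destination address
#   MISSING     no redirect of HTTP to 127.0.0.1:3128 on that interface at all
# Return code: 0 for OK, 1 for MISSING, 2 for WRONG_DEST (handy in cron/monitoring).
transparent_rdr_status() {
    lan_if=$1
    # Keep only rdr rules on the LAN interface that send HTTP to the local squid port.
    rule=$(grep "^rdr on $lan_if " | grep 'port = http -> 127.0.0.1 port 3128' | head -n 1)
    if [ -z "$rule" ]; then
        echo MISSING
        return 1
    fi
    case $rule in
        *" to ! ($lan_if) port"*|*" to any port"*)
            echo OK
            return 0 ;;
        *)
            echo WRONG_DEST
            return 2 ;;
    esac
}

# Demonstration on the constructed samples.
printf 'after upgrade : %s\n' "$(printf '%s\n' "$RULES_AFTER_UPGRADE" | transparent_rdr_status fxp0)"  # MISSING
printf 'LAN address   : %s\n' "$(printf '%s\n' "$RULES_WRONG_DEST"    | transparent_rdr_status fxp0)"  # WRONG_DEST
printf 'corrected     : %s\n' "$(printf '%s\n' "$RULES_GOOD"          | transparent_rdr_status fxp0)"  # OK
```

The WRONG_DEST case is the one that is easy to miss: Status -> Services shows squid Running, the rdr rule is present, and yet nothing is filtered, because pf only intercepts connections whose destination is the firewall's own LAN IP. Matching the literal `! (fxp0)` form is what the "Not LAN Address" setting produces.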



  • Hurray! Now everything seems to be working. So it was the rule after all. Now everything I want is being filtered. Many thanks to everyone.

