mirror of
https://github.com/bol-van/zapret.git
synced 2025-01-04 07:20:35 +05:00
bsd: pfsense tpws info
This commit is contained in:
parent
f5537666bc
commit
0f55960460
@ -201,11 +201,56 @@ sysctl net.inet.ip.pfil.inbound=ipfw,pf
|
||||
sysctl net.inet6.ip6.pfil.outbound=ipfw,pf
|
||||
sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
|
||||
ipfw delete 100
|
||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg
|
||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
|
||||
pkill ^dvtws$
|
||||
dvtws --daemon --port 989 --dpi-desync=split2
|
||||
```
|
||||
|
||||
I could not make tpws work from ipfw. Looks like there's some conflict between two firewalls.
|
||||
Only PF redirection works. PF does not allow to freely add and delete rules. Only anchors can be reloaded.
|
||||
To make an anchor work it must be referred from the main ruleset. But its managed by pfsense scripts.
|
||||
One possible solution would be to modify '/etc/inc/filter.inc' as follows :
|
||||
```
|
||||
$natrules .= "# TFTP proxy\n";
|
||||
|
||||
/* MOD */
|
||||
$natrules .= "rdr-anchor \"zapret/*\"\n";
|
||||
|
||||
$natrules .= "rdr-anchor \"tftp-proxy/*\"\n";
|
||||
```
|
||||
|
||||
Write the anchor code to '/etc/zapret.anchor':
|
||||
```
|
||||
rdr pass on em1 inet proto tcp to port {80,443} -> 127.0.0.1 port 988
|
||||
rdr pass on em1 inet6 proto tcp to port {80,443} -> fe80::20c:29ff:5ae3:4821 port 988
|
||||
```
|
||||
|
||||
Autostart '/usr/local/etc/rc.d/zapret.sh' :
|
||||
```
|
||||
pfctl -a zapret -f /etc/zapret.anchor
|
||||
pkill ^tpws_pf$
|
||||
tpws_pf --daemon --port=988 --split-http-req=method --split-pos=2
|
||||
```
|
||||
|
||||
Note that the special tpws version is used which supports PF.
|
||||
After reboot check that anchor is created and referred from the main ruleset :
|
||||
```
|
||||
[root@pfSense /]# pfctl -s nat
|
||||
no nat proto carp all
|
||||
nat-anchor "natearly/*" all
|
||||
nat-anchor "natrules/*" all
|
||||
...................
|
||||
no rdr proto carp all
|
||||
rdr-anchor "zapret/*" all
|
||||
rdr-anchor "tftp-proxy/*" all
|
||||
rdr-anchor "miniupnpd" all
|
||||
[root@pfSense /]# pfctl -s nat -a zapret
|
||||
rdr pass on em1 inet proto tcp from any to any port = http -> 127.0.0.1 port 988
|
||||
rdr pass on em1 inet proto tcp from any to any port = https -> 127.0.0.1 port 988
|
||||
rdr pass on em1 inet6 proto tcp from any to any port = http -> fe80::20c:29ff:5ae3:4821 port 988
|
||||
rdr pass on em1 inet6 proto tcp from any to any port = https -> fe80::20c:29ff:5ae3:4821 port 988
|
||||
```
|
||||
|
||||
|
||||
## OpenBSD
|
||||
|
||||
|
49
docs/bsd.txt
49
docs/bsd.txt
@ -198,11 +198,58 @@ sysctl net.inet.ip.pfil.inbound=ipfw,pf
|
||||
sysctl net.inet6.ip6.pfil.outbound=ipfw,pf
|
||||
sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
|
||||
ipfw delete 100
|
||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg
|
||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
|
||||
pkill ^dvtws$
|
||||
dvtws --daemon --port 989 --dpi-desync=split2
|
||||
-----------
|
||||
|
||||
Что касается tpws, то видимо имеется некоторый конфликт двух фаерволов, и правила fwd в ipfw не работают.
|
||||
Работает перенаправление средствами pf как описано в разделе по FreeBSD.
|
||||
В pf можно изменять правила только целыми блоками - якорями (anchors). Нельзя просто так добавить или удалить что-то.
|
||||
Но чтобы какой-то anchor был обработан, на него должна быть ссылка из основного набора правил.
|
||||
Его трогать нельзя, иначе порушится весь фаервол.
|
||||
Поэтому придется править код скриптов pfsense. Поправьте /etc/inc/filter.inc следующим образом :
|
||||
-----------
|
||||
$natrules .= "# TFTP proxy\n";
|
||||
|
||||
/* MOD */
|
||||
$natrules .= "rdr-anchor \"zapret/*\"\n";
|
||||
|
||||
$natrules .= "rdr-anchor \"tftp-proxy/*\"\n";
|
||||
-----------
|
||||
|
||||
Напишите файл с содержимым anchor-а (например, /etc/zapret.anchor):
|
||||
-----------
|
||||
rdr pass on em1 inet proto tcp to port {80,443} -> 127.0.0.1 port 988
|
||||
rdr pass on em1 inet6 proto tcp to port {80,443} -> fe80::20c:29ff:5ae3:4821 port 988
|
||||
-----------
|
||||
|
||||
Добавьте в автозапуск /usr/local/etc/rc.d/zapret.sh :
|
||||
-----------
|
||||
pfctl -a zapret -f /etc/zapret.anchor
|
||||
pkill ^tpws_pf$
|
||||
tpws_pf --daemon --port=988 --split-http-req=method --split-pos=2
|
||||
-----------
|
||||
|
||||
Обратите внимание, что запускается специальная версия tpws с поддежкой pf. Обычный tpws не работает с PF.
|
||||
После перезагрузки проверьте, что правила создались :
|
||||
-----------
|
||||
[root@pfSense /]# pfctl -s nat
|
||||
no nat proto carp all
|
||||
nat-anchor "natearly/*" all
|
||||
nat-anchor "natrules/*" all
|
||||
...................
|
||||
no rdr proto carp all
|
||||
rdr-anchor "zapret/*" all
|
||||
rdr-anchor "tftp-proxy/*" all
|
||||
rdr-anchor "miniupnpd" all
|
||||
[root@pfSense /]# pfctl -s nat -a zapret
|
||||
rdr pass on em1 inet proto tcp from any to any port = http -> 127.0.0.1 port 988
|
||||
rdr pass on em1 inet proto tcp from any to any port = https -> 127.0.0.1 port 988
|
||||
rdr pass on em1 inet6 proto tcp from any to any port = http -> fe80::20c:29ff:5ae3:4821 port 988
|
||||
rdr pass on em1 inet6 proto tcp from any to any port = https -> fe80::20c:29ff:5ae3:4821 port 988
|
||||
-----------
|
||||
|
||||
|
||||
OpenBSD
|
||||
-------
|
||||
|
Loading…
Reference in New Issue
Block a user