mirror of
https://github.com/bol-van/zapret.git
synced 2025-01-22 16:10:36 +05:00
Update bsd.eng.md
This commit is contained in:
parent
e66413d9e2
commit
83a3ab9ee1
@ -22,16 +22,17 @@ In FreeBSD enable PF only if you use it. Its undesirable if you don't.
|
|||||||
PF is enabled automatically in OpenBSD and MacOS.
|
PF is enabled automatically in OpenBSD and MacOS.
|
||||||
|
|
||||||
Divert sockets are internal type sockets in the BSD kernel. They have no relation to network addresses
|
Divert sockets are internal type sockets in the BSD kernel. They have no relation to network addresses
|
||||||
or network packet exchange. They are identified by a port number 1..65535. Its like queue number in NFQUEUE.
|
or network packet exchange. They are identified by a port number `1..65535`. Its like queue number in NFQUEUE.
|
||||||
Traffic can be diverted to a divert socket using firewall rule.
|
Traffic can be diverted to a divert socket using firewall rule.
|
||||||
If nobody listens on the specified divert port packets are dropped. Its similar to NFQUEUE without `--queue-bypass`.
|
If nobody listens on the specified divert port packets are dropped. Its similar to NFQUEUE without `--queue-bypass`.
|
||||||
|
|
||||||
`ipset/*.sh` scripts work with ipfw lookup tables if ipfw is present.
|
`ipset/*.sh` scripts work with ipfw lookup tables if ipfw is present.
|
||||||
|
|
||||||
ipfw table is analog to linux ipset. Unlike ipsets ipfw tables share v4 an v6 addresses and subnets.
|
ipfw table is analog to linux ipset. Unlike ipsets ipfw tables share v4 an v6 addresses and subnets.
|
||||||
If ipfw is absent scripts check LISTS_RELOAD config variable.
|
|
||||||
If its present then scripts execute a command from LISTS_RELOAD.
|
- If ipfw is absent scripts check LISTS_RELOAD config variable.
|
||||||
If LISTS_RELOAD=- scripts do not load tables even if ipfw exists.
|
- If its present then scripts execute a command from LISTS_RELOAD.
|
||||||
|
- If LISTS_RELOAD=- scripts do not load tables even if ipfw exists.
|
||||||
|
|
||||||
PF can load ip tables from a file. To use this feature with ipset/*.sh scripts disable gzip file creation
|
PF can load ip tables from a file. To use this feature with ipset/*.sh scripts disable gzip file creation
|
||||||
using `GZIP_LISTS=0` directive in the `/opt/zapret/config' file.
|
using `GZIP_LISTS=0` directive in the `/opt/zapret/config' file.
|
||||||
@ -81,7 +82,7 @@ pkill ^dvtws$
|
|||||||
|
|
||||||
To restart firewall and daemons run : `/etc/rc.d/ipfw restart`
|
To restart firewall and daemons run : `/etc/rc.d/ipfw restart`
|
||||||
|
|
||||||
Assume LAN='em1', WAN="em0".
|
Assume `LAN=em1`, `WAN="em0"`.
|
||||||
|
|
||||||
tpws transparent mode quick start.
|
tpws transparent mode quick start.
|
||||||
|
|
||||||
@ -272,14 +273,20 @@ What everyone have updated long ago they keep old like a mammoth. But who cares
|
|||||||
MacOS used to have ipfw but it was removed later and replaced by PF.
|
MacOS used to have ipfw but it was removed later and replaced by PF.
|
||||||
It looks like divert sockets are internally replaced with raw. Its possible to request a divert socket
|
It looks like divert sockets are internally replaced with raw. Its possible to request a divert socket
|
||||||
but it behaves exactly as raw socket with all its BSD inherited + apple specific bugs and feature.
|
but it behaves exactly as raw socket with all its BSD inherited + apple specific bugs and feature.
|
||||||
The fact is that divert-packet in /etc/pf.conf does not work. pfctl binary does not contain the word 'divert'.
|
The fact is that divert-packet in `/etc/pf.conf` does not work. pfctl binary does not contain the word `divert`.
|
||||||
|
|
||||||
dvtws does compile but is useless.
|
dvtws does compile but is useless.
|
||||||
|
|
||||||
After some efforts tpws works. Apple has removed some important stuff from their newer SDKs (DIOCNATLOOK) making
|
After some efforts tpws works. Apple has removed some important stuff from their newer SDKs (DIOCNATLOOK) making
|
||||||
them undocumented and unsupported. With important definitions copied from an older SDK it was possible to make
|
them undocumented and unsupported.
|
||||||
|
|
||||||
|
With important definitions copied from an older SDK it was possible to make
|
||||||
transparent mode working again. But this is not guaranteed to work in the future versions.
|
transparent mode working again. But this is not guaranteed to work in the future versions.
|
||||||
Another MacOS unique feature is root requirement while polling /dev/pf.
|
|
||||||
By default tpws drops root. Its necessary to specify --user=root to stay with root.
|
Another MacOS unique feature is root requirement while polling `/dev/pf`.
|
||||||
|
|
||||||
|
By default tpws drops root. Its necessary to specify `--user=root` to stay with root.
|
||||||
|
|
||||||
In other aspects PF behaves very similar to FreeBSD and shares the same pf.conf syntax.
|
In other aspects PF behaves very similar to FreeBSD and shares the same pf.conf syntax.
|
||||||
|
|
||||||
In MacOS redirection works both for passthrough and outgoing traffic. Outgoing redirection requires route-to rule.
|
In MacOS redirection works both for passthrough and outgoing traffic. Outgoing redirection requires route-to rule.
|
||||||
@ -287,15 +294,24 @@ Because tpws is forced to run as root to avoid loop its necessary to exempt root
|
|||||||
That's why DPI bypass will not work for local requests from root.
|
That's why DPI bypass will not work for local requests from root.
|
||||||
|
|
||||||
If you do ipv6 routing you have to get rid of "secured" ipv6 address assignment.
|
If you do ipv6 routing you have to get rid of "secured" ipv6 address assignment.
|
||||||
|
|
||||||
"secured" addresses are designed to be permanent and not related to the MAC address.
|
"secured" addresses are designed to be permanent and not related to the MAC address.
|
||||||
|
|
||||||
And they really are. Except for link-locals.
|
And they really are. Except for link-locals.
|
||||||
If you just reboot the system link-locals will not change. But next day they will change. Not necessary to wait so long.
|
|
||||||
|
If you just reboot the system link-locals will not change. But next day they will change.Not necessary to wait so long.
|
||||||
|
|
||||||
Just change the system time to tomorrow and reboot. Link-locals will change. (at least they change in vmware guest)
|
Just change the system time to tomorrow and reboot. Link-locals will change. (at least they change in vmware guest)
|
||||||
Looks like its a kernel bug. Link locals should not change. Its useless and can be harmful. Cant use LL as a gateway.
|
Looks like its a kernel bug. Link locals should not change. Its useless and can be harmful. Cant use LL as a gateway.
|
||||||
|
|
||||||
The easiest solution is to disable "secured" addresses.
|
The easiest solution is to disable "secured" addresses.
|
||||||
|
|
||||||
Outgoing connections prefer randomly generated temporary addressesas like in other systems.
|
Outgoing connections prefer randomly generated temporary addressesas like in other systems.
|
||||||
Put the string "net.inet6.send.opmode=0" to /etc/sysctl.conf. If not present - create it.
|
|
||||||
|
Put the string `net.inet6.send.opmode=0` to `/etc/sysctl.conf`. If not present - create it.
|
||||||
|
|
||||||
Then reboot the system.
|
Then reboot the system.
|
||||||
|
|
||||||
If you dont like this solution you can assign an additional static ipv6 address from fd00::/8 range with /128 prefix
|
If you dont like this solution you can assign an additional static ipv6 address from fd00::/8 range with /128 prefix
|
||||||
to your LAN interface and use it as the gateway address.
|
to your LAN interface and use it as the gateway address.
|
||||||
|
|
||||||
@ -316,8 +332,10 @@ pfctl -ef /etc/pf.conf
|
|||||||
|
|
||||||
tpws transparent mode for both passthrough and outgoing connections. en1 - LAN.
|
tpws transparent mode for both passthrough and outgoing connections. en1 - LAN.
|
||||||
|
|
||||||
|
```
|
||||||
ifconfig en1 | grep fe80
|
ifconfig en1 | grep fe80
|
||||||
inet6 fe80::bbbb:bbbb:bbbb:bbbb%en1 prefixlen 64 scopeid 0x8
|
inet6 fe80::bbbb:bbbb:bbbb:bbbb%en1 prefixlen 64 scopeid 0x8
|
||||||
|
```
|
||||||
/etc/pf.conf
|
/etc/pf.conf
|
||||||
```
|
```
|
||||||
rdr pass on en1 inet proto tcp from any to any port {80,443} -> 127.0.0.1 port 988
|
rdr pass on en1 inet proto tcp from any to any port {80,443} -> 127.0.0.1 port 988
|
||||||
@ -342,13 +360,14 @@ Build from source : `make -C /opt/zapret mac`
|
|||||||
|
|
||||||
`install_easy.sh` supports MacOS
|
`install_easy.sh` supports MacOS
|
||||||
|
|
||||||
Shipped precompiled binaries are built for 64-bit MacOS with -mmacosx-version-min=10.8 option.
|
Shipped precompiled binaries are built for 64-bit MacOS with `-mmacosx-version-min=10.8` option.
|
||||||
They should run on all supported MacOS versions.
|
They should run on all supported MacOS versions.
|
||||||
If no - its easy to build your own. Running 'make' automatically installs developer tools.
|
If no - its easy to build your own. Running `make` automatically installs developer tools.
|
||||||
|
|
||||||
!! Internet sharing is not supported !!
|
!! **Internet sharing is not supported** !!
|
||||||
Routing is supported but only manually configured through PF.
|
Routing is supported but only manually configured through PF.
|
||||||
If you enable internet sharing tpws stops functioning. When you disable internet sharing you may lose web site access.
|
If you enable internet sharing tpws stops functioning. When you disable internet sharing you may lose web site access.
|
||||||
|
|
||||||
To fix : `pfctl -f /etc/pf.conf`
|
To fix : `pfctl -f /etc/pf.conf`
|
||||||
|
|
||||||
If you need internet sharing use tpws socks mode.
|
If you need internet sharing use tpws socks mode.
|
||||||
@ -378,21 +397,24 @@ Reloading PF tables :
|
|||||||
/opt/zapret/init.d/macos/zapret reload-fw-tables
|
/opt/zapret/init.d/macos/zapret reload-fw-tables
|
||||||
```
|
```
|
||||||
|
|
||||||
Installer configures LISTS_RELOAD in the config so `ipset/*.sh` scripts automatically reload PF tables.
|
Installer configures `LISTS_RELOAD` in the config so `ipset/*.sh` scripts automatically reload PF tables.
|
||||||
Installer creates cron job for `ipset/get_config.sh`, as in OpenWRT.
|
Installer creates cron job for `ipset/get_config.sh`, as in OpenWRT.
|
||||||
|
|
||||||
start-fw script automatically patches `/etc/pf.conf` inserting there "zapret" anchors.
|
start-fw script automatically patches `/etc/pf.conf` inserting there `zapret` anchors.
|
||||||
Auto patching requires pf.conf with apple anchors preserved.
|
Auto patching requires pf.conf with apple anchors preserved.
|
||||||
If your pf.conf is highly customized and patching fails you will see the warning. Do not ignore it.
|
If your `pf.conf` is highly customized and patching fails you will see the warning. Do not ignore it.
|
||||||
In that case you need to manually insert "zapret" anchors to your pf.conf (keeping the right rule type ordering) :
|
In that case you need to manually insert "zapret" anchors to your `pf.conf` (keeping the right rule type ordering) :
|
||||||
|
```
|
||||||
rdr-anchor "zapret"
|
rdr-anchor "zapret"
|
||||||
anchor "zapret"
|
anchor "zapret"
|
||||||
unistall_easy.sh unpatches pf.conf
|
unistall_easy.sh unpatches pf.conf
|
||||||
|
```
|
||||||
|
start-fw creates 3 anchor files in `/etc/pf.anchors` : zapret,zapret-v4,zapret-v6.
|
||||||
|
|
||||||
start-fw creates 3 anchor files in /etc/pf.anchors : zapret,zapret-v4,zapret-v6.
|
- Last 2 are referenced by anchor `zapret`.
|
||||||
Last 2 are referenced by anchor "zapret".
|
- Tables `nozapret`,`nozapret6` belong to anchor `zapret`.
|
||||||
Tables nozapret,nozapret6 belong to anchor "zapret".
|
- Tables `zapret`,`zapret-user` belong to anchor `zapret-v4`.
|
||||||
Tables zapret,zapret-user belong to anchor "zapret-v4".
|
- Tables `zapret6`,`apret6-user` belong to anchor `zapret-v6`.
|
||||||
Tables zapret6,zapret6-user belong to anchor "zapret-v6".
|
|
||||||
If an ip version is disabled then corresponding anchor is empty and is not referenced from the anchor "zapret".
|
If an ip version is disabled then corresponding anchor is empty and is not referenced from the anchor `zapret`.
|
||||||
Tables are only created for existing list files in the ipset directory.
|
Tables are only created for existing list files in the ipset directory.
|
||||||
|
Loading…
Reference in New Issue
Block a user