In FreeBSD 5.0, rules that specify the owner (sender) of a packet do not work:
Rules of the form
ipfw add 900 deny ip from any to www.ru uid www
(instead of www I also tried specifying the numeric id)
do not work for user www, and sometimes, oddly enough, they fire for all users at once (the latter on a different machine).
Here is an example:
# ipfw show
00100 878 101308 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 50619 8882772 allow ip from any to any
65535 1 84 deny ip from any to any
# ipfw add 900 deny ip from any to www.ru uid www
00900 deny ip from any to 194.87.0.50 uid www
# ipfw show
00100 932 107202 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00900 0 0 deny ip from any to 194.87.0.50 uid www
65000 50629 8884872 allow ip from any to any
65535 1 84 deny ip from any to any
# su www
$ whoami
www
$ wget www.ru
--00:57:05-- http://www.ru/
=> `index.html'
Resolving www.ru... done.
Connecting to www.ru[194.87.0.50]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /eng/index.html [following]
--00:57:05-- http://www.ru/eng/index.html
=> `index.html'
Connecting to www.ru[194.87.0.50]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,177 [text/html]
100%[========================>] 12,177 16.49K/s ETA 00:00
00:57:06 (16.49 KB/s) - `index.html' saved [12177/12177]
What could be the problem here?
Here is the kernel config:
===================================================================
machine i386
cpu I686_CPU
ident test1
maxusers 512
options NMBCLUSTERS=65536
device bpf # Berkeley packet filter
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options QUOTA
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options SOFTUPDATES #Enable FFS soft updates support
options UFS_ACL #Support for access control lists
options UFS_DIRHASH #Improve performance on big directories
options NFSCLIENT #Network Filesystem Client
options CD9660 #ISO 9660 Filesystem
options PROCFS #Process filesystem (requires PSEUDOFS)
options PSEUDOFS #Pseudo-filesystem framework
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 #Compatible with FreeBSD4
options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
options INVARIANT_SUPPORT #Extra sanity checks of internal structures, required by INVARIANTS
options SMP # Symmetric MultiProcessor Kernel
options APIC_IO # Symmetric (APIC) I/O
device isa
device pci
device ata
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID #Static device numbering
device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device scbus # SCSI bus (required)
device da # Direct Access (disks)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
device aac # Adaptec FSA RAID
device aacp # SCSI passthrough for aac (requires CAM)
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device vga # VGA video card driver
device sc
device npx
device pmtimer
device sio # 8250, 16[45]50 based serial ports
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device random # Entropy device
device loop # Network loopback
device ether # Ethernet support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
================================================================
> uid user
> Match all TCP or UDP packets sent by or received for a
> user. A user may be matched by name or identification
> number.
Could you elaborate a little, please.
I have read that, i.e. the rule should match all packets sent or
received by a local user over the TCP or UDP protocols.
Well, http works over tcp. So how is it that I can
fetch a web page as user 'www', even though the following rule
is set for that user:
ipfw add 900 deny ip from any to www.ru uid www
In other words, user 'www' should not have been able to send any packets (over tcp) to www.ru at all.
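One check worth adding at this point in the thread before blaming the uid match itself: the listing in the post was taken right after the rule was added, but not after the wget, so it never shows whether rule 00900 was consulted at all. The script below (an added example, not part of the original exchange) diffs the packet counters of two `ipfw show` snapshots; the "before" listing is copied from the post, the "after" listing is constructed with hypothetical numbers, and on a real host you would feed it two real `ipfw show` outputs.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread: compare two `ipfw show`
# snapshots and report which rules' packet counters moved. On the box, run
#   ipfw show > before.txt; su www -c 'wget www.ru'; ipfw show > after.txt
# and feed both files in; if rule 00900 stays at 0 while 65000 climbs, the
# uid match never fired and the traffic was passed by the catch-all rule.

# "before" snapshot, copied from the listing in the post.
BEFORE='00100 932 107202 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00900 0 0 deny ip from any to 194.87.0.50 uid www
65000 50629 8884872 allow ip from any to any
65535 1 84 deny ip from any to any'

# Constructed "after" snapshot (hypothetical numbers): the wget went through,
# rule 00900 never matched, everything was accepted by 65000.
AFTER='00100 940 108010 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00900 0 0 deny ip from any to 194.87.0.50 uid www
65000 50700 8899100 allow ip from any to any
65535 1 84 deny ip from any to any'

# counter_delta BEFORE AFTER: print "RULE PACKET_DELTA RULE_BODY" for every
# rule whose packet counter changed between the two snapshots.
counter_delta() {
    { printf '%s\n' "$1"; echo '__SEP__'; printf '%s\n' "$2"; } | awk '
        $1 == "__SEP__" { after = 1; next }
        !after          { pkts[$1] = $2; next }
        {
            body = $4
            for (i = 5; i <= NF; i++) body = body " " $i
            d = $2 - pkts[$1]
            if (d != 0) print $1, d, body
        }'
}

# rule_hit RULE BEFORE AFTER: packet-counter delta for one rule number (0 = never hit).
rule_hit() {
    b=$(printf '%s\n' "$2" | awk -v r="$1" '$1 == r { print $2 }')
    a=$(printf '%s\n' "$3" | awk -v r="$1" '$1 == r { print $2 }')
    echo $(( ${a:-0} - ${b:-0} ))
}

counter_delta "$BEFORE" "$AFTER"
echo "rule 00900 hits: $(rule_hit 00900 "$BEFORE" "$AFTER")"
```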