On FreeBSD 5.0, rules that specify the owner (sender) of a packet do not work:

Rules of the form ipfw add 900 deny ip from any to www.ru uid www (I also tried specifying a numeric id instead of www) do not work for the user www, and sometimes, oddly enough, they trigger for all users at once (the latter on a different machine). Here is an example:

    # ipfw show
    00100 878 101308 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    65000 50619 8882772 allow ip from any to any
    65535 1 84 deny ip from any to any
    # ipfw add 900 deny ip from any to www.ru uid www
    00900 deny ip from any to 194.87.0.50 uid www
    # ipfw show
    00100 932 107202 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    00900 0 0 deny ip from any to 194.87.0.50 uid www
    65000 50629 8884872 allow ip from any to any
    65535 1 84 deny ip from any to any
    # su www
    $ whoami
    www
    $ wget www.ru
    --00:57:05-- http://www.ru/
     => `index.html'
    Resolving www.ru... done.
    Connecting to www.ru[194.87.0.50]:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: /eng/index.html [following]
    --00:57:05-- http://www.ru/eng/index.html
     => `index.html'
    Connecting to www.ru[194.87.0.50]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 12,177 [text/html]
    100%[========================>] 12,177 16.49K/s ETA 00:00
    00:57:06 (16.49 KB/s) - `index.html' saved [12177/12177]

What could be the problem here?

Here is the kernel config:

===================================================================
machine i386
cpu I686_CPU
ident test1
maxusers 512
options NMBCLUSTERS=65536
device bpf # Berkeley packet filter
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options QUOTA
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options SOFTUPDATES #Enable FFS soft updates support
options UFS_ACL #Support for access control lists
options UFS_DIRHASH #Improve performance on big directories
options NFSCLIENT #Network Filesystem Client
options CD9660 #ISO 9660 Filesystem
options PROCFS #Process filesystem (requires PSEUDOFS)
options PSEUDOFS #Pseudo-filesystem framework
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 #Compatible with FreeBSD4
options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
                             # output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
                             # output. Adds ~215k to driver.
options INVARIANT_SUPPORT #Extra sanity checks of internal structures, required by INVARIANTS
options SMP # Symmetric MultiProcessor Kernel
options APIC_IO # Symmetric (APIC) I/O
device isa
device pci
device ata
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID #Static device numbering
device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device scbus # SCSI bus (required)
device da # Direct Access (disks)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
device aac # Adaptec FSA RAID
device aacp # SCSI passthrough for aac (requires CAM)
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device vga # VGA video card driver
device sc
device npx
device pmtimer
device sio # 8250, 16[45]50 based serial ports
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device random # Entropy device
device loop # Network loopback
device ether # Ethernet support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
================================================================