Dear ALL!
After building FreeBSD 7.0 + UTM 5.0 + mpd4 + ndsad,
ndsad does not let clients who connect over VPN work through NAT. Here are the firewall rules with which NAT does not work (ndsad is enabled, traffic is counted):
ipfw show
00010 0 0 divert 21000 ip from any to 172.16.80.0/24
00050 50989 6515659 allow ip from any to any
00100 3040 219844 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 14407 2353088 allow ip from any to any
65535 13 844 deny ip from any to any
And here are the rules with which NAT works: the VPN users have Internet access, but traffic is not counted:
ipfw show
00050 5099 631659 allow ip from any to any
00010 0 0 divert 21000 ip from any to 172.16.80.0/24
00100 3040 219844 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 14407 2353088 allow ip from any to any
65535 13 844 deny ip from any to any
ndsad config:
# cat /usr/local/etc/ndsad.conf
# Data stream collector ip
ip 127.0.0.1
# Data stream collector port
port 9996
# Forced ifaces - these ifaces
# will be processed even if "dummy" is specified
# for their family in this configuration file.
force em1
ignore all
dummy all
heap 65536
log /var/log/ndsad.log
#config /usr/local/etc/nfcd.local.conf
# This directive for FreeBSD only !
# Listen on specified port for traffic.
# add following rules for ipfw (example rule) to divert traffic to port:
# ipfw add 10 tee 21000 all from any to any
# If you want to use 'ipfw add 10 divert 21000 ip from any to any' you must use the 'bsd_div_copy yes' directive (see below)
bsd_div_port 21000
# This directive for FreeBSD only !
# If you use 'divert' in ipfw, uncomment this directive! Otherwise packets will be dropped inside ndsad ... ;-(
bsd_div_copy yes
ndsad log:
ndsad[5896]: Session opened on Tue Nov 25 10:51:47 2008
ndsad[5896]: binary version `1.33'
ndsad[5896]: Creating NFC for <bsd_divert_iface> family. dev <bsd_divert_iface0>
ndsad[5896]: NFC created <0x2830a800>.
ndsad[5896]: BSD_DIV: Starting worker thread for bsd divert socket.
ndsad[5896]: BSD_DIV: Iface already exist. All is ok. Iface <0x28309060> iface->ifl_nfc <0x2830a800>
ndsad[5896]: BSD_DIV: Successfully connected to ipfw divert/tee socket.
ndsad[5896]: `em0': new device
ndsad[5896]: Starting worker thread for device <em0>
ndsad[5896]: `em1': new device
ndsad[5896]: Starting worker thread for device <em1>
ndsad[5896]: `lo0': new device
ndsad[5896]: Starting worker thread for device <lo0>
ndsad[5896]: Creating NFC for <em> family. dev <em0>
ndsad[5896]: `bsd_divert_iface0': new device
ndsad[5896]: NFC created <0x28503800>.
ndsad[5896]: Creating NFC for <lo> family. dev <lo0>
ndsad[5896]: `em0' thread started successfully.
ndsad[5896]: `em1' thread started successfully.
ndsad[5896]: NFC created <0x28703800>.
ndsad[5896]: `lo0' thread started successfully.
ndsad[5896]: `em0' thread is preparing for PCAP loop call
ndsad[5896]: `em1' thread is preparing for PCAP loop call
ndsad[5896]: pcap_datalink(em0) = 1
ndsad[5896]: Set ppp offset = 4
ndsad[5896]: pcap_datalink(em1) = 1
ndsad[5896]: Set ppp offset = 4
ndsad[5896]: `lo0' thread is preparing for PCAP loop call
ndsad[5896]: pcap_datalink(lo0) = 0
ndsad[5896]: Set ppp offset = 4
Thanks in advance for any help...
ndsad - does not return traffic
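The post above hinges on ipfw rule ordering: a `tee`/`divert` hook for ndsad only counts what reaches it, and ipfw processes rules strictly by number, not in the order they were typed. The script below is an added example, not code from the original post or from the ndsad/UTM5 project. It parses `ipfw show` output, reports every rule that sits behind a terminal catch-all (`allow`/`deny ip from any to any`, no `via`), lists `divert`/`tee` hooks whose packet counter is still zero, and flags hooks whose body names a network on only one side (such hooks see packets toward that network but never the replies). The function names and the `Rule` dataclass are my own; the sample input is the first `ipfw show` listing from the post, embedded so the script runs offline.

```python
"""Audit `ipfw show` output for shadowed rules and idle divert/tee hooks.

Added example (not from the original post). Parses the counters-and-rules
format that `ipfw show` prints on FreeBSD and checks three things that
decide whether a NetFlow collector such as ndsad ever sees traffic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the first `ipfw show` listing from the post above.
SAMPLE_IPFW_SHOW = """\
00010 0 0 divert 21000 ip from any to 172.16.80.0/24
00050 50989 6515659 allow ip from any to any
00100 3040 219844 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 14407 2353088 allow ip from any to any
65535 13 844 deny ip from any to any
"""

# Actions that end rule processing for a matching packet.
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reject"}
# Actions that carry a numeric argument (port, pipe, rule number) before the body.
WITH_ARG = {"divert", "tee", "skipto", "pipe", "queue"}
HOOKS = {"divert", "tee"}

# "<rule> <pkts> <bytes> <action> <rest...>"
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*?)\s*$")
ENDPOINTS_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")


@dataclass
class Rule:
    num: int
    pkts: int
    bytes: int
    action: str
    arg: Optional[int]   # divert/tee port, pipe number, skipto target
    body: str            # e.g. "ip from any to any via lo0"


def parse_ipfw_show(text: str) -> List[Rule]:
    """Parse `ipfw show` lines; anything that is not a rule line is skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, "## Dynamic rules" header, etc.
        num, pkts, nbytes, action, rest = m.groups()
        arg: Optional[int] = None
        if action in WITH_ARG:
            first, _, rest = rest.partition(" ")
            arg = int(first)
        rules.append(Rule(int(num), int(pkts), int(nbytes), action, arg, rest))
    return rules


def is_catch_all(rule: Rule) -> bool:
    """True when the body matches every packet in every direction."""
    return rule.body in ("ip from any to any", "all from any to any")


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Rule numbers that can never match: an earlier terminal catch-all
    handles every packet first. Sorted by number, since that is the order
    ipfw evaluates them in regardless of how the listing was pasted."""
    out: List[int] = []
    blocked = False
    for r in sorted(rules, key=lambda r: r.num):
        if blocked:
            out.append(r.num)
        elif r.action in TERMINAL and is_catch_all(r):
            blocked = True
    return out


def idle_hooks(rules: List[Rule]) -> List[int]:
    """divert/tee rules whose packet counter is zero: the collector on that
    port has never been handed a packet by this rule."""
    return [r.num for r in rules if r.action in HOOKS and r.pkts == 0]


def one_directional(rule: Rule) -> bool:
    """True when exactly one endpoint is a specific host/net, so the rule
    sees traffic to (or from) it but not the replies."""
    m = ENDPOINTS_RE.search(rule.body)
    if not m:
        return False
    src, dst = m.groups()
    return (src == "any") != (dst == "any")


def audit(text: str) -> Dict[str, List[int]]:
    """Run all three checks over one `ipfw show` listing."""
    rules = parse_ipfw_show(text)
    return {
        "shadowed": shadowed_rules(rules),
        "idle_hooks": idle_hooks(rules),
        "one_way_hooks": [r.num for r in rules if r.action in HOOKS and one_directional(r)],
    }


if __name__ == "__main__":
    for name, nums in audit(SAMPLE_IPFW_SHOW).items():
        print(f"{name}: {nums}")
```

On the post's first listing the audit reports rules 100 to 65535 as shadowed by the `allow ip from any to any` at 50, and rule 10 as both idle (0 packets) and one-directional (`to 172.16.80.0/24` only). Two caveats: ipfw counters are not reset when rules are added or replaced, so hits shown on a shadowed rule may date from before the catch-all was inserted (`ipfw zero` clears them); and neither listing in the post contains a `divert` to natd at all, so whatever performs the NAT is not visible in these rules.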