mirror of
https://github.com/bol-van/zapret.git
synced 2024-11-30 05:50:53 +03:00
BSD use SYN,ACK filter to catch autottl
This commit is contained in:
parent
48850b5f4e
commit
5ef3fb9e97
@ -364,8 +364,8 @@ pktws_ipt_prepare()
|
|||||||
;;
|
;;
|
||||||
ipfw)
|
ipfw)
|
||||||
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from me to any $1 proto ip${IPV} out not diverted not sockarg
|
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from me to any $1 proto ip${IPV} out not diverted not sockarg
|
||||||
# this redirects all incoming traffic to the port, do not use it in real life !
|
# for autottl mode
|
||||||
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} in not diverted not sockarg
|
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} tcpflags syn,ack in
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
@ -155,6 +155,8 @@ For all traffic:
|
|||||||
```
|
```
|
||||||
ipfw delete 100
|
ipfw delete 100
|
||||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
|
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
|
||||||
|
# required for autottl mode only
|
||||||
|
ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in recv em0
|
||||||
/opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
|
/opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -163,6 +165,8 @@ Process only table zapret with the exception of table nozapret:
|
|||||||
ipfw delete 100
|
ipfw delete 100
|
||||||
ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
|
ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
|
||||||
ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
|
ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
|
||||||
|
# required for autottl mode only
|
||||||
|
ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in recv em0
|
||||||
/opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
|
/opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -349,6 +353,7 @@ table <zapret> file "/opt/zapret/ipset/zapret-ip.txt"
|
|||||||
table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
|
table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
|
||||||
table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
|
table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
|
||||||
pass out quick on em0 inet proto tcp to <nozapret> port {80,443}
|
pass out quick on em0 inet proto tcp to <nozapret> port {80,443}
|
||||||
|
pass in quick on em0 inet proto tcp from <zapret> port {80,443} flags SA/SA divert-packet port 989 no state
|
||||||
pass in quick on em0 inet proto tcp from <zapret> port {80,443} no state
|
pass in quick on em0 inet proto tcp from <zapret> port {80,443} no state
|
||||||
pass out quick on em0 inet proto tcp to <zapret> port {80,443} divert-packet port 989 no state
|
pass out quick on em0 inet proto tcp to <zapret> port {80,443} divert-packet port 989 no state
|
||||||
pass in quick on em0 inet proto tcp from <zapret-user> port {80,443} no state
|
pass in quick on em0 inet proto tcp from <zapret-user> port {80,443} no state
|
||||||
@ -357,6 +362,7 @@ table <zapret6> file "/opt/zapret/ipset/zapret-ip6.txt"
|
|||||||
table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
|
table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
|
||||||
table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
|
table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
|
||||||
pass out quick on em0 inet6 proto tcp to <nozapret6> port {80,443}
|
pass out quick on em0 inet6 proto tcp to <nozapret6> port {80,443}
|
||||||
|
pass in quick on em0 inet6 proto tcp from <zapret6> port {80,443} flags SA/SA divert-packet port 989 no state
|
||||||
pass in quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
|
pass in quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
|
||||||
pass out quick on em0 inet6 proto tcp to <zapret6> port {80,443} divert-packet port 989 no state
|
pass out quick on em0 inet6 proto tcp to <zapret6> port {80,443} divert-packet port 989 no state
|
||||||
pass in quick on em0 inet6 proto tcp from <zapret6-user> port {80,443} no state
|
pass in quick on em0 inet6 proto tcp from <zapret6-user> port {80,443} no state
|
||||||
|
@ -123,12 +123,16 @@ ipfw add 100 fwd ::1,988 tcp from any to any 80,443 proto ip6 recv em1
|
|||||||
Для всего трафика :
|
Для всего трафика :
|
||||||
ipfw delete 100
|
ipfw delete 100
|
||||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
|
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
|
||||||
|
# required for autottl mode only
|
||||||
|
ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in recv em0
|
||||||
/opt/zapret/nfq/dvtws --port=989 ---dpi-desync=split2
|
/opt/zapret/nfq/dvtws --port=989 ---dpi-desync=split2
|
||||||
|
|
||||||
Для трафика только на таблицу zapret, за исключением таблицы nozapret :
|
Для трафика только на таблицу zapret, за исключением таблицы nozapret :
|
||||||
ipfw delete 100
|
ipfw delete 100
|
||||||
ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
|
ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
|
||||||
ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
|
ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
|
||||||
|
# required for autottl mode only
|
||||||
|
ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in recv em0
|
||||||
/opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
|
/opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
|
||||||
|
|
||||||
Недопущение зацикливания - повторного вхождения фейк пакетов на обработку.
|
Недопущение зацикливания - повторного вхождения фейк пакетов на обработку.
|
||||||
@ -282,6 +286,7 @@ dvtws для всего трафика :
|
|||||||
|
|
||||||
/etc/pf.conf
|
/etc/pf.conf
|
||||||
------------
|
------------
|
||||||
|
pass in quick on em0 proto tcp from port {80,443} flags SA/SA divert-packet port 989 no state
|
||||||
pass in quick on em0 proto tcp from port {80,443} no state
|
pass in quick on em0 proto tcp from port {80,443} no state
|
||||||
pass out quick on em0 proto tcp to port {80,443} divert-packet port 989 no state
|
pass out quick on em0 proto tcp to port {80,443} divert-packet port 989 no state
|
||||||
------------
|
------------
|
||||||
@ -297,6 +302,7 @@ table <zapret> file "/opt/zapret/ipset/zapret-ip.txt"
|
|||||||
table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
|
table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
|
||||||
table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
|
table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
|
||||||
pass out quick on em0 inet proto tcp to <nozapret> port {80,443}
|
pass out quick on em0 inet proto tcp to <nozapret> port {80,443}
|
||||||
|
pass in quick on em0 inet proto tcp from <zapret> port {80,443} flags SA/SA divert-packet port 989 no state
|
||||||
pass in quick on em0 inet proto tcp from <zapret> port {80,443} no state
|
pass in quick on em0 inet proto tcp from <zapret> port {80,443} no state
|
||||||
pass out quick on em0 inet proto tcp to <zapret> port {80,443} divert-packet port 989 no state
|
pass out quick on em0 inet proto tcp to <zapret> port {80,443} divert-packet port 989 no state
|
||||||
pass in quick on em0 inet proto tcp from <zapret-user> port {80,443} no state
|
pass in quick on em0 inet proto tcp from <zapret-user> port {80,443} no state
|
||||||
@ -305,6 +311,7 @@ table <zapret6> file "/opt/zapret/ipset/zapret-ip6.txt"
|
|||||||
table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
|
table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
|
||||||
table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
|
table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
|
||||||
pass out quick on em0 inet6 proto tcp to <nozapret6> port {80,443}
|
pass out quick on em0 inet6 proto tcp to <nozapret6> port {80,443}
|
||||||
|
pass in quick on em0 inet6 proto tcp from <zapret6> port {80,443} flags SA/SA divert-packet port 989 no state
|
||||||
pass in quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
|
pass in quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
|
||||||
pass out quick on em0 inet6 proto tcp to <zapret6> port {80,443} divert-packet port 989 no state
|
pass out quick on em0 inet6 proto tcp to <zapret6> port {80,443} divert-packet port 989 no state
|
||||||
pass in quick on em0 inet6 proto tcp from <zapret6-user> port {80,443} no state
|
pass in quick on em0 inet6 proto tcp from <zapret6-user> port {80,443} no state
|
||||||
|
@ -27,9 +27,10 @@ ipfw add 100 fwd ::1,988 tcp from any to any 80,443 proto ip6 recv em1
|
|||||||
|
|
||||||
ipfw delete 100
|
ipfw delete 100
|
||||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
|
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
|
||||||
|
; required for autottl mode
|
||||||
|
ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in recv em0
|
||||||
|
; udp
|
||||||
ipfw add 100 divert 989 udp from any to any 443 out not diverted not sockarg xmit em0
|
ipfw add 100 divert 989 udp from any to any 443 out not diverted not sockarg xmit em0
|
||||||
# this is required for autottl but very bad, all incoming traffic will be diverted, no way to limit like in linux (connbytes)
|
|
||||||
ipfw add 100 divert 989 tcp from any 80,443 to any in not diverted not sockarg recv em0
|
|
||||||
|
|
||||||
ipfw delete 100
|
ipfw delete 100
|
||||||
ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
|
ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
|
||||||
@ -71,6 +72,7 @@ pfctl -f /etc/pf.conf
|
|||||||
|
|
||||||
; dvtws works both for routed and local
|
; dvtws works both for routed and local
|
||||||
|
|
||||||
|
pass in quick on em0 proto tcp from port {80,443} flags SA/SA divert-packet port 989 no state
|
||||||
pass in quick on em0 proto tcp from port {80,443} no state
|
pass in quick on em0 proto tcp from port {80,443} no state
|
||||||
pass out quick on em0 proto tcp to port {80,443} divert-packet port 989 no state
|
pass out quick on em0 proto tcp to port {80,443} divert-packet port 989 no state
|
||||||
pfctl -f /etc/pf.conf
|
pfctl -f /etc/pf.conf
|
||||||
|
Loading…
Reference in New Issue
Block a user