
NetUP, 20012007.

3.1 1 2007 . UTM5 5.2.1-005 .


http://www.netup.ru.
.

1. ........................................................ 5
2. ........................................................ 11
3. ........................................... 23
4. , , ......... 101
5. .............................................................. 131
6. UTM5 RADIUS............................................................. 145
7. UTM5 Unif ................................................................... 179
8. UTM5 RFW................................................................... 195
9. UTM5 Dynashape......................................................... 217
10. UTM5 Urfaclient ....................................................... 235
11. ................................... 273
12. .................................................. 285
13. Web-.......................................................... 297
14. hotspot........................................................... 299
15. IP-............................................... 301
16. ...... 309
17. ...................................... 315
18. ............................................ 327
19. ........................ 347
20. ....................................... 429
21. 1........................................................... 439
22. 2........................................................... 521

1.

1.1 .......................................... 6

1.1
( )
,
( , ) ( NetUP), ,
,
,
( ).
1. .
1.1.
.

1.2. , , .

1.3. ,

,
,
.
2. NetUP
, , .
,
, .
3. ,
NetUP, ,
.

4. .
.
:
, , . , .
5.
, ,
,
.
6.
.
.
7. ,
,
.

8. , , NetUP
- , ,
(, : ;
; , ;
; ;
,
;
, ; ), , ,
,
, -

( ),
( ) - ,
NetUP ,

. NetUP , .
9.
. ,
, . 4
.
10. ,
NetUP .
(), .

11. .

10

2.

1. ........................................ 12
2. ............................ 14
3. UTM............................................... 16
4. UTM Remote Function Access (URFA).......................... 18
5. ....................................................... 19
6. ............................................................ 20


11

1.
( ,
) NetUP UTM .
. , ,
.
IP-,
().
,
, .

NetUP

UTM

, ,
, IP

-, , .

12


NetUP
UTM


.
, Java
.
.

XML
.
,
. .
, .

.
, , .

-, , Internet.
XML


.
, , ,
, .
: , ,
(
TOS
), , , ,
.

( ) , .
.

13

2.
.
NetUP

UTM


. .
Internet
,

Cisco
,
Mikrotik
,
NSG
,
Revolution

, , .
, (, ,
).
.

UTM

Internet
,

14


, , ,

IP. , (), . ,
,
.

(
PC
-)

, .
( )
( ).
, ,
,
.

RADIUS


Cisco
,
PC

- .

RADIUS
.
,
.

UTM

15

Wi-Fi


Wi-Fi
, . , , , , .

3. UTM


UTM
, : , . , .

Java
-, .
-
:
Windows, Linux

, FreeBSD

. , -
.

16

17

4. UTM Remote Function Access (URFA)
URFA .
CHAP . . URFA
, , , .
.

128- (
SID
), . SID
.
SID ,
.
SID IP-
. ,
.

18

, ,
, . ,
. .
, - ,
.
,
. , ( ),
.
,
.
.

5.
:
(, ) ( ). ,
.
( | ). , 0x80000000,
, .

, . 1 (wheel).
,
.
, , . .


19

6.
-
, .
:

20

*EMERG

*ALERT

*CRIT

ERROR

Warn

Notice

Info

?Debug

?Trace

-Stats

.
. .

0 2

0 3 log_level


. , ,
,
. ,
, .
, .0.
, .<timestamp>, <timestamp> -
Unix Time Stamp. , . ,
, , .

21

22

3.

1. ................................................ 25
1.1 .............. 25
1.2 .............. 25
1.3 . ................................................... 26
1.4 ............................................ 26
1.5 . ............................... 26
1.6 ......................................................27
2. ........................... 28
2.1 .................. 28
2.2 ................................. 29
3. . ......................... 30
3.1 . ..................................................................... 30
3.2 .............................................. 32
3.3 .................................................. 34
3.4 ..........................................................37
3.5 .......................................41
3.6 ..................................................... 42
3.7 . ....................................................................... 43
3.7.1 ........................................................ 45
3.7.1.1 ......................................... 45
3.7.1.2 ..................................... 46
3.7.1.3 ,
.......................................................................47
3.7.2 ........................................................ 48
3.7.2.1 . ........................................................ 48
3.7.2.2 .
. .......................................50
3.7.2.3 IP-.
IP- ...................56

23

3.7.2.4 hotspot.
hotspot .................................................................. 69
3.7.2.5 . . .... 74
3.7.2.6 . ........................................................ 79
3.8 . ......................................................... 88
3.8.1 .................... 90
3.8.2 . ..................................................91
4. ......................................................................... 95
4.1 ............................................. 95
4.2 ......................................................... 95
4.2.1 . . 96
4.2.2 ..........................97
4.2.3 .................97
4.2.4 () ........... 98
4.3 . ........................................................ 98

24

1.
: , , , ,
.

1.1

. .
, .
, .

, ,
.

1.2
.

25

1. . .
2. .

.
, ,
.

,
.

1.3

26

. , , .

1.4
,
.
.

1.5
,
, .

1.6

. , , .


27

2.
,

UTM
. ,
. , .

: init

; web

,
;
radius
, RADIUS
.

28

,
.
.
. , :
( ), ( ), (
) .

, : , .

2.1
. IP

-
,
.
.

2.2

UTM
.
,
.


29

3.
,
.
,
.
,
, :


, :



30

, , ,
( ).
,
, .. ,
, ,
.

3.1
. , .


, .
:
( )
( )
( )
( )
( )


ISO 4217.

ISO 4217.

31



25.12.2000 N 405.


.
on-line
. 1. on-line ,
system_currency 810, ..
.
1,
. . .

32

,
,
.
, .

3.2

. .
:




,
. , .
, ,
, , .


, .
, 0-00 24-00 (0-00 ),
.

33

,
.
, , , 0-00 0-00
, 0-00 12-00 23 , 8 , 1 .
. ,
. .
.

3.3

,
.

34

, ( ).

, ,
.
:






, .
:





.
.

.
. ,
,
.

35


...,
, ..

( ).

,
.

,
. . , ,
.

36

:

( IP-)

.

.
. , .
.
,
1 1 2007 ,

1 2007 .
/ , .

3.4
, . ,
.
.

:
( )
( )






( )

37


.
.
, , ,
.


.

,
.

38

,
.

, web-.

, .
,
. , -

, .
.

.
, .
:



, . ,
.


, . , NetFlow-, NetFlow (IP
).
, NetFlow-:

o ( )
o ( )
o
o
o

, .

39


TOS
TCP-

40

NetFlow-
(,
), .
IP , NetFlow .
,
,
NetFlow-
IP- NetFlow IP-, ,
.


, . .
,
.
,



3.5
.

.

:
( > 1000000)

( )
( )

41


,
( , ).

, , .
POSIX 1003.2.
, . . .
.

3.6
.

.
:

42

( )

, .

3.7
, .

:

( )

43




.
:



, .

:


IP-
hotspot

44


.
.
.
:

IP-
hotspot


.


.
UTM5 .

.
UTM5 ,
,
.
:
IP-

hotspot

.

3.7.1
3.7.1.1
, , .
, .

45

3.7.1.2
,
,
, .





46

, .

.
,


IP-

,

..

.
, .

3.7.1.3 ,

, ,
.
, :

( )
(
)

( )



,
,
, .
,
, ,
.

, , :

47

, , ,
( ).

3.7.2
3.7.2.1 .


.
:

48


, . .
,
.


, .


, .
.

. ,
.
, .

49

3.7.2.2 .

. :


.
:



50


.


. ,
, ( flow_discount_per_period).

, . ,
, , ,
flow_discount_per_period
( 64).
-. ,

, .

,
.

.
.
-, , , .
,
,
, .

51

, .
discount_barrier, .

.

,

. , ,
,
.

,
,
.

52


. , .
,
,
.


IP-
hotspot

c , ,
.
, ,
.

.
.

53


,
(
).
, .
,
UTM5.

.
. .

, .

54


, :
,

=
* (

/ )


, UTM5.

..
( )=( )*(l1/L),

( )=( )*(l2/L),


.
:
IP-

hotspot


, ,
,
,

55

,
.

3.7.2.3 IP-.
IP-
IP-
.
:

56


, .
, . .

.
:



,
.
:

57


,
, ,
(
IP-). , ,
.
, .
.

bytes_in_kbyte, 1024.
, , HS , .


,
, .

, . , ,
.

58

,
.

, .
:


,

, .
,
.
IP-
.

.
, -

59

, .
, .
, .

, . .
.

125Mb ,
50Mb 1Mb,
1. 50Mb 1Mb, 2. 25Mb 1Mb,
3.

60


10Mb, , 10Mb . ,

,
.

. .
:

. .

61

:
(max) ( )
(sum) (
)
(max)
max
.
: , max.


, .

,
max, ,
.

62

, max 1 2. 1 .
:
1. 15Mb 2. 1Mb,
.
2. 40Mb 1.
15Mb 25Mb. 15Mb
. 25Mb
1Mb, 1.
3. 50Mb 2.
25Mb 25Mb. 25Mb

. 2,
10Mb ( 2) 15Mb (
2). 10Mb
1Mb, 1. 15Mb 1Mb, 2.
4. 45Mb 1.
25Mb 20Mb. 25Mb
. 3,
10Mb ( 3) 10Mb (
3). 10Mb
1Mb, 2. 15Mb 1Mb, 3.


63

(sum)
sum
, .
, .
,
.

, sum 1
2. 1 .
2 . 1,
2 ( ). .

64


, , .
IP- UTM5 RADIUS

IP-
IP- :
IP-


65

IP-
IP- , . IP-, NetFlow-.

IP- :

66

IP IP- ( ). UTM5 RADIUS.


IP- ( ).
UTM5 RADIUS.
ID , NetFlow. , IP- ,
IP-.
MAC- , firewall.
( )
,
IP- , IP-. UTM5 RADIUS.
IP- -
.
CID , Calling-Station-ID .
UTM5 RADIUS. (NAS
CID)
, .
VPN IP- .
.
firewall ,
IP- firewall.

, ,

.
:

,
.

.
.
, .

67

.

,
.
,
:

, =
* ( /
)

68


, .

..
( )=( )*(l1/L),

( )=( )*(l2/L),


.

.

3.7.2.4 hotspot.
hotspot

hotspot .

69

70

.
. ,
. .
.

. .
, 60 , 15 15 .

, ,

,
hotspot , ,
.

71

, 1.
3 , 2.
, 3.

72

, IP- .
UTM5 RADIUS.
IP-,
Framed-IP-Address .
, .
,
RADIUS.
web- UTM5, .

IP- UTM5 RADIUS.



UTM5 .
.

.

hotspot


hotspot :

73


.
. UTM5 RADIUS.

UTM5

3.7.2.5 .

74


, IP-. UTM5 RADIUS. ,
UTM5, . , .


. UTM5 RADIUS.
0,
0
.

,
. UTM5 RADIUS.

.


.

75

.
. ,
. ,
, . .

. .

, 60 , 15 15 .

76

,
,
, .
, ,

,
1. 3 ,
2. , 3.
IP- UTM5 RADIUS.

:

( )
CID
CSID
Callback
Ringdown

77

( )
.
IP- . UTM5 RADIUS.

Callback

78

, RADIUS , Callback-. , .
UTM5 RADIUS.
Ringdown
, RADIUS Callback-. UTM5 RADIUS.
Callback Ringdown , , , .

CID
CID ,
Calling-StationID ( UTM5
RADIUS). UTM5 RADIUS.
, .
CSID
CSID ,
Called-StationID ( UTM5
RADIUS). UTM5 RADIUS.
, .

UTM5 .


.
,

3.7.2.6 .

79

80


. , . .

. .

, , .

81


,
. .
.

. , ,
60 .
.


, .

82

.

. .

, 1.1,
, x*1.1 + 0,
Enter. , 10, , x*1.0 + 10,
Enter.

,
, , .

, .

83

, , ,
.

.
.

, , ,
:

84

1.
/ 600 ,
( ).
2.
/ 600 3600 , -

100*1.0
.
3.
/ 3600 5400 , 100*0.5
.
4. / 5400 ,
100*0.25 .
. ,
. .
.
RADIUS RADIUS.

:
1. /.
2
.
3. .
.

4. , .

85

86



/, CID.
:



CID


,
. UTM5
RADIUS.

CID
CID ,
Calling-StationID ( - UTM5
RADIUS). UTM5 RADIUS.
, .

.

, . UTM5 RADIUS.


UTM5 .

87

3.8

. , ( ) .
:


( )
,
,


88

,
.
,

.

.


, , .

,
. () .

, .

OK.
, . -

89

, - , .



.

3.8.1

90

,
, , , .
.
,
,
, , IP-
IP-.
, , , .
.
1,
2, . , -

, ,
, .

,

:



( )

3.8.2

91

, .

92



,
. ,
, .


, .. .
( []),


.


, .
,
.
, ,
.

,
.

, ,
..., ,
.

93

. .
.

94

4.
NetUP

UTM


. , , . ( | ).

4.1

, .
NetUP

UTM

, .

, , .



NetUP
UTM

.

,
.

4.2
,
:

-
.

95

() UTM.

4.2.1

. .
.


(). .

(
):
;
;
,
;
. . ;
. . ;

96

,
;

. ( ) , , ,
-
- ;
( ), . , .
Internet ,
, . Turn on inet
,
. utm5admin.cfg, , payment_inet_switch.
on ( ) off ( ).

4.2.2

4.2.3
,
, ,
.
.


. , , .

97


, , , , ,
, .

4.2.4 ()

98


( ) ,
.
.
,
. .. .
, .
.

4.3
NetUP

UTM
.
NetUP

UTM

( |
)
. , .
.

, , .
, , (.
).
.


99

100

, ,

4. , ,

, ,

1.
......................................................... 102
2. . ........... 104
2.1 Linux rpm . ..................... 104
2.2 Gentoo Linux .......................................................... 105
2.3 FreeBSD ....................................................................107
2.4 Solaris . ..................................................................... 108
2.5 Windows .................................................................. 109
3. ........................... 113
4. .................................................................. 114
5. , .................................................. 115

101

1.


. utm5_core.

, ,

Java 2.
UTM_admin.
web,
init radius.

/netup/utm5/web5.cfg /netup/utm5/radius5.cfg.
( )

.
, .
.
1, . . . ,
.
, .
.

102


.
, ( ,
).
- , .
.

, ,
103

2.

2.1 Linux rpm

, ,


Linux (RedHat 9.0, ) : MySQL 5.x,
Postgresql 8.x.
MySQL InnoDB, .
:
rpm -ihv --nodeps utm5-2.1.xxx.rpm

:
/netup , -

, .
/usr/local/apache/cgi-bin/utm5 - -

.
/usr/local/apache/htdocs/ , .

- ,
:
/etc/rc.d/init.d/utm5_core
/etc/rc.d/init.d/utm5_radius
/etc/rc.d/init.d/utm5_rfw

104

MySQL
mysqladmin create UTM5
mysql UTM5 < /netup/utm5/UTM5_MYSQL.sql

Postgresql
createdb -U postgres UTM5
psql -f /netup/utm5/UTM5_PG.sql -U postgres UTM5

.
,

UTM Linux
:
chkconfig --add utm5_core
chkconfig utm5_core on

2.2 Gentoo Linux



Gentoo Linux :
MySQL 5.x, Postgresql 8.x. MySQL InnoDB,
.
utm52.1.xxx.ebuild.tbz /usr/local/portage. :
mkdir /usr/local/portage
cd /usr/local/portage

, ,

/etc/rc.d/init.d/utm5_core start

105

tar -jxvf /path/to/utm5-2.1.xxx.ebuild.tbz

utm5-2.1.xxx.tar.bz2 /usr/portage/distfiles. /etc/make.conf :


PORTDIR_OVERLAY=/usr/local/portage

:
emerge -a utm5
:
/netup , -

, ,

, .
/var/www/netup/cgi-bin/utm5/ - -

.
/var/www/netup/htdocs , .

- , .
:
/etc/init.d/utm5_core
/etc/init.d/utm5_radius
/etc/init.d/utm5_rfw

:
MySQL
mysqladmin create UTM5

106

mysql UTM5 < /netup/utm5/UTM5_MYSQL.sql

Postgresql
createdb -U postgres UTM5
psql -f /netup/utm5/UTM5_PG.sql -U postgres UTM5

.
, :
/etc/init.d/utm5_core start

UTM Gentoo
Linux :

2.3 FreeBSD

FreeBSD 4.x, 5.x 6., :
MySQL 5.x, Postgresql 8.x. MySQL
InnoDB, .
pkg_add utm5-2.1.xxx.tgz

.
/netup , -

, .
/usr/local/apache/cgi-bin/utm5 - .

, ,

rc-update add utm5_core default

/usr/local/apache/htdocs/ , .

- , .

107

.
/usr/local/etc/rc.d/utm5_core.sh
/usr/local/etc/rc.d/utm5_radius.sh
/usr/local/etc/rc.d/utm5_rfw.sh

MySQL.
mysqladmin create UTM5
mysql UTM5 < /netup/utm5/UTM5_MYSQL.sql

Postgresql.

, ,

createdb -U postgres UTM5


psql -f /netup/utm5/UTM5_PG.sql -U postgres UTM5

.
,

/usr/local/etc/rc.d/utm5_core.sh start

FreeBSD

: /usr/libexec/ld-elf.so.1: Shared object libc.so not found.

compat4x, compat5x, compat6x.

2.4 Solaris

SUN Solaris 9 10 SPARC. Linux FreeBSD.
:
gzip -d utm5-2.1.xxx.gz

108

pkgadd -d utm5-2.1.xxx


.
MySQL.
mysqladmin create UTM5
mysql UTM5 < /netup/utm5/UTM5_MYSQL.sql
Postgresql.
createdb -U postgres UTM5
psql -f /netup/utm5/UTM5_PG.sql -U postgres UTM5
.

/usr/local/etc/rc.d/utm5_core.sh start

2.5 Windows
utm5-2.1.xxx.exe.

.

, ,

Next. .

109

, ,

- ,
Next.

110

UTM
MySQL.
MySQL,
MySQL.
UTM .
, ,
, .
Java Virtual Machine , .
UTM.
. ,
I agree with the above terms and conditions Next.
,
Exit, .

UTM.
Browse, .


MySQL.

, - Apache. Next.

UTM .
UTM
Windows NT utm5_core.

net start utm5_core

UTM (

) ( | | UserTrafManager 5.0 | UTM5 Core Debug Mode)
:
C:\program files\NetUP\UTM5\utm5_core.exe -d

, ,

, CGI - Apache. Next.

111

utm5_core
utm5_core.exe c install uninstall :
C:\Program Files\NetUP\UTM5>utm5_core.exe --uninstall
Successfully deleted utm5_core service
C:\Program Files\NetUP\UTM5>utm5_core.exe --install

, ,

Successfully created utm5_core service

112

3.

Linux/FreeBSD/Solaris:
mysql UTM5 < reg.sql

Windows reg.sql.
, :
C:\Program Files\Netup\utm5\mysql\bin\mysql.exe UTM5 < reg.sql

, ,
113

4.

, ,

1. UTM5
2.

3. SQL
4. UTM5
5. UTM5
6.

7. ,
8. UTM5

114


. .

5. ,

,
, (| ) .
.


, .

, ,
115

,
UTM5

, ,

116

raw_max_files

raw_max_size

5242880

raw_prefix*

raw_commit_int**

raw_fd_process_sript

raw_storage_file*

bytes_in_kbyte

traffic_mult_coef

traffic_agregation_interval

aggregation_todisc_barrier

10


.
, ,

100000000

/netup/utm5/db

2048

NetFlow-,

/netup/utm5/bin/raw_fd_script

Gigabase

,
.

,

raw-

1024

.
bytes_in_kbyte

900

, ,

117

discount_barrier


0.0001

flow_discounts_per_period

, ,

118

block_recalc_abon

0 1

block_recalc_prepaid

0 1

default_vat_rate

card_callback_enable

0, 1, 2 3

0.01


, , discount_barrier,

64




: 0 - , 1
-




: 0 - , 1
-


Callback Ringdown
: 0 - Callback ; 1 -
; 2 -
; 3 - Ringdown

, ,

119

, ,
120

default_dialup_cid

default_dialup_csid

card_tel_uid_len

card_user_prefix

special_write

tel_attrs_write

dialup_attrs_write

access_attrs_write

sm_license

sm_license_hotspot

sm_license_telephony

sm_license_dynashape


CID


CSID

,

;

card_


.
, ,
( |
)

special_transactions

RADIUS- tel_sessions_log_attrs

RADIUS-
, hotspot dhs_sessions_log_attrs

RADIUS- dhs_access_log_attrs

UTM5

hotspot

UTM5 dynashape

, ,

121

sm_license_radius

sm_license_urfaclient

, ,

122

hotspot_refresh_timeout

system_currency

web_session_timeout

disable_utm_tolower

null_prepaid_traffic_if_tarif_change

lite_search_ent

login_prefix_separator

system_tax_rate

tel_report_dont_show_id

email_exec_register

email_exec_unregister

UTM5 RADIUS

UTM5 urfaclient

300

840

ID , 810 - online

300

, URFA-
(SID)


( ).

1 -

, ,

, prefix
.
,

Callback.

,
.

, (.
e-mail)

, (.
e-mail)

, ,

123

, ,

124

smtp_relay

IP-

smtp_port

1 65534

smtp_fqdn

smtp_sender

e-mail

smtp_recipient

e-mail

invoice_subject

invoice_text

notification_borders***

notification_message

****

notification_message_subject

notification_message_from

e-mail

notification_message_by_wintray

yes

balance_notification_email

e-mail

payment_notification_message

*****

IP- SMTP,

25

SMTP

localhost

utm5_core

root

Invoice

Invoice message

- .
-
, ,
,

,
e-mail , notification_borders

,
e-mail
, notification_borders

utm5_core


yes,
notification_borders

root

,
notification_borders

Your payment succeeded!


Payment_Sum=AMOUNT
Payment id =PAYMENT_ID

,
,
email

, ,

125

, ,

126

force_prepaid_change

check_abon_on_payment

discount_traffic_comission

*
** GigaBase
***

****

FULL_NAME

ACCOUNT_ID

BALANCE

DATE

EMAIL

e-mail,

,
.
, ..

1 -
.

1 -

FULL_NAME

ACCOUNT_ID

AMOUNT

PAYMENT_ID

, ,

*****

127

,
UTM5 RADIUS

radius_max_session_age

, ,

radius_do_accounting

128

86400


,
RADIUS- .
0

Stop-


Stop-

,
UTM5 RFW

fw_rule_offset

5000

,

RULE_ID

, UTM5
Dynashape UTM5 dynashape|


, . .

raw_cleanup_sleep

smtp_subject

certificate

utm5_handshare_performed

yes

radius_vpn_inet_control

0, 1

raw_max_age

flow_discount_random_coef

sudo_path

, ,

129

130

5.

1. ....................................................................... 132
2. ..................................... 133
3. ................................................................... 135
3.1
.............................................................................. 135
4. ............................................................................ 142


131

1.

,
, (
, ). , . ,

.

132

2.

URFA (UTM Remote Function Access).

.
.

NetFlow

NetFlow
5. ,
,
NetFlow

5 get_xyz.
,
( )
, . UTM
.
- ,
IP

-. , ,
.

.

UTM
-
.
NetFlow

URFA.
.
, ,
.

UTM

.
.

133

NetFlow -,
.
NetFlow ,
.
NetFlow - GigaBase . ,
, , .

URFA (liburfa). , .
,
. - , , .

( |
).

134

3.
:

, ( - , ,
| ,
)

, .
, ,
.
, , . .

3.1
/netup/utm5/utm5.cfg.

=
, ,
, - .
. . ,
#, .

135

136

database_type

mysql, postgres

database

database_host

database_login

database_password

database_sock_path*

database_port*

dbcount

2 64

database_reconnect_count

database_reconnect_sleep

database_charset*

db_transaction_enable

yes, on, true

, c URFA-

urfa_bind_host**

IP- 0.0.0.0

urfa_bind_port

1 65534

localhost

/tmp/mysql.sock

unix-,
. ,
database_host localhost

3306

,
SQL,


SQL-

IP- ,
URFA-

11758

, URFA

137

urfa_lib_file**

, c Stream-

stream_bind_host

IP- 0.0.0.0

stream_bind_port

1 65534

NetFlow

nfbuffer_host

nfbuffer_port

nbuffer_bufsize

138

log_level

0 3

log_file_main

log_file_debug

log_file_critical

log_file_verificator

core_pid_file

rotate_logs

yes, on, enable

max_logfile_count***

max_logfile_size***

0.0.0.0

IP-,
Stream-

12758

, Stream

0.0.0.0

IP-,
UDP- NetFlow-

9997

,
NetFlow

UDP-,
NetFlow

,
( - |
)

/netup/utm5/log/verificator.sql

/var/run/utm5_core.pid

PID-

10485760

(.so),
.

liburfa_std
liburfa_utils

139

, c

ssl_cert_file

ssl_privkey_file

ssl_privkey_passphrase

thread_stack_size

, 65536

rpc_stack_size

, 65536

* MySQL
**
*** ,

, .

.

140

ctx_certificate

ctx_certificate_req

ctx_init_file

ctx_password

netup_host

IP-

netup_password

netup_user

timed_wait_sleep

/netup/utm5/cert.crt

/netup/utm5/privkey.pem

8388608

-
URFA


141

4.
UTM5
/netup/utm5/bin/utm5_core

-p pid

-c <cfg>-

-v

utm5_core:
1.

/netup/utm5/bin/utm5_core

2.

watchdog start

utm5_core, ,

.

( ) Linux
/etc/init.d/utm5_core start

142

/netup/utm5/bin/safe_utm5_core start

FreeBSD, Solaris
/usr/local/etc/rc.d/utm5_core.sh start

watchdog.

utm5_core watchdog
Linux
/etc/init.d/utm5_core stop

FreeBSD, Solaris
/usr/local/etc/rc.d/utm5_core.sh stop


143

144

UTM5 RADIUS

6. UTM5 RADIUS

1. ...................................................................... 146
2. RADIUS ...147
3. ....................................................... 153
4. NAS ................................................................. 162
5. RADIUS- . ..................... 164
6. IP- ......................................................................... 166
7. utm5_radius ......................................................167
7.1 ............................................................168
7.1.1 ............................................ 168
8. IP-.............. 176


1.
UTM5 RADIUS ( NAS) RADIUS.
Remote Authentication Dial In User Service (RADIUS)
, .

NAS. ,
, ,
, ,
.
,
RADIUS. , RADIUS.

UTM5 RADIUS

, , , IP- ..
UTM5 RADIUS UTM5
Stream.
UTM5 liburfa-radius.so,
. (|
|), urfa_lib_file ():

146
urfa_lib_file=/netup/utm5/lib/utm5_radius/liburfa-radius.so

2.
RADIUS
, NAS UTM5
RADIUS RADIUS,
.
, NAS
(Access-Request).
UTM5 RADIUS . , NAS
(Access-Accept).
, NAS ,
(Access-Reject).
, , NAS UTM5 RADIUS, NAS
Access-Challenge
+-+-+-+-+-+-+-+-+-                          +-+-+-+-+-+-+-+-+-+-
|                 | ---->Access-Request     |                   |
|                 | <----Access-Challenge   |                   |
|       NAS       | ---->Access-Request     |    UTM5 RADIUS    |
|                 | <----Access-Accept      |                   |
+-+-+-+-+-+-+-+-+-                          +-+-+-+-+-+-+-+-+-+-

, NAS , UTM5 RADIUS (Accounting-Request),


. , NAS
(Accounting-Request),
, NAS.

147

, NAS Accounting-Request ,

Accounting-Request.
Accounting-Request UTM5 RADIUS ,
, . Accounting-Request,
,
.
Accounting-Request, UTM5
RADIUS NAS
(Accounting-Response), NAS .
NAS
.

UTM5 RADIUS

(
| NAS) NAS .

148

UTM5 RADIUS NAS RADIUS-. RADIUS-


UDP.
(Access-Request) UTM5 RADIUS 1812.
(Accounting-Request) UTM5 RADIUS
1813.

RADIUS-
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Authenticator                         |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

:
Code
RADIUS-.
UTM5 RADIUS RADIUS-
:



UTM5 RADIUS

Access-Request

Access-Accept

Access-Reject

Accounting-Request

Accounting-Response

11

Access-Challenge

UTM5 RADIUS

Identifier
, .
, -

149

NAS .
Length
Code, Identifier, Authenticator
Attributes
Authenticator
,
md5- UTM5
RADIUS NAS (secret), .
md5- Code, Identifier, Length,
Authenticator, Attributes .

.

. UTM5 RADIUS RADIUS- , .

UTM5 RADIUS

Attributes
, RADIUS.
RADIUS- .
RADIUS-
 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|     Type      |    Length     |  Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

150

Type
, .
RADIUS- RFC 1700.
Length
Type , Length Value.
Value
, .
:
text - 1 253 , UTF-8 (
)
string - 1 253 ,
address - 32 ,
integer - 32 ,
time - 32 ,
00:00:00 1 1970 UTC
.
. .

, User-Name (1).

UTM5 RADIUS

- RADIUS-
, .

151

Vendor-specific (26),
,
. ,
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Vendor-Id                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Vendor-Type  | Vendor-Length |  Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Vendor-Id
, , ( - RFC 1700).
Vendor-Type
, .
Vendor-Length
Vendor-Type , Vendor-Length Data.

UTM5 RADIUS

Data

152

.
Vendor-specific , Vendor-Id
Vendor-Type .
, Cisco-AVPair (9;1).

3.
:
1. UTM5
2. UTM5

3. NAS
4. UTM5

UTM5 RADIUS UTM5, , ,


Stream.

UTM5 RADIUS
Stream. , ,
, UTM5 RADIUS, UTM5 Stream.
, UTM5 RADIUS
,
:

UTM5 RADIUS

, UTM5
UTM5 RADIUS
.

153

IP-
NAS


, ,
hotspot,
, hotspot,



IP-

Access-Request UTM5 RADIUS


:

UTM5 RADIUS

1. , :
PAP
CHAP
MS-CHAP v1
MS-CHAP v2
EAP
Digest

154


User-Name (1). User-Name (1) :
Callback_prefix. .
User-Name (1) , Access-Request
.
, , NAS Access-Reject.

2. , , , .
.
IP-

UTM5 RADIUS radius_auth_vap,


,

IP- IP-
IP- CID , Calling-Station-Id (31)

UTM5 RADIUS radius_nas_port_vpn,
NAS-Port-Type (61) radius_nas_port_vpn

- Access-Reject, .

UTM5 RADIUS

Access-Accept, :
Service-Type (6) - 2
Framed-IP-Netmask (9) - 0xFFFF FFFF
Framed-Routing (10) - 0
Framed-Protocol (7) - 1
Framed-IP-Address (8) - IP IP-, IP- , radius_ippool_acct_timeout UTM5
RADIUS
Session-Timeout (27) -
radius_default_session_timeout
UTM5 RADIUS

155

hotspot

,
Framed-IP-Address (8), , , . -

, ,


.
,
0, ,

UTM5 RADIUS

- Access-Reject, .

156

Access-Accept, :
Mikrotik-Xmit-Limit (14988;2) -

Mikrotik-Rate-Limit (14988;8) - BandwithLimit


Callback_prefix
Callback Ringdown.
Callback , Callback_prefix.
Ringdown ,
Callback_prefix

CID , Calling-Station-Id (31)

CSID , Called-Station-Id (30)

, ,


.
,
0, ,

,
UTM5 RADIUS, IP- . IP-
-

UTM5 RADIUS radius_nas_port_dialup, NAS-Port-Type (0;61)


radius_nas_port_dialup

UTM5 RADIUS

- Access-Reject, .
Access-Accept.

157


IP-, :
Service-Type (6) - 2
Framed-IP-Netmask (9) - 0xFFFF FFFF
Framed-Routing (10) - 0
Framed-Protocol (7) - 1
Framed-IP-Address (8) - IP-
IP-, IP-
, radius_ippool_acct_timeout UTM5 RADIUS
Session-Timeout (27) -

UTM5 RADIUS


IP-, :
Service-Type (6) - 2
Framed-MTU (12) - 1500
Framed-Routing (10) - 0
Framed-Protocol (7) - 1
Session-Timeout (27) -
Cisco-AVPair (9;1) - addr-pool=<
>, < > - IP-

158

, Callback_prefix :
Callback-Number (19) - callback number ( radius_callback_avpair_enable UTM5 RADIUS)
Callback-Id (20) - Callback ( radius_callback_avpair_enable UTM5 RADIUS)
Cisco-AVPair (9;1) - lcp:callback-dialstring=<callback_prefix> ( radius_callback_avpair_enable UTM5 RADIUS)

IP- ,
radius_ippool_timeout UTM5 RADIUS.
.
Access-Accept , , NAS.

(Accounting-Request) UTM5
RADIUS IP-,
hotspot, , , , ,
, IP-.
Accounting-Request :
Acct-Status-Type (40)
Acct-Session-Id (44)

.

UTM5 RADIUS Accounting-Request:



Acct-Status-Type

Start

Stop

UTM5 RADIUS

Acct-Status-Type
(40).

159

Interim-Update

Start-:
, , Acct-Session-Id (44), Stream
,
UTM5
, User-Name (1) IP- , IP- IP-
. IP- , radius_ippool_timeout, radius_ippool_timeout
,
Interim-Update . IP-
,
interim_update_interval,
IP-, ,

UTM5 RADIUS

radius_ippool_timeout , interim_update_interval.

160

Stop-:
User-Name (1) hotspot
, , , Acct-Session-Time (46).
Stream
, , Acct-Session-Id (44), .
Stream
IP-

Interim-Update-:
, , Acct-Session-Id (44),
Stream ,
UTM5
, User-Name (1),

, Interim-Update-, IP- ,
interim_update_interval, .

Stop-
, NetFlow,
Stop-.
radius_do_accounting
1.
Stop- RADIUS- , .

IP- ,
IP- , .
Acct-Input-Octets (42) Stop.
IP- ,
IP- , .
Acct-Output-Octets (43) Stop-.

UTM5 RADIUS

UTM5 Stream.

161

4. NAS
NAS
(| NAS) .

UTM5 RADIUS

NAS :

NAS ID
Auth Secret
Acct Secret
-

162

NAS ID
IP- NAS.
Auth Secret

NAS NAS.
(secret), NAS .

Acct Secret
NAS NAS.
(secret),
NAS .
-
RADIUS-, Access-Accept, NAS ( -
RADIUS-)


5. RADIUS-
RADIUS-,
Access-Accept, NAS. RADIUS- -
NAS, IP-, hotspot,
,
.
RADIUS- ,

.

RADIUS-

UTM5 RADIUS

RADIUS- :
Vendor
Attr

Vendor

164

Attr
.

.
RADIUS- ( , , .) ,
, NAS.
.
RADIUS-
RFC 2865
RFC 2866
NAS


6. IP-
IP- (|IP) .

UTM5 RADIUS IP- ( ),


, .

UTM5 RADIUS

IP- :



.
.

166

7. utm5_radius
UTM5 RADIUS
/netup/utm5/bin/utm5_radius

:
-p pid
-c <cfg>-
-v
3 utm5_radius:
1. /netup/utm5/bin/utm5_radius
2. watchdog start
/netup/utm5/bin/safe_utm5_radius start

utm5_radius ,
.
3. ( ) Linux

FreeBSD, Solaris
/usr/local/etc/rc.d/utm5_radius.sh start

UTM5 RADIUS

/etc/init.d/utm5_radius start

watchdog.
utm5_core watchdog

167

Linux
/etc/init.d/utm5_radius stop

FreeBSD, Solaris
/usr/local/etc/rc.d/utm5_radius.sh stop

7.1
UTM5 RADIUS :
,
,
( - ,
, | ,
)
, , UTM5 RADIUS.

7.1.1 utm5_radius


UTM5 RADIUS
/netup/utm5/radius5.cfg.
:
=

, ,
, - . . . ,
#, .



core_host

IP-

core_port

1 65534

radius_login

radius_password

radius_ssl_type

tls1, ssl3, none

radius_acct_host

IP- 0.0.0.0

radius_acct_port

1 65534

radius_auth_host

IP- 0.0.0.0

radius_auth_port

1 65534

radius_auth_mppe

enable

radius_auth_vap

radius_ippool_acct_timeout

radius_ippool_timeout

radius_auth_null

yes enable

radius_auth_h323_remote_address

eneble, on, yes

IP- ,
UTM5

, UTM5 Stream

radius

UTM5

radius

UTM5

none

SSL.
none,

0.0.0.0


(Accounting-Request)

1813


(Accounting-Request)

0.0.0.0

(Access-Request)

1812

(Access-Request)

MPPE 128 ,

MS-CHAP-v2

,
,
,

30

, IP-
Access-Accept


Stop-

, IP-
Accounting-Start

RADIUS

User-Password(2),
,
,

h323-remote-address


User-Name (1),
h323-remote-address (9;23).



radius_nas_port_vpn*

radius_nas_port_dialup*

radius_nas_port_tel*

radius_card_autoadd

yes, on, enable

send_xpgk_ep_number

send_h323_ivr_in

enable_fast_telephony

enable, yes

h323_origin_reject

interim_update_interval

61


, NAS-Port-Type (61)
,

NAS-Port-Type


, NAS-Port-Type (61)
,

NAS-Port-Type


, NAS-Port-Type (61)
,

yes,
RADIUS .
,
- .
-
-,

,
, Access-Accept
Cisco-AVPair (9;1) : xpgkep-number=< ,
>


Access-Accept
Cisco-AVPair (9;1) : h323-ivr-in=terminal-alias:< , >


.
0 9, ^ $ + )( |


Accounting-Request, h323-call-origin (9;26)

Interim-Update . Acct-Interim-Interval (85)


Access-Accept

UTM5 RADIUS

NAS-Port-Type

IP-

173

radius_default_session_timeout

radius_callback_avpair_enable

radius_acct_rewrite_login_answer

enable, on, true

radius_acct_rewrite_login_originate

enable, on, true

UTM5 RADIUS

***

174

log_level

0 3

log_file_main

log_file_debug

log_file_critical

rotate_logs

yes, on, enable

max_logfile_size**

*
** |
*** ,

Session-Timeout (27) Access-Accept


Cisco-AVPair (9;1)
lcp:callback-dialstring=<callback number>, <callback number> -
:

h323-call-origin (9;26) originate -


h323-remote-address (9;23)
Accounting-Request

h323-call-origin (9;26) answer -


h323-remote-address (9;23)
Accounting-Request

10485760

UTM5 RADIUS

86400

175

8.
IP-
,
IP- UTM5
, IP-
IP-.
IP-
IP- /hotspot
IP-.

UTM5 RADIUS

Accounting-Start User-Name (1) , /hotspot IP-,


Framed-IP-Address (8) IP, UTM5 ,
IP- .
IP-. ,
.

176

IP-
:
1.

,
IP-
IP- .
,

2.

IP-, IP-. IP- ,

3.

IP-, IP-
IP-, -

255.255.255.255. IP-
4.

IP-, 1

IP- :

Internet , IP-,

IP-
Internet

IP- Internet


Internet
, Internet .
IP-, IP- IP-,
IP-.


178

UTM5 Unif

7. UTM5 Unif

1. ...................................................................... 180
2. . .............................................................181
2.1 ........181
2.2
......................................................................... 182
3. utm5_unif ..................................................... 186
3.1 utm5_unif ................................................................... 186


1.
UTM5 Unif , , UTM5, , ,
RADIUS-.
UTM5 Unif
,
, , ,
,
.
, NetFlow, NetFlow.
UTM5 Unif
,
RADIUS-
RADIUS- (Accounting-Request).

UTM5 Unif

,
RADIUS-
(Accounting-Request),
RADIUS-.

180

2.
2.1

:
1.

UTM5
URFA

2.

3.

, ,
.

4.

UTM5
URFA- 0x5510

5.

UTM5 Unif

,
:
1. :
<BYTES>

<TCLASS> <IP>

<LOGIN> , ,
<BYTES> - (
2).

UTM5 Unif

<LOGIN>

181

<TCLASS> , UTM5,

<IP> IP-,
IP. IP- IP-.
2. ,
, .

2.2

UTM5 Unif

182

1.

,
,

2.

, ,

3.

, , , :

1.

Accounting-Request
RADIUS-

2.

. Accounting-Request Start-

3.

Accounting-Request
RADIUS-

4.

. Accounting-Request Stop-

5.

,
-t

+-+-+-+-+-+-+-+-+-                                 +-+-+-+-+-+-+-+-+-
|                 | ---->Access-Request1 (Start-)   |                 |
|   UTM5 Unif     | <----Accounting-Response1       |     RADIUS      |
|                 | ---->Access-Request2 (Stop-)    |                 |
|                 | <----Accounting-Response2       |                 |
+-+-+-+-+-+-+-+-+-                                 +-+-+-+-+-+-+-+-+-

6. UTM5 Unif

1.

2.

3.


, .

UTM5 Unif

, :

183

4.

,
, .

UTM5 Unif

184

1.

2.

.
:

( )

( )

, ,


( ).

, (
):
<>:<>:<>.<> <> <> <> <> <>

, 00:35:05.000 UTC Tue Jul 19 2007


.
, , .
, ,
.


3. utm5_unif
utm5_unif
/netup/utm5/bin/utm5_unif
:

-c <cfg> -

-s <dat_file> - ,

. /netup/utm5/source.dat

-d , ,

-n , RADIUS RADIUS-

-t <time> -

-v -

UTM5 Unif

186

3.1 utm5_unif

UTM5 Unif
/netup/utm5/utm5_unif.cfg.

:
=
, ,
, - . . . ,
#, .


data_source

iptr, pbx

iptr_isaserver

UTM5

core_host

IP-

core_port

1 65534

core_login

core_password

UTM5 Unif

RADIUS-

188

radius_dst_host

IP-

radius_port

1 65534

radius_secret

radius_nas_name

.
IP-
iptr.
pbx.
iptr_isaserver

127.0.0.1

IP- ,
UTM5

11758

, UTM5 URFA

init


UTM5

init


UTM5

127.0.0.1

IP- , RADIUS

1813

, RADIUS-

secret

utm5_unif

. NAS-Identifier
(32)

pbx_calling_sid

pbx_called_sid

pbx_duration

pbx_session_id

pbx_date_time

pbx_date_format

pbx_delimiter

pbx_quote

**

log_level

0 3

log_file_main

log_file_debug

log_file_critical

dont_use_radius

RADIUS-

,
RADIUS- ,
UTM5 URFA.
0x5510

* .

:

%Y

(1970...)

%y

(00..99)

%N

(01..12)

%n

(1..12)

%H

(00..23)

%h

(0..23)

%D

(01..31)

%d

(1..31)

%M

(00..59)

%m

(0..59)

%S

(00..60)

%s

(0..60)

%b

(Jan..Dec)

%z

( MSK) -
FreeBSD Linux

** |
- MS ISA . ,
.

- MS ISA

isa_cs_class

10

isa_logfile_dir

isa_logfile_mask

FWS*

isa_meta_filename

utm5_unif.dat

isa_result_set_limit

1000

isa_sc_class

20

isa_traffic_mult_coef

isalog_cs-bytes

10

isalog_cs-username

isalog_r-ip

isalog_sc-bytes

11

timeout

10

UTM5 RFW

8. UTM5 RFW

1. ...................................................................... 196
2. . .............................................................197
3. ............................................... 199
4. firewall .......................................................... 202
5. utm5_rfw .......................................................... 210
5.1 utm5_rfw ....................................................................211

1.
UTM5 RFW , UTM5.

UTM5 RFW .

2.
:
1.

UTM5

2.

UTM5

3.

UTM5 rfw (| )
.
UTM5 rfw .
UTM5 rfw
UTM5 Stream, , .

UTM5 rfw , , .

firewall (|
firewall)
firewall.
,
, .
, rfw - Local.

rsh -
Remote Cisco.

3.

(| )
.

Firewall name

IP-


.
firewall.

Local

Remote Cisco

Local
, .
Remote Cisco
,
rsh.
firewall_
type rfw, .

Firewall name
rfw.
Firewall name rfw_name rfw,
.

IP-

NetFlow,
IP- ID -

. .. NetFlow
.
.

Remote login, rsh.


Remote Cisco.
local login netup.

4. firewall
firewall (| firewall)
.
firewall - .
UTM5 rfw.

firewall :

( )

( )

(
)

(rfw, ,
,
)


,
:

ACCOUNT_ID

UID

RULE_ID

ULOGIN

UIP

0.0.0.0

/ Internet

UMASK

255.255.255.255

/ Internet

UBITS

32

/ Internet

UINVERTMASK

0.0.0.0

/ Internet

SLINK_ID

/ Internet

SPLINK_ID

10000

/ Internet

BLOCK_TYPE

-1

EMAIL

/ Internet,

IP_LIST

MAC

/ Internet

SWITCH_IP

/ Internet

SWITCH_PORT

/ Internet

TRAFFIC_LIMIT

/ Internet

UGROUP

/ Internet

UTELLOGINS

/ Internet

UTELNUMBERS

/ Internet

TIME_LIMIT




fw_rule_offset -
fw_rule_offset, ,
/ Internet, - , .
, , -
, IP-
(, 255.255.255.255)
(, 32 - ,
255.255.255.255)
. Cisco (, 0.255.255.255)
IP-
IP- 10000

,
UIP/UMASK, ;
MAC-, IP

,
,
IP-

, , ;
, ;
, ;


, Internet , IP- .
, , , .
.

, Internet
IP- .
firewall firewall.

,
.

, ,
,
.

Internet sudo, ,

sudoers , utm5_rfw. utm5_rfw
, sudoers

.

,
,
Internet, , , .



, .
ID ,
ID , ID .

ID
, ID
,
.
0 - .

ID

0 - .

ID
, ID , , .
0 - .

, ID , .


, ID , ID ,
ID .
, .
, .
,
ID ,
ID - ,
.
,
.

Internet, ,
:


,
, .


, ,
.


, ,
.


ID
,
.

5. utm5_rfw
utm5_rfw
/netup/utm5/bin/utm5_rfw

:
-c <cfg>-
-f Internet
,
-o Internet
,
-v
3 utm5_rfw:
1.

/netup/utm5/bin/utm5_rfw

2.

watchdog start

/netup/utm5/bin/safe_utm5_rfw start

-f.
utm5_rfw, ,
.
3. ( )
Linux

/etc/init.d/utm5_rfw start

FreeBSD, Solaris
/usr/local/etc/rc.d/utm5_rfw.sh start

watchdog.
utm5_rfw watchdog
Linux
/etc/init.d/utm5_rfw stop

FreeBSD, Solaris
/usr/local/etc/rc.d/utm5_rfw.sh stop

, firewall UTM, -f -o.


.

5.1 utm5_rfw

UTM5 rfw
/netup/utm5/rfw5.cfg.

, ,
, - . . . ,
#, .

rfw_name

firewall_path

core_host

IP-

core_port

1 65534

rfw_login

rfw_password

firewall_type

local, cisco

rfw_ssl_type

tls1, ssl3, none

,
firewall_type=local
sudo_path

dont_fork

yes, enable, true

,
firewall_type=cisco
cisco_ip

IP-

UTM5 rfw,

UTM5.

IP- ,
UTM5

, UTM5 Stream

UTM5

UTM5

local

firewall.

none

SSL.
none,

sudo

IP- rsh

- ..

. iptables

log_level

0 3

log_file_main

log_file_debug

log_file_critical

rotate_logs

yes, on, enable

max_logfile_count**

max_logfile_size**

pid_file

* - - |
** - ,

, .

.

firewall_flush_cmd

core_timeout

10485760

/var/run/utm5_rfw.pid

PID-

UTM5 Dynashape

9. UTM5 Dynashape

1. ..................................................................................218
2. ..........................................................................220
3. ..................................................................................224
4. utm5_dynashape ......................................................226
4.1 utm5_dynashape .......................................................................226
5. , ......................................................................231

1.
UTM5 dynashape
()
, .
UTM5 dynashape :
- liburfadynashape.so,
utm5_dynashape
utm5_dynashape, -



:
dummynet FreeBSD
iproute2 GNU/Linux


.
UTM5
liburfadynashape.so, .
(| |), urfa_lib_file ():
urfa_lib_file=/netup/utm5/lib/utm5_core/liburfa-dynashape.so

IP-
.

2.

:
1. UTM5
2.
3.
4. ,
(, )
5.
6. /
7.

UTM5 dynashape , / .
UTM5 dynashape URFA,
UTM5:

. (|)

, , ,
t_class
UTM5 dynashape
UTM5 .
utm5_dynashape
cron.
, , IP-,
IP-,
, ( - IP-), utm5_dynashape
:
{firewall_path} {RULE_ID} {IP} {BITMASK} {MASK} {SPEED} {INET_STATUS} {OPER_STATUS}

firewall_path

RULE_ID

IP
MASK
BITMASK

,
firewall_path


ACCOUNT_ID fw_rule_offset
- fw_rule_offset


(,
255.255.255.255)
(, 32 - ,
255.255.255.255)

ACCOUNT_ID

SPEED

INET_STATUS
OPER_STATUS

, ,

Internet:1 - on; 2 - off
,
,
*

* - , ,

IP-
, IP- IP--

IP-
,
IP-

IP- ,
IP- ,

IP-
,
IP-


IP-

IP- , .

tmp_file .
UTM5
dynashape .
utm5_dynashape -i.

3.

(|
) ,
ID , - .
. .
, 2
1 512
; 1 2 256 ;
2 - 128 .
: 2

: 0-512;1-256;2-128;

2 .

4. utm5_dynashape
utm5_dynashape
/netup/utm5/bin/utm5_dynashape

:
-c <cfg>-
-i ( OPER_STATUS=1).
-h

4.1 utm5_dynashape

UTM5 dynashape /netup/utm5/dynashape.cfg.

:
=

, ,
, - . . . ,
#, .

tmp_file

core_host

IP-
0.0.0.0

core_port

1 65534

core_login*

core_password

group_id

t_class

firewall_path

fw_rule_offset

vpn_only

0, 1 2

127.0.0.1

IP- ,
UTM5

11758

, UTM5 URFA

init


UTM5

init


UTM5

ID ,

,

RULE_ID


VPN IP, **

* - urfa-
ID = 0x12001

** VPN IP

VPN
IP-

5. ,


iproute2 GNU/Linux.
,
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit ceil 100mbit burst 200k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 1mbit burst 20k
tc filter add dev eth0 parent 1: protocol ip prio 3 handle 1 fw classid 1:10

#!/bin/bash
# Arguments as passed by utm5_dynashape (see the call format above):
# $1 RULE_ID, $2 IP, $3 BITMASK, $4 MASK, $5 SPEED (kbit/s),
# $6 INET_STATUS, $7 OPER_STATUS (0 delete, 1 add, 2 no-op, 3 change speed)
if=eth1
echo "$*"
echo "First create: tc qdisc add dev $if root handle 1: htb"
case "$7" in
1)
# add: HTB class first, then the fw filter and the MARK rule that feeds it
tc class add dev "$if" parent 1:1 classid "1:$1" htb rate "${5}kbit" burst 20k
tc filter add dev "$if" parent 1: protocol ip prio 3 handle "$1" fw classid "1:$1"
iptables -t mangle -A FORWARD -s 0/0 -d "$2/$3" -j MARK --set-mark "$1"
;;
0)
# delete: reverse order of add
iptables -t mangle -D FORWARD -s 0/0 -d "$2/$3" -j MARK --set-mark "$1"
tc filter del dev "$if" parent 1: protocol ip prio 3 handle "$1" fw classid "1:$1"
tc class del dev "$if" parent 1:1 classid "1:$1"
;;
2)
;;
3)
# change: only the rate of the existing class is updated
tc class change dev "$if" parent 1:1 classid "1:$1" htb rate "${5}kbit" burst 20k
;;
*)
echo "Usage: $(basename "$0") {ID IP BITMASK MASK SPEED INT_STATUS OPER_STATUS}" >&2
exit 64
;;
esac


dummynet FreeBSD:
#!/bin/sh
# $1 RULE_ID, $2 IP, $3 BITMASK, $5 SPEED (kbit/s), $7 OPER_STATUS
case "$7" in
0)
# delete: remove the rule, then the pipe it referenced
/sbin/ipfw delete "$1"
/sbin/ipfw pipe delete "$1"
;;
1)
# add: create the pipe, then the rule sending the address block through it
/sbin/ipfw pipe "$1" config bw "${5}Kbit/s"
/sbin/ipfw add "$1" pipe "$1" ip from "$2/$3" to any
;;
2)
;;
3)
# change: reconfigure the pipe bandwidth only
/sbin/ipfw pipe "$1" config bw "${5}Kbit/s"
;;
esac

UTM5 Urfaclient

10. UTM5 Urfaclient

1. ........................................................ 236
2. .......................................................................237
3. . .......................................................................... 238
4. URFA- ............................................................... 243
5. utm5_urfaclient . .......................................... 248
5.1 ..................................................................................... 250
6. ........................................................... 252
6.1 .......................... 252

1.

, web-
.
,
.
, ,
UTM5 urfaclient, .
UTM5 urfaclient
UTM5
.

NetUP , .

2.

UTM5 RPC (URFA).
UTM5 urfaclient :
- liburfaclient.so, utm5_urfaclient UTM5
utm5_urfaclient,

, URFA-,
URFA-
URFA-,

URFA-
(stdout).

urfa_lib_file=/netup/utm5/lib/utm5_core/liburfa-client.so

UTM5
liburfa-client.so, .

(| |),
urfa_lib_file ():

3.
api.xml XML-

;

. ,
api.xml, . - /netup/utm5/xml/.

, ,
, ,
.
.

, .
.

, integer
,
.

, .
:
now() - unix;
max_time() - UTM5 unix
(2000000000, ~2033 );
size(var_name) var_name.

urfa
. (property). function.
function
. :
name
id .
input output (
). input output
.
input
.
. :

output
input, .

integer
long
double
string
ip_address
if
for
error

integer
output,
32 . input,
32 .
name - .
:
default . , , name.

array_index - -.
long
integer, 64 (int64_t).

double

integer,
(double).
string
integer, .

ip_address
integer,
Ipv4- ( 192.168.0.1 255.255.0.0). Ipv4
32 ( int32_t).
if
.
:
variable ,
value ,
condition (eq , ne ).

.
for
.
:
name -
from
count
:

:
integer
long
double
string
ip_address
if
for
error

integer
long
double
string
ip_address
if
for
error
.
error

,
. :
icode
comment
variable , .

4. URFA-
URFA- URFA, ,
XML-. URFA-
.
_.xml
, URFA-,
.
- /netup/utm5/xml/.
add_user /netup/utm5/xml/add_user.xml.
URFA- .
urfa

call
URFA-, api.
function .

.
call
parameter
for
if
message
set
error
remove

output,
xml-.
parameter.
.
parameter
name .
, value, .
, value, . ,
, ,
name.

comment
,

-a [_] -help.

if
.
:
variable ,
value ,
condition (eq , ne )
:
call

parameter
for
if
message
set
error
break
remove
.
for
.
:
name -
from
count

:
call
parameter
for
if
message
set
error
break
remove

message
text.
stdout ,
text.

set
. dst : src value. src value .
:
dst_index - (0, )
src_index - (0, )

dst -( - , ),
src -,
value .

,
, . 0. -
.

error
,
. :
code
comment
variable , .

shift
,
name, .

.
break
for

.
remove
, name.
array_index,
. .

5. utm5_urfaclient
.
/netup/utm5/bin/utm5_urfaclient

- , ( -help, -debug, -u ).
, .
:
-a .

-h IP- , UTM5. core_host

-p , UTM5 URFA. core_port

-c ( /netup/utm5/utm5_urfaclient.cfg).

-l UTM5. core_login

-P UTM5. core_password

-x , URFA-.
xml_path
-u ,
. plain_user
yes
-s

, .
,
. session_key
-i
-s, IP, . user_ip
-help . -a,
.

,
.
.

UTF-8.
.

-debug , ,

5.1
UTM5 Urfaclient
/netup/utm5/utm5_urfaclient.cfg.
:
=

, ,
, - . . . , #, .

core_host

127.0.0.1

core_port

11758

core_login

init

core_password

init

xml_path

/netup/utm5/xml/

plain_user

session_key

user_ip

127.0.0.1


IP- , UTM5
, UTM5 URFA
UTM5
UTM5

yes , . yes (
), ( )
, . ,


IP-,

, URFA-


. , , , .

6.
6.1
,
.
XML- , URFA-.
XML-, , 1.
URFA- ,
, . URFA- 2.

utm5_urfaclient -a link_tariff_with_services -user_id 5 -account_id 5 -discount_period_id 2 -tariff_current 1 -ip_address 10.4.5.7 -iptraffic_login test4 -iptraffic_password 123


, 3.

1. XML-

<function name="rpcf_get_userinfo" id="0x2006">
<input>
<integer name="user_id"/>
</input>
<output>
<integer name="user_id"/>
<if variable="user_id" value="0" condition="eq">
<error code="10" comment="user not found"/>
</if>
<integer name="accounts_count"/>
<for name="i" from="0" count="accounts_count">
<integer name="account_id" array_index="i"/>
<string name="account_name" array_index="i"/>
</for>
<string name="login"/>
<string name="password"/>
<integer name="basic_account"/>
<string name="full_name"/>
<integer name="create_date"/>
<integer name="last_change_date"/>
<integer name="who_create"/>
<integer name="who_change"/>
<integer name="is_juridical"/>
<string name="jur_address"/>
<string name="act_address"/>
<string name="work_tel"/>
<string name="home_tel"/>
<string name="mob_tel"/>
<string name="web_page"/>
<string name="icq_number"/>
<string name="tax_number"/>
<string name="kpp_number"/>
<integer name="bank_id"/>
<string name="bank_account"/>
<string name="comments"/>
<string name="personal_manager"/>
<integer name="connect_date"/>
<string name="email"/>
<integer name="is_send_invoice"/>
<integer name="advance_payment"/>
<integer name="house_id"/>
<string name="flat_number"/>
<string name="entrance"/>
<string name="floor"/>
<string name="district"/>
<string name="building"/>
<string name="passport"/>
<integer name="parameters_size"/>
<for name="i" from="0" count="parameters_size">
<integer name="parameted_id"/>
<string name="parameter_value"/>
</for>
</output>
</function>
<function name="rpcf_link_user_tariff" id="0x3018">
<input>
<integer name="user_id"/>
<integer name="account_id" default="0"/>
<integer name="tariff_current"/>
<integer name="tariff_next" default="tariff_current"/>
<integer name="discount_period_id"/>
<integer name="tariff_link_id" default="0"/>
</input>
<output>
<integer name="tariff_link_id"/>
<if variable="tariff_link_id" value="0" condition="eq">
<error code="13" comment="unable to link user tariff"/>
</if>
</output>
</function>
<function name="rpcf_get_tariff" id="0x3011">
<input>
<integer name="tariff_id"/>
</input>
<output>
<string name="tariff_name"/>
<integer name="tariff_create_date"/>
<integer name="who_create"/>
<string name="who_create_login"/>
<integer name="tariff_change_date"/>
<integer name="who_change"/>
<string name="who_change_login"/>
<integer name="tariff_expire_date"/>
<integer name="tariff_is_blocked"/>
<integer name="tariff_balance_rollover"/>
<integer name="services_count"/>
<for name="i" from="0" count="services_count">
<integer name="service_id_array" array_index="i"/>
<integer name="service_type_array" array_index="i"/>
<string name="service_name_array" array_index="i"/>
<string name="comment_array" array_index="i"/>
<integer name="link_by_default_array" array_index="i"/>
<integer name="is_dynamic_array" array_index="i"/>
</for>
</output>
</function>
<function name="rpcf_add_service_to_user" id="0x2551">
<input>
<integer name="user_id"/>
<integer name="account_id" default="basic_account"/>
<integer name="service_id"/>
<integer name="service_type"/>
<string name="return_type" default=""/>
<integer name="tariff_link_id" default="0"/>
<if variable="service_type" value="1" condition="eq">
<integer name="slink_id" default="0"/>
<integer name="discount_date" default="now()"/>
</if>
<if variable="service_type" value="2" condition="eq">
<integer name="slink_id" default="0"/>
<integer name="is_blocked" default="0"/>
<integer name="discount_period_id"/>
<integer name="start_date" default="now()"/>
<integer name="expire_date" default="max_time()"/>
<integer name="unabon" default="0"/>
<integer name="unprepay" default="0"/>
</if>
<if variable="service_type" value="3" condition="eq">
<integer name="slink_id" default="0"/>
<integer name="is_blocked" default="0"/>
<integer name="discount_period_id"/>
<integer name="start_date" default="now()"/>
<integer name="expire_date" default="max_time()"/>
<integer name="unabon" default="0"/>
<integer name="unprepay" default="0"/>
<integer name="ip_groups_count" default="size(ip_address)"/>
<for name="i" from="0" count="size(ip_address)">
<ip_address name="ip_address" array_index="i"/>
<ip_address name="mask" array_index="i" default="-1"/>
<string name="mac" array_index="i" default=""/>
<string name="iptraffic_login" array_index="i" default=""/>
<string name="iptraffic_allowed_cid" array_index="i" default=""/>
<string name="iptraffic_password" array_index="i" default=""/>
<integer name="ip_not_vpn" array_index="i" default="0"/>
<integer name="dont_use_fw" array_index="i" default="0"/>
<integer name="router_id" array_index="i" default="0"/>
</for>
<integer name="quotas_count" default="size(quota)"/>
<for name="i" from="0" count="size(quota)">
<integer name="tclass_id" array_index="i"/>
<long name="quota" array_index="i"/>
</for>
</if>
<if variable="service_type" value="5" condition="eq">
<integer name="slink_id" default="0"/>
<integer name="is_blocked" default="0"/>
<integer name="discount_period_id"/>
<integer name="start_date" default="now()"/>
<integer name="expire_date" default="max_time()"/>
<string name="dialup_login"/>
<string name="dialup_password" default=""/>
<string name="dialup_allowed_cid" default=""/>
<string name="dialup_allowed_csid" default=""/>
<integer name="callback_enabled" default="0"/>
<integer name="unabon" default="0"/>
<integer name="unprepay" default="0"/>
</if>
</input>
<output>
<if variable="return_type" value="integer_return" condition="eq">
<integer name="error_code"/>
<if variable="error_code" value="0" condition="ne">
<error code="12" comment="unable to add service to user"/>
</if>
<error comment="test"/>
</if>
<if variable="return_type" value="integer_return" condition="ne">
<string name="error_msg"/>
<if variable="error_msg" value="" condition="ne">
<error code="12" comment="unable to add service to user" variable="error_msg"/>
</if>
</if>
</output>
</function>

2. URFA-

<?xml version="1.0"?>
<urfa>
<call function="rpcf_get_userinfo">
<parameter name="user_id" comment="User ID"/>
</call>
<call function="rpcf_link_user_tariff">
<parameter name="account_id" comment="Account ID, default is basic account"/>
<parameter name="tariff_current" comment="Current discount period tariff"/>
<parameter name="tariff_next" comment="Next discount period tariff, default is same as tariff_current"/>
<parameter name="discount_period_id" comment="Discount period ID"/>
</call>
<set src="tariff_current" dst="tariff_id"/>
<call function="rpcf_get_tariff"/>
<for name="j" from="0" count="size(service_id_array)">
<set src="link_by_default_array" src_index="j" dst="link_by_default"/>
<if variable="link_by_default" value="1" condition="eq">
<set src="service_id_array" src_index="j" dst="service_id"/>
<set src="service_type_array" src_index="j" dst="service_type"/>
<set dst="return_type" value=""/>
<if variable="service_type" value="1" condition="eq">
<call function="rpcf_add_service_to_user">
<parameter name="discount_date" comment="Discount date for once service"/>
</call>
</if>
<if variable="service_type" value="2" condition="eq">
<call function="rpcf_add_service_to_user">
<parameter name="is_blocked" comment="Block type in numeric form"/>
<parameter name="discount_period_id" comment="Discount period ID"/>
<parameter name="start_date" comment="Service start date (unix timestamp)"/>
<parameter name="expire_date" comment="Service expire date (unix timestamp)"/>
<parameter name="unabon"/>
<parameter name="unprepay" comment="Decrease prepayed units in blocked state"/>
</call>
</if>
<if variable="service_type" value="3" condition="eq">
<call function="rpcf_add_service_to_user">
<parameter name="is_blocked" comment="Block type in numeric form"/>
<parameter name="discount_period_id" comment="Discount period ID"/>
<parameter name="start_date" comment="Service start date (unix timestamp)"/>
<parameter name="expire_date" comment="Service expire date (unix timestamp)"/>
<parameter name="unabon"/>
<parameter name="unprepay" comment="Decrease prepayed units in blocked state"/>
<parameter name="ip_address" comment="IP-address array for IP-traffic service"/>
<parameter name="mask" comment="IP mask array for IP-traffic service"/>
<parameter name="mac" comment="MAC address array for IP-traffic service"/>
<parameter name="iptraffic_login" comment="Service link login"/>
<parameter name="iptraffic_allowed_cid" comment="Allowed CID"/>
<parameter name="iptraffic_password" comment="Service link password"/>
<parameter name="ip_not_vpn" comment="1 if IP is not VPN, else 0"/>
<parameter name="dont_use_fw" comment="1 if dont use firewall, else 0"/>
<parameter name="router_id" comment="Router ID for each IP-address"/>
<parameter name="tclass_id" comment="TClass array for quotas"/>
<parameter name="quota" comment="Quotas array"/>
</call>
</if>
<if variable="service_type" value="5" condition="eq">
<call function="rpcf_add_service_to_user">
<parameter name="is_blocked" comment="Block type in numeric form"/>
<parameter name="discount_period_id" comment="Discount period ID"/>
<parameter name="start_date" comment="Service start date (unix timestamp)"/>
<parameter name="expire_date" comment="Service expire date (unix timestamp)"/>
<parameter name="unabon"/>
<parameter name="unprepay" comment="Decrease prepayed units in blocked state"/>
<parameter name="callback_enabled"/>
<parameter name="dialup_login" comment="Service link login"/>
<parameter name="dialup_allowed_cid" comment="Allowed CID"/>
<parameter name="dialup_allowed_csid" comment="Allowed CSID"/>
<parameter name="dialup_password" comment="Service link password"/>
</call>
</if>
</if>
</for>
</urfa>

3.

<?xml version="1.0"?>
<urfa>
<session key="0c282446926357fca58d1a282017baac"/>
<call function="rpcf_get_userinfo">
<output>
<integer name="user_id" value="5"/>
<integer name="accounts_count" value="1"/>
<array name="i">
<item>
<integer name="account_id" value="5"/>
<string name="account_name" value="auto create account"/>
</item>
</array>
<string name="login" value="5"/>
<string name="password" value="1a2466"/>
<integer name="basic_account" value="5"/>
<string name="full_name" value=""/>
<integer name="create_date" value="1176774652"/>
<integer name="last_change_date" value="1176774652"/>
<integer name="who_create" value="-1"/>
<integer name="who_change" value="-1"/>
<integer name="is_juridical" value="0"/>
<string name="jur_address" value=""/>
<string name="act_address" value=""/>
<string name="work_tel" value=""/>
<string name="home_tel" value=""/>
<string name="mob_tel" value=""/>
<string name="web_page" value=""/>
<string name="icq_number" value=""/>
<string name="tax_number" value=""/>
<string name="kpp_number" value=""/>
<integer name="bank_id" value="0"/>
<string name="bank_account" value=""/>
<string name="comments" value=""/>
<string name="personal_manager" value=""/>
<integer name="connect_date" value="0"/>
<string name="email" value=""/>
<integer name="is_send_invoice" value="0"/>
<integer name="advance_payment" value="0"/>
<integer name="house_id" value="0"/>
<string name="flat_number" value=""/>
<string name="entrance" value=""/>
<string name="floor" value=""/>
<string name="district" value=""/>
<string name="building" value=""/>
<string name="passport" value=""/>
<integer name="parameters_size" value="0"/>
<array name="i"/>
</output>
</call>
<call function="rpcf_link_user_tariff">
<output>
<integer name="tariff_link_id" value="3"/>
</output>
</call>
<call function="rpcf_get_tariff">
<output>
<string name="tariff_name" value="test"/>
<integer name="tariff_create_date" value="1176773745"/>
<integer name="who_create" value="-1"/>
<string name="who_create_login" value="init"/>
<integer name="tariff_change_date" value="1176773782"/>
<integer name="who_change" value="-1"/>
<string name="who_change_login" value="init"/>
<integer name="tariff_expire_date" value="1208376000"/>
<integer name="tariff_is_blocked" value="0"/>
<integer name="tariff_balance_rollover" value="0"/>
<integer name="services_count" value="2"/>
<array name="i">
<item>
<integer name="service_id_array" value="5"/>
<integer name="service_type_array" value="2"/>
<string name="service_name_array" value="2"/>
<string name="comment_array" value=""/>
<integer name="link_by_default_array" value="1"/>
<integer name="is_dynamic_array" value="0"/>
</item>
<item>
<integer name="service_id_array" value="6"/>
<integer name="service_type_array" value="3"/>
<string name="service_name_array" value="3"/>
<string name="comment_array" value=""/>
<integer name="link_by_default_array" value="1"/>
<integer name="is_dynamic_array" value="0"/>
</item>
</array>
</output>
</call>
<call function="rpcf_add_service_to_user">
<output>
<string name="error_msg" value=""/>
</output>
</call>
<call function="rpcf_add_service_to_user">
<output>
<string name="error_msg" value=""/>
</output>
</call>
</urfa>

11.

1. .................................. 274
2. . ................................................................................... 275
2.1 ............................................................... 275
2.2 ............................................................ 275
2.3 .................................... 276
2.4 ........................................ 276
2.5 .............................................................. 277
2.6 , VPN .... 277
2.7 .......................................................... 278
2.8 ................................................... 279
3. ........................................................................... 280
3.1 IP-.......................................................... 280
3.2 .......................................................... 280
3.3 ......................................................... 280
4. ....................................281


1.

UTM
.

Java

2.


UTM (UTM_Admin.jar)


IP
- . . . , ( )
.

Sun Java 2 (http://www.sun.com/),
UTM_Admin.jar. init init. .
web,
/netup/utm5/web5.cfg.

2.
, .
, .
,
.
XML
.

2.1
( )

.

;
;
.

2.2
IP

-
.

:
;
;
;
;
IP-;
;
;
;
;

:
;
;
;
;
;
( 1 );
.

2.3



.
, IP

-.

2.4
:
;
;
;
;
IP- ;
IP- ;
;
;
TCP;
;
TOS.


, .
,
get_nf_direct.

2.5

2.6 , VPN

VPN


RADIUS
. :
;
;
;
;
IP-;
;
;
(NAS);

. :
;
;
;
;
;
;
.

;
;
IP- ;
;
;
;
;
.
, :
;
.

2.7


. :
;
;
;
;
;
;
;
, ;
.

.

2.8

.
: . . , , .
. :
;
;
;
;
;
.


3.
3.1 IP-
IP-

: ,
. IP-
.

3.2
, .
IP-.

3.3


. ,
, .
XML.
: , , .

4.
,
.
().
:
.
, .
,
, .

: .
,
, .
.


, , , - . .
.

,
, .

.

Infinity
date

,
.

Infinity
date
,
( ).
, ,
. , .

, - (), ,
( ).

XML
.
(
) ,
.

.

, card_NUM, NUM


, , - .
,
, .
,

.


12.

1. ....................................................................... 286
2. .......................................................................287
3. ............................................ 288
4. UTM5................................... 290
5. ........................................................... 292


1.
Java-,
United Control Center (UCC).
UCC , / .
UCC
.

:

,
.

,
:


, .

( ext)
,
(
). .

2.

http://www.netup.ru
. , , cashier.zip cashier_ext.zip ccse.keystore, Keystore,
, control.center.se.jar.
Java
Runtime Environment 5.0 (JRE 1.5.0.x). http://java.sun.com
downloads http://www.netup.ru .


3.

UTM :
1.

privkey.pem cert.crt, , /netup/utm5/:


# cp privkey.pem cert.crt /netup/utm5/

2.

/netup/utm5/utm5.cfg ,
:
ssl_cert_file=/netup/utm5/cert.crt
ssl_privkey_file=/netup/utm5/privkey.pem
ssl_privkey_passphrase=<password>

<password> ,
.
3.

UTM :

4.

Linux:

# /etc/rc.d/init.d/utm5_core stop
# /etc/rc.d/init.d/utm5_core start
FreeBSD Sun Solaris:
# /usr/local/etc/rc.d/utm5_core.sh stop
# /usr/local/etc/rc.d/utm5_core.sh start


, UTM 5,
.

- /netup/utm5/log/debug.log
:
Info : Dec 07 16:33:55 RPCCtx: Loading core certificate </netup/utm5/crt/cert.crt> private key </netup/utm5/crt/privkey.pem>
Info : Dec 07 16:33:55 RPCCtx: Certificate loaded successfully


4. UTM5
cashier, . cashier , ,
.

,

FID

rpcf_search_users_lite

2001*

rpcf_get_users_list

2011*

rpcf_get_users_count

2030

rpcf_get_accountinfo

2033

rpcf_get_user_account_list

2910

rpcf_get_currency_list

3008

rpcf_payments_report_owner

3100

rpcf_get_payment_methods_list

1202

3110

rpcf_add_payment_for_account

440A

rpcf_whoami


( )

* -

IP , IP .


5.
, control.center.se.jar, ,
:
java -jar control.center.se.jar

IP-
UTM5, ( ).


.
, .
( ). ( )
.

: [ ] :
.

2.

, .

3.

.
.

4.

. ,
Cash payment.

5.

OK.

1.



, . ,
.

.
- , - .

...


Web-

13. Web-

-
/netup/utm5/web5.cfg. - .
.
core_host

, .
: 127.0.0.1.
web_login

.
: web.
web_password

.
: web.
traffic_detail_report

<item name="user_reports_traffic_detail" mvalue="M_REPORTS_TRAFFIC_DETAIL" href="user5?cmd=user_reports_traffic_detail&amp;skey="/>


- . : enable.
user_reports_traffic_menu.xml ( cgi-
UTM 5.0) :

traffic_detail_report_size

M hotspot

14. hotspot
, FreeBSD Linux
- Apache, DNS

NetUP

UTM.
,
hotspot.
.
- , ,
.
(
), ( ),

. .

IP-

15. IP

-
IP

- UTM5 RADIUS

,
(
gatekeepers
), -.
UTM5 RADIUS

UTM5 RADIUS.

IP- (IP telephony)


, IP

. :
Voice over IP (VoIP), Internet Telephony.
(PSTN)

(Caller ID)
.
ANI Automatic Number Identification.


. .
PSTN Public Switched Telephony Network.

IP- (VoIP gateway)


,
IP

, .
IP

-.

Cisco 3620 NM-2V + VIC 2 FXO.



IP
. ,
IP
- (Microsoft NetMeeting, OpenPhone .) ().
: ()
IP
.
( 9391000)
( )
IP

(
100 200).
H.323

, (ITU-T), IP-.

,
IP

- (RAS Registration, Admission and Status), (H.225.0, H.245), , .
H.323 (H.323 , H.323 gatekeeper)
(, ), ,
.
RADIUS
.

IP-
. RADIUS Access-Request.

IP- . ,
IP-.
RADIUS
Called-Station-Id ( ) Calling-Station-Id ( ). RADIUS
, ,
, Access-Accept,
. h323credit-time, vendor 9 (Cisco).

, , . RADIUS
(Accounting-Start), .

, , .
, .
, .
,
IP
- .
, (, IP
)
.
RADIUS

.
, .

RADIUS
,
.

.
,
.
64/.
, , DSP

-.

, /
G.711 64
G.723.1 5.3 6.4
G.729


Interactive Voice Response

.

IP

-.
.
1.
IP
-. IP

- (, Cisco 3640 E1),
.
2. ( .
au
) -

IVR

. -
.
3.
RADIUS.
1 (UserName), - 2 (Password).

4. RADIUS Access-Accept, .
h323-credit-amount h323-currency vendor=9 (Cisco).
IP-

, . , IP-
(
).

5.
RADIUS, Called-Station-Id, .
RADIUS
Access-Accept h323credit-time.
6. RADIUS

IP
- . , ,
.
7. RADIUS Accounting-Start, Accounting-Stop.

16.


UTM
-
: .
, ,
. , .
-
,
, .


- .


,
. , guest

guest
.

, -. , , 600 .
: GUEST

,
600 ., 0 .. .

, UTM

, IP- GUEST
, , 172.16.0.0/16. ,
, ,
DNS
.

DNS
, Internet, ,
- .


-
RADIUS.

RADIUS
/netup/utm5/radius5.cfg
radius_card_autoadd=yes

RADIUS

UTM


.
, - - .
,

- -
, -.
,
,
UTM

,
. UTM

,
, ,
.


RADIUS
,
.
,
, - . , , .

,
PAP

.
Windows

, . ,
,
.

RADIUS
:
?Debug : Oct 27 12:08:00 RADIUS Auth: Packet from <example.org>
?Debug : Oct 27 12:08:00 RADIUS Auth: User <5> connecting
ERROR : Oct 27 12:08:00 RADIUS DBA: Cant find login <5>
ERROR : Oct 27 12:08:00 RADIUS DBA: Cant find card login <000000005>
?Debug : Oct 27 12:08:00 RADIUS Auth: Attempt to add new Card user: <5>
?Debug : Oct 27 12:08:00 RADIUS DBA: Sending Auto-Add Request for Card-ID: 5
?Debug : Oct 27 12:08:00 RADIUS URFA[plugin]: DLink: SLID/SID/AID: 14/6/14
?Debug : Oct 27 12:08:00 RADIUS URFA[plugin]: Account <14> with balance <10.000>
?Debug : Oct 27 12:08:00 RADIUS Auth: Got AutoAdd 14 UID from core.
ERROR : Oct 27 12:08:00 RADIUS DBA: Cant find login <5>
?Debug : Oct 27 12:08:00 RADIUS DBA: login_store iter->second.dialup.session_count:0
Info : Oct 27 12:08:00 RADIUS Auth: User <5> added.
?Debug : Oct 27 12:08:00 RADIUS Auth: Auth scheme: PAP
?Debug : Oct 27 12:08:00 RADIUS Auth: PAP: <51154755> vs <51154755>
?Debug : Oct 27 12:08:00 RADIUS Auth: Dialup session limit:0 session count:0 for user:5
?Debug : Oct 27 12:08:00 RADIUS Auth: Calculated maximum session time: 36000
?Debug : Oct 27 12:08:00 RADIUS DBA: dialup_link_update called for slink:14
?Debug : Oct 27 12:08:00 RADIUS DBA: soft dialup_link_update for slink:14 session_count:1
?Debug : Oct 27 12:08:00 RADIUS Auth: PAP: Authorized user <5>

17.

1. NetFlow ........ 316


2. RADIUS
....... 318
3. get_nf_direct..................................................321
4. utm5_payment_tool ..................................... 323



1.
NetFlow
NetFlow v.5
utm5_flowgen, :
/netup/utm5/bin/utm5_flowgen.
:
-h

IP- ,
NetFlow-. 127.0.0.1.
-p

, NetFlow-. 9996.

-c


NetFlow-.
65535.
-t


NetFlow.
-s

IP-, IP-. srcaddr NetFlow-.


-d

IP-, IP-. dstaddr NetFlow-.

-b

.
dOctet NetFlow-.
NetFlow

- 1048576 , 10.0.0.1
10.0.0.2:
/netup/utm5/bin/utm5_flowgen -c 1 -s 10.0.0.1 -d 10.0.0.2 -b 1048576



2.
RADIUS
RADIUS utm5_radgen, : /netup/utm5/bin/utm5_radgen.
:
-p

,
RADIUS
-.
-h

IP
-, RADIUS
.

-s

RADIUS

-.
-c

RADIUS-. 1 (Access-Request).
-u

. ID 2 (Password).
-a

. . :


vendor_id:attr_id:is_digit:value

. . 0.
.
: . 0, ,
. 1, , (integer).
.

1. (Access-request) :
/netup/utm5/bin/utm5_radgen -h 127.0.0.1 -p 1812 -s secret -u password -a 0:1:0:username

RADIUS- username password.

2. (Accounting-request) :
/netup/utm5/bin/utm5_radgen -h 127.0.0.1 -p 1813 -s secret -a 0:1:0:username -a 0:40:1:1 -a 0:44:0:sessionid1 -c 4

RADIUS- username. , (start). sessionid1.

3. (Accounting-request) :
/netup/utm5/bin/utm5_radgen -h 127.0.0.1 -p 1813 -s secret -a 0:1:0:username -a 0:32:0:localhost -a 0:40:1:2 -a 0:44:0:sessionid1 -a 0:46:1:100 -c 4

RADIUS- username. , (stop). sessionid1. (Acct-Session-Time) 100 .


3. get_nf_direct
get_nf_direct

.
get_nf_direct
/netup/utm5/bin/get_nf_direct
:

-D <dir> -

-b <database filename> -

-a ,

-s <source address> - ,

-d <destination address> - ,

-p <source port> - ,

-P <destination port> - ,

-c <t_class> - ,

-f <from timestamp> - Unix Time Stamp,



-t <to timestamp> - Unix Time Stamp,

. ,

-l <limit> ,

. -

-u raw-

-e

-h -


4. utm5_payment_tool
utm5_payment_tool .
utm5_payment_tool
/netup/utm5/bin/utm5_payment_tool

-h IP- , UTM5

-P , UTM5 URFA

-t

-m

-e

-k

-l UTM5

-p UTM5

-a

-b

-c

-i

-C <cfg>-

-L


utm5_payment_tool /netup/utm5/utm5_payment_tool.cfg.
:
=

, ,
, - . . . ,
#, .

core_host

IP- ,
UTM5

core_port

, UTM5
URFA

core_user


UTM5

core_password


UTM5

user_comment
admin_comment
currency_id
payment_method


turn_on_internet

account_id
external_number

, , .



18.

1. ........ 328
2.
............................................................................. 332
3. . .................. 335



1.


NetUP

UTM
.
.

CD
-
ROM
NetUP

UTM
.
.
.
utm5_core.
00 00 1
2003 .

FreeBSD:

date 0304010000


Linux:
date 0401000003

.
mysqladmin drop UTM5
mysqladmin create UTM5
mysql UTM5 < UTM5_MYSQL_kp.sql
mysql -f UTM5 < UTM5_MYSQL_update.sql

kp.pl ,
NetFlow-
, - NetFlow- utm5_flowgen (/netup/utm5/bin/utm5_flowgen).

utm5_core.
kp.pl .
perl kp.pl

1 2003 . 1 2003 . ,

: , , 2003.
( 2003 .)
cli2

cli3

cli4

cli5

0,5

10

40

30

30

30

30

30

15

60

120

300

1200

0,2

0,2

0,2

0,15

0,15

50

50

50

500

500

14

105

100

100

-3

-5

-17

-100

-205

cli1


( 2003 .)
cli1

cli2

cli3

cli4

cli5

2,5

20

50

31

31

31

31

31

31

77,5

155

620

1550

0,2

0,2

0,2

0,15

0,15

50

50

50

500

500

5,5

21

18

157,5

100

100

-6

-13,5

-41

-218

-462,5

cli1

cli2

cli3

cli4

cli5

1
,5

30

60

30

30

30

30

30

45

90

180

900

1800

0,2

0,2

0,2

0,15

0,15

50

50

50

500

500

( 2003 .)


26

60

195

100

100

-3

-11

-29

-160

-295

-9

-24,5

-70

-378

-757,5

, kp.pl .
.



2.

NetUP

UTM
.

.

CDROM
NetUP

UTM
.
.
.
utm5_core.
00 00 1
2003 .

FreeBSD:
date 0304010000

Linux:


date 0401000003

.
mysqladmin drop UTM5
mysqladmin create UTM5
mysql UTM5 < UTM5_MYSQL_kp_dialup.sql
mysql -f UTM5 < UTM5_MYSQL_update.sql

kp_dialup.pl
, Radius Accounting-
utm5_radius, -
RADIUS- utm5_radgen (/netup/utm5/bin/utm5_radgen).

utm5_core
RADIUS utm5_radius.
kp.pl .
perl kp_dialup.pl

1 2003 . 1 2003 . ,

: , , 2003.
, kp_dialup.pl .
.

( 2003 .). 30.


dialup
1
dialup
2
dialup3
8.00- 20
.00- 8.00- 20
.00- 8.00- 20
.0019
.
59 7
.
59 19
.
59 7
.
59 19
.
59 7
.
59
0,1

0,1

0,2

0,2

0,3

0,3

12

18

10
-19

10
-28

10
-37

,

,
,
../
,
..


( 2003 .). 31.


dialup
1
dialup
2
dialup3
8.00- 20
.00- 8.00- 20
.00- 8.00- 20
.0019
.
59 7
.
59 19
.
59 7
.
59 19
.
59 7
.
59

,

,
,
../
,
..

0,1

0,1

0,2

0,2

0,3

0,3

3,1

3,1

6,2

6,2

9,3

9,3

3,1

6,2

6,2

12,4

9,3

18,6

10

10

10

-19,3

-28,6

-37,9

( 2003 .). 30.

dialup
1
dialup
2
dialup3
8.00- 20
.00- 8.00- 20
.00- 8.00- 20
.0019
.
59 7
.
59 19
.
59 7
.
59 19
.
59 7
.
59


,

,
,
../
,
..

0,1

0,1

0,2

0,2

0,3

0,3

12

18

10
-19

10
-28

10
-37

-57,3

-84,6

-111,9

, kp.pl .
.

3.


:
mysql UTM5 < /netup/utm5/UTM5_tel_kp_clean.sql
mysql -f UTM5 < /netup/utm5/UTM5_MYSQL_update.sql > /dev/null 2>&1
RADIUS- .
CDR- :
/netup/utm5/bin/utm5_unif -c /netup/utm5/utm5_unif_kp.cfg -s /netup/utm5/src.cdr

2005 .


.
1
5409652
1

2
5409653
2


. 1 1


. 2 2

. 1

()

(1)

7095

- (2)

7812

(.) (3)

7910, 7915, 7916, 7917

(4)

7351

(5)

7345

(6)

81039

(7)

81033

(8)

810249

1
5 .
60 .
- 10 .
1 .
60 .

- (2)

0,2

0,4

(.) (3)
(4)

0,2
0,4

0,3
0,6

0,3
0,2
0,4

10 ..

(5)
(6)
(7)

0,5
1
1,2

0,8
1,3
1,6

0,6
1,1
1,2


(8)

2,1

2,9

2,5


. 2 1

(1)


00:00 9:00
9:00 23:59:59
0,1
0,2

0,1

2
0 .
60 .
- 10 .
1 .
5 ..
60 .

. 3 2


00:00 9:00

9:00
23:59:59

(1)

0,08

0,15

0,08

- (2)

0,15

0,22

0,2

(.) (3)

0,2

0,3

0,2

(4)

0,35

0,5

0,4

(5)

0,4

0,7

0,4

(6)

1,2

1,5

1,2

(7)

1,5

1,9

1,5

(8)

2,4

3,1

2,3

. 4 1

- (2)
(.)
(3)

(4)

00:12:10

730

0,4

4,833

01:10:00

4200

0,3

20,975

00:02:54

174

0,6

1,690

(5)

00:12:04

724

0,6

7,190

01.07.05
11:20:00
01.07.05
15:55:40
01.07.05
21:05:00
02.07.05
01:25:00

(6)

00:10:01

601

1,1

10,927

(7)

01:01:54

3714

1,6

98,907

(8)

00:00:24

24

2,9

1,208

(1)

00:01:04

64

0,1

0,098

(7)

02:00:01

7201

1,6

191,893

(.)
(3)

(4)

(4)

00:32:05

1925

0,3

9,600

00:12:01

721

0,4

4,773

00:00:09

0,4

0,027

(6)

00:22:52

1372

22,783

(4)

00:01:24

84

0,6

0,790

(8)

00:03:13

193

2,1

6,580

(7)

00:07:00

420

1,6

11,067

(4)

00:39:12

2352

0,6

23,470

(6)

00:00:54

54

1,1

1,008

(1)

00:00:23

23

0,1

0,042

(1)

00:22:05

1325

0,2

4,400

(5)

00:21:11

1271

0,8

16,880

- (2)

00:12:01

721

0,2

2,387

(6)

00:00:13

13

0,250

(1)

00:01:22

82

0,2

0,257

- (2)

00:00:03

0,000

(8)

00:52:05

3125

2,5

130,000

(8)

00:18:19

1099

2,9

52,877

03.07.05
11:15:00
04.07.05
21:53:00
05.07.05
12:13:00
06.07.05
01:25:00
07.07.05
11:05:20
08.07.05
21:25:00
09.07.05
09:55:00
10.07.05
08:05:00
11.07.05
04:35:00
12.07.05
13:10:00
13.07.05
01:05:00
14.07.05
16:03:00
15.07.05
18:04:00
16.07.05
19:15:00
17.07.05
16:35:00
18.07.05
14:10:00
19.07.05
23:01:00
20.07.05
00:35:00
21.07.05
00:35:00
22.07.05
10:22:00
23.07.05
06:16:00
24.07.05
01:14:00
25.07.05
12:19:00


26.07.05
13:45:00
27.07.05
11:05:00
28.07.05
15:17:00
29.07.05
12:25:00
30.07.05
21:25:00
31.07.05
02:00:10

- (2)

00:20:21

1221

0,4

8,107

(1)

00:01:10

70

0,2

0,217

- (2)

00:02:12

132

0,4

0,847

(1)

00:32:05

1925

0,2

6,400

(6)

00:02:14

134

1,1

2,365

(1)

00:01:25

85

0,1

0,133

642,98

. 4 2


01.07.05
04:15:10

(1)

00:00:19

19

0,08

0,019

02.07.05
14:25:30

(7)

00:01:11

71

1,5

1,650

03.07.05
18:11:24

(1)

00:20:34

1234

0,08

1,639

04.07.05
01:21:10

(6)

00:15:39

939

1,2

18,680

05.07.05
07:12:23

(1)

00:00:15

15

0,08

0,020

06.07.05
17:22:13

- (2)

00:00:43

43

0,22

0,139

07.07.05
22:45:52

(8)

00:00:18

18

3,1

0,775

08.07.05
09:10:15

- (2)

00:00:20

20

0,22

0,055

09.07.05
12:32:16

(1)

00:01:21

81

0,08

0,101

10.07.05
19:11:25

(5)

00:05:45

345

0,4

2,267

11.07.05
02:50:38

(6)

00:10:07

607

1,2

12,040

12.07.05
06:00:20

(4)

01:15:21

4521

0,35

26,343

13.07.05
13:11:45

- (2)

00:01:32

92

0,22

0,319

(.)
(3)

00:02:45

165

0,3

0,800

15.07.05
15:27:13

(1)

00:00:13

13

0,15

0,038

16.07.05
11:58:22

(1)

00:07:21

441

0,08

0,581

17.07.05
14:17:23

- (2)

00:16:42

1002

0,2

3,323

18.07.05
20:34:31

(6)

00:32:15

1935

1,5

48,250

19.07.05
11:15:53

(1)

03:15:41

11741

0,15

29,340

20.07.05
17:52:33

(1)

01:10:32

4232

0,15

10,568

21.07.05
19:20:41

(4)

00:04:21

261

0,5

2,133

22.07.05
02:16:14

(5)

00:09:54

594

0,4

3,927

23.07.05
15:47:22

(6)

00:05:34

334

1,2

6,580

24.07.05
11:17:27

(7)

00:15:55

955

1,5

23,750

25.07.05
22:34:51

(5)

00:20:45

1245

0,7

14,467

26.07.05
10:37:21

(1)

01:56:17

6977

0,15

17,430

27.07.05
14:47:29

(1)

00:21:56

1316

0,15

3,278

28.07.05
08:45:23

- (2)

00:48:12

2892

29.07.05
11:04:03

(6)

00:12:55

775

1,5

19,250

30.07.05
18:05:11

(.)
(3)

00:03:51

231

0,2

0,753

31.07.05
23:14:43

(1)

00:08:12

492

0,08

0,649

258,76

9,570

14.07.05
10:12:28


. 3


. 4 1


. 5 2


19.

1. ...... 349
1.1 .................................................................. 349
1.2 ...........................................................351
1.3 ................................................................ 358
1.3.1 .......................... 359
1.3.1.1 GNU/Linux ............................................. 359
1.3.1.2 FreeBSD .................................................... 359
1.3.2 . ........ 360
1.3.3 ...361
1.3.3.1 e-port ..........................................................361
1.3.3.2 ....................................................361
1.3.3.3 Web Money ............................................... 362
1.3.3.4 . . ....................................... 362
1.3.3.5 Z-PAY ......................................................... 363
1.3.4 ............................... 364
1.3.5 ..................... 364
1.4 .............................................................. 365
1.4.1 ........ 365
1.4.2 . .............. 369
1.5. . ...... 370
1.5.1 GNU/Linux .................................................... 370
1.5.2 FreeBSD ........................................................... 370
1.5.3 ........................................... 370
1.6. . .......... 372
1.6.1 . ...................................... 375
1.6.2 .....381
1.6.3 .................................... 386
1.6.4 . ......................................391
1.6.5 ................................ 329
1.6.6 329


1.6.7 ...............................394
1.6.8 ......................................395
1.7 ...........396
1.7.1 ..............................................................396
1.7.2 - .................................................398
1.7.3 .......................................................399
1.7.4 ..............................................................400
1.7.5 ...........................................................401
1.7.6 . ................................................402
1.7.7 e-port ................................................................405
1.7.8 Rapida ..............................................................406
1.7.9 Web Money ......................................................407
1.7.10 Z-PAY ..............................................................409
2. UTM5 & 1: ..412
2.1 .................................................................412
2.2 ..........................414
2.3 ............................................................418
2.4 ................................................................................422

1. UTM5

1.1
UTM5 ,
,
UTM5.
:
,
UTM5, , ;

, ;

UTM5 ;

UTM5 :

External Payment
Systems Server, NetUP Business
Server (NBS)


, United Control Center (UCC).


:
()

.
e-port
Rapida
Z-PAY
WebMoney
:

n FreeBSD 5.4, 5.5

n GNU/Linux (kernel 2.6)

n MYSQL 5.0.32

n PostgreSQL 8.2


UTM5

utm5_payment_tool

Java Runtime
Environment 5.0 (JRE 1.5.0.x) .


e-port
Webmoney
.
openssl (www.openssl.org)
0.9.8 .

.
gnupg (www.gnupg.org) 1.4.3
UTM5 2.1.7159.

:
1.

2.

,
UTM5

3.


utm5_payment_tool

NBS External Payment Server ,


HTTPS
GET POST. URI, ,
.

1.2


URI - HTTP , . ,
https://zao.ru:8080/osmp?command=check&txn_id=1234567&account=0957835959&sum=10.45

URI = osmp.
,

.
, ,
, , .


( , ,
, , ..)

( , , ,
, ..)

HTTPS . HTTPS . [netup:http].



[netup:http] . , e-port [netup:http]http_request[1.eport].

HTTPS :


[netup:business]payment_verification[1.external]

[netup:business]new_payment[1.external]

,
, . :

SQL SELECT UTM5


.
1
[netup:business]payment_verification[1.external] , :
1. SQL UTM5
SELECT db.personal_accounts.id AS personal_account_id FROM personal_accounts WHERE personal_accounts.id = $account


. UNIX .

2
[netup:business]new_payment[1.external] ,
:


1. SQL UTM5
SELECT event.sum AS amount
SELECT db.personal_accounts.id AS personal_account_id FROM personal_accounts WHERE personal_accounts.id = $cid

2.
/netup/utm5/bin/utm5_payment_tool


-e
-k

-l


UTM5

-p UTM5

-a UTM5
-b
-c
-i
-C
-L

PROCESSED - (
, - ,
UTM5)

IDENTIFIED - (
, -
, UTM5:
shell-)

UNKNOWN - ( , - )

( , , utm5_payment_tool) UNKNOWN_
ON_TEST IDENTIFIED_ON_TEST.

IDENTIFIED PROCESSED
[netup:integration]payment_registration[1.external],
shell-,
.
:
.
Z-PAY
Web Money

,
, ,

UNKNOWN.
, .

-
.

,
(),
.



.
:

-
(,
)


.
:

1.


FSIGN=$RANDOM.sign; echo -n "$pgpsignature" | perl /netup/etc/hex2bin.pl > /netup/etc/$FSIGN ;
FTEXT=$RANDOM.text; echo -n "$orderispaid;$ordersumamount;$ordersumcurrencypaycash;$ordersumbankpaycash;$shopid;$ordernumber;$customernumber" > /netup/etc/$FTEXT ;
gpg --verify /netup/etc/$FSIGN /netup/etc/$FTEXT; TMP_RESULT=$? ; rm /netup/etc/$FSIGN /netup/etc/$FTEXT ; exit $TMP_RESULT ;

- :
1.

SQL

UTM5

SELECT db.staff.password AS staff_password FROM staff WHERE staff.id = $staff_id

2.
expr "$md5" == `echo -n "$orderispaid;$ordersumamount;$ordersumcurrencypaycash;$ordersumbankpaycash;$shopid;$ordernumber;$customernumber;$staff_password" | openssl dgst -md5 | tr '[:lower:]' '[:upper:]'` ;
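The md5 check above as a function, added here and not taken from the NetUP software: MD5 over the seven order fields and the staff password, joined with ";", as upper-case hex, compared in constant time instead of with expr. The function names and the sample request values are constructed; the field names are the request parameters listed for this payment system on this page.

```python
# Added example: verification of the md5 parameter of a payment callback, mirroring
# the manual's expr/openssl one-liner. Field order is the one in that command;
# the sample values below are constructed, not from a real callback.
import hashlib
import hmac
from typing import Mapping

SIGNED_FIELDS = ("orderIsPaid", "orderSumAmount", "orderSumCurrencyPaycash",
                 "orderSumBankPaycash", "shopId", "orderNumber", "customerNumber")


def expected_md5(params: Mapping[str, str], staff_password: str) -> str:
    """MD5 of 'f1;...;f7;password' as upper-case hex (what tr [:lower:] [:upper:] yields)."""
    missing = [f for f in SIGNED_FIELDS if f not in params]
    if missing:
        raise KeyError("missing signed fields: %s" % ", ".join(missing))
    message = ";".join(params[f] for f in SIGNED_FIELDS) + ";" + staff_password
    return hashlib.md5(message.encode("utf-8")).hexdigest().upper()


def verify_md5(params: Mapping[str, str], staff_password: str) -> bool:
    """True only if the request's md5 parameter matches; any missing field or
    malformed digest is a failed verification, and the comparison is constant-time."""
    given = params.get("md5", "")
    if len(given) != 32:
        return False
    try:
        expected = expected_md5(params, staff_password)
    except KeyError:
        return False
    return hmac.compare_digest(expected, given.upper())


# Constructed sample callback (made-up values in the shape of the page's examples).
SAMPLE = {
    "action": "paymentSuccess", "shopId": "13", "orderNumber": "55",
    "customerNumber": "8123294469", "orderSumAmount": "87.10",
    "orderSumCurrencyPaycash": "643", "orderSumBankPaycash": "1001", "orderIsPaid": "1",
}

if __name__ == "__main__":
    request = dict(SAMPLE, md5=expected_md5(SAMPLE, "shop-password"))
    print(verify_md5(request, "shop-password"))    # genuine: True
    request["orderSumAmount"] = "870.10"            # amount changed in transit
    print(verify_md5(request, "shop-password"))    # tampered: False
```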

:
1. SQL UTM5
SELECT db.staff.password AS staff_password FROM staff WHERE staff.id = $staff_id AND staff.password = $dpass

:
1. SQL UTM5
SELECT db.staff.login AS staff_login FROM staff WHERE staff.id = $staff_id AND staff.login = $lmi_payee_purse

echo -n "$message" | openssl dgst -md5 -sign /netup/etc/external-payment-systems/eport/md5/private.pem -hex

, ,

.
e-port / message prepared_uri,
.

1.


1.3
,
.
utm5_payment_tool
/netup/utm5/bin/utm5_payment_tool

, , :

rm -rf /netup/external-payment-systems


Linux
rm /etc/init.d/nbs-eps-linux

FreeBSD
rm /usr/local/etc/rc.d/nbs-eps-free-bsd.sh



/netup/etc/external-payment-systems/netup.cfg


1.3.1
1.3.1.1 GNU/Linux
http://www.netup.ru/

:

netup-payment-systems-linux-mysql.tar.gz, UTM5 MySQL,

netup-payment-systems-linux-pgsql.tar.gz, UTM5 PostgreSQL.

GNU/Linux :

# tar zxf netup-payment-systems-linux-mysql.tar.gz -C /

UTM5 MySQL.

# tar zxf netup-payment-systems-linux-pgsql.tar.gz -C /

UTM5 PostgreSQL.

1.3.1.2 FreeBSD
http://www.netup.ru/
:

netup-payment-systems-freebsd-mysql.tar.gz, UTM5 MySQL,

netup-payment-systems-freebsd-pgsql.tar.gz, UTM5 PostgreSQL.

FreeBSD :
# tar zxf netup-payment-systems-freebsd-mysql.tar.gz -C /

UTM5 MySQL.
# tar zxf netup-payment-systems-freebsd-pgsql.tar.gz -C /

UTM5 PostgreSQL.

1.3.2


,
, .

:
netup-< >-< >< >.tar.gz,

< > - , < > - linux freebsd, < > - mysql


pgsql.

GNU/Linux FreeBSD
:
# tar zxf netup-< >-< >-< >.tar.gz -C /

1.3.3

1.3.3.1 e-port

/netup/etc/external-payment-systems/eport/private.pem.

1.3.3.2

(duser)
(dpass).
,
Name = < >

2 openssl- (
).
/netup/etc/external-payment-systems/eport/public.pem.

Login = < >


Password = < >
( ).


(
)
, , ,
<
>.

1.3.3.3 Web Money



md5-.
,
Name = < Web Money>

Login = < >


Password = < >
( ).
(
) Web
Money , , , <
Web Money>.

1.3.3.4 .

(shopId), GnuPG .


,
Name = < .>
Login = < >
Password = < >
( ).
(
) . ,
, , <
.>.

gpg --import < >

1.3.3.5 Z-PAY

md5-.
,
Name = < Z-PAY>
Login = < >

Password = < >


( ).


(
) Z-PAY
,
, ,
<
Z-PAY>.

1.3.4

http://www.netup.ru/
, , netup.keystore


/netup/etc/external-payment-systems/
, , . .
, .

1.3.5
UTM5
utc-payment-systems.
zip,
.
ucc-payment-systems.zip.

netup.keystore
.

.

Java Runtime Environment 5.0
(JRE 1.5.0.x).
http://java.sun.com downloads
http://www.netup.ru (http://www.netup.ru/downloads/jre-1_5_0windows-i586.exe).

1.4
1.4.1

=
, ,
, - . . . ,
#, .

/netup/etc/external-payment-systems/netup.cfg.


private_key_passphrase

( )

keystore

netup.keystore
( )

keystore_password

(
)

additional_config_path

UTM5

main_script

shell-, SQL-,

UTM5 NBS
,

patch_script

shell-,SQL-,

patch_flag

,
shell-, patch_script

verify_script

Shell-,

httpd_port

,
http/https

plugins_dir

startup_xml_path

startup.xml

database_login


UTM5

database_password


UTM5

database

UTM5

database_host

IP UTM5

database_port


UTM5

database_sock_path

unix- UTM5

nbs_port


private_key_passphrase, keystore, keystore_password.


/netup/etc/external-payment-systems/netup.cfg
UTM5, /netup/utm5/utm5.cfg.
:
additional_config_path=/netup/utm5/utm5.cfg
httpd_port=8080
keystore=/netup/etc/external-payment-systems/netup.keystore
keystore_password=
main_script=
nbs_port=55555
patch_script=psql -U $database_login $database -f /netup/external-payment-systems/patch_sql/patch-1.0-2.1.sql || true;
patch_flag=/netup/external-payment-systems/patch_sql/patch-1.0-2.1.flag
plugins_dir=/netup/external-payment-systems/plugins
private_key_passphrase=
startup_xml_path=/netup/external-payment-systems/startup/startup.xml
verify_script=
netup.cfg , utm5.cfg


1.4.2
, IP-, :
()



Rapida


. IP- . IP-.


.
, , :
e-port
.
Z-PAY
WebMoney

.

IP-
.


1.5 .

1.5.1 GNU/Linux

# /etc/init.d/netup-payment-systems start
, .

1.5.2 FreeBSD

# /usr/local/etc/rc.d/netup-payment-systems.sh start
/etc/rc.conf

netup-payment-systems_enable=YES

1.5.3


/netup/log/external-payment-systems/payments.log

( ) , .

/netup/log/external-payment-systems/management.log
, .

/netup/log/external-payment-systems/netup.log


/netup/log/external-payment-systems/verifier.
.

/netup/log/external-payment-systems/details.log
, .

( ) .


1.6 .

control.center.se.jar :
java -jar control.center.se.jar
, 25 , -Xmx1g.

, , . NBS External Payment Systems .


External Payment Systems.
, root, root. , manager, manager
( ).

.


:


. :

, , ,


,
root manager.
.


.
, .

...

.
.

.
( ) . ( ) .

, .

1.6.1
, (
UTM5), ,
.


:
( )
( IDENTIFIED)
( UNKNOWN)


( IDENTIFIED
UNKNOWN)
( PROCESSED)


, .

.

, .


c
,
. c , :
ID




ID

. - .

UTM5, .

.
.
.

, .

, .


, .


,

=<>&=<>....
.
.

, .

.
:


(
)

( , , ,
..)

, , UTM5,
.

(PROCESSED).
,

shell- , UTM5 . (IDENTIFIED).



,


UTM5
PROCESSED ()
[netup:integration]payment_registration[1.external].


.

.
[netup:integration]payment_registration
[1.external] 90 .
.

-
.
(UNKNOWN).
,

, IDENTIFIED,
[netup:integration]payment_registration[1.
external].



.

, .

1.6.2

- ,
.




URI





URI
URI .

, , .
. 100 .
100
100
. 10%
90 . .


:
active ,
URI
blocked ,
URI
setting_up ,
URI (
)

, .


.

:
( )
( )

:

URI

, .


:
( )
( )


.

: (
) (
).

(), :

-



:
( )
( )



, .

: (
) ( ).
.

1.6.3

.
:

()

:
active ,
,
blocked , ,

setting up ,
,

( , )

/.



, /.

, /.
, :
SQL- ( , )
Shell- ( , SQL-)

SQL-

SQL SQL .
SQL .

,
+-----------+--------------+---------+
|           |              |         |
+-----------+--------------+---------+
| event.sum | event.amount |         |
+-----------+--------------+---------+
, sum amount.
,

SQL ANSI SQL.


+-------------------------+---------------------------+---------------------------+
|                         |                           |                           |
+-------------------------+---------------------------+---------------------------+
| db.personal_accounts.id | event.personal_account_id | db.personal_accounts.id = |
|                         |                           | event.account             |
+-------------------------+---------------------------+---------------------------+

, personal_account_id id personal_accounts
, id account,
.
SQL
SQL .

SQL ,
, .


Shell-

Shell- , .
.
Shell- .

Shell- ,
0, , 0
.
shell- .
Shell- SQL HTTPS-, EVENT ( EVENT), ( ). SQL- Shell- EVENT.<
> < >,
. - , .. < >.

1.6.4


,
.


1.6.5

,

, .


, .

1.6.6


,
.

, ,

.

, ,
.
, ,
, .

netup:integration:payment_
registration:1.external,
IDENTIFIED PROCESSED.


1.6.7


- .
, .


. ,
e-port e-port.


. , .

:
( )
(
)
( )
, , .
, .

1.6.8
, .


1.7


1.7.1
: http://www.elecsnet.ru/

Auth

Action

Pre

Timestamp

yyyymmddhhmmss

(
)

Client

Key

(128 hex)

Sum

(dec)

Stan

Cheque

Sign

(512 hex)

( )

810.
:

https://zao.ru:8080/binom?action=auth&key=68b329da9893e34099c7d8ad5cb9c940&stan=121212&client=2821&sum=20000&timestamp=20061201121059&term=5577&cheque=87654321&sign=9d1f673b5c7e065ebea1e7e2dce2ebc453025798755a5a47d42b3f3a0fe946335ac48ed8e7f78307059c0b3e5a006ff2ad81b30c03dbb667e52286f4ecc3123cfecb1602d93164df3b7253f6ebffd0fddcff3d9f8fa5ccce3a217767ac4509e367e2e634ffd7e2064d7de9375bd086db0c6ac25aadd35f9e0234550e1f659f784bd38fbb0a775a14e26c50166189e08e5285927d1845a0848fa1134b4d2447424d4de2182a1a326c93c23c6c8f1048d7a02112fc9e26998efb306fdadc25490117986d52299f14bbc55cd1f2dd62b9a46005786facd11f9717934d11721c620cf0e9e2ccb635c6226f4127fb39f052606dd157a9672de4670f2e387cccdead0

https://zao.ru:8080/binom?action=pre&key=705591aba85a60acc2179df3d42a7717&stan=XXXXXX&client=2821&sum=20000&timestamp=20061201121059&term=5577&cheque=87654321&sign=28162ff1459e0eaa7402c37aacdf0900fc0116e3f2ac34eafb262438c0d278eb185bb464807f09290aa3c87cf5cbd5c11930049b0489e03a3ce933e62201525a20cf4ea59bb1072ef9e05f9eb26da1c0545edf86991215c7196eb55d1e92a646b9986a8ce4c64c467b0f452fc6d6fab129dcdf71c911ffd0508a025e0540aad9d68ca253ef2aeae0f2369a8e2ca46571afc5f49c0766f3a741d88d4d6a9e08e662e2669efff06871bed79f4dbde048ad0e7e2b4b16747410fa9a69014b1e1327578b662a62d57f830bf25654808916d65315b2f33dffdd94020136c4f216f646863727ac5784d9f80111c384b814dcb297165644b02a638b13d9a63aa4fcc53a


1.7.2 -
C : http://www.kp-dealer.ru/
- :

getabstateacc

addtobalanceacc

bankid

(
)

devid

qid

abacc

crcid

sum

command


810.
:

https://zao.ru:8080/credit_pilot?command=getabstateacc&bankid=1234&devid=1&qid=34342324&abacc=1234567
https://zao.ru:8080/credit_pilot?command=addtobalanceacc&bankid=1235&devid=1&qid=34342324&abacc=1234567&crcid=810&sum=300

. URI = osmp.

1.7.3
: http://www.cyberplat.ru/
:

payment

number

, 30

type


number

amount

10
,
NNNNNN.NN

. . ()

receipt


15

,
( )

date

YYYY-MMDDThh:mm:ss

action

check


( ,
)


additional

. , ,
.

810.
:
https://zao.ru:8080/cyberplat?action=check&number=9166438476&type=1&amount=25.34

https://zao.ru:8080/cyberplat?action=payment&number=9166438476&amount=25.34&receipt=3568264&date=2005-09-20T15:53:00

1.7.4
: http://www.osmp.ru
:

command


pay

check

bankid

(
)

txn_id

integer dec 20

account

string 200

sum


NNNNNN.NN

810.
:
https://zao.ru:8080/osmp?command=check&txn_id=1234567&account=0957835959&sum=10.45
https://zao.ru:8080/osmp?command=pay&txn_id=1234567&txn_date=20050815120133&account=0957835959&sum=10.45

1.7.5
: http://www.unikassa.ru/
:

duser

64


dpass

128

sid

64

sum

64

get_info

payment

Trans


(
Term

)

Sum


NNNNNN.NN

uact

Term

810.
:
https://zao.ru:8080/unikassa?duser=dealer1&dpass=1dad01d23ads4567&cid=123123123&uact=get_info
https://zao.ru:8080/unikassa?duser=dealer1&dpass=1dad01d23ads4567&cid=123123123&uact=payment&term=10&trans=12345&sum=123.00

1.7.6 .
: http://money.yandex.ru/


Yandex. :

Check

paymentFailed

orderCreatedDatetime

YYYY-MM-DDThh:
mm:ss.fZZZZZ

(

)

customerNumber

64

orderNumber


Yandex.

orderSumAmount


NNNNNN.NN

(
)

!=1

(
)

orderSumBankPaycash

pgpSignature

PGP-

md5

md5

requestDatetime

YYYY-MM-DDThh:
mm:ss.fZZZZZ

.
( )

shopId

shopSumAmount

(
)

shopSumAmount

Action

orderSumCurrencyPaycash

orderIsPaid

shopSumCurrency-Paycash

paymentSuccess


shopSumBankPaycash

paymentPayerCode

paymentDatetime

YYYY-MM-DDThh:
mm:ss.fZZZZZ


( )

paymentType

810.

https://zao.ru:8080/yandex_money?requestDatetime=2007-01-21T10:20:06Z&action=Check&md5=8256D2A032A35709EAF156270C9EFE2E&shopId=13&orderNumber=55&customerNumber=8123294469&orderCreatedDatetime=2007-01-21T10:20:04Z&orderSumAmount=87.10&orderSumCurrencyPaycash=643&orderSumBankPaycash=1001&shopSumAmount=86.23&shopSumCurrencyPaycash=643&shopSumBankPaycash=1001&paymentType=1&paymentPayerCode=42007148320&orderIsPaid=0&md5=&pgpSignature=&MyField=

https://zao.ru:8080/yandex_money?requestDatetime=2007-01-21T10:20:10Z&action=PaymentSuccess&md5=45125C95A20A7F25B63D58EA34AFED2&shopId=13&orderNumber=55&customerNumber=8123294469&orderCreatedDatetime=2007-01-21T10:20:04Z&orderSumAmount=87.10&orderSumCurrencyPaycash=643&orderSumBankPaycash=1001&shopSumAmount=86.23&shopSumCurrencyPaycash=643&shopSumBankPaycash=1001&orderIsPaid=1&paymentDatetime=2005-01-21T10:20:10Z&paymentType=PC&paymentPayerCode=42007148320&md5=&pgpSignature=&MyField=


1.7.7 e-port
: http://e-port.ru
e-port :


( )

( )

id

(
)

e-port

date

DD.MM.YY HH:
MM:SS

(
)

account

Sum


NNNNNN.NN

sign

(hex)

RSA MD5

hash

- ( )

testMode

type

810

405

https://zao.ru:8080/eport?account=1234%20567&date=21.10.03%2016%3A07%3A14&hash=5237893&id=30275&sum=234.56&type=1&sign=2BA555F3746588078D99419B2FB52E0303BB87F1EF9D8943CE02D8A2B8D8EFF3AA9899C80D537625E9000A2123AAEFCE8D68ADFC836823C7847203C635521E02D4F4C681CE65AD4AF3C14FE7D55EB2CCEB4DD2B17C15F922ECFE850E23A85FCE81EFABC845B3E7B2EAB98DA2DF03125F6097FCD9E3B8350726D453750303499F

https://zao.ru:8080/eport?account=1234%20567&date=21.10.03%2016%3A07%3A14&sum=234.56&type=2&sign=3C5A0FBFD8443512B1B3340036040F46BC0BB848D88A19345A52AA9A25CFE79C58FC480BABD2A08067D1911CE5FEDCA9D5C75AE4C6C0B3D1D0040E47146ACD75120FA298ADC9B343AA6C54D24E3AB0E2DFADE07F810F0780986B5C03BB4BAD9BA2763FB528DE2F6800CA1150213DCA53AA3CBCFDD4DA7783AFB79BB22ED0C300

1.7.8 Rapida
: http://www.rapida.ru
Rapida

type


Rapida

order

(int)

Sum


Rapida

id

810.
:
https://zao.ru:8080/rapida?order=123456&sum=100.00&id=&type=1
https://zao.ru:8080/rapida?order=123456&sum=100.00&id=&type=2

1.7.9 Web Money


: http://www.webmoney.ru/
WebMoney :

LMI_PREREQUEST

!=1

15

LMI_PAYEE_
PURSE


LMI_
PAYMENT_
AMOUNT


NNNNNN.NN

LMI_
PAYMENT_NO


WebMoney

!=1

LMI_PAYER_
WM


WebMoney (
)

LMI_
PAYMER_
NUMBER

- ( )

LMI_
PAYMER_
EMAIL

e-mail ( )

LMI_MODE


LMI_TELEPAT_

NENUMBER

( )

LMI_SYS_
YYYYMMDD HH:
TRANS_DATE MM:SS

(

)

LMI_SYS_
INVS_NO

WebMoney ( )

LMI_SYS_
TRANS_NO


WebMoney

LMI_PAYER_
PURSE

15

LMI_HASH

md5-

LMI_SECRET_

KEY

account

UTM5

810.
:

https://zao.ru:8080/web_money?LMI_PREREQUEST=1&LMI_PAYMENT_AMOUNT=1.0&LMI_PAYMENT_NO=1&LMI_PAYEE_PURSE=R397656178472&LMI_MODE=1&LMI_PAYER_WM=809399319852&FIELD_1=VALUE_1&FIELD_2=VALUE_2&FIELD_N=VALUE_N&account=123
https://zao.ru:8080/web_money?LMI_PAYMENT_AMOUNT=1.0&LMI_PAYMENT_NO=1&LMI_PAYEE_PURSE=R397656178472&LMI_MODE=1&LMI_SYS_INVS_NO=281&LMI_SYS_TRANS_NO=558&LMI_PAYER_PURSE=R397656178472&LMI_PAYER_WM=809399319852&LMI_SYS_TRANS_DATE=20020314 14:01:14&LMI_HASH=114128B8AEFD8CAA76D3CF75B9AEBC17&FIELD_1=VALUE_1&FIELD_2=VALUE_2&FIELD_N=VALUE_N&account=123

1.7.10 Z-PAY
: http://www.z-pay.ru
Z-PAY :

LMI_PREREQUEST

!=1


PURSE

15


Z-PAY,

LMI_
PAYMENT_
AMOUNT


NNNNNN.NN

LMI_
PAYMENT_NO


Z-PAY

!=1

LMI_PAYER_
WM


Z-PAY ( )

LMI_
PAYMER_
NUMBER

- ( )

LMI_
PAYMER_
EMAIL

e-mail ( )

( )

LMI_PAYEE_

LMI_MODE


LMI_TELEPAT_
PHONENUMBER

LMI_SYS_
YYYYMMDD HH:
TRANS_DATE MM:SS

(

)

LMI_SYS_
INVS_NO

Z-PAY (
)

LMI_SYS_
TRANS_NO


Z-PAY

LMI_PAYER_
PURSE

15

LMI_HASH

md5-

LMI_SECRET_

KEY

account

UTM5

DESC_PAY

. .

ID_PAY


Z-PAY.
Z_PAY,

CLIENT_
MAIL

e-mail

810.
:

https://zao.ru:8080/z_pay?LMI_PAYMENT_AMOUNT=1.0&LMI_PAYMENT_NO=1&LMI_PAYEE_PURSE=R397656178472&LMI_MODE=1&LMI_SYS_INVS_NO=281&LMI_SYS_TRANS_NO=558&LMI_PAYER_PURSE=R397656178472&LMI_PAYER_WM=809399319852&LMI_SYS_TRANS_DATE=20020314 14:01:14&LMI_HASH=114128B8AEFD8CAA76D3CF75B9AEBC17&FIELD_1=VALUE_1&FIELD_2=VALUE_2&FIELD_N=VALUE_N&account=123

https://zao.ru:8080/z_pay?LMI_PREREQUEST=1&LMI_PAYMENT_AMOUNT=1.0&LMI_PAYMENT_NO=1&LMI_PAYEE_PURSE=R397656178472&LMI_MODE=1&LMI_PAYER_WM=809399319852&FIELD_1=VALUE_1&FIELD_2=VALUE_2&FIELD_N=VALUE_N&account=123


2. UTM5 & 1:
2.1
UTM5 1:1
NetUP UTM5
1.

UTM5 1: :


NBS Integration Server,


NetUP Business Server (NBS)

,
NetUP Control Center Special
Edition (CCSE)

1:, 1:.


UTM5 1:

1::
o ,

o ,
o ,
o , -



UTM5

TCP/IP
SSLv3

1:
.

UTM5
1: :

UTM 5.2.0
( GNU/Linux, FreeBSD, Solaris, Windows)
5.2.0 ,
UTM5
user_log. ,
UTM 5.2.0. .


Gentoo Linux NBS Integration


Server. Linux
. NBS Integration Server
.

MySQL 5.x

Windows Microsoft
XML Parser 3.0 1: 7.7 7.70.021 :
o , 4.5 ( -

7.70.450 )

-
,
, ++.


Java Runtime Environment


5.0 (JRE 1.5.0.x) UTM5 1: (CCSE ).

2.2
http://www.netup.ru 1

1.

Gentoo GNU/Linux :

# tar zxf is-utm5-1c-server.tar.gz -C /


/netup/integration_system_solution/, , /netup/logs/nbs, , /etc/init.d/nbs.iss.
2.

NBS :
# mysql -u root

UTM5
1: is-utm5-1c-server.tar.gz, 1 .

mysql> create database NBS;


mysql> quit


3.

login_MySQL,
host password_MySQL NBS:
# mysql -u root
mysql> grant all privileges on NBS.* to 'login_MySQL'@'host' identified by 'password_MySQL' with grant option;
mysql> quit

4.

UTM5
1: :

# /etc/init.d/nbs.iss start

/netup/integration_system_solution/nbs.cfg.
NBS
/netup/integration_system_solution/startup.xml
login_NBS password_NBS

<new_staff family="netup:sys" version="1.0">
<password type="string">password_NBS</password>
<login type="string">login_NBS</login>
</new_staff>
NBS Integration .



UTM5 1:
UTM5 1:, . is-utm5-1c-ccse.zip.

Java Runtime Environment 5.0 (JRE 1.5.0.x).
http://java.sun.com downloads
http://www.netup.ru
(http://www.netup.ru/downloads/jre-1_5_0-windows-i586.exe_).

.


1c_extension.ini
.
1C,
.
C:\Program Files\1Cv77\1SBDB

1:
1C:,
.
is-utm5-1c-extension.zip. 1C: Windows ,
setup.exe.


1, .


2.3

UTM5 1:
control.center.se.jar :
java -jar control.center.se.jar
,
UTM5 1:

. ,
.

UTM5

UTM5 5.2.0, 01.01.2006.

, ,
1.


.
. 500 . .


, , , ,
1C.
.
, .



...

2.4

1C:


. NetUP UTM5 (1.0).

.

: , , ,


UTM5 1:

OK.


.
1:
RUB 643.


1 ,
,

,
1, UTM5


UTM5


20.

1. .......................................................... 430
2. utm5 wintray.................................................. 432
3. VPN.. 433



1.
- (Internet Explorer, Opera, Mozilla, Konqueror, lynx .) :
https://SERVER/cgi-bin/utm5/aaa5

SERVER IP-
. https:// ,
SSL. SSL, -
.
http://,
.

, , , , .


.
, , . :
, .

,
. , , ( , ).
, , .

.
.


, .

, -.
-. ,
.
.



2. utm5 wintray

utm5_wintray.


. / .


3.
VPN


Windows 2000.
(Network Connections). : (Create a new connection).



: VPN.
IP- VPN

. , vpn

.
local.

, : .


, ( ).


Finish

.



VPN
. ,


,
.


21. 1

1. UTM5 ... 440


2. UTM5 . .... 443
3. UTM5 LDAP .......................... 446
4.
UTM5 . .............................................................................. 462
5. UTM5 OC
Solaris10 ........................................................................... 474
6. ........................ 516

1

1. UTM5

( | )
( = ):
smtp_relay = 10.0.0.1
smtp_port = 25
smtp_fqdn = host.example.org
smtp_sender = utm@host.example.org
smtp_subject = Message from UTM5
admin_email = utm@host.example.org
notification_borders = 5
notification_borders = 3

notification_borders = 0
notification_message = , FULL_NAME!
ACCOUNT_ID
BALANCE. : DATE
EMAIL. , .
notification_message_subject =
notification_message_from = utm@host.example.org

, , , .


5, 3 0 .
10 . .
6, 8 11 .
10 . . 4, 2 . .
:
tcpdump -ni eth0 port 25

eth0 , .
:
12:45:34.738410 127.0.0.1.57021 > 127.0.0.1.25: . ack 1 win 35840 <nop,nop,timestamp 603505811 603505811> (DF)
12:45:34.875100 127.0.0.1.25 > 127.0.0.1.57021: P 1:37(36) ack 1 win 35840 <nop,nop,timestamp 603505824 603505811> (DF)
12:45:34.875187 127.0.0.1.57021 > 127.0.0.1.25: P 1:16(15) ack 37 win 35840 <nop,nop,timestamp 603505824 603505824> (DF)
12:45:34.875249 127.0.0.1.25 > 127.0.0.1.57021: P 37:59(22) ack 16 win 35840 <nop,nop,timestamp 603505824 603505824> (DF)

, , . , .
. -

441

,
( | ). email.
UTM :
?Debug : Jul 21 12:54:04 BusLogic: call SmtpLogger::smtp

, .

,
.

442

2.


NetFlow . ,

utm5.cfg
:
nfbuffer_bufsize=10485760


10 . debug.log :
?Debug : Jan 29 19:39:30 NFBuffer: Setting SO_RCVBUF to <10485760> bytes

.
Linux :
sysctl -w net.core.rmem_max=10485760

FreeBSD:

net.inet.udp.recvspace=10485760
net.local.dgram.recvspace=10485760
net.inet.udp.maxdgram=100000


NetFlow .

.

kern.ipc.maxsockbuf=10485760

443

CPU
.
NetFlow .
:
raw_storage_file=1


.

.utm.
NetUP. get_nf_direct. :
/netup/utm5/bin/get_nf_direct
traffic_raw_1138443603.utm u

-b

/netup/utm5/db/ip-

/netup/utm5/db/iptraffic_raw_1138443603.utm.
1 .
.
/netup/utm5/bin/raw_fd_
script,
.
, .
/netup/utm5/bin/raw_fd_script shell:
#!/bin/sh
gzip $*

444

CPU .

NetUP

. :
CPU: Intel Pentium 4 3.00
: 2
: Serial ATA 250
: Intel 100 /
: Gentoo Linux

NetFlow . Netflow utm5_flowgen.


top. ,
, Net-Flow 100%
, .
- .
.
[Figure 1. CPU load of the NetFlow collector: UTM5 NetFlow; y-axis: CPU, %; x-axis: Netflow rate]

3. UTM5 LDAP


LDAP
NetUP .


NetUP

UTM


OpenLDAP
, . LDAP


(,
, ),
, LDAP

. , ( , ..)
.

446


, .


.
BerkeleyDB

BerkeleyDB: http://www.sleepycat.com/update/
snapshot/db-4.2.52.tar.gz.

tar xvfz db-4.2.52.tar.gz


cd db-4.2.52
cd build_unix/
../dist/configure --prefix=/usr/ --exec-prefix=/usr/

BerkeleyDB

make
make install

447

OpenLDAP

OpenLDAP is downloaded from ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.1.26.tgz.
tar xvfz openldap-2.1.26.tgz
cd openldap-2.1.26
./configure
make depend

OpenLDAP

.
make

make install

/usr/local/etc/
openldap/slapd.conf.

.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/java.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

allow bind_v2

database bdb
suffix dc=example,dc=ru
rootdn cn=Manager,dc=example,dc=ru
rootpw secret
directory /usr/local/var/openldap-netup
index cn,sn,uid pres,eq,sub

OpenLDAP

/usr/local/libexec/slapd

example.ldiff:
dn: dc=example,dc=ru
objectclass: dcObject
objectclass: organization
o: Example company
dc: example

dn: cn=Manager,dc=example,dc=ru
objectclass: organizationalRole
cn: Manager

Load it into the directory:
ldapadd -D cn=Manager,dc=example,dc=ru -w secret < example.ldiff

Cyrus

The mail server (POP3/IMAP) is Cyrus. Download:
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.18.tar.gz;
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.2.3.tar.gz;
http://email.uoa.gr/download/cyrus/cyrus-imapd-2.2.3/cyrus-imapd-2.2.3-autocreate-0.8.6.diff.

449

tar xvfz cyrus-sasl-2.1.18.tar.gz


cd cyrus-sasl-2.1.18
./configure --with-ldap --with-bdb-incdir=/usr/local/BerkeleyDB.4.2/include/
make
make install

/usr/local/etc/saslauthd.conf,

.
ldap_servers: ldap://127.0.0.1/
ldap_bind_dn: cn=Manager,dc=example,dc=ru
ldap_password: secret
ldap_search_base: ou=users,dc=example,dc=ru
ldap_mech: DIGEST_MD5
ldap_auth_method: custom

.
/usr/local/sbin/saslauthd -a ldap

.
tar xvfz cyrus-imapd-2.2.3.tar.gz

patch < cyrus-imapd-2.2.3-autocreate-0.8.6.diff

cd cyrus-imapd-2.2.3
./configure --with-ldap --with-sasl=/usr/local/ --with-bdb=/usr/local/BerkeleyDB.4.2/ --with-bdb-incdir=/usr/local/BerkeleyDB.4.2/include/
make
make install

/etc/imapd.conf

450

configdirectory: /var/imap
partition-default: /var/spool/imap
sasl_pwcheck_method: saslauthd
admins: aospan
mboxlist_db: flat
autocreatequota: 1000000
createonpost: yes

cyrus

adduser
.
C
.
/var/imap/
/var/imap/proc
/var/imap/db
/var/imap/socket
/var/imap/log
/var/imap/msg
/var/spool/imap/


cyrus.

cyrus-imapd2.2.3.

cp master/conf/normal.conf /etc/cyrus.conf

.
/usr/cyrus/bin/master &

./tools/mkimap

Postfix

(SMTP)

postfix

ftp://ftp.easynet.be/postfix/official/postfix-2.0.19.tar.gz

451

.
tar xvfz postfix-2.0.19.tar.gz
cd postfix-2.0.19
make tidy
make makefiles CCARGS="-I./ -DHAS_LDAP" AUXLIBS="-lldap -llber"
make
make install

/etc/postfix/main.cf
.
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
alias_maps = hash:/etc/aliases, ldap:ldapsource
ldapsource_server_host = example.ru
ldapsource_search_base = ou=users,dc=example,dc=ru
ldapsource_version = 3
ldapsource_bind_dn = cn=Manager,dc=example,dc=ru
ldapsource_bind_pw = secret
ldapsource_result_attribute = mail
ldapsource_query_filter = (&(mail=%s))
readme_directory = no
sample_directory = /etc/postfix

sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/local/man
daemon_directory = /usr/libexec/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
queue_directory = /var/spool/postfix
mail_owner = postfix

452

unknown_local_recipient_reject_code = 450

.
/usr/libexec/postfix/master &

LDAP
netup.ldiff:
dn: ou=users, dc=example, dc=ru
objectclass: organizationalUnit
ou: users

dn: cn=test, ou=users, dc=example, dc=ru
cn: test
sn: test
givenName: Test Test
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: organizationalPerson
objectClass: top
mail: test
mail: test@example.ru
uid: test
userPassword: {MD5}2FeO34RYzgb7xbt2pYxcpA==

ldapadd -D cn=Manager,dc=example,dc=ru -w secret < netup.ldiff

The mailbox test@example.ru is accessible over POP3 (or POP3S) with user test and password qwerty (stored in LDAP as the MD5 hash {MD5}2FeO34RYzgb7xbt2pYxcpA==).

453

perl-,
http://www.netup.ru/download/pas_md5.pl,

slappasswd -h {MD5}


LDAP
ldapsearch
LDAP Browser

/
Editor
: http://www.iit.edu/
~gawojar/ldap/.
DHCP
DHCP

ftp://ftp.isc.org/isc/dhcp/
dhcp-3.0pl2.tar.gz http://www.
lunytune.net/dhcp-3.0pl2.ldap.diff.gz.
.
tar xvfz dhcp-3.0pl2.tar.gz
gzip -d dhcp-3.0pl2.ldap.diff.gz
cp dhcp-3.0pl2.ldap.diff dhcp-3.0pl2
cd dhcp-3.0pl2
patch -p1 < dhcp-3.0pl2.ldap.diff
./configure

work.freebsd/server/Makefile

LIBS = -lldap


LIBS =

454

make
make install

dhcpd.conf,

LDAP
contrib/dhcpd-conf-to-ldap.pl ( ).
LDIFF

-:
dn: cn=dhcpd.example.ru, dc=example, dc=ru
objectClass: top
objectClass: dhcpServer
cn: dhcpd.example.ru
dhcpServiceDN: cn=DHCP Config, dc=example, dc=ru

dn: cn=DHCP Config, dc=example, dc=ru
cn: DHCP Config
objectClass: top
objectClass: dhcpService
objectClass: dhcpOptions
dhcpPrimaryDN: cn=dhcpd.example.ru, dc=example, dc=ru
dhcpStatements: default-lease-time 600
dhcpStatements: max-lease-time 7200
dhcpStatements: log-facility local7
dhcpOption: domain-name example.ru
dhcpOption: domain-name-servers 10.1.2.1

dn: cn=10.1.2.0, cn=DHCP Config, dc=example, dc=ru
cn: 10.1.2.0
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpNetMask: 24
dhcpRange: 10.1.2.2 10.1.2.253
dhcpOption: domain-name-servers 10.1.2.1
dhcpOption: routers 10.1.2.1

dn: cn=test, cn=DHCP Config, dc=example, dc=ru
cn: test
objectClass: top

455

/etc/dhcpd.conf :
ldap-server localhost;
ldap-port 389;
ldap-username cn=Manager, dc=example, dc=ru;
ldap-password secret;
ldap-base-dn dc=example, dc=ru;
ldap-method dynamic;
ddns-update-style ad-hoc;


DHCP
( fxp0
).
/usr/sbin/dhcpd fxp0

IP

-
DHCP
LDAP
.
FTP
FTP

- - ftp://ftp.proftpd.org/distrib/source/
proftpd-1.2.9.tar.bz2

.
tar xvfj proftpd-1.2.9.tar.bz2
cd proftpd-1.2.9
./configure --with-modules=mod_ldap
make
make install

/usr/local/etc/proftpd.conf

.
LDAPServer localhost
LDAPDNInfo cn=Manager,dc=example,dc=ru secret
LDAPDoAuth on ou=users,dc=example,dc=ru

456

LDIFF

dn: cn=test, ou=users, dc=netup, dc=ru


cn: test
sn: test
givenName: Test
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
uid: test
userPassword: {MD5}2FeO34RYzgb7xbt2pYxcpA==
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/test

.
ldapadd -D cn=Manager,dc=example,dc=ru -w secret <
netup.ldiff


FTP user test, password qwerty (stored in LDAP as the MD5 hash {MD5}2FeO34RYzgb7xbt2pYxcpA==). The home directory is /home/test.
FTP

.
/usr/local/sbin/proftpd


DNS

The DNS server is BIND, downloaded from ftp://ftp.isc.org/isc/bind9/9.2.3/bind-9.2.3.tar.gz.
tar xvfz bind-9.2.3.tar.gz
cd bind-9.2.3

457

cp contrib/sdb/ldap/ldapdb.c bin/named/
cp contrib/sdb/ldap/ldapdb.h bin/named/include/

bin/named/Makefile.in. , .
DBDRIVER_OBJS = ldapdb.@O@
DBDRIVER_SRCS = ldapdb.c
DBDRIVER_INCLUDES = -I/usr/local/include
DBDRIVER_LIBS = -L/usr/local/lib -lldap -llber

In bin/named/main.c add the ldapdb lines after the corresponding xxdb lines.
After
#include "xxdb.h"
add
#include <ldapdb.h>

After
xxdb_init();
add
ldapdb_init();

After
xxdb_clear();
add
ldapdb_clear();

./configure
make
make install

The DNS server is installed as /usr/local/sbin/named.

/etc/named.conf.
, LDAP
.
zone "hosting.example.ru" {
    type master;
    database "ldap ldap://127.0.0.1/dc=hosting,dc=example,dc=ru 172800";
};

LDIFF

-
.

dn: dc=hosting,dc=example,dc=ru
dc: hosting
objectClass: dcObject
objectClass: Organization
o: DNS

dn: dNSTTL=3600+relativeDomainName=@,dc=hosting,dc=example,dc=ru
objectClass: top
objectClass: dNSZone
relativeDomainName: @
sOARecord: hosting.example.ru. root.example.ru. 2004040304 86400 900 3600000 3600
dNSTTL: 3600
zoneName: hosting.example.ru
mXRecord: 10 mail.example.ru.
nSRecord: ns.example.ru.
nSRecord: ns2.example.ru.
aRecord: 10.0.0.1

dn: relativeDomainName=zzz,dc=hosting,dc=example,dc=ru
objectClass: top
objectClass: dNSZone
relativeDomainName: zzz
aRecord: 10.1.2.105
dNSTTL: 3600
zoneName: hosting.example.ru

459


LDAP


UTM

/netup/utm5/utm5.cfg.
:

, LDAP,
*

460

ldap_enable

yes


LDAP

LDAP.
LDAP
IP- LDAP

ldap_base_dn

ldap_host

IP-

127.0.0.1

ldap_login


LDAP

ldap_
password


LDAP

ldap_ping_
timeout


59
60

ldap_port

1
65534



LDAP

LDAP

* LDAP

.
, .


LDAP
,
.
MAC

-
IP


IP

-
IP
-
MAC
-.

LDAP
cn=DHCP Config. ,
dn: cn=10.1.2.45, cn=DHCP Config, dc=example, dc=ru
cn: 10.1.2.45
objectClass: top
objectClass: dhcpHost
objectClass: dhcpOptions
dhcpHWAddress: ethernet 00:00:e2:58:ac:a6
dhcpStatements: fixed-address 10.1.2.45

RFC
-2251 LDAP

http://www.rfc-editor.org/rfc/
rfc2251.txt.
OpenLDAP

http://www.openldap.org/.
BerkeleyDB

http://www.sleepycat.com/.

461

4.

NetUP UTM


NetUP UTM .
Gentoo Linux.
mysql

462

1.

Gigabit Ethernet .

, 1 /.
(crossover) .

.

192.168.0.200. .
, ,
.
heartbeat [2].
1:
: netup1
IP- .
eth1: 172.16.0.1
IP- 192.168.0.200
(eth0:1). heartbeat.

2:

IP- .
eth1: 172.16.0.2
IP- 192.168.0.200
(eth0:1). heartbeat.

Gentoo Linux - /dev/sda.


- /dev/sdb -

: netup2

463

drbd [1]. :
emerge drbd


/etc/drbd.conf :
resource r0 {
    protocol C;
    incon-degr-cmd "echo '!DRBD! pri on incon-degr' | wall ; sleep 60 ; halt -f";
    startup {
        degr-wfc-timeout 120;    # 2 minutes.
    }
    disk {
        on-io-error detach;
    }
    net {
    }
    syncer {
        rate 200M;
        group 1;
        al-extents 257;
    }
    on netup2 {
        device    /dev/drbd0;
        disk      /dev/sdb1;
        address   172.16.0.2:7788;
        meta-disk internal;
    }
    on netup1 {
        device    /dev/drbd0;
        disk      /dev/sdb1;
        address   172.16.0.1:7788;
        meta-disk internal;
    }
}

/usr/share/doc/drbd-0.7.11/drbd.conf.gz.

/dev/sdb1.
/dev/drbd0 .
drbd :
/etc/init.d/drbd start

drbdadm -- --do-what-I-say primary all

1 :

, /dev/
sdb1 . :

465

/etc/init.d/drbd status

:
drbd driver OK; device status:
version: 0.7.11 (api:77/proto:74)
SVN Revision: 1807 build by netup@netup1, 2006-01-17
00:52:49
0: cs:Connected st:Primary/Secondary ld:Consistent

ld:Consistent , .
, .
reiserfs , . 1 :
mkreiserfs /dev/drbd0

mkdir /mnt/sync

466

2 :
mkdir /mnt/sync


heartbeat. :

echo sys-cluster/heartbeat ~x86 >> /etc/portage/package.keywords
emerge sys-cluster/heartbeat

.
On node 1, /etc/ha.d/ha.cf:
logfacility local0
ucast eth1 172.16.0.2
auto_failback on
node netup1 netup2

On node 2, /etc/ha.d/ha.cf:
logfacility local0
ucast eth1 172.16.0.1
auto_failback on
node netup1 netup2

The resources that move together with the IP address are listed in /etc/ha.d/haresources (one line):
netup1 192.168.0.200/24/eth0:1 drbddisk Filesystem::/dev/drbd0::/mnt/sync::reiserfs apache2 mysql utm5_core utm5_radius

, . IP-
192.168.0.200, 24 eth0:1, IP-. ,
,
. , .

drbddisk, (Primary) drbd. /dev/drbd0.
Filesystem.
- /dev/drbd0, - /mnt/sync
reiserfs.
/mnt/sync .

. ,
, .

468

apache2, mysql ,
utm5_core, RADIUS utm5_radius.
NetUP UTM mysql,
/var/lib/mysql /mnt/sync.
mysql.

/etc/mysql/my.cnf [mysqld]
:
datadir = /mnt/sync/mysql

, mysql , .
heartbeat
/etc/ha.d/authkeys
. :
auth 1
1 sha1 somethinglong


.
heartbeat :
/etc/init.d/heartbeat start

Check with ifconfig, df and ps that on node 1:
1. eth0:1 has the IP address 192.168.0.200
2. /mnt/sync is mounted
3. apache2, mysql, utm5_core, utm5_radius are running

469


. , heartbeat

. IP- 192.168.0.1,
/mnt/sync apache2, mysql,
utm5_core utm5_radius.
30 . ,
,
.

:
rc-update add drbd default
rc-update add heartbeat default

split-brain
-
,
. (split-brain).

.
drbd. :

470

/etc/init.d/drbd status


:
0: cs:StandAlone st:Primary/Unknown ld:Consistent

0: cs:StandAlone st:Secondary/Unknown ld:Consistent

, . .
. ,
.
:
drbdadm disconnect all
/etc/init.d/heartbeat stop

drbdadm secondary all

471

drbdadm secondary all

drbdadm -- --human primary all

drbdadm connect all

,
. :

/etc/init.d/drbd status

drbd driver OK; device status:


version: 0.7.11 (api:77/proto:74)
SVN Revision: 1807 build by netup@netup1, 2006-01-17
00:52:49
0: cs:Connected st:Secondary/Primary ld:Consistent

472

st:Secondary/Primary ld:Consistent
, .

[1] drbd - http://www.drbd.org/
[2] heartbeat - http://linuxha.org/HeartbeatProgram

473

5.
Solaris 10

Solaris 10 - System Management Facility (SMF) [1],


. :

474


(watchdog).
- , .


,
.
.

, - ,
,
.

, ,
SMF,
MySQL .

SMF.
notify_admin, /netup/utm5/smf/mail.sh.
.

,
-

. ,
.
MySQL

MySQL, , .
MySQL Solaris 10.
, SMF,

svccfg(1M).
SMF (manifest) XML, , (method)
.
Bourne Shell.
MySQL 1.1. /var/svc/manifest
(). - . application,
UTM5 ,
utm.

475

1.1 /var/svc/manifest/application/mysql.xml

<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="mysql:mysql">
<service
    name="application/mysql"
    type="service"
    version="1">
    <create_default_instance enabled="false" />
    <single_instance />
    <!-- Dependencies -->
    <dependency name="fs"
        grouping="require_all"
        restart_on="none"
        type="service">
        <service_fmri value="svc:/system/filesystem/local" />
    </dependency>
    <dependency name="net"
        grouping="require_all"
        restart_on="none"
        type="service">
        <service_fmri value="svc:/network/loopback" />
    </dependency>
    <!-- Execution methods -->
    <exec_method
        type="method"
        name="start"
        exec="/lib/svc/method/svc-mysql start"
        timeout_seconds="-1">
        <method_context>
            <method_credential user="mysql" group="mysql" />
        </method_context>
    </exec_method>
    <exec_method
        type="method"
        name="stop"
        exec=":kill"
        timeout_seconds="-1">
    </exec_method>
</service>
</service_bundle>

The method script, listing 1.2, is placed in /lib/svc/method.

1.2 /lib/svc/method/svc-mysql

#!/sbin/sh
# mysql method script
. /lib/svc/share/smf_include.sh

DB_DIR=/var/mysql
PID_FILE=${DB_DIR}/`/usr/bin/uname -n`.pid

case "$1" in
start)
    /usr/local/mysql/bin/mysqld_safe --user=mysql --datadir=${DB_DIR} --pid-file=${PID_FILE} > /dev/null &
    ;;
stop)
    if [ -f ${PID_FILE} ]; then
        /usr/bin/pkill mysqld_safe > /dev/null 2>&1
        /usr/bin/kill `cat ${PID_FILE}` > /dev/null 2>&1 && echo -n mysql
    fi
    ;;
restart)
    # stop, wait until mysqld is gone, then start again
    $0 stop
    while pgrep mysqld > /dev/null
    do
        sleep 1
    done
    $0 start
    ;;
*)
    echo "Usage: `basename $0` {start | stop | restart}"
    exit 64
    ;;
esac

chown root:sys /var/svc/manifest/application/mysql.xml
chmod 444 /var/svc/manifest/application/mysql.xml
chown root:bin /lib/svc/method/svc-mysql
chmod 555 /lib/svc/method/svc-mysql

Validate the XML:
svccfg validate /var/svc/manifest/application/mysql.xml && echo OK
OK

svccfg import /var/svc/manifest/application/mysql.xml
svcadm -v enable mysql
svc:/application/mysql:default enabled.

483

Check the service status:

svcs -a | grep mysql
online         12:29:59 svc:/application/mysql:default

svcs -x mysql
svc:/application/mysql:default (?)
 State: online since Tue Dec 27 12:18:40 2005
   See: /var/svc/log/application-mysql:default.log
Impact: None.

svcs -p mysql
STATE          STIME    FMRI
online         Dec_27   svc:/application/mysql:default
               Dec_27      212 mysqld_safe
               Dec_27      291 mysqld

Logs are kept in /var/svc/log.

If the service fails, SMF moves it to the maintenance state; after the problem is fixed, clear the state and enable the service again with svcadm enable:
svcadm clear mysql

To stop the service:
svcadm -v disable mysql

485

utm5_core

3.1 /var/svc/manifest/utm/utm5_core.xml

<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="UTM5:utm5_core">
<service
    name="utm/utm5_core"
    type="service"
    version="1">
    <create_default_instance enabled="false" />
    <single_instance />
    <!-- Cannot work without application -->
    <dependency
        name="mysql"
        grouping="require_all"
        restart_on="restart"
        type="service">
        <service_fmri value="svc:/application/mysql" />
    </dependency>
    <exec_method
        type="method"
        name="start"
        exec="/lib/svc/method/svc-utm5_core start"
        timeout_seconds="120">
        <method_context>
            <method_credential user="root" group="root" />
        </method_context>
    </exec_method>
    <exec_method
        type="method"
        name="stop"
        exec="/lib/svc/method/svc-utm5_core stop %{restarter/contract}"
        timeout_seconds="120">
        <method_context>
            <method_credential user="root" group="root" />
        </method_context>
    </exec_method>
    <template>
        <common_name>
            <loctext xml:lang="C">NetUP UTM5 core</loctext>
        </common_name>
        <description>
            <loctext xml:lang="C">The Core of UTM5 System</loctext>
        </description>
        <documentation>
            <doc_link name="netup.ru" uri="http://www.netup.ru" />
        </documentation>
    </template>
</service>
</service_bundle>

3.2 /lib/svc/method/svc-utm5_core

#!/sbin/sh
# NetUP UTM 5 Core Method
. /lib/svc/share/smf_include.sh
. /netup/utm5/smf/mail.sh

CFGFILE=/netup/utm5/utm5.cfg
[ ! -f $CFGFILE ] && exit $SMF_EXIT_ERR_CONFIG
. $CFGFILE

BINDIR=/netup/utm5/bin
EXEC=utm5_core
[ ! -x $BINDIR/$EXEC ] && exit $SMF_EXIT_ERR_CONFIG

PIDFILE=${core_pid_file:-/var/run/utm5_core.pid}
MAINLOG=${log_file_main:-/netup/utm5/log/main.log}
SVCLOG=/var/svc/log/utm-utm5_core:default.log

# Send SIGUSR1 to the process whose PID is stored in the file $1, if it is still alive
check_and_kill ()
{
    PID=`head -1 $1`
    kill -0 $PID > /dev/null 2>&1
    [ $? -eq 0 ] && kill -USR1 $PID
}

case "$1" in
start)
    [ -x $BINDIR/$EXEC ] && $BINDIR/$EXEC &
    sleep 5
    if kill -0 $! > /dev/null 2>&1 ; then
        echo "Success."
        exit $SMF_EXIT_OK
    else
        echo "Error."
        exit $SMF_EXIT_ERR_FATAL
    fi
    ;;
stop)
    [ -f $PIDFILE ] && check_and_kill $PIDFILE
    sleep 10
    [ -f $PIDFILE ] && rm -f $PIDFILE
    # Notify admins about service stop
    notify_admin E "UTM5 Core exited!" ${SVCLOG}.40 ${MAINLOG}.30
    # Kill process
    smf_kill_contract $2 KILL 1
    ;;
*)
    echo "Usage: `basename $0` {start | stop}"
    ;;
esac

RADIUS server utm5_radius

4.1 /var/svc/manifest/utm/utm5_radius.xml

<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="netup:utm5_radius">
<service
    name="utm/utm5_radius"
    type="service"
    version="1">
    <create_default_instance enabled="false" />
    <single_instance />
    <!-- Cannot work without utm5_core -->
    <dependency
        name="utm5_core"
        grouping="require_all"
        restart_on="restart"
        type="service">
        <service_fmri value="svc:/utm/utm5_core" />
    </dependency>
    <!-- Execution methods -->
    <exec_method
        type="method"
        name="start"
        exec="/lib/svc/method/svc-utm5_radius start"
        timeout_seconds="120">
        <method_context>
            <method_credential user="root" group="root" />
        </method_context>
    </exec_method>
    <exec_method
        type="method"
        name="stop"
        exec="/lib/svc/method/svc-utm5_radius stop %{restarter/contract}"
        timeout_seconds="120">
    </exec_method>
    <template>
        <common_name>
            <loctext xml:lang="C">NetUP UTM5 radius</loctext>
        </common_name>
        <documentation>
            <doc_link name="netup.ru" uri="http://www.netup.ru" />
        </documentation>
    </template>
</service>
</service_bundle>

4.2 /lib/svc/method/svc-utm5_radius

#!/sbin/sh
# Radius method
. /lib/svc/share/smf_include.sh
. /netup/utm5/smf/mail.sh

CFGFILE=/netup/utm5/radius5.cfg
[ ! -f $CFGFILE ] && exit $SMF_EXIT_ERR_CONFIG
. $CFGFILE

MAINLOG=${log_file_main:-/netup/utm5/log/radius_main.log}
BINDIR=/netup/utm5/bin
EXEC=utm5_radius
PING=core_ping
PIDFILE=/var/run/utm5_radius.pid
SVCLOG=/var/svc/log/utm-utm5_radius:default.log

case "$1" in
start)
    # Start utm5_radius only after core_ping confirms that utm5_core answers.
    # Note: the RADIUS password passed here is visible to local users in ps output.
    [ -x $BINDIR/$PING -a -x $BINDIR/$EXEC ] && PING_ARGS="-h ${core_host:-127.0.0.1} -P ${core_port:-11758} -l ${radius_login:-radius} -p ${radius_password:-radius} -i 2 -c 1"
    if [ -n "$PING_ARGS" ]; then
        $BINDIR/$PING $PING_ARGS && $BINDIR/$EXEC &
        sleep 3
        kill -0 $! || exit $SMF_EXIT_ERR_FATAL
        exit $SMF_EXIT_OK
    else
        exit $SMF_EXIT_ERR_CONFIG
    fi
    ;;
stop)
    notify_admin W "Radius exited!" ${SVCLOG}.40 ${MAINLOG}.30
    smf_kill_contract $2 KILL 1 && rm -f $PIDFILE && exit $SMF_EXIT_OK
    ;;
*)
    echo "Usage: `basename $0` {stop|start}"
    ;;
esac

utm5_rfw

5.1 /var/svc/manifest/utm/utm5_rfw.xml

<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="netup:utm5_rfw">
<service
    name="utm/utm5_rfw"
    type="service"
    version="1">
    <create_default_instance enabled="false" />
    <single_instance />
    <!-- Cannot work without utm5_core -->
    <dependency
        name="utm5_core"
        grouping="require_all"
        restart_on="restart"
        type="service">
        <service_fmri value="svc:/utm/utm5_core" />
    </dependency>
    <!-- Execution methods -->
    <exec_method
        type="method"
        name="start"
        exec="/lib/svc/method/svc-utm5_rfw start"
        timeout_seconds="120">
        <method_context>
            <method_credential user="root" group="root" />
        </method_context>
    </exec_method>
    <exec_method
        type="method"
        name="stop"
        exec="/lib/svc/method/svc-utm5_rfw stop %{restarter/contract}"
        timeout_seconds="120">
    </exec_method>
    <template>
        <common_name>
            <loctext xml:lang="C">NetUP UTM5 rfw</loctext>
        </common_name>
        <documentation>
            <doc_link name="netup.ru" uri="http://www.netup.ru" />
        </documentation>
    </template>
</service>
</service_bundle>

5.2 /lib/svc/method/svc-utm5_rfw

#!/sbin/sh
# UTM5 rfw method
. /lib/svc/share/smf_include.sh
. /netup/utm5/smf/mail.sh

CFGFILE=/netup/utm5/rfw5.cfg
[ ! -f $CFGFILE ] && exit $SMF_EXIT_ERR_CONFIG
. $CFGFILE

MAINLOG=${log_file_main:-/netup/utm5/log/rfw_main.log}
BINDIR=/netup/utm5/bin
EXEC=utm5_rfw
EXEC_FLAGS=-f
PIDFILE=/var/run/utm5_rfw.pid
SVCLOG=/var/svc/log/utm-utm5_rfw:default.log

case "$1" in
start)
    [ -x $BINDIR/$EXEC ] && $BINDIR/$EXEC $EXEC_FLAGS &
    sleep 3
    kill -0 $! || exit $SMF_EXIT_ERR_FATAL
    exit $SMF_EXIT_OK
    ;;
stop)
    notify_admin W "UTM5 RFW exited!" ${SVCLOG}.40 ${MAINLOG}.30
    smf_kill_contract $2 KILL 1 && rm -f $PIDFILE && exit $SMF_EXIT_OK
    ;;
*)
    echo "Usage: `basename $0` {stop|start}"
    ;;
esac

506

MAIL_COPY_TO=another@email.address

MAIL_ADMIN_MAIL=any@email.address

# .

# .

notify_admin_ARGS=$@

# ----------------

# Common variables

# Copyright (c) 2001-2005 NetUP Inc. <info@netup.ru>. All rights reserved.

#!/sbin/sh

7.1 /netup/utm5/smf/mail.sh

notify_admin

507

[message]

Last $lines to be included into message body of the

(`tail -$lines $logfile used)

string

Message body. If contains spaces MUST be QUOTED.

Subject. If contains spaces MUST be QUOTED.

{E|W|N} ERROR, WARNING, NOTICE respectively. Default INFO.

# All parameters are optional.

string

string

char

[logfile.lines ...]

[subject]

#
$logfile

[type]

# Usage: notify_admin [type] [subject] [message] [logfile.lines ...]

# Version: 0.2

# Descr: Sends formatted email to admin

# Name: notify_admin ()

# ========

# Function

508

# -------------------------------

# If command line contains status

notify_admin_MAILER_ARGS=

notify_admin_MESSAGE=

notify_admin_SUBJECT=

notify_admin_STATUS=INFO

notify_admin_COPY_TO=$MAIL_COPY_TO

notify_admin_ADMIN_MAIL=${MAIL_ADMIN_MAIL:-root}

# -------------------------

# Initialize some variables

notify_admin ()

509

510

esac

;;

N)

;;

W)

;;

E)

case $1 in

shift

notify_admin_STATUS=NOTICE

shift

notify_admin_STATUS=WARNING

shift

notify_admin_STATUS=ERROR

do

^[^ ]*\.[0-9]?+$ > /dev/null 2>&1

if [ -z $notify_admin_MESSAGE ]; then

fi

continue

shift

notify_admin_SUBJECT=$1

if [ -z $notify_admin_SUBJECT ]; then

while echo $1 | egrep -v

# -------------------------------------------

# Set notify_admin_SUBJECT and notify_admin_MESSAGE variables

511

done

break

fi

continue

shift

notify_admin_MESSAGE=${1}\n

do

for opt in $@

if [ -n $1 ]; then

# ------------------------------------------------

# Check other arguments if any and prepare message

512

notify_admin_LOG_FNAME=`echo $opt | sed s/\.${notify_admin_

[ -s $notify_admin_LOG_FNAME ] || { notify_admin_MESSAGE=${notify_
admin_MESSAGE}\n---\n${notify_admin_LOG_FNAME} is empty.\n\n; continue; }

[ -r $notify_admin_LOG_FNAME ] || { notify_admin_MESSAGE=${notify_
admin_MESSAGE}\n---\n${notify_admin_LOG_FNAME} is not readable.\n\n; continue; }

[ -f $notify_admin_LOG_FNAME ] || { notify_admin_MESSAGE=${notify_
admin_MESSAGE}\n---\n${notify_admin_LOG_FNAME} does not exist.\n\n; continue; }

NUM_LINES}$//;`

# ------------------------------------------

# work with the argument as it is a logfile.

else

continue

if [ $? -ne 0 -o -z $notify_admin_NUM_LINES ]; then

notify_admin_NUM_LINES=`echo $opt | grep -v | awk -F. { print $NF


} | egrep ^[0-9]?+$ 2>/dev/null`

513

{
`date`
`hostname`

echo Date:

echo Host:

[ -n $notify_admin_COPY_TO ] && notify_admin_MAILER_ARGS=$notify_admin_MAILER_ARGS


-c $notify_admin_COPY_TO

# ------------------------------------

# Finally compose and send the message

fi

done

fi

notify_admin_MESSAGE=$notify_admin_MESSAGE\n---\n--- ${notify_
admin_LOG_FNAME}: Last $notify_admin_NUM_LINES lines.\n---\n`eval tail -${notify_admin_NUM_
LINES} $notify_admin_LOG_FNAME`\n

514

$0

echo Command:

$notify_admin_MAILER_ARGS $notify_admin_ADMIN_MAIL

} | mailx -s ${notify_admin_STATUS}: $notify_admin_SUBJECT \

echo *** End ***

echo $notify_admin_MESSAGE

echo

echo $notify_admin_SUBJECT

echo ---

$notify_admin_ARGS

[1] SMF http://www.sun.com/bigadmin/content/selfheal/


sdev_intro.html

`uptime | sed s/^[ ]*//;`

echo Uptime:

[ -n $notify_admin_ARGS ] && echo Args:

`uname -sr`

echo OS:

515

6.

SQL- .
UTM
:
/netup/utm5/bin/utm5_backup.sh


/netup/utm5/backup/UTM5.YY_MM_DD.gz,

YY , MM , DD .
:
0

root

/netup/utm5/bin/utm5_backup.sh

516

/etc/crontab
.
5
.

IP-
IP- .
:

/netup/utm5/bin/utm5_load_tc.pl -h
usage: utm5_load_tc.pl -f file -c tc_class -n our_net -m our_mask [-r incoming]

Parameters:
-f  file with the list of IP networks, one per line in the form IP_NET/MASK, where IP_NET is the network address and MASK is the prefix length.
-c

UTM. , 10.
-n

IP-. , 192.168.10.0.
-m

IP-. 255.255.255.0.
-r


128.134.151.128/25

-r 1, IP- ,
. , IP-
, .

144.206.166.0/24
144.206.176.0/24

517

ARP

-

IP
- MAC

-.
/netup/utm5/bin/utm5_arp.pl

, ARP-
.
cron. /etc/crontab:
*/5 * * * * root /netup/utm5/bin/utm5_arp.pl > /dev/null 2>/dev/null

cron.

IP

-

IP

-/
MAC
-.

518

IP

-/
MAC
-

/netup/utm5/bin/arp.sh :
/netup/utm5/bin/arp.sh


ARP
- IP

-/
MAC
-.

permanent

PERM.
:
(10.1.2.27) at 00:0c:29:8e:be:86 on lnc0 permanent
[ethernet]

ARP- cron. /etc/crontab:


*/5 * * * * root /netup/utm5/bin/arp.sh > /dev/null 2>/dev/null

cron.


IP
-
,
IP

-.

519

520

22. 2

1. NetFlow ............................ 523


1.1 ................................................................. 523
1.2
NDSAD .......................................................................... 524
1.3 C NetFlow Cisco . .............................................................531
1.4 NetFlow
get_xyz ............................................537
2. NAS ........................................................... 544
2.1 ................................................................. 544
2.2 VPN- PoPToP ........................ 544
2.3 RRAS . .................................................. 548
2.4 VPN-
Cisco .................................................................548
2.5 802.1x EAP . ...............551
2.6 Mikrotik
HotSpot ......................................................................... 558
2.7 Cisco 2511
. .......................................... 564
2.8 Cisco
.............................................. 566
3. firewall ............................................. 572
3.1 ................................................................. 572
3.2 iptables
Linux . ............................................................................ 573
3.3
FreeBSD ......................................................................... 573
3.4
Cisco .............................................................................. 575
3.5 NAT ............................................. 578

521

4.
HotSpot .................................... 582
4.1 DHCP .............................582
4.2 firewall ................................................. 584
4.3 - Apache ............................587
5.
. ............................. 589
5.1 H323 GNUGK 589
5.2 Cisco ATA-186 ..................................... 594
5.3 VoIP Cisco 26xx, 36xx,
53xx . .............................................................................. 595
5.4 tftp .........................................597
5.5 Cisco
IVR ................................................................................ 598
5.6 Alterteks ProxySoftSwitch
UTM .............................................................................. 600

522

1. NetFlow
1.1
:
ndsad UTM , ;

UTM,
ndsad

ndsad , , ,
.

2
ndsad, , ,
.
ndsad UDP,

523

NetFlow 5.
UDP-,
, ,
. UDP
/netup/utm5/
utm5.cfg. ,
127.0.0.1.

1.2
NDSAD

ndsad
/netup/utm5/ndsad.cfg. NetFlow ,
ip 127.0.0.1, port
9996.
ndsad
, .
ifconfig. , , force. ,
(NAT)
, , :
.
FreeBSD

ndsad

:
/usr/local/etc/rc.d/ndsad.sh start

Linux

ndsad

524

/etc/rc.d/init.d/ndsad start

Windows NT- ndsad


. --install --uninstall
. , .
C:\Program Files\NetUP\UTM5>ndsad.exe --install
Successfully created ndsad service
C:\Program Files\NetUP\UTM5>ndsad.exe --uninstall
Successfully deleted ndsad service

NDSAD
Windows NT ( ).
net start ndsad

NDSAD .
c:\program files\NetUP\UTM5\ndsad.exe


.

( ) .
, :

, :
. ping- -
, ping- (,
ndsad);
ndsad. , UDP- -

525


. , :
su# tcpdump -ni lo0 port 9996
:
12:40:51.958448 127.0.0.1.4675 > 127.0.0.1.9996: udp 1464
12:40:51.959051 127.0.0.1.4675 > 127.0.0.1.9996: udp 408
12:40:51.959074 127.0.0.1.4675 > 127.0.0.1.9996: udp 648

, ndsad ( ndsad.cfg).
ndsad.cfg .
, , ndsad


.
ndsad
http://sourceforge.net/projects/ndsad .
, ,

526

. , # .
:
<> <>

, ,
.
, ndsad

, . , eth : eth0, eth1, eth12 ..



( heap hash). (,
), :
force rl0
force fxp0


ip

. ( ) . : ip 127.0.0.1.
: ip 10.0.0.1.
port

. ip. : port
9996.

: port 10001.


. , . , ignore dummy.
.
: force eth0.

force

ignore

, . . force.

527

: ignore eth0.
Win32 force ignore
IP-, .
Win

32:
force \Device\NPF_{A07050FE-62B3-40AF-B6D2658701A56089}
ignore 192.168.1.1
force 192.168.0.1

dummy

,
. . force.
all , , , force, .
: dummy eth.
promisc

, ,
. ,
.
: promisc ex0.
filter

A capture filter for the interface, written in tcpdump syntax (see man tcpdump).

Example: filter fxp0 not port 135

528

: filter fxp0 net 10.0.0.0/24 and not port 135


hash

.
.
. : hash all 128.
: hash lo 64.
heap

.
, .
,
. .
: heap 16384.
: heap 65536.
dump


. . 0 ,
. ,
SIGHUP. : dump 0.
: dump 5.
log

Log file. If it is not set, messages go to stderr. Example: log /var/log/ndsad.log. Default: /netup/utm5/log/ndsad.log.

bsd_div_port

Port of the ipfw divert (tee) socket from which packets are read. The ipfw rule
ipfw add 10 tee 21000 all from any to any
sends copies of all packets to port 21000, which is then given in the configuration as:
bsd_div_port 21000
Works only on FreeBSD.
bsd_div_copy

divert tee,
yes. .
ulog_group


ULOG Linux
iptables. :
ulog_group 13
13.

:

iptables -A OUTPUT -s 10.0.0.1 -d 10.0.0.2 -j ULOG --ulog-nlgroup 13

530

- No buffer
space available, -
:
sysctl -w net/core/rmem_max=1048576
sysctl -w net/core/rmem_default=1048576
.


BSD: vlan, bfe, tun, ng, nv, lo, dc, fxp, pcn,
rl, sf, sis, ste, tl, tx, vr, wb, xl, de, txp, vx, bge, em, gx, lge,
nge, sk, ti, wx, cx, ed, el, ep, ie, is, le, ex, lnc, my, wi, an.
Linux: lo, eth, ppp.
Win32 Ethernet, eth
VPN-, \Device\NPF_GenericDialupAdapter \Device\
NPF_GenericNdiswanAdapter.
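The ndsad.cfg directives described above, as an added example that is not part of the NetUP manual or the ndsad project: a parser that reports unknown directives and bad values, plus a check on where the (unencrypted, UDP) NetFlow export is sent; the sample configuration at the bottom is constructed for this example.

```python
"""Parser and sanity checker for ndsad.cfg (added example, not NetUP code).

Directive set follows the description above: one directive per line, '#'
starts a comment. force/ignore/dummy/promisc take an interface name (or, on
Win32, an IP address or \\Device\\NPF_... path); filter and hash take an
interface followed by an expression or size; the remaining directives are
single-valued. Typos are reported rather than ignored, because a misspelled
'force' silently leaves an interface unaccounted for.
"""
import ipaddress

IFACE_LIST = ("force", "ignore", "dummy", "promisc")
# Single-valued directives and the kind of value each one expects.
SINGLE = {"ip": "ip", "port": "port", "heap": "uint", "dump": "uint",
          "log": "path", "bsd_div_port": "port", "bsd_div_copy": "yesno",
          "ulog_group": "uint"}


def _validate(kind, value):
    """Return an error string for a bad value, or None when it is acceptable."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return "not an IP address"
    elif kind == "port":
        if not (value.isdigit() and 1 <= int(value) <= 65535):
            return "port must be 1..65535"
    elif kind == "uint":
        if not value.isdigit():
            return "expected a non-negative integer"
    elif kind == "yesno":
        if value not in ("yes", "no"):
            return "expected yes or no"
    return None


def parse_ndsad_cfg(text):
    """Parse ndsad.cfg text into a dict; problems are collected under 'errors'."""
    cfg = {"interfaces": [], "filters": {}, "hash": {}, "errors": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key in IFACE_LIST:
            if not arg:
                cfg["errors"].append(f"line {lineno}: {key} needs an interface")
            else:
                cfg["interfaces"].append((key, arg))
        elif key == "filter":
            iface, _, expr = arg.partition(" ")
            if not (iface and expr.strip()):
                cfg["errors"].append(f"line {lineno}: filter needs interface and expression")
            else:
                cfg["filters"][iface] = expr.strip()
        elif key == "hash":
            iface, _, size = arg.partition(" ")
            size = size.strip()
            err = _validate("uint", size) if iface else "hash needs interface and size"
            if err:
                cfg["errors"].append(f"line {lineno}: {err}")
            else:
                cfg["hash"][iface] = int(size)
        elif key in SINGLE:
            err = _validate(SINGLE[key], arg) if arg else "missing value"
            if err:
                cfg["errors"].append(f"line {lineno}: {key}: {err}")
            elif key in cfg:
                cfg["errors"].append(f"line {lineno}: duplicate {key}")
            else:
                cfg[key] = int(arg) if SINGLE[key] in ("port", "uint") else arg
        else:
            cfg["errors"].append(f"line {lineno}: unknown directive {key!r}")
    return cfg


def collector_warnings(cfg):
    """Defender-side checks: NetFlow v5 is plain UDP, so the collector should be local."""
    warnings = []
    ip = ipaddress.ip_address(cfg.get("ip", "127.0.0.1"))   # 127.0.0.1 is the ndsad default
    if not (ip.is_loopback or ip.is_private):
        warnings.append(f"collector {ip} is a public address; NetFlow export is unencrypted UDP")
    for kind, iface in cfg["interfaces"]:
        if kind == "promisc":
            warnings.append(f"{iface} is captured in promiscuous mode; keep it off shared segments")
    return warnings


SAMPLE_CFG = """\
# constructed sample ndsad.cfg for this example
ip 10.0.0.1
port 9996
force eth0
ignore eth1
filter eth0 net 10.0.0.0/24 and not port 135
hash all 128
heap 65536
dump 5
forse eth2
"""

if __name__ == "__main__":
    parsed = parse_ndsad_cfg(SAMPLE_CFG)
    print(parsed["interfaces"], parsed["errors"], collector_warnings(parsed))
```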

1.3 C
NetFlow

Cisco


Cisco

NetFlow

.
CiscoRouter# conf t
CiscoRouter(config)# interface FastEthernet 0/0
CiscoRouter(config-if)# ip route-cache flow

Then set the NetFlow export version and the collector address:
CiscoRouter(config)# ip flow-export version 5
CiscoRouter(config)# ip flow-export destination 10.1.1.1 9996

531

C NetFlow Cisco NAT
IP- NAT,
, ,

Internet IP- . ,
NetFlow-
,
.
, IP- 10.11.0.0 255.255.0.0, IP 10.1.0.1. 10.11.0.6 www.netup.ru IP- 195.161.112.6.

[Figure: Cisco 3620 with interfaces Ethernet 1/0 and Ethernet 1/1]

Cisco

Current configuration : 4013 bytes


!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
ip subnet-zero
!
ip cef
!

. ,
IP-
195.161.112.6 IP- 10.11.0.6. NetFlow, ip route-cache
flow.
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
ip route-cache flow
!

. IP- 195.161.112.6 IP-


10.1.0.1. NetFlow, ip route-cache flow.
, ip policy route-map NETUP_MAP,

ip route-cache policy

Loopback 0 , route-map.
!
interface Ethernet1/0
ip address 10.1.0.1 255.255.0.0
ip nat outside
ip route-cache policy
ip route-cache flow
ip policy route-map NETUP_MAP
!

. IP- 10.11.0.6 IP- 195.161.112.6.


NetFlow, ip route-cache flow.
!
interface Ethernet1/1
ip address 10.11.0.1 255.255.0.0
ip nat inside
ip route-cache policy
ip route-cache flow

, IP- ,
NetFlow- UTM
.

!
ip nat inside source list 1 interface Ethernet1/0 overload
ip flow-export version 5
ip flow-export destination 10.1.0.5 9996
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.5
!

. ( 1) ,
IP- NAT.
( 108) route-map.
!
access-list 1 permit 10.11.0.0 0.0.255.255
access-list 108 permit ip any 10.11.0.0 0.0.255.255
!

, , ,
108 ( 10.11.0.0),
Loopback 0. ,
IP-, IP-
195.161.112.6, NAT, Loopback 0, NetFlow.

route-map NETUP_MAP permit 10
match ip address 108
set interface Loopback0 Ethernet1/1
!
end

,
,
NetFlow
:

1. route-map. :
show route-map NETUP_MAP

.
2.
NetFlow. :
show ip cache flow | include 195.161.112.6

:
Router#show ip cache flow | include 10.1.2.2
SrcIf  SrcIPaddress    DstIf  DstIPaddress    Pr SrcP DstP Pkts
Et1/0  195.161.112.6   Et1/1  10.11.0.6       06 0050 1093 3
Et1/1  10.11.0.6       Et1/0  195.161.112.6   06 1093 0050
Et1/0  195.161.112.6   Local  10.1.0.1        06 0050 1093 2
SrcIf , .
DstIf , .
Null, NetFlow. .

1.4
NetFlow get_xyz
NetUP UTM 5
NetFlow v. 5. NetFlow
NetUP get_xyz. C++
.
NetFlow v.5
. get_xyz
.


NetUP get_xyz

get_xyz NetFlow 5 UTM /netup/utm5/bin/get_xyz :
-d
-l
get_xyz Cisco IPAccounting, Mikrotik, NSG, Revolution Cisco NetFlow v5 . :
LOGFILE LOGFILE
-k
-h .

/netup/ conf

, #, .
:
outfile=/tmp/traffic.log

, .
outhost=127.0.0.1

IP- , NetFlow v.5.
outport=9996

, NetFlow v.5.

loop=600

( ), . , , . , . {}.
host {

type=nsg

, . : cisco, revolution, mikrotik, nsg.

ip=192.168.0.1

IP- .

port=23

TCP- .

timeout=5

- .

login=root

.

password=foo

.
}

, .

C IP-accounting Cisco

/netup/utm5/get_xyz.conf :

outhost=127.0.0.1
outport=9996
loop=30
host {
type=cisco
ip=10.1.2.99
port=514
login=root
timeout=5
}

Cisco


.
CiscoRouter#conf t
CiscoRouter(config)# interface FastEthernet 0/0
CiscoRouter(config-if)#ip accounting

get_xyz .
CiscoRouter#conf t
CiscoRouter(config)#username netup privilege 8 password 0 plain_text_password
CiscoRouter(config)#ip rcmd rsh-enable
CiscoRouter(config)#no ip rcmd domain-lookup
CiscoRouter(config)#ip rcmd remote-host netup REMOTE_IP_ADDRESS REMOTE_USER_NAME enable 8

REMOTE_IP_ADDRESS IP- get_xyz.
REMOTE_USER_NAME get_xyz,

CiscoRouter(config)#privilege exec level 8 show ip accounting checkpoint
CiscoRouter(config)#privilege exec level 1 show ip
CiscoRouter(config)#privilege exec level 8 clear ip accounting


Cisco .
/netup/utm5/bin/get_xyz -d

, Cisco .
show ip accounting

, NetFlow v.5 . , .
su# tcpdump -ni lo0 port 9996

12:40:51.959051 127.0.0.1.4675 > 127.0.0.1.9996: udp 408
12:40:51.959074 127.0.0.1.4675 > 127.0.0.1.9996: udp 648
12:40:51.958448 127.0.0.1.4675 > 127.0.0.1.9996: udp 1464

C IP-accounting ipcad

/netup/utm5/get_xyz.conf :
outhost=127.0.0.1
outport=9996
loop=30
host {
type=cisco
ip=10.0.0.1
# IP- ipcad.
port=514
login=root
password=root
timeout=5
}

ipcad (http://sourceforge.net/projects/ipcad/) /usr/local/etc/ipcad.conf :

interface fxp0;
rsh enable;
rsh root@127.0.0.1 admin;
rsh root@10.0.0.2 admin;
# IP- get_xyz , get_xyz
pidfile = /var/run/ipcad.pid;
memory_limit = 32m;
dumpfile = ipcad.dump;
ttl = 3;
rsh timeout = 30;


Cisco IP-Accounting ipcad get_xyz, Cisco NetFlow (127.0.0.1) 9996. , UDP- 9996.
tcpdump:
su-2.05b# tcpdump -ni lo0 port 9996
tcpdump: listening on lo0
17:38:26.347689 127.0.0.1.2789 > 127.0.0.1.9996: udp 1464
17:38:26.751455 127.0.0.1.2789 > 127.0.0.1.9996: udp 1464
17:38:26.952631 127.0.0.1.2789 > 127.0.0.1.9996: udp 1464
17:38:26.550360 127.0.0.1.2789 > 127.0.0.1.9996: udp 1464

2. NAS
2.1

( VPN ) RADIUS . ( NAS ) RADIUS , , , .

NAS RADIUS

2.2 VPN- PoPToP

FreeBSD VPN ( PoPToP). FreeBSD .
/etc/pptpd.conf.
.
option /etc/ppp/ppp.conf
localip 172.16.0.1
pidfile /var/run/pptpd.pid

/etc/ppp/ppp.conf.
.
loop:
set timeout 0
set device /dev/ppp
local
set ifaddr 172.16.0.1 172.16.0.2-254 255.255.255.255
set server /tmp/loop 0177
pptp:
load loop
enable chap
#enable mschapv2
#enable pap
set radius /etc/radius.conf

CHAP . , PAP, MSCHAP-v2 .
/etc/radius.conf.
.
auth 127.0.0.1:1812 mysecret
acct 127.0.0.1:1813 mysecret

VPN , UTM5 RADIUS 127.0.0.1 ( ) 1812 1813. RADIUS mysecret

pptpd FreeBSD . .

Linux ( RedHat 9.0)

ppp .
cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
cvs
cvs -z5 -d :pserver:cvs@pserver.samba.org:/cvsroot co ppp
cd ppp/
./configure
make
make install


CVS , ftp://ftp.samba.org/pub/ppp/ppp-2.4.2.tar.gz. .

tar xvfz ppp-2.4.2.tar.gz
cd ppp-2.4.2
./configure
make
make install


VPN ( PoPToP). RedHat , http://www.poptop.org/.
/etc/pptpd.conf.
.

option /etc/ppp/options
localip 172.16.0.1

/etc/ppp/options.
.
auth
#require-pap
require-chap
#require-mschap-v2
local
172.16.0.1:
plugin radius.so

CHAP . , PAP, MSCHAP-v2 .
/etc/radiusclient/radiusclient.conf. RADIUS.
authserver localhost:1812
acctserver localhost:1813

localhost mysecret

, UTM5 RADIUS 127.0.0.1 ( ) 1812 1813. RADIUS mysecret /etc/radiusclient/servers.

VPN .
pptpd Linux Red Hat 9.0 . , .

2.3 RRAS

VPN Windows (Windows 2000 Windows 2003) RRAS (Routing and Remote Access Service). (Control Panel | Administrative Tools | Routing and Remote Access service).

, MMC . Configure and Enable Routing and Remote Access RRAS . Radius , .

Security Authentication provider RADIUS Authentication Configure. radius - OK . Radius Accounting.

. RRAS http://www.microsoft.com.

2.4 VPN -
Cisco
Cisco, IOS - IOS (tm) 3600 Software (C3620-ISM), Version 12.3(3a), RELEASE SOFTWARE (fc2):

!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
interface Virtual-Template1
ip address 192.168.20.1 255.255.255.0
ip tcp header-compression
ip mroute-cache
no peer default ip address
ppp authentication ms-chap-v2 chap
!
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813
radius-server key secret
!


MS CHAP 2 CHAP
RADIUS 10.0.0.1.

Router#show vpdn session

%No active L2TP tunnels
%No active L2F tunnels
PPTP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Intf  Username   State   Last Chg  Uniq ID
10    32768 11    Vi3   vpn_netup  estabd  00:00:23  9

2.5 802.1x EAP


UTM5 RADIUS EAP RFC 3579 RFC 3748.
EAP-MD5.


. Cisco Catalyst 2950T 12.1(19)EA1c D-Link DES-3226S.
NetUP UTM 5 NetUP.


, . .. ,
. .

Windows . .

1.

2.
Windows


Windows:
Windows XP SP2
Windows server 2003 SP1

Windows ,
802.1x MD5-Challenge.

3. 802.1x Windows

.

RADIUS UTM5 RADIUS.
,
.
IP-. .

802.1. Cisco Catalyst 2950T.
RADIUS :

!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!

!
dot1x system-auth-control

802.1 :
RADIUS :

!
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813
radius-server key testkey
!

802.1 .
:

!
interface FastEthernet0/1
switchport mode access
no ip address
dot1x port-control auto
dot1x host-mode multi-host

.
.
802.1
. UTM5 RADIUS
. . .

UTM5 RADIUS , CHAP Challenge


.
RADIUS .
.

?Debug : Jan 07 00:18:21 RADIUS Server Auth: User <test> connecting
?Debug : Jan 07 00:18:21 RADIUS Server Auth: EAP message detected without State. State <test_1136582301_33> generated. Using it as session id for storing in sessions cache.
?Debug : Jan 07 00:18:21 RADIUS DBA: Info for login <test> found. type <2>
?Debug : Jan 07 00:18:21 RADIUS Server Auth: Auth scheme: EAP
ERROR : Jan 07 00:18:21 RADIUS Server Auth: EAP subsystem called. Supporting: EAP-MD5
?Debug : Jan 07 00:18:21 RADIUS Server Auth: EAP: Message-Authenticator verify success
?Debug : Jan 07 00:18:21 RADIUS Server Auth: EAP: Current state: 0
?Debug : Jan 07 00:18:21 RADIUS Server Auth: EAP Dump: eap code <2> eap type <1> eap size 4 (eap id 0)
?Debug : Jan 07 00:18:21 RADIUS Server Auth: EAP: Identity <test> got
?Debug : Jan 07 00:18:21 RADIUS EAPState: Setting replay code to request, Type to auth_chap (EAP-MD5 request)
?Debug : Jan 07 00:18:21 RADIUS Server Auth: EAP: state challenge! Setting State<test_1136582301_33>
?Debug : Jan 07 00:18:21 RADIUS Server Auth: EAP: Reply send
?Debug : Jan 07 00:18:21 RADIUS Server Auth: EAP in progress! Storing session with id <test_1136582301_33>
:
?Debug : Jan 07 00:18:22 RADIUS Server Auth: User <test> connecting
?Debug : Jan 07 00:18:22 RADIUS Server Auth: Session for <test_1136582301_33> found in <10.1.2.254> cache
?Debug : Jan 07 00:18:22 RADIUS Server Auth: Auth scheme: EAP
ERROR : Jan 07 00:18:22 RADIUS Server Auth: EAP subsystem called. Supporting: EAP-MD5
?Debug : Jan 07 00:18:22 RADIUS Server Auth: EAP: Message-Authenticator verify success
?Debug : Jan 07 00:18:22 RADIUS Server Auth: EAP: Current state: 3
?Debug : Jan 07 00:18:22 RADIUS Server Auth: EAP Dump: eap code <2> eap type <4> eap size 21 (eap id 1)
?Debug : Jan 07 00:18:22 RADIUS EAPState: Chap response check success! Setting state to success!
?Debug : Jan 07 00:18:22 RADIUS Server Auth: EAP: state success!
?Debug : Jan 07 00:18:22 RADIUS Server Auth: EAP: Reply send

, ,
.
UTM5 RADIUS

.
, . UTM5 RADIUS
Access-Accept,
.
UTM5 RADIUS Access-Reject
.

RFC- 3579
RFC- 3748
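The two log excerpts above are the server side of one EAP-MD5 authentication: the Identity response, the MD5-Challenge request the server issues, and the second Access-Request whose Message-Authenticator and challenge response are checked before the Access-Accept. The following Python is an added example, not UTM5 RADIUS code, that implements those server-side checks as RFC 3579 (Message-Authenticator) and RFC 3748 (MD5-Challenge) define them. The shared secret `testkey` and the login `test` are taken from the switch configuration and log above; the password, challenge, Request Authenticator and function names are assumptions.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute types (RFC 2865, RFC 3579) and EAP constants (RFC 3748)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4


def eap_md5_value(eap_id, password, challenge):
    """RFC 3748 section 5.4: MD5-Challenge response = MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


def eap_md5_response(eap_id, password, challenge, name=b""):
    """EAP-Response/MD5-Challenge as the supplicant hands it to the switch."""
    value = eap_md5_value(eap_id, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def access_request(secret, request_authenticator, username, eap_packet):
    """Access-Request the switch relays; RFC 3579 section 3.2 requires Message-Authenticator
    (HMAC-MD5 keyed with the shared secret over the packet with this attribute zeroed)."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    for i in range(0, len(eap_packet), 253):        # EAP-Message fragments at 253 bytes
        frag = eap_packet[i:i + 253]
        attrs += bytes([EAP_MESSAGE, 2 + len(frag)]) + frag
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = struct.pack("!BBH", 1, 0, 20 + len(attrs)) + request_authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def attributes(pkt):
    """Return a list of (type, value, offset); a bad length is an error, never a read past the end."""
    out, i = [], 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            raise ValueError("bad attribute length")
        out.append((t, pkt[i + 2:i + l], i))
        i += l
    return out


def verify_message_authenticator(secret, pkt):
    for t, v, off in attributes(pkt):
        if t == MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False        # mandatory when EAP-Message is present, so a missing one fails


def server_check(secret, pkt, password, challenge):
    """The server side of the second round trip in the log above: Message-Authenticator,
    EAP reassembly, then the MD5-Challenge response check."""
    try:
        if not verify_message_authenticator(secret, pkt):
            return "Access-Reject: Message-Authenticator verify failed"
        eap = b"".join(v for t, v, _ in attributes(pkt) if t == EAP_MESSAGE)
    except ValueError:
        return "Access-Reject: malformed attributes"
    if len(eap) < 6:
        return "Access-Reject: truncated EAP"
    code, eap_id, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap) or code != EAP_RESPONSE or eap[4] != EAP_TYPE_MD5:
        return "Access-Reject: not an EAP-MD5 response"
    size = eap[5]
    if size != 16 or len(eap) < 6 + size:
        return "Access-Reject: bad MD5-Challenge value size"
    if hmac.compare_digest(eap[6:6 + size], eap_md5_value(eap_id, password, challenge)):
        return "Access-Accept"
    return "Access-Reject: MD5 response mismatch"


def demo():
    """Constructed exchange: shared secret and login from the switch configuration above,
    password, challenge and Request Authenticator chosen here."""
    secret, user, password = b"testkey", b"test", b"test-password"
    challenge = os.urandom(16)          # value from the server's EAP-Request/MD5-Challenge
    req_auth = os.urandom(16)           # the switch's random Request Authenticator
    good = access_request(secret, req_auth, user, eap_md5_response(1, password, challenge))
    wrong = access_request(secret, req_auth, user, eap_md5_response(1, b"guess", challenge))
    tampered = bytearray(good)
    tampered[22] ^= 0x01                # flip one bit of the User-Name value in transit
    return {"good": server_check(secret, good, password, challenge),
            "wrong_password": server_check(secret, wrong, password, challenge),
            "tampered": server_check(secret, bytes(tampered), password, challenge)}


if __name__ == "__main__":
    print(demo())
```

Two details are worth noting for anyone reading the UTM5 log: the Message-Authenticator is checked first, so a packet from a NAS that does not know the shared secret is rejected before any EAP state is touched, and the challenge must be the one the server stored for this session (the State attribute in the log), which is why the server keeps it in its session cache between the two round trips.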


2.6 Mikrotik HotSpot

HotSpot MikroTik Router OS NetUP UTM 5.0.

MikroTik Router OS NetUP UTM 5.0.

IP- DHCP, , - MikroTik Router OS ( MikroTik). MikroTik - www.mikrotik.com.
,
.
Radius.

HotSpot MikroTik
:
[admin@MikroTik] ip hotspot> setup
Select interface to run HotSpot on
hotspot interface: ether2
Add hotspot authentication for existing interface
setup?
interface already configured: yes
Use SSL authentication?
use ssl: no
Use transparent web proxy for hotspot clients?
use transparent web proxy: no
Use local DNS cache?
use local dns cache: no
DNS name of local hotspot server
dns name: 192.168.0.1
Select another port for (www) service
port 80 is used by www service, select some other
port for this service
another port for service: 8081
Create local hotspot user
name of local hotspot user: admin
password for the user: admin
[admin@MikroTik] ip hotspot>

[admin@MikroTik] ip hotspot> aaa set use-radius=yes accounting=yes

- :

[admin@MikroTik] radius> add service=hotspot address=10.1.2.105 secret=secret authentication-port=1812 accounting-port=1813

DHCP- :
[admin@MikroTik] ip dhcp-server> setup
Select interface to run DHCP server on
dhcp server interface: ether2
Select network for DHCP addresses
dhcp address space: 192.168.0.0/24
Select gateway for given network
gateway for dhcp network: 192.168.0.1
Select pool of ip addresses given out by DHCP server
addresses to give out: 192.168.0.2-192.168.0.254
Select DNS servers
dns servers: 10.1.2.5
Select lease time
lease time: 3d
[admin@MikroTik] ip dhcp-server>

DNS- :
[admin@MikroTik] ip dns> set primary-dns=10.1.2.5
[admin@MikroTik] ip dns> set allow-remote-requests=yes

DHCP IP-, , DNS-.

MikroTik:

MikroTik
Radius-.
- Radius- :
?Debug : Oct 01 22:14:47 RADIUS Auth: Packet from
?Debug : Oct 01 22:14:47 RADIUS Auth: User connecting
?Debug : Oct 01 22:14:47 RADIUS DBA: login_store iter->second.dialup.session_count:0
?Debug : Oct 01 22:14:47 RADIUS Auth: Auth scheme: CHAP
?Debug : Oct 01 22:14:47 RADIUS Auth: CHAP: Challenge size: 16
?Debug : Oct 01 22:14:47 RADIUS Auth: Dialup session limit:0 session count:0 for user:hsptest
?Debug : Oct 01 22:14:47 RADIUS Auth: Calculated maximum session time: 67
?Debug : Oct 01 22:14:47 RADIUS DBA: dialup_link_update called for slink:41
?Debug : Oct 01 22:14:47 RADIUS Auth: CHAP: Authorized user
?Debug : Oct 01 22:14:47 RADIUS DBA: soft dialup_link_update for slink:41 session_count:1

Calculated maximum session time: 67 67 . - Mikrotik Access-Accept ( ).
tcpdump:
length: 109) 10.1.2.105.1812 > 10.1.2.67.1024: [udp sum ok] RADIUS, length: 81
Access Accept (2), id: 0x12, Authenticator: 3fdcd4d2ef3a1272554cfa9389cd73e2
Service Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
Framed Protocol Attribute (7), length: 6, Value: PPP
0x0000: 0000 0001
Framed Routing Attribute (10), length: 6, Value: None
0x0000: 0000 0000
Framed MTU Attribute (12), length: 6, Value: 1500
0x0000: 0000 05dc
Framed Compression Attribute (13), length: 6, Value: None
0x0000: 0000 0000
Session Timeout Attribute (27), length: 6, Value: 01:12 min
0x0000: 0000 0048

.

. Radius- Accounting-Stop . - Radius- :

Acct: Packet from MikroTik
?Debug : Oct 01 22:15:54 RADIUS Acct: Acct packet with session ID: 80100007
?Debug : Oct 01 22:15:54 RADIUS Acct: Acct-Stop packet
?Debug : Oct 01 22:15:54 RADIUS DBA: Dialup Discount: TR ID 1: 0.019 for 67 sec

,
.


2.7 Cisco 2511

Cisco .
Cisco 2511 16 . IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(3).
aaa new-model
aaa authentication password-prompt password:
aaa authentication username-prompt login:
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting network default start-stop group radius

interface Group-Async0
ip unnumbered Ethernet0
encapsulation ppp
async mode interactive
peer default ip address pool TEST
ppp authentication pap
group-range 1 16
!
interface Ethernet0
ip address 192.168.0.2 255.255.255.0
no ip mroute-cache
!
ip local pool TEST 172.16.0.2 172.16.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
no ip http server
async-bootp dns-server 195.161.112.6
!
radius-server host 192.168.0.3 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key mysecret
!
line 1 16
script modem-off-hook offhook
script callback callback
modem InOut
modem autoconfigure type usr_sportster
transport input all
autoselect during-login
autoselect ppp
speed 115200
!
end

RFC-2138
RFC-2139
2.8 Cisco

RADIUS Access-Accept , , . 9 (Cisco) 1 (Cisco-AVPair). , . :
1. , IP- IP- . :
ip:addr-pool=POOLNAME

2. , . : lcp:interface-config#1=rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop 64000 /. input, , . input output, .

IP- 64 /. NetUP UTM. :
:
Vendor: 9
Attr: 1
: lcp:interface-config#1=rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop
: String

1. RADIUS- NetUP UTM
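Both the Access-Accept captured with tcpdump in section 2.6 (Service-Type, Framed-MTU, Session-Timeout 0x48 and so on) and the Cisco-AVPair attribute just described (Vendor 9, Attr 1, type String) are ordinary RADIUS attributes. The following Python is an added example, not part of this manual or of NetUP UTM: it builds such an Access-Accept, encodes the Cisco-AVPair as a Vendor-Specific attribute (type 26), decodes the packet back into the form the tcpdump listing shows, and verifies the Response Authenticator that a NAS must check before it applies the rate limit. The shared secret `secret` and packet id 0x12 come from the page; the Request Authenticator and the function names are assumptions.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1               # Cisco-AVPair sub-attribute
ATTR_NAMES = {6: "Service-Type", 7: "Framed-Protocol", 10: "Framed-Routing",
              12: "Framed-MTU", 13: "Framed-Compression", 26: "Vendor-Specific",
              27: "Session-Timeout"}
INT_ATTRS = {6, 7, 10, 12, 13, 27}


def int_attr(attr_type, value):
    return bytes([attr_type, 6]) + struct.pack("!I", value)


def cisco_avpair(text):
    """Cisco-AVPair as a Vendor-Specific attribute: type 26, vendor id 9, sub-type 1 (RFC 2865 5.26)."""
    value = text.encode()
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, 2 + len(value)]) + value
    if 2 + len(vsa) > 255:
        raise ValueError("attribute would exceed the 253-byte RADIUS value limit")
    return bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa


def access_accept(secret, ident, request_authenticator, attrs):
    """RFC 2865 section 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + resp_auth + body


def response_authenticator_ok(secret, pkt, request_authenticator):
    """A NAS recomputes this before acting on an Access-Accept; without it, anyone who can
    spoof the server's UDP source can grant access and set attributes such as rate limits."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def decode(pkt):
    """Decode header and attributes the way the tcpdump listing above presents them."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        v = pkt[i + 2:i + l]
        entry = {"type": t, "name": ATTR_NAMES.get(t, f"Attr-{t}"), "length": l}
        if t in INT_ATTRS and len(v) == 4:
            entry["value"] = struct.unpack("!I", v)[0]
        elif t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor = struct.unpack("!I", v[:4])[0]
            sub_type, sub_len = v[4], v[5]
            if sub_len != len(v) - 4:
                raise ValueError("bad VSA sub-attribute length")
            entry.update({"vendor": vendor, "subtype": sub_type,
                          "value": v[6:sub_len + 4].decode("ascii", "replace")})
        else:
            entry["value"] = v
        attrs.append(entry)
        i += l
    return {"code": code, "id": ident, "authenticator": pkt[4:20].hex(), "attrs": attrs}


RATE_LIMIT = ("lcp:interface-config#1=rate-limit input 64000 8000 8000 "
              "conform-action transmit exceed-action drop")


def demo():
    """Constructed Access-Accept: the attribute set from the MikroTik capture in section 2.6
    (Session-Timeout 0x48 = 72 s) plus the Cisco-AVPair from section 2.8; secret and packet
    id are from the page, the Request Authenticator is made up here."""
    secret = b"secret"
    req_auth = bytes(range(16))
    pkt = access_accept(secret, 0x12, req_auth, [
        int_attr(6, 2), int_attr(7, 1), int_attr(10, 0), int_attr(12, 1500),
        int_attr(13, 0), int_attr(27, 0x48), cisco_avpair(RATE_LIMIT)])
    return {"packet": pkt, "decoded": decode(pkt),
            "authentic": response_authenticator_ok(secret, pkt, req_auth),
            "authentic_with_wrong_secret": response_authenticator_ok(b"other", pkt, req_auth)}


if __name__ == "__main__":
    for a in demo()["decoded"]["attrs"]:
        print(a)
```

The Cisco-AVPair value is just an ASCII string inside the VSA, which is why UTM's attribute editor shows it with type String; the NAS parses it only after the Response Authenticator check has passed, so the shared secret is what protects the rate limit and address-pool assignment from a forged reply.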

UTM5 RADIUS ,
.

NetUP Cisco 3640 Version 12.3(11)T3.


Gentoo Linux. PPTP pptpclient [1].
pptp RADIUS-.
:

!
no ip cef
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
!
interface Virtual-Template1
ip address negotiated
no peer default ip address
ppp authentication ms-chap-v2 chap

!
radius-server host 10.1.2.6 auth-port 1812 acct-port 1813
radius-server key secret
radius-server vsa send accounting
!

PPTP- /etc/ppp/options :

name net11
debug
local
noproxyarp

net11 .

/etc/ppp/chap-secrets:
net11

123

PPTP- . :
pptp 10.1.2.99

10.1.2.99 IP- .


:
show users


,
.
ifconfig.
ppp0:

:
Interface  User   Mode      Idle      Peer Address
Vi408      net11  PPPoVPDN  00:02:03  172.16.111.146

64 /.
:

show interfaces rate-limit

:
Virtual-Access408
Input
matches: all traffic
params: 64000 bps, 8000 limit, 8000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 107912740ms ago, current burst: 0 bytes
last cleared 00:03:13 ago, conformed 0 bps, exceeded 0 bps
Output
matches: all traffic
params: 64000 bps, 8000 limit, 8000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 107912744ms ago, current burst: 0 bytes
last cleared 00:03:13 ago, conformed 0 bps, exceeded 0 bps

,
[2, 3].
,
IDB
[4]. :
show idb

:
Maximum number of Software IDBs 800.

In use 732.


debug radius
.
[1] pptpclient http://pptpclient.sourceforge.net/
[2] iperf http://sourceforge.net/projects/iperf
[3] netperf http://www.freebsd.org/projects/netperf/
[4] IDB http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a0080094322.shtml

3. firewall
3.1
() , , , , ,
, , IP- .

UTM
. ,
. , IP- ,
UTM.

,
(NAT, Network Address Translation). NAT
IP- IP , IP-
. NAT
, IP-,
.

NetUP UTM
. (, ), ( ).
. : .

3.2
iptables Linux

Linux (policy) FORWARD iptables:
iptables -P FORWARD DROP
iptables :
[root@rh73 /]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

3.3 FreeBSD

ipfw FreeBSD .
options IPFIREWALL

/boot/loader.conf
ipfw_load=YES

FreeBSD GENERIC, . FreeBSD, FreeBSD /etc/rc.conf
firewall_enable=YES

/etc/rc.firewall.

, :
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add 100 allow ip from any to me
${fwcmd} add 200 allow ip from me to any

ipfw, , ,
.
.

server# ipfw show
00100 8 736 allow ip from any to me
00200 8 596 allow ip from me to any
65535 0 0 deny ip from any to any
server# _

3.4 Cisco

access-list. . .
configure terminal
.
access-list 105 dynamic test1 permit ip any any
access-list 106 dynamic test2 permit ip any any

access-list, . ,
.
access-list 105 permit ip host 10.0.0.10 any
access-list 106 permit ip any host 10.0.0.10


.
.

. -

! , . .

, .
.
interface Ethernet 1/0
ip access-group 105 in
ip access-group 106 out
rsh,
:
CiscoRouter#conf t
CiscoRouter(config)#username netup privilege 8 password 0 plain_text_password
CiscoRouter(config)#ip rcmd rsh-enable
CiscoRouter(config)#no ip rcmd domain-lookup
CiscoRouter(config)#ip rcmd remote-host netup REMOTE_IP_ADDRESS REMOTE_USER_NAME enable
CiscoRouter(config)#privilege exec level 8 access-template
CiscoRouter(config)#privilege exec level 8 clear access-template

REMOTE_IP_ADDRESS IP- utm5_rfw.

REMOTE_USER_NAME ,
.


write.
:
access-template 105 test1 host UIP any
access-template 106 test2 any host UIP

:
clear access-template 105 test1 host UIP any
clear access-template 106 test2 any host UIP

Cisco
rsh utm5_rfw. rfw5.cfg :
firewall_type=cisco
cisco_ip=IP_ADDRESS
IP_ADDRESS IP- Cisco.

utm5_rfw
/netup/utm5/bin/utm5_rfw

Cisco

tcpdump -nXli eth0 -s 65000 port 514

Cisco Windows

CiscoRouter(config)#no ip rcmd domain-lookup
CiscoRouter(config)#ip rcmd rsh-enable
CiscoRouter(config)#ip rcmd remote-host netup REMOTE_IP_ADDRESS REMOTE_USER_NAME enable
CiscoRouter(config)#ip subnet-zero

3.5 NAT
NAT FreeBSD ipfw
NAT FreeBSD IPDIVERT.
.
options IPDIVERT

FreeBSD
natd, 8668.
NAT /etc/rc.conf .
natd_enable=YES
natd_interface=rl0

natd
/etc/rc.local.
.
/sbin/natd -n rl0

, natd, .
server# ps ax | grep natd
145 ?? Is 0:00.51 /sbin/natd -n rl0

, natd 8668, .

server# sockstat | grep 8668
root natd 145 3 div4 *:8668 *:*


8668 .
, IP-
(NAT), .
ipfw add 50 divert natd ip from any to any via rl0

, , 192.168.0.0/16, .
ipfw add 50 divert natd ip from 192.168.0.0/16 to any via rl0
ipfw add 50 divert natd ip from any to me via rl0

, natd, ipfw.
00050 0 0 divert 8668 ip from any to any via rl0
00200 8 736 allow ip from any to me
00300 8 596 allow ip from me to any
65535 0 0 deny ip from any to any

, natd, , /etc/rc.firewall :
${fwcmd} add 50 divert 8668 ip from any to any via rl0

${fwcmd} add 50 divert natd ip from 192.168.0.0/16 to any via rl0
${fwcmd} add 50 divert natd ip from any to me via rl0

,
:
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add 50 divert 8668 ip from any to any via rl0
${fwcmd} add 100 allow ip from any to me
${fwcmd} add 200 allow ip from me to any

,
IP- IP- rl0.
, IP- NAT.

,
ifconfig.

NAT Linux
iptables nat POSTROUTING. 192.168.0.0/16 IP- eth0
IP- 195.161.112.6,
.
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to-source 195.161.112.6

192.168.0.0/16 ;
eth0 IP- 195.161.112.6, -

NAT.
iptables nat
, .
[root@rh73 /]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.0.0/16 0.0.0.0/0 to:195.161.112.6

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

4. HotSpot

4.1 DHCP

DHCP , IP-. DHCP isc-dhcpd. ftp://ftp.isc.org/isc/dhcp/dhcp-latest.tar.gz. .

./configure
make
make install

isc-dhcp , .

dhcpd.conf.
.

option domain-name yourdomain.com;


option domain-name-servers 10.1.2.1;
option subnet-mask 255.255.255.0;
default-lease-time 36000;
max-lease-time 86400;
authoritative;
ddns-update-style none;
log-facility local7;
subnet 10.1.2.0 netmask 255.255.255.0
{
option routers 10.1.2.1;
pool
{
range 10.1.2.10 10.1.2.200 ;
allow unknown clients;
}
}


, . - 10.1.2.10-10.1.2.200, , . 10.1.2.1.
, DHCP, , , . DHCP , . , fxp0. dhcpd fxp0. .
, , dhcpd fxp0 fxp1 ed0 . .

4.2 firewall

FreeBSD

ipfw . , 80 ( , -) , natd -proxy_rule.

, UTM - . , 10.1.2.1 10.1.2.0/24, IP- 10.10.10.1. natd .
# natd -p 9000 -a 10.1.2.1 -proxy_rule port 80 server 10.1.2.1:80 -reverse

.
.

10000 divert 9000 tcp from 10.1.2.0/24 to not 10.1.2.1 dst-port 80 via fxp0
10100 divert 9000 tcp from 10.1.2.1 80 to 10.1.2.0/24
10200 allow tcp from 10.1.2.0/24 to any dst-port 80 via fxp0
10300 allow tcp from any 80 to 10.1.2.0/24
10400 skipto 20000 ip from any to me
10500 skipto 20000 ip from me to any
15000 deny log ip from any to any
20000 divert 8668 ip from 10.1.2.0/24 to any via fxp1
20100 divert 8668 ip from any to 10.10.10.1 via fxp1
65535 allow ip from any to any

fxp1 ;
8668 , natd
( natd -n fxp1).

fxp0 10.1.2.1;

UTM .

/sbin/ipfw add RULE_ID skipto 20000 ip from UIP to any
/sbin/ipfw add RULE_ID skipto 20000 ip from any to UIP,

/sbin/ipfw delete RULE_ID,

, divert 20000
. , .
Linux

iptables .

iptables REDIRECT,
, .
UTM -
. nat
PREROUTING .

iptables -t nat -A PREROUTING -s 10.1.2.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 80

, UTM
.

/sbin/iptables -t nat -I PREROUTING 1 -s UIP/UBITS -j ACCEPT
/sbin/iptables -A FORWARD -s UIP/UBITS -j ACCEPT
/sbin/iptables -A FORWARD -d UIP/UBITS -j ACCEPT

.
/sbin/iptables -t nat -D PREROUTING -s UIP/UBITS -j ACCEPT
/sbin/iptables -D FORWARD -s UIP/UBITS -j ACCEPT
/sbin/iptables -D FORWARD -d UIP/UBITS -j ACCEPT


FORWARD (iptables -P FORWARD DROP).

4.3 - Apache
404 httpd.conf.

DirectoryIndex /cgi-bin/utm5/aaa5?cmd=card_login index.html


, -
.

ErrorDocument 404 /cgi-bin/utm5/aaa5?cmd=card_login


-.

apachectl restart

,
URL,
aaa5 redirect=yes. - :
ErrorDocument 404 /cgi-bin/utm5/aaa5?cmd=card_login&redirect=yes
DirectoryIndex /cgi-bin/utm5/aaa5?cmd=card_login&redirect=yes index.html

web5.cfg

src_redirect=yes

aaa5
SERVER_HOST , , .
, IP- DHCP - www.netup.ru.
-. www.netup.ru.

5.

5.1 H323 GNUGK

http://www.gnugk.org/h323download.html ( FreeBSD, Linux, Windows, Solaris)
.
.
PWLib,
http://www.openh323.org/bin/pwlib_1.5.2.tar.gz :
tar xvfz pwlib_1_5_2.tgz
cd pwlib
./configure
gmake
gmake install

Openh323 http://www.openh323.org/bin/openh323_1.12.2.tar.gz.
:
tar xvfz openh323_1_12_3.tgz
cd openh323
./configure
gmake
gmake install
openh323gk http://www.gnugk.org/download/gnugk-2.2beta2.tgz.
:
tar xvfz gnugk-2.2beta2.tgz
cd openh323gk
export HAS_ACCT=1
./configure
gmake
gmake install

/etc/opengk.ini http://www.gnugk.org/h323manual.html.
/etc/opengk.ini .
[Gatekeeper::Main]
Fourtytwo=42
TimeToLive=600
Name=localhost
[RoutedMode]
GKRouted=1

[RasSrv::GWPrefixes]
cisco=5,8,9

(E.164), ,
cisco. , 5, 8 9
.
.
[RasSrv::PermanentEndpoints]
212.1.1.1=voip;1,2,3

(E.164), 212.1.1.1. , 1, 2 3
. .
[GkStatus::Auth]
rule=allow
[Gatekeeper::Acct]
RadAcct=required;start,stop
default=allow
[RadAcct]
Servers=127.0.0.1:1813;

IP- , UTM5 RADIUS.
LocalInterface=
RadiusPortRange=10000-11000
DefaultAcctPort=1813
SharedSecret=secret
RequestTimeout=3500
IdCacheTimeout=9000
SocketDeleteTimeout=60000
RequestRetransmissions=4
RoundRobinServers=1
AppendCiscoAttributes=1
IncludeEndpointIP=1
FixedUsername=
[Gatekeeper::Auth]
RadAliasAuth=required;RRQ,ARQ
default=allow
[RadAliasAuth]
Servers=127.0.0.1:1812;

IP- , UTM5 RADIUS.
LocalInterface=
RadiusPortRange=10000-11000
DefaultAuthPort=1812
SharedSecret=secret
RequestTimeout=2000
IdCacheTimeout=9000
SocketDeleteTimeout=60000
RequestRetransmissions=2
RoundRobinServers=1
AppendCiscoAttributes=1
IncludeTerminalAliases=1
IncludeEndpointIP=1
FixedUsername=
FixedPassword=
[CallTable]
DefaultCallDurationLimit=3600
[Proxy]
Enable=1

. ATA-186
. ,
ATA-186 , .
RADIUS ( 1812).
RADIUS
( 1813).


:
/usr/local/bin/gnugk -c /etc/opengk.ini -o /var/log/gnugk.log -ttttt &

/var/log/gnugk.log. , telnet -
telnet 127.0.0.1 7000


5.2 Cisco ATA-186

ATA-186

UID0: 100
.
UID1: 200
.
GkOrProxy: 10.1.2.105
.
LoginID0: test1
, . , .
LoginID1: test2
LBRCodec: 3
2.
RxCodec: 3
TxCodec: 3
ConnectMode: 0x00060403
UseSIP: 0

5.3 VoIP Cisco 26xx, 36xx, 53xx

Cisco 3640 IOS 12.2(11)T8 E1.
aaa accounting connection h323 start-stop group radius
!
controller E1 1/0
pri-group timeslots 1-31
!
!
voice class codec 1
codec preference 1 g729r8
codec preference 2 g711ulaw
codec preference 3 g723r63
!
!
gw-accounting aaa
acct-template callhistory-detail
!
!
interface Ethernet0/1
ip address 21.1.1.1 255.255.255.252
no ip mroute-cache
full-duplex
no cdp enable
h323-gateway voip interface
h323-gateway voip id GK ipaddr 21.1.1.2 1718
h323-gateway voip h323-id cisco
!
!
2.
interface Serial1/0:15

no ip address
no logging event link-status
isdn switch-type primary-net5
isdn protocol-emulate network
isdn incoming-voice voice
isdn map address .* plan isdn type subscriber
isdn calling-number xxxxxx
no isdn outgoing display-ie
no cdp enable
!
!
dial-peer voice 2 pots
destination-pattern T
direct-inward-dial
port 1/0:15
prefix 96
!
gateway
!
dial-peer voice 4 voip
destination-pattern 100
voice-class codec 1
session target ras

2.

Microsoft NetMeeting
:
!
voice service voip
h323
h245 tunnel disable
h245 caps mode restricted
!

NetMeeting
CCITT u-Law, 8,000 KHz; 8Bit;Mono.

5.4 tftp

tftp ftp://ftp.kernel.org/pub/software/network/tftp/tftp-hpa-0.34.tar.bz2.
:
tar xvfj tftp-hpa-0.34.tar.bz2
cd tftp-hpa-0.34
./configure
gmake
gmake install

, , tftp .
mkdir /netup/tftp

tftp
/usr/sbin/in.tftpd -l -s /netup/tftp

tftp /etc/rc.local.

5.5 Cisco IVR

, TCL ( IVR ), - .

!
call application voice debit tftp://10.1.2.2/debitcard.1.1.3.tcl
call application voice debit uid-len 4
call application voice debit pin-len 6
call application voice debit language 1 en
call application voice debit set-location en 0 tftp://10.1.2.2/prompts/en/
!


(uid-len) , , (pin-len) . ,

2.

sh call application voice debit .
dial-peer :
!
dial-peer voice 2 voip
application debit

aaa:
!
aaa authentication login h323 group radius
aaa authorization exec h323 group radius
aaa accounting connection h323 start-stop group radius
!
!
gw-accounting aaa
!
radius-server vsa send accounting
radius-server vsa send authentication
!

VoIP ( -) ,
RADIUS.
RADIUS VSA- (h323-credit-amount/h323-currency) .

RADIUS.
( h323-credit-time), .
, .

RADIUS Accounting STOP .

5.5 Alterteks ProxySoftSwitch UTM

http://www.alterteks.ru:
Alterteks Proxy SoftSwitch (AlterPSS) - ( ), IP- , (). -. , ,

ProxySoftSwitch Windows 2000 Windows Server 2003 ProxySoftSwitch.
1.


monitor.ini PSS

.
, ;.

; ,
;
,
;
AlterPSS

[IVR]

; , ; : no, all .
; PhoneNumber=no
PhoneNumber=000

[MONITOR]
; telnet H323 AlterPss
Port=5099
; AccessIPaddrN ,
;
AccessIPaddr1=127.0.0.1

[WEB]
; WEB-
Port=801
; AccessIPaddrN ,
;
;AccessIPaddr1=127.0.0.1
; WEB- /
Login=user
Password=123
; WEB-, ; WEB- , .
ReloadTime=3000

[RADIUS]
; NAS RADIUS
Server=127.0.0.1
Secret=secret
AuthorizationPort=1812
AuthorizationNasPort=1812
AccountingPort=1813
AccountingNasPort=1813
SessionID=34
Setup=0
Access=0
Connect=1
Stop=1

; RADIUS .
RouteMode=0
GatewayID=Pss
; 1
; STOP , START.
ReAccountingReroute=0

; .
[CONFERENCE]
;Prefix=00
;Amount=2
;MaxChannels=4
;NewMemberWav=gong.wav
;WaitWav=wait.wav

; /
[GATEWAY]
CodecConversion=1
; .
GetCodecFromTable=1

; E.164 IVR.
;InternationalAccessCode=810
;AreaAccessCode=8
;CountryCode=7
;AreaCode=095

[DYNDNS]
; ip- DNS ( ).
PollingTime=1000

[ROUTE]
; , .
CauseStop1=17

[CAUSE]
; .
;3=17

Server IP- , RADIUS utm5_radius. ( authorization ) ( accounting ) . , AuthorizationPort, AccountingPort.
Setup, Access, Connect Stop , RADIUS Accounting . UTM :
Setup=0
Access=0
Connect=1
Stop=1

RouteMode=0 ProxySoftSwitch (. ).
2. PSS ( | | AlterTeks | Proxy Soft Switch | PSS). web- , . , IP- .

3. RADIUS http://netup.ru/dkalinin/pss_utm5_dlls.zip.

PssControl.dll
ivr.dll

PSS (c:\program files\alterteks\ProxySoftSwitch).

4. ProxySoftSwitch. .
5. http://localhost:5080, . ( gateways ). ( table of routing ) default, .

, 7 () monster .

Alterteks ProxySoftSwitch.

UTM

UTM 5 ( ) 5.1.9-004.
1.
radius5.cfg. :
radius_auth_h323_remote_address=enable

radius_auth_null=enable
radius_acct_rewrite_login_originate=enable

radius_auth_null , ( PAP, CHAP, MSCHAP ).

radius_auth_h323_remote_address utm5_radius : PSS auth-ip_address Cisco Vendor-Specific h323_remote_address. IP.

radius_acct_rewrite_login_originate RADIUS h323_remote_address h323_call_origin originate.

2. , IP-.

Cisco ATA-186 web- GkOrProxy IP- PSS. , . .

. , 7 , , 70955409652#.
- RADIUS web- PSS ( eventlog ).