IPFW and dynamic rules

Davide D'Amico davide.damico at gmail.com
Mon 19 May 2008 10:27:43 CEST


Hello,
in a small web cluster I have (on node1) the following ipfw rules:
dave@node1:~> more /etc/rc.firewall.sh
#!/bin/sh

## Variables used ##
out_ports='21,80'
log="192.168.0.5"
me='192.168.0.2'
ipfw=`which ipfw`
ext_if='em0'
net="192.168.0.0/24"
node2="192.168.0.3"
maps0="209.85.128.0/17"
maps1="66.249.64.0/19"
maps2="72.14.192.0/18"
weat0="65.192.0.0/11"
weat1="65.212.118/24"

## Prepare the environment ##
$ipfw -f flush

$ipfw add 10 drop ip from any to any mac-type ipv6
$ipfw add allow all from any to any via lo0

# RFC Compliant rules ##
$ipfw add drop all from 172.16.0.0/12 to any in via $ext_if
$ipfw add allow ip from $net to $net via $ext_if
$ipfw add allow udp from $me to $log syslog via $ext_if
$ipfw add allow tcp from any to $me $out_ports via $ext_if keep-state
#$ipfw add allow udp from $me to any domain via $ext_if
$ipfw add allow tcp from $me to maps.google.com http via $ext_if keep-state
$ipfw add allow tcp from $me to maps.google.it http via $ext_if keep-state
$ipfw add allow udp from $me to ntp1.ien.it ntp via $ext_if keep-state
$ipfw add allow tcp from $me to $weat0 http via $ext_if keep-state
$ipfw add allow tcp from $me to $weat1 http via $ext_if keep-state
$ipfw add allow tcp from $me to any smtp via $ext_if keep-state
dave@node1:~>
The nodes carry average traffic for a Sicilian web portal.
Unfortunately every now and then I have to restart the script (I even put it
in crontab!!!!) because in the logs I see:
May 16 10:18:27 node1 kernel: ipfw: install_state: Too many dynamic rules

Is there something I can add/remove to avoid this
"nasty" inconvenience?

Davide

P.S. maps.google.com, maps.google.it and ntp1.ien.it all resolve to a
single address via an internal fake zone
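As an added example (not part of Davide's post or the cluster's own script): the rule "allow tcp from any to $me $out_ports ... keep-state" installs one dynamic rule for every visitor connection to the web ports, which is what fills the table until install_state fails. The script below shows how to measure table usage from the dyn_count/dyn_max sysctls and how to serve the published ports with a stateless setup/established pair instead, keeping keep-state only for the connections the node opens itself. It assumes FreeBSD ipfw(8) and sysctl(8); the 80% threshold, the dyn_max value and the lifetime are assumptions to tune.

```shell
#!/bin/sh
# Added example, not from the original post: watch the ipfw dynamic-rule table
# and replace the per-visitor keep-state rule for the server ports with a
# stateless setup/established pair. Assumes FreeBSD ipfw(8) and sysctl(8).
me='192.168.0.2'          # address, interface and ports as in the post
ext_if='em0'
out_ports='21,80'

# Percentage of the dynamic table in use, given dyn_count and dyn_max.
dyn_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Report table usage; returns non-zero once usage reaches 80% (threshold is an
# assumption). Counters may be passed in explicitly, otherwise read from sysctl.
dyn_table_status() {
    count=${1:-$(sysctl -n net.inet.ip.fw.dyn_count)}
    max=${2:-$(sysctl -n net.inet.ip.fw.dyn_max)}
    pct=$(dyn_usage_pct "$count" "$max")
    echo "dynamic rules: $count/$max ($pct%)"
    [ "$pct" -lt 80 ]
}

# Inbound service traffic without dynamic state: 'setup' admits only the
# connection request to the published ports, 'established' passes segments of
# connections already under way (any TCP segment with ACK set, which is the
# price of stateless filtering). keep-state stays only on the few connections
# the node opens itself, so the table holds a handful of entries, not one per visitor.
apply_web_rules() {
    ipfw -q add check-state
    ipfw -q add allow tcp from any to any established via "$ext_if"
    ipfw -q add allow tcp from any to "$me" "$out_ports" in via "$ext_if" setup
    ipfw -q add allow tcp from "$me" to any smtp out via "$ext_if" setup keep-state
    # Headroom for the table and a shorter lifetime for half-open connections
    # (values are assumptions to tune against dyn_table_status output).
    sysctl net.inet.ip.fw.dyn_max=16384
    sysctl net.inet.ip.fw.dyn_syn_lifetime=10
}

# Only touch the firewall where ipfw actually exists.
if command -v ipfw >/dev/null 2>&1; then
    apply_web_rules
    dyn_table_status
fi
```

Run dyn_table_status from cron instead of re-running the whole firewall script: flushing the rules empties the table, which is why the crontab workaround appears to help, but it also drops every connection that was in progress.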

