[FUG-BR] ipfw: too many dynamic rules
João Paulo Just
jpjust at justsoft.com.br
Saturday, April 5, 09:29:05 BRT 2008
Hello, list.

I have an IPFW set up here with some dynamic rules. Every now and then,
"too many dynamic rules" shows up on the terminal. Also when I try to
use nmap. You can tell from the message that IPFW is building a lot of
dynamic rules with keep-state. If I raise the maximum number of rules
via sysctl, the message will probably go away, but will performance
stay the same?

Below is my firewall script:
#!/bin/sh
# Variables
cmd="/sbin/ipfw -q"
pif="rl0"          # public (external) interface

# Flush the firewall
$cmd flush
$cmd pipe flush

# Inbound NAT
$cmd add divert natd ip from any to any in via $pif

#######################################
# Firewall
#######################################
# Match packets against the existing dynamic (keep-state) rules first
$cmd add check-state
$cmd add allow all from any to any via lo0

# Discard traffic arriving from private/reserved networks on the public interface
$cmd add deny all from 192.168.0.0/16 to any in via $pif
$cmd add deny all from 172.16.0.0/12 to any in via $pif
$cmd add deny all from 10.0.0.0/8 to any in via $pif
$cmd add deny all from 127.0.0.0/8 to any in via $pif
$cmd add deny all from 0.0.0.0/8 to any in via $pif
$cmd add deny all from 169.254.0.0/16 to any in via $pif
$cmd add deny all from 192.0.2.0/24 to any in via $pif
$cmd add deny all from 204.152.64.0/23 to any in via $pif
$cmd add deny all from 224.0.0.0/3 to any in via $pif
$cmd add deny all from any to any frag in via $pif

# ICMP echo reply, echo request and time exceeded to this host
$cmd add allow ip from any to me icmptypes 0,8,11

# Inbound services: every flow matched by a keep-state rule creates one
# dynamic rule, which counts against net.inet.ip.fw.dyn_max
$cmd add allow tcp from any to me 21,50000-50010 setup keep-state
$cmd add allow tcp from any to me 22 setup keep-state
$cmd add allow tcp from any to me 53 setup keep-state
$cmd add allow tcp from any to me 80 setup keep-state
$cmd add allow tcp from any to me 3306 setup keep-state
$cmd add allow udp from any to me 53 keep-state
$cmd add allow udp from any to me 123 keep-state

# Outbound connections from this host (also stateful)
$cmd add allow tcp from me to any setup keep-state
$cmd add allow udp from me to any keep-state

# Everything else addressed to this host is dropped
$cmd add deny all from any to me

#######################################
# Squid and outbound NAT
#######################################
$cmd add fwd 127.0.0.1,3128 tcp from 172.16.0.0/16 to any 80
$cmd add divert natd ip from any to any out via $pif
--
João Paulo Just
Executive Director - Justsoft Informática Ltda.
http://www.justsoft.com.br/
--
Feira de Santana, BA, Brasil.
+55 75 8104 8473
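The following is an added example, not part of the original post or of the FUG-BR thread. It shows how to find out how close the dynamic-rule table is to its ceiling (net.inet.ip.fw.dyn_count against net.inet.ip.fw.dyn_max) and which peers are holding the most keep-state entries, which is the first thing to check before simply raising the limit. The two SAMPLE_* strings are constructed stand-ins for the real output of `sysctl net.inet.ip.fw` and `ipfw -d show`, so the script runs offline; the addresses in them (192.0.2.1 as the firewall, 198.51.100.x and 203.0.113.x as peers) are assumed documentation addresses, not hosts from the post. The sysctl names and the `limit src-addr` rule option are FreeBSD ipfw's own.

```shell
#!/bin/sh
# Added example, not from the original post: report ipfw dynamic-rule
# usage and the peers that own the most state. SAMPLE_* below are
# constructed; on a real host feed it `sysctl net.inet.ip.fw` and
# `ipfw -d show` instead.

# Constructed sample of `sysctl net.inet.ip.fw` (relevant keys only)
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_count: 4090
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_ack_lifetime: 300'

# Constructed sample of the dynamic-rule section of `ipfw -d show`.
# Columns: rule pkts bytes (expire) STATE proto src sport <-> dst dport
SAMPLE_DYN='## Dynamic rules (8):
00700 12 3456 (290s) STATE tcp 198.51.100.7 41001 <-> 192.0.2.1 22
00700 3 180 (285s) STATE tcp 198.51.100.7 41002 <-> 192.0.2.1 22
00700 3 180 (280s) STATE tcp 198.51.100.7 41003 <-> 192.0.2.1 22
00900 1 60 (270s) STATE tcp 198.51.100.7 41004 <-> 192.0.2.1 80
00600 2 120 (260s) STATE tcp 198.51.100.40 3310 <-> 192.0.2.1 21
01100 5 2000 (299s) STATE tcp 192.0.2.1 50123 <-> 203.0.113.9 80
01100 5 2000 (297s) STATE tcp 192.0.2.1 50124 <-> 203.0.113.10 80
01200 1 80 (8s) STATE udp 192.0.2.1 50200 <-> 203.0.113.53 53'

# dyn_usage "<sysctl output>" -> "count max percent"
dyn_usage() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "net.inet.ip.fw.dyn_count" { c = $2 }
        $1 == "net.inet.ip.fw.dyn_max"   { m = $2 }
        END { if (m > 0) printf "%d %d %d\n", c, m, (100 * c) / m }'
}

# dyn_check "<sysctl output>" <percent> -> exit 0 while usage is below <percent>
dyn_check() {
    pct=$(dyn_usage "$1")
    pct=${pct##* }
    [ "${pct:-100}" -lt "$2" ]
}

# top_state_holders "<ipfw -d show output>" <n> -> "<count> <address>" lines,
# counting the initiating (left-hand) address of every STATE/LIMIT entry
top_state_holders() {
    printf '%s\n' "$1" | awk '
        ($5 == "STATE" || $5 == "LIMIT") && $9 == "<->" { n[$7]++ }
        END { for (a in n) print n[a], a }' | sort -rn | head -n "${2:-5}"
}

# Report on the constructed samples
set -- $(dyn_usage "$SAMPLE_SYSCTL")
echo "dynamic rules in use: $1 of $2 ($3%)"
if ! dyn_check "$SAMPLE_SYSCTL" 90; then
    echo "WARNING: table above 90%; new keep-state flows will fail with 'too many dynamic rules'"
fi
echo "peers holding the most dynamic state:"
top_state_holders "$SAMPLE_DYN" 3

# Knobs to act on the result (for the real host; left commented here):
#   sysctl net.inet.ip.fw.dyn_max=16384     # raise the ceiling
#   sysctl net.inet.ip.fw.dyn_buckets=2048  # power of two; takes effect once
#                                           # all dynamic rules have expired
#   sysctl net.inet.ip.fw.dyn_udp_lifetime=5
#   ipfw add allow tcp from any to me 22 setup limit src-addr 10  # per-source cap
```

Two things worth knowing when reading the report. Dynamic rules live in a hash table of dyn_buckets chains, so raising dyn_max without raising dyn_buckets lengthens the average chain that every check-state lookup walks; raise both. A `limit src-addr N` rule in place of `keep-state` on the inbound service rules caps the state one source can hold, so a single scanning host fills at most N entries instead of the whole table.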