Hello, list.

I have an IPFW configured here with some dynamic rules. Every now and then, "too many dynamic rules" shows up on the terminal. It also happens when I try to use nmap. You can tell from the message that IPFW is building a lot of dynamic rules with keep-state. If I raise the rule maximum via sysctl, the message will probably go away, but will performance stay the same? My firewall script follows:

#!/bin/sh

# Variables
cmd="/sbin/ipfw -q"
pif="rl0"

# Flush the firewall
$cmd flush
$cmd pipe flush

# Inbound NAT
$cmd add divert natd ip from any to any in via $pif

#######################################
# Firewall
#######################################
$cmd add check-state
$cmd add allow all from any to any via lo0

# Drop traffic arriving from private networks on the public interface
$cmd add deny all from 192.168.0.0/16 to any in via $pif
$cmd add deny all from 172.16.0.0/12 to any in via $pif
$cmd add deny all from 10.0.0.0/8 to any in via $pif
$cmd add deny all from 127.0.0.0/8 to any in via $pif
$cmd add deny all from 0.0.0.0/8 to any in via $pif
$cmd add deny all from 169.254.0.0/16 to any in via $pif
$cmd add deny all from 192.0.2.0/24 to any in via $pif
$cmd add deny all from 204.152.64.0/23 to any in via $pif
$cmd add deny all from 224.0.0.0/3 to any in via $pif
$cmd add deny all from any to any frag in via $pif

$cmd add allow ip from any to me icmptypes 0,8,11
$cmd add allow tcp from any to me 21,50000-50010 setup keep-state
$cmd add allow tcp from any to me 22 setup keep-state
$cmd add allow tcp from any to me 53 setup keep-state
$cmd add allow tcp from any to me 80 setup keep-state
$cmd add allow tcp from any to me 3306 setup keep-state
$cmd add allow udp from any to me 53 keep-state
$cmd add allow udp from any to me 123 keep-state
$cmd add allow tcp from me to any setup keep-state
$cmd add allow udp from me to any keep-state
$cmd add deny all from any to me

#######################################
# Squid and outbound NAT
#######################################
$cmd add fwd 127.0.0.1,3128 tcp from 172.16.0.0/16 to any 80
$cmd add divert natd ip from any to any out via $pif

-- 
João Paulo Just
Executive Director - Justsoft Informática Ltda. http://www.justsoft.com.br/
Feira de Santana, BA, Brazil. +55 75 8104 8473
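As an added example (not part of the original message), the inbound service rules above rewritten so that a single source address can only hold a bounded number of dynamic states. It assumes ipfw's `limit src-addr N` option and a cap of 10 states per host; DRY_RUN=1 (the default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions: ipfw's
# "limit src-addr N" option is available, and 10 states per source host is
# an acceptable cap for these services (tune it to the real client population).
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ipfw commands, 0 = apply them
pif="rl0"                 # public interface, as in the original script
per_host_states=10        # assumed cap on concurrent states per source address

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw -q $*"
    else
        /sbin/ipfw -q "$@"
    fi
}

# Weak form (original): "allow tcp from any to me 22 setup keep-state".
# Every SYN from any remote host creates a dynamic entry, so a port scan can
# push net.inet.ip.fw.dyn_count up to net.inet.ip.fw.dyn_max and trigger
# "too many dynamic rules". Hardened form: "limit src-addr N" still creates
# state, but refuses new entries once a source already holds N of them.
inbound_rules() {
    for spec in "tcp 21,50000-50010" "tcp 22" "tcp 53" "tcp 80" "tcp 3306" \
                "udp 53" "udp 123"; do
        proto=${spec% *}   # word before the space
        ports=${spec#* }   # word after the space
        case $proto in
            tcp) run add allow tcp from any to me "$ports" setup \
                     limit src-addr "$per_host_states" ;;
            *)   run add allow "$proto" from any to me "$ports" \
                     limit src-addr "$per_host_states" ;;
        esac
    done
}

# Connections started by the host itself keep plain keep-state: only local
# processes can create those entries, so a remote scanner cannot inflate them.
outbound_rules() {
    run add allow tcp from me to any setup keep-state
    run add allow udp from me to any keep-state
}

# Number of inbound rules that carry a per-source cap (used by the check below).
count_limited() { inbound_rules | grep -c 'limit src-addr'; }

inbound_rules
outbound_rules
```

On the firewall itself, `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` shows how close the state table is to the limit before and after the change.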

