[FUGSPBR] wins --outro dilema

[Kassiano]

Oi galera
Fiz um servidor para servir como gateway da rede aqui da Universidade, com
proxy squid e NAT
Bom tudo funciona blz, mas tenho duas dúvidas: como aparece no script
abaixo, estou usando algumas regras statefull no firewall, mas quando só
dois clientes começam a navegar, por exemplo, já são criadas 500 regras
dinâmicas, aí aparece a mensagem "Too many dynamic rules, sorry", e para de
criá-las. Até aí tudo bem, criei um script que faz

sysctl -w net.inet.ip.fw.dyn_buckets=512
*sysctl -w net.inet.ip.fw.dyn_max=10000*
sysctl -w net.inet.ip.fw.dyn_ack_lifetime=150
sysctl -w net.inet.ip.fw.dyn_syn_lifetime=10
sysctl -w net.inet.ip.fw.dyn_fin_lifetime=10
sysctl -w net.inet.ip.fw.dyn_rst_lifetime=2
sysctl -w net.inet.ip.fw.dyn_short_lifetime=15

Melhorou, mas fica a dúvida:  as regras statefull são as melhores neste
caso? Será que devo mudar para regras estáticas?
Dúvida dois: o ftp dos clientes internos não funciona...

[]s pra todo mundo

Kassiano


#########  rc.firewall.current #################

fwcmd="/sbin/ipfw"
oif="rl0"
onwr="200.19.X.1/24"
oip="200.19.X.5"
iif="rl1"
inwr="192.168.1.1/24"
iip="192.168.1.1"
ns1="200.19.X.1"

        $fwcmd -f flush
        $fwcmd add allow all from any to any via lo0
        $fwcmd add deny log all from any to 127.0.0.0/8
        $fwcmd add deny all from $inwr to $onwr via rl0 in
        $fwcmd add deny all from $onwr to $inwr via rl1 in
        $fwcmd add fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80
        $fwcmd add divert natd all from 192.168.1.0/24 to any via $oif
        $fwcmd add divert natd all from any to 192.168.1.0/24 via $oif
        $fwcmd add allow tcp from any to any established
        $fwcmd add allow tcp from any to $oip 22 setup
        $fwcmd add allow tcp from any to $oip 20,21 keep-state
        $fwcmd add allow tcp from $oip 20 to any keep-state
        $fwcmd add allow tcp from $oip to any 20,21 keep-state
        $fwcmd add allow tcp from any 20,21 to $oip keep-state
        $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
        $fwcmd add allow udp from any 53 to $ns1 53
        $fwcmd add check-state
        $fwcmd add allow ip from $oip to any keep-state out via $oif
        $fwcmd add allow ip from $inwr to any keep-state via $iif
        $fwcmd add 65435 deny ip from any to any



______________________________________________
http://www2.fugspbr.org/mailman/listinfo/fugspbr