[FUGSPBR] two links....

Marcelo Aldi Vera Olate mavo at tuxnuts.com.br
Thu Feb 26 18:43:40 BRT 2004


Hi Luiz,

    Thanks for the help, I'm following the steps on your site... it looks
like a much cleaner solution than mine.... if anything comes up I'll come
back and also see how the one here, "the current script", behaves... thanks

[]'s


----- Original Message -----
From: "Luiz Otavio Souza" <luiz at microeletronica.com.br>
To: <fugspbr at fugspbr.org>
Sent: Thursday, February 26, 2004 1:49 PM
Subject: Re: [FUGSPBR] two links....


> Hi Marcelo,
>
>     Apparently the error is here:
>
> > #nat everything that get's here, should be ok as local allowed in first
> > lines to go direct
> > ${fwcmd} add 00700 divert 8868 ip from $lan_ip to any in
> > ${fwcmd} add 00750 divert 8868 ip from $lan_ip to any out
> > ${fwcmd} add 00900 divert 8869 ip from $lan_ip to any out
> > ${fwcmd} add 00950 divert 8869 ip from $lan_ip to any in
>
>     When the packet goes through line 700 and also goes through line 900
> it can be translated twice, and it always ends up leaving through the natd
> on port 8869.
>
>     Another thing: you can capture the packets with just one line (you
> already captured the return traffic in lines 400 and 450 of your script).
> The packets are translated to the interface's IP (alias address) on the way
> out of the interface (out via if).
>
>     Normally the default route sends all packets to the interface where
> the gateway is.
>
>     You would need two lines, roughly like this:
>
> ${fwcmd} add 00700 divert 8868 ip from $lan_ip to any out via ${gateway_if}
> ${fwcmd} add 00800 skipto 2000 ip from any to any
> ${fwcmd} add 00900 divert 8869 ip from $lan_ip to any out via ${gateway_if}
>
>
>     Any questions, get in touch.
>
> []'s
> ___________________________________
> Luiz Otávio Souza
> Microeletrônica - OpenSource Development
> luiz at microeletronica.com.br
> 14.9111.1255
>
> ----- Original Message -----
> From: "Marcelo Aldi Vera Olate" <mavo at tuxnuts.com.br>
> To: <fugspbr at fugspbr.org>
> Sent: Thursday, February 26, 2004 9:07 AM
> Subject: Re: [FUGSPBR] two links....
>
>
> > Hi Aprigio,
> >
> >     In principle the idea is to do link redundancy; the second option
> > is interesting too... I actually did something using natd and ipfw, but
> > it didn't work... where can I find documentation, or even better, does
> > anyone on the list already have this in practice and could give me a
> > hand.... the ipfw script follows below....
> >
> > ----------####-----------
> > #!/bin/sh
> > #
> > # Setup system for firewall service.
> > #
> > # Suck in the configuration variables.
> >
> > if [ -r /etc/defaults/rc.conf ]; then
> >         . /etc/defaults/rc.conf
> >         source_rc_confs
> > elif [ -r /etc/rc.conf ]; then
> >         . /etc/rc.conf
> > fi
> >
> > ############
> > # Set quiet mode if requested
> > #
> > case ${firewall_quiet} in
> > [Yy][Ee][Ss])
> >                 fwcmd="/sbin/ipfw -q"
> >                 ;;
> >         *)
> >                 fwcmd="/sbin/ipfw"
> >                 ;;
> > esac
> >
> > natcmd="/sbin/natd"
> >
> > ############
> > #
> > # Local Variables
> >
> > net_iface="ed0"
> > lan_iface="rl0"
> > tun_iface=`ifconfig | grep tun | cut -d: -f1`
> > loc_iface="lo0"
> >
> > lan_ip="172.18.1.0/24"
> > net_ip="200.164.x.x/24"
> > tun_ip=""
> > loc_ip="127.0.0.0/8"
> >
> > lan_ip_local="172.18.1.254"
> > net_ip_local="200.164.x.x"
> > tun_ip_local=`ifconfig $tun_iface | grep inet | awk '{print $2}'`
> > loc_ip_local="127.0.0.1"
> >
> > route_net_ip="200.164.x.x"
> > route_tun_ip=`ifconfig $tun_iface | grep inet | awk '{print $4}'`
> >
> >
> > ############
> > # Flush out the list before we begin.
> > #
> > ${fwcmd} -f flush
> >
> > ############
> > #
> > #
> >
> > ############
> > # start natd
> > #
> > ${natcmd} -p 8868 -dynamic -interface $net_iface
> > ${natcmd} -p 8869 -dynamic -interface $tun_iface
> >
> > ############
> > # Only in rare cases do you want to change these rules
> > #
> >
> > # allow local traffic
> > ${fwcmd} add 00100 allow ip from $lan_ip to $lan_ip
> > ${fwcmd} add 00125 allow ip from 127.0.0.0/24 to $lan_ip
> > ${fwcmd} add 00130 allow ip from $lan_ip to 127.0.0.0/24
> >
> > ${fwcmd} add 00140 allow all from $lan_ip to $net_ip
> > ${fwcmd} add 00145 allow all from $net_ip to $lan_ip
> >
> > ${fwcmd} add 00150 pass all from any to any via lo0
> > ${fwcmd} add 00160 deny all from any to 127.0.0.0/8
> > ${fwcmd} add 00170 deny ip from 127.0.0.0/8 to any
> >
> > # stop simple incoming attempts from internet
> > ${fwcmd} add 00200 deny tcp from any to any setup in via $tun_iface
> > ${fwcmd} add 00250 deny tcp from any to any setup in via $net_iface
> >
> > #send incoming traffic to natd
> > ${fwcmd} add 00450 divert 8868 ip from any to any in via $net_iface
> > ${fwcmd} add 00400 divert 8869 ip from any to any in via $tun_iface
> >
> > #if flow is already going via NATD, send it back to same NATD
> > ${fwcmd} add 00500 check-state
> >
> > # send 38% of traffic to isp 1 as 600k = 38% of 1mb + 600k
> > ${fwcmd} add 00600 prob 0.380000 skipto 700 ip from $lan_ip to any out
> > keep-state
> >
> > # remaining 62% of traffic send to isp2
> > ${fwcmd} add 00650 skipto 900 ip from $lan_ip to any out keep-state
> >
> > #nat everything that get's here, should be ok as local allowed in first
> > lines to go direct
> > ${fwcmd} add 00700 divert 8868 ip from $lan_ip to any in
> > ${fwcmd} add 00750 divert 8868 ip from $lan_ip to any out
> > ${fwcmd} add 00900 divert 8869 ip from $lan_ip to any out
> > ${fwcmd} add 00950 divert 8869 ip from $lan_ip to any in
> >
> > #policy route to send traffic to correct isp
> > ${fwcmd} add 02000 fwd $route_net_ip ip from $net_ip_local to any
> > ${fwcmd} add 02500 fwd $route_tun_ip ip from $tun_ip_local to any
> >
> > #break out traffic to allow accounting to show me what's going where
> > ${fwcmd} add 30000 allow ip from any to $lan_ip
> > ${fwcmd} add 30100 allow ip from any to any in via $tun_iface
> > ${fwcmd} add 30200 allow ip from any to any in via $net_iface
> > ${fwcmd} add 30300 allow ip from any to any out via $tun_iface
> > ${fwcmd} add 30400 allow ip from any to any out via $net_iface
> >
> > ${fwcmd} add 65000 allow ip from any to any
> > #${fwcmd} add 65535 deny ip from any to any
> >
> > ----------####-----------
> >
> >
> > where is the error here... since part of this script I got from some
> > colleagues on the list, and the other part I did myself.....
> >
> >
> > thanks......
> >
> > []'s
> >
> >
> > Marcelo Olate
> >
>
>
> _______________________________________________________________
> Leave the list: http://lists.fugspbr.org/listinfo.cgi
> Archive: http://www4.fugspbr.org/lista/html/FUG-BR/

_______________________________________________________________
Leave the list: http://lists.fugspbr.org/listinfo.cgi
Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
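To see the double handling Luiz describes, here is a small model of ipfw's first-match rule walk. It is an added example, not code from either message or from FreeBSD: it understands only the keywords the posted script uses, substitutes the shell variables with constructed values (the LAN prefix from the script; ISP addresses, gateways and natd alias addresses taken from the RFC 5737 test ranges; ed0 assumed to be the gateway interface), ignores dynamic state, and replaces the random draw of a `prob` rule with a fixed `coin` argument. Tracing one LAN packet shows it being diverted to both natd ports on its inbound pass under the original rules, and to exactly one natd port, on the outbound pass only, under the corrected rules.

```python
"""Simplified model of ipfw(8) first-match rule traversal (added example, not ipfw).
Understands only what the posted script uses: allow/pass/deny, divert, skipto, prob,
fwd, check-state and from/to/in/out/via; protocol, keep-state and setup are skipped."""
import ipaddress

LAN = "172.18.1.0/24"
# natd alias addresses, constructed (RFC 5737): port 8868 sits on ed0, 8869 on tun0
ALIAS_OF = {"8868": "203.0.113.10", "8869": "198.51.100.10"}


def parse_rule(line):
    """'add 00700 divert 8868 ip from 172.18.1.0/24 to any in' -> rule dict."""
    tok = line.split()
    rule = {"num": int(tok[1]), "prob": None, "arg": None,
            "src": "any", "dst": "any", "dir": None, "via": None}
    tok = tok[2:]
    if tok[0] == "prob":
        rule["prob"], tok = float(tok[1]), tok[2:]
    rule["action"], tok = ("allow" if tok[0] == "pass" else tok[0]), tok[1:]
    if rule["action"] in ("divert", "skipto", "fwd"):
        rule["arg"], tok = tok[0], tok[1:]
    field = {"from": "src", "to": "dst", "via": "via"}
    while tok:
        if tok[0] in field:
            rule[field[tok[0]]], tok = tok[1], tok[2:]
        elif tok[0] in ("in", "out"):
            rule["dir"], tok = tok[0], tok[1:]
        else:                                   # ip/all/tcp, keep-state, setup
            tok = tok[1:]
    return rule


def _in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    if rule["action"] == "check-state":         # no dynamic rules in this model
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    return _in_net(rule["src"], pkt["src"]) and _in_net(rule["dst"], pkt["dst"])


def evaluate(ruleset, pkt, coin=0.5):
    """Walk the ruleset for one packet; return (verdict, trace), trace listing every
    matching rule as (number, action).  `coin` replaces the random draw of a 'prob'
    rule, which fires when coin < p."""
    rules = sorted((parse_rule(line) for line in ruleset), key=lambda r: r["num"])
    pkt, trace, i = dict(pkt), [], 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt) or (r["prob"] is not None and coin >= r["prob"]):
            i += 1
            continue
        trace.append((r["num"], r["action"]))
        if r["action"] in ("allow", "deny", "fwd"):
            return r["action"], trace           # the search terminates here
        if r["action"] == "skipto":
            i = next((j for j, x in enumerate(rules) if x["num"] >= int(r["arg"])), len(rules))
            continue
        if r["action"] == "divert" and pkt["dir"] == "out":
            pkt["src"] = ALIAS_OF[r["arg"]]     # natd aliases the outbound source
        i += 1                                  # natd reinjects at the next rule
    return "deny", trace                        # implicit default rule


def divert_count(trace):
    return sum(1 for _, action in trace if action == "divert")


# Load-balancing core of the posted script, shell variables substituted (ISP side constructed)
ORIGINAL = [
    f"add 00600 prob 0.380000 skipto 700 ip from {LAN} to any out keep-state",
    f"add 00650 skipto 900 ip from {LAN} to any out keep-state",
    f"add 00700 divert 8868 ip from {LAN} to any in",
    f"add 00750 divert 8868 ip from {LAN} to any out",
    f"add 00900 divert 8869 ip from {LAN} to any out",
    f"add 00950 divert 8869 ip from {LAN} to any in",
    "add 02000 fwd 203.0.113.1 ip from 203.0.113.10 to any",
    "add 02500 fwd 198.51.100.1 ip from 198.51.100.10 to any",
    "add 65000 allow ip from any to any",
]
# Same core after Luiz's suggestion: divert only out via the gateway interface (assumed ed0)
CORRECTED = ORIGINAL[:2] + [
    f"add 00700 divert 8868 ip from {LAN} to any out via ed0",
    "add 00800 skipto 2000 ip from any to any",
    f"add 00900 divert 8869 ip from {LAN} to any out via ed0",
] + ORIGINAL[6:]

# One LAN packet on its two passes through ipfw: in on rl0, then out via the default route
LAN_IN = {"src": "172.18.1.10", "dst": "192.0.2.50", "dir": "in", "iface": "rl0"}
LAN_OUT = dict(LAN_IN, dir="out", iface="ed0")

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for pkt in (LAN_IN, LAN_OUT):
            verdict, trace = evaluate(rs, pkt, coin=0.1)
            print(f"{name:9} {pkt['dir']:3} diverts={divert_count(trace)} {verdict:5} {trace}")
```

The model follows ipfw's documented flow for the actions it covers (divert hands the packet to natd, which reinjects it at the rule after the divert rule; allow, deny and fwd end the search), but it does not track keep-state/check-state entries, so it says nothing about whether return traffic stays pinned to the natd that translated the flow; in the real script that is the job of rules 400, 450 and 500.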