Привет,
Есть 2 сателлита.
На первом
GW1# ipfw show
00050 112274 8648341 allow tcp from any to me dst-port 22
00051 134100 28110039 allow tcp from me 22 to any
00080 5319676731 2771778816753 count ip from any to any out via em0
00085 6583163333 6600828520230 count ip from any to any in via em0
00090 5505513237 3863257150461 count ip from any to table(126) via em0
00095 5887441948 5504051070342 count ip from table(126) to any via em0
00100 3254 165948 deny tcp from any to any dst-port 445
00110 102386 9320218 allow ip from any to any via lo0
00120 7432924 1420498723 skipto 1000 ip from me to any
00130 54536 3060954 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00140 13519944 1610075917 deny ip from any to table(120)
00150 715359 69513805 deny ip from table(120) to any
00157 22148 2770054 allow tcp from table(2) to хх.хх.хх.хх dst-port 80
00157 81916 67786980 allow tcp from хх.хх.хх.хх to table(2)
00160 186571222 22880568001 skipto 2000 ip from any to me
00200 11710868601 9348594109506 skipto 500 ip from any to any via em0
00300 5336060761 2780779471734 skipto 4500 ip from any to any in
00400 6357010211 6524071487213 skipto 450 ip from any to any recv em0
00420 7212346 1126675499 tee 1 ip from any to any
00450 6364435683 6525362314197 tee 2 ip from any to any
00490 6364134762 6525099169556 allow ip from any to any
00500 6400074158 6579224598436 skipto 32500 ip from any to any in
00510 5312338597 2770433486387 tee 1 ip from any to any
00540 5312283879 2770404148639 allow ip from any to any
01000 0 0 allow udp from any 53,7723 to any
01010 11095187 9264785814 allow tcp from any to any setup keep-state
01020 5333772 1043120112 allow udp from any to any keep-state
01100 295957 238712163 allow ip from any to any
02000 0 0 check-state
02010 1129016 1282769920 allow icmp from any to any
02020 75670 5511838 allow tcp from any to any dst-port 80,443
02050 173317295 12283201561 deny ip from any to any via em0
02060 0 0 allow udp from any to any dst-port 53,7723
02100 2757169 183356432 deny ip from any to any
05000 1305805 139557541 deny ip from not table(0) to any
05001 2534224778 1112565620778 skipto 5010 ip from table(127) to table(126)
05002 2800021520 1667985748799 skipto 5030 ip from any to not table(2)
05003 7565 874352 deny ip from any to not table(1)
05004 407796 73091475 pipe tablearg ip from table(21) to any
05005 0 0 deny ip from any to any
05010 2534249401 1112569842255 pipe tablearg ip from table(127) to any
05030 410760 20738124 deny tcp from table(15) to any dst-port 25
05226 0 0 allow ip from table(127) to table(126)
05400 2799594775 1667957354036 pipe tablearg ip from table(11) to any
32000 5 275 deny ip from any to any
32490 61469 6088625 deny ip from any to any
33000 3402910906 4016189335835 pipe tablearg ip from table(126) to table(127)
33001 2996996569 2562956770068 skipto 33010 ip from not table(2) to any
33002 1524 107200 pipe tablearg ip from any to table(20)
33003 173 11072 deny ip from any to any
33226 0 0 allow ip from table(126) to table(127)
33400 2996695774 2562913007534 pipe tablearg ip from any to table(10)
65535 286471 31110754 deny ip from any to any
GW1#
На втором
root@gw2:/etc # ipfw show
00050 1057 52404 allow tcp from any to me dst-port 22
00051 1249 799696 allow tcp from me 22 to any
00080 26372658 15045539463 count ip from any to any out via em0
00085 36093268 38497715439 count ip from any to any in via em0
00090 48376634 46416427387 count ip from any to table(126) via em0
00095 43199394 33576397914 count ip from table(126) to any via em0
00100 288 14068 deny tcp from any to any dst-port 445
00110 96 8784 allow ip from any to any via lo0
00120 25876279 15017339448 skipto 1000 ip from me to any
00130 226 12656 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00140 33154 3815055 deny ip from any to table(120)
00150 1740 95547 deny ip from table(120) to any
00157 0 0 allow tcp from table(2) to хх.хх.хх.хх dst-port 80
00157 0 0 allow tcp from хх.хх.хх.хх 80 to table(2)
00160 35044317 36969252911 skipto 2000 ip from any to me
00200 1566390 1557772159 skipto 500 ip from any to any via em0
00300 26438533 15055001801 skipto 4500 ip from any to any in
00400 35204788 38410435874 skipto 450 ip from any to any recv em0
00490 35206270 38410598413 allow ip from any to any
00500 1065385 1529551353 skipto 32500 ip from any to any in
00540 501024 28230241 allow ip from any to any
01000 0 0 allow udp from any 53,7723 to any
01010 43995656 40896217400 allow tcp from any to any setup keep-state
01020 15915735 11017499823 allow udp from any to any keep-state
01100 67197 4876673 allow ip from any to any
02000 0 0 check-state
02010 80133 7262912 allow icmp from any to any
02020 908 68301 allow tcp from any to any dst-port 80,443
02050 846113 59923766 deny ip from any to any via em0
02060 0 0 allow udp from any to any dst-port 53,7723
02100 15260 1027237 deny ip from any to any
05000 79847 10967488 deny ip from not table(0) to any
05001 12095808 7911387072 skipto 5010 ip from table(127) to table(126)
05002 14262406 7132608209 skipto 5030 ip from any to not table(2)
05003 147 17843 deny ip from any to not table(1)
05004 325 21189 pipe tablearg ip from table(21) to any
05005 0 0 deny ip from any to any
05010 12095808 7911387072 pipe tablearg ip from table(127) to any
05030 782 39620 deny tcp from table(15) to any dst-port 25
05226 0 0 allow ip from table(127) to table(126)
05400 14261624 7132568589 pipe tablearg ip from table(11) to any
32000 0 0 deny ip from any to any
32490 0 0 deny ip from any to any
33000 297331 430327705 pipe tablearg ip from table(126) to table(127)
33001 768054 1099223648 skipto 33010 ip from not table(2) to any
33002 0 0 pipe tablearg ip from any to table(20)
33003 0 0 deny ip from any to any
33226 0 0 allow ip from table(126) to table(127)
33400 765184 1098926390 pipe tablearg ip from any to table(10)
65535 2870 297258 deny ip from any to any
root@gw:/etc #
На обоих серверах:
# sysctl -a | grep one_pass
net.inet.ip.fw.one_pass: 1
Теперь проблема
На первом сателлите:
GW1# ipfw -d list | wc -l
76
GW1#
и в динамических правилах висят только соединения на порты 1813 и 3306, то есть RADIUS и MySQL,
а на втором
root@gw1:/etc # ipfw -d list | wc -l
8279
root@gw1:/etc #
а в пике там около 35 000 динамических правил.
Создаются динамические правила для пользовательских соединений.
пример со второго сервера
## Dynamic rules (8483):
01020 398240 255186367 (10s) STATE udp xx.xx.xx.xx 64858 <-> 5.164.190.178 38634
01010 2 100 (20s) STATE tcp xx.xx.xx.xx 63328 <-> 125.107.200.22 44404
01020 1 416 (10s) STATE udp xx.xx.xx.xx 59539 <-> 217.121.245.120 29673
01010 20413 6575599 (300s) STATE tcp xx.xx.xx.xx 61537 <-> 195.211.222.2 7777
01020 4 336 (10s) STATE udp xx.xx.xx.xx 57544 <-> 37.215.27.249 58931
01010 2 100 (20s) STATE tcp xx.xx.xx.xx 64270 <-> 81.162.45.25 63253
01010 25291 3849096 (299s) STATE tcp xx.xx.xx.xx 59311 <-> 192.162.100.204 7777
01020 0 0 (9s) STATE udp xx.xx.xx.xx 50873 <-> 46.250.1.90 10721
01010 1 60 (19s) STATE tcp xx.xx.xx.xx 58153 <-> 194.44.160.34 62729
01010 0 0 (19s) STATE tcp xx.xx.xx.xx 53292 <-> 217.66.152.240 19422
01020 1 94 (7s) STATE udp xx.xx.xx.xx 60847 <-> 177.32.66.140 34081
01010 183 74734 (297s) STATE tcp xx.xx.xx.xx 54490 <-> 87.240.131.99 443
01010 0 0 (17s) STATE tcp xx.xx.xx.xx 61288 <-> 178.74.213.139 6881
01020 1 137 (7s) STATE udp xx.xx.xx.xx 51236 <-> 94.245.121.254 3544
01010 572 26860 (296s) STATE tcp xx.xx.xx.xx 65026 <-> 46.118.98.10 26634
01020 14 1743 (6s) STATE udp xx.xx.xx.xx 58032 <-> 178.126.55.182 45572
01010 1 52 (16s) STATE tcp xx.xx.xx.xx 57563 <-> 80.87.145.11 43730
Система:
на первом
GW1# uname -a
FreeBSD GW1 8.3-RELEASE-p6 FreeBSD 8.3-RELEASE-p6
на втором
root@gw2:/etc # uname -a
FreeBSD gw2 9.1-RELEASE FreeBSD 9.1-RELEASE
Главная проблема — шейпер работает только на аплоад (исходящий трафик пользователей). Почему? Где ошибка?