Суть проблемы такая:
"Настроен" фаервол с защитой от флуда и в принципе работает, но есть проблема
Банит пользователей на некоторых хостах и в таблицу бана не заносит данные
Ощущение, что идёт переполнение таблицы динамических правил или что-то подобное
Перезапускаю фаервол командой /etc/rc.fw — начинает пускать, и так до определённого времени
Перезапускать фаервол по крону нереально, тогда нельзя нормально использовать ssh или ftp
Помогите найти проблему
/var/log/ipfw.yesterday
00300 0 0 deny ip from any to any frag in via fxp0
00400 0 0 deny icmp from any to any frag in via fxp0
00550 31140 1743840 deny icmp from any to any in icmptypes 5,9,13,14,1$
00560 0 0 deny icmp from any to 255.255.255.255 in via fxp0
00570 0 0 deny icmp from 255.255.255.255 to any out via fxp0
00610 0 0 deny ip from table(1) to me
00620 0 0 deny ip from table(1) to any established
00630 0 0 deny icmp from table(2) to me
00640 0 0 deny icmp from table(2) to any established
01200 0 0 deny ip from 127.0.0.0/8 to any in via fxp0
01300 0 0 deny ip from 0.0.0.0/8 to any in via fxp0
01600 163 6520 deny ip from 172.16.0.0/16 to any in via fxp0
02000 0 0 deny tcp from any to any dst-port 445 in via fxp0
02100 0 0 deny tcp from any to any dst-port 137-139 in via f$
65535 8462368 382629716 deny ip from any to any
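#!/bin/sh
# /etc/rc.fw - ipfw ruleset for a host with a single uplink interface ($eth).
#
# Layout: dynamic states (check-state) first, then loopback, fragment and
# spoofing filters, the two blacklist tables, service rules with per-source
# state limits, and finally "established"; everything else hits the default
# rule 65535 (deny ip from any to any).
#   table(1) - sources banned for hammering port 80 (filled by the nginx log scan)
#   table(2) - sources banned for ICMP abuse
#
# NOTE(review): every "limit src-addr N" rule installs one dynamic state per
# source.  When the kernel's dynamic-state table is full (sysctl
# net.inet.ip.fw.dyn_count has reached net.inet.ip.fw.dyn_max) ipfw cannot
# create a state and drops the packet without adding anything to table(1);
# the kernel logs "ipfw: install_state: Too many dynamic rules" when that
# happens.  Re-running this script flushes the dynamic table, which would
# explain "works again after a restart until it fills up".  Compare the two
# sysctls (and /var/log/messages) while the symptom is present before tuning
# dyn_max or the state lifetimes.
# NOTE(review): the limit rules below match every TCP packet that reaches
# them, not only connection setups.  Adding "setup" before "limit" would
# confine state creation to SYN packets and let the rest fall through to
# rule 4000 - check against the intended policy before changing it.
#
# The rules are added with "ipfw -q", so a rule that fails to parse is
# dropped silently; after editing, run the script once without -q (or check
# "ipfw list") to confirm every rule was installed.
set -u

# Remove all rules AND all dynamic states before rebuilding.
ipfw -q -f flush

fw="ipfw -q add"          # expanded unquoted below on purpose: "ipfw -q add"
eth="fxp0"
ip_1="xxx.xxx.xxx.26"
ip_2="xxx.xxx.xxx.27"
ip_3="xxx.xxx.xxx.28"
ip_4="xxx.xxx.xxx.29"
ip_ssh="xxx.xxx.xxx.30"
ip_ftp="xxx.xxx.xxx.30"
ip_ftps="xxx.xxx.xxx.30"
ip_all="xxx.xxx.xxx.10"    # admin address, allowed everything (rules 500, 2950)
#ip_work="80.254.2.169"
limit="limit src-addr 50"  # per-source dynamic-state cap for the HTTP rules
#ssh_ban_table="table(50)"

# fail2ban (disabled)
#$fw 11 deny ip from ${ssh_ban_table} to me 22 via $eth
# temporary allow-all while testing (disabled; see rule 10 deletion at the end)
### $fw 10 allow ip from any to any

### packets of an existing dynamic state (limit rules below) match here
$fw 100 check-state
### loopback
$fw 200 allow ip from any to any via lo0
### fragments (rule 400 is a subset of 300, "ip" already covers icmp)
$fw 300 deny ip from any to any frag in via $eth
$fw 400 deny icmp from any to any frag in via $eth
### everything from the admin address
# NOTE(review): the "any" after $ip_all sits in the source-port position of
# the ipfw(8) grammar; confirm with "ipfw list 500" that the rule exists.
$fw 500 allow ip from $ip_all any to me
#$fw 510 allow ip from $ip_work any to me
### unwanted icmp types: redirect, router advertisement, timestamp (req/reply),
### info (req/reply), address-mask request
$fw 550 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
$fw 560 deny icmp from any to 255.255.255.255 in via $eth
$fw 570 deny icmp from 255.255.255.255 to any out via $eth
### sources banned for attacking port 80 (table(1) is fed by the nginx log scan)
$fw 610 deny ip from table\(1\) to me
$fw 620 deny ip from table\(1\) to any established
### sources banned for icmp abuse
$fw 630 deny icmp from table\(2\) to me
$fw 640 deny icmp from table\(2\) to any established
### antispoofing: reverse-path check on the uplink
$fw 700 reject ip from any to any not verrevpath in via $eth
### antispoofing: source networks that must never arrive on the uplink
### (172.16.0.0/16 is only the first block of the RFC 1918 172.16.0.0/12)
$fw 1200 deny ip from 127.0.0.0/8 to any in via $eth
$fw 1300 deny ip from 0.0.0.0/8 to any in via $eth
#$fw 1400 deny ip from 10.0.0.0/8 to any in via $eth
#$fw 1500 deny ip from 192.168.0.0/24 to any in via $eth
$fw 1600 deny ip from 172.16.0.0/16 to any in via $eth
### port-scan signatures: all flags set, no flags set, FIN without a session.
# The flag list must be ONE argument: with spaces after the commas the shell
# splits it and ipfw receives "syn," etc. as separate, unknown keywords.
$fw 1700 reject tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
$fw 1800 reject tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
$fw 1900 reject tcp from any to any not established tcpflags fin
### smb / netbios
$fw 2000 deny tcp from any to any 445 in via $eth
$fw 2100 deny tcp from any to any 137-139 in via $eth
### DNS on $ip_1: queries to us and our replies, then our queries and their replies
$fw 2200 allow udp from any to $ip_1 53 in via $eth
$fw 2210 allow udp from $ip_1 53 to any out via $eth
$fw 2220 allow udp from any 53 to $ip_1 in via $eth
$fw 2230 allow udp from $ip_1 to any 53 out via $eth
### icmp echo request, echo reply, time exceeded
$fw 2700 allow icmp from any to any icmptype 8
$fw 2800 allow icmp from any to any icmptype 0
$fw 2900 allow icmp from any to any icmptype 11
### admin address, any direction
$fw 2950 allow ip from $ip_all to any
### http, at most 50 dynamic states per source and address
$fw 3010 allow tcp from any to $ip_1 80 in via $eth $limit
$fw 3020 allow tcp from any to $ip_2 80 in via $eth $limit
$fw 3030 allow tcp from any to $ip_3 80 in via $eth $limit
$fw 3040 allow tcp from any to $ip_4 80 in via $eth $limit
### explicit denies for ports of retired hosts (disabled)
#$fw 3110 deny tcp from any to $ip_forum 8080 in via $eth setup $limit
#$fw 3120 deny tcp from any to $ip_hd 8080 in via $eth setup $limit
#$fw 3130 deny tcp from any to $ip_forum 25 in via $eth setup $limit
#$fw 3140 deny tcp from any to $ip_hd 25 in via $eth setup $limit
### ssh / ftp / ftps, at most 5 dynamic states per source
$fw 3500 allow tcp from any to $ip_ssh 22 in via $eth limit src-addr 5
$fw 3600 allow tcp from any to $ip_ftp 21 in via $eth limit src-addr 5
$fw 3700 allow tcp from any to $ip_ftps 2222 in via $eth limit src-addr 5
### outbound from this host
$fw 3900 allow ip from me to any
### replies to established sessions; anything else reaches the default deny (65535)
$fw 4000 allow ip from any to any established
### drop the temporary allow-all again if rule 10 was enabled above
#ipfw -q delete 10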
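#!/bin/sh
# Scan the nginx error log for clients that tripped the request-rate limiter
# ("limiting requests" lines) and put their addresses into ipfw table(1),
# which firewall rules 610/620 deny.  The logs are truncated afterwards so
# every run only sees entries written since the previous one.
log_dir=/usr/local/etc/nginx/logs
# All paths below are relative; if the cd failed, the copy and the
# truncations would hit whatever directory cron started us in.
cd "$log_dir" || exit 1
# Work on a snapshot so nginx can keep appending while the log is scanned.
cp -- error.log er.log
# Start a fresh ban list (not referenced in the visible part of this script).
: > banlist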
# Collect the offending client addresses from the "limiting requests" lines:
# field 12 presumably holds the "client: a.b.c.d," token (verify against the
# installed nginx error-log format), the comma is stripped, duplicates are
# removed and the server's own .26 address is filtered out.  The line is cut
# off in this listing (trailing "$"), so any further filters are not visible.
# NOTE(review): "grep -v" with an unanchored pattern and unescaped dots also
# drops any address that merely contains the pattern; "grep -Fvx" would make
# the exclusion exact.  The other host addresses (.27-.30) are only removed
# from the table again after it has been populated, below.
ban=`cat er.log | grep limiting | awk '{ print $12 }' | sed "s/,//" | sort | uniq | grep -v "xxx.xxx.xxx.26" | grep -$
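# Rotate by truncation (nginx keeps writing to the same inode).  Anything
# logged between the cp above and this point is lost.
: > error.log
: > access.log
# $ban is a whitespace-separated list, so the unquoted expansion is the
# intended word splitting; -f keeps an odd token from being glob-expanded.
# Every entry originates from log text, so only plain dotted-decimal
# addresses are handed to ipfw; anything else (IPv6, stray text) is reported
# and skipped instead of being passed on as an ipfw argument.
set -f
for i in $ban; do
  case $i in
    *[!0-9.]*)
      printf 'ban: skipping non-IPv4 entry "%s"\n' "$i" >&2
      continue
      ;;
  esac
  ipfw -q table 1 add "$i"
done
set +f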
# Addresses that must never stay banned (the server's own, per the original
# note): remove them from table(1) again in case the log scan picked them up.
for own in xxx.xxx.xxx.26 xxx.xxx.xxx.27 xxx.xxx.xxx.28 xxx.xxx.xxx.29 \
           xxx.xxx.xxx.30 80.254.12.198; do
  ipfw -q table 1 delete "$own"
done