Abstract
One way to improve the reliability of an Internet connection is to use two external communication channels, which implies automatic switching between them. This article briefly reviews several options for solving this problem, proposes a solution based on bash scripts under the FreeBSD OS, and gives the steps for building the resulting system together with the source code of the scripts it requires.
Introduction
To improve the reliability of the Internet connection, corporate solutions use two or more external network channels. Using them simultaneously (for example, with load balancing) or alternately (switching between channels) is nothing unusual, and the problem has already been solved in many ways. Here are some of them:
- SOHO-class routers with two uplinks to the external network (hereafter the external network is called the Internet, and the internal network the company's local network);
- layer 3 switches, which are as a rule carrier-class and, among their many configurable parameters, can solve the problem above;
- numerous self-written scripts in various languages for UNIX and Linux-like systems, often of questionable quality;
- channel balancing via NAT rules;
- balancing or switching via a proxy server.
Each of the approaches above has its advantages and disadvantages. Option 1, a SOHO router:
Advantages:
- low price;
- easy to install and configure.
Disadvantages:
- insufficient reliability for the corporate segment because of the lack of redundancy;
- lack of configuration flexibility and limited functionality (as a rule such devices solve a very narrow range of tasks, and one step outside that range is either impossible or fraught with all kinds of difficulties).
Option 2, a layer 3 switch:
Advantages:
- reliability;
- flexibility of configuration.
Disadvantages:
- price (such devices usually cost over 50 thousand);
- complexity of setup (devices of this level require an appropriate approach).
Option 3, switching scripts:
Advantages:
- price (free, not counting the working hours spent on setup).
Disadvantages:
- unpredictable reliability (the skill level of the authors of such scripts is often unknown, so without a detailed study it is hard to draw conclusions about the quality of the product);
- lack of flexibility and difficulty of customization (usually such scripts are written for specific conditions, and it is sometimes easier to write your own version than to understand someone else's).
Option 4, balancing with NAT rules:
Advantages:
- price (free, not counting the working hours spent on configuration);
- relatively simple setup.
Disadvantages:
- requires channels of roughly equal throughput;
- the speed when one of the external channels "drops" is questionable.
Finally, option 5, using a proxy server:
Advantages:
- price (free, not counting the working hours spent on configuration);
- flexibility of configuration.
Disadvantages:
- slows down the data flow;
- requires additional configuration on user machines;
- difficult to configure in non-standard situations.
Several years ago, at the start of development, the option of writing our own scripts was chosen for the following reasons. First, on the price criterion alone, the layer 3 switches of option 2 were out: for a local network of 10 machines an enterprise-level solution is a luxury. Sadly, at the time of the decision the author did not know about the devices of option 1; incidentally, even now they do not qualify on stability. The solution of option 4 did not fit either: the existing Internet channels differ in speed by a factor of several, and using such a scheme is, in my opinion, not justified; in addition, there are doubts about the quality of communication with the external network when one of the channels "drops". Option 5 did not satisfy, first, because it slows down the traffic and, second, because a solution that does not depend on optional components was needed. So option 3 remained, and after an attempt to study other people's scripts and adapt them, it was decided to abandon that idea and write our own.
Over time, a backup was installed next to the main FreeBSD "router", and the dns, dhcp, nat and ipfw settings were changed more than once. Everything, except for the scripts mentioned above, was gradually developed and improved, but in the end it was decided to rewrite them, taking as the basis modularity, a single configuration file, the flexibility and simplicity of configuration typical of Unix-like systems, and ease of adding new modules.
Goals and objectives
What is the final goal of this project? To create an easily scalable, universal software package based on a client-server system (although it would be more correct to call it agent-server) that detects problems with the external and internal connections and automatically switches to a working connection. Here the agent is the "collector" of information about the current state of the external and internal connections, and the server is the part of the program that decides which connection has priority and, if necessary, sends the command to switch to it. Moreover, in this context an agent may not be functioning on the server at all.
So:
- there are n "routers", each with m external channels; moreover, all n "routers" form a strict hierarchy;
- an agent runs independently on each machine; its task is to collect the test results for the external channels and "hand them up" to the server, the "router" that currently has the highest priority (at this stage the server part is assumed to be a mandatory add-on to the agent; since an agent does not have to perform the server function, it must determine whether the server is available);
- the server then analyses the received data and determines which channel and which "router" currently have priority. For this purpose the article describes the configuration of the DHCP server; the dhcpd configuration is modified in order to change the gateway;
- if the server fails, the program on all agents becomes active, a new server is chosen and designated from among the agents according to a pre-configured priority order, and it is delegated the functions of collecting information about the current state of the external connections and deciding on switching. After the first server is restored to working order, the reverse process takes place: automatic switching back to it.
The details of the algorithm could be spelled out at great length, but the general idea is as stated above. (From the example above, both n and m rarely take values greater than 2, but since such cases do occur, why not make a universal tool?)
In the course of writing the scripts I ran into a number of limitations of the bash language, so at the moment the "more elegant" solution to the problem above is still very "raw". So far there is a solution for a standalone "router", designed with an emphasis on extending its functionality further.
Solution
For many reasons it was decided to use an old machine (Pentium 3, 512 MB of RAM) with FreeBSD, currently version 9.2, as the basis of the local network and as the gateway to the Internet. Later, to improve reliability, a second similar machine was installed, working in tandem with the existing one. Incidentally, over the past two years there have been exactly two failures: the first time a PSU died, the second time a network card. Note that in both cases the backup machine took over, so the local network as a whole kept working without problems. So using old iron in this scheme has hardly affected the stability of the network. There are two external channels from different Internet providers. The general scheme is shown below.
Blue and red arrows are the external communication channels.
Black arrows are the internal communication channels.
The system looks like this:

The switch separates the providers' traffic using VLANs; in this particular case it is a Cisco SF300-08.
In more detail, what runs on the machines themselves, and by means of what:
Firewall: IPFW
NAT: kernel NAT from IPFW.
DNS: bind 9 (the latest version available from FreeBSD is used)
DHCP: isc-dhcpd
ToFoIn: the main culprit of this article.
Generally speaking, the reader is assumed to be familiar with similar systems, so this article does not go into the intricacies of configuring DNS and DHCP. Besides, there is a great deal of material on these subjects, and some links are given at the end of the article. The technical part includes the complete firewall and NAT rules currently in use, without comments (again, there is plenty of material on these topics), the kernel parameters and rc.conf.
Next, let us look at how the scripts work in detail. To begin with, what are the modules and what do they do?
Daemon: as the name suggests, the main process, which runs the testing and switching modules on a timer.
Tester: tests for the presence of connectivity on an external channel using the ping command.
Judge: based on the test results, determines which external channels are working and whether a switch is needed.
Logger: responsible for logging events. It has to make sure that information about events is not duplicated and that the log stays readable.
Watchdog: runs from crontab on a schedule. It detects "hangs" of all the modules and, where possible, tries to resolve the problems that have arisen.
Besides the scripts themselves, a few more important files are worth considering:
tofoin.conf: the single configuration file.
tofoin.log: the single event log file.
result_<channel number>: working files to which the test results are written.
A number of working files are used; and of course each script creates a pid file at start-up and deletes it during shutdown.
I will not describe the work of Logger and Watchdog in detail; those interested can study them as needed. Now the operation of the main modules, that is Daemon, Tester and Judge. Daemon launches Tester and Judge on the timers stored in the configuration file. It works as follows: at start-up a test is launched and its timestamp is remembered; then, every n seconds according to the sensitivity setting, it checks whether it is time to launch the next test or to evaluate the current state of the connection. To do this Daemon remembers the last timestamps of testing and of evaluation and compares them with the current timestamp. If the difference is greater than the value given in the configuration file, the test or the evaluation, respectively, is launched and its timestamp is replaced with the current one.
So far Tester is the simplest module. It takes two variables as input:
./tester.sh a b
where a is the routing table number and b is the task (in the normal mode b = 10, which means a full test with the result recorded).
Tester also has trial modes: b = 0 pings only the first target (from the configuration file), b = 1 pings only the second target (from the configuration file), and b = <destination>, for example b = habrahabr.ru, pings an arbitrary target. In that case, for routing table 0, the command looks like this:
./tester.sh 0 habrahabr.ru
The main component of the program is obviously the Judge module. In general terms its algorithm is as follows:
- the current external channel is determined from the current ipfw rules;
- a loop builds an array of the relevant state data for the external channels;
- the next loop determines the preferred external channel;
- then the function that decides whether a channel switch is needed is started, and if necessary the switch function is started and passed the number of the channel to switch to (the return to the main channel is not performed immediately; this avoids bouncing back and forth when the main channel is unstable, and the switch back happens only when the main external channel has started working stably);
- finally, if required, the switch function replaces the ipfw configuration with the required one, restarts it, and restarts bind in the required routing table.
Of course, all the main actions are recorded in the event log, and when an emergency occurs the cause of the error is logged and Watchdog is called.
That covers the basic principles of operation; now I suggest looking at how all this is actually implemented.
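The decision rule just described, as an added example that is not part of ToFoIn or of the original article: a small POSIX sh model that reads the "<timestamp> <state> <target>" lines Tester writes to result_<n>, picks the preferred channel (the lowest index whose last test succeeded and is fresh), and applies the WNUMBER hysteresis before returning to the main channel. The function names judge_pref_channel and judge_decide, the MAXAGE freshness limit and the constructed result files are assumptions made here; the model goes slightly beyond the original by treating a stale result as a failure and by resetting the counter whenever the current and preferred channels already agree.

```shell
#!/bin/sh
# Added example (not ToFoIn's own judge): the Judge decision rule modelled
# over Tester-style result files. All names below are assumptions.

WNUMBER=3          # consecutive good tests before returning to channel 0
MAXAGE=600         # a result older than this many seconds counts as failed

# judge_pref_channel <now> <dir> <cnumber>
# Prints the lowest channel index whose last test has state 0 and is
# fresh; prints the last channel index if no channel qualifies.
judge_pref_channel() {
    now=$1; dir=$2; cnumber=$3
    i=0
    while [ "$i" -lt "$cnumber" ]; do
        f="$dir/result_$i"
        if [ -r "$f" ]; then
            # result line format written by Tester: "<epoch> <state> <target>"
            read -r stamp state target < "$f"
            if [ "$state" -eq 0 ] && [ $((now - stamp)) -le "$MAXAGE" ]; then
                echo "$i"; return 0
            fi
        fi
        i=$((i + 1))
    done
    echo $((cnumber - 1)); return 0
}

# judge_decide <actualchan> <prefchan> <actualstate> <meterfile>
# Prints the action: "stay", "switch <n>" or "wait <k>" (k = good tests
# counted so far towards WNUMBER). The counter lives in <meterfile>,
# like JUDGEMETER in the original.
judge_decide() {
    actualchan=$1; prefchan=$2; actualstate=$3; meter=$4
    if [ "$actualchan" -eq "$prefchan" ]; then
        echo 0 > "$meter"; echo "stay"; return 0
    fi
    if [ "$prefchan" -ne 0 ]; then
        # leaving the main channel is immediate
        echo 0 > "$meter"; echo "switch $prefchan"; return 0
    fi
    if [ "$actualstate" -eq 1 ]; then
        # the channel in use is dead: emergency switch back to main
        echo 0 > "$meter"; echo "switch 0"; return 0
    fi
    # main channel is back but the current one still works: wait WNUMBER
    # judge runs before switching, to avoid bouncing on a flapping link
    count=$(cat "$meter" 2>/dev/null || echo 0)
    if [ "$count" -ge "$WNUMBER" ]; then
        echo 0 > "$meter"; echo "switch 0"
    else
        echo $((count + 1)) > "$meter"; echo "wait $((count + 1))"
    fi
}

# Constructed sample: the main channel failed its last test 30 s ago and
# the reserve channel answered the second ping target.
demo() {
    dir=$(mktemp -d)
    now=1405600000
    echo "$((now - 30)) 1 1" > "$dir/result_0"
    echo "$((now - 30)) 0 1" > "$dir/result_1"
    pref=$(judge_pref_channel "$now" "$dir" 2)
    judge_decide 0 "$pref" 1 "$dir/judgemeter"     # prints: switch 1
    rm -rf "$dir"
}

demo
```

The hysteresis matches the comment in tofoin.conf: with WNUMBER=3 the fourth consecutive judge run after the main channel recovers is the one that switches back, so the delay is about (WNUMBER+1)*JUDGEPERIOD seconds.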
Technical part
Equipment
The equipment has already been mentioned, but this section describes it in a little more detail. In my case (an internal network of about 30 machines), a Pentium III-based Celeron, 512 MB of RAM, a 40 GB HDD, a matching motherboard and a 350 W PSU with the right connectors are enough to run DNS, DHCP, NAT and IPFW. Two additional PCI network cards are installed. In terms of power, both routers are about the same.
Someone may object that in places the capacity is excessive, but these machines were not bought specially: they were assembled from what was left after renewing the "fleet" of user machines. Probably the minimum required set of services could run on much weaker hardware. It would also be worth playing safe and setting up a "mirrored" RAID; unfortunately I did not think of it in advance, which now causes certain difficulties, but that is a completely different story.
In my opinion this is a very worthwhile use of old working hardware, which would otherwise gather dust in a storeroom, be thrown away or be given away.
Preliminary setup
Of course, for this system to work some preliminary configuration has to be done.
First, configure the primary and secondary DNS servers. If there is only one "router", a primary DNS server is enough. In this case, as mentioned above, bind 9 is used; some links on tuning it are given at the end of the article. The book "DNS and BIND" by Cricket Liu and Paul Albitz is also very helpful here.
Next, a dhcp failover pair needs to be configured. If there is only one "router", the normal configuration of a standalone DHCP server is enough. Again, links are given at the end of the article. For some reason the articles on setting up a dhcp failover pair that the links point to are unavailable (and the situation has been like this for several months now), so here I give the script for synchronizing the configuration and the key points of the setup.
Configuring failover dhcpd
To configure a dhcp failover pair you need the following:
- In /usr/local/etc, create the main configuration file dhcpd.conf, referenced from rc.conf. Mine looks like this:
/usr/local/etc/dhcpd.conf
# dhcpd.conf
#
# option definitions common to all supported networks...
option domain-name "companyname.local";
option domain-name-servers 10.0.0.2, 10.0.0.1;
option ntp-servers 10.0.0.2, 10.0.0.1;
option log-servers 10.0.0.1;

update-static-leases on;

# 1 hour
default-lease-time 3600;
# 1 day
max-lease-time 86400;

# Use this to enable / disable dynamic dns updates globally.
ddns-update-style interim;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

set vendorclass = option vendor-class-identifier;

# DNS key
include "/usr/local/etc/dhcpd/dns.key";

zone companyname.local. {
  primary 127.0.0.1;
  key DHCP_UPDATER;
}

zone 0.0.10.in-addr.arpa. {
  primary 127.0.0.1;
  key DHCP_UPDATER;
}

# DHCP Failover, Primary
include "/usr/local/etc/dhcpd/dhcpd.conf_primary";
# Subnet declaration
include "/usr/local/etc/dhcpd/dhcpd.subnet";
# Static IP addresses
include "/usr/local/etc/dhcpd/dhcpd.static";
Here dns.key is the key for communicating with the dns server; these questions are covered in detail in articles on configuring dns + dhcp.
- Create the folder /usr/local/etc/dhcpd. In it, create the following files with, respectively, the following contents:
/usr/local/etc/dhcpd/dhcpd.conf_primary
##########################
# DHCP Failover, Primary #
##########################
failover peer "dhcpdpeer" {
  # Failover configuration
  primary;                  # I am the primary
  address 10.0.0.1;         # My IP address
  port 1111;
  peer address 10.0.0.2;    # Peer's IP address
  peer port 2222;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;                # Leave this at 128, only defined on Primary
  load balance max seconds 3;
}

/usr/local/etc/dhcpd/dhcpd.subnet
subnet 10.0.0.0 netmask 255.255.255.0 {
  pool {
    failover peer "dhcpdpeer";
    range 10.0.0.15 10.0.0.240;
  }
  option subnet-mask 255.255.255.0;
  option routers 10.0.0.2, 10.0.0.1;
  option broadcast-address 10.0.0.255;
  option netbios-name-servers 10.0.0.3;
  option netbios-dd-server 10.0.0.3;
  option netbios-node-type 8;
}
In this case the netbios name server is a Windows server running the WINS server service, but samba could play that role as well.
/usr/local/etc/dhcpd/dhcpd.static
host SERVER3 {
  hardware ethernet 11:11:11:11:11:11;
  fixed-address 10.0.0.3;
}

host SERVER4 {
  hardware ethernet 22:22:22:22:22:22;
  fixed-address 10.0.0.4;
}

As you might guess, this file is for static addresses.
- On the second "router" the files look like this:
/usr/local/etc/dhcpd.conf
# dhcpd.conf
#
# option definitions common to all supported networks...
option domain-name "companyname.local";
option domain-name-servers 10.0.0.2, 10.0.0.1;
option ntp-servers 10.0.0.2, 10.0.0.1;
option log-servers 10.0.0.1;

update-static-leases on;

# 1 hour
default-lease-time 3600;
# 1 day
max-lease-time 86400;

# Use this to enable / disable dynamic dns updates globally.
ddns-update-style interim;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

set vendorclass = option vendor-class-identifier;

# DNS key
include "/usr/local/etc/dhcpd/dns.key";

zone companyname.local. {
  secondary 127.0.0.1;
  key DHCP_UPDATER;
}

zone 0.0.10.in-addr.arpa. {
  secondary 127.0.0.1;
  key DHCP_UPDATER;
}

# DHCP Failover, Secondary
include "/usr/local/etc/dhcpd/dhcpd.conf_secondary";
# Subnet declaration (synchronized from the primary, do not edit here)
include "/usr/local/etc/dhcpd/dhcpd.subnet.DONOTEDIT";
# Static IP addresses (synchronized from the primary, do not edit here)
include "/usr/local/etc/dhcpd/dhcpd.static.DONOTEDIT";

/usr/local/etc/dhcpd/dhcpd.conf_secondary
###########################
# DHCP Failover,Secondary #
###########################
failover peer "dhcpdpeer" {
  # Failover configuration
  secondary;                # I am the secondary
  address 10.0.0.2;         # My IP address
  port 2222;
  peer address 10.0.0.1;    # Peer's IP address
  peer port 1111;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  load balance max seconds 3;
}
The remaining files are taken from the first "router" by merely renaming them, and once everything is finally configured, the files are moved over automatically whenever isc-dhcpd is restarted (see below for how).
- Create an executable file with the following contents:
/usr/local/bin/dhcpd-sync
#!/bin/sh
# backup generation
date=`date -v-1d '+%Y%m%d-%H%M%s'`
month=`date '+%m%Y'`
sudo -u dhcp-updater cp -f /usr/local/etc/dhcpd/dhcpd.subnet /var/dhcp-backup/dhcpd.subnet.$date
sudo -u dhcp-updater bzip2 -f -k -z /var/dhcp-backup/dhcpd.subnet.$date
sudo -u dhcp-updater tar -r -f /var/dhcp-backup/dhcpd.subnet.$month.tar -C /var/dhcp-backup dhcpd.subnet.$date.bz2
sudo -u dhcp-updater cp -f /usr/local/etc/dhcpd/dhcpd.static /var/dhcp-backup/dhcpd.static.$date
sudo -u dhcp-updater bzip2 -f -k -z /var/dhcp-backup/dhcpd.static.$date
sudo -u dhcp-updater tar -r -f /var/dhcp-backup/dhcpd.static.$month.tar -C /var/dhcp-backup dhcpd.static.$date.bz2
sudo -u dhcp-updater scp -P 22 -q /var/dhcp-backup/dhcpd.subnet.$date.bz2 dhcp-updater@10.0.0.2:/var/dhcp-backup
sudo -u dhcp-updater ssh -p 22 10.0.0.2 tar -r -f /var/dhcp-backup/dhcpd.subnet.$month.tar -C /var/dhcp-backup dhcpd.subnet.$date.bz2
sudo -u dhcp-updater scp -P 22 -q /var/dhcp-backup/dhcpd.static.$date.bz2 dhcp-updater@10.0.0.2:/var/dhcp-backup
sudo -u dhcp-updater ssh -p 22 10.0.0.2 tar -r -f /var/dhcp-backup/dhcpd.static.$month.tar -C /var/dhcp-backup dhcpd.static.$date.bz2
sudo -u dhcp-updater ssh -p 22 10.0.0.2 rm /var/dhcp-backup/dhcpd.subnet.$date.bz2
sudo -u dhcp-updater ssh -p 22 10.0.0.2 rm /var/dhcp-backup/dhcpd.static.$date.bz2
sudo -u dhcp-updater rm /var/dhcp-backup/dhcpd.subnet.$date
sudo -u dhcp-updater rm /var/dhcp-backup/dhcpd.static.$date
sudo -u dhcp-updater rm /var/dhcp-backup/dhcpd.subnet.$date.bz2
sudo -u dhcp-updater rm /var/dhcp-backup/dhcpd.static.$date.bz2

# sync and restart secondary DHCP
sudo -u dhcp-updater scp -P 22 -q /usr/local/etc/dhcpd/dhcpd.subnet dhcp-updater@10.0.0.2:/usr/local/etc/dhcpd/dhcpd.subnet.DONOTEDIT
sudo -u dhcp-updater scp -P 22 -q /usr/local/etc/dhcpd/dhcpd.static dhcp-updater@10.0.0.2:/usr/local/etc/dhcpd/dhcpd.static.DONOTEDIT
sudo -u dhcp-updater ssh -p 22 10.0.0.2 sudo /usr/local/etc/rc.d/isc-dhcpd restart
- On both servers create a dhcp-updater user with the appropriate rights, register it in the sudo configuration, set up key-based ssh access from the primary to the secondary "router", and remove the password. You may also need to create the folder /var/dhcp-backup/ on both machines.
- Change part of the file /usr/local/etc/rc.d/isc-dhcpd as follows.
Before:
dhcpd_checkconfig () {
	local rc_flags_mod setup_flags

	rc_flags_mod="$rc_flags"
	# Eliminate '-q' flag if it is present
	case "$rc_flags" in
	*-q*)
		rc_flags_mod=`echo "${rc_flags}" | sed -Ee 's/(^-q | -q | -q$)//'`
		;;
	esac
	if ! ${command} -t -q ${rc_flags_mod}; then
		err 1 "`${command} -t ${rc_flags_mod}` Configuration file sanity check failed"
	fi
}

After:
dhcpd_checkconfig () {
	local rc_flags_mod setup_flags

	rc_flags_mod="$rc_flags"
	# Eliminate '-q' flag if it is present
	case "$rc_flags" in
	*-q*)
		rc_flags_mod=`echo "${rc_flags}" | sed -Ee 's/(^-q | -q | -q$)//'`
		;;
	esac
	if ! ${command} -t -q ${rc_flags_mod}; then
		err 1 "`${command} -t ${rc_flags_mod}` Configuration file sanity check failed"
	else
		# configuration is valid: archive it and push it to the secondary
		sh /usr/local/bin/dhcpd-sync
	fi
}
- If everything is configured correctly, restarting the dhcp server on the main machine will archive the current configuration, synchronize it to the second server and restart the service on both machines.
- It is convenient to add the following task to crontab:
0 0 * * * root /usr/local/etc/rc.d/isc-dhcpd restart
- This completes the failover dhcpd configuration.
Third, for a routing table in addition to table zero to appear, and for kernel nat and ipfw to work, the kernel has to be rebuilt with the following parameters (variations are possible, of course; use the links at the end):
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
options IPFIREWALL_NAT
options LIBALIAS
options DUMMYNET
options HZ=1000
options ROUTETABLES=2
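A consistency check for the pair just configured, added here as an example that is not part of the article's setup or of ISC dhcpd: the two "failover peer" blocks only work if they mirror each other, so before restarting the pair it is worth verifying that address/port on one side equal peer address/peer port on the other, that mclt agrees, and that split is declared only on the primary (dhcpd -t validates syntax, not this cross-file agreement). The function names fo_get, fo_check and fo_write_sample are chosen here, and the sample files reproduce the dhcpd.conf_primary and dhcpd.conf_secondary shown above.

```shell
#!/bin/sh
# Added example (not part of the article or of ISC dhcpd): cross-check the
# two sides of a dhcpd failover pair before restarting them.

# fo_get <file> <key>: value of the first "<key> <value>;" statement
# (the key may contain a space, e.g. "peer address"; trailing comments
# after the ';' are ignored)
fo_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# fo_check <primary_conf> <secondary_conf>: prints each mismatch found,
# returns 1 if there was any, 0 if the pair is consistent
fo_check() {
    p=$1; s=$2; rc=0
    grep -q '^[[:space:]]*primary;' "$p"   || { echo "$p: missing 'primary;'"; rc=1; }
    grep -q '^[[:space:]]*secondary;' "$s" || { echo "$s: missing 'secondary;'"; rc=1; }
    [ "$(fo_get "$p" address)" = "$(fo_get "$s" 'peer address')" ] \
        || { echo "primary address != secondary peer address"; rc=1; }
    [ "$(fo_get "$s" address)" = "$(fo_get "$p" 'peer address')" ] \
        || { echo "secondary address != primary peer address"; rc=1; }
    [ "$(fo_get "$p" port)" = "$(fo_get "$s" 'peer port')" ] \
        || { echo "primary port != secondary peer port"; rc=1; }
    [ "$(fo_get "$s" port)" = "$(fo_get "$p" 'peer port')" ] \
        || { echo "secondary port != primary peer port"; rc=1; }
    [ "$(fo_get "$p" mclt)" = "$(fo_get "$s" mclt)" ] \
        || { echo "mclt differs between peers"; rc=1; }
    [ -n "$(fo_get "$p" split)" ] || { echo "$p: split missing on primary"; rc=1; }
    [ -z "$(fo_get "$s" split)" ] || { echo "$s: split must not be set on secondary"; rc=1; }
    return $rc
}

# fo_write_sample <dir>: constructed copies of the two peer files from the
# article, used for the demonstration below
fo_write_sample() {
    cat > "$1/dhcpd.conf_primary" <<'EOF'
failover peer "dhcpdpeer" {
  primary;                # I am the primary
  address 10.0.0.1;       # My IP address
  port 1111;
  peer address 10.0.0.2;  # Peer's IP address
  peer port 2222;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;
  load balance max seconds 3;
}
EOF
    cat > "$1/dhcpd.conf_secondary" <<'EOF'
failover peer "dhcpdpeer" {
  secondary;              # I am the secondary
  address 10.0.0.2;       # My IP address
  port 2222;
  peer address 10.0.0.1;  # Peer's IP address
  peer port 1111;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  load balance max seconds 3;
}
EOF
}

# Usage on a real pair (paths from the article):
#   fo_check /usr/local/etc/dhcpd/dhcpd.conf_primary /path/copied/from/secondary/dhcpd.conf_secondary
fo_demo() {
    d=$(mktemp -d)
    fo_write_sample "$d"
    if fo_check "$d/dhcpd.conf_primary" "$d/dhcpd.conf_secondary"; then
        echo "failover pair is consistent"
    fi
    rm -rf "$d"
}

fo_demo
```

Since the secondary's file lives on the other machine, the practical way to use this is to run it on the primary after copying dhcpd.conf_secondary over with the same dhcp-updater account the sync script already uses.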
For the second routing table (number "1", since the first table has number "0") to work after a reboot, a file with the following contents must be created in rc.d (located in /usr/local/etc/rc.d/):
/usr/local/etc/rc.d/setfib1
#!/bin/sh
#
# PROVIDE: SETFIB1
# REQUIRE: NETWORKING
# BEFORE: DAEMON
#
# Add the following lines to /etc/rc.conf to enable setfib 1 at startup
# setfib1_enable (bool): Set to "NO" by default.
#   Set it to "YES" to enable setfib1
# setfib1_defaultrouter (str): Set to "" by default
#   Set it to ip address of default gateway for use in fib 1

. /etc/rc.subr

name="setfib1"
rcvar=`set_rcvar`

load_rc_config $name

[ -z "$setfib1_enable" ] && setfib1_enable="NO"
[ -z "$setfib1_defaultrouter" ] && setfib1_defaultrouter=""

start_cmd="${name}_start"
stop_cmd="${name}_stop"

setfib1_start()
{
	if [ -n "${setfib1_defaultrouter}" ]
	then
		setfib 1 route add -net default ${setfib1_defaultrouter}
	else
		echo "Can not set default route for fib 1 - setfib1_defaultrouter is not assigned in rc.conf!"
	fi
}

setfib1_stop()
{
	setfib 1 route del -net default
}

run_rc_command "$1"
Also, for example for the primary "router", add a few lines to rc.conf:
setfib1_enable="YES"
setfib1_defaultrouter="2.2.2.1"
In fact this boot script does no more than add a default route to the second table. If necessary, up to 65536 routing tables can be used (FreeBSD version 10); to do so, copy the script above with minor changes and add the parameters to rc.conf. (Of course, those 65536 tables must first be enabled in the kernel parameters!)
My rc.conf settings on the main "router":
But first, a few comments:
eth0 is the physical interface of the main external channel.
eth1 is the physical interface of the backup external channel.
eth2 is the physical interface of the internal channel.
vlan1 is the interface of the main external channel.
vlan2 is the interface of the backup external channel.
vlan3 and vlan4 are reserved for future functionality, described at the end of the article.
10.0.0.1 is the address of the "router" on the internal network; on the second one it is, accordingly, 10.0.0.2.
1.1.1.2 and 1.1.1.1 are the IP address and default gateway of the main external channel.
2.2.2.2 and 2.2.2.1 are the IP address and default gateway of the backup external channel.
## Note: the interface names and IP addresses are used as examples and will be your own in each case! ##
/etc/rc.conf
hostname="SERVER1.companyname.local"
keymap="ru.koi8-r"
font8x8="cp866-8x8"
font8x14="cp866-8x14"
font8x16="cp866-8x16"
scrnmap="koi8-r2cp866"
cursor="destructive"

ifconfig_eth0="up"
vlans_eth0="vlan1 vlan3"
create_args_vlan1="vlan 1"
create_args_vlan3="vlan 3"
ifconfig_eth1="up"
vlans_eth1="vlan2 vlan4"
create_args_vlan2="vlan 2"
create_args_vlan4="vlan 4"
ifconfig_eth2="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_vlan1="inet 1.1.1.2/24"
ifconfig_vlan3="inet 10.0.1.1/30"
ifconfig_vlan2="inet 2.2.2.2/24"
ifconfig_vlan4="inet 10.0.2.1/30"
defaultrouter="1.1.1.1"
setfib1_enable="YES"
setfib1_defaultrouter="2.2.2.1"
gateway_enable="YES"

sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
hald_enable="YES"
dbus_enable="YES"
dumpdev="AUTO"

firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/firewall.sh"

named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-u bind -c /etc/namedb/named.conf"

dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="eth2"

Below are the NAT and firewall settings that work for me.
When working through the main external channel:
/etc/rules.firewall0
#!/bin/sh

# Delete all rules
/sbin/ipfw -q -f flush
/sbin/ipfw -q -f pipe flush
/sbin/ipfw -q -f queue flush
/sbin/ipfw -q -f nat 1 delete
/sbin/ipfw -q -f table all flush

# Parameters
ipfw="/sbin/ipfw -q add"
extM_if="vlan1"
extM_ip="1.1.1.2"
extS_if="vlan2"
extS_ip="2.2.2.2"
int_if="eth2"
int_ip="10.0.0.1"
lan_net="10.0.0.0/24"
odmin="10.0.0.111"

# Tables
# Table 1 - non-routes networks
/sbin/ipfw table 1 add 192.168.0.0/16
/sbin/ipfw table 1 add 172.16.0.0/12
/sbin/ipfw table 1 add 10.0.0.0/8
/sbin/ipfw table 1 add 127.0.0.0/8
/sbin/ipfw table 1 add 0.0.0.0/8
/sbin/ipfw table 1 add 169.254.0.0/16
/sbin/ipfw table 1 add 192.0.2.0/24
/sbin/ipfw table 1 add 204.152.64.0/23
/sbin/ipfw table 1 add 224.0.0.0/3

# Choose route table
$ipfw setfib 0 all from any to any via $int_if

# Allow all traffic on loopback
$ipfw allow all from any to any via lo0
# Deny access to lo0 from out
$ipfw deny log all from any to 127.0.0.0/8
# Deny outcome packets from lo0
$ipfw deny log all from 127.0.0.0/8 to any

# Allow returning
$ipfw check-state

# Deny IPv6
$ipfw deny log ipv6 from any to any

# Antispoofing
$ipfw deny log all from any to any not antispoof in

# Block any delayed packets (fragments)
$ipfw deny all from any to any frag

#########################################
# Internal interface, outcoming traffic #
#########################################
# Allow all traffic from gateway to lan
$ipfw allow all from any to $lan_net out via $int_if
# Deny and log other
$ipfw deny log all from any to any out via $int_if

########################################
# Internal interface, incoming traffic #
########################################
# Deny all Netbios
$ipfw deny tcp from any to any 81,137,138,139 in via $int_if

# Allow traffic on internal interface
# DHCP
$ipfw allow udp from any to me 67,68,1515,1516 in via $int_if
# Mail
$ipfw allow tcp from $lan_net to any 25,110,143,465,993,995 in via $int_if
# Time
$ipfw allow tcp from $lan_net to any 37 in via $int_if
$ipfw allow udp from $lan_net to any 123 in via $int_if
# ICQ
$ipfw allow tcp from $lan_net to any 443,5190,5222 in via $int_if
# FTP and some other
$ipfw allow tcp from $lan_net to any 21,22,49152-65535 in via $int_if
# HTTP
$ipfw allow tcp from $lan_net to any 80 in via $int_if
# Output whois
$ipfw allow tcp from $lan_net to any 43 in via $int_if
# DNS
$ipfw allow udp from $lan_net to any 53 in via $int_if
$ipfw allow tcp from $lan_net 53 to $int_ip in via $int_if
$ipfw allow tcp from $lan_net to $int_ip 53 in via $int_if
# Ping
$ipfw allow icmp from $lan_net to any icmptypes 0,3,8,11 in via $int_if
# For admin
$ipfw allow all from $odmin 1025-6000,11111,22222,50000-60000 to any in via $int_if
$ipfw allow all from 10.0.0.2 22 to $int_ip in via $int_if
$ipfw 55100 allow all from any to $int_ip 22 in via $int_if
# Deny and log other
$ipfw deny log all from any to any in via $int_if

#########################################
# External interface, outcoming traffic #
#########################################
# Deny all outcoming traffic to non-route networks
$ipfw deny log all from any to 'table(1)' out via $extM_if
$ipfw deny log all from any to 'table(1)' out via $extS_if
# Deny broadcast ICMP on ext interface
$ipfw deny icmp from any to 255.255.255.255 out via $extM_if
$ipfw deny icmp from any to 255.255.255.255 out via $extS_if
# Deny multicast on ext interface
$ipfw deny all from 224.0.0.0/4 to any out via $extM_if
$ipfw deny all from 224.0.0.0/4 to any out via $extS_if
# Allow me go to internet
$ipfw allow all from $extM_ip to any out via $extM_if setup keep-state
$ipfw allow all from $extS_ip to any out via $extS_if setup keep-state
# DNS BIND
$ipfw allow udp from $extM_ip to any 53 out via $extM_if keep-state
$ipfw allow udp from $extS_ip to any 53 out via $extS_if keep-state
# Time
$ipfw allow udp from $extM_ip to any 123 out via $extM_if keep-state
$ipfw allow tcp from $extM_ip to any 37 out via $extM_if setup keep-state
# Output whois
$ipfw allow tcp from $extM_ip to any 43 out via $extM_if setup keep-state

# NAT
/sbin/ipfw -q nat 1 config log if $extM_if reset same_ports deny_in unreg_only redirect_port tcp 10.0.0.111:33333 33333 redirect_port udp 10.0.0.111:11111 11111 redirect_port tcp 10.0.0.111:22222 22222 redirect_port udp 10.0.0.111:22222 22222
# NAT outcoming traffic
$ipfw nat 1 ip from any to any out via $extM_if

# Allow traffic on outcoming interface
# Mail
$ipfw allow tcp from any to any 25,110,143,465,993,995 out via $extM_if
# ICQ
$ipfw allow tcp from any to any 443,5190,5222 out via $extM_if
# FTP and some other
$ipfw allow tcp from any to any 21,22,49152-65535 out via $extM_if
# HTTP
$ipfw allow tcp from any to any 80 out via $extM_if
# Ping
$ipfw allow icmp from any to any icmptypes 0,3,8,11 out via $extM_if
$ipfw allow icmp from any to any icmptypes 0,3,8,11 out via $extS_if
# For admin
$ipfw allow tcp from any 1025-6000 to any out via $extM_if
$ipfw allow all from any 11111,22222,50000-60000 to any out via $extM_if
# Deny and log other
$ipfw deny log all from any to any out via $extM_if
$ipfw deny log all from any to any out via $extS_if

########################################
# External interface, incoming traffic #
########################################
# Deny all incoming traffic from non-route networks
$ipfw deny log all from 'table(1)' to any in via $extM_if
$ipfw deny log all from 'table(1)' to any in via $extS_if
# Deny ident
$ipfw deny tcp from any to any 113 in via $extM_if
$ipfw deny tcp from any to any 113 in via $extS_if
# Deny all Netbios
$ipfw deny tcp from any to any 81,137,138,139 in via $extM_if
$ipfw deny tcp from any to any 81,137,138,139 in via $extS_if
# SSH (also for internal network)
$ipfw allow all from any to me 22 in via $extM_if
$ipfw allow all from any to me 22 in via $extS_if
# NAT incoming traffic
$ipfw nat 1 ip from any to any in via $extM_if

# Allow traffic on outcoming interface
# Mail
$ipfw allow tcp from any 25,110,143,465,993,995 to any in via $extM_if
# ICQ
$ipfw allow tcp from any 443,5190,5222 to any in via $extM_if
# FTP and some other
$ipfw allow tcp from any 21,22,49152-65535 to any in via $extM_if
# HTTP
$ipfw allow tcp from any 80 to any in via $extM_if
# Ping
$ipfw allow icmp from any to any icmptypes 0,3,8,11 in via $extM_if
$ipfw allow icmp from any to any icmptypes 0,3,8,11 in via $extS_if
# For admin
$ipfw allow tcp from any to $odmin 1025-6000 in via $extM_if
$ipfw allow all from any to $odmin 11111,22222,50000-60000 in via $extM_if
# Deny and log other
$ipfw deny log all from any to any in via $extM_if
$ipfw deny log all from any to any in via $extS_if

$ipfw deny log all from any to any
When working through the backup external channel all the settings are the same; only the "header" changes.
/etc/rules.firewall1
# Parameters
ipfw="/sbin/ipfw -q add"
extM_if="vlan2"
extM_ip="2.2.2.2"
extS_if="vlan1"
extS_ip="1.1.1.1"
int_if="eth2"
int_ip="10.0.0.1"
lan_net="10.0.0.0/24"
odmin="10.0.0.111"
serv="10.0.0.4"
sshguard is also configured on the "routers", but an experienced reader can find and install this program on their own.
Script sources
ToFoIn: toggles Internet failover. The name is perhaps not the most ambitious, but I could not come up with one that describes the product more precisely than the existing one. Below are the texts of the scripts and the related files, with some commentary.
tofoin.conf
## tofoin.conf
##
## by LordNicky v0.6 20140719
##
## Little about the modules and about what function they perform.
## Tester - Testing the availability of the Internet on selected channel.
## Judge - Test results analysis, the decision to switch
##         from one channel to another.
## Logger - Event logging.
## Watchdog - Testing and debugging of the scripts.

## Configuration.

## Amount of the Internet channels.
CNUMBER=2

## Main Internet channel properties.
## Interface name.
EXT_0_IF=vlan10
## Id number of the routing table.
RTABLE_0=0

## Reserve Internet channel properties.
## Interface name.
EXT_1_IF=vlan20
## Id number of the routing table
RTABLE_1=1

## URL's supposed to be used for diagnostic of the availability
## of the Internet channel. PTARGET_0 should be domain name, and
## PTARGET_1 should be IP address.
## Attention: The resources should be different.
PTARGET_0=ya.ru
PTARGET_1=8.8.8.8

## Count of icmp packets used for testing one resource.
PNUMBER=2

## Period of launching of the module "Tester" (in seconds).
## Strongly not recommended to set a value less than 60.
TESTERPERIOD=240

## Period of launching of the module "Judge" (in seconds).
## Strongly not recommended to set a value less than TESTERPERIOD.
## Usually enough TESTERPERIOD + 60.
JUDGEPERIOD=300

## Launching sensitivity for the modules Tester and Judge.
## Usually enough 60.
SENSITIVITY=60

## The maximum operating time for the module Tester.
TESTERMAXDELAY=40
## The maximum operating time for the module Judge.
JUDGEMAXDELAY=30
## The maximum operating time for the module Logger.
LOGGERMAXDELAY=20

## Amount of tests that successfully passed before returning
## to the main channel. Thereby, time elapsed since the restore
## the work main channel is approximately (WNUMBER+1)*JUDGEPERIOD
## seconds.
WNUMBER=3

## The frequency of writing error message into the log file.
## The main idea is the following. At first time the message
## is written completely. After LOGFREQ1 repetitions logger
## writes the only message about LOGFREQ1 the same messages.
## Later in each LOGFREQ2 repetitions logger writes the only
## message about LOGFREQ2 the same messages. This algorithm
## works only if the same messages are following after each other.
LOGFREQ1=5
LOGFREQ2=20

## File paths.
## Paths for configuration script files IPFW.
## Default file. (It is written in the rc.conf)
FIRESETDEF=/etc/firewall.sh
## Settings for main Internet channel.
FIRESET_0=/etc/rules.firewall0
## Settings for reserve Internet channel.
FIRESET_1=/etc/rules.firewall1

## Paths for all ToFoIn files.
## Daemon.
DAEMON=/path/to/file/tofoin_daemon.sh
## Tester.
TESTER=/path/to/file/tofoin_tester.sh
## Judge.
JUDGE=/path/to/file/tofoin_judge.sh
## Logger.
LOGGER=/path/to/file/tofoin_logger.sh
## Watchdog.
WATCHDOG=/path/to/file/tofoin_watchdog.sh

## Log file. It is recommended to locate it into the /var/log.
LOGFILE=/path/to/file/tofoin.log

## The directory supposed for test results. It is recommended
## to locate it into the /tmp.
TESTER_RESULT=/path/to/directory

## Auxiliary module file Judge. It is recommended to locate
## it into the /tmp.
JUDGEMETER=/path/to/file/judgemeter

## Auxiliary module file Logger. It is recommended to locate
## it into the /tmp.
LOGTMP=/path/to/file/logger.tmp
LOGMETER=/path/to/file/logmeter

## PID files for all executable modules. It is recommended
## to locate it into /var/run.
DAEMON_PID=/path/to/file/tofoin_daemon.pid
TESTER_PID=/path/to/directory
JUDGE_PID=/path/to/file/tofoin_judge.pid
LOGGER_PID=/path/to/file/tofoin_logger.pid
WATCHDOG_PID=/path/to/file/tofoin_watchdog.pid
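The log-compression rule described in the LOGFREQ1/LOGFREQ2 comments, as an added example that is not ToFoIn's own Logger: an identical message repeated back-to-back is written in full only the first time, one summary line is written after LOGFREQ1 repetitions, then one summary per further LOGFREQ2 repetitions, and any different message resets the count. The original keeps its state in the LOGTMP and LOGMETER files between separate logger processes; this model keeps it in shell variables inside one process, and the function names log_event and log_lines are assumptions.

```shell
#!/bin/sh
# Added example (not ToFoIn's logger): repeated-message compression as
# described in tofoin.conf. State is kept in shell variables here, whereas
# the original keeps it in LOGTMP/LOGMETER files.

LOGFREQ1=5
LOGFREQ2=20

last_msg=""     # text of the last message seen
repeat=0        # how many times in a row it has been seen

# log_event <logfile> <message>
log_event() {
    logfile=$1; msg=$2
    if [ "$msg" != "$last_msg" ]; then
        # a new message: write it in full and restart the counter
        last_msg=$msg; repeat=1
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $msg" >> "$logfile"
        return 0
    fi
    repeat=$((repeat + 1))
    seen=$((repeat - 1))      # repetitions after the full write
    if [ "$seen" -eq "$LOGFREQ1" ]; then
        echo "... previous message repeated $LOGFREQ1 times" >> "$logfile"
    elif [ "$seen" -gt "$LOGFREQ1" ] && [ $(( (seen - LOGFREQ1) % LOGFREQ2 )) -eq 0 ]; then
        echo "... previous message repeated $LOGFREQ2 more times" >> "$logfile"
    fi
}

# log_lines <logfile>: number of lines written so far
log_lines() { wc -l < "$1" | tr -d ' '; }

# Constructed demonstration: 26 identical Tester failures followed by one
# Judge message produce 4 log lines instead of 27.
log_demo() {
    f=$(mktemp)
    n=0
    while [ "$n" -lt 26 ]; do
        log_event "$f" "TESTER: channel 0 failed"
        n=$((n + 1))
    done
    log_event "$f" "JUDGE: Now switching on channel 1"
    cat "$f"
    log_lines "$f"            # prints: 4
    rm -f "$f"
}

log_demo
```

A compressed log still records every state change, because a different message always breaks the run; what is suppressed is only the repetition of an identical line, which is exactly what floods a log during a long outage of one channel.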
tofoin_daemon.sh
```bash
#!/usr/local/bin/bash
# by LordNicky v0.5 20140717

. /root/ToFoIn/tofoin.conf

test_time=`date +%s`
judge_time=`date +%s`

echo $$ > $DAEMON_PID
$LOGGER "DAEMON: start successfully with pid $$" &

# Tester arguments: <routing table> <mode: 10 = normal run from the daemon> <channel index>
tester_0="$TESTER $RTABLE_0 10 0"
tester_1="$TESTER $RTABLE_1 10 1"

# First test run right after start.
$tester_0 &
$tester_1 &

while true
do
    current_time=`date +%s`

    # Launch the testers every TESTERPERIOD seconds.
    if [ "`expr $current_time - $test_time`" -ge "$TESTERPERIOD" ]
    then
        $tester_0 &
        $tester_1 &
        test_time=`date +%s`
    fi

    # Launch the judge every JUDGEPERIOD seconds.
    if [ "`expr $current_time - $judge_time`" -ge "$JUDGEPERIOD" ]
    then
        $JUDGE &
        judge_time=`date +%s`
    fi

    sleep $SENSITIVITY
done
```
tofoin_tester.sh
```bash
#!/usr/local/bin/bash
# by LordNicky v0.7 20140717
#
# Arguments: $1 - routing table (FIB) of the channel to test
#            $2 - mode: 10 = normal run from the daemon (the result is written
#                 to $TESTER_RESULT/result_$3); 0 / 1 = manual ping of
#                 PTARGET_0 / PTARGET_1; anything else = manual ping of host $2
#            $3 - channel index

. /root/ToFoIn/tofoin.conf

exit_function () {
    rm $tester_pid
    exit $exit_code
}

# One pid file per channel, so the testers of both channels can run at once.
tester_pid=$TESTER_PID/tofoin_test_$3.pid

if [ -e $tester_pid ]; then
    # A previous tester for this channel is still running (or died without
    # cleaning up): let the watchdog sort it out.
    $WATCHDOG "tofoin_test" "$tester_pid" "$3" &
    exit 0
else
    echo `date +%s` $$ > $tester_pid
    if [ "$2" -eq 10 ]; then
        # Result line format: "<epoch> <state> <target>", where state 0 = channel
        # up, 1 = channel down, and target tells which of PTARGET_0 / PTARGET_1
        # was reached.
        if setfib $1 ping -c $PNUMBER $PTARGET_0 > /dev/null; then
            echo `date +%s` "0 0" > $TESTER_RESULT/result_$3
            exit_code=0
            exit_function
        else
            # The domain name failed (possibly DNS): fall back to the bare IP.
            if setfib $1 ping -c $PNUMBER $PTARGET_1 > /dev/null; then
                echo `date +%s` "0 1" > $TESTER_RESULT/result_$3
                exit_code=0
                exit_function
            else
                echo `date +%s` "1 1" > $TESTER_RESULT/result_$3
                exit_code=0
                exit_function
            fi
        fi
    elif [ "$2" -eq 0 ]; then
        # Manual run: ping output goes to the terminal, no result file.
        setfib $1 ping -c $PNUMBER $PTARGET_0
        exit_code=0
        exit_function
    elif [ "$2" -eq 1 ]; then
        setfib $1 ping -c $PNUMBER $PTARGET_1
        exit_code=0
        exit_function
    else
        setfib $1 ping -c $PNUMBER $2
        exit_code=1
        exit_function
    fi
fi
```
As mentioned earlier, the Tester module has been slightly extended with the ability to launch it manually; how to do that is described in the "Solution" section. Also, as can be seen from the script text, the Tester writes its result to a file only in the case of a normal launch from the daemon.
tofoin_judge.sh
```bash
#!/usr/local/bin/bash
# by LordNicky v0.7 20140717

. /root/ToFoIn/tofoin.conf

exit_function () {
    rm $JUDGE_PID
    exit $exit_code
}

# Decide what to do given the channel currently in use ($actualchan), its
# state ($actualstate) and the preferred channel ($prefchan, the first
# channel whose last test succeeded).
decision_function () {
    if [ "$actualchan" -eq "$prefchan" ]; then
        if [ "$actualchan" -eq 0 ]; then
            $LOGGER "JUDGE: No problems detected" &
            exit_code=0
            exit_function
        elif [ "$actualchan" -eq 1 ]; then
            echo -e "0" > $JUDGEMETER
            $LOGGER "JUDGE: No problems detected at channel $actualchan" &
            exit_code=0
            exit_function
        else
            $LOGGER "JUDGE(decision): Invalid actualchan = $actualchan" &
            exit_code=1
            exit_function
        fi
    else
        if [ "$prefchan" -eq 1 ]; then
            # The main channel is down: switch to the reserve at once.
            switch_function
            exit_code=0
            exit_function
        elif [ "$prefchan" -eq 0 ]; then
            if [ "$actualstate" -eq 0 ]
            then
                # The main channel is back while the reserve still works:
                # wait for WNUMBER consecutive good results before going back.
                meter=`cat $JUDGEMETER`
                if [ "$meter" -eq "$WNUMBER" ]; then
                    switch_function
                    exit_code=0
                    exit_function
                elif [ "$meter" -lt "$WNUMBER" ]; then
                    expr $meter + 1 > $JUDGEMETER
                    exit_code=0
                    exit_function
                else
                    echo -e "0" > $JUDGEMETER
                    exit_code=0
                    exit_function
                fi
            elif [ "$actualstate" -eq 1 ]
            then
                # The reserve is failing too and the main channel is up.
                $LOGGER "JUDGE: Emergency switch to $prefchan"
                switch_function
                exit_code=0
                exit_function
            else
                $LOGGER "JUDGE(decision): Invalid actualstate = $actualstate" &
                exit_code=1
                exit_function
            fi
        else
            $LOGGER "JUDGE(decision): Invalid prefchan = $prefchan" &
            exit_code=1
            exit_function
        fi
    fi
}

# Activate channel $prefchan: swap in its ipfw rule set (NAT on that
# channel's interface) and restart named inside that channel's FIB.
switch_function () {
    echo -e "0" > $JUDGEMETER
    if [ "$prefchan" -eq 0 ]; then
        /etc/rc.d/named stop
        cp $FIRESET_0 $FIRESETDEF
        /etc/rc.d/ipfw restart
        setfib $RTABLE_0 /etc/rc.d/named start
        $LOGGER "JUDGE: Now switching on channel $RTABLE_0" &
        exit_code=0
        exit_function
    elif [ "$prefchan" -eq 1 ]
    then
        /etc/rc.d/named stop
        cp $FIRESET_1 $FIRESETDEF
        /etc/rc.d/ipfw restart
        setfib $RTABLE_1 /etc/rc.d/named start
        $LOGGER "JUDGE: Now switching on channel $RTABLE_1" &
        exit_code=0
        exit_function
    else
        $LOGGER "JUDGE(switch): Invalid prefchan = $prefchan" &
        exit_code=1
        exit_function
    fi
}

# Read every channel's result file ("<epoch> <state> <target>") and make sure
# it is fresh: a stale or future-dated result means the tester or the daemon
# is in trouble, so the watchdog is called instead of deciding on old data.
createarea_function () {
    for ((a=0; a < CNUMBER ; a++))
    do
        current_time=`date +%s`
        timearea[$a]=`cut -c 1-10 $TESTER_RESULT/result_$a`
        if [ "`expr $current_time - ${timearea[$a]}`" -ge 0 ]; then
            if [ "`expr $current_time - ${timearea[$a]}`" -lt "`expr $TESTERPERIOD + 120`" ]; then
                :
            else
                $LOGGER "JUDGE: MAX period" &
                $WATCHDOG &
                exit_code=1
                exit_function
            fi
        else
            $LOGGER "JUDGE: testmodule $a in future" &
            $WATCHDOG &
            exit_code=1
            exit_function
        fi
        statearea[$a]=`cut -c 12 $TESTER_RESULT/result_$a`
        if [ "$actualchan" -eq "$a" ]
        then
            actualstate=${statearea[$a]}
        fi
    done
}

# The preferred channel is the first one (in index order) whose last test
# succeeded; channel 0 therefore always wins when it is up.
findarea_function () {
    for ((a=0; a < CNUMBER ; a++))
    do
        if [ "${statearea[$a]}" -eq 0 ]
        then
            prefchan=$a
            decision_function
            exit_code=0
            exit_function
        else
            if [ "${statearea[$a]}" -eq 1 ]
            then
                continue
            else
                $LOGGER "JUDGE: Invalid channel state" &
                exit_code=1
                exit_function
            fi
        fi
    done
}

if [ -e $JUDGE_PID ]
then
    $WATCHDOG "tofoin_judge" "$JUDGE_PID" &
    exit 0
else
    echo `date +%s` $$ > $JUDGE_PID
    # Which channel is active now? The one whose interface the NAT rule uses.
    if ipfw list | grep nat | egrep -q $EXT_0_IF; then
        actualchan=0
    elif ipfw list | grep nat | egrep -q $EXT_1_IF; then
        actualchan=1
    else
        $LOGGER "JUDGE: NAT error" &
        prefchan=0
        switch_function
        exit_code=1
        exit_function
    fi
    createarea_function
    findarea_function
    # findarea_function only returns here when no channel is up.
    $LOGGER "JUDGE: All channels down" &
    exit_code=1
    exit_function
fi
```
The Judge module still has room for improvement, but on the whole there is nothing fancy about it.
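The Judge's freshness check and decision rule, extracted into pure functions as an added example (this is not ToFoIn's own code) so the switching logic can be exercised without setfib, ipfw or named; the result-line format, TESTERPERIOD and WNUMBER are taken from the scripts and config above.

```shell
#!/bin/sh
# Added example (not part of ToFoIn): the Judge's freshness check and
# decision rule as pure functions, so the switching logic can be exercised
# without setfib, ipfw or named.
TESTERPERIOD=240     # as in tofoin.conf
WNUMBER=3

# result_state NOW "<epoch> <state> <target>" -> prints the channel state
# (0 = up, 1 = down) from a tester result line, or fails the way
# createarea_function does: status 2 for a future-dated result, status 1
# when it is older than TESTERPERIOD + 120 s (tester or daemon is stuck).
result_state() {
    now=$1
    set -- $2                              # intentional split: epoch, state, target
    epoch=$1; state=$2
    age=$((now - epoch))
    [ "$age" -ge 0 ] || return 2
    [ "$age" -lt $((TESTERPERIOD + 120)) ] || return 1
    echo "$state"
}

# judge_decide ACTUALCHAN STATE_0 STATE_1 METER -> prints "<action> <meter>".
# ACTUALCHAN is the channel the NAT rule currently uses; METER is the count
# kept in $JUDGEMETER of good rounds since the main channel came back.
judge_decide() {
    actualchan=$1; state0=$2; state1=$3; meter=$4
    # findarea_function: the preferred channel is the lowest index that is up.
    if [ "$state0" -eq 0 ]; then prefchan=0
    elif [ "$state1" -eq 0 ]; then prefchan=1
    else echo "all_down $meter"; return 0
    fi
    eval "actualstate=\$state$actualchan"
    if [ "$actualchan" -eq "$prefchan" ]; then
        # Already on the best channel; the meter only matters on the reserve.
        if [ "$actualchan" -eq 1 ]; then meter=0; fi
        echo "stay $meter"; return 0
    fi
    if [ "$prefchan" -eq 1 ]; then
        echo "switch_to_1 0"; return 0      # main down: switch immediately
    fi
    # prefchan is 0 while we are running on the reserve channel.
    if [ "$actualstate" -eq 1 ]; then
        echo "emergency_0 0"                # reserve failing too: go back now
    elif [ "$meter" -eq "$WNUMBER" ]; then
        echo "switch_to_0 0"                # enough good rounds: fall back
    elif [ "$meter" -lt "$WNUMBER" ]; then
        echo "count $((meter + 1))"         # wait another round
    else
        echo "reset 0"                      # corrupt meter: start over
    fi
}
```

The constructed result line `1405612345 0 1` below is a channel that was only reachable through PTARGET_1, which the Judge still treats as up.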
tofoin_logger.sh
```bash
#!/usr/local/bin/bash
# by LordNicky v0.5 20140713
#
# Argument: $1 - message to log. Repeats of the same message are collapsed:
# the first copy is written in full, after LOGFREQ1 repeats a "repeat" notice
# is written, and later one notice per LOGFREQ2 repeats (see tofoin.conf).
# $LOGTMP keeps the last message written, $LOGMETER the number of its repeats.

. /root/ToFoIn/tofoin.conf

exit_function () {
    rm $LOGGER_PID
    exit $exit_code
}

main_function () {
    # "No problems detected" is written once and then suppressed while it
    # stays the last line of the log.
    if [[ `tail -n 1 $LOGFILE | grep -o "$1" | grep -o "JUDGE: No problems detected"` = "JUDGE: No problems detected" ]]; then
        exit_code=0
        exit_function
    else
        if [[ `cat $LOGTMP` = "$1" ]]; then
            # Same message as last time: count it instead of writing it.
            meter=`cat $LOGMETER`
            if [ "$meter" -ge "$LOGFREQ2" ]; then
                echo -e "0" > $LOGMETER
                echo -e "`date -j +%Y%m%d%H%M` last message repeat $LOGFREQ2 times" >> $LOGFILE
                exit_code=0
                exit_function
            elif [ "$meter" -ge "$LOGFREQ1" ]; then
                # Write the LOGFREQ1 notice only once; afterwards keep counting.
                if [[ `tail -n 1 $LOGFILE | grep -o "last message repeat $LOGFREQ1 times"` = "last message repeat $LOGFREQ1 times" ]]; then
                    expr $meter + 1 > $LOGMETER
                    exit_code=0
                    exit_function
                elif [[ `tail -n 1 $LOGFILE | grep -o "last message repeat $LOGFREQ2 times"` = "last message repeat $LOGFREQ2 times" ]]; then
                    expr $meter + 1 > $LOGMETER
                    exit_code=0
                    exit_function
                else
                    echo -e "`date -j +%Y%m%d%H%M` last message repeat $LOGFREQ1 times" >> $LOGFILE
                    exit_code=0
                    exit_function
                fi
            elif [ "$meter" -ge 0 ]; then
                expr $meter + 1 > $LOGMETER
                exit_code=0
                exit_function
            else
                echo -e "0" > $LOGMETER
                echo -e "`date -j +%Y%m%d%H%M` LOGGER: logmeter index error, write 0" >> $LOGFILE
                exit_code=1
                exit_function
            fi
        else
            # New message: write it and remember it for repeat counting.
            if [ `cat $LOGMETER` -eq 0 ]; then
                echo -e "$1" > $LOGTMP
                echo -e "`date -j +%Y%m%d%H%M` $1" >> $LOGFILE
                exit_code=0
                exit_function
            else
                echo -e "0" > $LOGMETER
                echo -e "$1" > $LOGTMP
                echo -e "`date -j +%Y%m%d%H%M` $1 ; LOGMETER now zero" >> $LOGFILE
                exit_code=0
                exit_function
            fi
        fi
    fi
}

# Several modules may call the logger at the same moment: wait a random
# 1-5 s and re-check the pid file before handing the conflict to the watchdog.
if [ -e $LOGGER_PID ]; then
    sleep $((RANDOM%5+1))
    if [ -e $LOGGER_PID ]; then
        $WATCHDOG "tofoin_logger" "$LOGGER_PID" &
        exit 0
    else
        echo `date +%s` $$ > $LOGGER_PID
        main_function "$1"
    fi
else
    echo `date +%s` $$ > $LOGGER_PID
    main_function "$1"
fi
```
In my opinion the Logger is the most transparent module to read, but unfortunately it was not easy to write: most of the script is devoted to preventing duplicate messages, which is what makes it so visibly complex.
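The repeat-suppression rule as stated in the tofoin.conf comment, modelled in shell variables as an added example (not the Logger's own code, which keeps the same state in LOGFILE, LOGTMP and LOGMETER and reads the log tail to decide), so the counting can be checked in isolation:

```shell
#!/bin/sh
# Added example (not part of ToFoIn): the Logger's repeat-suppression rule
# as documented in tofoin.conf, kept in shell variables instead of LOGFILE,
# LOGTMP and LOGMETER so the counting can be checked in isolation.
LOGFREQ1=5
LOGFREQ2=20

last_msg=""          # stand-in for $LOGTMP: the last message written
meter=0              # stand-in for $LOGMETER: repeats of last_msg so far
LOG=""               # stand-in for $LOGFILE (one line per entry, no timestamp)

append_log() {
    LOG="${LOG}${1}
"
}

# log_event MSG: a new message is written in full and resets the counter;
# a repeat is only counted, with one notice after LOGFREQ1 repeats and then
# one notice for every further LOGFREQ2 repeats.
log_event() {
    if [ "$1" != "$last_msg" ]; then
        last_msg=$1
        meter=0
        append_log "$1"
        return 0
    fi
    meter=$((meter + 1))
    if [ $((meter % LOGFREQ2)) -eq 0 ]; then
        append_log "last message repeat $LOGFREQ2 times"
    elif [ "$meter" -eq "$LOGFREQ1" ]; then
        append_log "last message repeat $LOGFREQ1 times"
    fi
}

# Number of lines written so far.
log_lines() {
    printf '%s' "$LOG" | grep -c ''
}

# Last line written.
log_last() {
    printf '%s' "$LOG" | tail -n 1
}
```

A message repeated 45 times therefore produces four log lines (the message itself and notices after 5, 20 and 40 repeats) instead of 46.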
tofoin_watchdog.sh
```bash
#!/usr/local/bin/bash
# by LordNicky v0.5 20140713
#
# Arguments: $1 - process to check: tofoin_test, tofoin_judge or tofoin_logger;
#                 no argument = check all tester results and the daemon (cron run)
#            $2 - pid file of the process (tofoin_test only)
#            $3 - channel index (tofoin_test only)

. /root/ToFoIn/tofoin.conf

exit_function () {
    rm $WATCHDOG_PID
    exit $exit_code
}

# Kill the process named in the pid file if it really is the module we expect
# (compared by command name), then remove the stale pid file.
kill_function () {
    if [[ "`ps -o command -p $proc_pid | grep -o "$proc_name"`" = "$proc_name" ]]; then
        $LOGGER "WATCHDOG: Other $proc_s_name working during $diff, kill him" &
        kill $proc_pid
    else
        $LOGGER "WATCHDOG: None or other process on $proc_s_name pid, cleaning pid file" &
    fi
    if [[ "$proc_name" = "tofoin_watchdog" ]]; then
        main_function
    else
        rm $proc_pid_file
    fi
}

main_function () {
    echo `date +%s` $$ > $WATCHDOG_PID
    proc_name=${one:-all}
    return_wait=10
    if [[ "$proc_name" = "all" ]]
    then
        # Periodic run from cron: if any result file is older than
        # TESTERPERIOD + 120 s the daemon is not launching testers; restart it.
        for ((a=0; a < CNUMBER ; a++))
        do
            current_time=`date +%s`
            tester_result=$TESTER_RESULT/result_$a
            tester_time=`cut -c 1-10 $tester_result`
            diff=`expr $current_time - $tester_time`
            if [ "$diff" -ge 0 ]
            then
                if [ "$diff" -lt "`expr $TESTERPERIOD + 120`" ]; then
                    :
                else
                    proc_name=tofoin_daemon
                    proc_pid=`cat $DAEMON_PID`
                    if [[ "`ps -o command -p $proc_pid | grep -o "$proc_name"`" = "$proc_name" ]]; then
                        $LOGGER "WATCHDOG: Restart daemon" &
                        kill $proc_pid
                        $DAEMON &
                    else
                        $LOGGER "WATCHDOG: None daemon process, start" &
                        $DAEMON &
                    fi
                    exit_code=0
                    exit_function
                fi
            else
                $LOGGER "WATCHDOG: Check date" &
            fi
        done
    elif [[ "$proc_name" = "tofoin_test" ]]; then
        proc_pid_file=$two
        cnumber=$three
        test_function
        return_val=$?
        if [[ "$return_val" = "$return_wait" ]]; then
            # Still within its allowed run time: give it TESTERMAXDELAY, then re-check.
            sleep $TESTERMAXDELAY
            test_function "nowait"
        fi
    elif [[ "$proc_name" = "tofoin_judge" ]]; then
        proc_pid_file=$JUDGE_PID
        judge_function
        return_val=$?
        if [[ "$return_val" = "$return_wait" ]]; then
            sleep $JUDGEMAXDELAY
            judge_function "nowait"
        fi
    elif [[ "$proc_name" = "tofoin_logger" ]]; then
        proc_pid_file=$LOGGER_PID
        logger_function
        return_val=$?
        if [[ "$return_val" = "$return_wait" ]]; then
            sleep $LOGGERMAXDELAY
            logger_function "nowait"
        fi
    else
        $LOGGER "WATCHDOG: Incorrect process name"
    fi
    exit_code=0
    exit_function
}

# Pid file format is "<epoch> <pid>": characters 1-10 are the start time,
# 12-18 the pid. Returns $return_wait when the process is still within its
# time limit on the first pass; on the second ("nowait") pass the process is
# killed only if its pid has not changed in the meantime.
test_function () {
    if [ -e $proc_pid_file ]; then
        proc_pid=`cut -c 12-18 $proc_pid_file`
        proc_s_name="tester $cnumber"
        start_time=`cut -c 1-10 $proc_pid_file`
        current_time=`date +%s`
        diff=`expr $current_time - $start_time`
        if [ "$diff" -ge 0 ]; then
            if [ "$diff" -lt "$TESTERMAXDELAY" ]; then
                if [[ "$1" = "nowait" ]]; then
                    if [ "$proc_pid" = "$proc_temp_pid" ]; then
                        kill_function
                        return 0
                    else
                        $LOGGER "WATCHDOG: Pid of $proc_s_name was changed, exit" &
                    fi
                else
                    $LOGGER "WATCHDOG: $proc_s_name now working, try wait" &
                    proc_temp_pid=$proc_pid
                    return $return_wait
                fi
            else
                kill_function
                return 0
            fi
        else
            $LOGGER "WATCHDOG: Time error in $proc_s_name = $diff" &
            kill_function
            return 0
        fi
    else
        return 0
    fi
}

judge_function () {
    if [ -e $proc_pid_file ]; then
        proc_pid=`cut -c 12-18 $proc_pid_file`
        proc_s_name="judge"
        start_time=`cut -c 1-10 $proc_pid_file`
        current_time=`date +%s`
        diff=`expr $current_time - $start_time`
        if [ "$diff" -ge 0 ]; then
            if [ "$diff" -lt "$JUDGEMAXDELAY" ]; then
                if [[ "$1" = "nowait" ]]; then
                    if [ "$proc_pid" = "$proc_temp_pid" ]; then
                        kill_function
                        return 0
                    else
                        $LOGGER "WATCHDOG: Pid of $proc_s_name was changed, exit" &
                    fi
                else
                    $LOGGER "WATCHDOG: $proc_s_name now working, try wait" &
                    proc_temp_pid=$proc_pid
                    return $return_wait
                fi
            else
                kill_function
                return 0
            fi
        else
            $LOGGER "WATCHDOG: Time error in $proc_s_name = $diff" &
            kill_function
            return 0
        fi
    else
        return 0
    fi
}

# Same check for the logger, but messages are written straight to $LOGFILE:
# calling $LOGGER while the logger itself is the stuck module would only add
# another stuck copy.
logger_function () {
    if [ -e $proc_pid_file ]; then
        proc_pid=`cut -c 12-18 $proc_pid_file`
        proc_s_name="logger"
        start_time=`cut -c 1-10 $proc_pid_file`
        current_time=`date +%s`
        diff=`expr $current_time - $start_time`
        if [ "$diff" -ge 0 ]; then
            if [ "$diff" -lt "$LOGGERMAXDELAY" ]; then
                if [[ "$1" = "nowait" ]]; then
                    if [ "$proc_pid" = "$proc_temp_pid" ]; then
                        kill_function
                        return 0
                    else
                        echo -e "`date -j +%Y%m%d%H%M` WATCHDOG: Pid of $proc_s_name was changed, exit" >> $LOGFILE
                    fi
                else
                    echo -e "`date -j +%Y%m%d%H%M` WATCHDOG: $proc_s_name now working, try wait" >> $LOGFILE
                    proc_temp_pid=$proc_pid
                    return $return_wait
                fi
            else
                kill_function
                return 0
            fi
        else
            echo -e "`date -j +%Y%m%d%H%M` WATCHDOG: Time error in $proc_s_name = $diff" >> $LOGFILE
            kill_function
            return 0
        fi
    else
        return 0
    fi
}

one=$1
two=$2
three=$3

if [ -e $WATCHDOG_PID ]; then
    # Another watchdog may be running: tolerate it for the sum of all module
    # time limits plus 30 s, otherwise kill it and take over.
    proc_pid=`cut -c 12-18 $WATCHDOG_PID`
    proc_name="tofoin_watchdog"
    proc_s_name="watchdog"
    start_time=`cut -c 1-10 $WATCHDOG_PID`
    current_time=`date +%s`
    diff=`expr $current_time - $start_time`
    if [ "$diff" -ge 0 ]; then
        if [ "$diff" -lt "`expr $TESTERMAXDELAY + $JUDGEMAXDELAY + $LOGGERMAXDELAY + 30`" ]; then
            $LOGGER "WATCHDOG: Other $proc_s_name already working, exit" &
            exit 0
        else
            kill_function
        fi
    else
        $LOGGER "WATCHDOG: Time error in $proc_s_name = $diff" &
        kill_function
    fi
else
    main_function
fi
```
The Watchdog is the largest of all the scripts presented, and probably the most obscure. It turned out this way because I tried to cover every conceivable failure scenario. By the way, for now this module is meant to be launched from cron, so something like the following has to be added to /etc/crontab:
```
0 * * * * root /path/to/file/tofoin_watchdog.sh
```
Summary
The scripts were tested for six months. No serious errors were found; minor ones were fixed. All modules work according to the intended algorithm, without deviations or unpredictable actions. The event log file is very informative: it lets you determine what problems occurred and when they arose and were resolved. It can therefore be concluded that the initial goal has been achieved. An outline of the further development plans follows.
Plans
Plans for further development of the scripts:
- Place the files in the appropriate system directories.
- Consider whether the scripts should run as a dedicated user, using sudo for the specific tasks that need it. If the decision is positive, adapt the scripts.
- Add a module for communicating with Zabbix.
- Create a client-server system; it is for this that vlan3 and vlan4 were configured. If the routers of the internal channels are not chained together, they will communicate through the VLANs configured on the external interfaces.
- Perhaps, in the distant future, rewrite all the scripts in a more capable language. For now the intention is to squeeze everything possible out of bash.
Questions
Of course, many questions arose while writing, and especially afterwards. The most important of them is the following. There are the variables:
a=< > HI_1="123" HI_2="321"
I need to access the variables HI_1 and HI_2 by changing only a. The call would look something like this:
${HI_$a} ##
That is, if a=1 has been set beforehand, this expression should mean 123, and if a=2, then 321. Unfortunately, I have not found a way to do this. With such a construct the scripts would be greatly simplified and much easier to extend.
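Looking up a variable by a computed name, as an added example that is not part of the original article: the portable way is to assemble the name and eval it (in bash the same lookup is `${!name}`, and bash 4.3+ also has `declare -n` namerefs); HI_1/HI_2 are the values from the question, and the per-channel settings are constructed in the style of tofoin.conf.

```shell
#!/bin/sh
# Added example (not part of the original article): reading a variable whose
# name is computed at run time, which is what the ${HI_$a} question asks for.
# Portable way: assemble the name and eval it. In bash the same lookup is
# ${!name}; bash 4.3+ also has `declare -n name=HI_$a` namerefs.

HI_1="123"                         # sample values from the question
HI_2="321"

CNUMBER=2                          # constructed, in the style of tofoin.conf
EXT_0_IF=vlan10; RTABLE_0=0
EXT_1_IF=vlan20; RTABLE_1=1

# indirect NAME -> prints the value of the variable called NAME.
# The name is checked against the identifier syntax before it reaches eval,
# so a value such as "HI_1; echo x" is rejected instead of being executed.
indirect() {
    case $1 in
        '' | [0-9]* | *[!A-Za-z0-9_]*)
            echo "indirect: invalid variable name '$1'" >&2
            return 1 ;;
    esac
    eval "printf '%s\n' \"\$$1\""
}

# The question's case: hi_value 1 -> 123, hi_value 2 -> 321.
hi_value() {
    indirect "HI_$1"
}

# What the lookup buys in the daemon: one tester command line per channel,
# built from RTABLE_<a> / EXT_<a>_IF, instead of a hand-written tester_0,
# tester_1, ... for each channel.
tester_cmdlines() {
    a=0
    while [ "$a" -lt "$CNUMBER" ]; do
        printf 'tofoin_tester.sh %s 10 %s   # %s\n' \
            "$(indirect "RTABLE_$a")" "$a" "$(indirect "EXT_${a}_IF")"
        a=$((a + 1))
    done
}
```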
The rest, of course, are general questions: how relevant is this solution? What mistakes are there in the scripts? What is the best way to solve the problems identified in the plans and in the body of the article? Your comments are welcome.
If you would like to help with the improvements, write me a private message and we will discuss possible cooperation.
Also, while configuring the system and writing the scripts, many other materials from opennet.ru, lissyara.su, habrahabr.ru and many other sites were used. Unfortunately, many of the links have been lost over time; if you find fragments of them somewhere, please add links to them. Special thanks to Alexei Eresko and Valery Druba for advice and help in solving the difficulties that arose while writing the scripts, and to Oleg Matusevich for help in preparing the article.
P.S. When using material from this article, a link to the source and the author is required.