■Using nwdiag to think through a change to the network layout.
Automatically scaling SVG/PDF output up or down to A4 portrait or A4 landscape with blockdiag/nwdiag/actdiag.
http://labunix.hateblo.jp/entry/20131225/1387903263
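■pdfinfo, from poppler-utils, can be used to check the result.
The information is almost the same as what the Document tab of the GUI properties dialog shows.
The page is correctly recognized as A4 landscape.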
$ apt-file search pdfinfo | grep "bin\/pdfinfo\$"
poppler-utils: /usr/bin/pdfinfo
$ nwdiag -T svg myhome1.diag && \
sed -i s%"^<svg "%"&width=\"1052.36\" height=\"744.09\" "% myhome1.svg && \
inkscape -A myhome1.pdf myhome1.svg && \
pdfinfo myhome1.pdf
Creator: cairo 1.12.2 (http://cairographics.org)
Producer: cairo 1.12.2 (http://cairographics.org)
Tagged: no
Pages: 1
Encrypted: no
Page size: 841.888 x 595.272 pts (A4)
File size: 48342 bytes
Optimized: no
PDF version: 1.5
■Taking 25.4 mm as 1 inch, and 72 pt per inch:
$ echo "A4(mm) = 297.000 x 210.000" | \
awk '{print $0",A4(inch) = "$(NF-2)/25.4,$(NF-1),$(NF)/25.4}' | \
awk '{print $0",A4(pts) = "$(NF-2)*72,$(NF-1),$(NF)*72}' | \
awk '{print $0",A4(dpi) = "$3/25.4*90,$4,$5/25.4*90}' | \
sed s/","/"\n"/g
A4(mm) = 297 x 210
A4(inch) = 11.6929 x 8.26772
A4(pts) = 841.889 x 595.276
A4(dpi) = 1052.36 x 744.094
■To make it match exactly...
$ echo "297 210 25.4" | \
awk '{printf "%5.4f x %5.4f\n",$1/$3,$2/$3}' | \
awk '{print $0"\n"$(NF-2)*25.4,$(NF-1),$(NF)*25.4}'
11.6929 x 8.2677
297 x 210
$ echo "297 210 72 25.4" | \
awk '{printf "%5.3f x %5.3f\n",$1*$3/$4,$2*$3/$4}' | \
awk '{print $0"\n"$1/72*25.4,$2,$3/72*25.4}'
841.890 x 595.276
297 x 210
$ echo "297 210 90 25.4" | \
awk '{printf "%5.3f x %5.3f\n",$1*$3/$4,$2*$3/$4}' | \
awk '{print $0"\n"$1/90*25.4,$2,$3/90*25.4}'
1052.362 x 744.094
297 x 210
$ nwdiag -T svg myhome1.diag && \
sed -i s%"^<svg "%"&width=\"1052.362\" height=\"744.095\" "% myhome1.svg && \
inkscape -A myhome1.pdf myhome1.svg && \
pdfinfo myhome1.pdf
Creator: cairo 1.12.2 (http://cairographics.org)
Producer: cairo 1.12.2 (http://cairographics.org)
Tagged: no
Pages: 1
Encrypted: no
Page size: 841.89 x 595.276 pts (A4)
File size: 52445 bytes
Optimized: no
PDF version: 1.5
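■The original network layout.
There are other, more complex parts of the setup, but this covers only the part in scope.
【Current state】
"debian-fw1" and "debian-fw2" are the redundant parent proxies for sheeva-debian,
the IDS (Snort),
the firewall (fail2ban + iptables),
the antivirus (ClamAV),
the spam filter (chroot + Postfix + SpamAssassin),
the internal DNS (chroot + bind9), the internal NTP server, and so on...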
$ cat myhome1.diag
diagram {
class obj_old [color = lightblue,style = dotted];
class obj_null [style = dotted,stacked];
class obj_router [shape = roundedbox];
network untrust {
address = "X.X.X.0/24"
main-router [address = ".n",class = obj_router];
}
network dmz {
address = "192.168.X.0/24"
main-router [address = ".n\ndmz/24 only",class = obj_router];
debian-fw1 [address = ".n+16",class = obj_old];
debian-fw2 [address = ".m+17",class = obj_old];
}
network trust {
address = "172.X.X.0/24"
VLAN-Switch [address = ".n",class = obj_router];
debian-fw1 [address = ".n+16\n<->VLAN-Switch only"];
debian-fw2 [address = ".n+17\n<->VLAN-Switch only"];
nat-router [address = ".n+64\n<->VLAN-Switch only",class = obj_router];
}
network wlan-seg {
address = "10.X.X.0/24"
nat-router [address = ".n+64\n<->wlan-router's IP only"];
wlan-router [address = ".n\n<->sheeva-debian only\n<->note-debian only",class = obj_router];
sheeva-debian [address = ".n+16"];
note-debian [address = ".n+17"];
iPod [address = ".n+128"];
Android [address = ".n+129"];
}
}
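■After the change
【Problem】
Too many roles are piled onto "debian-fw1" and "debian-fw2".
【Countermeasure】
I want to put a buffer layer on the untrust side.
The wireless LAN has DHCP disabled and MAC address filtering enabled, but
I want to treat it as UnTrust, the same as the WAN side.
【Note】
I want to add one more Debian machine.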
$ nwdiag -T svg myhome2.diag && \
sed -i s%"^<svg "%"&width=\"1052.36\" height=\"744.09\" "% myhome2.svg && \
inkscape -A myhome2.pdf myhome2.svg && \
pdfinfo myhome2.pdf
Creator: cairo 1.12.2 (http://cairographics.org)
Producer: cairo 1.12.2 (http://cairographics.org)
Tagged: no
Pages: 1
Encrypted: no
Page size: 841.888 x 595.272 pts (A4)
File size: 55543 bytes
Optimized: no
PDF version: 1.5
$ cat myhome2.diag
diagram {
class obj_old [color = lightblue,style = dotted];
class obj_null [style = dotted,stacked];
class obj_router [shape = roundedbox];
class obj_new [color = lightgreen,style = dotted];
class obj_new_fw [shape = roundedbox,color = lightgreen,style = dotted];
network fake-global {
address = "X.X.X.0/24"
main-router [address = ".n",class = obj_router];
}
network untrust {
address = "192.168.X.0/24"
main-router [address = ".n\ndmz/24 only",class = obj_router];
ssg [address = ".n+1",class = obj_router];
}
network dmz {
address = "172.X.X.0/24"
ssg [address = ".n\ndmz<->untrust",class = obj_new_fw];
debian-fw [address = ".n+32",class = obj_new];
debian-fw1 [address = ".n+16",class = obj_old];
debian-fw2 [address = ".m+17",class = obj_old];
}
network trust {
note-debian [address = ".n+32"];
VLAN-Switch [address = ".n+1",class = obj_router];
ssg [address = ".n\ntrust<->dmz",class = obj_new_fw];
}
network intra {
ssg [address = ".n\nintra<->dmz",class = obj_new_fw];
nat-router [address = ".n+1",class = obj_router];
}
network intra-dmz {
address = "10.26.X.0/24"
sheeva-debian [address = ".n+1"];
nat-router [address = ".n+2"];
wlan-router [address = ".n+128",class = obj_router];
}
network intra-untrust {
address = ""
wlan-router [address = ".n",class = obj_router];
iPod [address = ".n+64"];
Android [address = ".n+65"];
}
}
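A quick way to review a layout like the two above is to list every node that appears in more than one network, since those are the hosts that bridge zones and carry the filtering policy. The following is an added example, not part of the original post; the function names and the shortened sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post; both function names are hypothetical.
# Read an nwdiag file on stdin; print every node attached to 2+ networks.
multihomed_nodes() {
    awk '
    $1 == "network" { net = $2; sub(/[{].*/, "", net); next }  # zone opens
    $1 == "}"       { net = ""; next }                         # zone closes
    net == "" || $1 == "address" { next }  # outside a zone, or a zone attribute
    match($1, /^[A-Za-z0-9_.-]+/) {        # node line: NAME [attr, ...];
        node = substr($1, 1, RLENGTH)
        if (seen[node, net]++) next        # same node listed twice in one zone
        if (!(node in nets)) { order[++n] = node; nets[node] = net }
        else nets[node] = nets[node] " " net
        count[node]++
    }
    END {
        for (i = 1; i <= n; i++)
            if (count[order[i]] > 1) print order[i] ": " nets[order[i]]
    }'
}

# Constructed sample: a shortened copy of myhome2.diag from this post.
sample_diag() {
    cat <<'EOF'
diagram {
  network fake-global {
    address = "X.X.X.0/24"
    main-router [address = ".n",class = obj_router];
  }
  network untrust {
    address = "192.168.X.0/24"
    main-router [address = ".n\ndmz/24 only",class = obj_router];
    ssg [address = ".n+1",class = obj_router];
  }
  network dmz {
    address = "172.X.X.0/24"
    ssg [address = ".n\ndmz<->untrust"];
    debian-fw [address = ".n+32"];
  }
  network trust {
    note-debian [address = ".n+32"];
    ssg [address = ".n\ntrust<->dmz"];
  }
}
EOF
}

sample_diag | multihomed_nodes
```

On a real file, run it as `multihomed_nodes < myhome2.diag`; each output line is a node followed by the zones it connects, in the order they appear in the file.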
■As an aside, the following converts the PDFs to PNG images.
$ pdftoppm -png myhome1.pdf myhome1
$ pdftoppm -png myhome2.pdf myhome2