nwdiagで、ネットワーク構成を変更を検討する。

■nwdiagで、ネットワーク構成を変更を検討する。

　blockdiag/nwdiag/actdiagでA4縦、A4横に自動的にSVG/PDFを拡大、縮小出力する。
　http://labunix.hateblo.jp/entry/20131225/1387903263

■pdfifo はpoppler-utilsで確認出来る。
　GUIのプロパティのドキュメントタブの情報とほぼ同じ。
　ちゃんとA4横として認識されている。

$ apt-file search pdfinfo | grep "bin\/pdfinfo\$"
poppler-utils: /usr/bin/pdfinfo

$ nwdiag -T svg myhome1.diag && \
  sed -i s%"^<svg "%"&width=\"1052.36\" height=\"744.09\" "% myhome1.svg && \
  inkscape -A myhome1.pdf myhome1.svg && \
  pdfinfo myhome1.pdf
Creator:        cairo 1.12.2 (http://cairographics.org)
Producer:       cairo 1.12.2 (http://cairographics.org)
Tagged:         no
Pages:          1
Encrypted:      no
Page size:      841.888 x 595.272 pts (A4)
File size:      48342 bytes
Optimized:      no
PDF version:    1.5

■25.4mmが1inch、ptsは1inchに72ptあるとすると。

$ echo           "A4(mm)   = 297.000 x 210.000" | \
  awk '{print $0",A4(inch) = "$(NF-2)/25.4,$(NF-1),$(NF)/25.4}' | \
  awk '{print $0",A4(pts)  = "$(NF-2)*72,$(NF-1),$(NF)*72}' | \
  awk '{print $0",A4(dpi)  = "$3/25.4*90,$4,$5/25.4*90}' | \
  sed s/","/"\n"/g
A4(mm)   = 297 x 210
A4(inch) = 11.6929 x 8.26772
A4(pts)  = 841.889 x 595.276
A4(dpi)  = 1052.36 x 744.094

■ぴったり合わせるには。。。

$ echo "297 210 25.4" | \
  awk '{printf "%5.4f x %5.4f\n",$1/$3,$2/$3}' | \
  awk '{print $0"\n"$(NF-2)*25.4,$(NF-1),$(NF)*25.4}'
11.6929 x 8.2677
297 x 210

$ echo "297 210 72 25.4" | \
  awk '{printf "%5.3f x %5.3f\n",$1*$3/$4,$2*$3/$4}' | \
  awk '{print $0"\n"$1/72*25.4,$2,$3/72*25.4}'
841.890 x 595.276
297 x 210

$ echo "297 210 90 25.4" | \
  awk '{printf "%5.3f x %5.3f\n",$1*$3/$4,$2*$3/$4}' | \
  awk '{print $0"\n"$1/90*25.4,$2,$3/90*25.4}'
1052.362 x 744.094
297 x 210

$ nwdiag -T svg myhome1.diag && \
  sed -i s%"^<svg "%"&width=\"1052.362\" height=\"744.095\" "% myhome1.svg && \
  inkscape -A myhome1.pdf myhome1.svg && \
  pdfinfo myhome1.pdf
Creator:        cairo 1.12.2 (http://cairographics.org)
Producer:       cairo 1.12.2 (http://cairographics.org)
Tagged:         no
Pages:          1
Encrypted:      no
Page size:      841.89 x 595.276 pts (A4)
File size:      52445 bytes
Optimized:      no
PDF version:    1.5

■元のネットワーク構成。
　他にもっと複雑な構成もあるのだけど、対象範囲だけ。

　【現状】
　「debian-fwi1」と「debian2」が冗長化されたsheeva-debianの親プロキシで、
　SnortによるIDSで、
　fail2ban+iptablesのFireWallで、
　ClamAVによるウイルス対策で、
　chroot+Postfix+SpamAssasinによるスパム対策で、
　内部向けDNS(chroot+binc9)で、内部向けNTPサーバで。。。

$ cat myhome1.diag 
diagram {
	class obj_old		[color = lightblue,style = dotted];
	class obj_null		[style = dotted,stacked];
	class obj_router	[shape = roundedbox];

	network untrust {
		address = "X.X.X.0/24"

		main-router	[address = ".n",class = obj_router];
	}

	network dmz {
		address = "192.168.X.0/24"

		main-router	[address = ".n\ndmz/24 only",class = obj_router];
		debian-fw1	[address = ".n+16",class = obj_old];
		debian-fw2	[address = ".m+17",class = obj_old];
	}
	network trust {
		address = "172.X.X.0/24"

		VLAN-Switch	[address = ".n",class = obj_router];
		debian-fw1	[address = ".n+16\n<->VLAN-Switch only"];
		debian-fw2	[address = ".n+17\n<->VLAN-Switch only"];
		nat-router	[address = ".n+64\n<->VLAN-Switch only",class = obj_router];
	}
	network wlan-seg {
		address = "10.X.X.0/24"

		nat-router	[address = ".n+64\n<->wlan-router's IP only"];
		wlan-router	[address = ".n\n<->sheeva-debian only\n<->note-debian only",class = obj_router];
		sheeva-debian	[address = ".n+16"];
		note-debian	[address = ".n+17"];
		iPod		[address = ".n+128"];
		Android		[address = ".n+129"];
	}
}

■変更後

　【課題】
　「debian-fw1」「debian-fw2」に役割を盛りすぎ。

　【対策】
　unrtrust側にワンクッション入れたい。
　無線LANはDHCP無効にしてMACアドレス制限をしているのだけど、
　WAN側同様にUnTrustにしたい。

　【補足】
　debian機をもう一台追加したい。

$ nwdiag -T svg myhome2.diag && \
  sed -i s%"^<svg "%"&width=\"1052.36\" height=\"744.09\" "% myhome2.svg && \
  inkscape -A myhome2.pdf myhome2.svg && \
  pdfinfo myhome2.pdf
Creator:        cairo 1.12.2 (http://cairographics.org)
Producer:       cairo 1.12.2 (http://cairographics.org)
Tagged:         no
Pages:          1
Encrypted:      no
Page size:      841.888 x 595.272 pts (A4)
File size:      55543 bytes
Optimized:      no
PDF version:    1.5

$ cat myhome2.diag 
diagram {
	class obj_old		[color = lightblue,style = dotted];
	class obj_null		[style = dotted,stacked];
	class obj_router	[shape = roundedbox];
	class obj_new		[color = lightgreen,style = dotted];
	class obj_new_fw	[shape = roundedbox,color = lightgreen,style = dotted];

	network fake-global {
		address = "X.X.X.0/24"

		main-router	[address = ".n",class = obj_router];
	}
	network untrust {
		address = "192.168.X.0/24"

		main-router	[address = ".n\ndmz/24 only",class = obj_router];
		ssg		[address = ".n+1",class = obj_router];
	}
	network dmz {
		address = "172.X.X.0/24"

		ssg		[address = ".n\ndmz<->untrust",class = obj_new_fw];
		debian-fw	[address = ".n+32",class = obj_new];
		debian-fw1	[address = ".n+16",class = obj_old];
		debian-fw2	[address = ".m+17",class = obj_old];
	}
	network trust {
		
		note-debian	[address = ".n+32"];
		VLAN-Switch	[address = ".n+1",class = obj_router];
		ssg		[address = ".n\ntrust<->dmz",class = obj_new_fw];
	}
	network intra {

		ssg		[address = ".n\nintra<->dmz",class = obj_new_fw];
		nat-router	[address = ".n+1",class = obj_router];
	}
	network intra-dmz {
		address = "10.26.X.0/24"

		sheeva-debian	[address = ".n+1"];
		nat-router	[address = ".n+2"];
		wlan-router	[address = ".n+128",class = obj_router];
	}
	network intra-untrust {
		address = ""

		wlan-router	[address = ".n",class = obj_router];
		iPod		[address = ".n+64"];
		Android		[address = ".n+65"];
	}
}

■余談。以下でPDFをPNG画像に変換。

$ pdftoppm myhome1.pdf myhome1
$ pdftoppm myhome2.pdf myhome2