Date:      Thu, 30 Jun 2016 18:05:17 +0900 (JST)
From:      moto kawasaki <moto@kawasaki3.org>
To:        maruyama@ism.ac.jp
Cc:        hirano@t.kanazawa-u.ac.jp, freebsd-users-jp@freebsd.org
Subject:   [FreeBSD-users-jp 95833] Re: ipfwとDNS
Message-ID:  <20160630.180517.2230511729743152378.moto@kawasaki3.org>
In-Reply-To: <ydlk2h783zc.fsf@indra.ism.ac.jp>
References:  <54a8b85f-54a4-0761-3acb-5acbcaccc534@t.kanazawa-u.ac.jp> <ydlk2h783zc.fsf@indra.ism.ac.jp>


川崎と申します。

ヤマカンですみませんが、

00110 allow ip from 133.58.124.49 to any keep-state

となるように keep-state を追加ですかねぇ。（110 番は 2000 番の keep-state より先にマッチするので、このままだと動的ルールが作られず、戻りの UDP 応答が 64000 番で落とされるのでは、と思います。）

＃ 1100 にあるところの udp の場合の established ってどういう意味になる
# んでしょう。

-- 
moto kawasaki <moto@kawasaki3.org> 090-2464-8454


on Thu, 30 Jun 2016 17:39:51 +0900, maruyama@ism.ac.jp (丸山直昌) wrote:

maruyama> 平野 様
maruyama> 
maruyama> 丸山です。
maruyama> 
maruyama> Thu, 30 Jun 2016 16:12:43 +0900
maruyama> Akihiro HIRANO <hirano@t.kanazawa-u.ac.jp> writes:
maruyama> 
maruyama> >　支障がなければ、「ipfw list」の結果を示して頂くのが早道だと思います。
maruyama> 
maruyama> はい。
maruyama> 
maruyama> 実験1(PC-BSD10.3)
maruyama> /etc/ipfw.custom        (PC-BSDの出荷値、中はコメントだけ)
maruyama> /etc/ipfw.openports     (PC-BSDの出荷値、udp 5353, tcp 22だけ)
maruyama> /etc/ipfw.rules         (PC-BSDの出荷値、このメールの末尾に同封)
maruyama> 
maruyama> # ipfw list
maruyama> 00020 allow ip from any to any via lo0
maruyama> 01000 check-state
maruyama> 01050 allow tcp from any to any established
maruyama> 01100 allow udp from any to any established
maruyama> 02000 allow ip from any to any out keep-state
maruyama> 02050 allow ip6 from any to any out keep-state
maruyama> 02100 allow ipv6-icmp from any to any keep-state
maruyama> 02150 allow icmp from any to any keep-state
maruyama> 10000 allow udp from any to any dst-port 5353 in keep-state
maruyama> 10001 allow tcp from any to any dst-port 22 in keep-state
maruyama> 64000 deny log ip from any to any
maruyama> 65535 allow ip from any to any
maruyama> 
maruyama> この状態では dig @133.58.32.12 ism.ac.jp ns は正常に結果を表示。
maruyama> 
maruyama> 実験2(PC-BSD10.3)
maruyama> /etc/ipfw.custom
maruyama>         ipfw -q add 110 allow ip from 133.58.124.49 to any
maruyama> だけ。ここに　133.58.124.49 は DNSサーバー 133.58.32.12 に繋がるインター
maruyama> フェース。
maruyama> /etc/ipfw.openports     (PC-BSDの出荷値、udp 5353, tcp 22だけ)
maruyama> /etc/ipfw.rules         (PC-BSDの出荷値、このメールの末尾に同封)
maruyama> 
maruyama> # ipfw list
maruyama> 00020 allow ip from any to any via lo0

maruyama> 00110 allow ip from 133.58.124.49 to any



maruyama> 01000 check-state
maruyama> 01050 allow tcp from any to any established
maruyama> 01100 allow udp from any to any established
maruyama> 02000 allow ip from any to any out keep-state
maruyama> 02050 allow ip6 from any to any out keep-state
maruyama> 02100 allow ipv6-icmp from any to any keep-state
maruyama> 02150 allow icmp from any to any keep-state
maruyama> 10000 allow udp from any to any dst-port 5353 in keep-state
maruyama> 10001 allow tcp from any to any dst-port 22 in keep-state
maruyama> 64000 deny log ip from any to any
maruyama> 65535 allow ip from any to any
maruyama> 
maruyama> このとき、
maruyama> 
maruyama> % dig @133.58.32.12 ism.ac.jp ns
maruyama> 
maruyama> ; <<>> DiG 9.10.3-P4 <<>> @133.58.32.12 ism.ac.jp ns
maruyama> ; (1 server found)
maruyama> ;; global options: +cmd
maruyama> ;; connection timed out; no servers could be reached
maruyama> 
maruyama> ----------------------------------------------------------------
maruyama> /etc/ipfw.rules のPC-BSDの出荷値
maruyama> ----------------------------------------------------------------
maruyama> #!/bin/sh
maruyama> # To re-apply rules, you can run "sh /etc/ipfw.rules"
maruyama> 
maruyama> # Flush out the list before we begin.
maruyama> ipfw -q -f flush
maruyama> 
maruyama> # Set rules command prefix
maruyama> cmd="ipfw -q add"
maruyama> 
maruyama> # No restrictions on loopback
maruyama> ####################################################################
maruyama> $cmd 00020 allow all from any to any via lo0
maruyama> ####################################################################
maruyama> 
maruyama> # Check the state of packets
maruyama> ####################################################################
maruyama> $cmd 01000 check-state
maruyama> $cmd 01050 allow tcp from any to any established
maruyama> $cmd 01100 allow udp from any to any established
maruyama> ####################################################################
maruyama> 
maruyama> # Allow all outgoing packets
maruyama> ####################################################################
maruyama> $cmd 02000 allow ip from any to any out keep-state
maruyama> $cmd 02050 allow ip6 from any to any out keep-state
maruyama> $cmd 02100 allow ipv6-icmp from any to any keep-state
maruyama> $cmd 02150 allow icmp from any to any keep-state
maruyama> ####################################################################
maruyama> 
maruyama> # Allow specific ports IN now
maruyama> # Add items to /etc/ipfw.openports in the format
maruyama> # {tcp|udp} <portnum>
maruyama> ####################################################################
maruyama> nextnum=10000
maruyama> if [ -e "/etc/ipfw.openports" ] ; then
maruyama>   while read line
maruyama>   do
maruyama>     echo $line | grep -q "^#"
maruyama>     if [ $? -eq 0 ] ; then continue ; fi
maruyama>     proto="`echo $line | awk '{print $1}'`"
maruyama>     port="`echo $line | awk '{print $2}'`"
maruyama>     if [ -z "$proto" -o -z "$port" ] ; then continue ; fi
maruyama>     $cmd $nextnum allow $proto from any to any $port in keep-state
maruyama>     nextnum=`expr $nextnum + 1`
maruyama>   done < /etc/ipfw.openports
maruyama> fi
maruyama> ####################################################################
maruyama> 
maruyama> # Allow specific IPs incoming traffic now (Used for jails mainly)
maruyama> # Add items to /etc/ipfw.openip in the format
maruyama> # {ip4|ip6} <ip>
maruyama> ####################################################################
maruyama> nextnum=20000
maruyama> if [ -e "/etc/ipfw.openip" ] ; then
maruyama>   while read line
maruyama>   do
maruyama>     echo $line | grep -q "^#"
maruyama>     if [ $? -eq 0 ] ; then continue ; fi
maruyama>     proto="`echo $line | awk '{print $1}'`"
maruyama>     ip="`echo $line | awk '{print $2}'`"
maruyama>     if [ -z "$proto" -o -z "$ip" ] ; then continue ; fi
maruyama>     $cmd $nextnum allow $proto from any to $ip in keep-state
maruyama>     nextnum=`expr $nextnum + 1`
maruyama>   done < /etc/ipfw.openip
maruyama> fi
maruyama> ####################################################################
maruyama> 
maruyama> 
maruyama> # Deny all other incoming troublemakers
maruyama> ####################################################################
maruyama> $cmd 64000 deny log all from any to any
maruyama> ####################################################################
maruyama> 
maruyama> # Check for user custom rules
maruyama> if [ -e "/etc/ipfw.custom" ] ; then
maruyama>   sh /etc/ipfw.custom
maruyama> fi
maruyama> 
maruyama> --------
maruyama> 丸山直昌＠統計数理研究所
maruyama> _______________________________________________
maruyama> freebsd-users-jp@freebsd.org mailing list
maruyama> https://lists.freebsd.org/mailman/listinfo/freebsd-users-jp
maruyama> To unsubscribe, send any mail to "freebsd-users-jp-unsubscribe@freebsd.org"


