Date: Thu, 30 Jun 2016 18:05:17 +0900 (JST)
From: moto kawasaki <moto@kawasaki3.org>
To: maruyama@ism.ac.jp
Cc: hirano@t.kanazawa-u.ac.jp, freebsd-users-jp@freebsd.org
Subject: [FreeBSD-users-jp 95833] Re: ipfwとDNS
Message-ID: <20160630.180517.2230511729743152378.moto@kawasaki3.org>
In-Reply-To: <ydlk2h783zc.fsf@indra.ism.ac.jp>
References: <54a8b85f-54a4-0761-3acb-5acbcaccc534@t.kanazawa-u.ac.jp> <ydlk2h783zc.fsf@indra.ism.ac.jp>
川崎と申します。
ヤマカンですみませんが、
00110 allow ip from 133.58.124.49 to any keep-state
となるように keep-state を追加ですかねぇ。
（ルール 110 が 02000 より先に送信パケットにマッチし、keep-state 無しで許可されるので動的ルールが作られず、DNS サーバーからの返答が 64000 の deny に落ちるのだと思います。）
＃ 1100 にあるところの udp の場合の established ってどういう意味になる
# んでしょう。

-- 
moto kawasaki <moto@kawasaki3.org> 090-2464-8454

on Thu, 30 Jun 2016 17:39:51 +0900, maruyama@ism.ac.jp (丸山直昌) wrote:

maruyama> 平野 様
maruyama> 
maruyama> 丸山です。
maruyama> 
maruyama> Thu, 30 Jun 2016 16:12:43 +0900
maruyama> Akihiro HIRANO <hirano@t.kanazawa-u.ac.jp> writes:
maruyama> 
maruyama> >　支障がなければ、「ipfw list」の結果を示して頂くのが早道だと思います。
maruyama> 
maruyama> はい。
maruyama> 
maruyama> 実験1(PC-BSD10.3)
maruyama> /etc/ipfw.custom (PC-BSDの出荷値、中はコメントだけ)
maruyama> /etc/ipfw.openports (PC-BSDの出荷値、udp 5353, tcp 22だけ)
maruyama> /etc/ipfw.rules (PC-BSDの出荷値、このメールの末尾に同封)
maruyama> 
maruyama> # ipfw list
maruyama> 00020 allow ip from any to any via lo0
maruyama> 01000 check-state
maruyama> 01050 allow tcp from any to any established
maruyama> 01100 allow udp from any to any established
maruyama> 02000 allow ip from any to any out keep-state
maruyama> 02050 allow ip6 from any to any out keep-state
maruyama> 02100 allow ipv6-icmp from any to any keep-state
maruyama> 02150 allow icmp from any to any keep-state
maruyama> 10000 allow udp from any to any dst-port 5353 in keep-state
maruyama> 10001 allow tcp from any to any dst-port 22 in keep-state
maruyama> 64000 deny log ip from any to any
maruyama> 65535 allow ip from any to any
maruyama> 
maruyama> この状態では dig @133.58.32.12 ism.ac.jp ns は正常に結果を表示。
maruyama> 
maruyama> 実験2(PC-BSD10.3)
maruyama> /etc/ipfw.custom
maruyama> ipfw -q add 110 allow ip from 133.58.124.49 to any
maruyama> だけ。ここに　133.58.124.49 は DNSサーバー 133.58.32.12 に繋がるインター
maruyama> フェース。
maruyama> /etc/ipfw.openports (PC-BSDの出荷値、udp 5353, tcp 22だけ)
maruyama> /etc/ipfw.rules (PC-BSDの出荷値、このメールの末尾に同封)
maruyama> 
maruyama> # ipfw list
maruyama> 00020 allow ip from any to any via lo0
maruyama> 00110 allow ip from 133.58.124.49 to any
maruyama> 01000 check-state
maruyama> 01050 allow tcp from any to any established
maruyama> 01100 allow udp from any to any established
maruyama> 02000 allow ip from any to any out keep-state
maruyama> 02050 allow ip6 from any to any out keep-state
maruyama> 02100 allow ipv6-icmp from any to any keep-state
maruyama> 02150 allow icmp from any to any keep-state
maruyama> 10000 allow udp from any to any dst-port 5353 in keep-state
maruyama> 10001 allow tcp from any to any dst-port 22 in keep-state
maruyama> 64000 deny log ip from any to any
maruyama> 65535 allow ip from any to any
maruyama> 
maruyama> このとき、
maruyama> 
maruyama> % dig @133.58.32.12 ism.ac.jp ns
maruyama> 
maruyama> ; <<>> DiG 9.10.3-P4 <<>> @133.58.32.12 ism.ac.jp ns
maruyama> ; (1 server found)
maruyama> ;; global options: +cmd
maruyama> ;; connection timed out; no servers could be reached
maruyama> 
maruyama> ----------------------------------------------------------------
maruyama> /etc/ipfw.rules のPC-BSDの出荷値
maruyama> ----------------------------------------------------------------
maruyama> #!/bin/sh
maruyama> # To re-apply rules, you can run "sh /etc/ipfw.rules"
maruyama> 
maruyama> # Flush out the list before we begin.
maruyama> ipfw -q -f flush
maruyama> 
maruyama> # Set rules command prefix
maruyama> cmd="ipfw -q add"
maruyama> 
maruyama> # No restrictions on loopback
maruyama> ####################################################################
maruyama> $cmd 00020 allow all from any to any via lo0
maruyama> ####################################################################
maruyama> 
maruyama> # Check the state of packets
maruyama> ####################################################################
maruyama> $cmd 01000 check-state
maruyama> $cmd 01050 allow tcp from any to any established
maruyama> $cmd 01100 allow udp from any to any established
maruyama> ####################################################################
maruyama> 
maruyama> # Allow all outgoing packets
maruyama> ####################################################################
maruyama> $cmd 02000 allow ip from any to any out keep-state
maruyama> $cmd 02050 allow ip6 from any to any out keep-state
maruyama> $cmd 02100 allow ipv6-icmp from any to any keep-state
maruyama> $cmd 02150 allow icmp from any to any keep-state
maruyama> ####################################################################
maruyama> 
maruyama> # Allow specific ports IN now
maruyama> # Add items to /etc/ipfw.openports in the format
maruyama> # {tcp|udp} <portnum>
maruyama> ####################################################################
maruyama> nextnum=10000
maruyama> if [ -e "/etc/ipfw.openports" ] ; then
maruyama> while read line
maruyama> do
maruyama> echo $line | grep -q "^#"
maruyama> if [ $? -eq 0 ] ; then continue ; fi
maruyama> proto="`echo $line | awk '{print $1}'`"
maruyama> port="`echo $line | awk '{print $2}'`"
maruyama> if [ -z "$proto" -o -z "$port" ] ; then continue ; fi
maruyama> $cmd $nextnum allow $proto from any to any $port in keep-state
maruyama> nextnum=`expr $nextnum + 1`
maruyama> done < /etc/ipfw.openports
maruyama> fi
maruyama> ####################################################################
maruyama> 
maruyama> # Allow specific IPs incoming traffic now (Used for jails mainly)
maruyama> # Add items to /etc/ipfw.openip in the format
maruyama> # {ip4|ip6} <ip>
maruyama> ####################################################################
maruyama> nextnum=20000
maruyama> if [ -e "/etc/ipfw.openip" ] ; then
maruyama> while read line
maruyama> do
maruyama> echo $line | grep -q "^#"
maruyama> if [ $? -eq 0 ] ; then continue ; fi
maruyama> proto="`echo $line | awk '{print $1}'`"
maruyama> ip="`echo $line | awk '{print $2}'`"
maruyama> if [ -z "$proto" -o -z "$ip" ] ; then continue ; fi
maruyama> $cmd $nextnum allow $proto from any to $ip in keep-state
maruyama> nextnum=`expr $nextnum + 1`
maruyama> done < /etc/ipfw.openip
maruyama> fi
maruyama> ####################################################################
maruyama> 
maruyama> 
maruyama> # Deny all other incoming troublemakers
maruyama> ####################################################################
maruyama> $cmd 64000 deny log all from any to any
maruyama> ####################################################################
maruyama> 
maruyama> # Check for user custom rules
maruyama> if [ -e "/etc/ipfw.custom" ] ; then
maruyama> sh /etc/ipfw.custom
maruyama> fi
maruyama> 
maruyama> --------
maruyama> 丸山直昌＠統計数理研究所
maruyama> _______________________________________________
maruyama> freebsd-users-jp@freebsd.org mailing list
maruyama> https://lists.freebsd.org/mailman/listinfo/freebsd-users-jp
maruyama> To unsubscribe, send any mail to "freebsd-users-jp-unsubscribe@freebsd.org"