Site Navigation

Date:      Mon, 11 Jul 2016 12:22:30 +0900
From:      maruyama@ism.ac.jp (=?iso-2022-jp?B?GyRCNF07M0Q+PjsbKEI=?=)
To:        Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
Cc:        freebsd-users-jp@freebsd.org
Subject:   [FreeBSD-users-jp 95846] Re: =?iso-2022-jp?b?aXBmdxskQiRIGyhCRE5T?=
Message-ID:  <ydlmvlo6eq1.fsf@indra.ism.ac.jp>
In-Reply-To: <20160710175551.c7a2b2f19b6881eb189c0a0e@dec.sakura.ne.jp> (message from Tomoaki AOKI on Sun, 10 Jul 2016 17:55:51 %2B0900)

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

$B@DLZ(B $BMM(B

Sun, 10 Jul 2016 17:55:51 +0900
Tomoaki AOKI <junchoon@dec.sakura.ne.jp> writes:

>$B0l1~G0$N0Y!#(B
>
>FreeBSD$B$@$H(B
>$B!!(B1./etc/defaults/rc.conf$B$rFI$_9~$`!#(B

$B$($(!"$=$l$O>5CN$7$F$$$^$9!#(BPC-BSD$B$G$O$3$N(B /etc/defaults/rc.conf $B$NCf$K(B

  rc_conf_files="/etc/rc.conf.pcbsd /etc/rc.conf /etc/rc.conf.local"

$B$H$$$&9T$,$"$k(B($B$D$^$j85AD(BFreeBSD$B$N(B /etc/defaults/rc.conf $B$r$$$8$C$F(B
$B$$$k(B)$B$N$G!"(B

2./etc/rc.conf.pcbsd$B$rFI$`(B
3./etc/rc.conf$B$rFI$`(B
4./etc/rc.conf.local$B$,$"$l$PFI$`(B

$B$H$J$j$^$9!#$J$*!"(B/etc/rc.conf.pcbsd $B$NCf$G=EMW$J@_Dj$O(B

  pcdm_enable="YES"

$B$G!"$3$l$r(B rc.conf $B$G(B NO $B$K@_Dj$9$k$H!"0l8+$7$?$H$3$m(BFreeBSD$B$H6hJL$,$D$+(B
$B$J$/$J$k$H;W$$$^$9!#(B

>$B!!(B2./etc/rc.conf$B$,$"$l$P(B/etc/defaults/rc.conf$BFb$N=hM}$GFI$_9~$`!#(B
>$B!!(B3./etc/rc.conf.local$B$,$"$l$P(B/etc/defaults/rc.conf$BFb$N=hM}$GFI$_9~$`!#(B
>$B!!(B4./etc/defaults/vendor.conf$B$,$"$l$P(B/etc/defaults/rc.conf$BFb$N=hM}$G(B
>$B!!(B  $BFI$_9~$`!#(B
>$B$H$$$&N.$l$K$J$C$F$*$j!"8e$N@_Dj$GA0$N@_Dj$r>e=q$-$G$-$k$h$&$K$J$C$F(B
>$B$*$j!"%G%U%)%k%H$G$O!"(B/etc/defaults/rc.conf$B$7$+B8:_$7$^$;$s!#(B
>$B0l1~$N;H$$J,$1$H$7$F!"(B
>
>$B!!!&(B/etc/defaults/rc.conf$B$O(BFreeBSD$B$NF0:n>eI,MW$J@_Dj$N%G%U%)%k%H$r(B
>$B!!!!E;$a$F$"$j!"4IM}<T!&%f!<%6$K$h$kJT=8$O0l@ZA[Dj$7$J$$!#(B

$B=>$C$F!"(BPC-BSD$B$,(B /etc/defaults/rc.conf $B$NCf$N(B rc_conf_files $B$H$$$&JQ?t$r(B
$B$$$8$C$?$N$O!"85AD(B FreeBSD$B$N@_7W<T$N!VA[Dj30!W$+$bCN$l$^$;$s$M!#(B

>$B!!!&(B/etc/rc.conf$B$O%5%$%H!J?&>l$d<+Bp!KFb$NA4%5!<%P!&C<Kv$G6&DL$N(B
>$B!!!!@_Dj$r9T$&!#!!%G%U%)%k%H$GITET9g$N$"$k>l9g$N$_:n@.MW!#(B
>
>$B!!!&(B/etc/rc.conf.local$B$O$=$N%5!<%P!&C<Kv8GM-$N@_Dj$r9T$&!#(B
>$B!!!!(B/etc/rc.conf$B$^$G$N@_Dj$GITET9g$N$"$k>l9g$N$_:n@.MW!#(B

$B$3$N$h$&$J!V3,AXE*$J!W9M$($O;d$K$OHs>o$KG<F@$G$-$k$N$b$G$9$,!"$7$+$7$=$l(B
$B$J$i(B hostname $B$d(B ifconfig_($B%$%s%?!<%U%'!<%9L>(B)$B$O(B/etc/rc.conf.local $B$KF~(B
$B$l$k$Y$-!"$H$$$&5DO@$K$J$k$H;W$$$^$9!#(BFreeBSD$B$N%$%s%9%H!<%i!<$G$O$I$&@_(B
$BDj$5$l$^$9$+!)$^$?3'$5$s$O$I$&$7$F$$$^$9$+!)(BPC-BSD$B$O$3$l$i$O(B
/etc/rc.conf $B$K@_Dj$5$l$F$7$^$$$^$9!#(B

($B0zMQESCfN,(B)
>/etc/defaults/vendor.conf$B$r;H$&0UL#$O!"%Y%s%@!<$H$7$F$NJ]>Z>e!"2?$,$J$s(B
>$B$G$b%f!<%6B&$G>e=q$-$5$l$k$H:$$k@_Dj$,$"$k>l9g$X$NBP1~$G$7$g$&$+!#(B
>PC-BSD$B$G$=$A$i$r;H$C$F$$$J$$$N$J$i!"!V@_Dj$7$?$N$KH?1G$5$l$J$$!#!!$J$s(B
>$B$G!)!W$H$$$&ITJ?$r;:$s$G$^$G6/@)$7$?$$@_Dj$OL5$$!"$H$$$&$3$H$G$7$g$&!#(B
>
>...$B$H=q$$$F$$$F5$$K$J$C$?$N$G(Bsvnweb$B$G3NG'$7$?$i!"(Bstable/10$B$G$O(B
>/etc/defaults/vendor.donf$B$K4X$9$k=hM}$OF~$C$F$$$^$;$s$G$7$?!#!!(B11$B7O$+$i(B
>$B$N?75!G=$N$h$&$G$9!#!!$b$7$+$9$k$H(BPC-BSD$B$N(B10$B7O$+$i$O$3$A$i$N;EAH$_$,(B
>$B;H$o$l$k$+$b!)(B

$B$H$$$&$h$j!"(B PC-BSD$B$N(B /etc/rc.conf.pcbsd $B$r!V;29M$K$7$F!W!"$"$k$$$O!V1F(B
$B6A$5$l$F!W(B/etc/defaults/vendor.conf $B$,(B 11 $B$GF3F~$5$l$?$N$G$O$J$$$G$9$+!)(B
PC-BSD$B$O!"(BFreeBSD$B$r4pK\$H$7$J$,$i$b!"$$$/$+$NE@$G!VK\2H(BFreeBSD$B$N2~NI$r@h(B
$BF3$7$?$$!W$H$$$&$h$&$J0U?^$r46$8$k$H$3$m$,$"$j$^$9!#Nc$($P(B package $B$,(Btbz
$B$+$i(B txz $B$KJQ$o$C$?$N$O!"K\2H(B FreeBSD$B$h$j$b(B PC-BSD$B$NJ}$,@h$G$7$?!#$3$N$h(B
$B$&$JBVEY$r<h$k(BPC-BSD$B$N%A!<%`$,K\2H(BFreeBSD$B$N%3%"%a%s%P!<$H$I$&$$$&?M4V4X(B
$B78$J$N$+!";d$O>/$75$$K$J$C$F$$$?$N$G$9$,!":#2s(BPC-BSD$B$N(BKris Moore$B$,(B
Core.9 $B$K2C$o$C$?(B(7$B7n(B6$BF|$N(B FreeBSD-Announce$B;2>H(B)$B$N$G!"(BPC-BSD$B$H(BFreeBSD$B$N(B
$B4V$N!VP*N%!W$O$3$l$^$G$h$j$b>/$J$/$J$k$@$m$&$H9M$($F$$$^$9!#(B

>> # grep firewall rc.conf.pcbsd
>>   firewall_enable="YES"
>>   firewall_type="open"
>>   firewall_enable="YES"
>>   firewall_script="/etc/ipfw.rules"
>>   firewall_type="open"
>> 
>> $B$H$J$C$F$*$j$^$9!#(B
>
>/etc/ipfw.rules$B$H$$$&$N$O(BPC-BSD$BFH<+$N$h$&$G$9$M!#(B
>FreeBSD$B$N>l9g!"(B/etc/defaults/rc.conf$B$K(Bfirewall_script="/etc/rc.firewall"
>$B$N@_Dj$,$"$j$^$9$N$G!"(B/etc/rc.firewall$B$rCV$-49$($k7A$G;H$&$3$H$K$J$j(B
>$B$^$9!#!!=>$C$F!"F1$8(Bfirewall_type="open"$B$G$b(BFreeBSD$B$H=hM}$,0[$J$k(B
>$B2DG=@-$,$"$j$^$9!#(B

PC-BSD10.2, 10.3 $B$N(B /etc/ipfw.rules $B$O0J2<$N$h$&$K$J$C$F$*$j$^$9!#(B

#!/bin/sh
# To re-apply rules, you can run "sh /etc/ipfw.rules"

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"

# No restrictions on loopback
####################################################################
$cmd 00020 allow all from any to any via lo0
####################################################################

# Check the state of packets
####################################################################
$cmd 01000 check-state
$cmd 01050 allow tcp from any to any established
$cmd 01100 allow udp from any to any established
####################################################################

# Allow all outgoing packets
####################################################################
$cmd 02000 allow ip from any to any out keep-state
$cmd 02050 allow ip6 from any to any out keep-state
$cmd 02100 allow ipv6-icmp from any to any keep-state
$cmd 02150 allow icmp from any to any keep-state
####################################################################

# Allow specific ports IN now
# Add items to /etc/ipfw.openports in the format
# {tcp|udp} <portnum>
####################################################################
nextnum=10000
if [ -e "/etc/ipfw.openports" ] ; then
  while read line
  do
    echo $line | grep -q "^#"
    if [ $? -eq 0 ] ; then continue ; fi
    proto="`echo $line | awk '{print $1}'`"
    port="`echo $line | awk '{print $2}'`"
    if [ -z "$proto" -o -z "$port" ] ; then continue ; fi
    $cmd $nextnum allow $proto from any to any $port in keep-state
    nextnum=`expr $nextnum + 1`
  done < /etc/ipfw.openports
fi
####################################################################

# Allow specific IPs incoming traffic now (Used for jails mainly)
# Add items to /etc/ipfw.openip in the format
# {ip4|ip6} <ip>
####################################################################
nextnum=20000
if [ -e "/etc/ipfw.openip" ] ; then
  while read line
  do
    echo $line | grep -q "^#"
    if [ $? -eq 0 ] ; then continue ; fi
    proto="`echo $line | awk '{print $1}'`"
    ip="`echo $line | awk '{print $2}'`"
    if [ -z "$proto" -o -z "$ip" ] ; then continue ; fi
    $cmd $nextnum allow $proto from any to $ip in keep-state
    nextnum=`expr $nextnum + 1`
  done < /etc/ipfw.openip
fi
####################################################################


# Deny all other incoming troublemakers
####################################################################
$cmd 64000 deny log all from any to any
####################################################################

# Check for user custom rules
if [ -e "/etc/ipfw.custom" ] ; then
  sh /etc/ipfw.custom
fi

>> PC-BSD $B$r(BNFS$B%5!<%P!<$K$9$k$K$O!"$"$H(B /etc/hosts.allow $B$b$$$8$kI,MW$,$"$j(B
>> $B$^$9$,!"3'MM$KHdO*$9$k$h$&$JOC$G$b$J$$$H;W$$$^$9$N$G!">JN,$7$^$9!#(B
>
>$B@x:_E*$K<{MW$O$"$j$=$&$J5$$b$7$^$9$,!">/$J$/$H$b(BFreeBSD$B$G$O$3$N%U%!%$%k(B
>$B<+BN$,;vNc=8$N$h$&$K$J$C$F$$$k$N$G!"8+$?$$$H$$$&@<$,5s$,$C$?$i$G$$$$$+(B
>$B$H!#(B

PD-BSD10.2 $B$N(B /etc/hosts.allow $B$O0J2<$NDL$j$G$9!#(B

# 
# hosts.allow access control file for "tcp wrapped" applications. 
# $FreeBSD: src/etc/hosts.allow,v 1.19.8.1 2006/02/19 14:57:01 ume Exp $ 
# 
# NOTE: The hosts.deny file is deprecated. 
#       Place both 'allow' and 'deny' rules in the hosts.allow file. 
#	See hosts_options(5) for the format of this file. 
#	hosts_access(5) no longer fully applies. 
 
#	 _____                                      _          _ 
#	| ____| __  __   __ _   _ __ ___    _ __   | |   ___  | | 
#	|  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | | 
#	| |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_| 
#	|_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_) 
#					   |_| 
# !!! This is an example! You will need to modify it for your specific 
# !!! requirements! 
 
 
# Start by allowing everything (this prevents the rest of the file 
# from working, so remove it when you need protection). 
# The rules here work on a "First match wins" basis. 
#ALL : ALL : allow 
 
# Wrapping sshd(8) is not normally a good idea, but if you 
# need to do it, here's how 
#sshd : .evil.cracker.example.com : deny 
 
# Protect against simple DNS spoofing attacks by checking that the 
# forward and reverse records for the remote host match. If a mismatch 
# occurs, access is denied, and any positive ident response within 
# 20 seconds is logged. No protection is afforded against DNS poisoning, 
# IP spoofing or more complicated attacks. Hosts with no reverse DNS 
# pass this rule. 
ALL : PARANOID : RFC931 20 : deny 
 
# Allow anything from localhost.  Note that an IP address (not a host 
# name) *MUST* be specified for rpcbind(8). 
ALL : localhost 127.0.0.1 : allow 
# Comment out next line if you build libwrap with NO_INET6=yes. 
ALL : [::1] : allow 
ALL : my.machine.example.com 192.0.2.35 : allow 
 
# To use IPv6 addresses you must enclose them in []'s 
ALL : [fe80::%fxp0]/10 : allow 
ALL : [fe80::]/10 : deny 
ALL : [2001:db8:2:1:2:3:4:3fe1] : deny 
ALL : [2001:db8:2:1::]/64 : allow 
 
# Sendmail can help protect you against spammers and relay-rapers 
sendmail : localhost : allow 
sendmail : .nice.guy.example.com : allow 
sendmail : .evil.cracker.example.com : deny 
sendmail : ALL : allow 
 
# Exim is an alternative to sendmail, available in the ports tree 
exim : localhost : allow 
exim : .nice.guy.example.com : allow 
exim : .evil.cracker.example.com : deny 
exim : ALL : allow 
 
# Rpcbind is used for all RPC services; protect your NFS! 
# (IP addresses rather than hostnames *MUST* be used here) 
rpcbind : 192.0.2.32/255.255.255.224 : allow 
rpcbind : 192.0.2.96/255.255.255.224 : allow 
rpcbind : ALL : deny 
 
# NIS master server. Only local nets should have access 
ypserv : localhost : allow 
ypserv : .unsafe.my.net.example.com : deny 
ypserv : .my.net.example.com : allow 
ypserv : ALL : deny 
 
# Provide a small amount of protection for ftpd 
ftpd : localhost : allow 
ftpd : .nice.guy.example.com : allow 
ftpd : .evil.cracker.example.com : deny 
ftpd : ALL : allow 
 
# You need to be clever with finger; do _not_ backfinger!! You can easily 
# start a "finger war". 
fingerd : ALL \ 
	: spawn (echo Finger. | \ 
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ 
	: deny 
 
# The rest of the daemons are protected. 
#ALL : ALL \ 
#	: severity auth.info \ 
#	: twist /bin/echo "You are not welcome to use %d from %h." 
 
# denyhosts 
sshd : /etc/hosts.deniedssh : deny 
sshd : ALL : allow 

--------
$B4];3D>>;!wE}7W?tM}8&5f=j(B

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ydlmvlo6eq1.fsf>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact