[FreeBSD-users-jp 95830] Re: ipfw and DNS

丸山直昌 maruyama @ ism.ac.jp
Thu, 30 Jun 2016 08:39:56 UTC


Mr. Hirano,

This is Maruyama.

Thu, 30 Jun 2016 16:12:43 +0900
Akihiro HIRANO <hirano at t.kanazawa-u.ac.jp> writes:

> If it is not a problem, I think the quickest route would be for you to show the output of "ipfw list".

Yes.

Experiment 1 (PC-BSD 10.3)
/etc/ipfw.custom        (PC-BSD shipped default; contains only comments)
/etc/ipfw.openports     (PC-BSD shipped default; only udp 5353 and tcp 22)
/etc/ipfw.rules         (PC-BSD shipped default; attached at the end of this mail)

# ipfw list
00020 allow ip from any to any via lo0
01000 check-state
01050 allow tcp from any to any established
01100 allow udp from any to any established
02000 allow ip from any to any out keep-state
02050 allow ip6 from any to any out keep-state
02100 allow ipv6-icmp from any to any keep-state
02150 allow icmp from any to any keep-state
10000 allow udp from any to any dst-port 5353 in keep-state
10001 allow tcp from any to any dst-port 22 in keep-state
64000 deny log ip from any to any
65535 allow ip from any to any

In this state, dig @133.58.32.12 ism.ac.jp ns displays its result normally.

Experiment 2 (PC-BSD 10.3)
/etc/ipfw.custom
        ipfw -q add 110 allow ip from 133.58.124.49 to any
only. Here 133.58.124.49 is the interface that reaches the DNS server
133.58.32.12.
/etc/ipfw.openports     (PC-BSD shipped default; only udp 5353 and tcp 22)
/etc/ipfw.rules         (PC-BSD shipped default; attached at the end of this mail)

# ipfw list
00020 allow ip from any to any via lo0
00110 allow ip from 133.58.124.49 to any
01000 check-state
01050 allow tcp from any to any established
01100 allow udp from any to any established
02000 allow ip from any to any out keep-state
02050 allow ip6 from any to any out keep-state
02100 allow ipv6-icmp from any to any keep-state
02150 allow icmp from any to any keep-state
10000 allow udp from any to any dst-port 5353 in keep-state
10001 allow tcp from any to any dst-port 22 in keep-state
64000 deny log ip from any to any
65535 allow ip from any to any

At this point,

% dig @133.58.32.12 ism.ac.jp ns

; <<>> DiG 9.10.3-P4 <<>> @133.58.32.12 ism.ac.jp ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

----------------------------------------------------------------
PC-BSD shipped default of /etc/ipfw.rules
----------------------------------------------------------------
#!/bin/sh
# To re-apply rules, you can run "sh /etc/ipfw.rules"

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"

# No restrictions on loopback
####################################################################
$cmd 00020 allow all from any to any via lo0
####################################################################

# Check the state of packets
####################################################################
$cmd 01000 check-state
$cmd 01050 allow tcp from any to any established
$cmd 01100 allow udp from any to any established
####################################################################

# Allow all outgoing packets
####################################################################
$cmd 02000 allow ip from any to any out keep-state
$cmd 02050 allow ip6 from any to any out keep-state
$cmd 02100 allow ipv6-icmp from any to any keep-state
$cmd 02150 allow icmp from any to any keep-state
####################################################################

# Allow specific ports IN now
# Add items to /etc/ipfw.openports in the format
# {tcp|udp} <portnum>
####################################################################
nextnum=10000
if [ -e "/etc/ipfw.openports" ] ; then
  while read line
  do
    echo $line | grep -q "^#"
    if [ $? -eq 0 ] ; then continue ; fi
    proto="`echo $line | awk '{print $1}'`"
    port="`echo $line | awk '{print $2}'`"
    if [ -z "$proto" -o -z "$port" ] ; then continue ; fi
    $cmd $nextnum allow $proto from any to any $port in keep-state
    nextnum=`expr $nextnum + 1`
  done < /etc/ipfw.openports
fi
####################################################################

# Allow specific IPs incoming traffic now (Used for jails mainly)
# Add items to /etc/ipfw.openip in the format
# {ip4|ip6} <ip>
####################################################################
nextnum=20000
if [ -e "/etc/ipfw.openip" ] ; then
  while read line
  do
    echo $line | grep -q "^#"
    if [ $? -eq 0 ] ; then continue ; fi
    proto="`echo $line | awk '{print $1}'`"
    ip="`echo $line | awk '{print $2}'`"
    if [ -z "$proto" -o -z "$ip" ] ; then continue ; fi
    $cmd $nextnum allow $proto from any to $ip in keep-state
    nextnum=`expr $nextnum + 1`
  done < /etc/ipfw.openip
fi
####################################################################


# Deny all other incoming troublemakers
####################################################################
$cmd 64000 deny log all from any to any
####################################################################

# Check for user custom rules
if [ -e "/etc/ipfw.custom" ] ; then
  sh /etc/ipfw.custom
fi

--------
丸山直昌 @ The Institute of Statistical Mathematics
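Added example, not part of the mail above and not PC-BSD's code: a small Python simulation of ipfw's first-match evaluation with keep-state/check-state, run over the two rulesets shown, which reproduces why the reply to the dig query is accepted in experiment 1 and stopped by rule 64000 in experiment 2. The interface name em0 and the query's source port 54321 are assumed values.

```python
# Added example (not from the mail or PC-BSD): first-match simulation of the ipfw
# subset in the two "ipfw list" outputs above. IPv4 only; em0 and port 54321 are made up.
CUSTOM = "00110 allow ip from 133.58.124.49 to any"   # the experiment 2 addition
SHIPPED = """00020 allow ip from any to any via lo0
01000 check-state
01050 allow tcp from any to any established
01100 allow udp from any to any established
02000 allow ip from any to any out keep-state
02050 allow ip6 from any to any out keep-state
02100 allow ipv6-icmp from any to any keep-state
02150 allow icmp from any to any keep-state
10000 allow udp from any to any dst-port 5353 in keep-state
10001 allow tcp from any to any dst-port 22 in keep-state
64000 deny log ip from any to any""".splitlines()

def parse(line):
    t = line.split()                          # "<num> <action> [log] <body...>"
    return int(t[0]), t[1], [x for x in t[2:] if x != "log"]

def matches(t, p):
    proto, src, dst, opts = t[0], t[2], t[4], t[5:]   # "<proto> from A to B ..."
    after = lambda k: opts[opts.index(k) + 1]         # value following an option
    return (proto in ("ip", "all", p["proto"])        # ip6/ipv6-icmp never match v4
            and src in ("any", p["src"]) and dst in ("any", p["dst"])
            and ("via" not in opts or after("via") == p["iface"])
            and ("dst-port" not in opts or int(after("dst-port")) == p["dport"])
            and ("in" not in opts or p["dir"] == "in")
            and ("out" not in opts or p["dir"] == "out")
            # "established" is TCP with ACK/RST set; it can never match a UDP reply
            and ("established" not in opts or p.get("ack", False)))

def evaluate(rules, p, state):
    # First match wins; keep-state records the flow, check-state consults it.
    flow = (p["proto"], frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])}))
    for num, action, t in rules:
        if action == "check-state":
            if flow in state:
                return num, "allow"
        elif matches(t, p):
            if "keep-state" in t:
                state.add(flow)
            return num, action
    return 65535, "allow"                     # the default rule in this ruleset

def dns_roundtrip(custom=()):
    rules, state = sorted(parse(l) for l in list(SHIPPED) + list(custom)), set()
    query = dict(proto="udp", src="133.58.124.49", sport=54321,
                 dst="133.58.32.12", dport=53, dir="out", iface="em0")
    reply = dict(proto="udp", src="133.58.32.12", sport=53,
                 dst="133.58.124.49", dport=54321, dir="in", iface="em0")
    return evaluate(rules, query, state), evaluate(rules, reply, state)
```

dns_roundtrip() sends the query out and the reply back in and returns the rule number and verdict for each: without rule 110 the query hits 02000 (keep-state) and the reply is accepted by check-state at 01000; with the stateless rule 110 ahead of check-state the query matches it without recording a dynamic entry, so the UDP reply matches nothing until the deny at 64000. Giving rule 110 keep-state, or placing it after check-state, is the usual remedy.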

