[FreeBSD-users-jp 95833] Re: ipfw and DNS

moto kawasaki moto @ kawasaki3.org
Thu, 30 Jun 2016 09:14:21 UTC


This is Kawasaki.

Sorry, this is just a hunch, but

00110 allow ip from 133.58.124.49 to any keep-state

maybe adding keep-state so that the rule reads like the above?

# Also, what does "established" mean in the case of udp, as in the rule
# at 1100?

-- 
moto kawasaki <moto at kawasaki3.org> 090-2464-8454


on Thu, 30 Jun 2016 17:39:51 +0900, maruyama at ism.ac.jp (丸山直昌) wrote:

maruyama> Dear Hirano,
maruyama> 
maruyama> This is Maruyama.
maruyama> 
maruyama> Thu, 30 Jun 2016 16:12:43 +0900
maruyama> Akihiro HIRANO <hirano at t.kanazawa-u.ac.jp> writes:
maruyama> 
maruyama> > If there is no problem with it, I think showing the output of "ipfw list" would be the quickest way.
maruyama> 
maruyama> Yes.
maruyama> 
maruyama> Experiment 1 (PC-BSD 10.3)
maruyama> /etc/ipfw.custom        (PC-BSD default, contains only comments)
maruyama> /etc/ipfw.openports     (PC-BSD default, only udp 5353 and tcp 22)
maruyama> /etc/ipfw.rules         (PC-BSD default, attached at the end of this mail)
maruyama> 
maruyama> # ipfw list
maruyama> 00020 allow ip from any to any via lo0
maruyama> 01000 check-state
maruyama> 01050 allow tcp from any to any established
maruyama> 01100 allow udp from any to any established
maruyama> 02000 allow ip from any to any out keep-state
maruyama> 02050 allow ip6 from any to any out keep-state
maruyama> 02100 allow ipv6-icmp from any to any keep-state
maruyama> 02150 allow icmp from any to any keep-state
maruyama> 10000 allow udp from any to any dst-port 5353 in keep-state
maruyama> 10001 allow tcp from any to any dst-port 22 in keep-state
maruyama> 64000 deny log ip from any to any
maruyama> 65535 allow ip from any to any
maruyama> 
maruyama> In this state, dig @133.58.32.12 ism.ac.jp ns displays its results normally.
maruyama> 
maruyama> Experiment 2 (PC-BSD 10.3)
maruyama> /etc/ipfw.custom
maruyama>         ipfw -q add 110 allow ip from 133.58.124.49 to any
maruyama> only. Here 133.58.124.49 is the interface that connects to the DNS
maruyama> server 133.58.32.12.
maruyama> /etc/ipfw.openports     (PC-BSD default, only udp 5353 and tcp 22)
maruyama> /etc/ipfw.rules         (PC-BSD default, attached at the end of this mail)
maruyama> 
maruyama> # ipfw list
maruyama> 00020 allow ip from any to any via lo0
maruyama> 00110 allow ip from 133.58.124.49 to any
maruyama> 01000 check-state
maruyama> 01050 allow tcp from any to any established
maruyama> 01100 allow udp from any to any established
maruyama> 02000 allow ip from any to any out keep-state
maruyama> 02050 allow ip6 from any to any out keep-state
maruyama> 02100 allow ipv6-icmp from any to any keep-state
maruyama> 02150 allow icmp from any to any keep-state
maruyama> 10000 allow udp from any to any dst-port 5353 in keep-state
maruyama> 10001 allow tcp from any to any dst-port 22 in keep-state
maruyama> 64000 deny log ip from any to any
maruyama> 65535 allow ip from any to any
maruyama> 
maruyama> At this point,
maruyama> 
maruyama> % dig @133.58.32.12 ism.ac.jp ns
maruyama> 
maruyama> ; <<>> DiG 9.10.3-P4 <<>> @133.58.32.12 ism.ac.jp ns
maruyama> ; (1 server found)
maruyama> ;; global options: +cmd
maruyama> ;; connection timed out; no servers could be reached
maruyama> 
maruyama> ----------------------------------------------------------------
maruyama> PC-BSD default /etc/ipfw.rules
maruyama> ----------------------------------------------------------------
maruyama> #!/bin/sh
maruyama> # To re-apply rules, you can run "sh /etc/ipfw.rules"
maruyama> 
maruyama> # Flush out the list before we begin.
maruyama> ipfw -q -f flush
maruyama> 
maruyama> # Set rules command prefix
maruyama> cmd="ipfw -q add"
maruyama> 
maruyama> # No restrictions on loopback
maruyama> ####################################################################
maruyama> $cmd 00020 allow all from any to any via lo0
maruyama> ####################################################################
maruyama> 
maruyama> # Check the state of packets
maruyama> ####################################################################
maruyama> $cmd 01000 check-state
maruyama> $cmd 01050 allow tcp from any to any established
maruyama> $cmd 01100 allow udp from any to any established
maruyama> ####################################################################
maruyama> 
maruyama> # Allow all outgoing packets
maruyama> ####################################################################
maruyama> $cmd 02000 allow ip from any to any out keep-state
maruyama> $cmd 02050 allow ip6 from any to any out keep-state
maruyama> $cmd 02100 allow ipv6-icmp from any to any keep-state
maruyama> $cmd 02150 allow icmp from any to any keep-state
maruyama> ####################################################################
maruyama> 
maruyama> # Allow specific ports IN now
maruyama> # Add items to /etc/ipfw.openports in the format
maruyama> # {tcp|udp} <portnum>
maruyama> ####################################################################
maruyama> nextnum=10000
maruyama> if [ -e "/etc/ipfw.openports" ] ; then
maruyama>   while read line
maruyama>   do
maruyama>     echo $line | grep -q "^#"
maruyama>     if [ $? -eq 0 ] ; then continue ; fi
maruyama>     proto="`echo $line | awk '{print $1}'`"
maruyama>     port="`echo $line | awk '{print $2}'`"
maruyama>     if [ -z "$proto" -o -z "$port" ] ; then continue ; fi
maruyama>     $cmd $nextnum allow $proto from any to any $port in keep-state
maruyama>     nextnum=`expr $nextnum + 1`
maruyama>   done < /etc/ipfw.openports
maruyama> fi
maruyama> ####################################################################
maruyama> 
maruyama> # Allow specific IPs incoming traffic now (Used for jails mainly)
maruyama> # Add items to /etc/ipfw.openip in the format
maruyama> # {ip4|ip6} <ip>
maruyama> ####################################################################
maruyama> nextnum=20000
maruyama> if [ -e "/etc/ipfw.openip" ] ; then
maruyama>   while read line
maruyama>   do
maruyama>     echo $line | grep -q "^#"
maruyama>     if [ $? -eq 0 ] ; then continue ; fi
maruyama>     proto="`echo $line | awk '{print $1}'`"
maruyama>     ip="`echo $line | awk '{print $2}'`"
maruyama>     if [ -z "$proto" -o -z "$ip" ] ; then continue ; fi
maruyama>     $cmd $nextnum allow $proto from any to $ip in keep-state
maruyama>     nextnum=`expr $nextnum + 1`
maruyama>   done < /etc/ipfw.openip
maruyama> fi
maruyama> ####################################################################
maruyama> 
maruyama> 
maruyama> # Deny all other incoming troublemakers
maruyama> ####################################################################
maruyama> $cmd 64000 deny log all from any to any
maruyama> ####################################################################
maruyama> 
maruyama> # Check for user custom rules
maruyama> if [ -e "/etc/ipfw.custom" ] ; then
maruyama>   sh /etc/ipfw.custom
maruyama> fi
maruyama> 
maruyama> --------
maruyama> 丸山直昌 @ 統計数理研究所 (The Institute of Statistical Mathematics)
maruyama> _______________________________________________
maruyama> freebsd-users-jp at freebsd.org mailing list
maruyama> https://lists.freebsd.org/mailman/listinfo/freebsd-users-jp
maruyama> To unsubscribe, send any mail to "freebsd-users-jp-unsubscribe at freebsd.org"
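An added illustration, not part of the thread or of PC-BSD: a small Python model of ipfw first-match evaluation with check-state and keep-state, reduced to the rules that decide the DNS case of experiment 2. It shows why the reply to the dig query is dropped by rule 64000 when rule 110 has no keep-state, and accepted once keep-state is added. The UDP source port 51234 is a constructed value.

```python
# Constructed toy model of ipfw first-match evaluation (not ipfw itself):
# a check-state rule, or the first keep-state rule reached, consults the
# dynamic state table before the static rules are tried further.
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport direction")  # direction: "in"/"out"


def static_match(rule, pkt):
    return (rule["proto"] in ("ip", pkt.proto)
            and rule.get("src", "any") in ("any", pkt.src)
            and rule.get("dir", "any") in ("any", pkt.direction))


def evaluate(rules, pkt, states):
    """Return (rule number, action) for pkt; states is the dynamic table."""
    flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    for num, rule in rules:
        if rule["action"] == "check-state" or rule.get("keep_state"):
            if flow in states or reverse in states:
                return num, "allow"  # dynamic entry hit; the creating rule was an allow
            if rule["action"] == "check-state":
                continue
        if not static_match(rule, pkt):
            continue
        if rule.get("keep_state"):
            states.add(flow)  # create the dynamic entry for this flow
        return num, rule["action"]
    return 65535, "allow"  # default rule from the thread's listing


def ruleset(rule110_keep_state):
    # Only the rules that decide the DNS case of experiment 2.
    return [
        (110, {"action": "allow", "proto": "ip", "src": "133.58.124.49",
               "keep_state": rule110_keep_state}),
        (1000, {"action": "check-state"}),
        (2000, {"action": "allow", "proto": "ip", "dir": "out", "keep_state": True}),
        (64000, {"action": "deny", "proto": "ip"}),
    ]


def dns_exchange(rule110_keep_state):
    """Outgoing query from 133.58.124.49 to the DNS server, then its reply."""
    states, rules = set(), ruleset(rule110_keep_state)
    query = Pkt("udp", "133.58.124.49", 51234, "133.58.32.12", 53, "out")  # port constructed
    reply = Pkt("udp", "133.58.32.12", 53, "133.58.124.49", 51234, "in")
    return evaluate(rules, query, states), evaluate(rules, reply, states)
```

Without keep-state the query is accepted by rule 110 before it ever reaches 02000, so no dynamic entry exists and the inbound reply falls through to 64000; with keep-state on rule 110 the reply matches the dynamic entry.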

