NetBSD/dist/ipf/IPF.KANJI
2000-05-03 10:55:27 +00:00

466 lines
19 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

IP filter $B%7%g!<%H%,%$%I(B Dec, 1999
$B%[!<%`%Z!<%8(B: http://coombs.anu.edu.au/~avalon/ip-filter.html
FTP: ftp://coombs.anu.edu.au/pub/net/ip-filter/
$B30;3(B $B=c@8(B <sumio@is.s.u-tokyo.ac.jp>
$B;3K\(B $BBY1'(B <ymmt@is.s.u-tokyo.ac.jp>
-----
$B$O$8$a$K(B
IP filter $B$r(B gateway $B%^%7%s$K%$%s%9%H!<%k$9$k$3$H$G%Q%1%C%H%U%#(B
$B%k%?%j%s%0$r9T$&$3$H$,$G$-$^$9!#(B
$B%$%s%9%H!<%k$NJ}K!$O!"(BINSTALL$B$K=q$$$F$"$k$N$G!"$=$A$i$r;2>H$7$F(B
$B$/$@$5$$!#(BIP filter $B$N%P!<%8%g%s(B 3.3.5 $B$O!"(B
Solaris/Solaris-x86 2.3 - 8 (early access)
SunOS 4.1.1 - 4.1.4
NetBSD 1.0 - 1.4
FreeBSD 2.0.0 - 2.2.8
BSD/OS-1.1 - 4
IRIX 6.2
$B$GF0:n$9$k$3$H$,3NG'$5$l$F$$$^$9!#(B
$B$J$*!"(B64 bit kernel $B$NAv$C$F$k(B Solaris7 $B%^%7%s$G$O!"(Bgcc $B$H$+$G%3(B
$B%s%Q%$%k$7$?(B kernel driver $B$OF0:n$7$^$;$s!#(B
$B$=$N$h$&$J>l9g$K$O!"(Bprecompiled binary $B$r(B
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz
(1999$BG/(B12$B7n(B14$BF|8=:_!"$^$@(B3.3.5$B$O%Q%C%1!<%8$K$J$C$F$$$^$;$s(B)
$B$+$i<h$C$F$/$k$+!"(BWorkshop Compiler 5.0 $B$G%3%s%Q%$%k$7$F(B 64bit
driver $B$r:n$C$F$/$@$5$$!#(B
-----
$B@_Dj%U%!%$%k$N5-=RJ}K!(B
IP filter$B$N@_Dj$O!V$I$N%"%I%l%9!W$N!V$I$N%]!<%H!W$+$i!V$I$N%"%I(B
$B%l%9!W$N!V$I$N%]!<%H!W$X$N%Q%1%C%H$r(B block $B$9$k$+(B pass $B$9$k$+!"(B
$B$r;XDj$9$k$3$H$G9T$$$^$9!#(B
$B0J2<$NNc$G$O!"2f!9$,4IM}$7$F$$$k%5%V%M%C%H$h$j30$+$iFb$N%"%/%;%9(B
$B$O!"0lIt$N%^%7%s$r=|$$$F$OA4$F%V%m%C%/$7!"Fb$+$i30$X$N%"%/%;%9$O!"(B
$B86B'$H$7$FA4$FAGDL$7$9$k%]%j%7!<$G5-=R$5$l$F$$$^$9!#(B
$B0J2<!"4IM}$7$F$$$k%5%V%M%C%H$r(B
123.45.1.0/24
$B$H$7$FNc$r<($7$^$9!#(B24$B$O%5%V%M%C%H%^%9%/$G$9!#(B
$B$^$?!"(Bgateway $B$O(B
123.45.1.111 (hme0)
$B$,(B LAN$BB&$N%$%s%?!<%U%'!<%9!"(B
123.45.2.10 (hme1)
$B$,30B&$N%$%s%?!<%U%'!<%9$H$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
===================== $B$3$3$^$G(B ====================
$B$^$:$O$3$N%k!<%k$G!"IT@5$J%Q%1%C%H$r$O$M$^$9!#(Bblock $B$O(B block $B$9(B
$B$k0UL#$G!"H?BP$KDL$9>l9g$O(B pass $B$H$J$j$^$9!#(B
log $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$9$k%Q%1%C%H$N%m%0$r<h$k;X<($G(B
$B$9!#%m%0$O(B /dev/ipl $B$H$$$&%G%P%$%9%U%!%$%k$+$i%"%/%;%9$G$-$^$9$,!"(B
$B$3$N%G%P%$%9$O(B bounded buffer $B$J$N$G!"$"$kDxEY0J>e$N%m%0$O>C$($F(B
$B$7$^$$$^$9!#(B
/dev/ipl $B$NFbMF$rFI$_=P$9$K$O(B ipmon $B$H$$$&%W%m%0%i%`$r;H$$$^$9!#(B
ipmon $B$O(B stdout, syslog, $B$b$7$/$ODL>o$N%U%!%$%k$K%m%0$r=PNO$7$^(B
$B$9!#5/F0;~$K(B ipmon $B$rN)$A>e$2$k$J$i!"<!$N$h$&$J9T$r(B rc $B%U%!%$%k(B
$B$K=q$/$H$h$$$G$7$g$&!#(B
ipmon -n -o I ${IPMONLOG} < /dev/null > /dev/null 2>&1 &
${IPMONLOG} $B$OE,Ev$J%U%!%$%kL>$KCV49$7$F$/$@$5$$!#(Bsyslog $B$K=PNO(B
$B$9$k>l9g$O!"(B-s $B%*%W%7%g%s$rIU$1$^$9!#(Bsyslog $B$K=PNO$9$k>l9g!"(B
local0.info $B$r5-O?$9$k$h$&$K(B syslog.conf $B$rJT=8$7$F$/$@$5$$!#(B
$BNc$($P!"(B
local0.info ifdef(`LOGHOST', /var/log/syslog, @loghost)
quick $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$O0J9_$N%k!<%k$r(B
$BD4$Y$:$K!"%"%/%7%g%s(B(block or pass)$B$K=>$o$;$k$H$$$&$b$N$G$9!#$?(B
$B$@$7!"Nc30$,$"$j$^$9!#8e=R$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
===================== $B$3$3$^$G(B ====================
$B<!$K@)8f$r$+$1$k%$%s%?!<%U%'!<%9Kh$K%Q%1%C%H$KE,MQ$9$k%k!<%k$rJ,(B
$BN`$7$^$9!#(Bhme0 $B$O(B LAN $BB&$N%$%s%?!<%U%'!<%9$J$N$G!"B(:B$K5v2D(B
(pass quick)$B$7$F$$$^$9!#(B
all $B$H$$$&$N$O!"(Bfrom any to any $B$N>JN,7A$G$9!#(B
$B30It$H$N%$%s%?!<%U%'!<%9$G$"$k(B hme1 $B$O(B incoming $B$H(B outgoing $B$G!"(B
$B$=$l$>$l(B group 100 $BHV$H(B 150 $BHV$KJ,N`$7$^$9!#(Bhead $B$H$$$&$N$O!"$3(B
$B$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$r<!$NHV9f$N%0%k!<%W$KJ,N`$9$k$H$$$&(B
$B0UL#$G$9!#(B
===================== $B$3$3$+$i(B ====================
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
===================== $B$3$3$^$G(B ====================
IP $B%"%I%l%9$r2~cb$7$?%Q%1%C%H$rB(:B$K5qH]$7$F$$$^$9!#KvHx$N(B
group 100 $B$H$$$&$N$O(B head 100 $B$GJ,N`$5$l$?%Q%1%C%H$K$N$_%^%C%A$9(B
$B$k%k!<%k$H$$$&0UL#$G$9!#(B
-----
$B$3$3$^$G$G!"4pK\E*$K(BLAN$BFb$NDL?.$OAGDL$7$@$,30It$H$NDL?.$O%G%U%)(B
$B%k%H$G0l@Z6X;_$H$$$&@_Dj$K$J$j$^$9!#0J9_$G$O!"$=$N%G%U%)%k%H$KBP(B
$B$9$kNc30$H$$$&7A$G!"DL$7$?$$%Q%1%C%H$r5-=R$7$F$$$-$^$9!#(B
$B$^$:!"FbIt$+$i30It$X$N@\B3$K4X$9$k@_Dj$r$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## OUTGOING
#
## allow ping out
#
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
===================== $B$3$3$^$G(B ====================
$B$3$l$O4pK\E*$KA4$F$N%Q%1%C%H$r5v$9%k!<%k$G$9!#$7$+$7!"(Bnetbios
(137-139/udp, tcp)$B$N%]!<%H$@$1$O6X;_$7$F$$$^$9!#(Bnetbios$B$O(B Windows
$B$N%U%!%$%k6&M-$G;H$o$l$k%]!<%H$G!"$3$N%]!<%H$,3+$$$F$$$k$H!"(B
Windows$B$N@_Dj$K$h$C$F$O!"@$3&Cf$+$i%U%!%$%k$rFI$_=q$-$G$-$k(B
$B62$l$,$"$j$^$9!#(B
$B$3$3$G!"4JC1$K=q<0$r8+$F$*$/$H!"(B
* $B:G=i$NC18l$G!"(Bblock$B$9$k$+(Bpass$B$9$k$+;XDj$9$k(B
* proto $B$N8e$NC18l$G!"(Bprotocol$B$r;XDj$9$k(B(udp, tcp, icmp, etc.)$B!#(B
* from A to B $B$G!"$I$3$+$i$I$3$X$N%Q%1%C%H$+$r;XDj$9$k(B
* head XXX$B$r;XDj$9$k$H!"$=$N9T$G;XDj$5$l$"$?%Q%1%C%H$O!"(Bgroup
XXX$B$H$7$F;2>H$G$-$k(B
* group$B$r;XDj$9$k$3$H$G!"5,B'$rE,MQ$9$k8uJd$r(B($BM=$a(Bhead$B$G@_Dj$7$?(B)
group$B$K8BDj$G$-$k!#(B
$B$^$?!"(Bfrom A to B$B$N(BA$B$d(BB$B$O!"(BIP$B%"%I%l%9$H(Bport$B$r=q$/$3$H$,$G$-$^$9!#(B
from any to any port 136 >< 140
$B$H$$$&$N$O!"(B
$B!VG$0U$N%]!<%H$NG$0U$N%"%I%l%9$+$i!"(B137$BHV$+$i(B139$BHV%]!<%H$NG$0U$N(B
$B%"%I%l%9$X$N%Q%1%C%H!W(B
$B;XDj$7$F$$$k$3$H$K$J$j$^$9!#$^$?!"HV9f$NBe$o$j$K(B/etc/service$B$K5-(B
$B=R$5$l$F$$$k%5!<%S%9L>$r5-=R$9$k$3$H$b$G$-$^$9!#(B
$B$?$H$($P(B
from any to any port = telnet
$B$H(B
from any to any port = 23
$B$OF1$80UL#$H$J$j$^$9!#(B
$B$5$F!"$3$3$G(B quick $B$NNc30$r@bL@$7$F$*$-$^$9!#(Bquick $B$NIU$$$?(B
rule $B$,(B head $B$G?7$?$J%0%k!<%W$r:n$k>l9g!"=hM}$O$^$@$3$N;~E@(B
$B$G$O3NDj$7$^$;$s!#0J9_!"!V(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k!W(B
$B$N$_=hM}$9$k$H$$$&0UL#$K$J$j$^$9!#$G$9$+$i>e$N!"(B
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
$B$O!"$^$:(B 150$BHV%0%k!<%W$K%^%C%A$9$k(B UDP $B%Q%1%C%H$OAGDL$7(B
$B$9$k!"$,!"0J2<$N(B 160$BHV$KB0$9$k%k!<%k$r$^$@=hM}$9$k!#(B
$B$=$7$F(B2$B9TL\$G(B 160$BHV%0%k!<%W$KBP$7$F(B netbios packet $B$r(B
block $B$7$F$$$kLu$G$9!#(B
$B0l9TL\$K%^%C%A$7$?%Q%1%C%H$O0J2<$K$b$7(B150$BHV$N%0%k!<%W$N(B
$B%k!<%k$,$"$C$?$H$7$F$b!"L5;k$9$k$3$H$KCm0U$7$F$/$@$5$$!#(B
----------
$B<!$K!"30It$+$iFbIt$X$N%"%/%;%9$N@_Dj$r$7$^$9!#(B
* $B%k!<%F%#%s%0>pJs(B(RIP)$B$N%Q%1%C%H$O!"A4It5v$7$^$9!#(B
pass in quick proto udp from any to any port = 520 keep state group 100
* ICMP$B$N%Q%1%C%H$OA4It5v$7$^$9!#(B
pass in quick proto icmp from any to any group 100
* $BFbIt$+$i30It$X$N(Bftp$B$r5v$9$?$a$K!"(Bftp-data port$B$+$i0lHL%]!<%H$X(B
$B$NG$0U$N@\B3$r<u$1IU$1$^$9!#$3$l$O(Bpassive mode$B$G$J$$(BFTP$B$N5sF0(B
$B$G$9!#(B
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
$B$7$+$7!"$3$l$O0lHL$K8@$C$FB?>/4m81$J9T0Y$G$9!#@\B3$G$-$k$N$,(B
1024$BHV0J9_$N0lHL%]!<%H$K8BDj$O$5$l$^$9$,!"$"$^$j$*4+$a$G$-$^$;$s!#(B
$B$3$N9T$r2C$($:$K!"(Bpassive mode (ftp $B$G(B pasv $B%3%^%s%I$GF~$l$k(B)
$B$G(B FTP $B$r$9$k$3$H$r4+$a$^$9!#$J$*!":G6a$N(B FTP client $B$O:G=i(B
$B$+$i(B passive mode $B$KL5>r7o$G$7$F$7$^$&$b$N$,B?$$$h$&$G$9!#(B
* sendmail$B$d(Bftpd$B$K7R$0$H!"Aj<j$,(Bident$B%]!<%H$X%"%/%;%9$7$F$/$k$3(B
$B$H$,$"$k$N$G!"(Bident port$B$r3+$1$^$9!#(Bident $B$ODL>o$O5/F0$5$l$F$$(B
$B$J$$(B daemon $B$J$N$G!"AGDL$7$7$F$b%;%-%e%j%F%#%[!<%k$K$J$k$3$H$O$"(B
$B$j$^$;$s(B(connection refused$B$K$J$k$@$1$G$9(B)$B!#$3$l$r3+$1$J$$$H!"(B
$BAj<jB&$O(B timeout $B$9$k$^$G@h$K?J$^$J$$$N$G!"(BFTP $B$d(B mail $B$NAw?.(B
$B$,$d$?$i$KCY$/$J$k$3$H$,$"$j$^$9!#(B
$B$b$7(B 113 $BHV%]!<%H$K@\B3$G$-$k$h$&$J$i!"$=$N%5!<%S%9$OB(:B$K(B
$BDd;_$9$k$3$H$r4+$a$^$9!#(B
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
------
$B<!$K!"30It$+$i(B firewall $B$X$N%"%/%;%9$r5v$9%5!<%S%9$r5-=R$7$F$$$-(B
$B$^$9!#$^$:$O!"30It$+$i$N@\B3$r5v$7$?$$%[%9%H$K$D$$$F!"%0%k!<%WHV(B
$B9f$r$D$1$^$9!#(B
===================== $B$3$3$+$i(B ====================
## grouping by host
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
===================== $B$3$3$^$G(B ====================
$B$3$l$G!"(B
$B30It$+$i(B 123.45.1.X $B$X$N@\B3$O(B group 110
$B30It$+$i(B 123.45.1.Y $B$X$N@\B3$O(B group 111
$B$G;2>H$9$k$3$H$,$G$-$^$9!#(B
$BB>$K$b5v$7$?$$%[%9%H$rA}$d$7$?$$$H$-$O!">e$HF1MM$K$7$F!"(Bhead$B$N8e(B
$B$K!"?7$7$$?t;z(B(112, 113$B$J$I(B)$B$r3d$jEv$F$F$/$@$5$$!#(B
$B$b$&0lEYCm0U$7$F$*$-$^$9$,!"(Bquick $B$H(B head $B$,F1;~$K8=$l$k%k!<%k(B
$B0J9_$G$O!"(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k$7$+E,MQ$5$l$J$/$J$j(B
$B$^$9!#$G$9$+$i!">e$N(B ident $B$d(B ftp data-port $B$N$h$&$K!"FbIt$N(B
$BA4$F$N%[%9%H$K%^%C%A$9$k%k!<%k$O!"$3$N%[%9%H$K$h$k%0%k!<%WJ,$1(B
$B$NA0$KCV$/I,MW$,$"$j$^$9!#(B
X$B$X$O!"(Btelnet, ftp, ssh $B$r!"(BY$B$X$O!"(Bftp, http, smtp, pop $B$r5v$9$3(B
$B$H$K$7$^$9!#(B
* X(group 110)$B$X$N(Btelnet$B$r5v$7$^$9(B
pass in quick proto tcp from any to any port = telnet keep state group 110
* X$B$X$N(Bftp$B$r5v$7$^$9!#(Bftp-data port $B$b3+$1$F$*$-$^$9!#(B
($BI,MW$,$"$k$+$I$&$+3NG'$O$7$F$$$^$;$s$,!"3+$1$F$$$F$b0BA4$G$7$g$&(B)$B!#(B
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
* X$B$X$N(Bssh$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = 22 keep state group 110
* Y$B$X$N(Bftp$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
Y$B$O(B anonoymous ftp $B%5!<%P$r1?1D$7$F$$$k$?$a(B wu-ftpd $B$r;H$C$F$$(B
$B$^$9!#(Bwu-ftpd $B$O(B passive mode $B$N(BFTP$B$K$bBP1~$7$F$$$^$9$N$G!"$I(B
$B$N%]!<%H$r(BPASV$BMQ$K;H$&$+!"(Bwu-ftpd $B$N@_Dj$K=q$$$F$*$/I,MW$,$"$j(B
$B$^$9!#$3$3$G$O(B3000$B$+$i(B3099$BHV%]!<%H$r;HMQ$9$k$h$&$K!"(Bwu-ftpd $B$r(B
$B@_Dj$7$F$$$^$9!#(B
passive FTP $B$K$D$$$F2r@b$7$^$9!#(Bpassive FTP $B$O!"%/%i%$%"%s%H$,(B
$B%U%!%$%"%&%)!<%k$NFbB&$K$$$k>l9g$N$?$a$K3+H/$5$l$?%W%m%H%3%k$G(B
$B$9!#%G%U%)%k%H$G$O>e$G@bL@$7$?$h$&$K!"%G!<%?E>Aw$N$?$a!"%5!<%P(B
$B$N(B ftp-data port $B$+$i%/%i%$%"%s%H$K@\B3$,$$$-$^$9!#(B
passive FTP $B$G$O!"%G!<%?E>Aw$b(B client $B$+$i%5!<%P$K@\B3$9$k$h$&(B
$B$K$J$j$^$9!#$=$N:]!"%5!<%P$OE,Ev$J%]!<%HHV9f$r3d$j?6$C$F!"$=$3(B
$B$K%/%i%$%"%s%H$,@\B3$9$k$h$&;X<($7$^$9!#(B
$B$3$N$?$a!"%5!<%P$,%U%!%$%"%&%)!<%kFb$K$$$k>l9g!"E,Ev$J%]!<%HHV(B
$B9f$O%U%!%$%"%&%)!<%k$G$O$M$i$l$F$7$^$$$^$9!#$=$3$G!"(Bwu-ftpd $B$N(B
$B@_Dj$G!"3d$j?6$k%]!<%HHV9f$NHO0O$r8BDj$7$F!"$=$3$@$1%U%!%$%"(B
$B%&%)!<%k$K7j$r3+$1$F$$$k$o$1$G$9!#(Bwu-ftpd $B$N>l9g$O!"(Bftpaccess
$B$H$$$&%U%!%$%k$K(B
# passive ports <cidr> <min> <max>
passive ports 0.0.0.0/0 3000 3099
$B$HDI2C$9$k$3$H$G@_Dj$G$-$^$9!#(Bftpaccess(5)$B$r;2>H$7$F$/$@$5$$!#(B
* Y$B$X$N(Bhttp$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = 80 keep state group 111
* Y$B$X$N(Bsmtp$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = smtp keep state group 111
* Y$B$X$N(Bpop$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = 110 keep state group 111
$B0J>e$N@_Dj$K$h$j!"(BX, Y $B0J30$N%^%7%s$X$N!"30It$+$i$N@\B3$O!"0l@Z(B
$B9T$($J$/$J$j$^$9$N$G!"(Bremote exploit $BBP:v$O!"(BX, Y $B$K$N$_9T$($P$h(B
$B$/$J$j!"4IM}$N<j4V$,7Z8:$G$-$^$9!#(B
$BB>$N%W%m%H%3%k$rDL$9>l9g$b!">e$r;29M$K$7$FDL$7$?$$%]!<%HHV9f$r=q(B
$B$/$@$1$G$9$,!"$$$/$D$+Cm0UE@$,$"$j$^$9!#0J2<$bL\$rDL$7$F$/$@$5$$!#(B
-----
$B$=$NB>$NCm0U(B
1) gateway $B%^%7%s$N$h$&$K!"J#?t$N(BIP$B%"%I%l%9$r;}$D%^%7%s$G%5!<%S(B
$B%9$rN)$A>e$2$k>l9g$O!"$=$l$>$l$N(BIP$B%"%I%l%9$KBP$7$F!"(Bport $B$r3+$/(B
$BI,MW$,$"$j$^$9!#Nc$($P(B X $B$,(B IP:a $B$H(B IP:b $B$r;}$D$J$i!"(Bgroup $B$O(B a,
b $B$=$l$>$lMQ0U$7$F!"N>J}$N%0%k!<%WMQ$K(B rule $B$rDI2C$9$kI,MW$,$"$j(B
$B$^$9!#0J2<$NNc$G$O!"%2!<%H%&%'%$%^%7%s(B(123.45.2.10$B$H(B123.45.1.111
$B$N(BIP$B$r;}$D(B)$B$K(BNNTP$B%5!<%P$rN)$F$F$$$^$9!#(B
($BNc(B)
#### grouping by host
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#### allow NNTP
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
gateway $B$,(B2$B$D0J>e$"$k%M%C%H%o!<%/$G$O!"N>J}$N(B gateway $B$K(B IP
filter $B$,I,MW$K$J$j!"@_Dj$O99$KJ#;($K$J$j$^$9!#$=$N$h$&$J4D6-$N(B
$B>l9g$K$O!"%^%K%e%"%k$rFI$s$G8!F$$7$F$/$@$5$$!#(B
2) NFS$B$H(Brsh$B$O%W%m%H%3%k$N4X78>e!"(Bfirewall$BD6$($OIT2DG=$G$9!#(B
NFS$B$NBeBX$K$D$$$F$OITL@$G$9$,!"(Brsh$B$NBeBX$H$7$F$O(Bssh$B$,;H$($^$9!#(B
3) $B30It$N(BX client $B$r!"%U%!%$%"%&%)!<%kFb$N(BX$B%5!<%P$K@\B3$5$;$?$$!"(B
$B$H$$$&$N$O(B FAQ $B$N0l$D$G$9!#$*4+$a$N2r7h:v$O!"(Bssh $B$N(B X forwarding
$B5!9=$r;H$&$3$H$G$9!#(Bssh$B$G@\B3$G$-$k$J$i$P!"$3$l$O40A4$K(B secure
$B$GHFMQE*$JJ}K!$G$9!#(B
$B$=$l$,=PMh$J$$>l9g$O!"2f!9$O@\B3$5$;$?$$%[%9%H$N%Z%"$r%f!<%6$KJs(B
$B9p$7$F$b$i$C$F!"0J2<$N$h$&$J%k!<%k$rDI2C$7$F$$$^$9!#(B
# X:0 $B$O(B tcp:6000 $BHV$K$J$j$^$9!#(B
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
-----
$B:G8e$K!";D$k%Q%1%C%H$OA4$F%V%m%C%/$5$l$kLu$G$9$,!"$=$l$K$D$$$F$N(B
$BA4$F$N%m%0$r;D$9$3$H$r4uK>$9$k>l9g!"<!$N%k!<%k$r!VI,$::G8e$K!W2C(B
$B$($^$9!#(B
## log blocked packets
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
------
$B:#Kx$N@_Dj$r$R$H$D$K$^$H$a$?%U%!%$%k$r:G8e$KE:IU$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## Packet Filtering Rules for 123.45.1. ##########
#
# The following routes should be configured, if not already:
#
# route add 123.45.1.111 localhost 0 (hme0) (LAN)
# route add 123.45.2.10 localhost 0 (hme1) (upstream)
#
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
#
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
#
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
########## OUTGOING
#
## allow ping out
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
#
######### INCOMING
## ICMP
pass in quick proto icmp from any to any group 100
## RIP
pass in quick proto udp from any to any port = 520 keep state group 100
## FTP
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
## IDENT
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
#
## grouping by host (112 & 113 is the gateway address)
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#
## telnet, ftp, ssh, www, smtp, pop
pass in quick proto tcp from any to any port = telnet keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
pass in quick proto tcp from any to any port = 22 keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
pass in quick proto tcp from any to any port = 80 keep state group 111
pass in quick proto tcp from any to any port = smtp keep state group 111
pass in quick proto tcp from any to any port = 110 keep state
group 111
#
## allow NNTP on the gateway
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
#
## X connections
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
#
## log blocked packets
## THIS MUST BE THE LAST RULE!
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
===================== $B$3$3$^$G(B ====================
----
$B$3$NJ8=q$N<h$j07$$$K$D$$$F(B
Copyright (C) 1999 TOYAMA Sumio <sumio@is.s.u-tokyo.ac.jp>
and YAMAMOTO Hirotaka <ymmt@is.s.u-tokyo.ac.jp>
THIS DOCUMENT IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
Permission to modify this document and to distribute it is hereby
granted, as long as above notices and copyright notice are retained.