From owner-FreeBSD-users-jp@jp.FreeBSD.org Tue Jul  6 17:36:04 2004
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id i668a4D11081;
	Tue, 6 Jul 2004 17:36:04 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from smtp1.dti.ne.jp (smtp1.dti.ne.jp [202.216.228.36])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id i668a4I11076
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Tue, 6 Jul 2004 17:36:04 +0900 (JST)
	(envelope-from daisaito@lares.dti.ne.jp)
Received: from [127.0.0.1] (p233.akuma.jp [211.19.48.233]) by smtp1.dti.ne.jp (3.08s) with ESMTP id i668a3NI010961;Tue, 6 Jul 2004 17:36:03 +0900 (JST)
From: SAITO Masaru <daisaito@lares.dti.ne.jp>
To: FreeBSD-users-jp@jp.FreeBSD.org
Message-Id: <20040706165200.F84B.DAISAITO@lares.dti.ne.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver. 2.05.03
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Tue, 06 Jul 2004 17:35:54 +0900
X-Sequence: FreeBSD-users-jp 80057
Subject: [FreeBSD-users-jp 80057] ipf+ipnat
 =?ISO-2022-JP?B?GyRCJE4layE8JWskSyREJCQkRhsoQg==?= 
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: daisaito@lares.dti.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+040628

$Bc7F#!w2#IM$G$9!#(B
# net-jp$B$HLB$$$^$7$?$,!"(Busers-jp$B$NJ}$,(B
# $B%"%I%P%$%9$,$?$/$5$sLc$($=$&$J$N$G!#!#(B

FreeBSD4.8R$B$K$F(Bpppoe$B%k!<%?$r;H$C$F(Bipnat+ipf$B$N;n9TCf$G$9!#(B

$B:#2s!"0J2<$N$h$&$J9=@.$G%M%C%H%o!<%/$rAH$_$^$7$?!#(B

    internet
        | 211.xxx.yyy.0/30(tun0)
========|=========
   +----+----+
   | gateway |
   +----+----+192.168.1.1(de0)
        |
        +------------------------+-----192.168.1.0/24
        |                        | 
  +-----+----+192.168.1.100  +---+---+192.168.1.xx(DHCP)
  |mailserver|               |windows|
  +----------+               +-------+

$B308~$1$K$O2<5-$N$h$&$J(BMAPPING$B$G$9!#(B
gateway:     211.xxx.yyy.1
mailserver:  211.xxx.yyy.2

$B0J2<$N%Z!<%8$r;29M$K$7$^$7$?!#(B
http://www.fujie.jp/freebsd/freebsd_router_ipfilter.html

$B:#2s(Bgateway$B$G$O$J$/(Bmailserver$B$K%a!<%k$,Mh$k$h$&$K$7$F@_Dj$7$^$7$?!#(B
# $B2#IM$NK?(B8$B8GDj(BIP$B$r$b$i$($k%W%m%P%$%@$K$7$?$N$G!"$=$N<B83$b7s$M$F$^$9!#(B

rc.conf
# User-level ppp(8) for the PPPoE link: ddial mode keeps the link up and
# redials when it drops; profile MY_ISP comes from ppp.conf (not shown).
# ppp's own NAT is switched off because translation is done by ipnat below --
# running both would translate twice.
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="MY_ISP"
ppp_nat="NO"

# IPFilter: load the static ruleset /etc/ipf.rules at boot, no extra flags.
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""

# ipmon as a daemon (-D) writing hits of "log" rules to /var/log/ipf.log;
# the log excerpt further down in this mail comes from that file.
ipmon_enable="YES"
ipmon_flags=" -D /var/log/ipf.log"
# ipnat: -C removes every existing NAT rule and -F flushes the active
# translation table before -f loads /etc/ipnat.rules, so a reload starts clean
# (the leading space inside the flag strings is presumably harmless -- confirm).
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipnat_program="/sbin/ipnat"
ipnat_flags=" -CF -f"

$B$3$3$G!"(B/etc/ipnat.rules$B$H(B/etc/ipf.rules$B$OC1=c$K2<5-$N$h$&$K$7$F$_$^$7$?!#(B

/etc/ipf.rules
=======================
# Wide-open test ruleset used as a first step (the real ruleset follows later in
# this mail): every packet is passed in both directions, so only the ipnat rules
# decide what reaches the mail server.  Not a configuration to leave in place.
pass in all
pass out all
=======================

/etc/ipnat.rules
=======================
# Outbound NAT for the whole LAN behind tun0.  "0/32" stands for whatever
# address tun0 currently has, which suits a PPPoE link whose address changes.
# The three map rules are listed in the usual order: the FTP proxy first so
# active-mode FTP survives translation, then port-mapped TCP/UDP, then a plain
# map for everything else (ICMP etc.).
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map tun0 192.168.1.0/24 -> 0/32
# One-to-one mapping in both directions between 192.168.1.2 and the second
# public address.  NOTE(review): 192.168.1.2 does not appear in the network
# diagram of this mail (the mail server is 192.168.1.100); presumably a
# leftover from the referenced example -- confirm which host, if any, should
# own 211.xxx.yyy.2, since this rule also exposes all of its ports inbound.
bimap tun0 192.168.1.2/32 -> 211.xxx.yyy.2/32
# Inbound SMTP for the public mail address is redirected to the internal mail
# server.  Inbound NAT is applied before ipf's inbound rules, so ipf.rules has
# to pass tcp to 192.168.1.100 port 25 on tun0: the ipf.log excerpt in this
# mail shows the packet already rewritten to 192.168.1.100,25 when it was
# blocked.  The same log shows that this rdr, not the bimap above, handled
# port 25; other ports to 211.xxx.yyy.2 presumably fall to the bimap -- confirm.
rdr tun0 211.xxx.yyy.2/32 port 25 -> 192.168.1.100 port 25
=======================

$B$3$N>uBV$G!"30$+$i$N%a!<%k$O(B211.xxx.yyy.2$B$N(B192.168.1.100(mailserver)
$B$K%a!<%k$,FO$$$F$$$^$7$?!#$3$3$^$G$O3NG'=PMh$F$$$^$9!#(B

$B$7$+$7!"(B/etc/ipfrules$B$r2<5-$N$h$&$K$7$?$i(Bipf$B$K(Bblock$B$5$l$F$7$^$$$^$9!#(B

/var/log/ipf.log$B$K$O2<5-$N$h$&$K5-O?$5$l$F$*$j$^$9!#(B

/var/log/ipf.log
==========================================================================================================
06/07/2004 16:50:16.664372 tun0 @100:19 b 202.216.228.36,49338 -> 192.168.1.100,25 PR tcp len 20 48 -S IN
06/07/2004 16:50:20.028027 tun0 @100:19 b 202.216.228.36,49338 -> 192.168.1.100,25 PR tcp len 20 48 -S IN
06/07/2004 16:50:26.777573 tun0 @100:19 b 202.216.228.36,49338 -> 192.168.1.100,25 PR tcp len 20 48 -S IN
==========================================================================================================
$B"((B202.216.228$B$O(Bntt docomo$B$N%a!<%k%5!<%P$G$9!#(B
  $B%F%9%H$N0Y$K7HBS$+$i%a!<%k$r=P$7$F$_$^$7$?!#(B

$B$3$3$G$"$k5?Ld$,@8$8$^$7$?!#(B
ipf.rules$B$K$O(B211.xxx.yyy.2$B$N(B25$BHV(Bport$B$r5v2D$9$k$h$&$K=q$$$?$N$G$9$,!"(B
$B$=$NA0$K(Bipnat$B$K$h$C$F(Bdest$B$,(B192.168.1.100$B$K=q$-JQ$o$C$F(B
$B$7$^$C$F$$$k$h$&$J5$$,$7$^$9!#$3$N>l9g$O(Bipf.rules$B$K$b(B
$B$=$N$h$&$K=q$/$Y$-$J$N$G$7$g$&$+!)(B
ipf.rules$B$K$O$G$-$l$P%W%i%$%Y!<%H%"%I%l%9$r=q$-$?$/$O$J$$$N$G$9$,!#!#(B


/etc/ipf.rules
========================================================================
#  IPF+NAT $BMQ$N%k!<%k%U%!%$%k!J@EE*%k!<%k!K(B
# $B!J(Bgroup $B$r;XDj$7$F$$$J$$%k!<%k$O%0%k!<%W(B 0$B!K(B
# IP $B%*%W%7%g%s$,;XDj$5$l$?$b$N!"CGJR2=$5$l$?$b$N!"(B
# $BC;$$%Q%1%C%H$J$I$O$3$3$GGK4~(B
#
# Static IPFilter ruleset for the gateway in this mail: tun0 is the PPPoE /
# internet side (group 100 in, group 200 out), de0 the LAN side (group 300 in,
# group 400 out), lo0 is passed unconditionally.  IPFilter applies "last
# matching rule wins" unless a rule says "quick", so within each group the
# result is the head rule's pass, overridden by whichever later group rule
# matches last.  The original comments are ISO-2022-JP (shown here as escape
# sequences) and are left as posted; the English comments describe the rules
# as written.
#
# Evaluated before any group (group 0): drop and log packets carrying IP
# options or fragments, and TCP segments too short to hold a full header.
block in log quick from any to any with ipopts frag
block in log quick proto tcp from any to any with short

#########################################################################
# internet => tun0
#########################################################################
# Every packet arriving on tun0 enters group 100.  NOTE(review): inbound NAT
# (ipnat) runs before this filter, so a packet redirected by the rdr rule in
# ipnat.rules already carries the internal destination 192.168.1.100 here.
# The ipf.log excerpt in this mail shows exactly that: dst 192.168.1.100,25
# blocked by @100:19, which is the "block in log proto tcp all flags S/SA"
# rule at the end of this group.
pass in on tun0 all head 100
# $B%"%I%l%956AuKI;_(B
# Anti-spoofing: loopback and the LAN prefix must never be a source address on
# the internet side.  192.168.1.1/24 is written with host bits set; presumably
# 192.168.1.0/24 was meant -- confirm how this version of ipf parses it (the
# 192.168.0.0/16 rule below covers the prefix anyway).
block in from 127.0.0.0/8 to any group 100
block in from 192.168.1.1/24 to any group 100

# $B%W%i%$%Y!<%H%"%I%l%9$NGK4~(B
# RFC 1918 ranges and 0.0.0.0/8 as source are dropped (not logged).
block in from 10.0.0.0/8 to any group 100
block in from 172.16.0.0/12 to any group 100
block in from 192.168.0.0/16 to any group 100
block in from 0.0.0.0/8 to any group 100

# $B@\B3$5$l$?(B TCP $B%Q%1%C%H$r5v2D(B
# Any TCP segment with ACK set is passed immediately, whether or not a
# connection exists -- nothing here tracks state.  NOTE(review): "keep state"
# on the outbound SYN rules in group 200 would let this rule go away, so that
# ACK-only segments to closed ports are dropped instead of passed.
pass in quick proto tcp all flags A/A group 100

# DNS $B%5!<%P(B $B@\B33+;O$r5v2D(B
# New TCP and UDP queries to port 53 on ANY destination are accepted; the
# 211.xxx.yyy.2-specific DNS rules further down are therefore redundant.
pass in quick proto tcp from any to any port = 53 flags S/SA group 100
pass in quick proto udp from any to any port = 53 group 100

# IDENT $B$K$OEz$($J$$(B
# Answer ident (113) probes with a TCP RST instead of silently dropping them,
# so the remote side gives up at once.
block return-rst in quick proto tcp from any to any port = 113 group 100

# $B30It$N(B DNS $B$KLd$$9g$o$;$?5"$j$N%Q%1%C%H(B
# Replies from remote DNS servers.  NOTE(review): this matches only on the
# source port, so any remote host can reach any UDP port here by sending from
# port 53; the same applies to the NTP rule below (source port 123).
pass in proto udp from any port = 53 to any group 100

# NTP $B$N5"$j(B
pass in proto udp from any port = 123 to any group 100

# $BFbIt$+$i30It$X$N(B ping $B$N$_5v2D(B
# All ICMP is blocked, then echo replies (type 0) are re-allowed by the later
# (last-matching) pass rule, so only answers to our own pings get in.
block in proto icmp all group 100
pass in proto icmp all icmp-type 0 group 100

# RFC2979
# Destination-unreachable (type 3) must be accepted for path MTU discovery and
# proper error reporting.
pass in proto icmp all icmp-type 3 group 100

#####################################################################################
# internet => 211.xxx.yyy.2 [FreeBSD($B308~$1%5!<%P(B)
#####################################################################################
## DNS Server
pass in quick proto tcp from any to 211.xxx.yyy.2 port = 53 flags S/SA group 100
pass in quick proto udp from any to 211.xxx.yyy.2 port = 53 group 100

## SMTP Server
# NOTE(review): this rule matches the public destination 211.xxx.yyy.2, but
# inbound ipnat has already rewritten redirected SMTP to 192.168.1.100 before
# ipf sees it (see the log excerpt in this mail), so it never matches the
# redirected mail and the packet falls through to the logging block below.
# The rule that would match is
#   pass in quick proto tcp from any to 192.168.1.100 port = 25 flags S/SA group 100
# i.e. the internal address does have to appear here, as the question in the
# mail suspects.
pass in quick proto tcp from any to 211.xxx.yyy.2 port = 25 flags S/SA group 100

########################################################
# others
########################################################
# $B$=$l0J30$N30It$+$i$N(BTCP$B@\B3$r5qH](B
# Catch-all for new inbound TCP connections not passed above; this is rule 19
# of group 100, the @100:19 seen in the ipf.log excerpt.  NOTE(review): there
# is no equivalent block for UDP, so a UDP datagram to a port not named above
# ends with the head rule's pass -- a matching
#   block in log proto udp all group 100
# next to this rule would close that.
block in log proto tcp all flags S/SA group 100

############################################
# $B30It$X$N=PNO!J%0%k!<%W(B 200$B!K(B
############################################
# Everything leaving on tun0 enters group 200.  NOTE(review): IPFilter filters
# outbound packets before outbound NAT, so these rules presumably see the
# untranslated 192.168.1.x source addresses -- confirm for this ipf version.
pass out on tun0 all head 200

# $B%"%I%l%956B$KI;_(B
# Anti-spoofing on the way out: no loopback addresses in either direction, and
# nothing addressed to the gateway's own WAN /30 (211.19.48.232/30 is given
# unmasked here, unlike the 211.xxx.yyy notation elsewhere in this mail).
block out from 127.0.0.0/8 to any group 200
block out from any to 127.0.0.0/8 group 200
block out from any to 211.19.48.232/30 group 200

# $B%W%i%$%Y!<%H%"%I%l%9$NGK4~(B
# Private and 0.0.0.0/8 destinations never leave via the internet side.
block out from any to 10.0.0.0/8 group 200
block out from any to 172.16.0.0/12 group 200
block out from any to 192.168.0.0/16 group 200
block out from any to 0.0.0.0/8 group 200

# NetBIOS (port 137-139)
# "136 >< 140" is the open interval, i.e. ports 137-139.  NOTE(review): this
# is tcp only; NetBIOS name and datagram service also use UDP 137/138, which
# this rule does not cover.
block out proto tcp from any to any port 136 >< 140 group 200

# $B@\B3$5$l$?(B TCP $B%Q%1%C%H$r5v2D(B
# Established (ACK) TCP may leave.
pass out proto tcp all flags A/A group 200

# FTP
# Active-mode FTP: data connections on port 20 and control on 21, in both
# directions (the "quick" rules stop evaluation as soon as they match).
pass out proto tcp from any to any port = 20 flags A/A group 200
pass out quick proto tcp from any to any port = 21 flags S/SA group 200
pass out quick proto tcp from any port = 20 to any flags S/SA group 200
pass out quick proto tcp from any port = 21 to any flags A/A group 200

# $B30It$N(B DNS $B%5!<%P$X$NLd$$9g$o$;$r5v2D(B
# Queries to external DNS servers (TCP and UDP).
pass out proto tcp from any to any port = 53 flags S/SA group 200
pass out proto udp from any to any port = 53 group 200

# $B30It$X$N@\B33+;O$r5v2D(B
# Any new outbound TCP connection is allowed.
pass out proto tcp all flags S/SA group 200

# $B30It$N(B NTP $B%5!<%P$X$NLd$$9g$o$;$r5v2D(B
# Queries to external NTP servers.
pass out proto udp from any to any port = 123 group 200

# $BFbIt$+$i30It$X$N(B ping $B$N$_5v2D(B
# Only echo requests (type 8) leave: block all ICMP, then re-allow type 8 by
# the later pass rule.
block out proto icmp all group 200
pass out proto icmp all icmp-type 8 group 200

############################################
# $BFbIt$+$iMh$k%Q%1%C%H!J%0%k!<%W(B 300$B!K(B
############################################

# Packets from the LAN on de0: default pass, minus spoofed sources -- loopback,
# the gateway's own LAN address, and the WAN /30.  NOTE(review): the first
# octet of 202.19.48.232/30 differs from the 211.19.48.232/30 used in group
# 200 and from the 211.xxx.yyy.0/30 WAN prefix in the diagram; presumably a
# typo for 211.19.48.232/30 -- confirm.
pass in on de0 all head 300
block in from 127.0.0.0/8 to any group 300
block in from 192.168.1.1/32 to any group 300
block in from 202.19.48.232/30 to any group 300

############################################
# $BFbIt$X=P$F$$$/%Q%1%C%H!J%0%k!<%W(B 400$B!K(B
############################################

# Packets toward the LAN on de0: default pass; no loopback address in either
# direction and nothing addressed to the gateway's own LAN address.
pass out on de0 all head 400
block out from 127.0.0.0/8 to any group 400
block out from any to 127.0.0.0/8 group 400
block out from any to 192.168.1.1/32 group 400

############################################
# $B%k!<%W%P%C%/$X$N%k!<%k!J%0%k!<%W(B 0$B!K(B
# $B!J:G8e$K$"$C$F$b(B OK$B!K(B
############################################
# Loopback is passed unconditionally; "quick" makes position irrelevant
# (group 0, so order relative to the groups above does not matter).
pass in quick on lo0 all
pass out quick on lo0 all
========================================================================




---
SAITO Masaru <daisaito@lares.dti.ne.jp>


