From owner-FreeBSD-users-jp@jp.FreeBSD.org Tue Oct 19 10:51:06 2010
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id o9J1p6Y88064;
	Tue, 19 Oct 2010 10:51:06 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from ts1.inter7.jp (220x218x138x50.ap220.ftth.ucom.ne.jp [220.218.138.50])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with SMTP/inet id o9J1p6D88059
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Tue, 19 Oct 2010 10:51:06 +0900 (JST)
	(envelope-from nana0773@inter7.jp)
Received: (qmail 3129 invoked by uid 507); 19 Oct 2010 10:51:01 +0900
Message-ID: <20101019015101.3128.qmail@ts1.inter7.jp>
To: FreeBSD-users-jp@jp.FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
X-Mailer: Webmail-inter7
X-Priority: 3
From: nana0773 <nana0773@inter7.jp>
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: 19 Oct 2010 10:51:01 +0900
X-Sequence: FreeBSD-users-jp 93243
Subject: [FreeBSD-users-jp 93243] About ipf (originally about ipnat)
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: nana0773@inter7.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+060209

>gateway_enable="YES"
>$B$O$$$i$J$$$s$G$7$?$C$1!)(B

$B$"!"$^$5$K$=$l$G$9!*(B

$B$"$j$,$H$&$4$6$$$^$9!#(B

>$B8E$$%^%7%s$N(Brc.conf $B$K$O=q$$$F$"$C$?$s$8$c$J$$$+$H;W$$$^$9$,!D!#(B
$B=q$$$F$J$/$FF0$$$F$^$7$?!#!J$J$<$G$7$g$&$+!)!K(B
$B!J(BFreeBSD 4.? $B$N$3$m$+$iF0$+$7$F$^$7$?!K(B

>ipf $B$NJ}$O$I$s$J%(%i!<%a%C%;!<%8$+65$($F$b$i$($P$J$K$+$o$+$k$+$b!"$G$9!#(B

$B:#F|!"$J$s$H$J$/!"(B

# /sbin/ipf -FA -Z /etc/ipf.rules

$B$r<B9T$7$?$i!"FC$K%(%i!<$,$G$^$;$s$G$7$?!#(B

bad packets:            in 0    out 0
 input packets:         blocked 0 passed 1148 nomatch 960 counted 0
output packets:         blocked 0 passed 1084 nomatch 856 counted 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0-0 output 0-0

$B%(%i!<$,=P$?$H$-$O%a%C%;!<%8$OK:$l$^$7$?$,(B

?($B?t;z(B) IOCTL $B$J$s$H$+(B File not found
$B!J$,J#?t!K(B
$B$G$7$?(B

$B$7$+$7!"(B

# ipfstat -io

$B$r<B9T$9$k$H(B

empty list for ipfilter(out)
empty list for ipfilter(in)

$B$H$J$j$^$9!#(B

$B:#!"F0$+$7$F$$$k(Bipf.rules$B$O$3$l$G$9!#(B
-----------------
#pass in quick all
#pass out quick all

# smb blocks

block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 113
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 137
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 138
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 139
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 445
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 1512
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 3389

# localnet block
#block in log quick on ng0 from 192.168.1.0/24 to any group 200

# multicast block
#block in log quick on ng0 from 224.0.0.0/4 to any group 200

# smtp allow
pass in quick on ng0 proto tcp from any to any port = 25 flags S/SA keep state group 200

# pop3 allow
#pass in quick on ng0 proto tcp from any to any port = 110 flags S/SA group 200

# www allow
pass in quick on ng0 proto tcp from any to any port = 80 flags S/SA group 200

# ssl allow
pass in quick on ng0 proto tcp from any to any port = 443 flags S/SA group 200

# dns allow
pass in quick on ng0 proto tcp from any to any port = 53 flags S/SA group 200
pass in quick on ng0 proto udp from any to any port = 53 group 200

# localnet allows
pass out on em0  from 192.168.1.0/24 to 192.168.1.0/24 group 350


$B;29M$^$G$K!"(BFreeBSD 6.2$B$GF0$$$F$$$?$N$O$3$l$G$9!#(B
$B!J%+!<%M%k$G(BDEFAULT_BLOCK$B$K$F!K(B
-----------------
#block in quick from any to any with ipopts frag
#block in quick proto tcp from any to any with short
#block in quick from 169.254.0.0/16 to any

pass in quick all
pass out quick all

# smb block

block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 113
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 137
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 138
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 139
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 445
block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 1512


block in quick proto tcp/udp from any to $B8GDj(BIP/32 port = 3389

# localnet block
block in log quick on ng0 from 192.168.1.0/24 to any group 200

# multicast block
block in log quick on ng0 from 224.0.0.0/4 to any group 200

# smtp allow
pass in quick on ng0 proto tcp from any to any port = 25 flag S keep state group 200

# pop3 allow
pass in quick on ng0 proto tcp from any to any port = 110 flag S keep state group 200

# www allow
pass in quick on ng0 proto tcp from any to any port = 80 flag S keep state group 200

# ssl allow
pass in quick on ng0 proto tcp from any to any port = 443 flag S keep state group 200

# dns allow
pass in quick on ng0 proto tcp from any to any port = 53 flag S keep state group 200
pass in quick on ng0 proto udp from any to any port = 53 flag S keep state group 200

# localnet allows
pass out on bge0  from 192.168.1.0/24 to 192.168.1.0/24 group 350

-----
p.s.

telnet$B$,3+$$$F$$$^$9$,!"30It$+$iMh$^$9$H!"(B/usr/local/bin/sl $B$,Av$j$^$9!#4@(B
ftp$B$O3+$1$F$*$/I,MW$,$"$j$^$9!#(B
sshd$B$OM-8z$K$J$C$F$$$^$;$s!#!J$"$/$^$G(Blocalnet$B$+$i$N(Btelnet$B$N$_$J$N$G!K(B


$B$J$J(B <nana0773@inter7.jp>

