My name is Kawasaki. Sorry, this is only a guess, but

perhaps keep-state needs to be added so that the rule reads

  00110 allow ip from 133.58.124.49 to any keep-state

# Also, what does "established" mean in the udp case, as in the
# rule at 1100?

-- 
moto kawasaki <[email protected]> 090-2464-8454

on Thu, 30 Jun 2016 17:39:51 +0900, [email protected] (丸山直昌) wrote:

maruyama> Dear Hirano,
maruyama> 
maruyama> This is Maruyama.
maruyama> 
maruyama> Thu, 30 Jun 2016 16:12:43 +0900
maruyama> Akihiro HIRANO <[email protected]> writes:
maruyama> 
maruyama> > If it is no trouble, I think the quickest route is to show us the output of "ipfw list".
maruyama> 
maruyama> Yes.
maruyama> 
maruyama> Experiment 1 (PC-BSD 10.3)
maruyama> /etc/ipfw.custom    (PC-BSD default; contains only comments)
maruyama> /etc/ipfw.openports (PC-BSD default; only udp 5353 and tcp 22)
maruyama> /etc/ipfw.rules     (PC-BSD default; included at the end of this mail)
maruyama> 
maruyama> # ipfw list
maruyama> 00020 allow ip from any to any via lo0
maruyama> 01000 check-state
maruyama> 01050 allow tcp from any to any established
maruyama> 01100 allow udp from any to any established
maruyama> 02000 allow ip from any to any out keep-state
maruyama> 02050 allow ip6 from any to any out keep-state
maruyama> 02100 allow ipv6-icmp from any to any keep-state
maruyama> 02150 allow icmp from any to any keep-state
maruyama> 10000 allow udp from any to any dst-port 5353 in keep-state
maruyama> 10001 allow tcp from any to any dst-port 22 in keep-state
maruyama> 64000 deny log ip from any to any
maruyama> 65535 allow ip from any to any
maruyama> 
maruyama> In this state, dig @133.58.32.12 ism.ac.jp ns displays the result normally.
maruyama> 
maruyama> Experiment 2 (PC-BSD 10.3)
maruyama> /etc/ipfw.custom contains only
maruyama>   ipfw -q add 110 allow ip from 133.58.124.49 to any
maruyama> Here 133.58.124.49 is the interface that connects to the DNS server
maruyama> 133.58.32.12.
maruyama> /etc/ipfw.openports (PC-BSD default; only udp 5353 and tcp 22)
maruyama> /etc/ipfw.rules     (PC-BSD default; included at the end of this mail)
maruyama> 
maruyama> # ipfw list
maruyama> 00020 allow ip from any to any via lo0
maruyama> 00110 allow ip from 133.58.124.49 to any
maruyama> 01000 check-state
maruyama> 01050 allow tcp from any to any established
maruyama> 01100 allow udp from any to any established
maruyama> 02000 allow ip from any to any out keep-state
maruyama> 02050 allow ip6 from any to any out keep-state
maruyama> 02100 allow ipv6-icmp from any to any keep-state
maruyama> 02150 allow icmp from any to any keep-state
maruyama> 10000 allow udp from any to any dst-port 5353 in keep-state
maruyama> 10001 allow tcp from any to any dst-port 22 in keep-state
maruyama> 64000 deny log ip from any to any
maruyama> 65535 allow ip from any to any
maruyama> 
maruyama> At this point,
maruyama> 
maruyama> % dig @133.58.32.12 ism.ac.jp ns
maruyama> 
maruyama> ; <<>> DiG 9.10.3-P4 <<>> @133.58.32.12 ism.ac.jp ns
maruyama> ; (1 server found)
maruyama> ;; global options: +cmd
maruyama> ;; connection timed out; no servers could be reached
maruyama> 
maruyama> ----------------------------------------------------------------
maruyama> PC-BSD default /etc/ipfw.rules
maruyama> ----------------------------------------------------------------
maruyama> #!/bin/sh
maruyama> # To re-apply rules, you can run "sh /etc/ipfw.rules"
maruyama> 
maruyama> # Flush out the list before we begin.
maruyama> ipfw -q -f flush
maruyama> 
maruyama> # Set rules command prefix
maruyama> cmd="ipfw -q add"
maruyama> 
maruyama> # No restrictions on loopback
maruyama> ####################################################################
maruyama> $cmd 00020 allow all from any to any via lo0
maruyama> ####################################################################
maruyama> 
maruyama> # Check the state of packets
maruyama> ####################################################################
maruyama> $cmd 01000 check-state
maruyama> $cmd 01050 allow tcp from any to any established
maruyama> $cmd 01100 allow udp from any to any established
maruyama> ####################################################################
maruyama> 
maruyama> # Allow all outgoing packets
maruyama> ####################################################################
maruyama> $cmd 02000 allow ip from any to any out keep-state
maruyama> $cmd 02050 allow ip6 from any to any out keep-state
maruyama> $cmd 02100 allow ipv6-icmp from any to any keep-state
maruyama> $cmd 02150 allow icmp from any to any keep-state
maruyama> ####################################################################
maruyama> 
maruyama> # Allow specific ports IN now
maruyama> # Add items to /etc/ipfw.openports in the format
maruyama> # {tcp|udp} <portnum>
maruyama> ####################################################################
maruyama> nextnum=10000
maruyama> if [ -e "/etc/ipfw.openports" ] ; then
maruyama>   while read line
maruyama>   do
maruyama>     echo $line | grep -q "^#"
maruyama>     if [ $? -eq 0 ] ; then continue ; fi
maruyama>     proto="`echo $line | awk '{print $1}'`"
maruyama>     port="`echo $line | awk '{print $2}'`"
maruyama>     if [ -z "$proto" -o -z "$port" ] ; then continue ; fi
maruyama>     $cmd $nextnum allow $proto from any to any $port in keep-state
maruyama>     nextnum=`expr $nextnum + 1`
maruyama>   done < /etc/ipfw.openports
maruyama> fi
maruyama> ####################################################################
maruyama> 
maruyama> # Allow specific IPs incoming traffic now (Used for jails mainly)
maruyama> # Add items to /etc/ipfw.openip in the format
maruyama> # {ip4|ip6} <ip>
maruyama> ####################################################################
maruyama> nextnum=20000
maruyama> if [ -e "/etc/ipfw.openip" ] ; then
maruyama>   while read line
maruyama>   do
maruyama>     echo $line | grep -q "^#"
maruyama>     if [ $? -eq 0 ] ; then continue ; fi
maruyama>     proto="`echo $line | awk '{print $1}'`"
maruyama>     ip="`echo $line | awk '{print $2}'`"
maruyama>     if [ -z "$proto" -o -z "$ip" ] ; then continue ; fi
maruyama>     $cmd $nextnum allow $proto from any to $ip in keep-state
maruyama>     nextnum=`expr $nextnum + 1`
maruyama>   done < /etc/ipfw.openip
maruyama> fi
maruyama> ####################################################################
maruyama> 
maruyama> 
maruyama> # Deny all other incoming troublemakers
maruyama> ####################################################################
maruyama> $cmd 64000 deny log all from any to any
maruyama> ####################################################################
maruyama> 
maruyama> # Check for user custom rules
maruyama> if [ -e "/etc/ipfw.custom" ] ; then
maruyama>   sh /etc/ipfw.custom
maruyama> fi
maruyama> 
maruyama> --------
maruyama> 丸山直昌@統計数理研究所 (Naomasa Maruyama, The Institute of Statistical Mathematics)
_______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-users-jp To unsubscribe, send any mail to "[email protected]"
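The following is an added example and is not part of either mail, nor of PC-BSD or FreeBSD code. Since ipfw itself cannot be exercised offline, it is a small Python model of the first-match evaluation of the rules quoted in the thread, covering only the keywords that appear in the posted "ipfw list" output: check-state, keep-state, established, dst-port, in/out, and the log option of rule 64000. Rule 20 ("via lo0") is left out because "via" is not modelled and it cannot match packets on the DNS-facing interface. It runs the same UDP DNS exchange for all three rulesets in play: the stock PC-BSD set (experiment 1), the set with the stateless rule 110 (experiment 2), and rule 110 with keep-state added (Kawasaki's guess). The source port 52000 is a constructed value. "established" is modelled as ipfw(8) documents it, TCP only with RST or ACK set; dynamic-rule lifetimes, the parent-rule action lookup on a check-state hit, and IPv6 are not modelled.

```python
"""Toy first-match model of the ipfw ruleset posted in this thread (an added
example, not code from the mail or from FreeBSD/PC-BSD).  Only keywords from the
posted "ipfw list" output are modelled; port 52000 is a constructed source port."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    direction: str                  # "in" or "out"
    tcp_flags: FrozenSet[str] = frozenset()

@dataclass
class Rule:
    num: int
    action: str                     # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    established: bool = False
    keep_state: bool = False

def parse_rule(line: str) -> Rule:  # one "ipfw list" line, thread subset only
    toks = line.split()
    rule = Rule(num=int(toks[0]), action=toks[1])
    if rule.action == "check-state":
        return rule
    i = 3 if toks[2] == "log" else 2          # "deny log ip": log is not a match option
    rule.proto, i = toks[i], i + 1
    while i < len(toks):
        t = toks[i]
        if t == "from":          rule.src = toks[i + 1]; i += 2
        elif t == "to":          rule.dst = toks[i + 1]; i += 2
        elif t == "dst-port":    rule.dport = int(toks[i + 1]); i += 2
        elif t in ("in", "out"): rule.direction = t; i += 1
        elif t == "established": rule.established = True; i += 1
        elif t == "keep-state":  rule.keep_state = True; i += 1
        else: raise ValueError(f"rule {rule.num}: unsupported keyword {t!r}")
    return rule

def flow_key(p: Packet) -> Tuple[str, FrozenSet[Tuple[str, int]]]:
    # Direction-independent key for the dynamic (keep-state) table.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def matches(r: Rule, p: Packet) -> bool:
    # ipfw(8): "established" is TCP-only (RST or ACK set); "udp ... established" never matches.
    return (r.proto in ("ip", p.proto)         # ip6/ipv6-icmp never match IPv4 here
            and r.src in ("any", p.src) and r.dst in ("any", p.dst)
            and r.dport in (None, p.dport) and r.direction in (None, p.direction)
            and (not r.established
                 or (p.proto == "tcp" and bool(p.tcp_flags & {"ACK", "RST"}))))

def evaluate(rules: List[Rule], p: Packet, state: Set) -> Tuple[int, str]:
    # First match wins; returns (rule number, action) taken for the packet.
    for r in rules:
        if r.action == "check-state":
            if flow_key(p) in state:           # dynamic rule created by an allow rule
                return r.num, "allow"
            continue
        if not matches(r, p):
            continue
        if r.keep_state:                       # remember the flow so the reply gets in
            state.add(flow_key(p))
        return r.num, r.action
    return 65535, "allow"                      # default rule as shown in the thread

def dns_exchange(ruleset: str):  # the dig query from 133.58.124.49 to 133.58.32.12:53 and its reply
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
    state: Set = set()
    query = Packet("udp", "133.58.124.49", "133.58.32.12", 52000, 53, "out")
    reply = Packet("udp", "133.58.32.12", "133.58.124.49", 53, 52000, "in")
    return evaluate(rules, query, state), evaluate(rules, reply, state)

STOCK = """
01000 check-state
01050 allow tcp from any to any established
01100 allow udp from any to any established
02000 allow ip from any to any out keep-state
02050 allow ip6 from any to any out keep-state
02100 allow ipv6-icmp from any to any keep-state
02150 allow icmp from any to any keep-state
10000 allow udp from any to any dst-port 5353 in keep-state
10001 allow tcp from any to any dst-port 22 in keep-state
64000 deny log ip from any to any
65535 allow ip from any to any
"""
EXPERIMENT1 = STOCK  # stock PC-BSD rules from the thread; rule 20 "via lo0" omitted (cannot match here)
EXPERIMENT2 = "00110 allow ip from 133.58.124.49 to any\n" + STOCK
FIXED = "00110 allow ip from 133.58.124.49 to any keep-state\n" + STOCK

if __name__ == "__main__":
    for name, rs in (("exp1", EXPERIMENT1), ("exp2", EXPERIMENT2), ("fixed", FIXED)):
        print(name, "query/reply ->", dns_exchange(rs))
```

Running it shows the mechanism behind the timeout: in experiment 2 the outgoing query is accepted by rule 110, which sits before rule 2000 and carries no keep-state, so no dynamic entry is created; the reply then finds nothing at check-state, cannot match "udp ... established" (TCP-only), is not outbound, and is not destined to port 5353 or 22, so it ends at 64000 deny. With keep-state on rule 110 (or with no rule 110, as in experiment 1) the reply is admitted by check-state. The general point: any stateless allow placed ahead of the check-state/keep-state rules silently bypasses the stateful filtering for the traffic it matches.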
