From: Akihiro HIRANO <hirano@t.kanazawa-u.ac.jp>
To: freebsd-users-jp@freebsd.org
Date: Thu, 30 Jun 2016 18:11:19 +0900
Message-ID: <6d975439-389e-f2ee-5866-657ce86c1937@t.kanazawa-u.ac.jp>
Subject: [FreeBSD-users-jp 95832] Re: ipfw and DNS

Hirano at Kanazawa University here.

On 2016/06/30 17:39, 丸山直昌 wrote:
> # ipfw list
> 00020 allow ip from any to any via lo0
> 01000 check-state
> 01050 allow tcp from any to any established
> 01100 allow udp from any to any established
> 02000 allow ip from any to any out keep-state
> 02050 allow ip6 from any to any out keep-state
> 02100 allow ipv6-icmp from any to any keep-state
> 02150 allow icmp from any to any keep-state
> 10000 allow udp from any to any dst-port 5353 in keep-state
> 10001 allow tcp from any to any dst-port 22 in keep-state
> 64000 deny log ip from any to any
> 65535 allow ip from any to any
>
> In this state, dig @133.58.32.12 ism.ac.jp ns displays the result normally.

It seems the flow is that the packet carrying the DNS query matches
> 02000 allow ip from any to any out keep-state
and a dynamic rule is then created that allows the rest of the session.

> # ipfw list
> 00020 allow ip from any to any via lo0
> 00110 allow ip from 133.58.124.49 to any
> 01000 check-state
> 01050 allow tcp from any to any established
> 01100 allow udp from any to any established
> 02000 allow ip from any to any out keep-state
> 02050 allow ip6 from any to any out keep-state
> 02100 allow ipv6-icmp from any to any keep-state
> 02150 allow icmp from any to any keep-state
> 10000 allow udp from any to any dst-port 5353 in keep-state
> 10001 allow tcp from any to any dst-port 22 in keep-state
> 64000 deny log ip from any to any
> 65535 allow ip from any to any
>
> At this point,
>
> % dig @133.58.32.12 ism.ac.jp ns

In this case, I suppose the outgoing packet is allowed by
> 00110 allow ip from 133.58.124.49 to any
and nothing further is done, so the return packet is rejected by
> 64000 deny log ip from any to any

I think it would probably work with something like the following in /etc/ipfw.custom:

ipfw -q add 1200 allow ip from 133.58.124.49 to any keep-state

The number could stay at 110, but since I believe the intent is to have already-permitted sessions matched early by check-state and established, I think it is better to put it after those.

[For reference]
http://www.wakhok.ac.jp/~kanayama/semi/bsd/node141.html

----
Akihiro HIRANO @ Kanazawa University, Graduate School of Natural Science and Technology, Division of Electrical Engineering and Computer Science
hirano@t.kanazawa-u.ac.jp
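The behaviour described in this reply (a stateless allow rule placed before check-state shadowing the keep-state rule, so the DNS reply falls through to the final deny) can be reproduced with a toy model of ipfw's first-match evaluation. This is an added illustration, not ipfw's own code and not from the thread; it parses the rule listings quoted above and pushes a constructed DNS query and its reply through them. The ephemeral source port (40001) and interface name (em0) are assumptions for the constructed packets; "established" is modelled as TCP-only, as in ipfw(8).

```python
"""Toy model of ipfw first-match evaluation with keep-state / check-state.
Added illustration only: not ipfw's code; packets below are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" or "out"
    iface: str = "em0"        # assumed interface name
    tcp_ack: bool = False     # TCP ACK/RST set -> matches "established"

@dataclass
class Rule:
    num: int
    action: str               # allow / deny / check-state
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None
    via: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False
    established: bool = False

def parse_rule(line: str) -> Rule:
    """Parse one line of `ipfw list` output (only the subset used in the thread)."""
    toks = line.split()
    r = Rule(int(toks[0]), toks[1])
    toks = toks[2:]
    if r.action == "check-state":
        return r
    if toks[0] == "log":                  # logging does not affect matching
        toks.pop(0)
    r.proto = toks.pop(0)
    assert toks[0] == "from" and toks[2] == "to", line
    r.src, r.dst, toks = toks[1], toks[3], toks[4:]
    while toks:
        t = toks.pop(0)
        if t in ("in", "out"):     r.direction = t
        elif t == "via":           r.via = toks.pop(0)
        elif t == "dst-port":      r.dport = int(toks.pop(0))
        elif t == "keep-state":    r.keep_state = True
        elif t == "established":   r.established = True
        else: raise ValueError(f"unsupported option {t!r} in rule {r.num}")
    return r

class Firewall:
    def __init__(self, listing: str):
        self.rules = sorted((parse_rule(l) for l in listing.strip().splitlines()),
                            key=lambda r: r.num)
        self.dynamic = set()              # dynamic rules keyed by bidirectional flow

    @staticmethod
    def flow(p: Packet) -> frozenset:
        return frozenset({(p.proto, p.src, p.sport, p.dst, p.dport),
                          (p.proto, p.dst, p.dport, p.src, p.sport)})

    @staticmethod
    def static_match(r: Rule, p: Packet) -> bool:
        return (r.proto in ("ip", p.proto) and r.src in ("any", p.src)
                and r.dst in ("any", p.dst) and r.direction in (None, p.direction)
                and r.via in (None, p.iface) and r.dport in (None, p.dport)
                and (not r.established or (p.proto == "tcp" and p.tcp_ack)))

    def evaluate(self, p: Packet):
        """Return (rule number, action) of the deciding rule. The dynamic table
        is consulted once, at the first check-state or keep-state rule reached;
        a static match on a keep-state rule records the flow."""
        checked = False
        for r in self.rules:
            if not checked and (r.action == "check-state" or r.keep_state):
                checked = True
                if self.flow(p) in self.dynamic:
                    return r.num, "allow"
            if r.action == "check-state" or not self.static_match(r, p):
                continue
            if r.keep_state:
                self.dynamic.add(self.flow(p))
            return r.num, r.action
        return 65535, "allow"             # default rule

# Rulesets quoted in the thread (the extra rule is appended; Firewall sorts by number).
BASE_RULES = """\
00020 allow ip from any to any via lo0
01000 check-state
01050 allow tcp from any to any established
01100 allow udp from any to any established
02000 allow ip from any to any out keep-state
02050 allow ip6 from any to any out keep-state
02100 allow ipv6-icmp from any to any keep-state
02150 allow icmp from any to any keep-state
10000 allow udp from any to any dst-port 5353 in keep-state
10001 allow tcp from any to any dst-port 22 in keep-state
64000 deny log ip from any to any
65535 allow ip from any to any
"""
WITH_110 = BASE_RULES + "00110 allow ip from 133.58.124.49 to any\n"
SUGGESTED = BASE_RULES + "01200 allow ip from 133.58.124.49 to any keep-state\n"

def dns_exchange(listing: str):
    """Constructed DNS query 133.58.124.49 -> 133.58.32.12:53 and its reply;
    returns the verdict for each packet from a fresh firewall."""
    fw = Firewall(listing)
    query = Packet("udp", "133.58.124.49", 40001, "133.58.32.12", 53, "out")
    reply = Packet("udp", "133.58.32.12", 53, "133.58.124.49", 40001, "in")
    return fw.evaluate(query), fw.evaluate(reply)

if __name__ == "__main__":
    for name, rs in (("original", BASE_RULES), ("with 110", WITH_110), ("suggested", SUGGESTED)):
        print(name, dns_exchange(rs))
```

With the original listing the query is allowed at 02000 and the reply at 01000 via the dynamic entry; with rule 00110 the query is allowed at 00110 without creating state, so the reply reaches 64000 and is dropped; with the suggested 01200 keep-state rule the reply is again accepted at 01000.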