From: moto kawasaki
Date: Thu, 30 Jun 2016 18:05:17 +0900 (JST)
Message-Id: <20160630.180517.2230511729743152378.moto@kawasaki3.org>
To: maruyama@ism.ac.jp
Cc: hirano@t.kanazawa-u.ac.jp, freebsd-users-jp@freebsd.org
In-Reply-To: <54a8b85f-54a4-0761-3acb-5acbcaccc534@t.kanazawa-u.ac.jp>
Subject: [FreeBSD-users-jp 95833] Re: ipfw and DNS

This is Kawasaki.

Sorry, this is just a guess, but how about adding keep-state so that the rule becomes

  00110 allow ip from 133.58.124.49 to any keep-state

# By the way, what does "established" mean for udp, as in rule 1100?

--
moto kawasaki
090-2464-8454

on Thu, 30 Jun 2016 17:39:51 +0900, maruyama@ism.ac.jp (丸山直昌) wrote:

maruyama> Mr. Hirano,
maruyama>
maruyama> This is Maruyama.
maruyama>
maruyama> Thu, 30 Jun 2016 16:12:43 +0900
maruyama> Akihiro HIRANO writes:
maruyama>
maruyama> > If it is no trouble, I think the quickest way is to show us the output of "ipfw list".
maruyama>
maruyama> Yes.
maruyama>
maruyama> Experiment 1 (PC-BSD 10.3)
maruyama> /etc/ipfw.custom    (PC-BSD factory default, contains only comments)
maruyama> /etc/ipfw.openports (PC-BSD factory default, only udp 5353 and tcp 22)
maruyama> /etc/ipfw.rules     (PC-BSD factory default, attached at the end of this mail)
maruyama>
maruyama> # ipfw list
maruyama> 00020 allow ip from any to any via lo0
maruyama> 01000 check-state
maruyama> 01050 allow tcp from any to any established
maruyama> 01100 allow udp from any to any established
maruyama> 02000 allow ip from any to any out keep-state
maruyama> 02050 allow ip6 from any to any out keep-state
maruyama> 02100 allow ipv6-icmp from any to any keep-state
maruyama> 02150 allow icmp from any to any keep-state
maruyama> 10000 allow udp from any to any dst-port 5353 in keep-state
maruyama> 10001 allow tcp from any to any dst-port 22 in keep-state
maruyama> 64000 deny log ip from any to any
maruyama> 65535 allow ip from any to any
maruyama>
maruyama> In this state, "dig @133.58.32.12 ism.ac.jp ns" displays its result normally.
maruyama>
maruyama> Experiment 2 (PC-BSD 10.3)
maruyama> /etc/ipfw.custom
maruyama>   ipfw -q add 110 allow ip from 133.58.124.49 to any
maruyama> and nothing else. Here 133.58.124.49 is the interface that connects to the
maruyama> DNS server 133.58.32.12.
maruyama> /etc/ipfw.openports (PC-BSD factory default, only udp 5353 and tcp 22)
maruyama> /etc/ipfw.rules     (PC-BSD factory default, attached at the end of this mail)
maruyama>
maruyama> # ipfw list
maruyama> 00020 allow ip from any to any via lo0
maruyama> 00110 allow ip from 133.58.124.49 to any
maruyama> 01000 check-state
maruyama> 01050 allow tcp from any to any established
maruyama> 01100 allow udp from any to any established
maruyama> 02000 allow ip from any to any out keep-state
maruyama> 02050 allow ip6 from any to any out keep-state
maruyama> 02100 allow ipv6-icmp from any to any keep-state
maruyama> 02150 allow icmp from any to any keep-state
maruyama> 10000 allow udp from any to any dst-port 5353 in keep-state
maruyama> 10001 allow tcp from any to any dst-port 22 in keep-state
maruyama> 64000 deny log ip from any to any
maruyama> 65535 allow ip from any to any
maruyama>
maruyama> In this case,
maruyama>
maruyama> % dig @133.58.32.12 ism.ac.jp ns
maruyama>
maruyama> ; <<>> DiG 9.10.3-P4 <<>> @133.58.32.12 ism.ac.jp ns
maruyama> ; (1 server found)
maruyama> ;; global options: +cmd
maruyama> ;; connection timed out; no servers could be reached
maruyama>
maruyama> ----------------------------------------------------------------
maruyama> PC-BSD factory default /etc/ipfw.rules
maruyama> ----------------------------------------------------------------
maruyama> #!/bin/sh
maruyama> # To re-apply rules, you can run "sh /etc/ipfw.rules"
maruyama>
maruyama> # Flush out the list before we begin.
maruyama> ipfw -q -f flush
maruyama>
maruyama> # Set rules command prefix
maruyama> cmd="ipfw -q add"
maruyama>
maruyama> # No restrictions on loopback
maruyama> ####################################################################
maruyama> $cmd 00020 allow all from any to any via lo0
maruyama> ####################################################################
maruyama>
maruyama> # Check the state of packets
maruyama> ####################################################################
maruyama> $cmd 01000 check-state
maruyama> $cmd 01050 allow tcp from any to any established
maruyama> $cmd 01100 allow udp from any to any established
maruyama> ####################################################################
maruyama>
maruyama> # Allow all outgoing packets
maruyama> ####################################################################
maruyama> $cmd 02000 allow ip from any to any out keep-state
maruyama> $cmd 02050 allow ip6 from any to any out keep-state
maruyama> $cmd 02100 allow ipv6-icmp from any to any keep-state
maruyama> $cmd 02150 allow icmp from any to any keep-state
maruyama> ####################################################################
maruyama>
maruyama> # Allow specific ports IN now
maruyama> # Add items to /etc/ipfw.openports in the format
maruyama> # {tcp|udp} <port>
maruyama> ####################################################################
maruyama> nextnum=10000
maruyama> if [ -e "/etc/ipfw.openports" ] ; then
maruyama>   while read line
maruyama>   do
maruyama>     # Skip comment lines
maruyama>     echo "$line" | grep -q "^#"
maruyama>     if [ $? -eq 0 ] ; then continue ; fi
maruyama>     proto="`echo $line | awk '{print $1}'`"
maruyama>     port="`echo $line | awk '{print $2}'`"
maruyama>     if [ -z "$proto" -o -z "$port" ] ; then continue ; fi
maruyama>     $cmd $nextnum allow $proto from any to any $port in keep-state
maruyama>     nextnum=`expr $nextnum + 1`
maruyama>   done < /etc/ipfw.openports
maruyama> fi
maruyama> ####################################################################
maruyama>
maruyama> # Allow specific IPs incoming traffic now (Used for jails mainly)
maruyama> # Add items to /etc/ipfw.openip in the format
maruyama> # {ip4|ip6} <ip>
maruyama> ####################################################################
maruyama> nextnum=20000
maruyama> if [ -e "/etc/ipfw.openip" ] ; then
maruyama>   while read line
maruyama>   do
maruyama>     # Skip comment lines
maruyama>     echo "$line" | grep -q "^#"
maruyama>     if [ $? -eq 0 ] ; then continue ; fi
maruyama>     proto="`echo $line | awk '{print $1}'`"
maruyama>     ip="`echo $line | awk '{print $2}'`"
maruyama>     if [ -z "$proto" -o -z "$ip" ] ; then continue ; fi
maruyama>     $cmd $nextnum allow $proto from any to $ip in keep-state
maruyama>     nextnum=`expr $nextnum + 1`
maruyama>   done < /etc/ipfw.openip
maruyama> fi
maruyama> ####################################################################
maruyama>
maruyama>
maruyama> # Deny all other incoming troublemakers
maruyama> ####################################################################
maruyama> $cmd 64000 deny log all from any to any
maruyama> ####################################################################
maruyama>
maruyama> # Check for user custom rules
maruyama> if [ -e "/etc/ipfw.custom" ] ; then
maruyama>   sh /etc/ipfw.custom
maruyama> fi
maruyama>
maruyama> --------
maruyama> 丸山直昌 @ The Institute of Statistical Mathematics
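As an added example (not from the thread or from PC-BSD), a small Python model of ipfw's first-match evaluation with keep-state/check-state dynamic rules, run over the quoted rule set to reproduce experiment 1, experiment 2 and the keep-state suggestion above. The client source port 52000 is a constructed value, and the state table is simplified (no timeouts, no TCP flag tracking).

```python
from collections import namedtuple

# A packet as ipfw sees it; proto is "udp", "tcp" or "icmp", direction "in" or "out".
Packet = namedtuple("Packet", "proto src dst direction sport dport")
# One static rule; proto "ip" and src "any" are wildcards, direction/dport None match anything.
Rule = namedtuple("Rule", "num action proto src direction dport keep_state",
                  defaults=("ip", "any", None, None, False))

def matches(r, p):
    return (r.proto in ("ip", p.proto) and r.src in ("any", p.src)
            and r.direction in (None, p.direction) and r.dport in (None, p.dport))

def flow(p):  # dynamic-rule key: a packet and its reply map to the same key
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class Ipfw:
    """First-match rule evaluation with a dynamic-state table (keep-state / check-state)."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.states = set()

    def evaluate(self, p):
        for r in self.rules:
            if r.action == "check-state":
                if flow(p) in self.states:
                    return ("allow", r.num)  # matched a dynamic rule created by keep-state
                continue
            if matches(r, p):
                if r.keep_state:
                    self.states.add(flow(p))
                return (r.action, r.num)
        return ("allow", 65535)              # default rule 65535

# Stock PC-BSD rules from the quoted "ipfw list"; the lo0, ip6 and established
# rules are left out because they cannot match this IPv4 UDP exchange.
BASE = [Rule(1000, "check-state"),
        Rule(2000, "allow", direction="out", keep_state=True),
        Rule(2150, "allow", proto="icmp", keep_state=True),
        Rule(10000, "allow", proto="udp", direction="in", dport=5353, keep_state=True),
        Rule(10001, "allow", proto="tcp", direction="in", dport=22, keep_state=True),
        Rule(64000, "deny")]
RULE_110 = Rule(110, "allow", src="133.58.124.49")                         # experiment 2
RULE_110_FIXED = Rule(110, "allow", src="133.58.124.49", keep_state=True)  # suggested fix

def dns_lookup(custom_rule=None):
    """Run the dig query and its reply through the rule set; return both verdicts."""
    fw = Ipfw(BASE + ([custom_rule] if custom_rule is not None else []))
    query = Packet("udp", "133.58.124.49", "133.58.32.12", "out", 52000, 53)  # 52000: constructed
    reply = Packet("udp", "133.58.32.12", "133.58.124.49", "in", 53, 52000)
    return fw.evaluate(query), fw.evaluate(reply)
```

Without keep-state, rule 110 answers the outgoing query first, so rule 2000 never creates a dynamic rule and the reply falls through to the 64000 deny; with keep-state on rule 110 the reply is accepted at check-state.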