From: Hiroki Sato <hrs@allbsd.org>
To: matumoto@pluto.ai.kyutech.ac.jp
Cc: freebsd-users-jp@freebsd.org
Date: Tue, 07 Mar 2017 19:48:18 +0900 (JST)
Subject: [FreeBSD-users-jp 96056] Re: A tool that monitors DNS and dynamically adds/deletes ipfw rules
Message-Id: <20170307.194818.1218798633239477588.hrs@allbsd.org>
In-Reply-To: <20170307.182632.2029998101879781962.matumoto@pluto.ai.kyutech.ac.jp>

Ryuji MATSUMOTO wrote in <20170307.182632.2029998101879781962.matumoto@pluto.ai.kyutech.ac.jp>:

ma> > 12340 allow tcp from LOCAL-IP to 192.0.2.1 dst-port 993
ma> > 12341 allow tcp from LOCAL-IP to 192.0.2.2 dst-port 993
(snip)
ma> while(1)
ma> {
ma>     sleep(about an hour);
ma>
ma>     dig +short imap.example.com > ip-list.txt
ma>
ma>     if(the contents of ip-list.txt have changed)
ma>     {
ma>         delete ipfw rules 12340-12341.
ma>         add new rules in place of rules 12340-12341.
ma>     }
ma> }
ma>
ma> I have a feeling a tool that does this sort of thing must exist somewhere.

How about defining a rule like

  12340 allow tcp from LOCAL-IP to table(1) dst-port 993

and running a script like the attached one from cron?

-- Hiroki

Attachment: ipfwtbl_dns.sh

#!/bin/sh
#
# Keep ipfw table TBLNUM in sync with the A records of TARGET.
# The DNS answer and the current table contents are each written, sorted,
# to a FIFO, and join(1) reports the addresses present in only one of them.

TARGET=${1:-imap.example.com}
TBLNUM=1

fifo1="/tmp/ipfwtbl_dns1.$$"
fifo2="/tmp/ipfwtbl_dns2.$$"

rm -f "$fifo1" "$fifo2"
mkfifo -m 0600 "$fifo1" "$fifo2" || exit 1

# host(1) prints "NAME has address A.B.C.D" for each A record; alias and
# error lines have a different third word and are skipped.
host -t A "$TARGET" | while read -r d d TYPE IPADDR; do
	case $TYPE in
	address) echo "$IPADDR" HOST ;;
	esac
done | sort > "$fifo1" &

# "ipfw table N list" prints "A.B.C.D/32 VALUE" per entry; lines starting
# with "-" are the "--- table(N) ---" headers of newer releases.
ipfw table "$TBLNUM" list | while read -r IPADDR d; do
	case $IPADDR in
	-*) ;;
	*/32) echo "${IPADDR%/32}" IPFW ;;
	esac
done | sort > "$fifo2" &

# join on the address column; -v 1 -v 2 keeps only the unpaired lines,
# and the second column tells which side each one came from.
join -v 1 -v 2 "$fifo1" "$fifo2" | while read -r IPADDR MODE; do
	case $MODE in
	HOST)
		# found in DNS but not found in IPFW table
		ipfw table "$TBLNUM" add "$IPADDR/32"
	;;
	IPFW)
		# found in IPFW table but not found in DNS
		ipfw table "$TBLNUM" delete "$IPADDR/32"
	;;
	esac
done

rm -f "$fifo1" "$fifo2"
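As an added example (not the script attached to this mail, nor any FreeBSD project code), the following splits the same reconciliation into functions that can be run offline on constructed host(1) and ipfw(8) output: the function names, the optional command argument to apply_plan and the sample data are this example's own. It adds one guard the attached script does not have: an empty DNS answer is treated as a lookup failure and leaves the table untouched, because applying it would delete every entry and cut off exactly the traffic rule 12340 exists to allow.

```shell
#!/bin/sh
# Added example, not the script attached to the original mail. It isolates the
# reconciliation step (which addresses to add to / delete from the ipfw table)
# so it can be exercised without DNS or ipfw; function names, the optional
# command argument of apply_plan and the sample data are this example's own.

# Extract A-record addresses from host(1) output ("name has address A.B.C.D"),
# ignoring CNAME ("is an alias for") and other lines. Reads stdin.
dns_addresses_from_host_output() {
    awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Extract bare IPv4 addresses from "ipfw table N list" output, which prints
# one "A.B.C.D/32 <value>" entry per line plus "--- table(N) ---" headers on
# newer releases. Non-/32 entries are left alone, as in the original script.
table_addresses_from_ipfw_output() {
    sed -n 's|^\([0-9][0-9.]*\)/32.*$|\1|p'
}

# plan_table_changes DNS_LIST TABLE_LIST
# Both arguments are newline-separated address lists. Prints one
# "add ADDR" or "delete ADDR" line per difference, sorted under LC_ALL=C.
# Returns 2 and prints nothing when DNS_LIST is empty: an empty answer is
# usually a resolver failure, and acting on it would empty the table and
# block exactly the traffic the rule exists to allow.
plan_table_changes() {
    dns_list=$1
    table_list=$2
    if [ -z "$(printf '%s' "$dns_list" | tr -d ' \t\n')" ]; then
        echo "plan_table_changes: empty DNS answer, leaving table untouched" >&2
        return 2
    fi
    {
        printf '%s\n' "$dns_list"   | sed -e '/^$/d' -e 's/$/ HOST/'
        printf '%s\n' "$table_list" | sed -e '/^$/d' -e 's/$/ IPFW/'
    } | awk '
        $2 == "HOST" { dns[$1] = 1 }
        $2 == "IPFW" { tbl[$1] = 1 }
        END {
            for (a in dns) if (!(a in tbl)) print "add " a
            for (a in tbl) if (!(a in dns)) print "delete " a
        }' | LC_ALL=C sort
}

# apply_plan TBLNUM [CMD]: reads plan lines on stdin and issues the matching
# "ipfw table TBLNUM add|delete ADDR/32". Pass "echo" as CMD to rehearse.
apply_plan() {
    tblnum=$1
    cmd=${2:-ipfw}
    while read -r action addr; do
        "$cmd" table "$tblnum" "$action" "$addr/32"
    done
}

# Constructed sample data standing in for the two commands' real output.
SAMPLE_HOST_OUTPUT='imap.example.com is an alias for imap-front.example.com.
imap-front.example.com has address 192.0.2.2
imap-front.example.com has address 192.0.2.3'

SAMPLE_IPFW_OUTPUT='--- table(1), set(0) ---
192.0.2.1/32 0
192.0.2.2/32 0'

# demo: full pipeline on the sample data in rehearsal mode; prints the
# ipfw arguments that would be run, one command per line.
demo() {
    dns=$(printf '%s\n' "$SAMPLE_HOST_OUTPUT" | dns_addresses_from_host_output)
    tbl=$(printf '%s\n' "$SAMPLE_IPFW_OUTPUT" | table_addresses_from_ipfw_output)
    plan_table_changes "$dns" "$tbl" | apply_plan 1 echo
}

demo
```

On the sample data the plan is "add 192.0.2.3" and "delete 192.0.2.1"; 192.0.2.2 is in both lists and is left alone. Forcing LC_ALL=C for the sort matters when the script runs from cron, where the locale can differ from the interactive shell and join(1) or comm(1) would otherwise see inconsistently ordered input.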