mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-29 12:44:53 +01:00
IP filter Short Guide                                        Dec, 1999
Home page: http://coombs.anu.edu.au/~avalon/ip-filter.html
FTP: ftp://coombs.anu.edu.au/pub/net/ip-filter/
TOYAMA Sumio <sumio@is.s.u-tokyo.ac.jp>
YAMAMOTO Hirotaka <ymmt@is.s.u-tokyo.ac.jp>
-----
Introduction
Installing IP filter on a gateway machine lets you do packet filtering.
The installation procedure is described in INSTALL, so please refer to
that. IP filter version 3.3.5 has been confirmed to work on:
Solaris/Solaris-x86 2.3 - 8 (early access)
SunOS 4.1.1 - 4.1.4
NetBSD 1.0 - 1.4
FreeBSD 2.0.0 - 2.2.8
BSD/OS-1.1 - 4
IRIX 6.2
Note that on a Solaris 7 machine running a 64-bit kernel, a kernel driver
compiled with gcc or the like will not work. In that case, either fetch the
precompiled binary from
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz
(as of 14 December 1999, 3.3.5 has not yet been packaged) or compile it with
Workshop Compiler 5.0 to build a 64-bit driver.
-----
How to write the configuration file
IP filter is configured by specifying whether packets from "which address"
and "which port" to "which address" and "which port" are to be blocked or
passed.
The example below follows the policy that access from outside into the
subnet we manage is blocked entirely, except for a few machines, while
access from inside to the outside is, as a rule, passed through entirely.
In what follows, the managed subnet is taken to be
123.45.1.0/24
in the examples. The 24 is the subnet mask.
The gateway's interfaces are
123.45.1.111 (hme0)
on the LAN side and
123.45.2.10 (hme1)
on the outside.
===================== begin ====================
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
===================== end ====================
First, these rules reject malformed packets. "block" means to block;
conversely, to let a packet through, the action is "pass".
"log" instructs ipf to log packets matching the rule. The log can be read
from the device file /dev/ipl, but since this device is a bounded buffer,
log entries beyond a certain amount are lost.
To read the contents of /dev/ipl, use the ipmon program.
ipmon writes the log to stdout, to syslog, or to an ordinary file. To start
ipmon at boot, put a line like the following in an rc file.
ipmon -n -o I ${IPMONLOG} < /dev/null > /dev/null 2>&1 &
Replace ${IPMONLOG} with a suitable file name. To send the log to syslog,
add the -s option. In that case, edit syslog.conf so that local0.info is
recorded, for example:
local0.info ifdef(`LOGHOST', /var/log/syslog, @loghost)
"quick" means that a packet matching this rule follows the rule's action
(block or pass) without the later rules being examined. There is one
exception, described below.
===================== begin ====================
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
===================== end ====================
Next, the rules are grouped by the interface on which packets are
controlled. Since hme0 is the LAN-side interface, its packets are allowed
immediately (pass quick).
"all" is shorthand for "from any to any".
hme1, the interface to the outside, has its incoming and outgoing packets
classified into groups 100 and 150 respectively. "head" means that packets
matching this rule are handed on to the group with the number that follows.
===================== begin ====================
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
===================== end ====================
Packets with forged IP addresses are rejected immediately. The "group 100"
at the end means the rule only matches packets that were classified by
"head 100".
-----
Up to this point the configuration basically passes traffic within the LAN
but forbids all communication with the outside by default. From here on,
the packets we want to let through are described as exceptions to that
default. First, the settings for connections from inside to outside.
===================== begin ====================
########## OUTGOING
#
## allow ping out
#
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
===================== end ====================
These rules basically allow all packets; only the netbios ports
(137-139/udp, tcp) are forbidden. netbios is the port used by Windows file
sharing, and if it is open, depending on the Windows configuration there is
a risk that files can be read and written from anywhere in the world.
A quick look at the syntax at this point:
* the first word specifies whether to block or pass
* the word after proto specifies the protocol (udp, tcp, icmp, etc.)
* from A to B specifies from where to where the packet is going
* specifying head XXX makes the packets matched by that line available for
reference as group XXX
* specifying group restricts the rules considered to the group (set up
beforehand with head)
A and B in from A to B can be written as an IP address and a port.
from any to any port 136 >< 140
specifies "packets from any address on any port to any address on ports
137 through 139". Instead of a number, you can also write a service name
listed in /etc/services.
For example,
from any to any port = telnet
and
from any to any port = 23
mean the same thing.
Now for the exception to "quick". When a rule carrying "quick" also opens a
new group with "head", the outcome is not yet settled at that point: from
there on, only the rules of the group declared by "head" are processed. So
the two lines above,
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
first pass any UDP packet matching group 150, but still process the rules
belonging to group 160 below; the second line then blocks netbios packets
for group 160. Note that a packet matching the first line ignores any
further group 150 rules that may follow.
----------
Next, the settings for access from outside to inside.
* Routing information (RIP) packets are all allowed.
pass in quick proto udp from any to any port = 520 keep state group 100
* ICMP packets are all allowed.
pass in quick proto icmp from any to any group 100
* To allow ftp from inside to outside, accept arbitrary connections from
the ftp-data port to unprivileged ports. This is how FTP behaves when it
is not in passive mode.
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
However, generally speaking this is somewhat risky. Although the reachable
ports are limited to the unprivileged ports from 1024 up, it is not really
recommended. We recommend leaving this line out and using FTP in passive
mode (entered with the pasv command in ftp). Many recent FTP clients seem
to use passive mode unconditionally from the start anyway.
* When connecting to sendmail or ftpd, the remote side may try to reach
the ident port, so open it. ident is a daemon that is normally not
running, so letting it through does not create a security hole (the
result is just "connection refused"). If it is not opened, the remote side
does not proceed until it times out, so sending FTP or mail can become
extremely slow.
If port 113 does accept connections, we recommend stopping that service
immediately.
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
------
Next, we describe the services for which access from the outside through
the firewall is allowed. First, assign a group number to each host to
which connections from outside are to be allowed.
===================== begin ====================
## grouping by host
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
===================== end ====================
With this,
connections from outside to 123.45.1.X can be referenced as group 110
connections from outside to 123.45.1.Y can be referenced as group 111
To allow further hosts, do the same as above and assign a new number (112,
113, and so on) after head.
Note once more that after a rule in which quick and head appear together,
only the rules of the group declared by head are applied. Therefore rules
that match all internal hosts, such as the ident and ftp data-port rules
above, must be placed before this grouping by host.
We allow telnet, ftp and ssh to X, and ftp, http, smtp and pop to Y.
* Allow telnet to X (group 110)
pass in quick proto tcp from any to any port = telnet keep state group 110
* Allow ftp to X. The ftp-data port is opened as well.
(We have not checked whether this is necessary, but leaving it open should be safe.)
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
* Allow ssh to X.
pass in quick proto tcp from any to any port = 22 keep state group 110
* Allow ftp to Y.
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
Y runs an anonymous ftp server and therefore uses wu-ftpd. wu-ftpd also
supports passive-mode FTP, so which ports to use for PASV must be written
into the wu-ftpd configuration. Here wu-ftpd is configured to use ports
3000 through 3099.
A word on passive FTP. Passive FTP is a protocol developed for the case
where the client is inside a firewall. By default, as explained above, the
data transfer is a connection from the server's ftp-data port to the
client.
In passive FTP the data transfer is also a connection from the client to
the server: the server allocates a suitable port number and instructs the
client to connect to it.
Consequently, when the server is inside a firewall, an arbitrary port
number would be rejected by the firewall. So the wu-ftpd configuration
restricts the range of port numbers it hands out, and the firewall opens a
hole only for that range. For wu-ftpd this is configured in the file
ftpaccess by adding
# passive ports <cidr> <min> <max>
passive ports 0.0.0.0/0 3000 3099
See ftpaccess(5).
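An added check (not from the original guide or from wu-ftpd) that the `passive ports` range and the ipf rule `port 2999 >< 3100` cover the same ports, and whether a given PASV reply lands inside both. The reply lines are constructed, and the ipf bounds are treated as exclusive, as the guide's `><` operator requires.

```python
"""Checks that a wu-ftpd `passive ports` range and the ipf `port LO >< HI`
rule that opens it agree, and whether a given PASV reply lands inside both.
Added example; not part of the original guide. Reply lines are constructed."""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 PASV reply."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftpaccess_ports(line):
    """Ports from a wu-ftpd `passive ports <cidr> <min> <max>` line (inclusive)."""
    _, _, _cidr, lo, hi = line.split()
    return range(int(lo), int(hi) + 1)


def ipf_ports(lo, hi):
    """Ports admitted by an ipf `port LO >< HI` clause (both bounds exclusive)."""
    return range(lo + 1, hi)


def ranges_agree(ftpaccess_line, ipf_lo, ipf_hi):
    """True when every port wu-ftpd may hand out is one the firewall lets in."""
    return set(ftpaccess_ports(ftpaccess_line)) <= set(ipf_ports(ipf_lo, ipf_hi))


def data_connection_allowed(reply, ftpaccess_line, ipf_lo, ipf_hi):
    """Would the client's data connection for this PASV reply get through?"""
    _host, port = parse_pasv(reply)
    return port in ftpaccess_ports(ftpaccess_line) and port in ipf_ports(ipf_lo, ipf_hi)


if __name__ == "__main__":
    # Constructed reply from Y advertising data port 11*256 + 184 = 3000.
    print(parse_pasv("227 Entering Passive Mode (123,45,1,30,11,184)"))
    print(ranges_agree("passive ports 0.0.0.0/0 3000 3099", 2999, 3100))
```

Widening the ftpaccess range without touching the ipf rule (or writing `port 3000 >< 3099`, which admits only 3001-3098) makes `ranges_agree` return False, which is the mismatch a client sees as a hanging directory listing.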
* Allow http to Y.
pass in quick proto tcp from any to any port = 80 keep state group 111
* Allow smtp to Y.
pass in quick proto tcp from any to any port = smtp keep state group 111
* Allow pop to Y.
pass in quick proto tcp from any to any port = 110 keep state group 111
With the above configuration, no connection from outside to any machine
other than X and Y is possible, so measures against remote exploits need
only be taken on X and Y, which reduces the administrative burden.
To pass other protocols, just write the desired port numbers following the
pattern above, but there are a few points to note; please read on.
-----
Other notes
1) When running a service on a machine with several IP addresses, such as
the gateway machine, the port has to be opened for each IP address. For
example, if X has IP:a and IP:b, prepare a group for each of a and b and
add rules for both groups. In the example below, an NNTP server runs on
the gateway machine (which has the IPs 123.45.2.10 and 123.45.1.111).
(Example)
#### grouping by host
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#### allow NNTP
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
In a network with two or more gateways, IP filter is needed on both
gateways and the configuration becomes more complex still. In such an
environment, read the manual and work it out.
2) Because of how their protocols work, NFS and rsh cannot cross the
firewall. We know of no substitute for NFS, but ssh can be used in place
of rsh.
3) Wanting to connect an X client on the outside to an X server inside the
firewall is one of the FAQs. The recommended solution is to use ssh's X
forwarding mechanism. If you can connect with ssh, this is a completely
secure and general method.
If that is not possible, we have users report the pair of hosts they want
to connect and add a rule like the following.
# X:0 corresponds to tcp port 6000.
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
-----
Finally, all remaining packets are blocked; if you want to log every one
of them, add the following rules "at the very end".
## log blocked packets
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
------
A file collecting all of the settings so far is attached at the end.
===================== begin ====================
########## Packet Filtering Rules for 123.45.1. ##########
#
# The following routes should be configured, if not already:
#
# route add 123.45.1.111 localhost 0 (hme0) (LAN)
# route add 123.45.2.10 localhost 0 (hme1) (upstream)
#
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
#
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
#
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
########## OUTGOING
#
## allow ping out
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
#
######### INCOMING
## ICMP
pass in quick proto icmp from any to any group 100
## RIP
pass in quick proto udp from any to any port = 520 keep state group 100
## FTP
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
## IDENT
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
#
## grouping by host (112 & 113 are the gateway addresses)
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#
## telnet, ftp, ssh, www, smtp, pop
pass in quick proto tcp from any to any port = telnet keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
pass in quick proto tcp from any to any port = 22 keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
pass in quick proto tcp from any to any port = 80 keep state group 111
pass in quick proto tcp from any to any port = smtp keep state group 111
pass in quick proto tcp from any to any port = 110 keep state group 111
#
## allow NNTP on the gateway
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
#
## X connections
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
#
## log blocked packets
## THIS MUST BE THE LAST RULE!
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
===================== end ====================
----
Terms of use for this document
Copyright (C) 1999 TOYAMA Sumio <sumio@is.s.u-tokyo.ac.jp>
and YAMAMOTO Hirotaka <ymmt@is.s.u-tokyo.ac.jp>
THIS DOCUMENT IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
Permission to modify this document and to distribute it is hereby
granted, as long as above notices and copyright notice are retained.
$B%[!<%`%Z!<%8: http://coombs.anu.edu.au/~avalon/ip-filter.html
FTP: ftp://coombs.anu.edu.au/pub/net/ip-filter/
$B30;3 $B=c@8 <sumio@is.s.u-tokyo.ac.jp>
$B;3K\ $BBY1' <ymmt@is.s.u-tokyo.ac.jp>
-----
$B$O$8$a$K
IP filter $B$r gateway $B%^%7%s$K%$%s%9%H!<%k$9$k$3$H$G%Q%1%C%H%U%#
$B%k%?%j%s%0$r9T$&$3$H$,$G$-$^$9!#
$B%$%s%9%H!<%k$NJ}K!$O!"INSTALL$B$K=q$$$F$"$k$N$G!"$=$A$i$r;2>H$7$F
$B$/$@$5$$!#IP filter $B$N%P!<%8%g%s 3.3.5 $B$O!"
Solaris/Solaris-x86 2.3 - 8 (early access)
SunOS 4.1.1 - 4.1.4
NetBSD 1.0 - 1.4
FreeBSD 2.0.0 - 2.2.8
BSD/OS-1.1 - 4
IRIX 6.2
$B$GF0:n$9$k$3$H$,3NG'$5$l$F$$$^$9!#
$B$J$*!"64 bit kernel $B$NAv$C$F$k Solaris7 $B%^%7%s$G$O!"gcc $B$H$+$G%3
$B%s%Q%$%k$7$? kernel driver $B$OF0:n$7$^$;$s!#
$B$=$N$h$&$J>l9g$K$O!"precompiled binary $B$r
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz
(1999$BG/12$B7n14$BF|8=:_!"$^$@3.3.5$B$O%Q%C%1!<%8$K$J$C$F$$$^$;$s)
$B$+$i<h$C$F$/$k$+!"Workshop Compiler 5.0 $B$G%3%s%Q%$%k$7$F 64bit
driver $B$r:n$C$F$/$@$5$$!#
-----
$B@_Dj%U%!%$%k$N5-=RJ}K!
IP filter$B$N@_Dj$O!V$I$N%"%I%l%9!W$N!V$I$N%]!<%H!W$+$i!V$I$N%"%I
$B%l%9!W$N!V$I$N%]!<%H!W$X$N%Q%1%C%H$r block $B$9$k$+ pass $B$9$k$+!"
$B$r;XDj$9$k$3$H$G9T$$$^$9!#
$B0J2<$NNc$G$O!"2f!9$,4IM}$7$F$$$k%5%V%M%C%H$h$j30$+$iFb$N%"%/%;%9
$B$O!"0lIt$N%^%7%s$r=|$$$F$OA4$F%V%m%C%/$7!"Fb$+$i30$X$N%"%/%;%9$O!"
$B86B'$H$7$FA4$FAGDL$7$9$k%]%j%7!<$G5-=R$5$l$F$$$^$9!#
$B0J2<!"4IM}$7$F$$$k%5%V%M%C%H$r
123.45.1.0/24
$B$H$7$FNc$r<($7$^$9!#24$B$O%5%V%M%C%H%^%9%/$G$9!#
$B$^$?!"gateway $B$O
123.45.1.111 (hme0)
$B$, LAN$BB&$N%$%s%?!<%U%'!<%9!"
123.45.2.10 (hme1)
$B$,30B&$N%$%s%?!<%U%'!<%9$H$7$^$9!#
===================== $B$3$3$+$i ====================
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
===================== $B$3$3$^$G ====================
$B$^$:$O$3$N%k!<%k$G!"IT@5$J%Q%1%C%H$r$O$M$^$9!#block $B$O block $B$9
$B$k0UL#$G!"H?BP$KDL$9>l9g$O pass $B$H$J$j$^$9!#
log $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$9$k%Q%1%C%H$N%m%0$r<h$k;X<($G
$B$9!#%m%0$O /dev/ipl $B$H$$$&%G%P%$%9%U%!%$%k$+$i%"%/%;%9$G$-$^$9$,!"
$B$3$N%G%P%$%9$O bounded buffer $B$J$N$G!"$"$kDxEY0J>e$N%m%0$O>C$($F
$B$7$^$$$^$9!#
/dev/ipl $B$NFbMF$rFI$_=P$9$K$O ipmon $B$H$$$&%W%m%0%i%`$r;H$$$^$9!#
ipmon $B$O stdout, syslog, $B$b$7$/$ODL>o$N%U%!%$%k$K%m%0$r=PNO$7$^
$B$9!#5/F0;~$K ipmon $B$rN)$A>e$2$k$J$i!"<!$N$h$&$J9T$r rc $B%U%!%$%k
$B$K=q$/$H$h$$$G$7$g$&!#
ipmon -n -o I ${IPMONLOG} < /dev/null > /dev/null 2>&1 &
${IPMONLOG} $B$OE,Ev$J%U%!%$%kL>$KCV49$7$F$/$@$5$$!#syslog $B$K=PNO
$B$9$k>l9g$O!"-s $B%*%W%7%g%s$rIU$1$^$9!#syslog $B$K=PNO$9$k>l9g!"
local0.info $B$r5-O?$9$k$h$&$K syslog.conf $B$rJT=8$7$F$/$@$5$$!#
$BNc$($P!"
local0.info ifdef(`LOGHOST', /var/log/syslog, @loghost)
quick $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$O0J9_$N%k!<%k$r
$BD4$Y$:$K!"%"%/%7%g%s(block or pass)$B$K=>$o$;$k$H$$$&$b$N$G$9!#$?
$B$@$7!"Nc30$,$"$j$^$9!#8e=R$7$^$9!#
===================== $B$3$3$+$i ====================
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
===================== $B$3$3$^$G ====================
$B<!$K@)8f$r$+$1$k%$%s%?!<%U%'!<%9Kh$K%Q%1%C%H$KE,MQ$9$k%k!<%k$rJ,
$BN`$7$^$9!#hme0 $B$O LAN $BB&$N%$%s%?!<%U%'!<%9$J$N$G!"B(:B$K5v2D
(pass quick)$B$7$F$$$^$9!#
all $B$H$$$&$N$O!"from any to any $B$N>JN,7A$G$9!#
$B30It$H$N%$%s%?!<%U%'!<%9$G$"$k hme1 $B$O incoming $B$H outgoing $B$G!"
$B$=$l$>$l group 100 $BHV$H 150 $BHV$KJ,N`$7$^$9!#head $B$H$$$&$N$O!"$3
$B$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$r<!$NHV9f$N%0%k!<%W$KJ,N`$9$k$H$$$&
$B0UL#$G$9!#
===================== $B$3$3$+$i ====================
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
===================== $B$3$3$^$G ====================
IP $B%"%I%l%9$r2~cb$7$?%Q%1%C%H$rB(:B$K5qH]$7$F$$$^$9!#KvHx$N
group 100 $B$H$$$&$N$O head 100 $B$GJ,N`$5$l$?%Q%1%C%H$K$N$_%^%C%A$9
$B$k%k!<%k$H$$$&0UL#$G$9!#
-----
$B$3$3$^$G$G!"4pK\E*$KLAN$BFb$NDL?.$OAGDL$7$@$,30It$H$NDL?.$O%G%U%)
$B%k%H$G0l@Z6X;_$H$$$&@_Dj$K$J$j$^$9!#0J9_$G$O!"$=$N%G%U%)%k%H$KBP
$B$9$kNc30$H$$$&7A$G!"DL$7$?$$%Q%1%C%H$r5-=R$7$F$$$-$^$9!#
$B$^$:!"FbIt$+$i30It$X$N@\B3$K4X$9$k@_Dj$r$7$^$9!#
===================== $B$3$3$+$i ====================
########## OUTGOING
#
## allow ping out
#
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
===================== $B$3$3$^$G ====================
$B$3$l$O4pK\E*$KA4$F$N%Q%1%C%H$r5v$9%k!<%k$G$9!#$7$+$7!"netbios
(137-139/udp, tcp)$B$N%]!<%H$@$1$O6X;_$7$F$$$^$9!#netbios$B$O Windows
$B$N%U%!%$%k6&M-$G;H$o$l$k%]!<%H$G!"$3$N%]!<%H$,3+$$$F$$$k$H!"
Windows$B$N@_Dj$K$h$C$F$O!"@$3&Cf$+$i%U%!%$%k$rFI$_=q$-$G$-$k
$B62$l$,$"$j$^$9!#
$B$3$3$G!"4JC1$K=q<0$r8+$F$*$/$H!"
* $B:G=i$NC18l$G!"block$B$9$k$+pass$B$9$k$+;XDj$9$k
* proto $B$N8e$NC18l$G!"protocol$B$r;XDj$9$k(udp, tcp, icmp, etc.)$B!#
* from A to B $B$G!"$I$3$+$i$I$3$X$N%Q%1%C%H$+$r;XDj$9$k
* head XXX$B$r;XDj$9$k$H!"$=$N9T$G;XDj$5$l$"$?%Q%1%C%H$O!"group
XXX$B$H$7$F;2>H$G$-$k
* group$B$r;XDj$9$k$3$H$G!"5,B'$rE,MQ$9$k8uJd$r($BM=$ahead$B$G@_Dj$7$?)
group$B$K8BDj$G$-$k!#
$B$^$?!"from A to B$B$NA$B$dB$B$O!"IP$B%"%I%l%9$Hport$B$r=q$/$3$H$,$G$-$^$9!#
from any to any port 136 >< 140
$B$H$$$&$N$O!"
$B!VG$0U$N%]!<%H$NG$0U$N%"%I%l%9$+$i!"137$BHV$+$i139$BHV%]!<%H$NG$0U$N
$B%"%I%l%9$X$N%Q%1%C%H!W
$B;XDj$7$F$$$k$3$H$K$J$j$^$9!#$^$?!"HV9f$NBe$o$j$K/etc/service$B$K5-
$B=R$5$l$F$$$k%5!<%S%9L>$r5-=R$9$k$3$H$b$G$-$^$9!#
$B$?$H$($P
from any to any port = telnet
$B$H
from any to any port = 23
$B$OF1$80UL#$H$J$j$^$9!#
$B$5$F!"$3$3$G quick $B$NNc30$r@bL@$7$F$*$-$^$9!#quick $B$NIU$$$?
rule $B$, head $B$G?7$?$J%0%k!<%W$r:n$k>l9g!"=hM}$O$^$@$3$N;~E@
$B$G$O3NDj$7$^$;$s!#0J9_!"!Vhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k!W
$B$N$_=hM}$9$k$H$$$&0UL#$K$J$j$^$9!#$G$9$+$i>e$N!"
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
$B$O!"$^$: 150$BHV%0%k!<%W$K%^%C%A$9$k UDP $B%Q%1%C%H$OAGDL$7
$B$9$k!"$,!"0J2<$N 160$BHV$KB0$9$k%k!<%k$r$^$@=hM}$9$k!#
$B$=$7$F2$B9TL\$G 160$BHV%0%k!<%W$KBP$7$F netbios packet $B$r
block $B$7$F$$$kLu$G$9!#
$B0l9TL\$K%^%C%A$7$?%Q%1%C%H$O0J2<$K$b$7150$BHV$N%0%k!<%W$N
$B%k!<%k$,$"$C$?$H$7$F$b!"L5;k$9$k$3$H$KCm0U$7$F$/$@$5$$!#
----------
$B<!$K!"30It$+$iFbIt$X$N%"%/%;%9$N@_Dj$r$7$^$9!#
* $B%k!<%F%#%s%0>pJs(RIP)$B$N%Q%1%C%H$O!"A4It5v$7$^$9!#
pass in quick proto udp from any to any port = 520 keep state group 100
* ICMP$B$N%Q%1%C%H$OA4It5v$7$^$9!#
pass in quick proto icmp from any to any group 100
* $BFbIt$+$i30It$X$Nftp$B$r5v$9$?$a$K!"ftp-data port$B$+$i0lHL%]!<%H$X
$B$NG$0U$N@\B3$r<u$1IU$1$^$9!#$3$l$Opassive mode$B$G$J$$FTP$B$N5sF0
$B$G$9!#
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
$B$7$+$7!"$3$l$O0lHL$K8@$C$FB?>/4m81$J9T0Y$G$9!#@\B3$G$-$k$N$,
1024$BHV0J9_$N0lHL%]!<%H$K8BDj$O$5$l$^$9$,!"$"$^$j$*4+$a$G$-$^$;$s!#
$B$3$N9T$r2C$($:$K!"passive mode (ftp $B$G pasv $B%3%^%s%I$GF~$l$k)
$B$G FTP $B$r$9$k$3$H$r4+$a$^$9!#$J$*!":G6a$N FTP client $B$O:G=i
$B$+$i passive mode $B$KL5>r7o$G$7$F$7$^$&$b$N$,B?$$$h$&$G$9!#
* sendmail$B$dftpd$B$K7R$0$H!"Aj<j$,ident$B%]!<%H$X%"%/%;%9$7$F$/$k$3
$B$H$,$"$k$N$G!"ident port$B$r3+$1$^$9!#ident $B$ODL>o$O5/F0$5$l$F$$
$B$J$$ daemon $B$J$N$G!"AGDL$7$7$F$b%;%-%e%j%F%#%[!<%k$K$J$k$3$H$O$"
$B$j$^$;$s(connection refused$B$K$J$k$@$1$G$9)$B!#$3$l$r3+$1$J$$$H!"
$BAj<jB&$O timeout $B$9$k$^$G@h$K?J$^$J$$$N$G!"FTP $B$d mail $B$NAw?.
$B$,$d$?$i$KCY$/$J$k$3$H$,$"$j$^$9!#
$B$b$7 113 $BHV%]!<%H$K@\B3$G$-$k$h$&$J$i!"$=$N%5!<%S%9$OB(:B$K
$BDd;_$9$k$3$H$r4+$a$^$9!#
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
------
$B<!$K!"30It$+$i firewall $B$X$N%"%/%;%9$r5v$9%5!<%S%9$r5-=R$7$F$$$-
$B$^$9!#$^$:$O!"30It$+$i$N@\B3$r5v$7$?$$%[%9%H$K$D$$$F!"%0%k!<%WHV
$B9f$r$D$1$^$9!#
===================== $B$3$3$+$i ====================
## grouping by host
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
===================== $B$3$3$^$G ====================
$B$3$l$G!"
$B30It$+$i 123.45.1.X $B$X$N@\B3$O group 110
$B30It$+$i 123.45.1.Y $B$X$N@\B3$O group 111
$B$G;2>H$9$k$3$H$,$G$-$^$9!#
$BB>$K$b5v$7$?$$%[%9%H$rA}$d$7$?$$$H$-$O!">e$HF1MM$K$7$F!"head$B$N8e
$B$K!"?7$7$$?t;z(112, 113$B$J$I)$B$r3d$jEv$F$F$/$@$5$$!#
$B$b$&0lEYCm0U$7$F$*$-$^$9$,!"quick $B$H head $B$,F1;~$K8=$l$k%k!<%k
$B0J9_$G$O!"head $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k$7$+E,MQ$5$l$J$/$J$j
$B$^$9!#$G$9$+$i!">e$N ident $B$d ftp data-port $B$N$h$&$K!"FbIt$N
$BA4$F$N%[%9%H$K%^%C%A$9$k%k!<%k$O!"$3$N%[%9%H$K$h$k%0%k!<%WJ,$1
$B$NA0$KCV$/I,MW$,$"$j$^$9!#
X$B$X$O!"telnet, ftp, ssh $B$r!"Y$B$X$O!"ftp, http, smtp, pop $B$r5v$9$3
$B$H$K$7$^$9!#
* X(group 110)$B$X$Ntelnet$B$r5v$7$^$9
pass in quick proto tcp from any to any port = telnet keep state group 110
* X$B$X$Nftp$B$r5v$7$^$9!#ftp-data port $B$b3+$1$F$*$-$^$9!#
($BI,MW$,$"$k$+$I$&$+3NG'$O$7$F$$$^$;$s$,!"3+$1$F$$$F$b0BA4$G$7$g$&)$B!#
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
* X$B$X$Nssh$B$r5v$7$^$9!#
pass in quick proto tcp from any to any port = 22 keep state group 110
* Y$B$X$Nftp$B$r5v$7$^$9!#
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
Y$B$O anonoymous ftp $B%5!<%P$r1?1D$7$F$$$k$?$a wu-ftpd $B$r;H$C$F$$
$B$^$9!#wu-ftpd $B$O passive mode $B$NFTP$B$K$bBP1~$7$F$$$^$9$N$G!"$I
$B$N%]!<%H$rPASV$BMQ$K;H$&$+!"wu-ftpd $B$N@_Dj$K=q$$$F$*$/I,MW$,$"$j
$B$^$9!#$3$3$G$O3000$B$+$i3099$BHV%]!<%H$r;HMQ$9$k$h$&$K!"wu-ftpd $B$r
$B@_Dj$7$F$$$^$9!#
passive FTP $B$K$D$$$F2r@b$7$^$9!#passive FTP $B$O!"%/%i%$%"%s%H$,
$B%U%!%$%"%&%)!<%k$NFbB&$K$$$k>l9g$N$?$a$K3+H/$5$l$?%W%m%H%3%k$G
$B$9!#%G%U%)%k%H$G$O>e$G@bL@$7$?$h$&$K!"%G!<%?E>Aw$N$?$a!"%5!<%P
$B$N ftp-data port $B$+$i%/%i%$%"%s%H$K@\B3$,$$$-$^$9!#
passive FTP $B$G$O!"%G!<%?E>Aw$b client $B$+$i%5!<%P$K@\B3$9$k$h$&
$B$K$J$j$^$9!#$=$N:]!"%5!<%P$OE,Ev$J%]!<%HHV9f$r3d$j?6$C$F!"$=$3
$B$K%/%i%$%"%s%H$,@\B3$9$k$h$&;X<($7$^$9!#
$B$3$N$?$a!"%5!<%P$,%U%!%$%"%&%)!<%kFb$K$$$k>l9g!"E,Ev$J%]!<%HHV
$B9f$O%U%!%$%"%&%)!<%k$G$O$M$i$l$F$7$^$$$^$9!#$=$3$G!"wu-ftpd $B$N
$B@_Dj$G!"3d$j?6$k%]!<%HHV9f$NHO0O$r8BDj$7$F!"$=$3$@$1%U%!%$%"
$B%&%)!<%k$K7j$r3+$1$F$$$k$o$1$G$9!#wu-ftpd $B$N>l9g$O!"ftpaccess
$B$H$$$&%U%!%$%k$K
# passive ports <cidr> <min> <max>
passive ports 0.0.0.0/0 3000 3099
$B$HDI2C$9$k$3$H$G@_Dj$G$-$^$9!#ftpaccess(5)$B$r;2>H$7$F$/$@$5$$!#
* Y$B$X$Nhttp$B$r5v$7$^$9!#
pass in quick proto tcp from any to any port = 80 keep state group 111
* Y$B$X$Nsmtp$B$r5v$7$^$9!#
pass in quick proto tcp from any to any port = smtp keep state group 111
* Y$B$X$Npop$B$r5v$7$^$9!#
pass in quick proto tcp from any to any port = 110 keep state group 111
$B0J>e$N@_Dj$K$h$j!"X, Y $B0J30$N%^%7%s$X$N!"30It$+$i$N@\B3$O!"0l@Z
$B9T$($J$/$J$j$^$9$N$G!"remote exploit $BBP:v$O!"X, Y $B$K$N$_9T$($P$h
$B$/$J$j!"4IM}$N<j4V$,7Z8:$G$-$^$9!#
$BB>$N%W%m%H%3%k$rDL$9>l9g$b!">e$r;29M$K$7$FDL$7$?$$%]!<%HHV9f$r=q
$B$/$@$1$G$9$,!"$$$/$D$+Cm0UE@$,$"$j$^$9!#0J2<$bL\$rDL$7$F$/$@$5$$!#
-----
$B$=$NB>$NCm0U
1) gateway $B%^%7%s$N$h$&$K!"J#?t$NIP$B%"%I%l%9$r;}$D%^%7%s$G%5!<%S
$B%9$rN)$A>e$2$k>l9g$O!"$=$l$>$l$NIP$B%"%I%l%9$KBP$7$F!"port $B$r3+$/
$BI,MW$,$"$j$^$9!#Nc$($P X $B$, IP:a $B$H IP:b $B$r;}$D$J$i!"group $B$O a,
b $B$=$l$>$lMQ0U$7$F!"N>J}$N%0%k!<%WMQ$K rule $B$rDI2C$9$kI,MW$,$"$j
$B$^$9!#0J2<$NNc$G$O!"%2!<%H%&%'%$%^%7%s(123.45.2.10$B$H123.45.1.111
$B$NIP$B$r;}$D)$B$KNNTP$B%5!<%P$rN)$F$F$$$^$9!#
($BNc)
#### grouping by host
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#### allow NNTP
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
gateway $B$,2$B$D0J>e$"$k%M%C%H%o!<%/$G$O!"N>J}$N gateway $B$K IP
filter $B$,I,MW$K$J$j!"@_Dj$O99$KJ#;($K$J$j$^$9!#$=$N$h$&$J4D6-$N
$B>l9g$K$O!"%^%K%e%"%k$rFI$s$G8!F$$7$F$/$@$5$$!#
2) NFS$B$Hrsh$B$O%W%m%H%3%k$N4X78>e!"firewall$BD6$($OIT2DG=$G$9!#
NFS$B$NBeBX$K$D$$$F$OITL@$G$9$,!"rsh$B$NBeBX$H$7$F$Ossh$B$,;H$($^$9!#
3) $B30It$NX client $B$r!"%U%!%$%"%&%)!<%kFb$NX$B%5!<%P$K@\B3$5$;$?$$!"
$B$H$$$&$N$O FAQ $B$N0l$D$G$9!#$*4+$a$N2r7h:v$O!"ssh $B$N X forwarding
$B5!9=$r;H$&$3$H$G$9!#ssh$B$G@\B3$G$-$k$J$i$P!"$3$l$O40A4$K secure
$B$GHFMQE*$JJ}K!$G$9!#
$B$=$l$,=PMh$J$$>l9g$O!"2f!9$O@\B3$5$;$?$$%[%9%H$N%Z%"$r%f!<%6$KJs
$B9p$7$F$b$i$C$F!"0J2<$N$h$&$J%k!<%k$rDI2C$7$F$$$^$9!#
# X:0 $B$O tcp:6000 $BHV$K$J$j$^$9!#
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
-----
Finally, all remaining packets are blocked anyway, but if you want every one of them to be logged, add the following rules, and add them as the very last rules.
## log blocked packets
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
------
To finish, here is a single file that collects all of the configuration described so far.
===================== BEGIN ====================
########## Packet Filtering Rules for 123.45.1. ##########
#
# The following routes should be configured, if not already:
#
# route add 123.45.1.111 localhost 0 (hme0) (LAN)
# route add 123.45.2.10 localhost 0 (hme1) (upstream)
#
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
#
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
#
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
########## OUTGOING
#
## allow ping out
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
#
######### INCOMING
## ICMP
pass in quick proto icmp from any to any group 100
## RIP
pass in quick proto udp from any to any port = 520 keep state group 100
## FTP
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
## IDENT
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
#
## grouping by host (112 & 113 are the gateway addresses)
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#
## telnet, ftp, ssh, www, smtp, pop
pass in quick proto tcp from any to any port = telnet keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
pass in quick proto tcp from any to any port = 22 keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
pass in quick proto tcp from any to any port = 80 keep state group 111
pass in quick proto tcp from any to any port = smtp keep state group 111
pass in quick proto tcp from any to any port = 110 keep state group 111
#
## allow NNTP on the gateway
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
#
## X connections
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
#
## log blocked packets
## THIS MUST BE THE LAST RULE!
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
===================== END ====================
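The head/group structure from note 1 and the catch-all log rules at the end are easiest to reason about by replaying packets against them. The following is an added example, not code from the guide or from IP Filter: a minimal Python model of ipf's matching order (quick, head, group) run over a subset of the rules above, with service names written as numbers (nntp = 119) and 123.45.1.20 as a constructed stand-in for host X; `keep state`, `flags` and `with` are ignored, so each verdict is for the first packet of a connection.

```python
# Added example (not code from the guide): simulates how ipf walks rules (quick / head / group).
import ipaddress, re
PORT = r"(?: port ((?:[=<>]+ \d+)|(?:\d+ >< \d+)))?"  # "= 119", "> 1023", "136 >< 140"

def parse_rule(line):
    t, m = line.split(), re.search(rf"from (\S+){PORT} to (\S+){PORT}", line)  # m is None for "all"
    nxt = lambda key: t[t.index(key) + 1] if key in t else None  # word following a keyword
    src, sport, dst, dport = m.groups() if m else ("any", None, "any", None)
    return {"action": t[0], "dir": t[1], "quick": "quick" in t, "proto": nxt("proto"), "iface": nxt("on"),
            "head": nxt("head"), "group": nxt("group") or "0", "src": src, "sport": sport, "dst": dst, "dport": dport}

def port_ok(spec, port):  # spec is None, "= 119", "> 1023" or "136 >< 140" (exclusive: 137-139)
    if spec is None or port is None: return spec is None
    p = spec.split()
    return int(p[0]) < port < int(p[2]) if len(p) == 3 else {
        "=": port == int(p[1]), ">": port > int(p[1]), "<": port < int(p[1])}[p[0]]

def matches(r, p):
    in_net = lambda spec, a: spec == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(spec, strict=False)
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and port_ok(r["sport"], p.get("sport")) and port_ok(r["dport"], p.get("dport")))

def evaluate(rules, pkt, group="0"):  # -> (last matching rule or None, True if a quick match ended the walk)
    last = None
    for r in rules:
        if r["group"] != group or not matches(r, pkt): continue
        last = r
        if r["head"] is not None:  # descend into the group this head rule opens
            sub, final = evaluate(rules, pkt, r["head"])
            if final: return sub, True
            last = sub or r  # nothing matched inside the group: the head rule's own action stands
        if r["quick"]: return last, True
    return last, False

def decide(rules, pkt):  # a packet that no rule matched is passed by ipf
    return (evaluate(rules, pkt)[0] or {"action": "pass"})["action"]

# Rules from the guide's final file; 123.45.1.20 is a constructed stand-in for internal host X.
RULES = [parse_rule(l) for l in """
block in on hme1 all head 100
pass in quick on hme0 all
block in log quick from 123.45.1.111/24 to any group 100
block in log quick proto tcp from any to 123.45.1.20 flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
pass in quick proto tcp from any to any port = 22 keep state group 110
pass in quick proto tcp from any to any port = 119 keep state group 112
block in log quick from any to 123.45.1.111/24 group 100
""".strip().splitlines()]
```

decide() returns "pass" for an NNTP SYN to 123.45.2.10, "block" for the same SYN to 123.45.1.20 (the head rule's own action applies when nothing in group 110 matches), and "block" for a packet with a LAN source address arriving on hme1 even to an open port, because the anti-spoofing rule is consulted first.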
----
On the handling of this document
Copyright (C) 1999 TOYAMA Sumio <sumio@is.s.u-tokyo.ac.jp>
and YAMAMOTO Hirotaka <ymmt@is.s.u-tokyo.ac.jp>
THIS DOCUMENT IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
Permission to modify this document and to distribute it is hereby
granted, as long as above notices and copyright notice are retained.