From owner-FreeBSD-net-jp@jp.freebsd.org  Sat Sep 11 11:28:02 1999
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id LAA72545;
	Sat, 11 Sep 1999 11:28:02 +0900 (JST)
	(envelope-from owner-FreeBSD-net-jp@jp.FreeBSD.org)
Received: from mail.netwave.or.jp (mail.netwave.or.jp [202.214.48.114])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id LAA72540
	for <freebsd-net-jp@jp.freebsd.org>; Sat, 11 Sep 1999 11:28:00 +0900 (JST)
	(envelope-from takesima@mail.netwave.or.jp)
Received: from BLESS (ppp20040.netwave.or.jp [202.214.54.40])
	by mail.netwave.or.jp (8.8.8+2.7Wbeta7/3.6W) with SMTP id LAA06932
	for <freebsd-net-jp@jp.freebsd.org>; Sat, 11 Sep 1999 11:28:55 +0900 (JST)
Message-ID: <001e01befbfd$08af81d0$dd00a8c0@BLESS>
From: "takesima" <takesima@mail.netwave.or.jp>
To: <freebsd-net-jp@jp.freebsd.org>
Date: Sat, 11 Sep 1999 11:25:03 +0900
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Reply-To: FreeBSD-net-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: FreeBSD-net-jp 1895
Subject: [FreeBSD-net-jp 1895] nat+firewall+gateway
 =?ISO-2022-JP?B?GyRCJEskRCQkJEYbKEI=?= help
 =?ISO-2022-JP?B?GyRCISobKEI=?= 
Errors-To: owner-FreeBSD-net-jp@jp.freebsd.org
Sender: owner-FreeBSD-net-jp@jp.freebsd.org
X-Originator: takesima@mail.netwave.or.jp

$BC]Eg(B@$B2,K-IB1!$G$9!#(B

nat+firewall+gateway$B$Gm5$$$F$$$^$9!#(B
$B$h$m$7$/$*4j$$?=$7>e$2$^$9!#(B

$BA4BN?^$G$9!#(B
---ed1$B!J(B192.168.0.2$B!K30It!'(BFreeBSD3.2$B%^%7%s!'FbIt(Bed2$B!J(B192.168.1.2$B!K(B----


$B$=$7$F(B /etc/rc.conf$B$G$9!#(B
 *---------------
 # This file now contains just the overrides from /etc/defaults/rc.conf
 # please make all changes to this file.
 # -- sysinstall generated deltas -- #
 network_interfaces="ed1 ed2 lo0"
 ifconfig_ed1="inet 192.168.0.2  netmask 255.255.255.0"
 ######
 ifconfig_ed2="inet 192.168.1.2  netmask 255.255.255.0"
 ######
 moused_port="/dev/psm0"
 moused_enable="YES"
 ##########################
 defaultrouter="192.168.0.1"
 nfs_server_enable="YES"
 nfs_client_enable="YES"
 ######
 hostname="bsd.hiroyuki.co.jp"
 keymap="jp.106"
 # -- sysinstall generated deltas -- #
 lpd_enable="YES"
 named_enable="YES"
 # -- sysinstall generated deltas -- #
 check_quotas="YES"
 # -- sysinstall generated deltas -- #
 linux_enable="YES"
 ##################
 firewall_enable="YES" # Set to YES to enable firewall functionality
 firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
 firewall_type="simple" #◎"UNKNOWN"- Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO" # Set to YES to suppress rule display
 natd_program="/sbin/natd" # path to natd, if you want a different one.
 natd_enable="YES"                # Enable natd (if firewall_enable == YES).
 natd_interface="ed1"    #◎ Public interface or IPaddress to use.
natd_flags=""     #-m -p natd"   # Additional flags for natd.



 $B$=$7$F(B/etc/rc.firewall$B$N(Bsimple$BItJ,$O0J2<$NDL$j$G$9!#(B
 elif [ "${firewall_type}" = "simple" ]; then
 ############
 # This is a prototype setup for a simple firewall.  Configure this machine
 # as a named server and ntp server, and point all the machines on the inside
 # at this machine for those services.
 ############
 # set these to your outside interface network and netmask and ip
 ############
     iif="ed2"
     inet="192.168.1.0"
     imask="255.255.255.0"
     iip="192.168.1.2"
     # set these to your inside interface network and netmask and ip
     oif="ed1"
     onet="192.168.0.0"
     omask="255.255.255.0"
     oip="192.168.0.2"
 #############
 # Stop spoofing
 $fwcmd add pass all from ${inet}:${imask} to ${iip}  via ${iif}
 $fwcmd add pass all from ${iip} to ${inet}:${imask}  via ${iif}
 $fwcmd add pass all from ${onet}:${omask} to ${oip}  via ${oif}
 $fwcmd add pass all from ${oip} to ${onet}:${omask}  via ${oif}
 ############
     $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
 ###########
     $fwcmd add pass all from any  to 192.168.1.22  via ${oif}
     $fwcmd add pass all from  192.168.1.22 to any  via ${oif}
     # Allow TCP through if setup succeeded
     $fwcmd add pass tcp from any to any established
 # Allow setup of incoming email
 ##    $fwcmd add pass tcp from any to ${oip} 25 setup
 # Allow access to our DNS
 ##    $fwcmd add pass tcp from any to ${oip} 53 setup
 # Allow access to our WWW
 ##    $fwcmd add pass tcp from any to ${oip} 80 setup
     # Reject&Log all setup of incoming connections from the outside
     $fwcmd add deny log tcp from any to any in via ${oif} setup
     # Allow setup of any other TCP connection
     $fwcmd add pass tcp from any to any setup
 # Allow DNS queries out in the world
 ##    $fwcmd add pass udp from any 53 to ${oip}
 ##    $fwcmd add pass udp from ${oip} to any 53
 # Allow NTP queries out in the world
 ##    $fwcmd add pass udp from any 123 to ${oip}
 ##    $fwcmd add pass udp from ${oip} to any 123
     # Everything else is denied as default.


すると以上の設定でどうなったかというと
 ipfw$B!!(B-a$B!!(Blist$B!!$9$k$H$o$+$j$^$7$F!"(B
 $B$^$:(Bnat$B$N$D$b$j(B
 00100 115 7385 divert 8668 ip from any to any via ed1

 00100  64 4368 allow ip from any to any via lo0
 00200   0    0 deny ip from any to 127.0.0.0/8

 それぞれのアドレス空間でイケイケのつもり
 00300   0    0 allow ip from 192.168.1.0/24 to 192.168.1.2 via ed2
 00400   0    0 allow ip from 192.168.1.2 to 192.168.1.0/24 via ed2
 00500   0    0 allow ip from 192.168.0.0/24 to 192.168.0.2 via ed1
 00600   0    0 allow ip from 192.168.0.2 to 192.168.0.0/24 via ed1

 $BKI2PJI$N$D$b$j(B
 00700   0    0 deny ip from 192.168.1.0/24 to any in recv ed1
 00800   8  770 deny ip from 192.168.0.0/24 to any in recv ed2

192.168.1.22のマシンからは、外部へnatでed1（192.168.0.2）に変装して授受して
いるつもり
 00900   0    0 allow ip from any to 192.168.1.22 via ed1
 01000   0    0 allow ip from 192.168.1.22 to any via ed1
 01100   0    0 allow tcp from any to any established
 01200   0    0 deny log tcp from any to any in recv ed1 setup
 01300   0    0 allow tcp from any to any setup
 65535 115 7385 deny ip from any to any
 $B$G$9!#(B
$B$h$m$7$/$*4j$$?=$7>e$2$^$9!#(B

┏◆┏◆┏◆┏◆┏◆┏◆┏◆
$B%a!<%k!'(B takesima@mail.netwave.or.jp
$B%[!<%`JG!'(Bhttp://www.netwave.or.jp/~takesima/


