From owner-FreeBSD-net-jp@jp.freebsd.org  Sun Oct  7 09:34:46 2001
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id JAA95035;
	Sun, 7 Oct 2001 09:34:46 +0900 (JST)
	(envelope-from owner-FreeBSD-net-jp@jp.FreeBSD.org)
Received: from serv1.u-netsurf.ne.jp (serv1.u-netsurf.ne.jp [202.233.0.133])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id JAA95030
	for <FreeBSD-net-jp@jp.FreeBSD.org>; Sun, 7 Oct 2001 09:34:46 +0900 (JST)
	(envelope-from griffon@dp.u-netsurf.ne.jp)
Received: from mirage (fcbd2.osk.ppp.u-netsurf.ne.jp [210.166.203.210])
	by serv1.u-netsurf.ne.jp (3.7Wpl2-2.288(01/10/06)) with SMTP id JAA14254
	for <FreeBSD-net-jp@jp.FreeBSD.org>; Sun, 7 Oct 2001 09:38:28 +0900 (JST)
Message-Id: <200110070038.JAA14254@serv1.u-netsurf.ne.jp>
X-My-Real-Login-Name: griffon; mail.u-netsurf.ne.jp
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-2022-jp
X-Mailer: Denshin 8 Go V32.1.3.1
Date: Sun, 07 Oct 2001 09:34:45 +0900
From: "R.Nakatsukasa" <griffon@dp.u-netsurf.ne.jp>
To: FreeBSD-net-jp@jp.FreeBSD.org
Reply-To: FreeBSD-net-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+010328
X-Sequence: FreeBSD-net-jp 3370
Subject: [FreeBSD-net-jp 3370] ppp + natd + ipfw
 =?ISO-2022-JP?B?GyRCJEc9UExhJGolUSUxJUMlSCQsTGEkQyRGJDMbKEI=?=
 =?ISO-2022-JP?B?GyRCJEokJBsoQg==?=
Errors-To: owner-FreeBSD-net-jp@jp.freebsd.org
Sender: owner-FreeBSD-net-jp@jp.freebsd.org
X-Originator: griffon@dp.u-netsurf.ne.jp

$B=i$a$^$7$F!$CfL3(B ($B$J$+$D$+$5(B) $B$H?=$7$^$9!%(B

$B$9$_$^$;$s$,$4<ALd$,$"$j$^$9!%(B
$BD9J8$G?=$7LuM-$j$^$;$s$,$h$m$7$/$*4j$$$7$^$9!%(B

$B8=:_0J2<$N$h$&$J%M%C%H%o!<%/$r<+Bp$G9=C[$7$F$$$k$N$G$9$,!$<+J,$N@_Dj(B
$B$,0-$$$N$+!$$=$l$H$b;EMM$J$N$+$o$+$j$^$;$s$,!$La$C$F$/$k$O$:$N%Q%1%C(B
$B%H$,$J$<$+La$C$F$-$^$;$s!%(B

$B>\$7$/?=$7$^$9$H!$(BLAN $BFb$N(B PC (192.168.1.0/24) $B$+$i%0%m!<%P%k(B IP $B$r(B
$B;XDj$7$F!$(Bnatd.conf $B$G;XDj$7$?(B redirect_port $B$K;XDj$5$l$?%5!<%P!<(B
(192.168.1.10) $B$r8+$5$;$h$&$H;W$&$N$G$9$,!$%/%i%$%"%s%H(B PC $B$G%0%m!<(B
$B%P%k(B IP $B%"%I%l%9$rC!$$$F$b5"$C$F$3$:$K(B connection refused $B$K$J$C$F$7(B
$B$^$$$^$9!%(B

tcpdump $B$d(B natd -v$B!$(Bipfw $B$N%m%0$rD/$a$F$$$k$H!$30$+$i$O$A$c$s$HFbB&(B
$B$N%5!<%P!<$K%Q%1%C%H$,FO$$$F$$$k$h$&$J$N$G$9$,!$FbB&$N%/%i%$%"%s%H$+(B
$B$i%0%m!<%P%k(B IP $B%"%I%l%9$rC!$/$H!$$I$&$b(B tun0 $B$G;_$^$C$F$$$k$h$&$G(B
$B$9!%(B
($B$*$+$7$$$H;W$C$F(B SSH $B$r;H$C$F7R$$$G$_$k$H(B FreeBSD $B%k!<%?!<$K7R$,$j(B
$B$^$7$?(B)

$B8D?ME*$K$O(B tun0 $B$KFO$$$?%Q%1%C%H$O(B NAT $B$G%0%m!<%P%k(B IP $B%"%I%l%9$KJQ(B
$B49$5$l!$(Bredirect_port $B$G;XDj$5$l$?%]!<%H$K7R$$$G$k$N$GFbB&$N%5!<%P!<(B
$B$KLa$C$F$/$k$H;W$C$?$N$G$9$,!&!&!&!%(B

$B$J$s$H$+$7$FFbB&$N%/%i%$%"%s%H(B PC $B$G%0%m!<%P%k(B IP $B$r;XDj$7$FFbB&$N%5(B
$B!<%P!<$K%Q%1%C%H$r$D$l$F$-$?$$$N$G$9$,!$2?$+CN7C$O$4$6$$$^$;$s$G$7$g(B
$B$&$+!%(B

$B$J$*!$(Bipfw $B$N@_Dj$r(B firewall_type="open" $B$K$7$F$b>u67$OJQ$o$j$^$;$s(B
$B$G$7$?!%(B

$B?=$7Lu$4$6$$$^$;$s$,$465<x$$$?$@$1$l$P9,$$$KA[$$$^$9!%(B

# $B$d$d$3$7$/$F$9$_$^$;$s!%(B
# $B$I$&$7$F$b%0%m!<%P%k(B IP $B%"%I%l%9$r;}$C$?L>A0$GFbB&$N%5!<%P!<$r8+$J(B
# $B$$$HBLL\$J%9%/%j%W%H$,$"$k$N$G!&!&!&!%(B


[ $B%M%C%H%o!<%/9=@.(B ]

$B!&(Bed0 $B!'FbIt@\B3MQ%$%s%?!<%U%'%$%9(B
$B!&(Bed1 $B!'30It@\B3MQ%$%s%?!<%U%'%$%9(B
$B!&(Btun0$B!'%@%$%"%k%"%C%WMQ2>A[%$%s%?!<%U%'%$%9(B (?)

$B!{%U%l%C%D(B ADSL $B$K$h$k%W%m%P%$%@$H$N@\B3!%(B
$B!{%0%m!<%P%k(B IP $B%"%I%l%9$O%W%m%P%$%@$+$iF0E*G[I[!%?^Cf$G$O(B
$B!!(BXXX.XXX.XXX.XXX $B$,$=$l$H$J$k!%(B
$B!{FbB&$N%/%i%$%"%s%H$O(B 192.168.1.10 $B%5!<%P!<$N(B DNS $B$r0z$$$F$$$k$,!$(B
$B!!$3$3$K:\$C$F$$$J$$L>A0$O30$N(B DNS $B$r8+$K9T$/!%(B
$B!{(BFreeBSD router $B$G$O(B ipfw$B!$(Bppp$B!$(Bnatd$B!$(Bssh $B$N$_;HMQ$7$F$$$k!%(Binetd
$B!!$OL$;HMQ!%(B

                +----------+        +--------------+       +--------------+
$B%$%s%?!<%M%C%H"+(B|ADSL$B%b%G%`(B|-[tun0]-|FreeBSD router|-[ed0]-|192.168.1.0/24|
                +----------+  (ed1) +--------------+       +--------------+


[ ifconfig -a $B7k2L(B ]

ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:60:67:60:15:3f
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:40:26:60:c9:2c
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
ed3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:40:26:14:24:a9
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8000<MULTICAST> mtu 1500
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1454
        inet XXX.XXX.XXX.XXX --> YYY.YYY.YYY.YYY netmask 0xffffff00
        Opened by PID 1683


[ /etc/natd.conf ]

# natd(8) configuration as quoted in the report.  Rule numbers below refer to
# the "ipfw list" output in the same message.  Lines starting with '#' are
# reviewer annotations.
use_sockets no
# deny_incoming no: per natd(8), inbound packets on tun0 that have no entry
# in the alias table are NOT rejected here; they are handed on un-translated
# (i.e. to the router's own stack), so the ipfw rules are all that stops them.
deny_incoming   no
same_ports yes
# Must match the divert rule (00900 "divert 8668" in the ipfw listing).
port 8668
# Only RFC 1918 / unregistered source addresses are translated.
unregistered_only yes
# Follow the (dynamically assigned) address of the ADSL interface.
dynamic yes
# punch_fw basenumber:count -- natd inserts ipfw rules 60000-60499 to let
# FTP-data / IRC DCC sessions through.
# NOTE(review): rule 09900 "deny log tcp from any to any" is evaluated before
# that range, so punched rules can never match and this line is inert as the
# ruleset stands.  If it is ever made effective, bear in mind that the holes
# are opened on the basis of peer-supplied PORT/DCC payloads.
punch_fw 60000:500
# Inbound forwarding to the internal server 192.168.1.10.
# NOTE(review): the 20-25 range also forwards 23 (telnet) and 24; only ipfw
# rule 09900 keeps them closed.  Listing the served ports individually
# (20, 21, 22, 25) is the safer form.
# NOTE(review): redirect_port only rewrites packets that pass through the
# divert rule.  The LAN client's connection to XXX.XXX.XXX.XXX never reaches
# natd at all (natd -v logs nothing for that case), so these entries do not
# give LAN clients "NAT loopback" to the server via the global address; have
# the internal DNS on 192.168.1.10 return the private address instead.
redirect_port tcp 192.168.1.10:20-25 20-25
redirect_port tcp 192.168.1.10:80 80
redirect_port tcp 192.168.1.10:110 110
redirect_port tcp 192.168.1.10:443 443
redirect_port tcp 192.168.1.10:7000-7500 7000-7500
redirect_port udp 192.168.1.10:7000-7500 7000-7500


[ ipfw list $B7k2L(B ]

# Ruleset as printed by "ipfw list".  Rules are evaluated in ascending number
# order and the first match wins.  Lines starting with '#' are reviewer
# annotations; the rules themselves are unchanged.
# NOTE(review): unrestricted ICMP in both directions (echo, redirect, ...);
# a tighter ruleset names the icmptypes it actually needs.
00100 allow icmp from any to any
00200 allow ip from any to any via lo0
# Non-initial IP fragments on the ADSL link are dropped (tun0 mtu is 1454,
# so fragmented traffic is not unlikely on this link).
00300 deny log ip from any to any via tun0 frag
# Everything on the LAN interface is accepted, in both directions, BEFORE the
# divert rule (00900).  Two consequences visible in the report:
#  - a LAN packet addressed to the router's own global address
#    (XXX.XXX.XXX.XXX on tun0) is accepted by 00400, delivered to the router's
#    own stack and never reaches natd -- nothing listens on :80 there, hence
#    the RST / "Connection refused" in the ed0 tcpdump and the empty natd -v
#    log for the client test;
#  - a reply from 192.168.1.10 arriving on ed0 is accepted by 00400 without
#    being un-translated, which is consistent with the RST the router itself
#    sent in its own telnet test.
# redirect_port therefore never acts on LAN-originated traffic.  The usual fix
# is split DNS (the internal DNS on 192.168.1.10 answers with the private
# address for the server's name), not reordering these two rules.
00400 allow ip from 192.168.1.0/24 to any via ed0
00410 allow ip from any to 192.168.1.0/24 via ed0
# Anti-spoofing: private and loopback sources must not arrive from the ADSL
# side.  NOTE(review): only 192.168.1.0/24 and 127/8 are checked; other
# RFC 1918 ranges (10/8, 172.16/12) received on tun0 are not rejected here.
00500 deny log ip from 192.168.1.0/24 to any recv tun0
00510 deny log ip from 127.0.0.1 to any recv tun0
00520 deny log ip from any to 127.0.0.0/8
00530 deny log ip from 127.0.0.0/8 to any
# NetBIOS/SMB blocked in both directions; placed before NAT so it applies on
# both the tun0 and the ed0 side.
00600 deny log tcp from any 137-139,445 to any
00610 deny log udp from any 137-139,445 to any
00620 deny log tcp from any to any 137-139,445
00630 deny log udp from any to any 137-139,445
# Hand the packet to natd (8668 matches "port 8668" in natd.conf).  Because
# of 00400/00410 only tun0 traffic and locally generated packets get here;
# the rules below see the translated addresses.
00900 divert 8668 ip from any to any
# NOTE(review): stateless "established" matches any TCP segment with ACK or
# RST set, whatever its direction.  An inbound segment with ACK set therefore
# bypasses the per-service rules below and, since natd.conf has
# deny_incoming=no, is delivered un-translated to the router's own stack
# (the classic ACK-scan weakness of this construct).
01000 allow tcp from any to any established
# All outbound traffic on the ADSL link is permitted without restriction.
01010 allow ip from any to any out xmit tun0
# NOTE(review): 01310, 01600, 01700 and 02000 allow on SOURCE port alone, so
# an external host reaches any UDP port on the router simply by sending from
# port 53, 123 or 161 (4000 only when received on tun0).  Outbound UDP is
# already tracked by the keep-state/check-state pair at 20000/20010; these
# reply-by-source-port rules can be dropped in favour of it.
01300 allow udp from any to any 53
01310 allow udp from any 53 to any
# Inbound services on the internal server (destination already rewritten by
# natd per redirect_port).  Only the SYN ("setup") is matched here; the rest
# of each connection passes via 01000.
01400 allow tcp from any to 192.168.1.10 80 setup
01410 allow tcp from any to 192.168.1.10 443 setup
01500 allow tcp from any to 192.168.1.10 25 setup
01600 allow udp from any 123 to any
01700 allow udp from any 161 to any
01800 allow tcp from any to 192.168.1.10 110 setup
# FTP control (21) and data (20) ports on the internal server.
# NOTE(review): 01910 and 01930 are dead rules -- FTP does not use UDP, and
# natd.conf only redirects TCP 20-25 to 192.168.1.10, so no UDP packet ever
# carries this destination after translation.
01900 allow tcp from any to 192.168.1.10 20 setup
01910 allow udp from any to 192.168.1.10 20
01920 allow tcp from any to 192.168.1.10 21 setup
01930 allow udp from any to 192.168.1.10 21
# Purpose of source port 4000 is not stated in the report -- confirm with the
# owner before keeping it.
02000 allow udp from any 4000 to any in recv tun0
# SSH on the internal server is reachable from the Internet (port 22 falls
# inside the 20-25 redirect in natd.conf).
02100 allow tcp from any to 192.168.1.10 22 setup
# Final TCP deny.  NOTE(review): this precedes the 60000-60499 range used by
# "punch_fw 60000:500" in natd.conf, so the rules natd punches for FTP-data /
# IRC DCC can never be reached.
09900 deny log tcp from any to any
# Stateful handling of the remaining (outbound) UDP, then deny everything else.
20000 allow udp from any to any keep-state out xmit tun0
20010 check-state
20020 deny log udp from any to any
65535 deny ip from any to any


[ netstat -rn $B7k2L(B ]

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            YYY.YYY.YYY.YYY    UGSc        2     2479     tun0
127.0.0.1          127.0.0.1          UH          0        8      lo0
192.168.1          link#1             UC          0        0      ed0 =>
YYY.YYY.YYY.YYY    XXX.XXX.XXX.XXX    UH          2       36     tun0


[ tcpdump -i ed0 -f -l -n $B%m%0(B ]

$B@\B385!'(BFreeBSD $B%k!<%?!<>e(B
	- $B%F%9%HMQ%3%^%s%I$H7k2L(B
	FreeBSD % telnet XXX.XXX.XXX.XXX 80
	Trying XXX.XXX.XXX.XXX...
	
	- $B%m%0(B
	09:03:43.507134 XXX.XXX.XXX.XXX.1058 > 192.168.1.10.80:
		S 2817729031:2817729031(0) win 16384 <mss 1414> (DF) [tos 0x10]
	09:03:43.507393 192.168.1.10.80 > XXX.XXX.XXX.XXX.1058:
		S 694610516:694610516(0) ack 2817729032 win 16968 <mss 1414> (DF)
	09:03:43.507530 XXX.XXX.XXX.XXX.1058 > 192.168.1.10.80:
		R 2817729032:2817729032(0) win 0

$B@\B385!'%/%i%$%"%s%H(B
	- $B%F%9%HMQ%3%^%s%I$H7k2L(B
	Client % telnet XXX.XXX.XXX.XXX 80
	Trying XXX.XXX.XXX.XXX...
	telnet: Unable to connect to remote host: Connection refused
	
	- $B%m%0(B
	09:05:52.049961 192.168.1.10.3616 > XXX.XXX.XXX.XXX.80:
		S 719394769:719394769(0) win 16384 <mss 1414> (DF) [tos 0x10]
	09:05:52.050150 XXX.XXX.XXX.XXX.80 > 192.168.1.10.3616:
		R 0:0(0) ack 719394770 win 0


[ tcpdump -i tun0 -f -l -n $B%m%0(B ]

$B@\B385!'(BFreeBSD $B%k!<%?!<>e(B
	- $B%F%9%HMQ%3%^%s%I$H7k2L(B
	FreeBSD % telnet XXX.XXX.XXX.XXX 80
	Trying XXX.XXX.XXX.XXX...
	
	- $B%m%0(B
	09:25:00.134994 XXX.XXX.XXX.XXX.1060 > XXX.XXX.XXX.XXX.80:
		S 3560601361:3560601361(0) win 16384 <mss 1414> (DF) [tos 0x10]
	09:25:00.135217 XXX.XXX.XXX.XXX.1060 > XXX.XXX.XXX.XXX.80:
		S 3560601361:3560601361(0) win 16384 <mss 1414> (DF) [tos 0x10]

$B@\B385!'%/%i%$%"%s%H(B
	- $B%F%9%HMQ%3%^%s%I$H7k2L(B
	Client % telnet XXX.XXX.XXX.XXX 80
	Trying XXX.XXX.XXX.XXX...
	telnet: Unable to connect to remote host: Connection refused
	
	- $B%m%0(B
	$B$J$K$b=P$:(B


[ natd -v $B%m%0(B ]

FreeBSD $B%^%7%s$G(B telnet XXX.XXX.XXX.XXX 80 $B$7$?7k2L(B

	- telnet
	% telnet XXX.XXX.XXX.XXX 80
	Trying XXX.XXX.XXX.XXX...

	- Log
	Out [TCP]   [TCP] XXX.XXX.XXX.XXX:1055 -> XXX.XXX.XXX.XXX:80 aliased to
	            [TCP] XXX.XXX.XXX.XXX:1055 -> XXX.XXX.XXX.XXX:80
	In  [TCP]   [TCP] XXX.XXX.XXX.XXX:1055 -> XXX.XXX.XXX.XXX.80 aliased to
	            [TCP] XXX.XXX.XXX.XXX:1055 -> 192.168.10:80

$B%/%i%$%"%s%H(B PC $B$G(B telnet XXX.XXX.XXX.XXX 80 $B$7$?7k2L(B

	- telnet
	% telnet XXX.XXX.XXX.XXX 80
	Trying XXX.XXX.XXX.XXX...
	telnet: Unable to connect to remote host: Connection refused

	- Log
	$B2?$b$G$:(B
