From owner-FreeBSD-net-jp@jp.FreeBSD.org Fri Aug  2 18:00:05 2002
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) id g72905V49707;
	Fri, 2 Aug 2002 18:00:05 +0900 (JST)
	(envelope-from owner-FreeBSD-net-jp@jp.FreeBSD.org)
Received: from athena.ginganet.org (postfix@tk0008-202x210x243x26.ap-TK.usen.ad.jp [202.210.243.26])
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) with ESMTP/inet id g72905n49702
	for <FreeBSD-net-jp@jp.FreeBSD.org>; Fri, 2 Aug 2002 18:00:05 +0900 (JST)
	(envelope-from ginga@ginganet.org)
Received: by athena.ginganet.org (Postfix, from userid 5003)
	id 322264132; Fri,  2 Aug 2002 18:00:05 +0900 (JST)
Date: Fri, 2 Aug 2002 18:00:05 +0900
From: Kawaguti Ginga <ginga@ginganet.org>
To: FreeBSD-net-jp@jp.FreeBSD.org
Message-ID: <20020802090005.GA83381%ginga@ginganet.org>
References: <sld6t64uk4.fsf@belldandy.vsp.cpg.sony.co.jp> <20020801140400.GB75523%ginga@ginganet.org> <20020802122729.8E0D.UCHIYAMA@pp.iij4u.or.jp>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-2022-jp
Content-Disposition: inline
In-Reply-To: <20020802122729.8E0D.UCHIYAMA@pp.iij4u.or.jp> <20020802040035.82494.qmail@maruma.net.dhis.org>
User-Agent: Mutt/1.3.27i-ja.2
Reply-To: FreeBSD-net-jp@jp.FreeBSD.org
Precedence: list
X-Sequence: FreeBSD-net-jp 3773
Subject: [FreeBSD-net-jp 3773] Re: ipfw + vtun (Re: connecting over vtund with regular IP addresses (unnumbered routing?))
Errors-To: owner-FreeBSD-net-jp@jp.FreeBSD.org
Sender: owner-FreeBSD-net-jp@jp.FreeBSD.org
X-Originator: ginga@ginganet.org
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+020727

Kawaguti here.

I am also attaching the output of ipfw list at the end.
Thank you for your help.

Wada-san:
> Of course you are letting outside => 5000 through, right?

Yes, it is let through.
Here are the server-side messages when the client side runs vtund -n testconfig server:

vtund[83892]: VTUN server ver 2.5 06/28/2002 (stand)
vtund[83893]: Session gugesathena[yy.yy.yy.121:1688] opened
vtund[83893]: UDP connection initialized
vtund[83893]: BlowFish encryption initialized
add net 192.168.220.8: gateway tun0		# it sits here for a while, but..
vtund[83893]: Session gugesathena network timeout	# (probably arrives here after the 60 s timeout)
vtund[83893]: Session gugesathena closed
vtund[83902]: Session gugesathena[yy.yy.yy.121:1689] opened
From here on it just repeats.

client $BB&$O(B
vtund[19617]: Connection closed by other side
$B$H8@$C$F$$$^$9!%(B


On Fri, Aug 02, 2002 at 12:27:40PM +0900,
Koji Uchiyama <uchiyama@pp.iij4u.or.jp> wrote:
> > So, when I briefly make ipfw fully open (/etc/rc.firewall open),
> > both ping and ssh connect over vtun without any problem, but
> > with my own ipfw config they don't get through.
> 
> > What rules should I write so that ipfw lets all the vtun packets
> > through? (Or rather, I don't understand why they aren't caught by "via tun0".)
> 
> I may be off the mark here, but
> isn't it possible that "when ipfw was fully open, it was actually
> connecting without going through vtun at all"?


-----------local net(192.168.0.0/24)
    |xl0(192.168.0.72)
vtunserver
    |dc0(xx.xx.xx.26), tun0(192.168.220.9)
-------------------------------------------- xx.xx.xx.24/29
           | (Internet)
-------------------------------------------- yy.yy.yy.0/24
    |fxp0(yy.yy.yy.121), tun0(192.168.220.10)
vtunclient

With a connection like this, the vtun network is 192.168.220.8/29.
The connection tests are done with
	client% ping 192.168.220.9
	client% ssh -v 192.168.220.9
	server% ping 192.168.220.10
	server% ssh -v 192.168.220.10
and so on, so even if traffic tried to go by the non-vtun path,
I think it would not even know where those addresses are to begin with.

> ipfw $B$rA4(B open $B$K$7$?>uBV$G(B
> 
> - $B%M%C%H%o!<%/9=@.?^(B
> - /etc/rc.conf ($B$N(B IP $B%"%I%l%9$d7PO)@_Dj$K4X$9$kItJ,(B)
vtunserver:
ifconfig_xl0="inet 192.168.0.72  netmask 255.255.255.0"
ifconfig_dc0="inet xx.xx.xx.26 netmask 255.255.255.248"
defaultrouter="xx.xx.xx.25"	# the internal net is a single subnet, so
network_interfaces="dc0 lo0 xl0"
firewall_enable="YES"
firewall_script="/etc/ipfw.sh"
firewall_type=""
natd_enable="YES"	# I intend to run nat, but
natd_interface="dc0"	# this too, because of ipfw or something,
natd_flags=""		# is not yet confirmed to work
gateway_enable="YES"	# 

vtunclient:
ifconfig_fxp0="inet yy.yy.yy.121  netmask 255.255.255.0"
defaultrouter="yy.yy.yy.1"	# just hands everything to this

> - vtund.conf

For now, the same as last time.

> - vtun $B$r5/F0$9$k(B script (cliant $BB&$G;XDj$7$?(B server address $B$O!)(B)

server# vtund -n -s	# debugging, so -n for non-daemon mode
client# vtund -n hogetest xx.xx.xx.26

> - the output of netstat -rn

server:------------------------------------------------------------
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            xx.xx.xx.25        UGSc       11      250    dc0
127.0.0.1          127.0.0.1          UH          4     5756    lo0
192.168.0          link#1             UC          1        0    xl0
192.168.0.72       00:10:4b:2c:57:b5  UHLW        4   113890    lo0
192.168.220.8/29   tun0               USc         0        0   tun0
192.168.220.10     192.168.220.9      UH          0        0   tun0
xx.xx.xx.24/29     link#2             UC          2        0    dc0
xx.xx.xx.25        00:e0:2b:00:00:80  UHLW       11        0    dc0   1069
xx.xx.xx.26        00:00:39:ea:96:06  UHLW        1      128    lo0

client:------------------------------------------------------------
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            yy.yy.yy.1         UGSc        6       13   fxp0
127.0.0.1          127.0.0.1          UH          6    49881    lo0
yy.yy.yy/24        link#1             UC          6        0   fxp0
192.168.220.8/29   tun0               USc         0        0   tun0
192.168.220.9      192.168.220.10     UH          0        0   tun0

# I can't help feeling the last line is somehow odd (reversed?)
# the same goes for the 192.168.220.10 line on the server side...

> - the output of ifconfig -u

server:------------------------------------------------------------
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.72 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::210:4bff:fe2c:57b5%xl0 prefixlen 64 scopeid 0x1 
        ether 00:10:4b:2c:57:b5
        media: Ethernet autoselect (10baseT/UTP)
        status: active
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet xx.xx.xx.26 netmask 0xfffffff8 broadcast xx.xx.xx.31
        inet6 fe80::200:39ff:feea:9606%dc0 prefixlen 64 scopeid 0x2 
        ether 00:00:39:ea:96:06
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128 
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
        inet 127.0.0.1 netmask 0xff000000 
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::210:4bff:fe2c:57b5%tun0 prefixlen 64 scopeid 0x8 
        inet 192.168.220.9 --> 192.168.220.10 netmask 0xfffffff8 
        Opened by PID 83911

client:------------------------------------------------------------
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet yy.yy.yy.121 netmask 0xffffff00 broadcast yy.yy.yy.255
        inet6 fe80::290:27ff:fe78:10e9%fxp0 prefixlen 64 scopeid 0x1 
        ether 00:90:27:78:10:e9
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128 
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
        inet 127.0.0.1 netmask 0xff000000 
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::290:27ff:fe78:10e9%tun0 prefixlen 64 scopeid 0x7 
        inet 192.168.220.10 --> 192.168.220.9 netmask 0xfffffff8 
        Opened by PID 19617

> It is hard to follow without assigning addresses, so let me assign some provisional ones:

Sorry, I had already started writing before that, so it isn't consistent, but

> - vtun $B%5!<%P$N(B IP $B%"%I%l%9(B       v.v.v.1
> - vtun $B%5!<%P$N%M%C%H%o!<%/(B       n.n.n.0/24

($B;d$NI=5-$G(B) xx.xx.xx.72 on xx.xx.xx.24/29

> - vtun $B%/%i%$%"%s%H$N(B IP $B%"%I%l%9(B u.u.u.1
> - vtun $B%/%i%$%"%s%H$N%M%C%H%o!<%/(B m.m.m.0/24

correspond to yy.yy.yy.121 on yy.yy.yy.0/24.

> The "add -net 192.168.220.8/29 -interface %d" part
> appears to set up the route for "the (virtual) network
> between vtun server <---> vtun client", but
> where is the routing for n.n.n.0/24 and m.m.m.0/24
> configured?
> (e.g. written in /etc/rc.conf, or in vtund.conf)

rc.conf $B$K$J$j$^$9!%(B
$B$H$$$&$+!$(Blocal subnet $B$K$D$$$F$O(B route $B$OITMW$G$9$s$G!$(B
server/client $B6&$K(B Internet $B8~$1$N(B default router $B$r(B
$B@_Dj$7$F$$$k$@$1$G$9!%(B

> vtun $B%5!<%PB&$G$O(B
> route add -net  m.m.m.0 netmask 0xffffff00 -interface tun0
> vtun $B%/%i%$%"%s%HB&$G$O(B
> route add -net  n.n.n.0 netmask 0xffffff00 -interface tun0
> $B$_$?$$$J@_Dj$,I,MW$H;W$$$^$9!#(B

vtund.conf $B$N(B up{} $B$G$d$C$F$$$k$3$H$G$"$k$HM}2r$7$F$$$^$9!%(B

> v.v.v.1 $B$,(B n.n.n.0/24 $B$K4^$^$l$k>l9g$d(B
> u.u.u.1 $B$,(B m.m.m.0/24 $B$K4^$^$l$k>l9g$O(B

As I wrote in my previous post, it turned out I had misunderstood that
and I learned my lesson :-), so I changed approach, and
in the example above 192.168.220.8/29 is a vtun-only address range.



$B$J$*!$(Bipfw list $B$N7k2L$r0J2<$K<($7$^$9!%(B
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 192.168.0.0/24 to any in recv dc0
00500 deny ip from xx.xx.xx.24/29 to any in recv xl0
00600 deny ip from any to 10.0.0.0/8 via dc0
00700 deny ip from any to 172.16.0.0/12 via dc0
00800 deny ip from any to 192.168.0.0/16 via dc0
00900 deny ip from any to 0.0.0.0/8 via dc0
01000 deny ip from any to 169.254.0.0/16 via dc0
01100 deny ip from any to 192.0.2.0/24 via dc0
01200 deny ip from any to 224.0.0.0/4 via dc0
01300 deny ip from any to 240.0.0.0/4 via dc0
01400 divert 8668 ip from any to any via dc0
01500 deny ip from 10.0.0.0/8 to any via dc0
01600 deny ip from 172.16.0.0/12 to any via dc0
01700 deny ip from 192.168.0.0/16 to any via dc0
01800 deny ip from 0.0.0.0/8 to any via dc0
01900 deny ip from 169.254.0.0/16 to any via dc0
02000 deny ip from 192.0.2.0/24 to any via dc0
02100 deny ip from 224.0.0.0/4 to any via dc0
02200 deny ip from 240.0.0.0/4 to any via dc0
02300 allow tcp from any to any established
02400 allow ip from any to any frag
02500 allow ip from any to any via xl0
02600 allow icmp from any to any
02700 allow ip from any to any via tun0
02800 allow tcp from any to xx.xx.xx.26 25 setup
02900 allow tcp from any to xx.xx.xx.26 113 setup
03000 allow tcp from any to xx.xx.xx.26 53 setup
03100 allow udp from any to xx.xx.xx.26 53
03200 allow udp from xx.xx.xx.26 53 to any
03300 allow tcp from any to xx.xx.xx.26 22 setup
03400 allow tcp from any to xx.xx.xx.26 5000 setup
03500 allow tcp from any to xx.xx.xx.26 80 setup
03600 deny log tcp from any to any in recv dc0 setup
03700 allow tcp from any to any setup
03800 allow udp from xx.xx.xx.26 to any 53 keep-state
03900 allow udp from xx.xx.xx.26 to any 123 keep-state
04000 allow udp from xx.xx.xx.26 to any
65535 deny ip from any to any

vtun $BMQ$N@_Dj$O(B 02700 + 03400 $B$G$9(B($B$N$D$b$j(B)$B!%(B
-- 
       $B"J"J(B
Zzz.. (- - )$B"^"^"=!A(B       $B@n8}(B $B6d2O(B
      ##############   ginga@ginganet.org
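As an added example (not code from the post, nor from ipfw or vtun), the Python script below walks the ipfw list above rule by rule with packets built from the flows the vtund log and the test commands mention: the client's TCP session open to port 5000, the UDP transport that the "UDP connection initialized" line announces, and an ssh SYN inside tun0. It reports which rule terminates each packet, which is the check to make when a ruleset is believed to be "02700 + 03400" and the tunnel still times out. Assumptions, all labelled in the code: the masked xx.xx.xx and yy.yy.yy addresses are replaced by the RFC 5737 documentation blocks 203.0.113.0/24 and 198.51.100.0/24; the UDP port vtund negotiates is not in the post, so 5000 stands in for it; divert is modelled as natd reinjecting the packet unchanged at the next rule; keep-state is treated as a plain match with no dynamic rule table; established checks only the ACK bit.

```python
from collections import namedtuple
import ipaddress

# Placeholder addresses: the post masks its public addresses as xx.xx.xx.* and
# yy.yy.yy.*; RFC 5737 documentation blocks stand in for them here (assumption).
SERVER = "203.0.113.26"          # post: xx.xx.xx.26, the server's dc0
SERVER_NET = "203.0.113.24/29"   # post: xx.xx.xx.24/29
CLIENT = "198.51.100.121"        # post: yy.yy.yy.121, the client's fxp0
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
          "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4"]

RULESET = (  # the posted `ipfw list`; 00600-01300 and 01500-02200 are built from BOGONS
    ["00100 allow ip from any to any via lo0",
     "00200 deny ip from any to 127.0.0.0/8",
     "00300 deny ip from 127.0.0.0/8 to any",
     "00400 deny ip from 192.168.0.0/24 to any in recv dc0",
     f"00500 deny ip from {SERVER_NET} to any in recv xl0"]
    + [f"{600 + 100 * i:05d} deny ip from any to {b} via dc0" for i, b in enumerate(BOGONS)]
    + ["01400 divert 8668 ip from any to any via dc0"]
    + [f"{1500 + 100 * i:05d} deny ip from {b} to any via dc0" for i, b in enumerate(BOGONS)]
    + ["02300 allow tcp from any to any established",
       "02400 allow ip from any to any frag",
       "02500 allow ip from any to any via xl0",
       "02600 allow icmp from any to any",
       "02700 allow ip from any to any via tun0",
       f"02800 allow tcp from any to {SERVER} 25 setup",
       f"02900 allow tcp from any to {SERVER} 113 setup",
       f"03000 allow tcp from any to {SERVER} 53 setup",
       f"03100 allow udp from any to {SERVER} 53",
       f"03200 allow udp from {SERVER} 53 to any",
       f"03300 allow tcp from any to {SERVER} 22 setup",
       f"03400 allow tcp from any to {SERVER} 5000 setup",
       f"03500 allow tcp from any to {SERVER} 80 setup",
       "03600 deny log tcp from any to any in recv dc0 setup",
       "03700 allow tcp from any to any setup",
       f"03800 allow udp from {SERVER} to any 53 keep-state",
       f"03900 allow udp from {SERVER} to any 123 keep-state",
       f"04000 allow udp from {SERVER} to any",
       "65535 deny ip from any to any"])

Packet = namedtuple("Packet", "proto src dst iface direction sport dport syn ack frag",
                    defaults=(0, 0, False, False, False))  # iface: arrives on (in) / leaves by (out)
OPTIONS = {"via", "in", "out", "recv", "setup", "established", "frag", "keep-state"}

def parse_rule(line):
    """Parse one `ipfw list` line (only the syntax the ruleset above uses)."""
    t = line.split()
    r = dict(num=int(t[0]), action=t[1], sport=None, dport=None, via=None,
             recv=None, dir=None, setup=False, established=False, frag=False)
    i = 3 if r["action"] == "divert" else 2          # "divert <port>"
    i += t[i] == "log"                               # optional "log" flag
    r["proto"], r["src"], i = t[i], t[i + 2], i + 3  # "<proto> from <src>"
    if t[i] != "to":                                 # optional source port
        r["sport"], i = int(t[i]), i + 1
    r["dst"], i = t[i + 1], i + 2                    # "to <dst>"
    if i < len(t) and t[i] not in OPTIONS:           # optional destination port
        r["dport"], i = int(t[i]), i + 1
    while i < len(t):
        if t[i] in ("via", "recv"):
            r[t[i]], i = t[i + 1], i + 2
        elif t[i] in ("in", "out"):
            r["dir"], i = t[i], i + 1
        elif t[i] in ("setup", "established", "frag"):
            r[t[i]], i = True, i + 1
        elif t[i] == "keep-state":   # assumption: plain match, no dynamic rule table
            i += 1
        else:
            raise ValueError(f"unsupported option {t[i]!r}")
    return r

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    """True if packet p satisfies every field of parsed rule r."""
    return all([
        r["proto"] in ("ip", p.proto),
        in_net(r["src"], p.src) and in_net(r["dst"], p.dst),
        r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport),
        r["via"] in (None, p.iface),                  # via matches either direction
        r["dir"] in (None, p.direction),
        # recv names the inbound interface; a locally generated packet has none
        r["recv"] is None or (p.direction == "in" and p.iface == r["recv"]),
        not r["setup"] or (p.proto == "tcp" and p.syn and not p.ack),
        not r["established"] or (p.proto == "tcp" and p.ack),   # RST not modelled
        not r["frag"] or p.frag])

def evaluate(p):
    """Return (rule number, action) of the first rule that ends the walk."""
    for r in map(parse_rule, RULESET):
        if matches(r, p) and r["action"] != "divert":   # divert: assume natd
            return r["num"], r["action"]                 # reinjects it unchanged
    raise RuntimeError("fell off the end of the ruleset")

if __name__ == "__main__":  # vtund's UDP port is not in the post; 5000 is a stand-in
    for label, pkt in [("client SYN to tcp/5000 on dc0", Packet("tcp", CLIENT, SERVER, "dc0", "in", 1688, 5000, syn=True)),
                       ("client UDP to server on dc0", Packet("udp", CLIENT, SERVER, "dc0", "in", 5000, 5000)),
                       ("server UDP to client on dc0", Packet("udp", SERVER, CLIENT, "dc0", "out", 5000, 5000)),
                       ("ssh SYN inside tunnel on tun0", Packet("tcp", "192.168.220.10", "192.168.220.9", "tun0", "in", 1025, 22, syn=True))]:
        print(f"{label:32} -> rule {'%05d %s' % evaluate(pkt)}")
```

Run as a script, it prints one line per flow. The client's SYN to port 5000 ends at 03400 and the ssh SYN inside the tunnel at 02700, as the post intends; the client's UDP datagram to the server's dc0 address, however, walks past 03100 (port 53 only) and 03800 to 04000 (source must be xx.xx.xx.26) and ends at 65535 deny, while the server's own UDP datagram out to the client is allowed by 04000. Whatever port vtund actually picks, a rule that is to admit that inbound datagram has to sit before 65535 and match udp from the client to xx.xx.xx.26 arriving on dc0; the evaluator is the quickest way to confirm that a candidate rule is reached before something earlier swallows the packet.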
