From owner-FreeBSD-net-jp@jp.FreeBSD.org Wed Jan  7 17:31:48 2004
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id i078VmF96687;
	Wed, 7 Jan 2004 17:31:48 +0900 (JST)
	(envelope-from owner-FreeBSD-net-jp@jp.FreeBSD.org)
Received: from ps.sakura.ne.jp (ps.sakura.ne.jp [210.188.226.140])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id i078VlC96681
	for <FreeBSD-net-jp@jp.FreeBSD.org>; Wed, 7 Jan 2004 17:31:47 +0900 (JST)
	(envelope-from shota@ps.sakura.ne.jp)
Received: from MELCHIOR (5.16.111.219.st.bbexcite.jp [219.111.16.5])
	by ps.sakura.ne.jp (8.12.8p2/8.12.8/[SAKURA-NET]/2002.11.11) with SMTP id i078Vq7Z026810
	for <FreeBSD-net-jp@jp.FreeBSD.org>; Wed, 7 Jan 2004 17:31:52 +0900 (JST)
	(envelope-from shota@ps.sakura.ne.jp)
From: Shota Wakazuki <shota@ps.sakura.ne.jp>
To: FreeBSD-net-jp@jp.FreeBSD.org
Message-ID: <3ffbc3f8.261%shota@ps.sakura.ne.jp>
X-Mailer: Datula version 1.52.01.01 for Windows
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Reply-To: FreeBSD-net-jp@jp.FreeBSD.org
Precedence: list
Date: Wed, 07 Jan 2004 17:31:52 +0900
X-Sequence: FreeBSD-net-jp 4042
Subject: [FreeBSD-net-jp 4042] PPPoE with ipfw
Sender: owner-FreeBSD-net-jp@jp.FreeBSD.org
X-Originator: shota@ps.sakura.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+031216

SHOTA $B$G$9!#(B

$B@h$[$I(BB$B%U%l%C%D$N%^%s%7%g%s%?%$%W$NF3F~$,=*$o$C$F!"(B
$B5W$7$V$j$K(B FreeBSD $B$G(B PPP(oE) $B$d$C$?$j$7$F$?$N$G$9$,!"(Bipfw $B$r(B rc.conf $B$G(B

  firewall_type="open"

$B$K$7$J$$$H!"(BFreeBSD $B5!$+$i(B ping $B$H$+$d$C$F$b(B
$B%Q%1%C%H$,Ht$s$G$$$kMM;R$J$N$G$9$,!"JVEz$,$"$j$^$;$s!#(B
ipfw $B$G$O$8$+$l$F$$$kMM;R$J$N$G$9$,!"(B/var/log/security $BEy$K$b(B
$B;D$i$J$+$C$?$j$G!&!&!&(B

$B$3$N2<$K(B ipfw $B$N@_Dj%U%!%$%k$r%3%T%Z$7$FCV$-$^$9$N$G!"(B
$B$3$3$iJU$,$*$+$7$$$N$G$O!"$J$I$o$+$kJ}$$$i$C$7$c$$$^$7$?$i(B
$B65$($F$$$?$@$1$k$H$"$j$,$?$$$G$9!#(B

$B$=$l$G$O!"$*4j$$$7$^$9!#(B

---
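fwcmd="/sbin/ipfw"
# Start from an empty ruleset.  Rules without an explicit number are
# appended in the order given below, and ipfw stops at the first matching
# rule (count and divert rules fall through), so the ORDER of this file is
# the policy.
$fwcmd -f flush

oif="tun0"	# PPPoE link to the outside (ppp tunnel device)
iif="fxp1"	# LAN interface, 192.168.0.0/24
#####################################################################
# MRTG Traffic Status
# Network Traffic (count rules never terminate the search)
$fwcmd add 10 count all from any to me via $oif in
$fwcmd add 11 count all from me to any via $oif out
# http[s] Traffic
$fwcmd add 12 count tcp from any to me 80,443 via $oif in
$fwcmd add 13 count tcp from me 80,443 to any via $oif out
# Network Traffic(Server <--> LAN)
$fwcmd add 14 count all from 192.168.0.0/24 to me via $iif in
$fwcmd add 15 count all from me to 192.168.0.0/24 via $iif out
# Network Traffic IPv6 (protocol 41 = IPv6-in-IPv4 tunnel)
#$fwcmd add 16 count 41 from any to me in
#$fwcmd add 17 count 41 from me to any out
#####################################################################
# Drop (and log) IP fragments on the external link.
# ipfw expects "<proto> from <src> to <dst>"; the previous form
# "deny log any to any via $oif frag" names no protocol and has no "from",
# so it was most likely rejected by ipfw and never installed.
$fwcmd add deny log ip from any to any via $oif frag

# Bogon / multicast / reserved ranges must not cross the external link in
# either direction.  One pair of rules per prefix, same order as before.
for net in 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4; do
	$fwcmd add deny all from any to $net via $oif
	$fwcmd add deny all from $net to any via $oif
done

# No NetBIOS/SMB (137-139, 445) over the external link, either direction.
$fwcmd add deny tcp from any 137-139,445 to any via $oif
$fwcmd add deny udp from any 137-139,445 to any via $oif
$fwcmd add deny tcp from any to any 137-139,445 via $oif
$fwcmd add deny udp from any to any 137-139,445 via $oif

# Answer incoming IDENT (113) with a TCP reset instead of dropping it, so
# remote mail/IRC servers do not wait for a timeout.
$fwcmd add reset tcp from any to any 113 in via $oif

#####################################################################
# Hand every packet on the external link to natd.  After translation the
# packet re-enters the ruleset at the next rule, so everything below sees
# the translated (inside) addresses.
$fwcmd add divert natd all from any to any via $oif

# LAN side: anything to/from 192.168.0.0/24 on $iif is allowed.
$fwcmd add allow all from 192.168.0.0/24 to any via $iif
$fwcmd add allow all from any to 192.168.0.0/24 via $iif

# DHCP: discover/request from a not-yet-configured LAN client
# (0.0.0.0:68 -> broadcast:67).
$fwcmd add allow udp from 0.0.0.0 68 to 255.255.255.255 67 in via $iif

# Loopback is unrestricted.
$fwcmd add allow all from any to any via lo0

# Everything leaving through the PPPoE link is allowed (the old file had
# this rule twice, once as "$oif" and once as "tun0" -- same interface).
$fwcmd add allow all from any to any out via $oif

# Packets belonging to TCP connections that are already established
# (ACK or RST set, i.e. not a SYN-only packet).  This is what lets the
# replies to outgoing connections back in; it is not a keep-alive rule.
$fwcmd add allow tcp from any to any via $oif established

# ICMP control messages arriving over the PPPoE link.  Without this rule
# echo replies (type 0), destination unreachable (3), source quench (4),
# time exceeded (11) and parameter problem (12) fall through to the final
# deny, so a ping from this host never sees its answer and path-MTU
# discovery (type 3) does not work.  Type 8 (echo request) is deliberately
# not listed, so the host stays unpingable from outside; add 8 if wanted.
$fwcmd add allow icmp from any to any in via $oif icmptypes 0,3,4,11,12

# FTP DataConnections
# NOTE: these two rules match on SOURCE port only.  Any remote host can
# choose source port 20, so they admit TCP to every local port / every LAN
# host from such a sender.  That is the price of active-mode FTP here;
# restricting the destination ports would tighten it.
$fwcmd add allow tcp from any 20 to me in via $oif
$fwcmd add allow tcp from any 20 to 192.168.0.0/24 in via $oif
# Passive-mode FTP data range of the local server.
$fwcmd add allow tcp from any to me 10020-10025 in via $oif

# Real(UDP)
#$fwcmd add allow udp from any to 192.168.0.0/24 6970-7170 in via $oif
# Services offered to the outside: only the connection-opening SYN
# ("setup") is matched here; the rest of each connection is covered by the
# "established" rule above.
$fwcmd add allow tcp from any to me 21 setup		# FTP
$fwcmd add allow tcp from any to me 22 setup		# SSH
$fwcmd add allow tcp from any to me 25 setup		# SMTP
$fwcmd add allow tcp from any to me 80 setup		# HTTP
$fwcmd add allow tcp from any to me 443 setup		# HTTPS
$fwcmd add allow tcp from any to me 110 setup		# POP3
$fwcmd add allow tcp from any to me 554 setup
$fwcmd add allow tcp from any to me 24 setup
# Forwarded to a LAN host (natd must have a matching redirect for this to
# reach 192.168.0.3); "pass" and "allow" are synonyms, "allow" used for
# consistency.
$fwcmd add allow tcp from any to 192.168.0.3 1074 in     # WME



# DNS replies and queries over the external link.
# NOTE: the first rule again matches on source port only -- any UDP from
# a remote source port 53 to any local port is accepted.
$fwcmd add allow udp from any 53 to me in via $oif
$fwcmd add allow udp from me to any 53 out via $oif

# Default: deny and log everything that reached this point.
# "log" only writes to syslog (/var/log/security) when
# net.inet.ip.fw.verbose=1, and each rule stops logging after
# net.inet.ip.fw.verbose_limit entries (unless that limit is 0), which is
# a common reason for an apparently empty log while packets are dropped.
$fwcmd add 65435 deny log ip from any to any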
---


-- 
SHOTA / Shota Wakazuki
mailto:shota@ps.sakura.ne.jp / http://www.firefield.net/
