From owner-FreeBSD-net-jp@jp.FreeBSD.org Sun Feb  6 19:27:31 2005
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id j16ARVH95772;
	Sun, 6 Feb 2005 19:27:31 +0900 (JST)
	(envelope-from owner-FreeBSD-net-jp@jp.FreeBSD.org)
Received: from mail530.nifty.com (mail530.nifty.com [202.248.37.252])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id j16ARV895767
	for <FreeBSD-net-jp@jp.FreeBSD.org>; Sun, 6 Feb 2005 19:27:31 +0900 (JST)
	(envelope-from sakatuba@nifty.com)
Received: from [127.0.0.1] (i218-47-255-33.s30.a048.ap.plala.or.jp [218.47.255.33])by mail530.nifty.com with ESMTP id j16ARLHC023986;
	Sun, 6 Feb 2005 19:27:23 +0900
Message-ID: <4205F10B.1000802@nifty.com>
From: Tsubasa Sakamoto <sakatuba@nifty.com>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: ja, en-us, en
MIME-Version: 1.0
To: FreeBSD-net-jp@jp.FreeBSD.org
References: <41EF2C3F.5040007@ba2.so-net.ne.jp> <4802640.1106190069990.sakatuba@nifty.com> <7893920.1106202717880.sakatuba@nifty.com> <41EFA3C8.50500@nifty.com>
In-Reply-To: <41EFA3C8.50500@nifty.com>
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
Reply-To: FreeBSD-net-jp@jp.FreeBSD.org
Precedence: list
Date: Sun, 06 Feb 2005 19:27:23 +0900
X-Sequence: FreeBSD-net-jp 4137
Subject: [FreeBSD-net-jp 4137] Re: ipfw =?ISO-2022-JP?B?GyRCJEsbKEI=?=
 =?ISO-2022-JP?B?GyRCJGgkayVeJWslQSVbITwlXyVzJTAkTkBfRGobKEI=?=
 =?ISO-2022-JP?B?GyRCJEskRCQkJEYhShsoQg==?=
 5.3-stable)
Sender: owner-FreeBSD-net-jp@jp.FreeBSD.org
X-Originator: sakatuba@nifty.com
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+041223

$B$I$&$b!":dK\!w2#IM$G$9!#(B

$B0JA0(B(FreeBSD-net-jp 4136)$B!"(B5.3-stable$B$G(Bipfw$B$K$h$k%^%k%A%[!<%_%s%0@_Dj$r(B
$B;n$7$F:C@^$7$?$N$G$9$,!"(B
$B7k6I(Bipfilter$B$G$bF0$-$^$;$s!#(B

$B0J2<$=$NJs9p$G$9!#(B


(0$B!KJ*M}9=@.(B
rl0$B$,%0%m!<%P%k(BIP$BB&(B($B0J2<!"ET9g$K$h$j(B192.168.0.3$B$H5-=R(B) IP$B8GDj(B 192.168.0.0/24
rl0$B$N@h$K%@%$%"%k%"%C%W%k!<%?!<$rF~$l!"(B192.168.0.0/16$B$r(B
aaa.bbb.ccc.ddd/28$B$K(BNAT$B$7$F$^$9!#(B
fxp0$B$,%W%i%$%Y!<%H%"%I%l%9(B($B%1!<%V%k%F%l%S$N(BISP$B$G$9(B)DHCP$B;HMQ!"F0E*(BIP
(10.227.0.0/16)
$B%G%U%)%k%H%k!<%H$O(Bfxp0$B$K8~$$$F$$$^$9!#!J(Bdhclient$B$K$h$j@_Dj$5$l$F$$$^$9!K(B

$B$A$J$_$K!"(Bfxp0$B$r;&$7$F!"(Bdefault router$B$r(Brl0$B$K$7$F$d$k$HIaDL$K30$+$i(Bssh$B$J(B
$B$j(Bsmtp$B$J$j(Bwww$B$J$j$GF~$l$^$9!#(B

(1)$B%+!<%M%k%*%W%7%g%s$K0J2<$rDI2C$7!"%+!<%M%k$N:F%3%s%Q%$%k(B
#IPFilter support
# IPFILTER is the packet filter itself; IPFILTER_LOG is what lets ipmon read
# the packets hit by the "block ... log" rules (see the ipflog output below).
# IPDIVERT (ipfw divert sockets) and NETGRAPH are not used by ipfilter;
# presumably left over from the earlier ipfw attempt (FreeBSD-net-jp 4136).
options IPDIVERT
options IPFILTER
options IPFILTER_LOG
# Drop TCP segments carrying both SYN and FIN, independent of the rule file.
options TCP_DROP_SYNFIN
options NETGRAPH
$BB>$OBgBN%G%U%)%k%H$G$9$,!"(BIPv6$B4X78$@$1H4$$$F$"$j$^$9!#;H$o$J$$$N$G!#(B

$B:F%3%s%Q%$%k8e!"(B
#uname -ar
FreeBSD test.xxxxx.com 5.3-STABLE FreeBSD 5.3-STABLE #1: Sat Jan 22
15:12:38 JST 2005 root@test.xxxxx.com:/usr/obj/usr/src/sys/TESTKERNEL i386

(2)/etc/rc.conf$B$K0J2<$rDI2C(B
# Load ipfilter at boot from the rule file below; "-v" makes ipf report each
# rule as it is loaded, which is what surfaces the SIOCIPFL6 message below.
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags="-v"
# ipmon reads the kernel's ipfilter log device (needs IPFILTER_LOG) and, with
# -D, runs as a daemon writing to the given file -- the one tailed below.
ipmon_enable="YES"
ipmon_flags="-D /var/log/ipflog"
# Turns on IP forwarding; required for anything to move between rl0 and fxp0.
gateway_enable="YES"

(3)ipfilter$BMQ$N@_Dj%U%!%$%k$r=q$/(B
$B4pK\E*$K(B mkipfilter > /etc/ipf.rules$B$G:n$C$F!"(B1$B9T$@$1%U%)%o!<%G%#%s%0$N(B
$B9T$rF~$l$F$$$^$9!#(B

#cat /etc/ipf.rules

#
# The following routes should be configured, if not already:
#
# route add 192.168.0.3 localhost 0
# route add 10.227.1.20 localhost 0
#
# Sanity drops evaluated before any group: packets carrying IP options and TCP
# fragments too short to hold a full header are logged and dropped.
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
# Group 150: outbound on rl0. Default is pass; only loopback source/destination
# and traffic addressed to rl0's own address are dropped.
pass out on rl0 all head 150
block out from 127.0.0.0/8 to any group 150
block out from any to 127.0.0.0/8 group 150
block out from any to 192.168.0.3/32 group 150
# Group 100: inbound on rl0. Default is pass -- anything not matched by a block
# below is accepted. Anti-spoof drops: loopback, rl0's own address and the fxp0
# network (10.227.1.20/0xffff0000 is 10.227.0.0/16, as ipfstat prints it).
pass in on rl0 all head 100
block in from 127.0.0.0/8 to any group 100
block in from 192.168.0.3/32 to any group 100
block in from 10.227.1.20/0xffff0000 to any group 100
# Group 250: outbound on fxp0, the interface holding the default route.
pass out on fxp0 all head 250
block out from 127.0.0.0/8 to any group 250
block out from any to 127.0.0.0/8 group 250
block out from any to 10.227.1.20/32 group 250
# Policy-route rule: replies sourced from rl0's address that the routing table
# would send out fxp0 are handed to rl0 instead.
# NOTE(review): "to rl0" names only an interface. With no ":gateway" the
# link-layer next hop is likely still taken from the routing table, i.e. the
# fxp0 default gateway in 10.227.0.0/16, which cannot be resolved on rl0's
# 192.168.0.0/24 segment. Worth trying the rl0-side router as explicit gateway
# (placeholder, its address is not given here):
#   pass out on fxp0 to rl0:<rl0-router-ip> from 192.168.0.3 to ! 10.227.0.0/16 group 250
# The ipmon lines "fxp0 @250:4 P ... OUT" record the match on fxp0 before the
# re-route, so they do not by themselves show the packet ever left rl0.
pass out on fxp0 to rl0 from 192.168.0.3 to ! 10.227.0.0/16 group 250$B!!(B
<---$B$3$l(B
# Group 200: inbound on fxp0. Default is pass; anti-spoof drops for loopback,
# fxp0's own address and the rl0 network (0xffffff00 is /24).
pass in on fxp0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 10.227.1.20/32 to any group 200
block in from 192.168.0.3/0xffffff00 to any group 200

(4)ipfilter$B$N5/F0(B
#/etc/rc.d/ipfilter start
Enabling ipfilter.
ioctl(SIOCIPFL6): Invalid argument

(5)$B3NG'(B
#ipfstat -hio
0 pass out on rl0 from any to any head 150
0 block out from 127.0.0.0/8 to any group 150
0 block out from any to 127.0.0.0/8 group 150
0 block out from any to 192.168.0.3/32 group 150
1 pass out on fxp0 from any to any head 250
0 block out from 127.0.0.0/8 to any group 250
0 block out from any to 127.0.0.0/8 group 250
0 block out from any to 10.227.1.20/32 group 250
1 pass out on fxp0 to rl0 from 192.168.0.3/32 to !10.227.0.0/16 group 250
0 block in log quick from any to any with ipopt
0 block in log quick proto tcp from any to any with short
3 pass in on rl0 from any to any head 100
0 block in from 127.0.0.0/8 to any group 100
0 block in from 192.168.0.3/32 to any group 100
0 block in from 10.227.0.0/16 to any group 100
0 pass in on fxp0 from any to any head 200
0 block in from 127.0.0.0/8 to any group 200
0 block in from 10.227.1.20/32 to any group 200
0 block in from 192.168.0.0/24 to any group 200

#tail -f /var/log/ipflog
06/02/2005 18:46:59.731439 rl0 @0:3 P 218.47.255.33,55697 ->
192.168.0.3,22 PR tcp len 20 48 -S IN
06/02/2005 18:46:59.731513 fxp0 @250:4 P 192.168.0.3,22 ->
218.47.255.33,55697 PR tcp len 20 48 -AS OUT
06/02/2005 18:47:02.725739 fxp0 @250:4 P 192.168.0.3,22 ->
218.47.255.33,55697 PR tcp len 20 48 -AS OUT
06/02/2005 18:47:02.728469 rl0 @0:3 P 218.47.255.33,55697 ->
192.168.0.3,22 PR tcp len 20 48 -S IN
06/02/2005 18:47:02.728492 fxp0 @250:4 P 192.168.0.3,22 ->
218.47.255.33,55697 PR tcp len 20 48 -AS OUT
06/02/2005 18:47:08.725832 fxp0 @250:4 P 192.168.0.3,22 ->
218.47.255.33,55697 PR tcp len 20 48 -AS OUT
06/02/2005 18:47:08.764107 rl0 @0:3 P 218.47.255.33,55697 ->
192.168.0.3,22 PR tcp len 20 48 -S IN
06/02/2005 18:47:08.764135 fxp0 @250:4 P 192.168.0.3,22 ->
218.47.255.33,55697 PR tcp len 20 48 -AS OUT
06/02/2005 18:47:20.756313 fxp0 @250:4 P 192.168.0.3,22 ->
218.47.255.33,55697 PR tcp len 20 48 -AS OUT

(218.47.255.33$B$+$i!"(Brl0$B$KBP$7$F(Bssh$B$GF~$m$&$H$7$F$$$^$9!#$G$b(BConnection
timeout$B$GF~$l$^$;$s!#(Blogin: $B$9$i$G$J$$!#(B)

$BL\O@8+$H$7$F$O(B06/02/2005 18:46:59.731513$B$N(Bsshd$B$+$i=P$F9T$/%Q%1%C%H$,(Brl0
$B$K%U%)%o!<%I$5$l$k$Y$-$@$H;W$&$N$G$9$,!"(B
$B$=$&$O$J$C$F$/$l$J$$$_$?$$$G$9!#(B

$B$&!<$s!#$3$l$C$F(Bsend-pr$B$7$?$[$&$,$$$$$s$G$7$g$&$+!)(B
ipfw$B$H(Bipfilter$B$N0c$$$9$i$"$l!"7k6I$O%+!<%M%k$NCf$GF1$8ItJ,$r8F$s$G$$$k$s(B
$B$8$c$J$$$+$H;W$&$s$G$9$,!#(B
$B7k6I(Bhttp://www.jp.freebsd.org/cgi/query-pr.cgi?pr=71230$B$,<B$O$^$@<#$C$F(B
$B$$$J$$$C$F$$$&$N$G$O$J$$$G$7$g$&$+!)(B
$B$=$l$H$b;d$,$^$@2?$+K:$l$F$$$k$s$G$7$g$&$+!)(B
default route$B$r(Brl0$B$K$7$F$d$k$@$1$G%0%m!<%P%k(BIP$BB&$+$iF~$l$k$N$G!"%5!<%P$N(B
$B30$NLdBj$G$O$J$$$H;W$&$s$G$9$,!#(B

$B$I$J$?$+F1$8$h$&$J$3$H$r$7$F@.8y$7$F$$$kJ}$$$i$C$7$c$$$^$9$+!)(B


-----------
Tsubasa Sakamoto

