Hirano-san, this is Maruyama.

Thu, 30 Jun 2016 16:12:43 +0900 Akihiro HIRANO <hir...@t.kanazawa-u.ac.jp> writes:
> If it is no trouble, I think the quickest route is for you to show us the output of "ipfw list".

Yes.

Experiment 1 (PC-BSD 10.3)

/etc/ipfw.custom    (PC-BSD factory default; contains only comments)
/etc/ipfw.openports (PC-BSD factory default; only udp 5353 and tcp 22)
/etc/ipfw.rules     (PC-BSD factory default; attached at the end of this mail)

# ipfw list
00020 allow ip from any to any via lo0
01000 check-state
01050 allow tcp from any to any established
01100 allow udp from any to any established
02000 allow ip from any to any out keep-state
02050 allow ip6 from any to any out keep-state
02100 allow ipv6-icmp from any to any keep-state
02150 allow icmp from any to any keep-state
10000 allow udp from any to any dst-port 5353 in keep-state
10001 allow tcp from any to any dst-port 22 in keep-state
64000 deny log ip from any to any
65535 allow ip from any to any

In this state, dig @133.58.32.12 ism.ac.jp ns displays its result normally.

Experiment 2 (PC-BSD 10.3)

/etc/ipfw.custom contains only

  ipfw -q add 110 allow ip from 133.58.124.49 to any

Here 133.58.124.49 is the interface that connects to the DNS server 133.58.32.12.

/etc/ipfw.openports (PC-BSD factory default; only udp 5353 and tcp 22)
/etc/ipfw.rules     (PC-BSD factory default; attached at the end of this mail)

# ipfw list
00020 allow ip from any to any via lo0
00110 allow ip from 133.58.124.49 to any
01000 check-state
01050 allow tcp from any to any established
01100 allow udp from any to any established
02000 allow ip from any to any out keep-state
02050 allow ip6 from any to any out keep-state
02100 allow ipv6-icmp from any to any keep-state
02150 allow icmp from any to any keep-state
10000 allow udp from any to any dst-port 5353 in keep-state
10001 allow tcp from any to any dst-port 22 in keep-state
64000 deny log ip from any to any
65535 allow ip from any to any

At this point:

% dig @133.58.32.12 ism.ac.jp ns

; <<>> DiG 9.10.3-P4 <<>> @133.58.32.12 ism.ac.jp ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

----------------------------------------------------------------
PC-BSD factory default /etc/ipfw.rules
----------------------------------------------------------------
#!/bin/sh
# To re-apply rules, you can run "sh /etc/ipfw.rules"

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"

# No restrictions on loopback
####################################################################
$cmd 00020 allow all from any to any via lo0

####################################################################
# Check the state of packets
####################################################################
$cmd 01000 check-state
$cmd 01050 allow tcp from any to any established
$cmd 01100 allow udp from any to any established

####################################################################
# Allow all outgoing packets
####################################################################
$cmd 02000 allow ip from any to any out keep-state
$cmd 02050 allow ip6 from any to any out keep-state
$cmd 02100 allow ipv6-icmp from any to any keep-state
$cmd 02150 allow icmp from any to any keep-state

####################################################################
# Allow specific ports IN now
# Add items to /etc/ipfw.openports in the format
#   {tcp|udp} <portnum>
####################################################################
nextnum=10000
if [ -e "/etc/ipfw.openports" ] ; then
  while read line
  do
    # Skip comment lines
    echo "$line" | grep -q "^#"
    if [ $? -eq 0 ] ; then continue ; fi
    proto="`echo $line | awk '{print $1}'`"
    port="`echo $line | awk '{print $2}'`"
    if [ -z "$proto" -o -z "$port" ] ; then continue ; fi
    $cmd $nextnum allow $proto from any to any $port in keep-state
    nextnum=`expr $nextnum + 1`
  done < /etc/ipfw.openports
fi

####################################################################
# Allow specific IPs incoming traffic now (Used for jails mainly)
# Add items to /etc/ipfw.openip in the format
#   {ip4|ip6} <ip>
####################################################################
nextnum=20000
if [ -e "/etc/ipfw.openip" ] ; then
  while read line
  do
    # Skip comment lines
    echo "$line" | grep -q "^#"
    if [ $? -eq 0 ] ; then continue ; fi
    proto="`echo $line | awk '{print $1}'`"
    ip="`echo $line | awk '{print $2}'`"
    if [ -z "$proto" -o -z "$ip" ] ; then continue ; fi
    $cmd $nextnum allow $proto from any to $ip in keep-state
    nextnum=`expr $nextnum + 1`
  done < /etc/ipfw.openip
fi

####################################################################
# Deny all other incoming troublemakers
####################################################################
$cmd 64000 deny log all from any to any

####################################################################
# Check for user custom rules
if [ -e "/etc/ipfw.custom" ] ; then
  sh /etc/ipfw.custom
fi
--------
丸山直昌 @ 統計数理研究所 (The Institute of Statistical Mathematics)
_______________________________________________
freebsd-users-jp@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-users-jp
To unsubscribe, send any mail to "freebsd-users-jp-unsubscr...@freebsd.org"
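The following is an added example, not part of the mailing-list post and not PC-BSD's own code: a minimal simulator of ipfw first-match evaluation, run over the two rule sets quoted above, so the path of the DNS query and of its reply can be traced rule by rule. It models only what those two experiments need: the dynamic table is consulted at check-state and at keep-state rules, as ipfw(8) documents, and "established" is modelled as the ipfw(8) definition (TCP with ACK or RST set), so it never matches UDP. Assumptions, labelled as such: the outside interface is called em0 and the query leaves from UDP source port 40000 (dig picks a random port; both values are constructed). The third trace, rule 110 with keep-state added, is there only to illustrate the mechanism and is not a claim about what the poster's configuration should be.

```python
# Added example (not from the post, not PC-BSD code): trace a DNS query and
# its reply through the quoted ipfw rule sets using first-match semantics.
from dataclasses import dataclass
from typing import Optional, Iterable, List, Tuple, Set

ANY = "any"
CLIENT = "133.58.124.49"       # interface facing the DNS server (from the post)
DNS_SERVER = "133.58.32.12"    # DNS server queried with dig (from the post)
IFACE = "em0"                  # constructed: name of the outside interface
QUERY_SPORT = 40000            # constructed: dig's random source port

@dataclass
class Rule:
    num: int
    action: str                      # "allow", "deny" or "check-state"
    proto: str = "ip"                # ip, ip6, tcp, udp, icmp, ipv6-icmp
    src: str = ANY
    dst: str = ANY
    dst_port: Optional[int] = None
    direction: Optional[str] = None  # "in", "out" or None for both
    iface: Optional[str] = None      # "via <iface>"
    established: bool = False
    keep_state: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str
    ipv6: bool = False
    tcp_ack_or_rst: bool = False

def matches(rule: Rule, pkt: Packet) -> bool:
    """Static (non-dynamic) match of one rule against one packet."""
    if rule.proto == "ip6":
        if not pkt.ipv6:
            return False
    elif rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != ANY and rule.src != pkt.src:
        return False
    if rule.dst != ANY and rule.dst != pkt.dst:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    # ipfw(8): "established" matches TCP packets with RST or ACK set, so a
    # UDP packet can never satisfy rule 01100.
    if rule.established and not (pkt.proto == "tcp" and pkt.tcp_ack_or_rst):
        return False
    return True

StateKey = Tuple[str, str, int, str, int]

def state_key(pkt: Packet) -> StateKey:
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

def state_hit(state: Set[StateKey], pkt: Packet) -> bool:
    """A dynamic entry matches the packet in either direction."""
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return state_key(pkt) in state or reverse in state

def evaluate(rules: List[Rule], pkt: Packet, state: Set[StateKey]) -> Tuple[str, int]:
    """Return (action, rule number) of the first match; rules are scanned in order.
    The dynamic table is checked at check-state and at every keep-state rule."""
    for r in sorted(rules, key=lambda r: r.num):
        if (r.action == "check-state" or r.keep_state) and state_hit(state, pkt):
            return ("allow", r.num)
        if r.action == "check-state":
            continue
        if matches(r, pkt):
            if r.action == "allow" and r.keep_state:
                state.add(state_key(pkt))   # this is what rule 110 never does
            return (r.action, r.num)
    return ("allow", 65535)                 # default rule

def pcbsd_rules(custom: Iterable[Rule] = ()) -> List[Rule]:
    """PC-BSD 10.3 default rule set as shown by 'ipfw list' in the post."""
    return [
        Rule(20, "allow", "ip", iface="lo0"),
        *custom,
        Rule(1000, "check-state"),
        Rule(1050, "allow", "tcp", established=True),
        Rule(1100, "allow", "udp", established=True),
        Rule(2000, "allow", "ip", direction="out", keep_state=True),
        Rule(2050, "allow", "ip6", direction="out", keep_state=True),
        Rule(2100, "allow", "ipv6-icmp", keep_state=True),
        Rule(2150, "allow", "icmp", keep_state=True),
        Rule(10000, "allow", "udp", dst_port=5353, direction="in", keep_state=True),
        Rule(10001, "allow", "tcp", dst_port=22, direction="in", keep_state=True),
        Rule(64000, "deny"),
    ]

def dns_trace(custom: Iterable[Rule] = ()) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Verdicts for the outgoing DNS query and the server's reply, in that order."""
    rules, state = pcbsd_rules(custom), set()
    query = Packet("udp", CLIENT, QUERY_SPORT, DNS_SERVER, 53, "out", IFACE)
    reply = Packet("udp", DNS_SERVER, 53, CLIENT, QUERY_SPORT, "in", IFACE)
    return evaluate(rules, query, state), evaluate(rules, reply, state)

if __name__ == "__main__":
    rule110 = Rule(110, "allow", "ip", src=CLIENT)
    print("experiment 1 (default):        ", dns_trace())
    print("experiment 2 (rule 110):       ", dns_trace([rule110]))
    print("illustration: 110 + keep-state:", dns_trace([Rule(110, "allow", "ip", src=CLIENT, keep_state=True)]))
```

In experiment 1 the query is the first thing that matches rule 02000, which has keep-state, so a dynamic entry is created and the reply is accepted at the check-state rule 01000. In experiment 2 the query matches rule 00110 first; that rule has no keep-state, so no dynamic entry exists when the reply arrives, and the reply (inbound UDP from 133.58.32.12 port 53 to port 40000) matches nothing before 64000 deny, which is consistent with the "connection timed out" that dig reports. Whether the right change is adding keep-state to the custom rule or placing it differently depends on what the rule is meant to achieve, which the post does not say.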