160841SdarrenrIP filter $B%7%g!<%H%,%$%I(B Dec, 1999 260841Sdarrenr 360841Sdarrenr$B%[!<%`%Z!<%8(B: http://coombs.anu.edu.au/~avalon/ip-filter.html 460841SdarrenrFTP: ftp://coombs.anu.edu.au/pub/net/ip-filter/ 560841Sdarrenr 660841Sdarrenr $B30;3(B $B=c@8(B <sumio@is.s.u-tokyo.ac.jp> 760841Sdarrenr $B;3K\(B $BBY1'(B <ymmt@is.s.u-tokyo.ac.jp> 860841Sdarrenr 960841Sdarrenr----- 1060841Sdarrenr$B$O$8$a$K(B 1160841Sdarrenr 1260841SdarrenrIP filter $B$r(B gateway $B%^%7%s$K%$%s%9%H!<%k$9$k$3$H$G%Q%1%C%H%U%#(B 1360841Sdarrenr$B%k%?%j%s%0$r9T$&$3$H$,$G$-$^$9!#(B 1460841Sdarrenr 1560841Sdarrenr$B%$%s%9%H!<%k$NJ}K!$O!"(BINSTALL$B$K=q$$$F$"$k$N$G!"$=$A$i$r;2>H$7$F(B 1660841Sdarrenr$B$/$@$5$$!#(BIP filter $B$N%P!<%8%g%s(B 3.3.5 $B$O!"(B 1760841Sdarrenr Solaris/Solaris-x86 2.3 - 8 (early access) 1860841Sdarrenr SunOS 4.1.1 - 4.1.4 1960841Sdarrenr NetBSD 1.0 - 1.4 2060841Sdarrenr FreeBSD 2.0.0 - 2.2.8 2160841Sdarrenr BSD/OS-1.1 - 4 2260841Sdarrenr IRIX 6.2 2360841Sdarrenr$B$GF0:n$9$k$3$H$,3NG'$5$l$F$$$^$9!#(B 2460841Sdarrenr 2560841Sdarrenr$B$J$*!"(B64 bit kernel $B$NAv$C$F$k(B Solaris7 $B%^%7%s$G$O!"(Bgcc $B$H$+$G%3(B 2660841Sdarrenr$B%s%Q%$%k$7$?(B kernel driver $B$OF0:n$7$^$;$s!#(B 2760841Sdarrenr 2860841Sdarrenr$B$=$N$h$&$J>l9g$K$O!"(Bprecompiled binary $B$r(B 2960841Sdarrenrftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz 3060841Sdarrenr(1999$BG/(B12$B7n(B14$BF|8=:_!"$^$@(B3.3.5$B$O%Q%C%1!<%8$K$J$C$F$$$^$;$s(B) 3160841Sdarrenr$B$+$i<h$C$F$/$k$+!"(BWorkshop Compiler 5.0 $B$G%3%s%Q%$%k$7$F(B 64bit 3260841Sdarrenrdriver $B$r:n$C$F$/$@$5$$!#(B 3360841Sdarrenr 3460841Sdarrenr----- 3560841Sdarrenr$B@_Dj%U%!%$%k$N5-=RJ}K!(B 3660841Sdarrenr 3760841SdarrenrIP filter$B$N@_Dj$O!V$I$N%"%I%l%9!W$N!V$I$N%]!<%H!W$+$i!V$I$N%"%I(B 3860841Sdarrenr$B%l%9!W$N!V$I$N%]!<%H!W$X$N%Q%1%C%H$r(B block $B$9$k$+(B pass $B$9$k$+!"(B 3960841Sdarrenr$B$r;XDj$9$k$3$H$G9T$$$^$9!#(B 4060841Sdarrenr 4160841Sdarrenr$B0J2<$NNc$G$O!"2f!9$,4IM}$7$F$$$k%5%V%M%C%H$h$j30$+$iFb$N%"%/%;%9(B 4260841Sdarrenr$B$O!"0lIt$N%^%7%s$r=|$$$F$OA4$F%V%m%C%/$7!"Fb$+$i30$X$N%"%/%;%9$O!"(B 4360841Sdarrenr$B86B'$H$7$FA4$FAGDL$7$9$k%]%j%7!<$G5-=R$5$l$F$$$^$9!#(B 4460841Sdarrenr 4560841Sdarrenr$B0J2<!"4IM}$7$F$$$k%5%V%M%C%H$r(B 4660841Sdarrenr 123.45.1.0/24 4760841Sdarrenr$B$H$7$FNc$r<($7$^$9!#(B24$B$O%5%V%M%C%H%^%9%/$G$9!#(B 4860841Sdarrenr 4960841Sdarrenr$B$^$?!"(Bgateway $B$O(B 5060841Sdarrenr 123.45.1.111 (hme0) 5160841Sdarrenr$B$,(B LAN$BB&$N%$%s%?!<%U%'!<%9!"(B 5260841Sdarrenr 123.45.2.10 (hme1) 5360841Sdarrenr$B$,30B&$N%$%s%?!<%U%'!<%9$H$7$^$9!#(B 5460841Sdarrenr 5560841Sdarrenr 5660841Sdarrenr===================== $B$3$3$+$i(B ==================== 5760841Sdarrenr########## quickly deny malicious packets 5860841Sdarrenr# 5960841Sdarrenrblock in quick from any to any with short 6060841Sdarrenrblock in log quick from any to any with ipopts 6160841Sdarrenr===================== $B$3$3$^$G(B ==================== 6260841Sdarrenr 6360841Sdarrenr$B$^$:$O$3$N%k!<%k$G!"IT@5$J%Q%1%C%H$r$O$M$^$9!#(Bblock $B$O(B block $B$9(B 6460841Sdarrenr$B$k0UL#$G!"H?BP$KDL$9>l9g$O(B pass $B$H$J$j$^$9!#(B 6560841Sdarrenr 6660841Sdarrenrlog $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$9$k%Q%1%C%H$N%m%0$r<h$k;X<($G(B 6760841Sdarrenr$B$9!#%m%0$O(B /dev/ipl $B$H$$$&%G%P%$%9%U%!%$%k$+$i%"%/%;%9$G$-$^$9$,!"(B 6860841Sdarrenr$B$3$N%G%P%$%9$O(B bounded buffer $B$J$N$G!"$"$kDxEY0J>e$N%m%0$O>C$($F(B 6960841Sdarrenr$B$7$^$$$^$9!#(B 7060841Sdarrenr 7160841Sdarrenr/dev/ipl $B$NFbMF$rFI$_=P$9$K$O(B ipmon $B$H$$$&%W%m%0%i%`$r;H$$$^$9!#(B 7260841Sdarrenripmon $B$O(B stdout, syslog, $B$b$7$/$ODL>o$N%U%!%$%k$K%m%0$r=PNO$7$^(B 7360841Sdarrenr$B$9!#5/F0;~$K(B ipmon $B$rN)$A>e$2$k$J$i!"<!$N$h$&$J9T$r(B rc $B%U%!%$%k(B 7460841Sdarrenr$B$K=q$/$H$h$$$G$7$g$&!#(B 7560841Sdarrenr 7660841Sdarrenripmon -n -o I ${IPMONLOG} < /dev/null > /dev/null 2>&1 & 7760841Sdarrenr 7860841Sdarrenr${IPMONLOG} $B$OE,Ev$J%U%!%$%kL>$KCV49$7$F$/$@$5$$!#(Bsyslog $B$K=PNO(B 7960841Sdarrenr$B$9$k>l9g$O!"(B-s $B%*%W%7%g%s$rIU$1$^$9!#(Bsyslog $B$K=PNO$9$k>l9g!"(B 8060841Sdarrenrlocal0.info $B$r5-O?$9$k$h$&$K(B syslog.conf $B$rJT=8$7$F$/$@$5$$!#(B 8160841Sdarrenr$BNc$($P!"(B 8260841Sdarrenr 8360841Sdarrenrlocal0.info ifdef(`LOGHOST', /var/log/syslog, @loghost) 8460841Sdarrenr 8560841Sdarrenr 8660841Sdarrenrquick $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$O0J9_$N%k!<%k$r(B 8760841Sdarrenr$BD4$Y$:$K!"%"%/%7%g%s(B(block or pass)$B$K=>$o$;$k$H$$$&$b$N$G$9!#$?(B 8860841Sdarrenr$B$@$7!"Nc30$,$"$j$^$9!#8e=R$7$^$9!#(B 8960841Sdarrenr 9060841Sdarrenr 9160841Sdarrenr===================== $B$3$3$+$i(B ==================== 9260841Sdarrenr########## group setup 9360841Sdarrenr# 9460841Sdarrenrblock in on hme1 all head 100 9560841Sdarrenrblock out on hme1 all head 150 9660841Sdarrenrpass in quick on hme0 all 9760841Sdarrenrpass out quick on hme0 all 9860841Sdarrenr===================== $B$3$3$^$G(B ==================== 9960841Sdarrenr 10060841Sdarrenr$B<!$K@)8f$r$+$1$k%$%s%?!<%U%'!<%9Kh$K%Q%1%C%H$KE,MQ$9$k%k!<%k$rJ,(B 10160841Sdarrenr$BN`$7$^$9!#(Bhme0 $B$O(B LAN $BB&$N%$%s%?!<%U%'!<%9$J$N$G!"B(:B$K5v2D(B 10260841Sdarrenr(pass quick)$B$7$F$$$^$9!#(B 10360841Sdarrenr 10460841Sdarrenrall $B$H$$$&$N$O!"(Bfrom any to any $B$N>JN,7A$G$9!#(B 10560841Sdarrenr 10660841Sdarrenr$B30It$H$N%$%s%?!<%U%'!<%9$G$"$k(B hme1 $B$O(B incoming $B$H(B outgoing $B$G!"(B 10760841Sdarrenr$B$=$l$>$l(B group 100 $BHV$H(B 150 $BHV$KJ,N`$7$^$9!#(Bhead $B$H$$$&$N$O!"$3(B 10860841Sdarrenr$B$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$r<!$NHV9f$N%0%k!<%W$KJ,N`$9$k$H$$$&(B 10960841Sdarrenr$B0UL#$G$9!#(B 11060841Sdarrenr 11160841Sdarrenr 11260841Sdarrenr===================== $B$3$3$+$i(B ==================== 11360841Sdarrenr########## deny IP spoofing 11460841Sdarrenr# 11560841Sdarrenrblock in log quick from 127.0.0.0/8 to any group 100 11660841Sdarrenrblock in log quick from 123.45.2.10/32 to any group 100 11760841Sdarrenrblock in log quick from 123.45.1.111/24 to any group 100 11860841Sdarrenr# 11960841Sdarrenr########## deny reserved addresses 12060841Sdarrenr# 12160841Sdarrenrblock in log quick from 10.0.0.0/8 to any group 100 12260841Sdarrenrblock in log quick from 192.168.0.0/16 to any group 100 12360841Sdarrenrblock in log quick from 172.16.0.0/12 to any group 100 12460841Sdarrenr# 12560841Sdarrenr===================== $B$3$3$^$G(B ==================== 12660841Sdarrenr 12760841SdarrenrIP $B%"%I%l%9$r2~cb$7$?%Q%1%C%H$rB(:B$K5qH]$7$F$$$^$9!#KvHx$N(B 12860841Sdarrenrgroup 100 $B$H$$$&$N$O(B head 100 $B$GJ,N`$5$l$?%Q%1%C%H$K$N$_%^%C%A$9(B 12960841Sdarrenr$B$k%k!<%k$H$$$&0UL#$G$9!#(B 13060841Sdarrenr 13160841Sdarrenr----- 13260841Sdarrenr$B$3$3$^$G$G!"4pK\E*$K(BLAN$BFb$NDL?.$OAGDL$7$@$,30It$H$NDL?.$O%G%U%)(B 13360841Sdarrenr$B%k%H$G0l@Z6X;_$H$$$&@_Dj$K$J$j$^$9!#0J9_$G$O!"$=$N%G%U%)%k%H$KBP(B 13460841Sdarrenr$B$9$kNc30$H$$$&7A$G!"DL$7$?$$%Q%1%C%H$r5-=R$7$F$$$-$^$9!#(B 13560841Sdarrenr 13660841Sdarrenr$B$^$:!"FbIt$+$i30It$X$N@\B3$K4X$9$k@_Dj$r$7$^$9!#(B 13760841Sdarrenr===================== $B$3$3$+$i(B ==================== 13860841Sdarrenr########## OUTGOING 13960841Sdarrenr# 14060841Sdarrenr## allow ping out 14160841Sdarrenr# 14260841Sdarrenrpass out quick proto icmp from any to any keep state group 150 14360841Sdarrenr# 14460841Sdarrenr## allow all outgoing UDP packets except for netbios ports (137-139). 14560841Sdarrenr# 14660841Sdarrenrpass out quick proto udp from any to any keep state head 160 group 150 14760841Sdarrenrblock out log quick proto udp from any to any port 136 >< 140 group 160 14860841Sdarrenr# 14960841Sdarrenr## pass all TCP connection setup packets except for netbios ports (137-139). 15060841Sdarrenr# 15160841Sdarrenrpass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150 15260841Sdarrenrblock out log quick proto tcp from any to any port 136 >< 140 group 170 15360841Sdarrenr===================== $B$3$3$^$G(B ==================== 15460841Sdarrenr 15560841Sdarrenr$B$3$l$O4pK\E*$KA4$F$N%Q%1%C%H$r5v$9%k!<%k$G$9!#$7$+$7!"(Bnetbios 15660841Sdarrenr(137-139/udp, tcp)$B$N%]!<%H$@$1$O6X;_$7$F$$$^$9!#(Bnetbios$B$O(B Windows 15760841Sdarrenr$B$N%U%!%$%k6&M-$G;H$o$l$k%]!<%H$G!"$3$N%]!<%H$,3+$$$F$$$k$H!"(B 15860841SdarrenrWindows$B$N@_Dj$K$h$C$F$O!"@$3&Cf$+$i%U%!%$%k$rFI$_=q$-$G$-$k(B 15960841Sdarrenr$B62$l$,$"$j$^$9!#(B 16060841Sdarrenr 16160841Sdarrenr$B$3$3$G!"4JC1$K=q<0$r8+$F$*$/$H!"(B 16260841Sdarrenr* $B:G=i$NC18l$G!"(Bblock$B$9$k$+(Bpass$B$9$k$+;XDj$9$k(B 16360841Sdarrenr* proto $B$N8e$NC18l$G!"(Bprotocol$B$r;XDj$9$k(B(udp, tcp, icmp, etc.)$B!#(B 16460841Sdarrenr* from A to B $B$G!"$I$3$+$i$I$3$X$N%Q%1%C%H$+$r;XDj$9$k(B 16560841Sdarrenr* head XXX$B$r;XDj$9$k$H!"$=$N9T$G;XDj$5$l$"$?%Q%1%C%H$O!"(Bgroup 16660841Sdarrenr XXX$B$H$7$F;2>H$G$-$k(B 16760841Sdarrenr* group$B$r;XDj$9$k$3$H$G!"5,B'$rE,MQ$9$k8uJd$r(B($BM=$a(Bhead$B$G@_Dj$7$?(B) 16860841Sdarrenr group$B$K8BDj$G$-$k!#(B 16960841Sdarrenr 17060841Sdarrenr$B$^$?!"(Bfrom A to B$B$N(BA$B$d(BB$B$O!"(BIP$B%"%I%l%9$H(Bport$B$r=q$/$3$H$,$G$-$^$9!#(B 17160841Sdarrenr from any to any port 136 >< 140 17260841Sdarrenr$B$H$$$&$N$O!"(B 17360841Sdarrenr $B!VG$0U$N%]!<%H$NG$0U$N%"%I%l%9$+$i!"(B137$BHV$+$i(B139$BHV%]!<%H$NG$0U$N(B 17460841Sdarrenr $B%"%I%l%9$X$N%Q%1%C%H!W(B 17560841Sdarrenr$B;XDj$7$F$$$k$3$H$K$J$j$^$9!#$^$?!"HV9f$NBe$o$j$K(B/etc/service$B$K5-(B 17660841Sdarrenr$B=R$5$l$F$$$k%5!<%S%9L>$r5-=R$9$k$3$H$b$G$-$^$9!#(B 17760841Sdarrenr$B$?$H$($P(B 17860841Sdarrenr from any to any port = telnet 17960841Sdarrenr$B$H(B 18060841Sdarrenr from any to any port = 23 18160841Sdarrenr$B$OF1$80UL#$H$J$j$^$9!#(B 18260841Sdarrenr 18360841Sdarrenr$B$5$F!"$3$3$G(B quick $B$NNc30$r@bL@$7$F$*$-$^$9!#(Bquick $B$NIU$$$?(B 18460841Sdarrenrrule $B$,(B head $B$G?7$?$J%0%k!<%W$r:n$k>l9g!"=hM}$O$^$@$3$N;~E@(B 18560841Sdarrenr$B$G$O3NDj$7$^$;$s!#0J9_!"!V(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k!W(B 18660841Sdarrenr$B$N$_=hM}$9$k$H$$$&0UL#$K$J$j$^$9!#$G$9$+$i>e$N!"(B 18760841Sdarrenr 18860841Sdarrenrpass out quick proto udp from any to any keep state head 160 group 150 18960841Sdarrenrblock out log quick proto udp from any to any port 136 >< 140 group 160 19060841Sdarrenr 19160841Sdarrenr$B$O!"$^$:(B 150$BHV%0%k!<%W$K%^%C%A$9$k(B UDP $B%Q%1%C%H$OAGDL$7(B 19260841Sdarrenr$B$9$k!"$,!"0J2<$N(B 160$BHV$KB0$9$k%k!<%k$r$^$@=hM}$9$k!#(B 19360841Sdarrenr$B$=$7$F(B2$B9TL\$G(B 160$BHV%0%k!<%W$KBP$7$F(B netbios packet $B$r(B 19460841Sdarrenrblock $B$7$F$$$kLu$G$9!#(B 19560841Sdarrenr$B0l9TL\$K%^%C%A$7$?%Q%1%C%H$O0J2<$K$b$7(B150$BHV$N%0%k!<%W$N(B 19660841Sdarrenr$B%k!<%k$,$"$C$?$H$7$F$b!"L5;k$9$k$3$H$KCm0U$7$F$/$@$5$$!#(B 19760841Sdarrenr 19860841Sdarrenr---------- 19960841Sdarrenr$B<!$K!"30It$+$iFbIt$X$N%"%/%;%9$N@_Dj$r$7$^$9!#(B 20060841Sdarrenr 20160841Sdarrenr* $B%k!<%F%#%s%0>pJs(B(RIP)$B$N%Q%1%C%H$O!"A4It5v$7$^$9!#(B 20260841Sdarrenrpass in quick proto udp from any to any port = 520 keep state group 100 20360841Sdarrenr 20460841Sdarrenr* ICMP$B$N%Q%1%C%H$OA4It5v$7$^$9!#(B 20560841Sdarrenrpass in quick proto icmp from any to any group 100 20660841Sdarrenr 20760841Sdarrenr* $BFbIt$+$i30It$X$N(Bftp$B$r5v$9$?$a$K!"(Bftp-data port$B$+$i0lHL%]!<%H$X(B 20860841Sdarrenr $B$NG$0U$N@\B3$r<u$1IU$1$^$9!#$3$l$O(Bpassive mode$B$G$J$$(BFTP$B$N5sF0(B 20960841Sdarrenr $B$G$9!#(B 21060841Sdarrenrpass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100 21160841Sdarrenr 21260841Sdarrenr $B$7$+$7!"$3$l$O0lHL$K8@$C$FB?>/4m81$J9T0Y$G$9!#@\B3$G$-$k$N$,(B 21360841Sdarrenr 1024$BHV0J9_$N0lHL%]!<%H$K8BDj$O$5$l$^$9$,!"$"$^$j$*4+$a$G$-$^$;$s!#(B 21460841Sdarrenr $B$3$N9T$r2C$($:$K!"(Bpassive mode (ftp $B$G(B pasv $B%3%^%s%I$GF~$l$k(B) 21560841Sdarrenr $B$G(B FTP $B$r$9$k$3$H$r4+$a$^$9!#$J$*!":G6a$N(B FTP client $B$O:G=i(B 21660841Sdarrenr $B$+$i(B passive mode $B$KL5>r7o$G$7$F$7$^$&$b$N$,B?$$$h$&$G$9!#(B 21760841Sdarrenr 21860841Sdarrenr* sendmail$B$d(Bftpd$B$K7R$0$H!"Aj<j$,(Bident$B%]!<%H$X%"%/%;%9$7$F$/$k$3(B 21960841Sdarrenr $B$H$,$"$k$N$G!"(Bident port$B$r3+$1$^$9!#(Bident $B$ODL>o$O5/F0$5$l$F$$(B 22060841Sdarrenr $B$J$$(B daemon $B$J$N$G!"AGDL$7$7$F$b%;%-%e%j%F%#%[!<%k$K$J$k$3$H$O$"(B 22160841Sdarrenr $B$j$^$;$s(B(connection refused$B$K$J$k$@$1$G$9(B)$B!#$3$l$r3+$1$J$$$H!"(B 22260841Sdarrenr $BAj<jB&$O(B timeout $B$9$k$^$G@h$K?J$^$J$$$N$G!"(BFTP $B$d(B mail $B$NAw?.(B 22360841Sdarrenr $B$,$d$?$i$KCY$/$J$k$3$H$,$"$j$^$9!#(B 22460841Sdarrenr $B$b$7(B 113 $BHV%]!<%H$K@\B3$G$-$k$h$&$J$i!"$=$N%5!<%S%9$OB(:B$K(B 22560841Sdarrenr $BDd;_$9$k$3$H$r4+$a$^$9!#(B 22660841Sdarrenrpass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100 22760841Sdarrenr 22860841Sdarrenr------ 22960841Sdarrenr$B<!$K!"30It$+$i(B firewall $B$X$N%"%/%;%9$r5v$9%5!<%S%9$r5-=R$7$F$$$-(B 23060841Sdarrenr$B$^$9!#$^$:$O!"30It$+$i$N@\B3$r5v$7$?$$%[%9%H$K$D$$$F!"%0%k!<%WHV(B 23160841Sdarrenr$B9f$r$D$1$^$9!#(B 23260841Sdarrenr 23360841Sdarrenr===================== $B$3$3$+$i(B ==================== 23460841Sdarrenr## grouping by host 23560841Sdarrenrblock in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100 23660841Sdarrenrblock in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100 23760841Sdarrenr===================== $B$3$3$^$G(B ==================== 23860841Sdarrenr 23960841Sdarrenr$B$3$l$G!"(B 24060841Sdarrenr $B30It$+$i(B 123.45.1.X $B$X$N@\B3$O(B group 110 24160841Sdarrenr $B30It$+$i(B 123.45.1.Y $B$X$N@\B3$O(B group 111 24260841Sdarrenr$B$G;2>H$9$k$3$H$,$G$-$^$9!#(B 24360841Sdarrenr 24460841Sdarrenr$BB>$K$b5v$7$?$$%[%9%H$rA}$d$7$?$$$H$-$O!">e$HF1MM$K$7$F!"(Bhead$B$N8e(B 24560841Sdarrenr$B$K!"?7$7$$?t;z(B(112, 113$B$J$I(B)$B$r3d$jEv$F$F$/$@$5$$!#(B 24660841Sdarrenr 24760841Sdarrenr$B$b$&0lEYCm0U$7$F$*$-$^$9$,!"(Bquick $B$H(B head $B$,F1;~$K8=$l$k%k!<%k(B 24860841Sdarrenr$B0J9_$G$O!"(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k$7$+E,MQ$5$l$J$/$J$j(B 24960841Sdarrenr$B$^$9!#$G$9$+$i!">e$N(B ident $B$d(B ftp data-port $B$N$h$&$K!"FbIt$N(B 25060841Sdarrenr$BA4$F$N%[%9%H$K%^%C%A$9$k%k!<%k$O!"$3$N%[%9%H$K$h$k%0%k!<%WJ,$1(B 25160841Sdarrenr$B$NA0$KCV$/I,MW$,$"$j$^$9!#(B 25260841Sdarrenr 25360841Sdarrenr 25460841SdarrenrX$B$X$O!"(Btelnet, ftp, ssh $B$r!"(BY$B$X$O!"(Bftp, http, smtp, pop $B$r5v$9$3(B 25560841Sdarrenr$B$H$K$7$^$9!#(B 25660841Sdarrenr 25760841Sdarrenr* X(group 110)$B$X$N(Btelnet$B$r5v$7$^$9(B 25860841Sdarrenrpass in quick proto tcp from any to any port = telnet keep state group 110 25960841Sdarrenr 26060841Sdarrenr* X$B$X$N(Bftp$B$r5v$7$^$9!#(Bftp-data port $B$b3+$1$F$*$-$^$9!#(B 26160841Sdarrenr ($BI,MW$,$"$k$+$I$&$+3NG'$O$7$F$$$^$;$s$,!"3+$1$F$$$F$b0BA4$G$7$g$&(B)$B!#(B 26260841Sdarrenrpass in quick proto tcp from any to any port = ftp keep state group 110 26360841Sdarrenrpass in quick proto tcp from any to any port = ftp-data keep state group 110 26460841Sdarrenr 26560841Sdarrenr* X$B$X$N(Bssh$B$r5v$7$^$9!#(B 26660841Sdarrenrpass in quick proto tcp from any to any port = 22 keep state group 110 26760841Sdarrenr 26860841Sdarrenr* Y$B$X$N(Bftp$B$r5v$7$^$9!#(B 26960841Sdarrenrpass in quick proto tcp from any to any port = ftp keep state group 111 27060841Sdarrenrpass in quick proto tcp from any to any port = ftp-data keep state group 111 27160841Sdarrenrpass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111 27260841Sdarrenr 27360841Sdarrenr Y$B$O(B anonoymous ftp $B%5!<%P$r1?1D$7$F$$$k$?$a(B wu-ftpd $B$r;H$C$F$$(B 27460841Sdarrenr $B$^$9!#(Bwu-ftpd $B$O(B passive mode $B$N(BFTP$B$K$bBP1~$7$F$$$^$9$N$G!"$I(B 27560841Sdarrenr $B$N%]!<%H$r(BPASV$BMQ$K;H$&$+!"(Bwu-ftpd $B$N@_Dj$K=q$$$F$*$/I,MW$,$"$j(B 27660841Sdarrenr $B$^$9!#$3$3$G$O(B3000$B$+$i(B3099$BHV%]!<%H$r;HMQ$9$k$h$&$K!"(Bwu-ftpd $B$r(B 27760841Sdarrenr $B@_Dj$7$F$$$^$9!#(B 27860841Sdarrenr 27960841Sdarrenr passive FTP $B$K$D$$$F2r@b$7$^$9!#(Bpassive FTP $B$O!"%/%i%$%"%s%H$,(B 28060841Sdarrenr $B%U%!%$%"%&%)!<%k$NFbB&$K$$$k>l9g$N$?$a$K3+H/$5$l$?%W%m%H%3%k$G(B 28160841Sdarrenr $B$9!#%G%U%)%k%H$G$O>e$G@bL@$7$?$h$&$K!"%G!<%?E>Aw$N$?$a!"%5!<%P(B 28260841Sdarrenr $B$N(B ftp-data port $B$+$i%/%i%$%"%s%H$K@\B3$,$$$-$^$9!#(B 28360841Sdarrenr 28460841Sdarrenr passive FTP $B$G$O!"%G!<%?E>Aw$b(B client $B$+$i%5!<%P$K@\B3$9$k$h$&(B 28560841Sdarrenr $B$K$J$j$^$9!#$=$N:]!"%5!<%P$OE,Ev$J%]!<%HHV9f$r3d$j?6$C$F!"$=$3(B 28660841Sdarrenr $B$K%/%i%$%"%s%H$,@\B3$9$k$h$&;X<($7$^$9!#(B 28760841Sdarrenr 28860841Sdarrenr $B$3$N$?$a!"%5!<%P$,%U%!%$%"%&%)!<%kFb$K$$$k>l9g!"E,Ev$J%]!<%HHV(B 28960841Sdarrenr $B9f$O%U%!%$%"%&%)!<%k$G$O$M$i$l$F$7$^$$$^$9!#$=$3$G!"(Bwu-ftpd $B$N(B 29060841Sdarrenr $B@_Dj$G!"3d$j?6$k%]!<%HHV9f$NHO0O$r8BDj$7$F!"$=$3$@$1%U%!%$%"(B 29160841Sdarrenr $B%&%)!<%k$K7j$r3+$1$F$$$k$o$1$G$9!#(Bwu-ftpd $B$N>l9g$O!"(Bftpaccess 29260841Sdarrenr $B$H$$$&%U%!%$%k$K(B 29360841Sdarrenr 29460841Sdarrenr # passive ports <cidr> <min> <max> 29560841Sdarrenr passive ports 0.0.0.0/0 3000 3099 29660841Sdarrenr 29760841Sdarrenr $B$HDI2C$9$k$3$H$G@_Dj$G$-$^$9!#(Bftpaccess(5)$B$r;2>H$7$F$/$@$5$$!#(B 29860841Sdarrenr 29960841Sdarrenr* Y$B$X$N(Bhttp$B$r5v$7$^$9!#(B 30060841Sdarrenrpass in quick proto tcp from any to any port = 80 keep state group 111 30160841Sdarrenr 30260841Sdarrenr* Y$B$X$N(Bsmtp$B$r5v$7$^$9!#(B 30360841Sdarrenrpass in quick proto tcp from any to any port = smtp keep state group 111 30460841Sdarrenr 30560841Sdarrenr* Y$B$X$N(Bpop$B$r5v$7$^$9!#(B 30660841Sdarrenrpass in quick proto tcp from any to any port = 110 keep state group 111 30760841Sdarrenr 30860841Sdarrenr$B0J>e$N@_Dj$K$h$j!"(BX, Y $B0J30$N%^%7%s$X$N!"30It$+$i$N@\B3$O!"0l@Z(B 30960841Sdarrenr$B9T$($J$/$J$j$^$9$N$G!"(Bremote exploit $BBP:v$O!"(BX, Y $B$K$N$_9T$($P$h(B 31060841Sdarrenr$B$/$J$j!"4IM}$N<j4V$,7Z8:$G$-$^$9!#(B 31160841Sdarrenr 31260841Sdarrenr$BB>$N%W%m%H%3%k$rDL$9>l9g$b!">e$r;29M$K$7$FDL$7$?$$%]!<%HHV9f$r=q(B 31360841Sdarrenr$B$/$@$1$G$9$,!"$$$/$D$+Cm0UE@$,$"$j$^$9!#0J2<$bL\$rDL$7$F$/$@$5$$!#(B 31460841Sdarrenr 31560841Sdarrenr----- 31660841Sdarrenr$B$=$NB>$NCm0U(B 31760841Sdarrenr 31860841Sdarrenr1) gateway $B%^%7%s$N$h$&$K!"J#?t$N(BIP$B%"%I%l%9$r;}$D%^%7%s$G%5!<%S(B 31960841Sdarrenr$B%9$rN)$A>e$2$k>l9g$O!"$=$l$>$l$N(BIP$B%"%I%l%9$KBP$7$F!"(Bport $B$r3+$/(B 32060841Sdarrenr$BI,MW$,$"$j$^$9!#Nc$($P(B X $B$,(B IP:a $B$H(B IP:b $B$r;}$D$J$i!"(Bgroup $B$O(B a, 32160841Sdarrenrb $B$=$l$>$lMQ0U$7$F!"N>J}$N%0%k!<%WMQ$K(B rule $B$rDI2C$9$kI,MW$,$"$j(B 32260841Sdarrenr$B$^$9!#0J2<$NNc$G$O!"%2!<%H%&%'%$%^%7%s(B(123.45.2.10$B$H(B123.45.1.111 32360841Sdarrenr$B$N(BIP$B$r;}$D(B)$B$K(BNNTP$B%5!<%P$rN)$F$F$$$^$9!#(B 32460841Sdarrenr 32560841Sdarrenr($BNc(B) 32660841Sdarrenr#### grouping by host 32760841Sdarrenrblock in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100 32860841Sdarrenrblock in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100 32960841Sdarrenr#### allow NNTP 33060841Sdarrenrpass in quick proto tcp from any to any port = nntp keep state group 112 33160841Sdarrenrpass in quick proto tcp from any to any port = nntp keep state group 113 33260841Sdarrenr 33360841Sdarrenrgateway $B$,(B2$B$D0J>e$"$k%M%C%H%o!<%/$G$O!"N>J}$N(B gateway $B$K(B IP 33460841Sdarrenrfilter $B$,I,MW$K$J$j!"@_Dj$O99$KJ#;($K$J$j$^$9!#$=$N$h$&$J4D6-$N(B 33560841Sdarrenr$B>l9g$K$O!"%^%K%e%"%k$rFI$s$G8!F$$7$F$/$@$5$$!#(B 33660841Sdarrenr 33760841Sdarrenr2) NFS$B$H(Brsh$B$O%W%m%H%3%k$N4X78>e!"(Bfirewall$BD6$($OIT2DG=$G$9!#(B 33860841Sdarrenr NFS$B$NBeBX$K$D$$$F$OITL@$G$9$,!"(Brsh$B$NBeBX$H$7$F$O(Bssh$B$,;H$($^$9!#(B 33960841Sdarrenr 34060841Sdarrenr3) $B30It$N(BX client $B$r!"%U%!%$%"%&%)!<%kFb$N(BX$B%5!<%P$K@\B3$5$;$?$$!"(B 34160841Sdarrenr $B$H$$$&$N$O(B FAQ $B$N0l$D$G$9!#$*4+$a$N2r7h:v$O!"(Bssh $B$N(B X forwarding 34260841Sdarrenr $B5!9=$r;H$&$3$H$G$9!#(Bssh$B$G@\B3$G$-$k$J$i$P!"$3$l$O40A4$K(B secure 34360841Sdarrenr $B$GHFMQE*$JJ}K!$G$9!#(B 34460841Sdarrenr 34560841Sdarrenr$B$=$l$,=PMh$J$$>l9g$O!"2f!9$O@\B3$5$;$?$$%[%9%H$N%Z%"$r%f!<%6$KJs(B 34660841Sdarrenr$B9p$7$F$b$i$C$F!"0J2<$N$h$&$J%k!<%k$rDI2C$7$F$$$^$9!#(B 34760841Sdarrenr# X:0 $B$O(B tcp:6000 $BHV$K$J$j$^$9!#(B 34860841Sdarrenr 34960841Sdarrenr# 123.45.1.Z:0 (server) <-> A.B.C.D (client) 35060841Sdarrenrpass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100 35160841Sdarrenr 35260841Sdarrenr----- 35360841Sdarrenr$B:G8e$K!";D$k%Q%1%C%H$OA4$F%V%m%C%/$5$l$kLu$G$9$,!"$=$l$K$D$$$F$N(B 35460841Sdarrenr$BA4$F$N%m%0$r;D$9$3$H$r4uK>$9$k>l9g!"<!$N%k!<%k$r!VI,$::G8e$K!W2C(B 35560841Sdarrenr$B$($^$9!#(B 35660841Sdarrenr 35760841Sdarrenr## log blocked packets 35860841Sdarrenrblock in log quick from any to 123.45.1.111/24 group 100 35960841Sdarrenrblock in log quick from any to 123.45.2.10 group 100 36060841Sdarrenr 36160841Sdarrenr------ 36260841Sdarrenr$B:#Kx$N@_Dj$r$R$H$D$K$^$H$a$?%U%!%$%k$r:G8e$KE:IU$7$^$9!#(B 36360841Sdarrenr 36460841Sdarrenr===================== $B$3$3$+$i(B ==================== 36560841Sdarrenr########## Packet Filtering Rules for 123.45.1. ########## 36660841Sdarrenr# 36760841Sdarrenr# The following routes should be configured, if not already: 36860841Sdarrenr# 36960841Sdarrenr# route add 123.45.1.111 localhost 0 (hme0) (LAN) 37060841Sdarrenr# route add 123.45.2.10 localhost 0 (hme1) (upstream) 37160841Sdarrenr# 37260841Sdarrenr########## quickly deny malicious packets 37360841Sdarrenr# 37460841Sdarrenrblock in quick from any to any with short 37560841Sdarrenrblock in log quick from any to any with ipopts 37660841Sdarrenr# 37760841Sdarrenr########## group setup 37860841Sdarrenr# 37960841Sdarrenrblock in on hme1 all head 100 38060841Sdarrenrblock out on hme1 all head 150 38160841Sdarrenrpass in quick on hme0 all 38260841Sdarrenrpass out quick on hme0 all 38360841Sdarrenr# 38460841Sdarrenr########## deny IP spoofing 38560841Sdarrenr# 38660841Sdarrenrblock in log quick from 127.0.0.0/8 to any group 100 38760841Sdarrenrblock in log quick from 123.45.2.10/32 to any group 100 38860841Sdarrenrblock in log quick from 123.45.1.111/24 to any group 100 38960841Sdarrenr# 39060841Sdarrenr########## deny reserved addresses 39160841Sdarrenr# 39260841Sdarrenrblock in log quick from 10.0.0.0/8 to any group 100 39360841Sdarrenrblock in log quick from 192.168.0.0/16 to any group 100 39460841Sdarrenrblock in log quick from 172.16.0.0/12 to any group 100 39560841Sdarrenr# 39660841Sdarrenr########## OUTGOING 39760841Sdarrenr# 39860841Sdarrenr## allow ping out 39960841Sdarrenrpass out quick proto icmp from any to any keep state group 150 40060841Sdarrenr# 40160841Sdarrenr## allow all outgoing UDP packets except for netbios ports (137-139). 40260841Sdarrenr# 40360841Sdarrenrpass out quick proto udp from any to any keep state head 160 group 150 40460841Sdarrenrblock out log quick proto udp from any to any port 136 >< 140 group 160 40560841Sdarrenr# 40660841Sdarrenr## pass all TCP connection setup packets except for netbios ports (137-139). 40760841Sdarrenr# 40860841Sdarrenrpass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150 40960841Sdarrenrblock out log quick proto tcp from any to any port 136 >< 140 group 170 41060841Sdarrenr# 41160841Sdarrenr######### INCOMING 41260841Sdarrenr## ICMP 41360841Sdarrenrpass in quick proto icmp from any to any group 100 41460841Sdarrenr## RIP 41560841Sdarrenrpass in quick proto udp from any to any port = 520 keep state group 100 41660841Sdarrenr## FTP 41760841Sdarrenrpass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100 41860841Sdarrenr## IDENT 41960841Sdarrenrpass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100 42060841Sdarrenr# 42160841Sdarrenr## grouping by host (112 & 113 is the gateway address) 42260841Sdarrenrblock in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100 42360841Sdarrenrblock in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100 42460841Sdarrenrblock in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100 42560841Sdarrenrblock in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100 42660841Sdarrenr# 42760841Sdarrenr## telnet, ftp, ssh, www, smtp, pop 42860841Sdarrenrpass in quick proto tcp from any to any port = telnet keep state group 110 42960841Sdarrenrpass in quick proto tcp from any to any port = ftp keep state group 110 43060841Sdarrenrpass in quick proto tcp from any to any port = ftp-data keep state group 110 43160841Sdarrenrpass in quick proto tcp from any to any port = 22 keep state group 110 43260841Sdarrenrpass in quick proto tcp from any to any port = ftp keep state group 111 43360841Sdarrenrpass in quick proto tcp from any to any port = ftp-data keep state group 111 43460841Sdarrenrpass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111 43560841Sdarrenrpass in quick proto tcp from any to any port = 80 keep state group 111 43660841Sdarrenrpass in quick proto tcp from any to any port = smtp keep state group 111 43760841Sdarrenrpass in quick proto tcp from any to any port = 110 keep state 43860841Sdarrenrgroup 111 43960841Sdarrenr# 44060841Sdarrenr## allow NNTP on the gateway 44160841Sdarrenrpass in quick proto tcp from any to any port = nntp keep state group 112 44260841Sdarrenrpass in quick proto tcp from any to any port = nntp keep state group 113 44360841Sdarrenr# 44460841Sdarrenr## X connections 44560841Sdarrenr# 123.45.1.Z:0 (server) <-> A.B.C.D (client) 44660841Sdarrenrpass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100 44760841Sdarrenr# 44860841Sdarrenr## log blocked packets 44960841Sdarrenr## THIS MUST BE THE LAST RULE! 45060841Sdarrenrblock in log quick from any to 123.45.1.111/24 group 100 45160841Sdarrenrblock in log quick from any to 123.45.2.10 group 100 45260841Sdarrenr===================== $B$3$3$^$G(B ==================== 45360841Sdarrenr 45460841Sdarrenr---- 45560841Sdarrenr$B$3$NJ8=q$N<h$j07$$$K$D$$$F(B 45660841SdarrenrCopyright (C) 1999 TOYAMA Sumio <sumio@is.s.u-tokyo.ac.jp> 45760841Sdarrenr and YAMAMOTO Hirotaka <ymmt@is.s.u-tokyo.ac.jp> 45860841Sdarrenr 45960841SdarrenrTHIS DOCUMENT IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 46060841SdarrenrIMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 46160841SdarrenrWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 46260841SdarrenrPURPOSE. 46360841Sdarrenr 46460841SdarrenrPermission to modify this document and to distribute it is hereby 46560841Sdarrenrgranted, as long as above notices and copyright notice are retained. 466