From owner-FreeBSD-users-jp@jp.freebsd.org  Sun Feb 20 19:17:39 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id TAA15214;
	Sun, 20 Feb 2000 19:17:39 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from juran.asahi-net.or.jp (juran.asahi-net.or.jp [202.224.39.39])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id TAA15209
	for <FreeBSD-users-jp@jp.freebsd.org>; Sun, 20 Feb 2000 19:17:38 +0900 (JST)
	(envelope-from hiroki.kakishima@nifty.ne.jp)
Received: from heart (ppp220101.asahi-net.or.jp [210.155.220.101])
	by juran.asahi-net.or.jp (8.8.8/3.7W) with SMTP id TAA00367
	for <FreeBSD-users-jp@jp.freebsd.org>; Sun, 20 Feb 2000 19:17:37 +0900 (JST)
Message-Id: <200002201017.TAA00367@juran.asahi-net.or.jp>
Date: Sun, 20 Feb 2000 19:23:15 +0900
From: Hiroki Kakishima <hiroki.kakishima@nifty.ne.jp>
To: FreeBSD-users-jp@jp.freebsd.org
X-Mailer: Datula version 1.22 for Windows
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-2022-jp
Reply-To: FreeBSD-users-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: FreeBSD-users-jp 49886
Subject: [FreeBSD-users-jp 49886] firewall type = filename
Errors-To: owner-FreeBSD-users-jp@jp.freebsd.org
Sender: owner-FreeBSD-users-jp@jp.freebsd.org
X-Originator: hiroki.kakishima@nifty.ne.jp

$B$+$-$7$^$G$9!#(B

ip-filter$B$N7o$G$O$"$j$,$H$&$4$6$$$^$7$?!#(B
IP$B%^%9%+%l!<%I$r<B8=$G$-$^$7$?!#(B

ipfw$B$rM-8z$K$7!"%Q%1%C%H%U%#%k%?%j%s%0%k!<%?$K$7$h$&$H;W$C$F$$$^$9!#(B
rc.conf$B$G(B firewall_type="filename" $B$r;XDj$7$F%U%#%k%?$7$?$$$N$G$9$,!"(B
$B:n@.$7$?%k!<%k%U%!%$%k$rFI$_9~$^$:%G%U%)%k%H$N!VA4%Q%1%C%H$r5qH]!W$K(B
$B$J$C$F$7$^$$$^$9!#(B

FreeBSD 3.3R$B$G$9!#(B
ip-filter$B$G(BIP$B%^%9%+%l!<%I$7$?$N$G!"(Bnatd$B$O;H$o$J$$$3$H$K$7$^$7$?!#(B
$B$h$m$7$/$*4j$$$7$^$9!#(B


$B!c%+!<%M%k!d(B
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
$B$rDI2C!#(B


$B!c(Brc.conf $B4X78ItJ,H4?h!d(B
gateway_enable="YES"
static_routes="nat"
route_nat="192.168.0.0 -netmask 255.255.255.0 -interface 192.168.0.254"

firewall_enable="YES"
firewall_type="/etc/ipfwrules"
firewall_quiet="NO"

hostname="myhost.my.domain"
network_interfaces="fxp0 fxp1 lo0"
ifconfig_fxp0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.0.254 netmask 255.255.255.0"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_fxp0_alias0="inet 192.168.1.2 netmask 255.255.255.0"


$B!c(B/etc/ipfwrules$B!d(B
add deny 137-139 from any to any
add deny 192.168.1.1 to any in via fxp0

# Stop spoofing
add deny all from 192.168.0.0/24 to any in via fxp0
add deny all from 192.168.1.1 to any in via fxp0

# Stop RFC1918 nets on the outside interface
add deny all from 192.168.0.0/16 to any via fxp0
add deny all from any to 192.168.0.0/16 via fxp0
add deny all from 172.16.0.0/12 to any via fxp0
add deny all from any to 172.16.0.0/12 via fxp0
add deny all from 10.0.0.0/8 to any via fxp0
add deny all from any to 10.0.0.0/8 via fxp0

# Allow TCP through if setup succeeded
add pass tcp from any to any established

# Allow setup of incoming email
add pass tcp from any to 192.168.1.1 25 setup

# Allow access to our DNS
add pass tcp from any to 192.168.1.1 53 setup

# Allow access to our WWW
add pass tcp from any to 192.168.1.1 80 setup

# Reject&Log all setup of incoming connections from the outside
add deny log tcp from any to any in via fxp0 setup

# Allow DNS queries out in the world
add pass udp from any 53 to 192.168.1.1
add pass udp from 192.168.1.1 to any 53

# Allow NTP queries out in the world
add pass udp from 210.145.255.76 123 to 192.168.1.1
add pass udp from 192.168.1.1 to 210.145.255.76 123

# Allow ICMP queries out in the world
add pass icmp from 192.168.1.0/24 to any via fxp0
add pass icmp from any to 192.168.1.0/24 via fxp0

# Allow localhost and localnetwork connection
add pass all tcp,udp from any to any via lo0
add pass tcp,udp from 192.168.0.0/24 to any setup
add pass tcp,udp from localhost to any setup

# Everything else is denied as default.
add 65530 deny log all from any to any






=============================================================
 Hiroki Kakishima
-E-Mail------------------------------------------------------
 hiroki.kakishima@nifty.ne.jp
 kakibo@wo-wo.net
 heart@mbb.nifty.ne.jp (PostPet)
-Homepage---------------------------------------------------
 http://www.pipi.net/heart (KAKIBO-PC-MEMO)
 http://www.pipi.net/oyako ($BEDJ}$*$d$37`>l(B)
 http://www.ne.jp/asahi/is/sunshine/theater/ (Theatre$BK|2Z6@(B)
=============================================================
