From owner-FreeBSD-net-jp@jp.FreeBSD.org Wed May 21 13:37:14 2003
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id h4L4bEt71176;
	Wed, 21 May 2003 13:37:14 +0900 (JST)
	(envelope-from owner-FreeBSD-net-jp@jp.FreeBSD.org)
Received: from mail.netw.co.jp (ns.netw.co.jp [210.249.77.66])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id h4L4bDY71171
	for <FreeBSD-net-jp@jp.FreeBSD.org>; Wed, 21 May 2003 13:37:13 +0900 (JST)
	(envelope-from noguchi@netw.co.jp)
Received: from [172.29.1.104] [219.118.171.89] by mail.netw.co.jp with ESMTP
  (SMTPD32-7.06) id AF8D14E00C2; Wed, 21 May 2003 13:24:45 +0900
Mime-Version: 1.0
X-Sender: noguchi@mail.netw.co.jp
X-Mailer: QUALCOMM MacOS X Eudora Version 5.1.1-Jr3
Message-Id: <p05111001baf0af5402a0@[172.29.1.104]>
To: FreeBSD-net-jp@jp.FreeBSD.org
From: =?iso-2022-jp?B?IhskQkxuOH0hITdyQkAbKEIi?= <noguchi@netw.co.jp>
Content-Type: text/plain; charset="iso-2022-jp" ; format="flowed"
Content-Transfer-Encoding: 7bit
Reply-To: FreeBSD-net-jp@jp.FreeBSD.org
Precedence: list
Date: Wed, 21 May 2003 13:37:04 +0900
X-Sequence: FreeBSD-net-jp 3943
Subject: [FreeBSD-net-jp 3943] IPSec+ipfw+natd
 =?ISO-2022-JP?B?GyRCJEskRCQkJEYbKEI=?= 
Sender: owner-FreeBSD-net-jp@jp.FreeBSD.org
X-Originator: noguchi@netw.co.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+030514

初めまして、野口と申します。

現在ＶＰＮの試験運用を行おうとテストしている最中なのですが、
ipfw?natd?で壁にあたっています。

IPSec$B$K$FAj8_DL?.$,$G$-$k$^$G$O!"%F%9%H$,$G$-$^$7$?!#(B
$B$?$@!"%U%#%k%?%j%s%0$r$+$1$h$&$H$7$?$N$G$9$,!"%k!<%k$rE,MQ$9$k$H!"2?$b(B 
$B<u$1IU$1$J$/$J$j$^$9!#(B
$B2?$+8+Mn$H$7$F$$$k$N$+!"$=$l$H$b8+Ev0c$$$N$3$H$r$7$F$$$k$N$+$5$C$Q$jJ,(B 
$B$+$j$^$;$s!#(B

どこがいけないのかご指摘いただきたくメールを送った次第です。
下記にフィルタリングルールを記述しておきました。
よろしくお願いします。

http://www.tac.tsukuba.ac.jp/~hiromi/ipfw4.htmlの
ルールを参考にさせていただきました。


# IPFW$B!\(BNAT$B!\(BVPN$B%k!<%k@_Dj%9%/%j%W%H(B

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

fwcmd ="/sbin/ipfw -q"

# $B%k!<%k$rA4It<N$F$k(B
${fwcmd} -f flush

###############################
# $B%$%s%?!<%M%C%H!J30!KB&$N%$%s%?!<%U%'!<%9(B
oif="sis0"
onet="ABC.ABC.ABC.ABC/28"
oip="ABC.ABC.ABC.ABC"

# $B%W%i%$%Y!<%H!JFb!KB&$N%$%s%?!<%U%'!<%9(B
iif="vr0"
inet="XYZ.XYZ.XYZ.XYZ/24"
iip="XYZ.XYZ.XYZ.XYZ"

# VPN$BMQ$NAj<j@h%[%9%H(B
trusted_host="DEF.DEF.DEF.DEF"

###############################
# $B%k!<%W%P%C%/$X$N%k!<%k(B
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# $BCGJR2=$5$l$?%Q%1%C%H$rGK4~(B
${fwcmd} add deny all from any to any via ${oif} frag

# NetBIOS$B$rGK4~(B
${fwcmd} add deny udp from any 137-139 to any
${fwcmd} add deny tcp from any 137-139 to any
${fwcmd} add deny udp from any to any 137-139
${fwcmd} add deny tcp from any to any 137-139

# $B56Au$5$l$?%Q%1%C%H$rGK4~(B
${fwcmd} add deny all from ${inet} to any in via ${oif}
${fwcmd} add deny all from ${onet} to any in via ${iif}

# $B%W%i%$%Y!<%H%"%I%l%9$d%^%k%A%-%c%9%H$J$I$NGK4~(B
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0./12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0./16 via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

#######################################
# NAT
${fwcmd} add divert natd all from any to any via ${natd_interfaces}

# $B%W%i%$%Y!<%H%"%I%l%9$d%^%k%A%-%c%9%H$J$I$NGK4~(B
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# $B@\B35v2D$5$l$?(BTCP$B%Q%1%C%H$r5v2D(B
${fwcmd} add pass tcp from any to any established

# VPN$BMQ%Q%1%C%H%U%#%k%?%j%s%0%k!<%k(B
${fwcmd} add pass all from ${trusted_host} to ${oip} setup
${fwcmd} add pass all from ${oip} to ${trusted_host} setup
${fwcmd} add pass all from ${trusted_host} to ${oip}
${fwcmd} add pass all from ${oip} to ${trusted_host}

# $B30It$+$i$N(BSSH$B$N@\B33+;O$r5v2D(B
${fwcmd} add pass tcp from any to any ${oip} 22 setup

# Allow setup of any other TCP connection
${fwcmd} add allow tcp from any to any out xmit ${oif} setup

# $BFbB&%$%s%?!<%U%'!<%9$OA4$F$N%Q%1%C%H$rDL$7$^$9(B
${fwcmd} add allow all from any to any via ${iif}

# $B$=$l0J30$N30B&$+$i$N#T#C#P@\B3$r5qH]$7!"%m%0$K;D$9(B
${fwcmd} add deny log tcp from any to any in via ${oif} setup

$B0J>e(B

-- 
株式会社ネットウィン
野口　健太
noguchi@netw.co.jp
