From owner-FreeBSD-users-jp@jp.freebsd.org  Thu Jul  2 20:38:23 1998
Received: (from daemon@localhost)
	by jaz.jp.freebsd.org (8.8.8+3.0Wbeta13/8.7.3) id UAA09780;
	Thu, 2 Jul 1998 20:38:23 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from yodh.kom.comm.waseda.ac.jp (root@yodh.kom.comm.waseda.ac.jp [133.9.95.20])
	by jaz.jp.freebsd.org (8.8.8+3.0Wbeta13/8.7.3) with ESMTP id UAA09775
	for <FreeBSD-users-jp@jp.freebsd.org>; Thu, 2 Jul 1998 20:38:22 +0900 (JST)
	(envelope-from kiku@kom.comm.waseda.ac.jp)
Received: from kom.comm.waseda.ac.jp (kiku@yodh [133.9.95.20])
	by yodh.kom.comm.waseda.ac.jp (8.8.8/3.6W-yodh) with ESMTP id UAA27706
	for <FreeBSD-users-jp@jp.freebsd.org>; Thu, 2 Jul 1998 20:33:47 +0900 (JST)
Message-Id: <199807021133.UAA27706@yodh.kom.comm.waseda.ac.jp>
To: FreeBSD-users-jp@jp.freebsd.org
X-Mailer: Mew version 1.69 on Emacs 19.28.1 / Mule 2.3
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Thu, 02 Jul 1998 20:33:46 +0900
From: KIKUCHI Shunsuke <kiku@kom.comm.waseda.ac.jp>
Reply-To: FreeBSD-users-jp@jp.freebsd.org
Precedence: bulk
X-Distribute: distribute [version 2.1 (Alpha) patchlevel=24e+ JFUG special]
X-Sequence: FreeBSD-users-jp 30372
Subject: [FreeBSD-users-jp 30372] natd & ipfw
Errors-To: owner-FreeBSD-users-jp@jp.freebsd.org
Sender: owner-FreeBSD-users-jp@jp.freebsd.org

$BAa0pED$N5FCO$H?=$7$^$9!#(B

natd $B$H(B ipfw $B$G$O$^$C$F$$$^$9!#$*=u$12<$5$$!#(B

ML$B$J$I$G0JA0N.$l$?$$$?$h$&$J0lHLE*$J(Bnatd$B$N@_Dj$H$O(B
$B>/!90[$J$kFC<l$JNc$KF~$k$h$&$J$N$G$9$,!"2?$H$b(B
$B$I$&$d$C$F$b%@%a$J$N$G<ALd$5$;$FBW$-$^$9!#(B

$BDL>o$N(B dual home host $B$J%^%7%s$G!"(Bhttp $B$@$1(B
firewall$BFb$N%^%7%s$K%U%)%o!<%I$9$k!"$H$$$&(BNAT$B$r(B
$B9=@.$7$?$$$H9M$($F$$$^$9!#(B

      xxx.xxx.xxx.5/24    yyy.yyy.yyy.5/24    yyy.yyy.yyy.8/24
                +---------+                  +-----------+
Internet -------+ FreeBSD +------------------+ WebServer +
                +---------+                  +-----------+
                  sendmail,                      httpd.
                  dns,
                  squid,
                  telnet,ftp...


$B$H$$$&9=@.$G(B FreeBSD $B%^%7%s$O(B dual home host($B$D$^$j(B
$B%Q%1%C%H%U%)%o!<%G%#%s%0$7$J$$(B) $B$H$7$F5!G=$5$;$k$Y$/!"(B
$B0J2<$N:n6H$r9T$$$^$7$?!#(B

0. natd $B$N$?$a$K(Bkernel$B:F9=C[(B
1. /etc/rc.firewall $B$K%U%#%k%?%j%s%0%k!<%k$r@_Dj(B
2. /etc/natd.conf $B$G(B nat$B$N5,B'$r@_Dj(B
3. rc.conf$B$d3:Ev2U=j$rJQ99$7$F%j%V!<%H(B

$B$H$3$m$,!"(Btelnet,ftp,smtp$B$J$I$$$o$f$k(B dual home host $B$H$7$F(B
$B5!G=$7$FM_$7$$ItJ,$K$D$$$F$OLdBj$J$$$N$G$9$,!"4N?4$N(B
yyy.yyy.yyy.8:80 $B$X$N%"%/%;%9$,DL$j$^$;$s!#(B

$B$*$=$i$/%U%#%k%?%j%s%0$N%k!<%k$,$$$1$J$$$N$@$m$&$H;W$$(B
$B$$$m$$$m;n$7$^$7$?$,$I$&$d$C$F$b$&$^$/9T$-$^$;$s!#(B
$B3'$5$s$NCN7C$r$*B_$72<$5$$!#(B

$B$^$:!"(Bnatd.conf $B$G$9$,!"(B
-----
log			no
deny_incoming		yes
use_sockets		no
same_ports		yes
verbose			no
unregistered_only	yes
redirect_port		tcp yyy,yyy,yyy.8:80 80
redirect_port		udp yyy,yyy,yyy,8:80 80
port			6668
interface		fxp1
-----
$B$H$7$F$$$^$9!#$3$l$K$h$j!"(Bxxx.xxx.xxx.5:80 $B08$N%Q%1%C%H$,(B
yyy.yyy.yyy.8:80 $B08$XJQ49$5$l$k$3$H$r4|BT$7$F$$$^$9!#(B
interface fxp1 $B$O(BInternet$BB&$G$9!#(B

$B4N?4$N!"%U%#%k%?%j%s%0%k!<%k$G$9$,!"(B
-----
01000      64790    7445604 allow ip from any to any via lo0
01010          0          0 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01110      95489   84304911 divert 6668 tcp from any 80 to any via fxp1
01210     101544   10446967 divert 6668 tcp from any to any 80 via fxp1
01310          0          0 divert 6668 udp from any 80 to any via fxp1
01410          0          0 divert 6668 udp from any to any 80 via fxp1
01510     152670   90257626 allow ip from yyy.yyy.yyy.5 to yyy.yyy.yyy.0/24 via fxp0
01610     160852   24483385 allow ip from yyy.yyy.yyy.0/24 to yyy.yyy.yyy.5 via fxp0
01910     140368  107897333 allow ip from any to xxx.xxx.xxx.5 via fxp1
02010     138400   16465038 allow ip from xxx.xxx.xxx.5 to any via fxp1
02310        229      13284 allow ip from any to yyy.yyy.yyy.8
02410        327      66387 allow ip from yyy.yyy.yyy.8 to any
65535      39143    4165116 deny ip from any to any
-----
$B$N$h$&$K$J$C$F$$$^$9!#$3$l$O!"(B ipfw show $B$N=PNO7k2L$G$9!#(B

$B;d$N2r<a$H$7$F$O!"9T$-$O(B

1. 01210     101544   10446967 divert 6668 tcp from any to any 80 via fxp1
   $B$K$h$j!"(Bfxp1$B$+$i$d$C$FMh$?%Q%1%C%H$O!"(Bnatd$B$XAw$i$l$k!#(B

2. natd$B$G08@h%[%9%H$,(B xxx.xxx.xxx.5:80 $B$+$i(B yyy.yyy.yyy.8:80 $B$K(B
   $BJQ49$5$l$k(B

3. 02310        229      13284 allow ip from any to yyy.yyy.yyy.8
   $B$K$h$j!"%Q%1%C%H$,%+!<%M%k$KAw$i$l$k(B

4. $B%Q%1%C%H$O(B fxp0 $B$KAw$i$l(B

5. 02310        229      13284 allow ip from any to yyy.yyy.yyy.8
   $B$K$h$j%Q%1%C%H$,Aw=P$5$l!"(Byyy.yyy.yyy.8 $B$KFO$/(B

$B$G!"(Bweb server $B>e$G=hM}$,9T$o$l!"5"$j$N%Q%1%C%H$,(B

6. 02410        327      66387 allow ip from yyy.yyy.yyy.8 to any
   $B$K$h$j(B yyy.yyy.yyy.8:80 $B$+$i%Q%1%C%H$,FO$-%+!<%M%k$XAw$i$l$k(B

7. $B%+!<%M%kFb$G%Q%1%C%H$,(B fxp1 $B$XAw$i$l(B

8. 01110      95489   84304911 divert 6668 tcp from any 80 to any via fxp1
   $B$K$h$jH/?J85%"%I%l%9$,(B yyy.yyy.yyy.8:80 $B$+$i(Bxxx.xxx.xxx.5$B$KJQ49$5$l$k(B

9. 02010     138400   16465038 allow ip from xxx.xxx.xxx.5 to any via fxp1
   $B$K$h$j(Bxxx.xxx.xxx.5$B$+$i(Bweb$B%/%i%$%"%s%H$K%Q%1%C%H$,FO$/(B

$B$H$J$k$O$:$J$N$G$9$,!"$=$&$O$J$j$^$;$s!#(B

$B<B:]$K!"(B1. 2. $B$^$G$O5!G=$7$F$$$k$3$H$r(B natd -verbose $B$J$I$r;H$C$F(B
$B3N$+$a$i$l$?$N$G$9$,!"JVEz$N%Q%1%C%H$,%/%i%$%"%s%HB&$K5"$C$FMh$^$;$s!#(B

$B2?$,$$$1$J$$$N$G$7$g$&$+!#(B

$B<B$O!"%Q%1%C%H$N=hM}$H(Bnatd$B$K$h$k%"%I%l%9JQ49$,$I$N%?%$%_%s%0$G(B
$B9T$o$l$k$N$+$r!";d$,@5$7$/M}2r$7$F$$$J$$$N$,:,K\E*860x$@$m$&$H(B
$B;W$C$F$$$k$N$G$9$,!"(Bnatd$B$N%^%K%e%"%k$rFI$s$G8+$F$bM}2r$G$-$^$;$s!#(B

$B;d$,?d;!$9$k$K$O!"$^$:308~$-$N%$%s%?%U%'!<%9$+$i%Q%1%C%H$,$d$C$FMh(B
$B$k$H!"(B

1. $B30B&$N%$%s%?%U%'!<%9(B(fxp1)$B$N%-%e!<$KN/$j!"(B
2. $B$=$3$G%U%#%k%?%j%s%0%k!<%k$,E,MQ$5$l!"(B
3. natd$B$rDL$j!"(B
4. $B:F$S%U%#%k%?%j%s%0%k!<%k$,E,MQ$5$l$F!"(B
5. pass$B$9$k$H%+!<%M%kFbIt$KAw$i$l!"(B
6. $B%+!<%M%kFbIt$G%k!<%F%#%s%0$,9T$o$l$F!"(B
7. $BFbB&$N%$%s%?%U%'!<%9(B(fxp0)$B$K%Q%1%C%H$,Aw$i$l!"%-%e!<$KN/$j!"(B
8. $B$=$3$G%U%#%k%?%j%s%0%k!<%k$,E,MQ$5$l$F(B
9. pass $B$9$k$HFbB&$N%M%C%H%o!<%/$KAw=P$5$l$k(B

$B$H$$$&%W%m%;%9$rC)$k$N$@$m$&!"9M$($F$$$^$9!#$=$l$K4p$E$$$F(B
$B%U%#%k%?%j%s%0$N%k!<%k$r=q$$$?$D$b$j$G$9!#(B

$B$I$J$?$+CN7C$r$465<x2<$5$$!#(B
--
KIKUCHI, Shunsuke
WASEDA University
