From owner-FreeBSD-users-jp@jp.FreeBSD.org Fri Mar 22 11:17:19 2002
Message-Id: <200203220217.AA00715@polymer5.scphys.kyoto-u.ac.jp>
From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Date: Fri, 22 Mar 2002 11:17:15 +0900
To: FreeBSD-users-jp@jp.FreeBSD.org
In-Reply-To: <867kowwdym.wl@chrysanthe.oikumene.gcd.org>
References: <867kowwdym.wl@chrysanthe.oikumene.gcd.org>
Subject: [FreeBSD-users-jp 67740] Re: Please recommend a natd + ipfw configuration

$B$3$s$K$A$O!"$D$k$?$K$G$9!#(B

 $B$($i$/$U$k$$OC$G?=$7Lu$"$j$^$;$s$,!"$d$C$H3NG'$9$k;~4V$,(B
$B$H$l$?$N$G!"Js9p$7$^$9!#(B

"Masuda,Masashi" <mmasuda@ba2.so-net.ne.jp> wrote:

> Have you tried firewall_type="natd"?

($B>/$J$/$H$b:G6a$O(B)$B8z$$$F$J$$$H;W$$$^$9!#(B

Yuki Yamamoto <yuki1scp@mbox.nc.kyushu-u.ac.jp> wrote:

> natd_flags="-d yes"

 $B$3$l(B + firewall_script="/etc/rc.firewall" + firewall_type="SIMPLE"
$B$G$OFbIt$+$i30It$X$ODL$j$^$;$s$G$7$?!#(B
 nat$BH"$G$N$=$NB>$N(Bdaemon$B$X$N@\B3$b$G$-$J$$$h$&$G$7$?!#(B

Hiroo Ono <hiroo@oikumene.gcd.org> wrote:

> > firewall_type="OPEN"
> 
> I think it is easier when upgrading FreeBSD to change the above to
>   firewall_type="/etc/SOME_FILE_NAME"
> and write the ipfw rules in /etc/SOME_FILE_NAME.

$B$C$F$3$H$bF'$^$(!"<j$r2C$($k$3$H$K$7$^$7$?!#(B
$B%k!<%k$NItJ,$O!"(B

# Loopback: allow lo0, drop anything else that claims 127/8
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
# Interfaces and addresses (aaa.bbb.0.0/16 is the outer network as posted)
oif="ed0"
onet="aaa.bbb.0.0"
omask="255.255.0.0"
oip="aaa.bbb.0.2"
iif="ed1"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"
# Anti-spoofing: inner addresses may not arrive on the outer interface, and vice versa
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Before NAT: nothing addressed to private or reserved ranges crosses the outer
# interface, and packets arriving from outside already addressed to the inner net are dropped
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
${fwcmd} add deny all from any to ${inet}:${imask} in via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Hand everything on the natd interface to natd; the translated packet continues at the next rule
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add divert natd all from any to any via ${natd_interface}
	fi
	;;
esac
# After NAT: nothing with a private or reserved source may cross the outer interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add pass ip from any to any

$B$C$F$3$H$G!"FbIt$+$i30It$,LdBj$J$/DL$k$h$&$K$7$^$7$?!#(B
$B30It$+$iD>@\FbIt!"$C$F$N$O!"(B
${fwcmd} add deny all from any to ${inet}:${imask} in via ${oif}
$B$GMn$H$9$3$H$K$7$^$7$?!#(B
$B$H$j$"$($:!"$3$l$G$&$^$/$$$C$F$$$k$h$&$G$9!#(B
$B$"$j$,$H$&$4$6$$$^$7$?!#(B

-- 
$BDaC+!!D><y(B@$B9bJ,;RJ*M}(B.$BJ*M}Bh0l(B.$B5~ETBg(B
E-mail: turutani@scphys.kyoto-u.ac.jp
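Added illustration (not the poster's code): a small Python model of ipfw's first-match evaluation around the `divert natd` rule, using constructed addresses (203.0.113.0/24 in place of aaa.bbb.0.0/16, 192.168.0.5 as the inside host) and only the rules that matter for the ordering. It shows why the inbound deny-to-inner-net rule belongs before the divert: there it drops packets arriving from outside already addressed to the inner net while NAT replies to oip still pass, whereas the same rule placed after the divert would also drop those replies.

```python
# Added example (not the poster's code): first-match model of the post's ipfw/natd ordering.
import ipaddress

OIF = "ed0"                                          # outer interface, as in the post
OIP = ipaddress.ip_address("203.0.113.2")            # oip; 203.0.113.0/24 stands in for aaa.bbb.0.0
INET = ipaddress.ip_network("192.168.0.0/24")        # inet/imask from the post
INSIDE_HOST = ipaddress.ip_address("192.168.0.5")    # constructed: the host behind the NAT

def rule(action, src="any", dst="any", direction=None, via=None):
    return {"action": action, "src": src, "dst": dst, "dir": direction, "via": via}

def matches(r, pkt):
    addr_ok = lambda spec, ip: spec == "any" or ip in ipaddress.ip_network(spec)
    return (addr_ok(r["src"], pkt["src"]) and addr_ok(r["dst"], pkt["dst"])
            and r["dir"] in (None, pkt["dir"]) and r["via"] in (None, pkt["via"]))

def natd(pkt):
    """Stand-in for natd: masquerade outbound traffic, un-NAT inbound replies sent to oip."""
    p = dict(pkt)
    if pkt["dir"] == "out":
        p["src"] = OIP
    elif pkt["dst"] == OIP:
        p["dst"] = INSIDE_HOST
    return p

def evaluate(rules, pkt):
    """Walk rules in order; a matching divert rewrites the packet and evaluation resumes at the next rule."""
    for i, r in enumerate(rules):
        if not matches(r, pkt):
            continue
        if r["action"] == "divert":
            pkt = natd(pkt)
            continue
        return r["action"], i, pkt
    return "deny", len(rules), pkt                   # ipfw's implicit default deny

def packet(src, dst, direction, via):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dir": direction, "via": via}

ANTI_SPOOF = rule("deny", dst=str(INET), direction="in", via=OIF)   # deny all from any to inet in via oif
DIVERT = rule("divert", via=OIF)                                    # divert natd all from any to any via oif
NO_PRIVATE_SRC = rule("deny", src="192.168.0.0/16", via=OIF)        # post-NAT deny of private sources
PASS_ALL = rule("pass")                                             # pass ip from any to any
POSTED_ORDER = [ANTI_SPOOF, DIVERT, NO_PRIVATE_SRC, PASS_ALL]        # the ordering in the post
LATE_ANTI_SPOOF = [DIVERT, ANTI_SPOOF, NO_PRIVATE_SRC, PASS_ALL]     # same rule placed after the divert

OUTBOUND = packet("192.168.0.5", "198.51.100.9", "out", OIF)      # inside -> outside (constructed)
REPLY = packet("198.51.100.9", "203.0.113.2", "in", OIF)          # the reply, addressed to oip
DIRECT_TO_INSIDE = packet("198.51.100.9", "192.168.0.5", "in", OIF)  # outside -> inner address directly
```

Under POSTED_ORDER the outbound packet leaves with its source rewritten to oip and the reply is un-NATted and passed, while DIRECT_TO_INSIDE is denied by rule 0; under LATE_ANTI_SPOOF the reply is denied at rule 1 because the divert has already rewritten its destination into the inner net.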
