IPFilter-related thread
2: 1
○ Official
URL link (coombs.anu.edu.au)
○ HowTo, links, etc.
URL link (www.obfuscation.org)
3: Anonymous@Full Stomach.
What's with the "kamoyon"?
4: Anonymous@Full Stomach.
Well, it's still somewhat better than a pointless giant ASCII art...
5:
Is it all right to talk about SunScreen here too?
6: Anonymous@Full Stomach.
Well, starting a thread like this on the Security board, where there's nothing but Windows-specific talk, is pointless anyway.
7: Anonymous@Full Stomach.
Still, at least while the thread is new, how about posting some material to get it going? >>1
8: Anonymous@Full Stomach.
specific?
9:
What's "talk limited to window size" supposed to mean?
Are you going to overflow it and pull off something clever?
10: Anonymous@Full Stomach.
I'll just paste this here.
URL link (www.wakhok.ac.jp)
11: Anonymous@Full Stomach.
Well known?
URL link (www.tac.tsukuba.ac.jp)
12: keep flags
There was a time I spent a whole day rewriting and re-testing rules without figuring out what was causing the error.
13: Anonymous@Full Stomach.
Compared with FreeBSD's ipfw, which one comes out ahead?
14: Anonymous@Full Stomach.
If you're doing NAT, ipfilter performs better.
However, at my place ipfilter drops streaming.
15: Anonymous@Full Stomach.
Linux's netfilter is better after all, isn't it.
But with ipfilter on FreeBSD, being able to drive it directly from C is appealing.
16: Anonymous@Full Stomach.
>>15
Could you explain what exactly is better about it?
17: Anonymous@Full Stomach.
keep frags
18: Anonymous@Full Stomach.
>>13
"It allows finer control than IPFW"
is what it said at >>11.
19: Anonymous@Full Stomach.
>>14
I'm using IPF+IPNAT (NetBSD 1.6) on the NAT box that connects over PPPoE (FLET'S), and streaming drops at my place sometimes too.
But it never happened when I was on YBB, and writing mmsclamp in IPNAT didn't help either, so maybe there's some other cause???
20: This is pretty good
return-icmp-as-dest(port-unr)
21: Anonymous@Full Stomach.
>>20
Does that mean it sends back Host Unreachable?
22: Anonymous@Full Stomach.
>>13
I'm on an unnumbered connection so I don't need NAT, and I do bandwidth limiting, so ipfw.
23: Anonymous@Full Stomach.
>>16
Examples of things that are easy to do with Linux/Netfilter
(1) Accept only packets arriving Monday through Friday, 8:00 to 18:00
# iptables -A INPUT -m time --timestart 8:00 \
--timestop 18:00 \
--days Mon,Tue,Wed,Thu,Fri -j ACCEPT
(2) Limit the number of concurrently established HTTP connections from a single IP address to 4
# iptables -A INPUT -p tcp --syn --dport http \
-m iplimit --iplimit-above 4 -j REJECT
(3) Various conditions (just a few examples)
--uid-owner userid
Matches the effective user id (numeric) of the process that generated the packet
--gid-owner groupid
Matches the effective group id (numeric) of the process that generated the packet
--pid-owner processid
Matches the process id of the process that generated the packet
--sid-owner sessionid
Matches the session group of the process that generated the packet
--limit n
Specifies the maximum average number of matches allowed per unit of time.
--limit-burst n
Specifies the maximum burst before the limit starts to act (the tolerated factor of sudden increase, as a multiple of the average rate)
24: Anonymous@Full Stomach.
>>23
That much, a BSD user just builds into the application.
25: Anonymous@Full Stomach.
>>24
> That much, a BSD user just builds into the application.
D e s p e r a t e, a r e n ' t  y o u .
26: Anonymous@Emacs
>>24
I think 1 is better done with cron, but the others look a bit hard.
I have a feeling netnice could do it. Never used it, though.
URL link (www.asahikawa.wide.ad.jp)
27: Anonymous@Karaage yum-yum
Control by uid/gid can be done with ipfw too. I don't think ipfilter could, though.
28: Anonymous@Full Stomach.
For those of you doing NAT over PPPoE, how are you dealing with the MSS black hole problem?
Adjusting the MTU on every machine after all?
29: Anonymous@Full Stomach.
pf is enough
30: Anonymous@Full Stomach.
>>28
Write mmsclamp in ipnat.conf. It still isn't perfect, though...
As a last resort, ask the administrators of the routers along the path to please read RFC 2923
and get them to change the ICMP settings on their routers; I don't think there's any other way...
31: 30
I made a mistake
mmsclamp > mssclamp
32: Anonymous@Full Stomach.
ipfstat -t, love it
33: Anonymous@Full Stomach.
>>23
Thanks
1) can't be done.
2) I've never actually tried it, but I think ipfw2 can do it.
34: every 3-5 minutes
>>21
That's
block return-icmp-as-dest(host-unr)
right?
35: every 3-5 minutes
The block was unnecessary, wasn't it.
36: Anonymous@Full Stomach.
I'm thinking of driving it directly from C.
On FreeBSD 4.7-RELEASE, running "man 4 ipf" shows
#include <netinet/ip_compat.h>
#include <netinet/ip_fil.h>
and so on, but these header files are not on the system.
I think they need to be installed separately, but which package would that be?
37: Anonymous@Full Stomach.
>>36
They'd better be there by default...
Use cvsup to bring it up to 4.7-RELEASE-p3 and do make installworld.
38: Anonymous@Full Stomach.
>>37
Thanks for the quick advice.
I had fetched IPFilter and forced the include paths through, but felt something was off, so I posted.
This will be my first time using cvsup. Looking forward to it~
39: Anonymous@Full Stomach.
>>23 For (1), is it computing the day of the week inside the kernel? That feels like overkill. (2) and (3) are neat. But ipfilter has so many ifdefs that I can't bring myself to hack on it :-(
40: Anonymous@Full Stomach.
cvsup hasn't been able to connect since noon; is it a problem that my machine is behind NAT??
Same with cvsup2.
Connecting to cvsup4.jp.freebsd.org
Connected to cvsup4.jp.freebsd.org
Server software version: SNAP_16_1f
Negotiating file attribute support
Exchanging collection information
Establishing passive-mode data connection
Cannot connect to data port: Connection refused
Will retry at 18:16:05
41: Anonymous@Full Stomach.
>>39
Linux/Netfilter even has things like matching on data inside the packet.
But it can't be used in place of an IDS.
It checks packet by packet, so fragmented traffic slips right through.
Developing whatever you feel like is the Linux style, so all sorts of things turn up.
42: Anonymous@Full Stomach.
I'm behind two layers of NAT, but I just updated from cvsup2 a moment ago.
Is port 5999 (was it?) open?
43: Anonymous@Full Stomach.
>>42
All ports from inside to outside are open, but from outside to inside only return packets get through (stateful FW).
Is this going to turn into something messy like FTP?
I'll try tcpdump for now.
44: 43
>>42
Updating from cvsup2 right now :)))
No idea why it didn't work earlier.
45: Anonymous@Full Stomach.
Something I've always wondered:
why are ipfilter rules last-match?? (there are quick rules, but still)
Algorithmically too, every rule has to be checked for every packet,
which I'd think makes it slow.
# Setting aside which is easier or harder to understand.
46: 14
Looked at URL link (home.earthlink.net) and
net.inet.tcp.recvspace: 57344 -> 32768
‚É‚µ‚Ă݂½BƒKƒ“ƒ_ƒ€(ŽŽs‰ñ”ˆê‰ñ)Ø‚ê‚È‚©‚Á‚½B
47:–¼–³‚µ‚³‚ñ—‚¨• ‚¢‚Á‚Ï‚¢B
NG NG.net
>>46
ƒTƒ“ƒNƒXB
‚¿‚Ȃ݂Émss‚Í‚¢‚‚‚ɂµ‚Ä‚éH 1414? 1412?
48:–¼–³‚µ‚³‚ñ—‚¨• ‚¢‚Á‚Ï‚¢B
NG NG.net
Å‹ß‚Æ‚Ä‚à‚¤‚´‚Š´‚¶‚邿‚¤‚ɂȂÁ‚Ä‚«‚½ŠØ‘‚â’†‘‚©‚ç“Í‚‘å—ʂ̃pƒPƒbƒg‚ðŽÕ’f‚µ‚½‚¢‚ñ‚Å‚·‚ªA‚±‚ñ‚ÈŠ´‚¶‚ÅOK‚Å‚·‚©H
xx0 <= wan‘¤nic
block in quick on xx0 proto tcp from aaa.aaa.aaa.aaa/aa to any flags S/S
block in quick on xx0 proto tcp from bbb.bbb.bbb.bbb/bb to any flags S/S
<snip>
block in on xx0 proto udp from any to any
pass in on xx0 proto udp from any to any port=*** #(list only the UDP ports that are needed)
49: 14
Sorry, tried again and it dropped after all.
50: Anonymous@Full Stomach.
>>48
If the logs are annoying, you could do something like log level local1.debug.
Though having no logs at all seems scary in its own way.
If you want to refuse incoming HTTP and the like, wouldn't flags S/S be unnecessary?
51: Anonymous@Full Stomach.
>>50
I have rules that also log certain ports, but since that isn't directly related to the goal itself, I left it out of the sample.
Also, what I find annoying isn't the logs as such; it's that about 90% of the packets sent out by weird worms come from those two, and the psychological fatigue and unease that causes.
>If you want to refuse incoming HTTP and the like, wouldn't flags S/S be unnecessary?
But without the flags it refuses even the ACKs, so I can't view their web pages.
Though maybe flags S instead of flags S/S would be fine.
52: Anonymous@Full Stomach.
>>51
Could it be that you aren't using the stateful inspection feature?
pass out quick proto tcp from any to any flags S/SA keep state keep frags
53: Yamazaki Wataru
(^^)
54: Anonymous@Full Stomach.
>>52
Ah, so there's that approach.
The 60-second rule makes me a little uneasy (can it be changed?), but I'll give it a try...
Having tried it, it seems just tacking it onto my existing rules causes problems,
so it looks like I'll have to rebuild the rule set from scratch.
55: Anonymous@Full Stomach.
On FreeBSD 4-STABLE,
I'm trying to do UPnP with ipnat and ports/net/linuxigd,
but when upnpd crashes or WinXP goes down,
unneeded redirect rules sometimes get left behind.
It would be nice if there were a simple, clean way to handle this;
has anyone put any countermeasures in place?
56: Anonymous@Full Stomach.
Is it not allowed to write S/SA as S/AS?
57: age
age
58: Anonymous@Full Stomach.
1 #! /sbin/ipf -Fa -Z -f
1 #pass in quick all
1 #pass out quick all
1 block in log quick from any to any with ipopts
1 block in log quick from any to any with short
1 #
1 # rules on lo0
1 #
1 pass in quick on lo0 all
1 pass out quick on lo0 all
1 #
1 # rules for icmp packets
1 #
1 block in on fxp0 proto icmp all
1 block out on fxp0 proto icmp all
1 pass in on fxp0 proto icmp all
1 pass out on fxp0 proto icmp all
1 #
1 # rules for tcp packets
1 #
1 block in log on fxp0 proto tcp all
1 block out log on fxp0 proto tcp all
1 pass in quick on fxp0 proto tcp all flags A/A
1 #lpr
1 pass in quick on fxp0 proto tcp from any to any port = 515 flags S/SA
59: Anonymous@Full Stomach.
1 #afpd
1 pass in quick on fxp0 proto tcp from any to any port = 548 flags S/SA
1 #windows network
1 pass in quick on fxp0 proto tcp from any to any port 136 >< 140 flags S/SA
1 pass in quick on fxp0 proto tcp from any port 136 >< 140 to any flags S/SA
1 #
1 # rules for udp packets
1 #
1 block in log on fxp0 proto udp all
1 block out log on fxp0 proto udp all
1 #DNS
1 pass in quick on fxp0 proto udp from any port = 53 to any
1 pass out quick on fxp0 proto udp from any to any port = 53
1 #ntp
1 pass in quick on fxp0 proto udp from any port = 123 to any
1 pass out quick on fxp0 proto udp from any to any port = 123
1 #windows network
1 pass in quick on fxp0 proto udp from any to any port 136 >< 140
1 pass in quick on fxp0 proto udp from any port 136 >< 140 to any
1 pass out quick on fxp0 proto udp from any to any port 136 >< 140
1 pass out quick on fxp0 proto udp from any port 136 >< 140 to any
60: Anonymous@Full Stomach.
A first draft
I wrote it up quickly
If someone corrects the mistakes, it gives this thread some material too
and my PC gets hardened as well, two birds with one stone
First, self-critique: opening 137-139 is a fundamental mistake
61: (deleted)
62: 60
>1 block in on fxp0 proto icmp all
>1 block out on fxp0 proto icmp all
>1 pass in on fxp0 proto icmp all
>1 pass out on fxp0 proto icmp all
>
?
Ignore the 1 at the start of each line
63: (deleted)
64: Anonymous@Full Stomach.
> block in on fxp0 proto icmp all
> block out on fxp0 proto icmp all
> pass in on fxp0 proto icmp all
> pass out on fxp0 proto icmp all
The block is meaningless
65: Anonymous@Full Stomach.
I'm trying to run Winny on the LAN with FreeBSD as the router (ipnat),
but it isn't working. Please advise...
The net side (fxp0) is PPPoE (FLET'S); on the LAN side (fxp1 192.168.0.1)
a Windows machine (192.168.0.2) is connected.
ipf.rules is
pass in quick proto tcp from any to 192.168.0.2 port = 7743
pass in quick proto tcp from any to 192.168.0.2 port = 7744
pass in quick all
pass out quick all
ipnat is
map pppoe0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map pppoe0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
map pppoe0 192.168.0.1/24 -> 0/32
but even with this I still get the port warning...... (;´Д`)
66: Anonymous@Full Stomach.
Winny users shouldn't bother with filters. Go direct to the internet, wide open.
67: Anonymous@Full Stomach.
For whatever reason, I made the gateway of my home LAN Solaris 8 (x86).
Naturally I set it up for NAT, but the only software that can do NAT is "SunScreen" and "ipf".
I installed ipf, which looked easy at first glance, but it gave me a lot of trouble.
FTP from LAN -> outside doesn't go through.
I tried ftp-proxy and all sorts of things, but
when my main Debian client connected out with apt-get,
the Solaris NAT box would actually hang.
I dropped ipf to an older version that seemed stable,
and made ipf.conf say "you don't need to do anything".
On top of that I wrote a setting in ipnat.conf to forward only www and ftp
to the server machine on the LAN, and it finally stabilized.
FTP to the outside only works in passive mode, but
for the cases where it's really needed
I compromised by digging an ssh tunnel to the router.
68: 67
# Solaris (x86) router configuration
# ipfstat -i
pass in quick on rf0 from any to any
pass in quick on ni0 from any to any
pass in quick on lo0 from any to any
# ipnat -l
map ni0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map ni0 192.168.0.0/24 -> 0.0.0.0/32
rdr ni0 0.0.0.0/0 port 80 -> 192.168.0.253 port 80 tcp //for the web server on the LAN
rdr ni0 0.0.0.0/0 port 20 -> 192.168.0.253 port 20 tcp //the following are for the ftp server on the LAN
rdr ni0 0.0.0.0/0 port 21 -> 192.168.0.253 port 21 tcp
rdr ni0 0.0.0.0/0 port 30011 -> 192.168.0.253 port 30011 tcp
rdr ni0 0.0.0.0/0 port 30012 -> 192.168.0.253 port 30012 tcp
rdr ni0 0.0.0.0/0 port 30013 -> 192.168.0.253 port 30013 tcp //passive ports for the ftp server on the LAN (30011-30080)
...
rdr ni0 0.0.0.0/0 port 30080 -> 192.168.0.253 port 30080 tcp
# ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
32768
65535
# Debian configuration
$ cat /etc/apt/apt.conf
ftp
{
Passive "true";
};
69: 67
# ipf version
$ pkginfo -l ipf
PKGINST: ipf
NAME: IP Filter
CATEGORY: system
ARCH: i386(32-bit)
VERSION: 3.3.22
VENDOR: Darren Reed
DESC: This package contains tools for building a firewall
INSTDATE: Jan 29 2003 13:07
EMAIL: darrenr@pobox.com
STATUS: completely installed
FILES: 75 installed pathnames
11 shared pathnames
1 linked files
21 directories
10 executables
1214 blocks used (approx)
A bit worried whether the ftp server on the LAN is properly reachable from outside.
If anyone would be so kind, please test it
ftp URL link (lev.ii2.cc)
70: Anonymous@Full Stomach.
>>67
I'm a beginner, but could you help me?
Compiling ipfilter on Solaris 8 (x86) gives errors.
It's 3.4.31.
Which version are you using?
71: Anonymous@Full Stomach.
Sigh.
Before configure came along, compile errors in free software were just a given.
72: 67
>>70
I'm an amateur too, but
for both 3.4.31 and 3.3.22 I compiled with SFWgcc
# pkginfo -l SFWgcc | grep VERSION
VERSION: 2.95.3,REV=2001.11.28.08.39
(that version).
The ncurses headers from SFWncur seemed to conflict with the standard Solaris curses headers,
so I did pkgrm SFWncur just while compiling, and that worked.
And, a follow-up to my earlier report:
after swapping/adjusting the NIC to a Realtek with Realtek's own driver (rtls), it no longer hangs even with rules set.
Apparently the cause wasn't ipf but the NIC (plus the non-official driver).
The messages Solaris emitted just before dying ↓
[ID 503123 kern.warning] WARNING: rf0: transmit timeout,cr: d<RE,TE,BUFE>, isr: 0, msr: 8<SPEED_10>
[ID 252603 kern.notice] rf0: tx-list: head:-19 tail:-15
73: 67
It's currently running fine with rules like the following.
pass in quick on lo0 from any to any
pass in quick on rtls0 from any to any
block in log on rtls1 from any to any
block in log quick on rtls1 from 127.0.0.0/8 to any
block in log quick on rtls1 from 192.168.0.0/24 to any
block in log quick on rtls1 from any to any with opt lsrr
block in log quick on rtls1 from any to any with opt ssrr
block in log quick on rtls1 proto tcp from any to any with short
pass in quick on rtls1 proto tcp from any to any port = 20 flags S/SA keep state
pass in quick on rtls1 proto tcp from any to any port = 21 flags S/SA keep state
pass in quick on rtls1 proto tcp from any to any port = 22 flags S/SA keep state
pass in quick on rtls1 proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on rtls1 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on rtls1 proto tcp from any to any port = 113 flags S/SA keep state
pass in quick on rtls1 proto tcp from any to any port 30010 >< 30081 flags S/SA keep state
pass in quick proto icmp from any to any icmp-type echorep
pass in quick proto icmp from any to any icmp-type unreach
pass in quick proto icmp from any to any icmp-type squench
pass in quick proto icmp from any to any icmp-type echo
pass in quick proto icmp from any to any icmp-type timex
Also, adding the line below at the top of ipnat.conf made FTP in normal (active) mode work from inside the LAN.
map rtls1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
Sorry for all the copy-paste. Withdrawing.
74: Anonymous@Full Stomach.
If you're doing keep state you're usually looking at port numbers,
and in that case I think you should add keep frags as well.
75: Anonymous@Full Stomach.
>>74
Thank you for the guidance.
This time I searched the net for Japanese ipf documentation,
but apart from "IPF.KANJI", which is also included in the tarball,
I could only find fragmentary configuration examples.
For anything properly explained, it seems you have to read the English at
URL link (coombs.anu.edu.au)
URL link (www.unixcircle.com)
or thereabouts,
but it seems hard to understand without knowing the structure of an "IP packet" in the first place,
and I couldn't make much sense of it.
[flags] lets you name the URG ACK PSH RST SYN FIN etc. of the "TCP header" from RFC 793 by their initial letter (apparently?)
Specifying only [S] amounts to specifying S/AUPRFS (apparently?)
[S/SA] refers to so-called "established" (apparently?) but doesn't look at "UPRFS" (apparently?)
[keep state] means that if the [first part] of an incoming packet is judged [not suspicious], it's registered in the "state table"
and not checked thereafter (apparently?)
[keep frags] means that when a fragmented packet comes in, the remaining parts are anticipated and let through (apparently?)
...In short, I think I've understood that it's "great".
76: 67
Taking the above into account, the rules came out as follows.
pass in quick on rtls0 from any to any
pass out quick on rtls0 from any to any
pass out quick on rtls1 proto icmp from any to any keep state
pass out quick on rtls1 proto udp from any to any keep state
pass out quick on rtls1 proto tcp from any to any flags S keep state keep frags
block in log on rtls1 from any to any
block in log quick on rtls1 from 127.0.0.0/8 to any
block in log quick on rtls1 from 192.168.0.0/24 to any
block in log quick on rtls1 from any to any with opt lsrr
block in log quick on rtls1 from any to any with opt ssrr
block in log quick on rtls1 proto tcp from any to any with short
pass in quick on rtls1 proto tcp from any to any port = 20 flags S keep state keep frags
pass in quick on rtls1 proto tcp from any to any port = 21 flags S keep state keep frags
pass in quick on rtls1 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on rtls1 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on rtls1 proto tcp from any to any port = 80 flags S keep state keep frags
pass in quick on rtls1 proto tcp from any to any port = 113 flags S keep state keep frags
pass in quick on rtls1 proto tcp from any to any port 30010 >< 30081 flags S keep state keep frags
pass in quick proto icmp from any to any icmp-type echorep
pass in quick proto icmp from any to any icmp-type unreach
pass in quick proto icmp from any to any icmp-type squench
pass in quick proto icmp from any to any icmp-type echo
pass in quick proto icmp from any to any icmp-type timex
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
...It seems to be running fine at first glance, but
if there's anything obviously wrong, please advise again. That's all from me for now;
withdrawing.
77: Anonymous@Full Stomach.
Log with a block rule at the end.
78: 70
>>67
Still getting errors.
- Upgraded SFWgcc to VERSION: 2.95.3 (not REV=2001.11.28.08.39)
- Did pkgrm SFWncur.
Do I need to patch the source?
By the way, where can I look to tell whether it's the SFWncur source?
79: Anonymous@Full Stomach.
>>76
Try using head and group
block in log on rtls1 from any to any head 100
block in log quick from 127.0.0.0/8 to any group 100
....
block in log proto tcp from any to any head 110 group 100
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags group 110
....
something like that
Seeing it summarized like >>75, the growth is heartwarming, (･∀･) Nice!!
80: Anonymous@Full Stomach.
Is it not OK to write S/SA as S/AS?
Syn->
<-AckSyn
Ack->
That's how I learned it, so writing SA feels somehow off....
When I actually tried it, it seems to work without any particular problem, but maybe
I think it's matching the rule when in fact it isn't.
81: Anonymous@Full Stomach.
224 hits
URL link (www.google.com)
4590 hits
URL link (www.google.com)
82: Anonymous@Full Stomach.
>>80
The order doesn't matter at all.
=== common.c ===
char flagset[] = "FSRPAUEC";
u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
TH_ECN, TH_CWR };
``
u_char tcp_flags(flgs, mask, linenum)
``
if (!(t = index(flagset, *s))) {
fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s);
return 0;
}
*fp |= flags[t - flagset];
83: Anonymous@Full Stomach.
A recent magazine wrote it as ACK+SYN
84: Anonymous@Full Stomach.
bump
85: Anonymous@Full Stomach.
IPF got unceremoniously dropped from OpenBSD, poor thing
86: Anonymous@Full Stomach.
>>85
Well, that's because ipf's license was such a sob story
87: Anonymous@Full Stomach.
Is OpenBSD's pf compatible with ipf?
88: never used pf, though
I heard the config file syntax is similar; is that true?
89: Anonymous@Full Stomach.
Similar. pass in quick on tun0 proto tcp from any to any port ssh
Like this, ipf rules can sometimes be written as-is in pf as well.
But pf doesn't have ipf's head and group, and the behavior differs subtly, so it isn't a strict superset.
(the group keyword is used as a condition on the owner of the socket that emitted the packet)
90: 88
>89 Thanks
91: Anonymous@Full Stomach.
If you put a filter on IP, it turns into a packet.
92: Anonymous@Full Stomach.
>>87
If you're using OpenBSD, just use pf. ipf is beside the point.
93: Anonymous@Full Stomach.
Isn't ipf for OpenBSD still maintained over at ipfilter.org?
Well, for ordinary use I do think pf is
easier.
Also, does pf's NAT have all of ipf's NAT features by now?
I seem to remember there were various things
it couldn't do.
94: Anonymous@Full Stomach.
>>93
Well, Theo made that after he blew up at ipf,
so it may lack some features
95: Anonymous@Full Stomach.
>Also, does pf's NAT have all of ipf's NAT features by now?
>I seem to remember there were various things
>it couldn't do.
There's IPv6, isn't there.
96: Anonymous@Full Stomach.
I think pf is more readable and cleaner than ipf.
Actually, looking at ipf's source, it's pretty messy, I feel.
97: Anonymous@Full Stomach.
>>65 Late reply, but...
I'm no expert, but with P2P Winny I think it won't work properly
unless the port mapping is done precisely.
So use rdr in ipnat to forward the port
to the local IP address.
For example,
rdr xxx.xxx.xxx.xxx/32 port yyyyy -> rdr 192.168.0.1 port zzzzz tcp
or something like that.
Try it? ...or maybe you already have...
98: Anonymous@Full Stomach.
>>97
Wrong
>rdr xxx.xxx.xxx.xxx/32 port yyyyy -> rdr 192.168.0.1 port zzzzz tcp
rdr xxx.xxx.xxx.xxx/32 port yyyyy -> 192.168.0.1 port zzzzz tcp
99: Anonymous@Full Stomach.
Does it matter where the rdr lines are written?
Right after map is fine, isn't it...
100: Anonymous@Full Stomach.
>>99
Usually after map, I think, but that's only a matter of appearance.
For NAT, position isn't an issue.
101: Anonymous@Full Stomach.
Can't you hand off port connections wholesale to another host?
Is there no way around writing an rdr for each one?
102: Anonymous@Full Stomach.
>>101
I don't understand what you mean...
103: Anonymous@Emacs
>>101
rdr if x.x.x.x/32 port 0-65535 -> y.y.y.y port 0 tcp/udp
Something like that?
No idea whether that actually works, though...
104: 101
rdr fx0 0.0.0.0/0 port 1025 -> 192.168.0.2 port 1025 tcp
rdr fx0 0.0.0.0/0 port 1026 -> 192.168.0.2 port 1026 tcp
rdr fx0 0.0.0.0/0 port 1027 -> 192.168.0.2 port 1027 tcp
(omitted)
rdr fx0 0.0.0.0/0 port 20000 -> 192.168.0.2 port 20000 tcp
I mean, can't these be written in abbreviated form rather than one line per port?
105: Anonymous@Full Stomach.
I'm no expert, but I looked at the ipf-howto (google it),
and that kind of syntax isn't listed.
Handing everything off seems bad security-wise. I think it's better to keep it minimal.
I mean, doesn't that defeat the point of having IPFilter?
106: Anonymous@Full Stomach.
URL link (www.ietf.org)
How do I drop packets that have the Security Flag described there set?
107: Anonymous@Full Stomach.
>>106
URL link (www.freebsd.org)
108: Anonymous@Full Stomach.
>>101
When I tried to host an online game, I absolutely had to write rdr entries, so I wrote them one line at a time, the same way.
The game manual said "open 2300-2400", so I added a hundred lines to ipnat.conf, one per port, for 2300 through 2400....
It looks ugly; can't it be simplified....
I guess it means people hosting online games shouldn't use ipf+ipnat....
109: Anonymous@Karaage yum-yum
For that kind of thing, rather than writing it by hand,
I'd suggest generating it automatically with a script.
I've never used ipfilter, but would something like this do?
% cat hoge.m4
divert(-1)
define(`forloop',
`pushdef(`$1', `$2')_forloop(`$1', `$2', `$3', `$4')popdef(`$1')')
define(`_forloop',
`$4`'ifelse($1, `$3', ,
`define(`$1', incr($1))_forloop(`$1', `$2', `$3', `$4')')')
divert`'dnl
forloop(`i', 2300, 2400, `rdr fx0 0.0.0.0/0 port i -> 192.168.0.2 port i tcp
')dnl
% m4 hoge.m4
rdr fx0 0.0.0.0/0 port 2300 -> 192.168.0.2 port 2300 tcp
rdr fx0 0.0.0.0/0 port 2301 -> 192.168.0.2 port 2301 tcp
rdr fx0 0.0.0.0/0 port 2302 -> 192.168.0.2 port 2302 tcp
...
The forloop macro is covered in the GNU m4 info documentation.
110: Anonymous@Emacs
For that you do
rdr fx0 0.0.0.0/0 port 2300-2400 -> 192.168.0.2 port 2300 tcp
that's how it's done, I hear
111: Anonymous@Full Stomach.
>>110
Isn't that wrong?
112: Anonymous@Full Stomach.
>>110
All 100 ports would end up on port 2300...
113: 110
Well, take a look at this.
FreeBSD 4.7-STABLE #0: Sat Feb 8 08:14:20 JST 2003
/usr/src/sys/contrib/ip_nat.c
int ip_natin(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
...[[snip snip snip]].....
for (np = rdr_rules[hv]; np; np = np->in_rnext) {
...[[snip snip snip]].....
if ((!np->in_pmin || (np->in_flags & IPN_FILTER) ||
((ntohs(np->in_pmax) >= ntohs(dport)) &&
(ntohs(dport) >= ntohs(np->in_pmin)))))
if ((nat = nat_new(fin, ip, np, NULL, nflags,
NAT_INBOUND))) {
np->in_hits++;
break;
}
114: 110
Filename typo: /usr/src/sys/contrib/ipfilter/netinet/ip_nat.c
115: Yamazaki Wataru
(^^)
116: (deleted)
117: Anonymous@Full Stomach.
age
118: Anonymous@Full Stomach.
Dim-witted me will just stick with ipfw.
119: Anonymous@Full Stomach.
Don't say that, hang in there
120: Anonymous@Full Stomach.
I'll do my best
121: Anonymous@Full Stomach.
Do you like the fried tofu in miso soup?
122: Anonymous@Full Stomach.
block in quick from >>121 to 2ch.net
123: Anonymous@Full Stomach.
>>121
Yes, I love it (heh
124: Anonymous@Full Stomach.
It's clear that I'm badly misunderstanding something, but it doesn't sit right with me that established
is expressed as S/SA (or S/AS).
Syn->
<-AckSyn
Ack->
So, if a connection is established, AckSyn or Ack should be set,
and I can't help feeling it should be expressed as AS/A.
Could someone clear up my misunderstanding?
125: Anonymous@Full Stomach.
>>124
>>80-83
126: Anonymous@Full Stomach.
>>125
No, if you're saying that Syn alone or AckSyn set counts as established, then 80-83 makes sense,
but I'd think Syn alone isn't established (already set up).
Am I completely misunderstanding?
127: Anonymous@Full Stomach.
With flags yyy/xxx, what's masked by xxx is compared against yyy,
so AS/A would never match.
It's just a matter of blocking SYNs from outside, so
  block in quick proto tcp from any to any flags S/SA
  pass in quick proto tcp from any to any
or
  pass in quick proto tcp from any to any flags A/A
  block in quick proto tcp from any to any
is all you have to write.
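A small evaluator, added here as an example (my code, not anything from the thread or from IPFilter itself), for the two semantics these posts turn on: rules are last-match unless quick (>>45, >>62, >>64), and flags X/Y compares the packet's TCP flags masked by Y against X (>>80, >>82, >>127). It uses the FSRPAUEC letter table quoted from common.c in >>82; the packet dictionaries and the handled subset of the rule grammar are my own constructions.

```python
from dataclasses import dataclass

# Letter -> bit table matching the flagset[] quoted from common.c in >>82.
FLAGSET = "FSRPAUEC"
FLAG_BITS = {c: 1 << i for i, c in enumerate(FLAGSET)}


def tcpflags(letters):
    """Bits for a set of flag letters, e.g. tcpflags('SA') for a SYN-ACK."""
    return sum(FLAG_BITS[c] for c in letters)


def parse_flags(spec):
    """'S/SA' -> (flags, mask); letter order within a half does not matter.
    A bare 'S' is compared under the mask FSRPAU (the S/AUPRFS of >>75)."""
    want, _, mask = spec.partition("/")
    return tcpflags(want), tcpflags(mask or "FSRPAU")


@dataclass
class Rule:
    action: str            # 'pass' or 'block'
    direction: str         # 'in' or 'out'
    quick: bool = False
    iface: str = None      # 'on <iface>'
    proto: str = None      # 'proto <tcp|udp|icmp>'
    dport: int = None      # 'port = N' (destination)
    flags: tuple = None    # (flags, mask) from 'flags X/Y'


def parse_rule(line):
    """Subset of the ipf grammar used in this thread; tokens such as
    all / from any to any / log are accepted and ignored."""
    toks = line.split()
    rule = Rule(action=toks[0], direction=toks[1], quick="quick" in toks)
    for i, tok in enumerate(toks):
        if tok == "on":
            rule.iface = toks[i + 1]
        elif tok == "proto":
            rule.proto = toks[i + 1]
        elif tok == "port" and toks[i + 1] == "=":
            rule.dport = int(toks[i + 2])
        elif tok == "flags":
            rule.flags = parse_flags(toks[i + 1])
    return rule


def matches(rule, pkt):
    if rule.direction != pkt["dir"]:
        return False
    for attr in ("iface", "proto", "dport"):
        want = getattr(rule, attr)
        if want is not None and want != pkt.get(attr):
            return False
    if rule.flags is not None:
        want, mask = rule.flags
        # the masked packet flags must equal the wanted flags exactly
        if pkt["proto"] != "tcp" or (pkt["tcpflags"] & mask) != want:
            return False
    return True


def evaluate(rules, pkt, default="pass"):
    """ipf semantics: the LAST matching rule decides, except that a matching
    'quick' rule decides immediately and ends the search."""
    result = default
    for rule in rules:
        if matches(rule, pkt):
            result = rule.action
            if rule.quick:
                break
    return result


def demo():
    # constructed packets arriving on a WAN interface
    syn = {"dir": "in", "iface": "xx0", "proto": "tcp", "tcpflags": tcpflags("S")}
    synack = dict(syn, tcpflags=tcpflags("SA"))
    ack = dict(syn, tcpflags=tcpflags("A"))
    icmp = {"dir": "in", "iface": "fxp0", "proto": "icmp"}
    # >>58's ICMP pair as quoted in >>62/>>64: both rules match and the later
    # 'pass' wins, so the 'block' never takes effect
    icmp_rules = [parse_rule("block in on fxp0 proto icmp all"),
                  parse_rule("pass in on fxp0 proto icmp all")]
    # >>127's two equivalent ways of refusing outside-originated SYNs
    set_a = [parse_rule("block in quick proto tcp from any to any flags S/SA"),
             parse_rule("pass in quick proto tcp from any to any")]
    set_b = [parse_rule("pass in quick proto tcp from any to any flags A/A"),
             parse_rule("block in quick proto tcp from any to any")]
    want, mask = parse_flags("AS/A")   # >>124's guess: S wanted but not masked
    return {
        "icmp_block_is_dead": evaluate(icmp_rules, icmp),
        "set_a": [evaluate(set_a, p) for p in (syn, synack, ack)],
        "set_b": [evaluate(set_b, p) for p in (syn, synack, ack)],
        "S/SA_equals_S/AS": parse_flags("S/SA") == parse_flags("S/AS"),
        "AS/A_ever_matches": any((p["tcpflags"] & mask) == want
                                 for p in (syn, synack, ack)),
    }
```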
128: 126
>>127
Thanks for the explanation. I was indeed badly mistaken.
When I searched earlier, I read a page saying that the S and A written in ipf.conf stand for Syn and Ack,
and that "when you want to write several, join them with /", and I swallowed it whole.
So what's written after the / was a mask.
A very clear explanation; thank you very much.
129: (deleted)
130: Anonymous@Full Stomach.
>>128
Explain it in a bit more detail from the basics, will you.
131: (deleted)
132: Anonymous@Full Stomach.
Read "Mail and Web" at the link in >>10 carefully.
133: Anonymous@Full Stomach.
I thought I had the NAT router finished, but somehow it isn't working well.
I've only checked with web access, but
while 2ch and some other pages load normally, I can't properly access www.yahoo.co.jp and the like.
Looking at the log,
sppp0 @100:18 b img.yahoo.co.jp[211.14.14.240],80 -> 192.168.10.29,2315 PR tcp len 20 40 -R IN
is output, and it seems that images and such from other servers on the page aren't being fetched properly.
In ipf.conf I have
pass in quick proto tcp from any to any flags A/A group 100
written, intending to pass established connections, but it isn't taking effect.
On the PC acting as the router the symptoms are a little milder, so I think the cause is somewhere around NAT,
but it's not as if the router PC shows no symptoms at all either.
ipnat.conf is
map sppp0 192.168.10.0/24 -> xxx.xxx.xxx.xxx/32 proxy port ftp ftp/tcp
map sppp0 192.168.10.0/24 -> xxx.xxx.xxx.xxx/32 portmap tcp/udp 10000:65000
map sppp0 192.168.10.0/24 -> xxx.xxx.xxx.xxx/32
xxx.xxx.xxx.xxx is the IP address of the router PC's outside interface.
It may be something very basic, but could you help me?
134: 110
>>133
map sppp0 192.168.10.0/24 -> xxx.xxx.xxx.xxx/32 proxy port ftp ftp/tcp mssclamp 1414
map sppp0 192.168.10.0/24 -> xxx.xxx.xxx.xxx/32 portmap tcp/udp 10000:65000 mssclamp 1414
map sppp0 192.168.10.0/24 -> xxx.xxx.xxx.xxx/32 mssclamp 1414
How about that?
135: 133
>>134
Thank you, that did it perfectly.
So it's the router PC's MTU minus 20 minus 20.
That never occurred to me at all, and I'd been agonizing over it for about 3 hours.
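What the mssclamp 1414 of >>134 does on the wire, as an added example (my code, not from the thread or from ipnat): the MSS option of a constructed SYN segment is rewritten down to the clamp. The 1414 is taken to be a FLET'S PPPoE MTU of 1454 minus 20 (IP) minus 20 (TCP), the MTU-20-20 of >>135; that MTU value is an assumption, and the TCP checksum fix-up a real NAT performs afterwards is left out.

```python
import struct

# Assumed FLET'S PPPoE path MTU behind the thread's numbers: 1454 bytes.
# The clamp is MTU minus the 20-byte IPv4 header minus the 20-byte TCP
# header, the "MTU-20-20" of >>135.
PPPOE_MTU = 1454
CLAMP = PPPOE_MTU - 20 - 20


def build_segment(src_port, dst_port, flags=0x02, mss=1460):
    """Constructed TCP header (data offset 6 = 24 bytes) carrying a single
    MSS option (kind 2, length 4). Checksum is left at zero."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         6 << 4, flags, 8192, 0, 0)
    return header + struct.pack("!BBH", 2, 4, mss)


def find_mss(segment):
    """Return (offset_of_value, mss) for the MSS option of a SYN segment,
    or None if the segment is not a SYN or carries no well-formed MSS."""
    if len(segment) < 20:
        return None
    doff = (segment[12] >> 4) * 4
    is_syn = segment[13] & 0x02
    if not is_syn or doff <= 20 or len(segment) < doff:
        return None
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= doff:                  # truncated option
            return None
        length = segment[i + 1]
        if length < 2 or i + length > doff:
            return None                    # malformed; leave segment alone
        if kind == 2 and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss(segment, clamp=CLAMP):
    """What 'mssclamp <n>' does: rewrite an MSS larger than n down to n on
    SYN segments. The TCP checksum must then be corrected by the caller
    (ipnat fixes it up; this example does not recompute it)."""
    found = find_mss(segment)
    if found is None:
        return segment
    offset, mss = found
    if mss <= clamp:
        return segment
    out = bytearray(segment)
    out[offset:offset + 2] = struct.pack("!H", clamp)
    return bytes(out)
```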
136: Anonymous@Full Stomach.
How about ipfw2?
137: (deleted)
138: (deleted)
139: Anonymous@Full Stomach.
In netfilter I don't really understand the difference between nat's OUTPUT and filter's OUTPUT;
could someone explain?
Googling it,
nat-OUTPUT: alters locally generated network packets before they are sent
filter-OUTPUT: applies to locally generated network packets
is what it says, but I don't really see the difference between the two.
Looking at the state with iptables, more traffic passes through nat-OUTPUT, so I figure they are different things...
140: Anonymous@Full Stomach.
>>139
Netfilter (iptables) is the wrong board. This should be the thread for IP Filter, the one distributed as ip_fil3.4.32.tar.gz and so on.
I'm not used to Linux's iptables, so I do wish IP Filter supported Linux too...
I believe it supported up to kernel 2.0.x, but was left unmaintained after that...
141: Anonymous@Full Stomach.
You'd probably get answers about iptables more easily on the Linux board
142: Anonymous@Full Stomach.
>>140,141
Before this, I couldn't find any netfilter-related thread on the Linux board,
so I posted the same thing in the Linux board's trivial-questions thread, but nobody answered.
I'll explore the Linux board a bit more and look for a suitable thread.
143: Anonymous@Full Stomach.
How did such an obvious thread escape your notice...
Thread link (linux board)
144: Anonymous@Full Stomach.
>>143
Thank you.
I'm sure I searched the thread list in Firebird (for netfilter, iptables)...
Why didn't I find it... a mystery... or just carelessness on my part...
145: Anonymous@Full Stomach.
>>144
Most residents of this board probably don't use netfilter.
So even if you ask or start a thread, there's a good chance nobody answers.
If you're searching thread titles, the i-mode version used together with w3m works well.
146: (deleted)
147: Anonymous@Full Stomach.
bump
148: Anonymous@Full Stomach.
(･∀･)ﾉ
149: Anonymous@Full Stomach.
ヽ(･∀･)人(･∀･)ノ
150: Anonymous@Full Stomach.
URL link (jbbs.shitaraba.com)
151: Anonymous@Full Stomach.
bump
152: Anonymous@Full Stomach.
Please tell me:
in ipf, what does it mean when something like 0.0.0.0 is written in the address field?
Do 0.0.0.0/0 and 0.0.0.0/32 mean different things?
Also, what does writing just 0 refer to??
153: Anonymous@Full Stomach.
>>152
0.0.0.0/0 compares 0 bits of 0.0.0.0, so it matches any address.
Therefore 0.0.0.0/0 and 1.2.3.4/0 mean the same thing.
0.0.0.0/32 compares all 32 bits of 0.0.0.0, so it matches only 0.0.0.0.
0 as an address is synonymous with 0.0.0.0. That's the behaviour of inet_aton() and the like,
though some libraries can't (or don't) parse it. SEE ALSO inet_aton(3)
Also, 0.0.0.0 can have a special meaning depending on where it's written.
In ipnat.conf, for instance, it gets replaced by the address assigned to the interface. Read the respective man pages for details.
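The bit comparison >>153 describes, as an added example (my code, not from the thread or from ipf), done by hand rather than through a library so the /0 and /32 cases are visible; the bare 0 shorthand is accepted because the platform's inet_aton accepts it.

```python
import socket
import struct


def addr_to_int(text):
    """inet_aton accepts 'a.b.c.d' and the bare '0' shorthand from >>152."""
    return struct.unpack("!I", socket.inet_aton(text))[0]


def prefix_match(addr, spec):
    """ipf-style address test: 'any', 'a.b.c.d' (same as /32) or 'a.b.c.d/n'.
    Only the top n bits are compared, so /0 compares nothing and /32 all."""
    if spec == "any":
        return True
    net, _, bits = spec.partition("/")
    n = int(bits) if bits else 32
    if not 0 <= n <= 32:
        raise ValueError("bad prefix length: " + spec)
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF   # n == 0 gives mask 0
    return (addr_to_int(addr) & mask) == (addr_to_int(net) & mask)
```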
154:152
NG NG.net
‚ ‚肪‚Æ‚¤‚²‚´‚¢‚Ü‚·B
‚Æ‚‚ÉAu...bit•ª‚ð”äŠr‚·‚é‚Ì‚Åv‚Á‚ĂƂ±A
‚à‚â‚à‚₪‚·‚Á‚«‚肵‚Ü‚µ‚½B
155:–¼–³‚µ‚³‚ñ—‚¨• ‚¢‚Á‚Ï‚¢B
NG NG.net
ipf+ipnat‚ðŽg‚Á‚ă‹[ƒ^‚É‚µ‚Ä‚él‚É•·‚«‚½‚¢‚ñ‚¾‚¯‚ÇA
ipf‚̃‹[ƒ‹‚Á‚Ä‚â‚Á‚Ï‚è‘S’Ê‚µ‚µ‚Ä‚é‚ÌH
156:–¼–³‚µ‚³‚ñ—‚¨• ‚¢‚Á‚Ï‚¢B
NG NG.net
>>155
‚¢‚¢‚¦
157:–¼–³‚µ‚³‚ñ—‚¨• ‚¢‚Á‚Ï‚¢B
NG NG.net
>>156
‡d
158:–¼–³‚µ‚³‚ñ—‚¨• ‚¢‚Á‚Ï‚¢B
NG NG.net
•ÛŽç
159: 名無しさん＠お腹いっぱい。
ng0 gets a dynamic global IP address assigned; how should I write an ipfilter rule
to refer to that IP address?
Can I write 0/32, like in an ipnat map?
160: 名無しさん＠お腹いっぱい。
>>159
Wouldn't this do?
block in quick on ng0 proto tcp from any to any port = 123456
Something like that.
161: 名無しさん＠お腹いっぱい。
bump (保守)
162: 名無しさん＠お腹いっぱい。
Set 1 now inactive
What does the number 1 in this mean?
163: 名無しさん＠お腹いっぱい。
>>162
It means rule set 1 was deactivated and rule set 0 was activated.
ipf has two rule sets, 0 and 1, and which one is active
can be switched in an instant.
For example, when you want to throw the rules out and add them all over again,
load the rules into the inactive set and then swap active and inactive:
then, from the firewall's point of view, there is never even a moment without a filter in place.
164: 教えてくんすみません
I edited the log file and saved over it without changing its permissions, and now
the log isn't being written anymore... The environment is NetBSD 1.6.1 with the ipf that ships with it.
In rc.conf I have
ipmon_flags="-D /kubota/kakurei/kanbai/filter.logfile"
and the log file /kubota/kakurei/kanbai/filter.logfile has its permissions set to 777.
Even when I set up a situation that matches a logged rule in ipf.conf and test it,
nothing gets logged. It was logging fine until just a moment ago, and now suddenly this;
I have no idea at all what the cause is. Please help me.
165: 名無しさん＠お腹いっぱい。
Restart ipmon and it will be fixed.
This isn't specific to ipmon; if you know how file opening works on UNIX
it's obvious, but...
What actually happened is that the log kept being written to the old file,
the one that was deleted when you edited and saved it.
(On UNIX a deleted file merely loses its name; as long as
a process still has it open, the file's contents
keep existing.)
With the editor you are using, "save over" apparently isn't
an overwrite at all; it works by saving a new file and then renaming it
into place.
In the first place, the idea of editing a log is a bit odd. It takes away
the point of having a log, so you'd better stop doing that.
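The unlinked-inode behaviour that >>165 describes, reproduced as an added Python example (not code from the thread or from ipmon): a logger keeps its file descriptor open while an "editor" saves over the file by writing a new file and renaming it into place. Entries written after the edit land in the old, now nameless inode (link count 0), the file at the path stays exactly as the editor left it, and reopening by name, which is what restarting ipmon does, sends later entries to the new file. The log file name and entries are constructed for the demonstration.

```python
import os
import shutil
import tempfile

LOG_NAME = "filter.logfile"  # hypothetical name standing in for the ipmon log


def editor_save_over(path, new_text):
    """Mimic an editor's 'save over': write a fresh file and rename it into
    place. The name now refers to a NEW inode; the old inode is unlinked but
    stays alive for as long as some process holds it open."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(new_text)
    os.replace(tmp, path)


def simulate():
    """Run the scenario from the thread in a scratch directory and return
    what the administrator would observe."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, LOG_NAME)

        # The daemon: opens the log once and keeps the descriptor.
        logger = open(path, "a")
        logger.write("1st entry\n")
        logger.flush()
        old_inode = os.fstat(logger.fileno()).st_ino

        # The administrator edits the log and saves over it.
        editor_save_over(path, "trimmed old entry\n")
        new_inode = os.stat(path).st_ino

        # The daemon keeps writing -- into the unlinked inode.
        logger.write("2nd entry (after edit)\n")
        logger.flush()
        orphan = os.fstat(logger.fileno())
        with open(path) as f:
            visible_after_edit = f.read()

        # The fix: reopen by name, which is what restarting ipmon does.
        logger.close()
        logger = open(path, "a")
        logger.write("3rd entry (after reopen)\n")
        logger.close()
        with open(path) as f:
            visible_after_reopen = f.read()

        return {
            "same_inode": new_inode == old_inode,      # False: the name moved
            "orphan_link_count": orphan.st_nlink,      # 0: no name left
            "orphan_size": orphan.st_size,             # both daemon entries
            "visible_after_edit": visible_after_edit,
            "visible_after_reopen": visible_after_reopen,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value!r}")
```

If a log really must be shrunk while the writer is running, truncate it in place (for instance `: > file`), which keeps the inode the writer holds, rather than replacing the file; a writer that did not open the log with O_APPEND will then keep its old offset and leave a run of NUL bytes before its next entry, so the rotation setup shown later in the thread is the better answer.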
166: 名無しさん＠お腹いっぱい。
>>165
Thanks. Restarting it solved the problem. Sorry for my ignorance.
I had left the log file alone for several months, so it had grown huge and
was eating up disk space. I wanted to take a backup and then start a fresh
log file, but it had grown so large that I couldn't even take a backup,
so I gave up on the backup and edited it by pulling out only the parts of the log
that looked important and deleting the rest. Of course I don't do this
as a matter of routine; this one time was a special case brought on by my own negligence.
Anyway, that helped a lot. Thank you very much.
167: 名無しさん＠お腹いっぱい。
Logs are normally set up to rotate automatically.
I'm on NetBSD too, but I send the ipf log out through syslog
and rotate it with newsyslog.
Something like this:
/etc/rc.conf
ipmon=YES ipmon_flags="-s"
/etc/syslog.conf
local0.info /var/log/ipflog
/etc/newsyslog.conf
/var/log/ipflog 640 7 30 * Z
If you want to keep every log, arrange to take
backups periodically.
168: 名無しさん＠お腹いっぱい。
I started with BSD a little while ago, but there don't seem to be any beginner-friendly pages on the web explaining IPF..
It'd be great if someone put up something like a working sample...
There's a working sample right here, bro!
169: 名無しさん＠お腹いっぱい。
Can't mms get through NAT?
Might be the wrong thread. Sorry.
170: 166
>>167
Sorry for the late reply.
Guidance like this is a great help to someone like me.
I'll try it right away. Thank you very much.
171: 名無しさん＠お腹いっぱい。
>>169
Both mms: and rtsp: work through NAT (ipnat) for me without my doing anything special. Why do you ask?
172: 名無しさん＠お腹いっぱい。
Since going from NetBSD 1.6.2 to 2.0, something about ipfilter's behaviour makes no sense to me anymore..
Rules with flags S/SA set don't pass traffic,,
and on reload I get yelled at with ioctl(add/insert rule): No such process.
Yet filtering is still being done properly.
Has the syntax or something changed...(´Д`)
173: 名無しさん＠お腹いっぱい。
>>172
I'm on FreeBSD, so it's probably unrelated, but since going from 5.2 to 5.3 ipf's behaviour makes no sense to me either.
Sometimes traffic passes, sometimes it doesn't.
I haven't changed the rules at all, mind you.
Maybe I'll switch to pf at this point.
174: 1.6.2
pf is the lightweight one, so I'm a little reluctant...
I wonder if the problem is on the ifp side.
175: 名無しさん＠お腹いっぱい。
There's no pf thread, so I'll ask here.
Using pf on FreeBSD 6-current (from around the beginning of December); the connection is PPPoE (ng1) over dc0 via mpd.
I'm puzzled by strange packets destined to a multicast address whose SRC address == my own address.
tcpdump -nei ng1 dst host 239.255.255.250
20:24:58.016297 AF 2 318: IP xxx.xxx.xxx.xxx.55382 > 239.255.255.250.1900: UDP, length: 290
(20 similar log entries)
So they appear to have come in on ng1.
I made a pf rule that matches multicast, and tcpdump -ner /var/log/pflog also shows
20:54:28.012920 rule 15/0(match): pass in on ng1: IP xxx.xxx.xxx.xxx.52327 > 239.255.255.250.1900: UDP, length: 290
(18 similar log entries) ← two fewer.
However, with
tcpdump -ni dc0
20:24:28.759625 PPPoE [ses 0xc11a] IP zzz.zzz.zzz.zzz.80 > xxx.xxx.xxx.xxx.53185: . ack 1542 win 5840
20:24:28.938608 PPPoE [ses 0xc11a] IP xxx.xxx.xxx.xxx.53185 > zzz.zzz.zzz.zzz.80: . ack 16188 win 55293
20:30:01.219286 PPPoE [ses 0xc11a] LCP, Echo-Request (0x09), id 75, Magic-Num 0x00d1b68f, length 8
20:30:01.223649 PPPoE [ses 0xc11a] LCP, Echo-Reply (0x0a), id 75, Magic-Num 0xf8178dc6, length 8
so they did not come from the Internet side.
To be continued...