Connecting to cvsup4.jp.freebsd.org Connected to cvsup4.jp.freebsd.org Server software version: SNAP_16_1f Negotiating file attribute support Exchanging collection information Establishing passive-mode data connection Cannot connect to data port: Connection refused Will retry at 18:16:05
block in quick on xx0 proto tcp from aaa.aaa.aaa.aaa/aa to any flags S/S block in quick on xx0 proto tcp from bbb.bbb.bbb.bbb/bb to any flags S/S <略> block in on xx0 proto udp from any to any pass in on xx0 proto udp from any to any port=*** #(udpポートは必要なとこだけ記述)
1 #! /sbin/ipf -Fa -Z -f 1 #pass in quick all 1 #pass out quick all 1 block in log quick from any to any with ipopts 1 block in log quick from any to any with short 1 # 1 # rules on lo0 1 # 1 pass in quick on lo0 all 1 pass out quick on lo0 all 1 # 1 # rules for icmp packets 1 # 1 block in on fxp0 proto icmp all 1 block out on fxp0 proto icmp all 1 pass in on fxp0 proto icmp all 1 pass out on fxp0 proto icmp all 1 # 1 # rules for tcp packets 1 # 1 block in log on fxp0 proto tcp all 1 block out log on fxp0 proto tcp all 1 pass in quick on fxp0 proto tcp all flags A/A 1 #lpr 1 pass in quick on fxp0 proto tcp from any to any port = 515 flags S/SA
59 名前:名無しさん@お腹いっぱい。 [03/01/29 06:33]
1 #afpd 1 pass in quick on fxp0 proto tcp from any to any port = 548 flags S/SA 1 #windows network 1 pass in quick on fxp0 proto tcp from any to any port 136 >< 140 flags S/SA 1 pass in quick on fxp0 proto tcp from any port 136 >< 140 to any flags S/SA 1 # 1 # rules for udp packets 1 # 1 block in log on fxp0 proto udp all 1 block out log on fxp0 proto udp all 1 #DNS 1 pass in quick on fxp0 proto udp from any port = 53 to any 1 pass out quick on fxp0 proto udp from any to any port = 53 1 #ntp 1 pass in quick on fxp0 proto udp from any port = 123 to any 1 pass out quick on fxp0 proto udp from any to any port = 123 1 #windows network 1 pass in quick on fxp0 proto udp from any to any port 136 >< 140 1 pass in quick on fxp0 proto udp from any port 136 >< 140 to any 1 pass out quick on fxp0 proto udp from any to any port 136 >< 140 1 pass out quick on fxp0 proto udp from any port 136 >< 140 to any
60 名前:名無しさん@お腹いっぱい。 [03/01/29 06:36]
たたき台 ざっと書いてみた
誰か間違いを修正してくれるとこのスレ的にネタ提供もできるし 漏れのpcも硬くなって一石二丁
とりあえず自分突っ込みで137-139を開いているのは根本的な誤り
61 名前:あぼーん mailto:あぼーん [あぼーん]
あぼーん
62 名前:60 mailto:sage [03/01/29 06:39]
>1 block in on fxp0 proto icmp all >1 block out on fxp0 proto icmp all >1 pass in on fxp0 proto icmp all >1 pass out on fxp0 proto icmp all > ?
行頭の1は無視
63 名前:あぼーん mailto:あぼーん [あぼーん]
あぼーん
64 名前:名無しさん@お腹いっぱい。 mailto:sage [03/01/29 22:03]
> block in on fxp0 proto icmp all > block out on fxp0 proto icmp all > pass in on fxp0 proto icmp all > pass out on fxp0 proto icmp all blockが無意味
65 名前:名無しさん@お腹いっぱい。 mailto:sage [03/01/29 23:25]
FreeBSD をルータ(ipnat)にして LAN で Winny やろうとしてるんですが うまくいきません。ご指南お願いします…
ipf.rules は pass in quick proto tcp from any to 192.168.0.2 port = 7743 pass in quick proto tcp from any to 192.168.0.2 port = 7744 pass in quick all pass out quick all
現在以下のようなルールで快調に動いています。 pass in quick on lo0 from any to any pass in quick on rtls0 from any to any block in log on rtls1 from any to any block in log quick on rtls1 from 127.0.0.0/8 to any block in log quick on rtls1 from 192.168.0.0/24 to any block in log quick on rtls1 from any to any with opt lsrr block in log quick on rtls1 from any to any with opt ssrr block in log quick on rtls1 proto tcp from any to any with short pass in quick on rtls1 proto tcp from any to any port = 20 flags S/SA keep state pass in quick on rtls1 proto tcp from any to any port = 21 flags S/SA keep state pass in quick on rtls1 proto tcp from any to any port = 22 flags S/SA keep state pass in quick on rtls1 proto tcp from any to any port = 25 flags S/SA keep state pass in quick on rtls1 proto tcp from any to any port = 80 flags S/SA keep state pass in quick on rtls1 proto tcp from any to any port = 113 flags S/SA keep state pass in quick on rtls1 proto tcp from any to any port 30010 >< 30081 flags S/SA keep state pass in quick proto icmp from any to any icmp-type echorep pass in quick proto icmp from any to any icmp-type unreach pass in quick proto icmp from any to any icmp-type squench pass in quick proto icmp from any to any icmp-type echo pass in quick proto icmp from any to any icmp-type timex
またipnat.confのてっぺんに↓を追加するとLAN内部から普通のモードでftpできるようになりました。 map rtls1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
コピペばっかでごめんなさいでした。退散。
74 名前:名無しさん@お腹いっぱい。 mailto:sage [03/02/01 02:36]
keep state するんなら大抵 port 番号を見てると思うけど、 その場合は keep frags も足した方がいいと思うよ。
pass in quick on rtls0 from any to any pass out quick on rtls0 from any to any pass out quick on rtls1 proto icmp from any to any keep state pass out quick on rtls1 proto udp from any to any keep state pass out quick on rtls1 proto tcp from any to any flags S keep state keep frags block in log on rtls1 from any to any block in log quick on rtls1 from 127.0.0.0/8 to any block in log quick on rtls1 from 192.168.0.0/24 to any block in log quick on rtls1 from any to any with opt lsrr block in log quick on rtls1 from any to any with opt ssrr block in log quick on rtls1 proto tcp from any to any with short pass in quick on rtls1 proto tcp from any to any port = 20 flags S keep state keep frags pass in quick on rtls1 proto tcp from any to any port = 21 flags S keep state keep frags pass in quick on rtls1 proto tcp from any to any port = 22 flags S keep state keep frags pass in quick on rtls1 proto tcp from any to any port = 25 flags S keep state keep frags pass in quick on rtls1 proto tcp from any to any port = 80 flags S keep state keep fragsいてます。 pass in quick on rtls1 proto tcp from any to any port = 113 flags S keep state keep frags pass in quick on rtls1 proto tcp from any to any port 30010 >< 30081 flags S keep state keep frags pass in quick proto icmp from any to any icmp-type echorep pass in quick proto icmp from any to any icmp-type unreach pass in quick proto icmp from any to any icmp-type squench pass in quick proto icmp from any to any icmp-type echo pass in quick proto icmp from any to any icmp-type timex pass in quick on lo0 from any to any pass out quick on lo0 from any to any
block in log on rtls1 from any to any head 100 block in log quick from 127.0.0.0/8 to any group 100 .... block in log proto tcp from any to any head 110 group 100 pass in quick proto tcp from any to any port = 22 flags S keep state keep frags group 110 .... とかな
NetBSD 1.6.2から2.0にしたらなにやらipfilter周りの挙動が訳わからなく。。 ルールにflags S/SAとか設定してると通らないし,, reloadするとioctl(add/insert rule): No such processとか怒られるし。 でもちゃんとフィルタはされてたり。
ルールは # pfctl -sr scrub in on ng1 all fragment reassemble block return in quick on ng1 from <bann_ip> to any block return in quick on ng1 proto tcp from any to any port = loc-srv block return in quick on ng1 proto tcp from any to any port = netbios-ns block return in quick on ng1 proto tcp from any to any port = netbios-ssn block return in quick on ng1 proto tcp from any to any port = microsoft-ds block return in quick on ng1 proto udp from any to any port = loc-srv block return in quick on ng1 proto udp from any to any port = netbios-ns block return in quick on ng1 proto udp from any to any port = netbios-ssn block return in quick on ng1 proto udp from any to any port = microsoft-ds pass in quick on lo0 all pass in quick on dc1 all pass in all pass out all block return in log on ng1 all pass in log on ng1 inet proto udp from (ng1) to 224.0.0.0/4 pass in on ng1 proto tcp from <office_ip> to (ng1) port = ssh keep state pass out on ng1 proto tcp all keep state pass out on ng1 proto udp all keep state pass out on ng1 proto icmp all keep state block return out on ng1 inet proto udp from any to 224.0.0.0/4 port = 1900 pass in on ng1 inet proto tcp from any to (ng1) user = 62 keep state # pfctl -sn nat on ng1 inet from 192.168.0.0/24 to any -> (ng1) round-robin rdr on dc1 inet proto tcp from any to ! 192.168.0.0/24 port = ftp -> 127.0.0.1 port 8021 と、特に怪しくないはずだけど。pfってまだ駄目?
例えばhttpを見に行きたい場合、 pass in quick proto tcp all flags A/A group 100 pass out quick proto tcp all flags A/A group 150 pass out quick proto tcp from any to any port = 80 flags S/SA group 100 みたいな感じで許可するのと、 pass out quick proto tcp from any to any port = 80 flags S keep state group 100 みたいな感じではどっちが良いでしょうか。
Host name resolution and interface to address translation are done at ruleset load-time. When the address of an interface (or host name) changes (under DHCP or PPP, for instance), the ruleset must be reloaded for the change to be reflected in the kernel. Surrounding the interface name in parentheses changes this behaviour. When the interface name is surrounded by parentheses, the rule is automatically updated whenever the interface changes its address. The ruleset does not need to be reloaded. This is especially useful with nat.
188 名前:名無しさん@お腹いっぱい。 [2005/06/16(木) 03:41:27 ]
age
189 名前:名無しさん@お腹いっぱい。 [2005/08/09(火) 12:25:34 ]
持ち逃げ、捏造、連Q、IMにて暴言、違法ファイル所持、
ユーザ名: MGC ユーザ名: ingomaster サーバ: Inc
IPアドレス 219.104.169.90 ホスト名 ktsk130090.catv.ppp.infoweb.ne.jp IPアドレス 割当国 ※ 日本 (JP) 都道府県 東京都 市外局番 03 接続回線 CATV Domain Information: [ドメイン情報] a. [ドメイン名] INFOWEB.NE.JP b. [ねっとわーくさーびすめい] c. [ネットワークサービス名] InfoWeb d. [Network Service Name] InfoWeb k. [組織種別] ネットワークサービス l. [Organization Type] Network Service m. [登録担当者] KH071JP n. [技術連絡担当者] KN6902JP p. [ネームサーバ] ns.web.ad.jp p. [ネームサーバ] ns2.web.ad.jp p. [ネームサーバ] ns3.web.ad.jp [状態] Connected (2006/01/31) [登録年月日] 1997/01/22 [接続年月日] 1997/01/31 [最終更新] 2005/02/01 01:05:35 (JST)
PF(Packet Filter)でTCP SYN flood攻撃防御のため pass in on $ext_if proto tcp from any to $ext_if port $tcp_sv flags S/SA keep state を、 pass in on $ext_if proto tcp from any to $ext_if port $tcp_sv flags S/SA synproxy state と書いたら弾かれてしまうんですが
# TCP SYN プロキシ synproxy state は、その動作原理から keep state および modulate state の機能も含んでいます。
