#
# $Id: ipfw.conf.m4,v 1.3 2003/02/14 15:31:16 candy Exp candy $
#
# ipfw(8) ruleset template, preprocessed with m4(1).  The define()s below
# are the site parameters; the xx/yy/zz addresses are placeholders to be
# filled in before the file is fed to ipfw.  Rules are evaluated in order,
# first match wins, so the position of every line is part of the policy.
#
define(`OIF',fxp0)
define(`OIP',xx.xx.xx.xx)
define(`OUTSIDE',xx.xx.xx.xx:255.255.255.240)
define(`IIF',fxp1)
define(`IIP',yy.yy.yy.yy)
define(`INSIDE',yy.yy.yy.yy:255.255.0.0)
define(`IPV6_PEER1',zz.zz.zz.zz)

## Loopback
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any

## Anti-spoofing: inside addresses must not arrive on the outside interface
## and vice versa.
add deny all from INSIDE to any in via OIF
add deny all from OUTSIDE to any in via IIF

## Private / reserved destination space must never leave via the outside
## interface (evaluated before NAT, so this sees the pre-translation packet).
add deny all from any to 10.0.0.0/8 via OIF
add deny all from any to 172.16.0.0/12 via OIF
add deny all from any to 192.168.0.0/16 via OIF
add deny all from any to 0.0.0.0/8 via OIF
add deny all from any to 169.254.0.0/16 via OIF
add deny all from any to 192.0.2.0/24 via OIF
add deny all from any to 224.0.0.0/4 via OIF
add deny all from any to 240.0.0.0/4 via OIF

## Hand everything on the outside interface to natd(8).
# `divert' is an m4(1) builtin, so it must be quoted with `' here.
add `divert' natd all from any to any via OIF

## Private / reserved source space (checked after NAT, i.e. on the
## translated packet).
add deny all from 10.0.0.0/8 to any via OIF
add deny all from 172.16.0.0/12 to any via OIF
add deny all from 192.168.0.0/16 to any via OIF
add deny all from 0.0.0.0/8 to any via OIF
add deny all from 169.254.0.0/16 to any via OIF
add deny all from 192.0.2.0/24 to any via OIF
add deny all from 224.0.0.0/4 to any via OIF
add deny all from 240.0.0.0/4 to any via OIF

### TCP section
## Transparent HTTP proxy via squid: inside-originated port 80 traffic is
## redirected to squid on IIP:3128.
add fwd IIP,3128 tcp from INSIDE to any 80 in recv IIF # for transparent proxy

## established/frag
# NOTE(review): `established' is a stateless flag match (ACK or RST set);
# any inbound segment carrying ACK passes here, before the "deny ... setup"
# rule below is reached.  keep-state/check-state is the usual tightening.
add pass tcp from any to any established
# NOTE(review): `frag' matches non-initial fragments only.  They carry no
# port information, so none of the port-based rules below can inspect them;
# this line admits them unconditionally.
add pass all from any to any frag

## From outside to this host
add pass tcp from any to OIP 22 setup # SSH
# NOTE(review): the deny list is included *after* the SSH rule, so whatever
# ipfw.deny blocks does not apply to port 22 -- confirm this ordering is
# intended.
include(/usr/local/etc/ipfw.deny)
add pass tcp from any to OIP 25 setup # SMTP
add pass tcp from any to OIP 53 setup # DNS
add pass tcp from any to OIP 80 setup # HTTP
add reset tcp from any to OIP 113 # RST AUTH
# Allow access to the PPTP VPN server.
add pass tcp from any to OIP 1723 in recv OIF setup # PPTP
# GRE is accepted from any source; there is no peer restriction at this layer.
add pass gre from any to OIP in recv OIF # PPTP
add pass gre from OIP to any out xmit OIF # PPTP
# Everything inside the PPTP tunnel (ng0) is passed unfiltered: VPN clients
# are fully trusted by this ruleset.
add pass ip from any to any via ng0 # PPTP

## From outside to inside
# NOTE(review): this matches on the *source* port only, which the remote
# host chooses, so it admits SYNs to any inside port from any host sending
# from port 20.  Active-FTP data via NAT needs this; a stateful outbound
# rule or an FTP proxy is the usual way to narrow it.
add pass tcp from any 20 to INSIDE via OIF setup # NAT'ed FTP data
# Same remark: GRE from any source to any inside host.
add pass gre from any to INSIDE # PPTP from inside to world (NAT'ed)

## From inside to outside
## Deny every other connection attempt coming in from outside
add deny log tcp from any to any in via OIF setup

## Allow all remaining connection setups
# After the OIF deny above this covers host- and inside-originated SYNs;
# SYNs arriving on other interfaces (IIF) also match here.
add pass tcp from any to any setup

### UDP section
## From this host to outside
add pass udp from OIP to any 53 keep-state # DNS
# Replies occasionally fall outside the keep-state dynamic rule, hence this
# static fallback.
# NOTE(review): source port 53 -> OIP *any* port is matched on the source
# port alone; it is a broader opening than the keep-state rule it backs up.
add pass udp from any 53 to OIP # sometimes slips past keep-state
add pass udp from OIP to any 123 keep-state # NTP
add pass udp from OIP to any 161 keep-state # SNMP
add pass udp from OIP 32768-65535 to any 33434-33623 # traceroute (33434 + hop * 3)

## From outside to this host
add pass udp from any to OIP 53 keep-state # DNS
add pass udp from any 32768-65535 to OIP 33434-33623 # traceroute

## From the DMZ to this host
add pass udp from OUTSIDE to OIP 123 keep-state # NTP
# Plain UDP syslog is unauthenticated; the OUTSIDE source restriction plus
# the anti-spoofing rule on IIF is the only check on the sender.
add pass udp from OUTSIDE to OIP 514 # syslog from router

## From inside to outside
add deny udp from INSIDE to any 12000 # Buggy Ultima Online scan
add pass udp from INSIDE to any keep-state

## From outside to inside
# NOTE(review): these three are source-port-only matches (see the FTP rule
# above); they admit UDP from ports 53/123/161 to any inside port.  The
# keep-state rule on inside-originated UDP above should already cover the
# replies -- confirm they are still needed.
add pass udp from any 53 to INSIDE # DNS reply (NAT'ed)
add pass udp from any 123 to INSIDE # NTP reply (NAT'ed)
add pass udp from any 161 to INSIDE # SNMP reply (NAT'ed)

### ICMP section
# 0 = echo reply, 3 = dest unreach, 8 = echo request, 11 = ttl exceed
add pass icmp from any to any icmptypes 0,3,8,11

## Allow IPv6 over IPv4 (protocol 41) with the configured tunnel peer only
add pass ipv6 from OIP to IPV6_PEER1 via OIF
add pass ipv6 from IPV6_PEER1 to OIP via OIF

## Deny everything else (logged)
add deny log all from any to any