From owner-FreeBSD-users-jp@jp.FreeBSD.org Mon Jan 21 10:23:03 2002
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) id g0L1N3c06695;
	Mon, 21 Jan 2002 10:23:03 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from captain.netlinks.co.jp (IDENT:root@captain.netlinks.co.jp [210.196.70.122])
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) with ESMTP/inet id g0L1N2m06690
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Mon, 21 Jan 2002 10:23:02 +0900 (JST)
	(envelope-from ymatsu@netlinks.co.jp)
Received: by captain.netlinks.co.jp (3.7W-MailService) id g0L1N2704574
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Mon, 21 Jan 2002 10:23:02 +0900
Date: Mon, 21 Jan 2002 10:27:27 +0900
From: Matsumoto Yutaka <ymatsu@netlinks.co.jp>
To: FreeBSD users <FreeBSD-users-jp@jp.FreeBSD.org>
Message-Id: <20020121102244.0ACD.YMATSU@netlinks.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver. 2.00.07
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+011218
X-Sequence: FreeBSD-users-jp 66525
Subject: [FreeBSD-users-jp 66525] ipfw + natd goes wrong while running
Errors-To: owner-FreeBSD-users-jp@jp.FreeBSD.org
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: ymatsu@netlinks.co.jp

Matsumoto here, living in Kawasaki City.

This is about ipfw+natd occasionally going wrong.

Setup
Yahoo!BB ADSL -> ADSL Modem -> FW PC (firewall PC) -> Win2000
The FW PC and the Win2000 machine are on local IP addresses;
the FW PC gets its address via DHCP from the Yahoo side.
The FW PC runs ipfw and natd. The configuration files are attached at the end.
The FW PC runs 24 hours a day.

Odd symptoms
When I boot Win2000, it sometimes happens that it can no longer connect
to the outside.
At that time, I can connect from Win2000 to the FW PC with TeraTerm.
However, for some reason, when I type the su command from that terminal, it hangs.
I can get out of it with Ctrl-C. It is the same on the serial terminal (200LX)
connected to the FW PC. On the serial terminal I can log in as root.
When I ran ipfw -a list, the divert line seemed to be missing. Next time this
happens I will make sure to save the output.
natd was visible in ps.
Re-running /etc/rc.firewall or rebooting the FW PC brings things back to normal.

Now,
I looked at the logs, and the one thing that bothers me a bit is this in /var/log/security:

Jan 16 21:44:12 keeper natd[236]: failed to write packet back (Permission denied)

But this message seems to appear during normal operation too.
This odd behaviour has happened several times, but I could not find the time to
track down the cause, so I had been getting by with re-running rc.firewall.
Currently I have set natd's startup option to dynamic on and am watching how it goes.
Can anything be deduced from symptoms like these?
Next time this happens, what should I check?
I would appreciate your opinions.

natd.conf (read when natd starts)
---
dynamic yes
log yes
verbose no
deny_incoming no
log_denied yes
log_facility security
use_sockets yes
same_ports yes
unregistered_only yes
punch_fw 1000:100
redirect_port tcp 192.168.200.2:389 389
redirect_port tcp 192.168.200.2:522 522
redirect_port tcp 192.168.200.2:1503 1503
redirect_port tcp 192.168.200.2:1720 1720
redirect_port tcp 192.168.200.2:1731 1731
redirect_port udp 192.168.200.2:1024-65535 1024-65535
---

/etc/rc.firewall $B$O$A$g$C$HD9$$$N$G8=:_$N(B ipfw -a l $B$N=PNO(B
---
00100    8    384 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00400   20   1920 deny udp from any 137-139 to any
00500    0      0 deny tcp from any 137-139 to any
00600    0      0 deny udp from any to any 137-139
00700    0      0 deny tcp from any to any 137-139
00800    0      0 deny ip from 192.168.200.0/24 to any in recv ed0
00900    0      0 deny ip from any to 10.0.0.0/8 via ed0
01100    0      0 deny ip from any to 192.168.0.0/16 via ed0
01200    0      0 deny ip from any to 0.0.0.0/8 via ed0
01300    0      0 deny ip from any to 169.254.0.0/16 via ed0
01400    0      0 deny ip from any to 192.0.2.0/24 via ed0
01500    0      0 deny ip from any to 224.0.0.0/4 via ed0
01600  217   6592 deny ip from any to 240.0.0.0/4 via ed0
01700 3225 432857 divert 8668 ip from any to any via ed0
01800    0      0 deny ip from 10.0.0.0/8 to any via ed0
01900    0      0 deny ip from 172.16.0.0/12 to any via ed0
02000    0      0 deny ip from 192.168.0.0/16 to any via ed0
02100    0      0 deny ip from 0.0.0.0/8 to any via ed0
02200    0      0 deny ip from 169.254.0.0/16 to any via ed0
02300    0      0 deny ip from 192.0.2.0/24 to any via ed0
02400    0      0 deny ip from 224.0.0.0/4 to any via ed0
02500    0      0 deny ip from 240.0.0.0/4 to any via ed0
02600 2790 502758 allow tcp from any to any established
02700    0      0 deny ip from any to any frag
02800    0      0 allow tcp from 192.168.200.0/24 to any 25 setup
02900    0      0 allow tcp from any to any 53 setup
03000    0      0 allow tcp from any 53 to any setup
03100   35   2307 allow udp from any to any 53
03200  210  10080 allow tcp from any to any 80 setup
03300    1     48 allow tcp from any to any 22 setup
03400    0      0 allow tcp from any to any 389 setup
03500    0      0 allow tcp from any to any 522 setup
03600    0      0 allow tcp from any to any 1503 setup
03700    0      0 allow tcp from any to any 1720 setup
03800    0      0 allow tcp from any to any 1731 setup
03900   35   5660 allow udp from any to any 1024-65535
04000    0      0 deny log logamount 100 tcp from any to any in recv ed0 setup
04100    2     96 allow tcp from any to any setup
04200    0      0 allow udp from any to any 53
04300    0      0 allow udp from any 53 to any
04400  199  15124 allow udp from any to me 123
04500  200  15200 allow udp from me to any 123
65535    1    576 deny ip from any to any
---

-- 
Matsumoto Yutaka <ymatsu@netlinks.co.jp>
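A small shell diagnostic, added here and not part of the mail, that checks an ipfw listing for the two things the post surfaces: the divert rule for natd's port (8668 in rule 01700) being absent while natd still runs, and static rules overlapping the rule-number range that the posted natd.conf hands to natd with punch_fw 1000:100 (natd adds its punched rules as numbers base through base+count-1). The sample listings are constructed from the posted ruleset.

```shell
#!/bin/sh
# Added diagnostic, not part of the original mail: checks an "ipfw -a list"
# listing for the symptom described above (the divert rule for natd missing
# while natd is still running) and for static rules that sit inside the
# punch_fw range. Sample listings are constructed from the posted ruleset.

NATD_PORT=8668      # divert port in rule 01700 of the posted ruleset
PUNCH_BASE=1000     # from "punch_fw 1000:100" in the posted natd.conf
PUNCH_COUNT=100

# Constructed sample: an abridged healthy listing ...
HEALTHY='00100    8    384 allow ip from any to any via lo0
01600  217   6592 deny ip from any to 240.0.0.0/4 via ed0
01700 3225 432857 divert 8668 ip from any to any via ed0
01800    0      0 deny ip from 10.0.0.0/8 to any via ed0
02600 2790 502758 allow tcp from any to any established
65535    1    576 deny ip from any to any'
# ... and the same listing with the divert rule gone, as the author observed.
BROKEN=$(printf '%s\n' "$HEALTHY" | grep -v ' divert ')

# has_divert PORT: read a listing on stdin, print the divert rule for PORT
# and return 0 if present, return 1 if no such rule exists.
has_divert() {
    awk -v port="$1" '$4 == "divert" && $5 == port { found = 1; print }
                      END { exit !found }'
}

# punch_collisions BASE COUNT: count static rules whose number falls in
# [BASE, BASE+COUNT-1], the range natd would use for punch_fw rules.
punch_collisions() {
    awk -v lo="$1" -v hi="$(($1 + $2 - 1))" \
        '$1 + 0 >= lo && $1 + 0 <= hi { n++ } END { print n + 0 }'
}

# check_listing LABEL: run both checks on the listing passed on stdin.
check_listing() {
    listing=$(cat)
    if printf '%s\n' "$listing" | has_divert "$NATD_PORT" >/dev/null; then
        echo "$1: divert $NATD_PORT rule present"
    else
        echo "$1: NO divert $NATD_PORT rule - natd cannot see traffic"
    fi
    echo "$1: $(printf '%s\n' "$listing" | punch_collisions "$PUNCH_BASE" "$PUNCH_COUNT") static rule(s) inside punch_fw range"
}

printf '%s\n' "$HEALTHY" | check_listing healthy
printf '%s\n' "$BROKEN"  | check_listing broken
```

On a live box, replace the constructed samples with `ipfw -a list | check_listing live`; a listing without the divert rule is the state the post describes, where natd keeps running but no traffic reaches it.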

