Merge from vendor branch NTPD:

[dragonfly.git] / contrib / ipfilter / IPF.KANJI

IP filter \e$B%7%g!<%H%,%$%I\e(B                                  Dec, 1999

\e$B%[!<%`%Z!<%8\e(B:     http://coombs.anu.edu.au/~avalon/ip-filter.html
FTP:            ftp://coombs.anu.edu.au/pub/net/ip-filter/

                                        \e$B30;3\e(B \e$B=c@8\e(B <sumio@is.s.u-tokyo.ac.jp>
                                        \e$B;3K\\e(B \e$BBY1'\e(B <ymmt@is.s.u-tokyo.ac.jp>

-----
\e$B$O$8$a$K\e(B

IP filter \e$B$r\e(B gateway \e$B%^%7%s$K%$%s%9%H!<%k$9$k$3$H$G%Q%1%C%H%U%#\e(B
\e$B%k%?%j%s%0$r9T$&$3$H$,$G$-$^$9!#\e(B

\e$B%$%s%9%H!<%k$NJ}K!$O!"\e(BINSTALL\e$B$K=q$$$F$"$k$N$G!"$=$A$i$r;2>H$7$F\e(B
\e$B$/$@$5$$!#\e(BIP filter \e$B$N%P!<%8%g%s\e(B 3.3.5 \e$B$O!"\e(B
             Solaris/Solaris-x86 2.3 - 8 (early access)
             SunOS 4.1.1 - 4.1.4
             NetBSD 1.0 - 1.4
             FreeBSD 2.0.0 - 2.2.8
             BSD/OS-1.1 - 4
             IRIX 6.2
\e$B$GF0:n$9$k$3$H$,3NG'$5$l$F$$$^$9!#\e(B

\e$B$J$*!"\e(B64 bit kernel \e$B$NAv$C$F$k\e(B Solaris7 \e$B%^%7%s$G$O!"\e(Bgcc \e$B$H$+$G%3\e(B
\e$B%s%Q%$%k$7$?\e(B kernel driver \e$B$OF0:n$7$^$;$s!#\e(B

\e$B$=$N$h$&$J>l9g$K$O!"\e(Bprecompiled binary \e$B$r\e(B
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz
(1999\e$BG/\e(B12\e$B7n\e(B14\e$BF|8=:_!"$^$@\e(B3.3.5\e$B$O%Q%C%1!<%8$K$J$C$F$$$^$;$s\e(B)
\e$B$+$i<h$C$F$/$k$+!"\e(BWorkshop Compiler 5.0 \e$B$G%3%s%Q%$%k$7$F\e(B 64bit
driver \e$B$r:n$C$F$/$@$5$$!#\e(B

-----
\e$B@_Dj%U%!%$%k$N5-=RJ}K!\e(B

IP filter\e$B$N@_Dj$O!V$I$N%"%I%l%9!W$N!V$I$N%]!<%H!W$+$i!V$I$N%"%I\e(B
\e$B%l%9!W$N!V$I$N%]!<%H!W$X$N%Q%1%C%H$r\e(B block \e$B$9$k$+\e(B pass \e$B$9$k$+!"\e(B
\e$B$r;XDj$9$k$3$H$G9T$$$^$9!#\e(B

\e$B0J2<$NNc$G$O!"2f!9$,4IM}$7$F$$$k%5%V%M%C%H$h$j30$+$iFb$N%"%/%;%9\e(B
\e$B$O!"0lIt$N%^%7%s$r=|$$$F$OA4$F%V%m%C%/$7!"Fb$+$i30$X$N%"%/%;%9$O!"\e(B
\e$B86B'$H$7$FA4$FAGDL$7$9$k%]%j%7!<$G5-=R$5$l$F$$$^$9!#\e(B

\e$B0J2<!"4IM}$7$F$$$k%5%V%M%C%H$r\e(B
        123.45.1.0/24
\e$B$H$7$FNc$r<($7$^$9!#\e(B24\e$B$O%5%V%M%C%H%^%9%/$G$9!#\e(B

\e$B$^$?!"\e(Bgateway \e$B$O\e(B
        123.45.1.111    (hme0)
\e$B$,\e(B LAN\e$BB&$N%$%s%?!<%U%'!<%9!"\e(B
        123.45.2.10     (hme1)
\e$B$,30B&$N%$%s%?!<%U%'!<%9$H$7$^$9!#\e(B


===================== \e$B$3$3$+$i\e(B ====================
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
===================== \e$B$3$3$^$G\e(B ====================

\e$B$^$:$O$3$N%k!<%k$G!"IT@5$J%Q%1%C%H$r$O$M$^$9!#\e(Bblock \e$B$O\e(B block \e$B$9\e(B
\e$B$k0UL#$G!"H?BP$KDL$9>l9g$O\e(B pass \e$B$H$J$j$^$9!#\e(B

log \e$B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$9$k%Q%1%C%H$N%m%0$r<h$k;X<($G\e(B
\e$B$9!#%m%0$O\e(B /dev/ipl \e$B$H$$$&%G%P%$%9%U%!%$%k$+$i%"%/%;%9$G$-$^$9$,!"\e(B
\e$B$3$N%G%P%$%9$O\e(B bounded buffer \e$B$J$N$G!"$"$kDxEY0J>e$N%m%0$O>C$($F\e(B
\e$B$7$^$$$^$9!#\e(B

/dev/ipl \e$B$NFbMF$rFI$_=P$9$K$O\e(B ipmon \e$B$H$$$&%W%m%0%i%`$r;H$$$^$9!#\e(B
ipmon \e$B$O\e(B stdout, syslog, \e$B$b$7$/$ODL>o$N%U%!%$%k$K%m%0$r=PNO$7$^\e(B
\e$B$9!#5/F0;~$K\e(B ipmon \e$B$rN)$A>e$2$k$J$i!"<!$N$h$&$J9T$r\e(B rc \e$B%U%!%$%k\e(B
\e$B$K=q$/$H$h$$$G$7$g$&!#\e(B

ipmon -n -o I ${IPMONLOG} < /dev/null > /dev/null 2>&1 &

${IPMONLOG} \e$B$OE,Ev$J%U%!%$%kL>$KCV49$7$F$/$@$5$$!#\e(Bsyslog \e$B$K=PNO\e(B
\e$B$9$k>l9g$O!"\e(B-s \e$B%*%W%7%g%s$rIU$1$^$9!#\e(Bsyslog \e$B$K=PNO$9$k>l9g!"\e(B
local0.info \e$B$r5-O?$9$k$h$&$K\e(B syslog.conf \e$B$rJT=8$7$F$/$@$5$$!#\e(B
\e$BNc$($P!"\e(B

local0.info                     ifdef(`LOGHOST', /var/log/syslog, @loghost)


quick \e$B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$O0J9_$N%k!<%k$r\e(B
\e$BD4$Y$:$K!"%"%/%7%g%s\e(B(block or pass)\e$B$K=>$o$;$k$H$$$&$b$N$G$9!#$?\e(B
\e$B$@$7!"Nc30$,$"$j$^$9!#8e=R$7$^$9!#\e(B


===================== \e$B$3$3$+$i\e(B ====================
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
===================== \e$B$3$3$^$G\e(B ====================

\e$B<!$K@)8f$r$+$1$k%$%s%?!<%U%'!<%9Kh$K%Q%1%C%H$KE,MQ$9$k%k!<%k$rJ,\e(B
\e$BN`$7$^$9!#\e(Bhme0 \e$B$O\e(B LAN \e$BB&$N%$%s%?!<%U%'!<%9$J$N$G!"B(:B$K5v2D\e(B
(pass quick)\e$B$7$F$$$^$9!#\e(B

all \e$B$H$$$&$N$O!"\e(Bfrom any to any \e$B$N>JN,7A$G$9!#\e(B

\e$B30It$H$N%$%s%?!<%U%'!<%9$G$"$k\e(B hme1 \e$B$O\e(B incoming \e$B$H\e(B outgoing \e$B$G!"\e(B
\e$B$=$l$>$l\e(B group 100 \e$BHV$H\e(B 150 \e$BHV$KJ,N`$7$^$9!#\e(Bhead \e$B$H$$$&$N$O!"$3\e(B
\e$B$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$r<!$NHV9f$N%0%k!<%W$KJ,N`$9$k$H$$$&\e(B
\e$B0UL#$G$9!#\e(B


===================== \e$B$3$3$+$i\e(B ====================
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
===================== \e$B$3$3$^$G\e(B ====================

IP \e$B%"%I%l%9$r2~cb$7$?%Q%1%C%H$rB(:B$K5qH]$7$F$$$^$9!#KvHx$N\e(B 
group 100 \e$B$H$$$&$N$O\e(B head 100 \e$B$GJ,N`$5$l$?%Q%1%C%H$K$N$_%^%C%A$9\e(B
\e$B$k%k!<%k$H$$$&0UL#$G$9!#\e(B

-----
\e$B$3$3$^$G$G!"4pK\E*$K\e(BLAN\e$BFb$NDL?.$OAGDL$7$@$,30It$H$NDL?.$O%G%U%)\e(B
\e$B%k%H$G0l@Z6X;_$H$$$&@_Dj$K$J$j$^$9!#0J9_$G$O!"$=$N%G%U%)%k%H$KBP\e(B
\e$B$9$kNc30$H$$$&7A$G!"DL$7$?$$%Q%1%C%H$r5-=R$7$F$$$-$^$9!#\e(B

\e$B$^$:!"FbIt$+$i30It$X$N@\B3$K4X$9$k@_Dj$r$7$^$9!#\e(B
===================== \e$B$3$3$+$i\e(B ====================
########## OUTGOING
#
## allow ping out
#
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
===================== \e$B$3$3$^$G\e(B ====================

\e$B$3$l$O4pK\E*$KA4$F$N%Q%1%C%H$r5v$9%k!<%k$G$9!#$7$+$7!"\e(Bnetbios
(137-139/udp, tcp)\e$B$N%]!<%H$@$1$O6X;_$7$F$$$^$9!#\e(Bnetbios\e$B$O\e(B Windows
\e$B$N%U%!%$%k6&M-$G;H$o$l$k%]!<%H$G!"$3$N%]!<%H$,3+$$$F$$$k$H!"\e(B
Windows\e$B$N@_Dj$K$h$C$F$O!"@$3&Cf$+$i%U%!%$%k$rFI$_=q$-$G$-$k\e(B
\e$B62$l$,$"$j$^$9!#\e(B

\e$B$3$3$G!"4JC1$K=q<0$r8+$F$*$/$H!"\e(B
* \e$B:G=i$NC18l$G!"\e(Bblock\e$B$9$k$+\e(Bpass\e$B$9$k$+;XDj$9$k\e(B
* proto \e$B$N8e$NC18l$G!"\e(Bprotocol\e$B$r;XDj$9$k\e(B(udp, tcp, icmp, etc.)\e$B!#\e(B
* from A to B \e$B$G!"$I$3$+$i$I$3$X$N%Q%1%C%H$+$r;XDj$9$k\e(B
* head XXX\e$B$r;XDj$9$k$H!"$=$N9T$G;XDj$5$l$"$?%Q%1%C%H$O!"\e(Bgroup
  XXX\e$B$H$7$F;2>H$G$-$k\e(B
* group\e$B$r;XDj$9$k$3$H$G!"5,B'$rE,MQ$9$k8uJd$r\e(B(\e$BM=$a\e(Bhead\e$B$G@_Dj$7$?\e(B)
  group\e$B$K8BDj$G$-$k!#\e(B

\e$B$^$?!"\e(Bfrom A to B\e$B$N\e(BA\e$B$d\e(BB\e$B$O!"\e(BIP\e$B%"%I%l%9$H\e(Bport\e$B$r=q$/$3$H$,$G$-$^$9!#\e(B
     from any to any port 136 >< 140
\e$B$H$$$&$N$O!"\e(B
  \e$B!VG$0U$N%]!<%H$NG$0U$N%"%I%l%9$+$i!"\e(B137\e$BHV$+$i\e(B139\e$BHV%]!<%H$NG$0U$N\e(B
    \e$B%"%I%l%9$X$N%Q%1%C%H!W\e(B
\e$B;XDj$7$F$$$k$3$H$K$J$j$^$9!#$^$?!"HV9f$NBe$o$j$K\e(B/etc/service\e$B$K5-\e(B
\e$B=R$5$l$F$$$k%5!<%S%9L>$r5-=R$9$k$3$H$b$G$-$^$9!#\e(B
\e$B$?$H$($P\e(B
      from any to any port = telnet
\e$B$H\e(B
      from any to any port = 23
\e$B$OF1$80UL#$H$J$j$^$9!#\e(B

\e$B$5$F!"$3$3$G\e(B quick \e$B$NNc30$r@bL@$7$F$*$-$^$9!#\e(Bquick \e$B$NIU$$$?\e(B
rule \e$B$,\e(B head \e$B$G?7$?$J%0%k!<%W$r:n$k>l9g!"=hM}$O$^$@$3$N;~E@\e(B
\e$B$G$O3NDj$7$^$;$s!#0J9_!"!V\e(Bhead \e$B$G@k8@$5$l$?%0%k!<%W$N%k!<%k!W\e(B
\e$B$N$_=hM}$9$k$H$$$&0UL#$K$J$j$^$9!#$G$9$+$i>e$N!"\e(B

pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160

\e$B$O!"$^$:\e(B 150\e$BHV%0%k!<%W$K%^%C%A$9$k\e(B UDP \e$B%Q%1%C%H$OAGDL$7\e(B
\e$B$9$k!"$,!"0J2<$N\e(B 160\e$BHV$KB0$9$k%k!<%k$r$^$@=hM}$9$k!#\e(B
\e$B$=$7$F\e(B2\e$B9TL\$G\e(B 160\e$BHV%0%k!<%W$KBP$7$F\e(B netbios packet \e$B$r\e(B
block \e$B$7$F$$$kLu$G$9!#\e(B
\e$B0l9TL\$K%^%C%A$7$?%Q%1%C%H$O0J2<$K$b$7\e(B150\e$BHV$N%0%k!<%W$N\e(B
\e$B%k!<%k$,$"$C$?$H$7$F$b!"L5;k$9$k$3$H$KCm0U$7$F$/$@$5$$!#\e(B

----------
\e$B<!$K!"30It$+$iFbIt$X$N%"%/%;%9$N@_Dj$r$7$^$9!#\e(B

* \e$B%k!<%F%#%s%0>pJs\e(B(RIP)\e$B$N%Q%1%C%H$O!"A4It5v$7$^$9!#\e(B
pass in quick proto udp from any to any port = 520 keep state group 100

* ICMP\e$B$N%Q%1%C%H$OA4It5v$7$^$9!#\e(B
pass in quick proto icmp from any to any group 100

* \e$BFbIt$+$i30It$X$N\e(Bftp\e$B$r5v$9$?$a$K!"\e(Bftp-data port\e$B$+$i0lHL%]!<%H$X\e(B
  \e$B$NG$0U$N@\B3$r<u$1IU$1$^$9!#$3$l$O\e(Bpassive mode\e$B$G$J$$\e(BFTP\e$B$N5sF0\e(B
  \e$B$G$9!#\e(B
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100

  \e$B$7$+$7!"$3$l$O0lHL$K8@$C$FB?>/4m81$J9T0Y$G$9!#@\B3$G$-$k$N$,\e(B
  1024\e$BHV0J9_$N0lHL%]!<%H$K8BDj$O$5$l$^$9$,!"$"$^$j$*4+$a$G$-$^$;$s!#\e(B
  \e$B$3$N9T$r2C$($:$K!"\e(Bpassive mode (ftp \e$B$G\e(B pasv \e$B%3%^%s%I$GF~$l$k\e(B)
  \e$B$G\e(B FTP \e$B$r$9$k$3$H$r4+$a$^$9!#$J$*!":G6a$N\e(B FTP client \e$B$O:G=i\e(B
  \e$B$+$i\e(B passive mode \e$B$KL5>r7o$G$7$F$7$^$&$b$N$,B?$$$h$&$G$9!#\e(B
  
* sendmail\e$B$d\e(Bftpd\e$B$K7R$0$H!"Aj<j$,\e(Bident\e$B%]!<%H$X%"%/%;%9$7$F$/$k$3\e(B
  \e$B$H$,$"$k$N$G!"\e(Bident port\e$B$r3+$1$^$9!#\e(Bident \e$B$ODL>o$O5/F0$5$l$F$$\e(B
  \e$B$J$$\e(B daemon \e$B$J$N$G!"AGDL$7$7$F$b%;%-%e%j%F%#%[!<%k$K$J$k$3$H$O$"\e(B
  \e$B$j$^$;$s\e(B(connection refused\e$B$K$J$k$@$1$G$9\e(B)\e$B!#$3$l$r3+$1$J$$$H!"\e(B
  \e$BAj<jB&$O\e(B timeout \e$B$9$k$^$G@h$K?J$^$J$$$N$G!"\e(BFTP \e$B$d\e(B mail \e$B$NAw?.\e(B
  \e$B$,$d$?$i$KCY$/$J$k$3$H$,$"$j$^$9!#\e(B
  \e$B$b$7\e(B 113 \e$BHV%]!<%H$K@\B3$G$-$k$h$&$J$i!"$=$N%5!<%S%9$OB(:B$K\e(B
  \e$BDd;_$9$k$3$H$r4+$a$^$9!#\e(B
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100

------
\e$B<!$K!"30It$+$i\e(B firewall \e$B$X$N%"%/%;%9$r5v$9%5!<%S%9$r5-=R$7$F$$$-\e(B
\e$B$^$9!#$^$:$O!"30It$+$i$N@\B3$r5v$7$?$$%[%9%H$K$D$$$F!"%0%k!<%WHV\e(B
\e$B9f$r$D$1$^$9!#\e(B

===================== \e$B$3$3$+$i\e(B ====================
## grouping by host
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
===================== \e$B$3$3$^$G\e(B ====================

\e$B$3$l$G!"\e(B
        \e$B30It$+$i\e(B 123.45.1.X \e$B$X$N@\B3$O\e(B group 110
        \e$B30It$+$i\e(B 123.45.1.Y \e$B$X$N@\B3$O\e(B group 111
\e$B$G;2>H$9$k$3$H$,$G$-$^$9!#\e(B

\e$BB>$K$b5v$7$?$$%[%9%H$rA}$d$7$?$$$H$-$O!">e$HF1MM$K$7$F!"\e(Bhead\e$B$N8e\e(B
\e$B$K!"?7$7$$?t;z\e(B(112, 113\e$B$J$I\e(B)\e$B$r3d$jEv$F$F$/$@$5$$!#\e(B

\e$B$b$&0lEYCm0U$7$F$*$-$^$9$,!"\e(Bquick \e$B$H\e(B head \e$B$,F1;~$K8=$l$k%k!<%k\e(B
\e$B0J9_$G$O!"\e(Bhead \e$B$G@k8@$5$l$?%0%k!<%W$N%k!<%k$7$+E,MQ$5$l$J$/$J$j\e(B
\e$B$^$9!#$G$9$+$i!">e$N\e(B ident \e$B$d\e(B ftp data-port \e$B$N$h$&$K!"FbIt$N\e(B
\e$BA4$F$N%[%9%H$K%^%C%A$9$k%k!<%k$O!"$3$N%[%9%H$K$h$k%0%k!<%WJ,$1\e(B
\e$B$NA0$KCV$/I,MW$,$"$j$^$9!#\e(B


X\e$B$X$O!"\e(Btelnet, ftp, ssh \e$B$r!"\e(BY\e$B$X$O!"\e(Bftp, http, smtp, pop \e$B$r5v$9$3\e(B
\e$B$H$K$7$^$9!#\e(B

* X(group 110)\e$B$X$N\e(Btelnet\e$B$r5v$7$^$9\e(B
pass in quick proto tcp from any to any port = telnet keep state group 110

* X\e$B$X$N\e(Bftp\e$B$r5v$7$^$9!#\e(Bftp-data port \e$B$b3+$1$F$*$-$^$9!#\e(B
  (\e$BI,MW$,$"$k$+$I$&$+3NG'$O$7$F$$$^$;$s$,!"3+$1$F$$$F$b0BA4$G$7$g$&\e(B)\e$B!#\e(B
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110

* X\e$B$X$N\e(Bssh\e$B$r5v$7$^$9!#\e(B
pass in quick proto tcp from any to any port = 22 keep state group 110

* Y\e$B$X$N\e(Bftp\e$B$r5v$7$^$9!#\e(B
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111

  Y\e$B$O\e(B anonoymous ftp \e$B%5!<%P$r1?1D$7$F$$$k$?$a\e(B wu-ftpd \e$B$r;H$C$F$$\e(B
  \e$B$^$9!#\e(Bwu-ftpd \e$B$O\e(B passive mode \e$B$N\e(BFTP\e$B$K$bBP1~$7$F$$$^$9$N$G!"$I\e(B
  \e$B$N%]!<%H$r\e(BPASV\e$BMQ$K;H$&$+!"\e(Bwu-ftpd \e$B$N@_Dj$K=q$$$F$*$/I,MW$,$"$j\e(B
  \e$B$^$9!#$3$3$G$O\e(B3000\e$B$+$i\e(B3099\e$BHV%]!<%H$r;HMQ$9$k$h$&$K!"\e(Bwu-ftpd \e$B$r\e(B
  \e$B@_Dj$7$F$$$^$9!#\e(B

  passive FTP \e$B$K$D$$$F2r@b$7$^$9!#\e(Bpassive FTP \e$B$O!"%/%i%$%"%s%H$,\e(B
  \e$B%U%!%$%"%&%)!<%k$NFbB&$K$$$k>l9g$N$?$a$K3+H/$5$l$?%W%m%H%3%k$G\e(B
  \e$B$9!#%G%U%)%k%H$G$O>e$G@bL@$7$?$h$&$K!"%G!<%?E>Aw$N$?$a!"%5!<%P\e(B
  \e$B$N\e(B ftp-data port \e$B$+$i%/%i%$%"%s%H$K@\B3$,$$$-$^$9!#\e(B

  passive FTP \e$B$G$O!"%G!<%?E>Aw$b\e(B client \e$B$+$i%5!<%P$K@\B3$9$k$h$&\e(B
  \e$B$K$J$j$^$9!#$=$N:]!"%5!<%P$OE,Ev$J%]!<%HHV9f$r3d$j?6$C$F!"$=$3\e(B
  \e$B$K%/%i%$%"%s%H$,@\B3$9$k$h$&;X<($7$^$9!#\e(B

  \e$B$3$N$?$a!"%5!<%P$,%U%!%$%"%&%)!<%kFb$K$$$k>l9g!"E,Ev$J%]!<%HHV\e(B
  \e$B9f$O%U%!%$%"%&%)!<%k$G$O$M$i$l$F$7$^$$$^$9!#$=$3$G!"\e(Bwu-ftpd \e$B$N\e(B
  \e$B@_Dj$G!"3d$j?6$k%]!<%HHV9f$NHO0O$r8BDj$7$F!"$=$3$@$1%U%!%$%"\e(B
  \e$B%&%)!<%k$K7j$r3+$1$F$$$k$o$1$G$9!#\e(Bwu-ftpd \e$B$N>l9g$O!"\e(Bftpaccess
  \e$B$H$$$&%U%!%$%k$K\e(B

  # passive ports <cidr> <min> <max>
  passive ports 0.0.0.0/0 3000 3099

  \e$B$HDI2C$9$k$3$H$G@_Dj$G$-$^$9!#\e(Bftpaccess(5)\e$B$r;2>H$7$F$/$@$5$$!#\e(B

* Y\e$B$X$N\e(Bhttp\e$B$r5v$7$^$9!#\e(B
pass in quick proto tcp from any to any port = 80 keep state group 111

* Y\e$B$X$N\e(Bsmtp\e$B$r5v$7$^$9!#\e(B
pass in quick proto tcp from any to any port = smtp keep state group 111

* Y\e$B$X$N\e(Bpop\e$B$r5v$7$^$9!#\e(B
pass in quick proto tcp from any to any port = 110 keep state group 111

\e$B0J>e$N@_Dj$K$h$j!"\e(BX, Y \e$B0J30$N%^%7%s$X$N!"30It$+$i$N@\B3$O!"0l@Z\e(B
\e$B9T$($J$/$J$j$^$9$N$G!"\e(Bremote exploit \e$BBP:v$O!"\e(BX, Y \e$B$K$N$_9T$($P$h\e(B
\e$B$/$J$j!"4IM}$N<j4V$,7Z8:$G$-$^$9!#\e(B

\e$BB>$N%W%m%H%3%k$rDL$9>l9g$b!">e$r;29M$K$7$FDL$7$?$$%]!<%HHV9f$r=q\e(B
\e$B$/$@$1$G$9$,!"$$$/$D$+Cm0UE@$,$"$j$^$9!#0J2<$bL\$rDL$7$F$/$@$5$$!#\e(B

-----
\e$B$=$NB>$NCm0U\e(B

1) gateway \e$B%^%7%s$N$h$&$K!"J#?t$N\e(BIP\e$B%"%I%l%9$r;}$D%^%7%s$G%5!<%S\e(B
\e$B%9$rN)$A>e$2$k>l9g$O!"$=$l$>$l$N\e(BIP\e$B%"%I%l%9$KBP$7$F!"\e(Bport \e$B$r3+$/\e(B
\e$BI,MW$,$"$j$^$9!#Nc$($P\e(B X \e$B$,\e(B IP:a \e$B$H\e(B IP:b \e$B$r;}$D$J$i!"\e(Bgroup \e$B$O\e(B a,
b \e$B$=$l$>$lMQ0U$7$F!"N>J}$N%0%k!<%WMQ$K\e(B rule \e$B$rDI2C$9$kI,MW$,$"$j\e(B
\e$B$^$9!#0J2<$NNc$G$O!"%2!<%H%&%'%$%^%7%s\e(B(123.45.2.10\e$B$H\e(B123.45.1.111
\e$B$N\e(BIP\e$B$r;}$D\e(B)\e$B$K\e(BNNTP\e$B%5!<%P$rN)$F$F$$$^$9!#\e(B

(\e$BNc\e(B)
#### grouping by host
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#### allow NNTP
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113

gateway \e$B$,\e(B2\e$B$D0J>e$"$k%M%C%H%o!<%/$G$O!"N>J}$N\e(B gateway \e$B$K\e(B IP
filter \e$B$,I,MW$K$J$j!"@_Dj$O99$KJ#;($K$J$j$^$9!#$=$N$h$&$J4D6-$N\e(B
\e$B>l9g$K$O!"%^%K%e%"%k$rFI$s$G8!F$$7$F$/$@$5$$!#\e(B

2) NFS\e$B$H\e(Brsh\e$B$O%W%m%H%3%k$N4X78>e!"\e(Bfirewall\e$BD6$($OIT2DG=$G$9!#\e(B
   NFS\e$B$NBeBX$K$D$$$F$OITL@$G$9$,!"\e(Brsh\e$B$NBeBX$H$7$F$O\e(Bssh\e$B$,;H$($^$9!#\e(B

3) \e$B30It$N\e(BX client \e$B$r!"%U%!%$%"%&%)!<%kFb$N\e(BX\e$B%5!<%P$K@\B3$5$;$?$$!"\e(B
   \e$B$H$$$&$N$O\e(B FAQ \e$B$N0l$D$G$9!#$*4+$a$N2r7h:v$O!"\e(Bssh \e$B$N\e(B X forwarding
   \e$B5!9=$r;H$&$3$H$G$9!#\e(Bssh\e$B$G@\B3$G$-$k$J$i$P!"$3$l$O40A4$K\e(B secure
   \e$B$GHFMQE*$JJ}K!$G$9!#\e(B

\e$B$=$l$,=PMh$J$$>l9g$O!"2f!9$O@\B3$5$;$?$$%[%9%H$N%Z%"$r%f!<%6$KJs\e(B
\e$B9p$7$F$b$i$C$F!"0J2<$N$h$&$J%k!<%k$rDI2C$7$F$$$^$9!#\e(B
# X:0 \e$B$O\e(B tcp:6000 \e$BHV$K$J$j$^$9!#\e(B

# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100

-----
\e$B:G8e$K!";D$k%Q%1%C%H$OA4$F%V%m%C%/$5$l$kLu$G$9$,!"$=$l$K$D$$$F$N\e(B
\e$BA4$F$N%m%0$r;D$9$3$H$r4uK>$9$k>l9g!"<!$N%k!<%k$r!VI,$::G8e$K!W2C\e(B
\e$B$($^$9!#\e(B

## log blocked packets
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100

------
\e$B:#Kx$N@_Dj$r$R$H$D$K$^$H$a$?%U%!%$%k$r:G8e$KE:IU$7$^$9!#\e(B

===================== \e$B$3$3$+$i\e(B ====================
########## Packet Filtering Rules for 123.45.1. ##########
#
# The following routes should be configured, if not already:
#
# route add 123.45.1.111 localhost 0 (hme0)     (LAN)
# route add 123.45.2.10 localhost 0   (hme1)    (upstream)
#
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
#
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
#
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
########## OUTGOING
#
## allow ping out
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
#
######### INCOMING
## ICMP
pass in quick proto icmp from any to any group 100
## RIP
pass in quick proto udp from any to any port = 520 keep state group 100
## FTP
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
## IDENT
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
#
## grouping by host (112 & 113 is the gateway address)
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#
## telnet, ftp, ssh, www, smtp, pop
pass in quick proto tcp from any to any port = telnet keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
pass in quick proto tcp from any to any port = 22 keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
pass in quick proto tcp from any to any port = 80 keep state group 111
pass in quick proto tcp from any to any port = smtp keep state group 111
pass in quick proto tcp from any to any port = 110 keep state
group 111
#
## allow NNTP on the gateway
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
#
## X connections
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
#
## log blocked packets
## THIS MUST BE THE LAST RULE!
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
===================== \e$B$3$3$^$G\e(B ====================

----
\e$B$3$NJ8=q$N<h$j07$$$K$D$$$F\e(B
Copyright (C) 1999 TOYAMA Sumio <sumio@is.s.u-tokyo.ac.jp>
                   and YAMAMOTO Hirotaka <ymmt@is.s.u-tokyo.ac.jp>

THIS DOCUMENT IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.

Permission to modify this document and to distribute it is hereby
granted, as long as above notices and copyright notice are retained.