This article is based on a document written around 2005.
Introduction
The OS used was FreeBSD 5.3-RELEASE. The IP Filter version is 3.4.35.
Enabling
You could rebuild the kernel, but the recent trend is apparently to load the module into the running kernel, so take the easier route. If ipl.ko is not listed by kldstat,
To have it loaded at boot, set the following in /etc/rc.conf:
ipfilter_rules="/etc/ipf.rules"
ipmon_flags="-D /var/log/ipf_log"
Specifying ipmon this way makes it collect the log.
Configuration
Create the default ipf.rules. The grep -v inet6 drops the IPv6 rules, since IPv6 is not used.
# perl /usr/src/contrib/ipfilter/mkfilters | grep -v inet6 > /etc/ipf.rules
Below is an example ipf.rules. Assume the local network is 192.168.1.0/24, the server's address is 192.168.1.10/32, the NIC is ed0, httpd, ftpd, sshd, ntpd and an IRC bot are running, and the host receives syslog from the router.
# The following routes should be configured, if not already:

block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short

pass out quick on lo0 all
pass in quick on lo0 all

pass out on ed0 all head 150

block out log quick from any to 192.168.1.10/32 group 150
block out log from 127.0.0.0/8 to any group 150
block out log from any to 127.0.0.0/8 group 150

block in log quick on ed0 all head 100

block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from 0.0.0.0/8 to any group 100
block in log quick from 169.254.0.0/16 to any group 100
block in log quick from 224.0.0.0/4 to any group 100
block in log quick from 240.0.0.0/4 to any group 100
block in log quick from 192.168.1.10/32 to any group 100
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100

pass in quick proto tcp from any to 192.168.1.10/32 port = 80 flags S keep state group 100

pass in quick proto tcp from any port = 80 to 192.168.1.10/32 flags A/A group 100
pass in quick proto tcp from any port = 443 to 192.168.1.10/32 flags A/A group 100

pass in quick proto udp from any to 192.168.1.10/32 port = 123 keep state group 100

pass in quick proto udp from 192.168.0.1/32 to 192.168.1.10/32 port = 514 keep state group 100

pass in quick proto udp from 192.168.0.1/32 port = 53 to 192.168.1.10/32 group 100

pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.10/32 port = 20 flags A/A group 100
pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.10/32 port = 21 flags S keep state group 100
pass in quick proto tcp from any port = 20 to 192.168.1.10/32 flags S group 100
pass in quick proto tcp from any port = 21 to 192.168.1.10/32 flags S group 100

pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.10/32 port = 22 flags S/SA keep state group 100

pass in quick proto tcp from any port = 6667 to 192.168.1.10/32 flags A/A group 100

pass in quick proto tcp from any port = 5999 to 192.168.1.10/32 flags A/A group 100
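An added example, not part of the original article and not IP Filter's own tooling: a POSIX sh/awk audit that reads an ipf.rules file and lists every `pass in` TCP rule that has no `keep state` clause, using the rule set above as its reference. The `flags A/A` lines for source ports 80, 443, 6667 and 5999 match on the source port and the ACK flag alone and are not tied to a connection this host opened, so they are the rules to review first when tightening the policy; the stateful form (`keep state`) is the safer default for a server. The function names and the embedded sample rule set (a constructed subset of the group 100 rules) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit an ipf.rules file for
# "pass in" TCP rules that match on flags and ports alone instead of using
# "keep state". Function names and the sample rule set are constructed here.

# Print each stateless "pass in" TCP rule with its rule-file line number,
# then a machine-readable summary line. Reads the files given as arguments,
# or stdin when none are given (awk's default behaviour).
ipf_stateless_pass_in() {
    awk '
        /^[ \t]*#/   { next }                  # comment line
        /^[ \t]*$/   { next }                  # blank line
        /^[ \t]*pass[ \t]+in[ \t]/ && /proto[ \t]+tcp/ {
            tcp_pass_in++
            if ($0 !~ /keep[ \t]+state/) {
                stateless++
                printf "line %d: no keep state: %s\n", FNR, $0
            }
        }
        END {
            printf "summary: tcp_pass_in=%d stateless=%d\n",
                   tcp_pass_in + 0, stateless + 0
        }
    ' "$@"
}

# Print only the number of stateless TCP pass-in rules (for scripting).
ipf_stateless_count() {
    ipf_stateless_pass_in "$@" | sed -n 's/^summary: .*stateless=\([0-9]*\)$/\1/p'
}

# Constructed sample: a subset of the group 100 rules from the article.
SAMPLE_RULES='# sample, not a complete policy
block in log quick on ed0 all head 100
pass in quick proto tcp from any to 192.168.1.10/32 port = 80 flags S keep state group 100
pass in quick proto tcp from any port = 80 to 192.168.1.10/32 flags A/A group 100
pass in quick proto tcp from any port = 443 to 192.168.1.10/32 flags A/A group 100
pass in quick proto udp from any to 192.168.1.10/32 port = 123 keep state group 100
pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.10/32 port = 22 flags S/SA keep state group 100
pass in quick proto tcp from any port = 6667 to 192.168.1.10/32 flags A/A group 100'

# Audit the embedded sample and return its stateless count (expected: 3).
audit_sample_count() {
    printf '%s\n' "$SAMPLE_RULES" | ipf_stateless_count
}

# Stand-alone use: audit the rule files named on the command line, or the
# embedded sample when none are given.
if [ $# -gt 0 ]; then
    ipf_stateless_pass_in "$@"
else
    printf '%s\n' "$SAMPLE_RULES" | ipf_stateless_pass_in
fi
```

Run it as `sh audit.sh /etc/ipf.rules` (the script name is an assumption) after editing the rules and before loading them; with no argument it audits the embedded sample, and the UDP rules are left alone because `keep state` versus flag matching is a TCP distinction here.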
Rotate the log with newsyslog (in newsyslog.conf):
# logfile          mode count size when  flags
/var/log/ipf_log 640 10 * $M1D0 Z
Starting
Reload the rules.
# ipf -FA -Z -f /etc/ipf.rules
To check the out and in settings respectively,