Editing FreeBSD/MPD+IPF+IPNAT
*MPD+IPF+IPNAT [#pc2f7826]
#contents

**Installing mpd [#cb4d511b]
 # cd /usr/ports/net/mpd
 # make install

***Editing /usr/local/etc/mpd/mpd.conf [#tbd3d57b]
 $ cat /usr/local/etc/mpd/mpd.conf
 default:
         load SAKURA
 
 SAKURA:
         new -i ng0 SAKURA PPPoE
         set iface addrs 1.1.1.1 2.2.2.2
         set iface route default
         set iface disable on-demand
         set iface idle 0
         set iface mtu 1454
         set iface up-script /usr/local/etc/mpd/script-SAKURA.sh
         set bundle disable multilink
         set bundle authname [ユーザ名]
         set bundle password [パスワード]
         set link no acfcomp protocomp
         set link disable pap chap
         set link accept chap
         set link mtu 1454
         set link mru 1454
         set ipcp yes vjcomp
         set ipcp ranges 0.0.0.0/0 0.0.0.0/0
         open iface

***Creating /usr/local/etc/mpd/script-SAKURA.sh [#t74cc853]
This script is run by mpd each time the ng0 link comes up (see "set iface up-script" above).
 $ cat /usr/local/etc/mpd/script-SAKURA.sh
 #!/bin/sh
 # resync IPFilter's interface list now that ng0 exists
 /sbin/ipf -y
 # flush and reload the NAT rules
 /sbin/ipnat -CF -f /etc/ipnat.rules

***Creating /usr/local/etc/mpd/mpd.links [#s6b20e48]
 PPPoE:
         set link type pppoe
         set pppoe iface fxp0
         set pppoe service "whatever"
         set pppoe disable incoming
         set pppoe enable originate

***Creating the mpd startup script [#hfb95cdf]
 $ cat /usr/local/etc/rc.d/mpd.sh
 #!/bin/sh
 mpd_command="/usr/local/sbin/mpd"
 mpd_conf_file="/usr/local/etc/mpd/mpd.conf"
 case "$1" in
 start)
         if [ -x ${mpd_command} -a -f ${mpd_conf_file} ]; then
                 ${mpd_command} -b
                 echo "mpd start pppoe connection"
         fi
         # give the PPPoE link time to come up before (re)loading the rules
         sleep 5
         /sbin/ipf -FA -Z -f /etc/ipf.rules
         #/sbin/ipf -y
         /sbin/ipnat -CF -f /etc/ipnat.rules
         ;;
 stop)
         echo "mpd stop pppoe connection"
         /usr/bin/killall mpd
         ;;
 *)
         echo "Usage: mpd.sh {start|stop}"
         exit 1
 esac
 exit 0

**Rebuilding the kernel [#l99c72bc]
Kernel rebuild ⇒ [[FreeBSD/Kernel rebuild>FreeBSD/カーネル再構築]]~
Add the following options and rebuild the kernel:
 # for net/mpd
 options NETGRAPH
 options NETGRAPH_BPF
 options NETGRAPH_ETHER
 options NETGRAPH_IFACE
 options NETGRAPH_PPP
 options NETGRAPH_PPPOE
 options NETGRAPH_SOCKET
 options NETGRAPH_VJC
 
 # for IPFilter
 options IPFILTER
 options IPFILTER_LOG
 options IPFILTER_DEFAULT_BLOCK
 options TCP_DROP_SYNFIN

**Editing /etc/rc.conf [#t28ce05c]
 ipfilter_enable="YES"
 ipfilter_rules="/etc/ipf.rules"
 ipfilter_flags=""
 ipmon_enable="YES"
 ipmon_flags="-D /var/log/ipflog"
 ipnat_enable="YES"
 ipnat_rules="/etc/ipnat.rules"
 gateway_enable="YES"
 portmap_enable="NO"
 tcp_drop_synfin="YES"

**IPF [#vc8439b3]
If you just want to create an ipf.rules for now (this passes everything in both directions):
 # cat /etc/ipf.rules
 pass in all
 pass out all

***Edited /etc/ipf.rules [#ac01c88d]
 $ cat /etc/ipf.rules
 #--- ipf.rules ---
 block in log quick from any to any with ipopts frag
 block in log quick proto tcp from any to any with short
 
 ## group 100
 #
 pass in on ng0 all head 100
 block in from 127.0.0.0/8 to any group 100
 block in from 192.168.10.0/24 to any group 100
 block in from 10.0.0.0/8 to any group 100
 block in from 172.16.0.0/12 to any group 100
 block in from 192.168.0.0/16 to any group 100
 block in from 192.168.0.0/24 to any group 100
 block in from 0.0.0.0/8 to any group 100
 block in from 169.254.0.0/16 to any group 100
 block in from 192.0.2.0/24 to any group 100
 block in from 224.0.0.0/4 to any group 100
 block in from 240.0.0.0/4 to any group 100
 #NetBIOS
 block in quick proto tcp/udp from any port 136 >< 140 to any group 100
 block in quick proto tcp/udp from any to any port 136 >< 140 group 100
 block in proto udp all group 100
 pass in quick proto tcp all flags A/A group 100
 #ssh
 pass in quick proto tcp from any to any port = 22 flags S/SA group 100
 #FTP
 pass in proto tcp from any port = 20 to any flags S/SA group 100
 pass in quick proto tcp from any to any port = 20 flags A/A group 100
 pass in proto tcp from any port = 21 to any flags A/A group 100
 pass in quick proto tcp from any to any port = 21 flags S/SA group 100
 #smtp
 pass in quick proto tcp from any to any port = 25 flags S/SA group 100
 #deny IDENT
 block return-rst in quick proto tcp from any to any port = 113 group 100
 #DNS
 pass in quick proto tcp from any to any port = 53 flags S/SA group 100
 pass in quick proto udp from any to any port = 53 group 100
 #WWW
 pass in quick proto tcp from any to any port = 80 flags S/SA group 100
 #pass in quick proto tcp from any to any port = 443 flags S/SA group 100
 block in log quick proto tcp all flags S/SA group 100
 #return NTP
 pass in proto udp from any port = 123 to any group 100
 #ping icmp
 pass in proto icmp all group 100
 ## RFC2979
 #pass in proto icmp all icmp-types 3 group 150
 
 ##group200
 #
 pass out on ng0 all head 200
 pass out quick proto icmp from any to any keep state group 200
 pass out quick proto udp from any to any keep state group 200
 pass out quick proto tcp from any to any flags S/SAFR keep state group 200
 pass out proto tcp from any to any port = 53 group 200
 pass out proto tcp from any to any port = 53 flags S/SA group 200
 pass out proto udp from any to any port = 53 group 200
 pass out proto udp from any to any port = 123 group 200
 block out proto icmp all group 200
 pass out proto icmp all icmp-type 3 group 200
 #NetBIOS
 block out quick proto tcp/udp from any port 136 >< 140 to any group 200
 block out quick proto tcp/udp from any to any port 136 >< 140 group 200
 
 ##group250
 #
 pass out on ng1 all head 250
 pass out quick proto icmp from any to any keep state group 250
 pass out quick proto udp from any to any keep state group 250
 pass out quick proto tcp from any to any flags S/SAFR keep state group 250
 pass out proto tcp all flags A/A group 250
 pass out proto tcp from any to any port = 53 group 250
 pass out proto udp from any to any port = 123 group 250
 block out proto icmp all group 250
 pass out proto icmp all icmp-type 3 group 250
 #NetBIOS
 block out quick proto tcp/udp from any port 136 >< 140 to any group 250
 block out quick proto tcp/udp from any to any port 136 >< 140 group 250
 
 ##group 300
 #
 pass in on rl1 all head 300
 pass in quick proto icmp from any to any group 300
 pass in quick proto udp from any to any group 300
 pass in quick proto tcp from any to any flags S/SAFR group 300
 
 ##group 400
 #
 pass out on rl1 all head 400
 pass out quick proto icmp from any to any group 400
 pass out quick proto udp from any to any group 400
 pass out quick proto tcp from any to any flags S/SAFR group 400
 
 ##group 0
 #
 pass in quick on lo0 all
 pass out quick on lo0 all
 #--- ipf.rules end ---

***Adding an IPF rule [#s99cd284]
 # echo "@1 block in quick from 192.168.1.20 to any" | /sbin/ipf -f -

***Deleting a rule [#o03ae484]
 # echo "block in quick from 192.168.1.20 to any" | /usr/sbin/ipf -r -f -

***Saving the configuration (writing the current rules to a file) [#b70ec9f2]
 # ipfstat -io > /etc/ipf.rules

**IPNAT [#xabddc8b]
 # cat /etc/ipnat.rules
 map ng0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp mssclamp 1414
 map ng0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto mssclamp 1414
 map ng0 192.168.0.0/24 -> 0/32 mssclamp 1414

***Redirection with IPNAT (transparent forwarding) [#o9950eaf]
 rdr ng0 0.0.0.0/0 port 80 -> 192.168.1.7 port 80

***Load balancing with IPNAT [#g9194d0b]
In this example, packets arriving for the web server at 202.11.97.29 are sent first to 192.168.0.2, the next connection to 192.168.0.3, the one after that to 192.168.0.4, and so on in rotation.~
Distributing packets (round robin):
 rdr ng0 202.11.97.29/32 port 80 -> 192.168.0.2 port 80 tcp round-robin
 rdr ng0 202.11.97.29/32 port 80 -> 192.168.0.3 port 80 tcp round-robin
 rdr ng0 202.11.97.29/32 port 80 -> 192.168.0.4 port 80 tcp round-robin

***Commands to apply and check new IPF / IPNAT rules [#w441c1fa]
|ipf -Fa -Z -f /etc/ipf.rules|applies the rewritten rules in ipf.rules|
|ipfstat -i|shows the IPFilter inbound rules|
|ipfstat -o|shows the IPFilter outbound rules|
|ipnat -l|shows the NAT configuration|
|ipnat -CF -f /etc/ipnat.rules|applies the rewritten contents of ipnat.rules|

References:
-http://x68k.net/nagai/pukiwiki/index.php?FreeBSD%2Frouter
-http://x68k.net/diary/?200310b#200310200
-http://www.fujie.jp/freebsd/freebsd_router_ipfilter.html
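Before reloading with ipf -Fa -Z -f /etc/ipf.rules, it helps to catch a rule that names a group no "head" rule opens (like the commented-out RFC2979 line for group 150 above: uncommented, it would never be evaluated) and to make sure the provisional "pass in all / pass out all" pair has not been left in. The POSIX sh lint below is an added example, not from the wiki page; the function name ipf_rules_lint and the temporary file path are my own choices.

```shell
#!/bin/sh
# Static check of an IPFilter ruleset before "ipf -Fa -Z -f /etc/ipf.rules".
# Added example; not part of the wiki page. It verifies:
#  1. every "group N" has a rule declaring "head N" (a rule attached to a
#     group without a head is never evaluated, so its block or pass is lost);
#  2. the placeholder "pass in all" / "pass out all" lines are gone.
# Exit status: 0 = clean, 1 = problems found, 2 = file unreadable.
ipf_rules_lint() {
    rules="$1"
    [ -r "$rules" ] || { echo "cannot read $rules" >&2; return 2; }
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            for (i = 1; i < NF; i++) {
                if ($i == "head")  head[$(i + 1)] = 1
                if ($i == "group") grp[$(i + 1)] = NR
            }
            if ($0 ~ /^[ \t]*pass (in|out) all[ \t]*$/) {
                print "line " NR ": placeholder rule \"" $0 "\" still present"
                bad = 1
            }
        }
        END {
            for (g in grp)
                if (!(g in head)) {
                    print "line " grp[g] ": group " g " has no head rule"
                    bad = 1
                }
            exit bad
        }' "$rules"
}

# Constructed demo ruleset (not the page's own file): the group 150 line is
# left uncommented, mirroring the commented-out RFC2979 rule on the page.
demo=$(mktemp "${TMPDIR:-/tmp}/ipflint.XXXXXX") || exit 2
cat > "$demo" <<'EOF'
pass in on ng0 all head 100
block in from 127.0.0.0/8 to any group 100
## RFC2979
pass in proto icmp all icmp-type 3 group 150
EOF
ipf_rules_lint "$demo" || echo "ruleset rejected, not loading it"
rm -f "$demo"
```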