{"id":144,"date":"2007-01-15T15:26:07","date_gmt":"2007-01-15T06:26:07","guid":{"rendered":"http:\/\/popi.jp\/wp\/?p=144"},"modified":"2007-01-15T15:26:07","modified_gmt":"2007-01-15T06:26:07","slug":"","status":"publish","type":"post","link":"https:\/\/popi.jp\/wp\/?p=144","title":{"rendered":"ipfilter"},"content":{"rendered":"

\u305a\u3044\u3076\u3093\u524d\u306b\u8a2d\u5b9a\u3057\u305f\u5185\u5bb9\u3060\u3051\u3069\u3069\u3046\u3084\u3089\u30e1\u30e2\u3063\u3066\u3044\u306a\u304b\u3063\u305f\u3088\u3046\u306a\u306e\u3067\u3001\u601d\u3044\u51fa\u3057\u306a\u304c\u3089\u30e1\u30e2\u30e1\u30e2\u3002
\n\/etc\/ipf\/pfil.ap\u304b\u3089\u4f7f\u7528\u3059\u308b\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30fc\u30b9\u3092\u6307\u5b9a<\/p>\n

\n# IP Filter pfil autopush setup
\n#
\n# See autopush(1M) manpage for more information.
\n#
\n# Format of the entries in this file is:
\n#
\n#major minor lastminor modules
\n#le -1 0 pfil
\n#qe -1 0 pfil
\n#hme -1 0 pfil
\n#qfe -1 0 pfil
\neri -1 0 pfil
\n#ce -1 0 pfil
\n#bge -1 0 pfil
\n#be -1 0 pfil
\n#vge -1 0 pfil
\n#ge -1 0 pfil
\n#nf -1 0 pfil
\n#fa -1 0 pfil
\n#ci -1 0 pfil
\n#el -1 0 pfil
\n#ipdptp -1 0 pfil
\n#lane -1 0 pfil
\n#dmfe -1 0 pfil
\n\u6700\u521d\u306f\u5168\u90e8\u30b3\u30e1\u30f3\u30c8\u306b\u306a\u3063\u3066\u3044\u308b\u306eeri(\u3046\u3061\u306e\u5834\u5408)\u3092\u6709\u52b9\u306b\u3059\u308b\u3002\n<\/div>\n

ipf.conf\u3092\u7de8\u96c6\u3059\u308b<\/p>\n

\n#
\n# outgoing\u3092\u8a31\u53ef
\n#
\npass out quick on eri0 proto tcp\/udp all keep state
\npass out quick on eri0 proto icmp all keep state
\n#
\n# \u4f7f\u7528\u3057\u3066\u3044\u306a\u3044IP Address\u304c\u6765\u305f\u3068\u304d\u306b\u306f\u3058\u304f
\n# (\u3046\u3061\u306f192\u306a\u306e\u3067\u9664\u5916\u3057\u3066\u307e\u3059)
\n#
\nblock in log quick on eri0 from 127.0.0.0\/8 to any
\nblock in log quick on eri0 from 10.0.0.0\/8 to any
\nblock in log quick on eri0 from 169.254.0.0\/16 to any
\nblock in log quick on eri0 from 172.16.0.0\/12 to any
\n#
\n# \u30d6\u30ed\u30c3\u30af\u3059\u308b\u30bb\u30b0\u30e1\u30f3\u30c8\u3092\u8a18\u8ff0
\n#
\nblock in log quick on eri0 from XX.YY.0.0\/16 to any
\n\u4ee5\u4e0b\u3064\u3065\u304f\u2026\u2026
\n\u3046\u3061\u3067\u306fCN,KR,TW\u8fba\u308a\u306eIP Address\u3092block\u3057\u3066\u3044\u307e\u3059\u3002
\n#
\n# \u8a31\u53ef\u3059\u308bincoming
\n#
\npass in quick on eri0 proto tcp from any to any port=XX keep state
\npass in quick on eri0 proto tcp from any to any port=YY keep state
\npass in quick on eri0 proto tcp from any to any port=ZZ keep state
\n#
\npass in quick on eri0 proto tcp from any to any port 32767><33769 keep state\n#\n# \u30d7\u30e9\u30a4\u30d9\u30fc\u30c8\u304b\u3089\u306e\u8a31\u53ef\npass in quick on eri0 from 192.168.X.Y\/24 to any\n#\n# \u305d\u308c\u4ee5\u5916\u306f\u6368\u3066\n#\nblock in log on eri0 all\n<\/div>\n

syslog\u306e\u8a2d\u5b9a<\/p>\n

\nlocal0.debug \/var\/log\/ipf.log
\n\u65b0\u898f\u8ffd\u52a0\u306a\u306e\u3067touch\u3057\u3066\u304a\u304f\u3002
\n# touch \/var\/log\/ipf.log\n<\/div>\n

\u3053\u306e\u5f8cipf\u306e\u30e2\u30b8\u30e5\u30fc\u30eb\u3092\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30fc\u30b9\u306b\u7d44\u307f\u8fbc\u307e\u306a\u3044\u3068\u884c\u3051\u306a\u3044\u306e\u3067\u4e00\u5ea6\u30ea\u30d6\u30fc\u30c8
\n\u30b5\u30fc\u30d3\u30b9\u306e\u6709\u52b9\u5316<\/p>\n

\n# svcs enable svc:\/network\/ipfilter:default\n<\/div>\n

\u52d5\u3044\u3066\u308b\uff1f<\/p>\n

\n# ipfstat -io
\nipf.conf\u306e\u5185\u5bb9\u304c\u8868\u793a\u3055\u308c\u308b\u3002
\nipfmon\u30b3\u30de\u30f3\u30c9\u3067\u30e2\u30cb\u30bf\u30ea\u30f3\u30b0\u51fa\u6765\u308b\u306e\u3067\u500b\u5225\u306b\u30af\u30e9\u30a4\u30a2\u30f3\u30c8IP\u30a2\u30c9\u30ec\u30b9\u3092block\u3057\u3066log\u3059\u308b\u306a\u3069\u3059\u308b\u3068\u78ba\u8a8d\u51fa\u6765\u307e\u3059\u3002\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\u305a\u3044\u3076\u3093\u524d\u306b\u8a2d\u5b9a\u3057\u305f\u5185\u5bb9\u3060\u3051\u3069\u3069\u3046\u3084\u3089\u30e1\u30e2\u3063\u3066\u3044\u306a\u304b\u3063\u305f\u3088\u3046\u306a\u306e\u3067\u3001\u601d\u3044\u51fa\u3057\u306a\u304c\u3089\u30e1\u30e2\u30e1\u30e2\u3002 \/etc\/ipf\/pfil.ap\u304b\u3089\u4f7f\u7528\u3059\u308b\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30fc\u30b9\u3092\u6307\u5b9a # IP Filter pfil autopush set […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":""},"categories":[6],"tags":[17,24],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/popi.jp\/wp\/index.php?rest_route=\/wp\/v2\/posts\/144"}],"collection":[{"href":"https:\/\/popi.jp\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/popi.jp\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/popi.jp\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/popi.jp\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=144"}],"version-history":[{"count":0,"href":"https:\/\/popi.jp\/wp\/index.php?rest_route=\/wp\/v2\/posts\/144\/revisions"}],"wp:attachment":[{"href":"https:\/\/popi.jp\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/popi.jp\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/popi.jp\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}