
Summary so far

The rules below are a slightly tidied-up version of everything covered so far.


#
block  in  log on fxp0 all head 100
block  out log on fxp0 all head 200
pass   in  log on fxp1 all head 300
pass   out log on fxp1 all head 400
#
block in log quick from any to any with ipopts group 100
block in log quick proto tcp from any to any with short group 100
#
# Deny reserved addresses
block in log quick from 10.0.0.0/8     to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12  to any group 100
#
# Deny ip spoofing
block in  log quick on fxp0 from 202.11.96.0/24 to any group 100
block out log quick on fxp0 from any to 202.11.96.0/24 group 200
#
# block loopback addresses
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 300
block in log quick from any to 127.0.0.0/8 group 300
#
# pass loopback on lo0
pass  in  quick on lo0 all
pass  out quick on lo0 all
#
# ICMP
pass in  quick proto icmp all icmp-type 3  group 100
pass in  quick proto icmp all icmp-type 4  group 100
pass in  quick proto icmp all icmp-type 11 group 100
pass out quick proto icmp all icmp-type 3  group 200
pass out quick proto icmp all icmp-type 4  group 200
pass out quick proto icmp all icmp-type 8 keep state  group 200
pass out quick proto icmp all icmp-type 11 group 200
#
pass in  quick proto icmp all icmp-type 3  group 300
pass in  quick proto icmp all icmp-type 4  group 300
pass in  quick proto icmp all icmp-type 8 keep state  group 300
pass in  quick proto icmp all icmp-type 11 group 300
pass out quick proto icmp all icmp-type 3  group 400
pass out quick proto icmp all icmp-type 4  group 400
pass out quick proto icmp all icmp-type 8 keep state  group 400
pass out quick proto icmp all icmp-type 11 group 400
#
# block access to FIREWALL from outside
block return-icmp-as-dest(port-unr) in quick from any to FIREWALL group 100
#
# ssh to FIREWALL from inside
pass  in quick proto tcp from any to FIREWALL port = 22 flags S keep state keep frags group 300
# other access from inside
block in quick from any to FIREWALL group 300
#
# traceroute to outside
pass out proto udp from any to any port 33434 >< 33690 keep state group 200
#
# DNS
pass in  quick proto udp from any to MYDNS port = 53 keep state group 100
pass out quick proto udp from any to any port = 53   keep state group 200
#
# mail
pass in  quick proto tcp from any to MAIL port = 25 flags S keep state group 100
pass out quick proto tcp from MAIL to any port = 25 flags S keep state group 200
#
# WWW
pass in  quick proto tcp from any to WWW port = 80 flags S keep state group 100
pass out quick proto tcp from any to any port = 80 flags S keep state group 200
#
# add any other services that should be passed here

Here WWW, MAIL, MYDNS and FIREWALL stand for the IP addresses of the respective hosts.

In this ruleset the restrictions on the inside are loose: only access from the inside to the firewall itself is denied (ssh excepted), and all other packets passing through the firewall are let through as they are. Of course, if the mail gateway or the DNS server is run on the firewall itself, access to those services must be permitted explicitly.
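To see how ipf actually walks these rules, the following is an added example (written for this page, not code from the original document or from IPFilter itself). It models the head/group structure, `quick`, and ipf's last-match-wins evaluation over an excerpt of the ruleset above and tries constructed packets against it. The addresses chosen for FIREWALL and WWW, the default "pass" when nothing matches, and the omission of `keep state`, fragments, logging and ICMP replies are simplifying assumptions of the model.

```python
"""Model of how ipf walks the ruleset above: heads and groups, quick, last match wins.

Added example, not code from the original page. Simplified model of IPFilter rule
evaluation (no state table, fragments, logging or ICMP replies) used to check what
the ruleset decides for constructed packets.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
# Assumed addresses: the page only says FIREWALL, WWW, MAIL are IP addresses.
HOSTS = {"FIREWALL": "202.11.96.1", "WWW": "202.11.96.4"}

# Excerpt of the ruleset above (ICMP, DNS and mail rules omitted for brevity).
RULESET = """
block  in  log on fxp0 all head 100
block  out log on fxp0 all head 200
pass   in  log on fxp1 all head 300
pass   out log on fxp1 all head 400
block in log quick from any to any with ipopts group 100
block in log quick proto tcp from any to any with short group 100
block in  log quick on fxp0 from 202.11.96.0/24 to any group 100
block out log quick on fxp0 from any to 202.11.96.0/24 group 200
pass  in  quick on lo0 all
pass  out quick on lo0 all
block return-icmp-as-dest(port-unr) in quick from any to FIREWALL group 100
pass  in quick proto tcp from any to FIREWALL port = 22 flags S keep state keep frags group 300
block in quick from any to FIREWALL group 300
pass out proto udp from any to any port 33434 >< 33690 keep state group 200
pass in  quick proto tcp from any to WWW port = 80 flags S keep state group 100
"""


@dataclass
class Packet:
    direction: str            # "in" / "out"
    iface: str
    proto: str                # "tcp" / "udp" / "icmp"
    src: str
    dst: str
    dport: int = 0
    syn_only: bool = False    # SYN set, ACK clear: what "flags S" matches
    ipopts: bool = False      # IP options present ("with ipopts")
    short: bool = False       # too-short fragment ("with short")


@dataclass
class Rule:
    action: str
    direction: str
    text: str
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range
    syn_only: bool = False
    with_opt: Optional[str] = None
    head: Optional[int] = None
    group: int = 0                            # 0 is the main list


def _net(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(HOSTS.get(tok, tok), strict=False)


def parse_rule(line: str) -> Rule:
    t = line.split()
    i = 2 if t[1].startswith("return-") else 1         # skip return-icmp...(...) / return-rst
    r = Rule(action=t[0], direction=t[i], text=line)
    i += 1
    while i < len(t):
        k = t[i]
        if k in ("log", "all"):  i += 1
        elif k == "quick":       r.quick = True; i += 1
        elif k == "on":          r.iface = t[i + 1]; i += 2
        elif k == "proto":       r.proto = t[i + 1]; i += 2
        elif k == "from":        r.src = _net(t[i + 1]); i += 2
        elif k == "to":          r.dst = _net(t[i + 1]); i += 2
        elif k == "port" and t[i + 1] == "=":          # only destination ports occur here
            r.dport = (int(t[i + 2]),) * 2; i += 3
        elif k == "port":        # "a >< b" is strictly between a and b in ipf.conf
            r.dport = (int(t[i + 1]) + 1, int(t[i + 3]) - 1); i += 4
        elif k == "flags":       r.syn_only = t[i + 1] == "S"; i += 2
        elif k == "with":        r.with_opt = t[i + 1]; i += 2
        elif k == "keep":        i += 2                    # state / frags: not modelled
        elif k == "head":        r.head = int(t[i + 1]); i += 2
        elif k == "group":       r.group = int(t[i + 1]); i += 2
        else:
            raise ValueError(f"unhandled token {k!r} in: {line}")
    return r


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and r.iface in (None, p.iface) and r.proto in (None, p.proto)
            and ipaddress.ip_address(p.src) in r.src and ipaddress.ip_address(p.dst) in r.dst
            and (r.dport is None or r.dport[0] <= p.dport <= r.dport[1])
            and (not r.syn_only or p.syn_only)
            and (r.with_opt is None or getattr(p, r.with_opt)))


def decide(rules, p: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, deciding rule). A matching head sets the group's default,
    each later non-quick match overrides it, and the first quick match ends it."""
    groups = {}
    for r in rules:
        groups.setdefault(r.group, []).append(r)
    state = ["pass", None]    # ipf passes what matches nothing (assumed: not built default-block)

    def walk(gid: int) -> bool:
        for r in groups.get(gid, []):
            if matches(r, p):
                state[:] = [r.action, r.text]
                if r.quick or (r.head is not None and walk(r.head)):
                    return True
        return False

    walk(0)
    return state[0], state[1]


RULES = [parse_rule(ln) for ln in RULESET.strip().splitlines() if not ln.startswith("#")]

if __name__ == "__main__":
    syn = Packet("in", "fxp0", "tcp", "1.2.3.4", HOSTS["WWW"], 80, syn_only=True)
    print(decide(RULES, syn))
```

Three things the model makes visible that the listing alone does not: an inbound packet to WWW port 80 that is not a bare SYN falls back to the `block ... head 100` verdict, so the rest of the TCP connection only gets through because of `keep state`; the traceroute rule carries no `quick`, so its "pass" stands only because nothing later in group 200 matches and overrides it; and `33434 >< 33690` excludes both endpoints, so a probe to exactly port 33434 is blocked.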



Noriyo Kanayama