
6.4.12 Summary so far

The following rule set is a slightly tidied-up consolidation of everything covered so far.

#
block  in  log on out0 all head 100
block  out log on out0 all head 200
pass   in  log on in1 all head 300
pass   out log on in1 all head 400
#
block in log quick from any to any with ipopts group 100
block in log quick proto tcp from any to any with short group 100
#
# Deny reserved addresses
block in log quick from 10.0.0.0/8     to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12  to any group 100
#
# Deny ip spoofing
block in  log quick on out0 from 202.11.97.16/28 to any group 100
block out log quick on out0 from any to 202.11.97.16/28 group 200
#
# block from loop back address
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 300
block in log quick from any to 127.0.0.0/8 group 300
#
# block other reserved address
block in quick on out0 from any to 0.0.0.0/8 group 100
block in quick on out0 from any to 169.254.0.0/16 group 100
block in quick on out0 from any to 192.0.2.0/24 group 100
# block in quick on out0 from any to 224.0.0.0/4 group 100 # multicast
block in quick on out0 from any to 240.0.0.0/4 group 100
# block irregular IP options
block in log quick on out0 from any to any with opt rr group 100
block in log quick on out0 from any to any with opt ts group 100
block in log quick on out0 from any to any with opt ssrr group 100
block in log quick on out0 from any to any with opt lsrr group 100
#
# pass loop back on lo0
pass  in  quick on lo0 all
pass  out quick on lo0 all
#
# ICMP
pass in  quick proto icmp all icmp-type 3  group 100
pass in  quick proto icmp all icmp-type 4  group 100
pass in  quick proto icmp all icmp-type 11 group 100
pass out quick proto icmp all icmp-type 3  group 200
pass out quick proto icmp all icmp-type 4  group 200
pass out quick proto icmp all icmp-type 8 keep state  group 200
pass out quick proto icmp all icmp-type 11 group 200
#
pass in  quick proto icmp all icmp-type 3  group 300
pass in  quick proto icmp all icmp-type 4  group 300
pass in  quick proto icmp all icmp-type 8 keep state  group 300
pass in  quick proto icmp all icmp-type 11 group 300
pass out quick proto icmp all icmp-type 3  group 400
pass out quick proto icmp all icmp-type 4  group 400
pass out quick proto icmp all icmp-type 8 keep state  group 400
pass out quick proto icmp all icmp-type 11 group 400
#
# block access to FIREWALL from outside
block return-icmp-as-dest(port-unr) in quick from any to FIREWALL group 100
#
# ssh to FIREWALL from inside
pass  in quick proto tcp from any to FIREWALL port = 22 flags S keep state keep frags group 300
# other access from inside
block in quick from any to FIREWALL group 300
#
# traceroute to outside
pass out proto udp from any to any port 33434 >< 33690 keep state group 200
#
# DNS
pass in  quick proto udp from any to MYDNS port = 53 keep state group 100
pass out quick proto udp from any to any port = 53   keep state group 200
#
# mail
pass in  quick proto tcp from any to MAIL port = 25 flags S keep state group 100
pass out quick proto tcp from MAIL to any port = 25 flags S keep state group 200
#
# WWW
pass in  quick proto tcp from any to WWW port = 80 flags S keep state group 100
pass out quick proto tcp from any to any port = 80 flags S keep state group 200
#
# write any services to pass

Here, WWW, MAIL and FIREWALL stand for the IP addresses of the respective hosts.

In this rule set the restrictions on the inside are loose: only access from the inside to the firewall itself is denied, and every other packet passing through the firewall is let through unchanged. Naturally, if the mail gateway or DNS is run on the firewall host itself, access to those services has to be permitted.
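To make the head/group dispatch and the "quick" semantics of the rule set above concrete, here is an added Python evaluator (not part of the original text) that applies ipf's matching order to a simplified excerpt of these rules. FIREWALL = 202.11.97.17 and WWW = 202.11.97.18 are assumed placeholder addresses inside the site's 202.11.97.16/28 block, and the flags, keep state, log and `with` options are not modelled.

```python
import ipaddress

# Constructed excerpt of the chapter's rule set (assumed addresses:
# FIREWALL = 202.11.97.17, WWW = 202.11.97.18; options are stripped).
RULES = """
block in on out0 all head 100
pass  in on in1  all head 300
block in quick from 10.0.0.0/8 to any group 100
block in quick on out0 from 202.11.97.16/28 to any group 100
block in quick from any to 202.11.97.17 group 100
pass  in quick proto tcp from any to 202.11.97.18 port = 80 group 100
pass  in quick proto tcp from any to 202.11.97.17 port = 22 group 300
block in quick from any to 202.11.97.17 group 300
"""

def parse(line):
    t = line.split()
    r = dict(action=t[0], dir=t[1], quick="quick" in t, iface=None, proto=None,
             src=None, dst=None, port=None, head=None, group=None)
    for i, tok in enumerate(t):
        if tok in ("on", "proto", "from", "to", "head", "group"):
            r[{"on": "iface", "from": "src", "to": "dst"}.get(tok, tok)] = t[i + 1]
        elif tok == "port":           # written as "port = N" in the rule set
            r["port"] = int(t[i + 2])
    return r

def in_net(spec, ip):
    return spec in (None, "any") or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
def matches(r, pkt):
    return (r["dir"] == pkt["dir"] and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"]) and r["port"] in (None, pkt.get("port"))
            and in_net(r["src"], pkt["src"]) and in_net(r["dst"], pkt["dst"]))

def evaluate(rules, pkt, group=None):
    # ipf order: last match wins unless 'quick'; a matching 'head' rule runs its
    # group, and a match inside the group overrides the head rule's own action.
    result, final = None, False
    for r in rules:
        if r["group"] != group or not matches(r, pkt):
            continue
        result, final = r["action"], r["quick"]
        if r["head"] is not None:
            sub, subfinal = evaluate(rules, pkt, r["head"])
            if sub is not None:
                result, final = sub, subfinal
        if final:
            break
    return result, final

def decide(pkt, text=RULES):
    rules = [parse(l) for l in text.strip().splitlines()]
    return evaluate(rules, pkt)[0] or "pass"   # ipf passes when nothing matches
```

Inbound packets on out0 that match no group-100 rule fall back to the head rule's "block", while packets on in1 that match nothing inside group 300 fall back to "pass", which is the loose inside policy the paragraph above describes.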



Noriyo Kanayama