#
# /etc/ipf.rules
#   IP-filter rule-sets
#
# group  contents
# 200  in
# 250  in(icmp)
# 300  in(udp)
# 350  in(tcp)
# 210  in: campus LAN (global-IP) (including forwarding to the DMZ)
# 211  in: campus LAN (global-IP) Server/Client
# 212  in: campus LAN (global-IP) Server
# 215  in: campus LAN (local-IP) (including forwarding to the DMZ)
# 216  in: campus LAN (local-IP) forwarded to the DMZ
# 217  in: campus LAN (local-IP) Server/Client
# 220  in: DMZ, addressed directly
# 230  in: floor LAN
# 232  in: floor LAN server
# 249  in: 169.254/16
# 400  out
# 450  out(icmp)
# 500  out(udp)
# 550  out(tcp)
# 410  out: campus LAN (global-IP) (including forwarding to the DMZ)
# 415  out: campus LAN (local-IP) (including forwarding to the DMZ)
# 416  out: campus LAN (local-IP) forwarded to the DMZ
# 420  out: DMZ, addressed directly
# 430  out: floor LAN
# 449  out: 169.254/16
#
#
#
# BASE RULE
#
# UPnP MS-Windows XP, ROUTER
block in quick ttl 1 proto igmp from 192.168.0.0/16 to 239.255.255.250 with ipopts
block in quick ttl 1 proto igmp from 192.168.0.0/16 to 224.0.0.2 with ipopts
block in quick ttl 1 proto igmp from 192.168.0.0/16 to 224.0.0.22 with ipopts
block in quick ttl 1 proto igmp from 0.0.0.0 to 224.0.0.22 with ipopts
# Reject forged packets
block in log body level local7.alert quick all with opt rtralrt
block in log body level local7.alert quick all with ipopts
# Reject illegal IP options
block in log body level local7.crit quick all with opt lsrr
block in log body level local7.crit quick all with opt ssrr
# Reject short TCP/IP fragments
block in log body level local7.crit quick proto tcp all with short
#
#
#
# Allow All Loopback
pass in quick on lo0 all keep state keep frags
pass out quick on lo0 all keep state keep frags
# Forged (spoofed) IPs forbidden
block in log body level local7.emerg quick from 127.0.0.0/8 to any
block in log body level local7.emerg quick from any to 127.0.0.0/8
block out log body level local4.emerg quick from 127.0.0.0/8 to any
block out log body level local4.emerg quick from any to 127.0.0.0/8
#
#
#
# Default Rule
#block in quick all
#block out quick all
#pass in log level local7.err quick all keep state keep frags
#pass out log level local4.err quick all keep state keep frags
block in log level local7.err quick all head 200
block out log level local4.err quick all head 400
#
# Grouping
# Blocking rule, have priority
block in log level local7.err all head 201 group 200
block out log level local4.err all head 401 group 400
block out log level local4.err all head 409 group 400
# By address
block in log level local7.err from x.x.x.0/16 to any keep frags head 210 group 200
block in log level local7.err from x.x.x.96/30 to any keep frags head 211 group 210
block in log level local7.err from x.x.x.96 to any keep frags head 212 group 211
block in log level local7.err from 172.16.0.0/12 to any keep frags head 215 group 200
block in log level local7.err from 172.x.x.100/30 to any keep frags head 216 group 215
block in log level local7.err from 172.x.x.96/30 to any keep frags head 217 group 215
block in log level local7.err from 10.0.0.0/8 to any keep frags head 220 group 200
block in log level local7.err from 192.168.0.0/16 to any keep frags head 230 group 200
block in log level local7.err from 192.168.0.2 to any keep frags head 232 group 230
block in log level local7.err from 169.254.0.0/16 to any keep frags head 249 group 200
# Basically: output to the outside forbidden, output to the inside permitted
pass out log level local4.debug from any to x.x.x.0/16 keep state keep frags head 410 group 400
pass out log level local4.debug from any to 172.16.0.0/12 keep state keep frags head 415 group 400
pass out log level local4.debug from any to 172.x.x.100/30 keep state keep frags head 416 group 415
pass out log level local4.debug from any to 10.0.0.0/8 keep state keep frags head 420 group 400
pass out log level local4.debug from any to 192.168.0.0/16 keep state keep frags head 430 group 400
pass out log level local4.debug from any to 169.254.0.0/16 keep state keep frags head 449 group 400
# By protocol
block in log level local7.err proto icmp all head 250 group 200
block in log level local7.err proto udp all head 300 group 200
block in log level local7.err proto tcp all flags S/AUPRS head 350 group 200
block out log level local4.err proto icmp all head 450 group 400
block out log level local4.err proto udp all head 500 group 400
block out log level local4.err proto tcp all flags S/AUPRS head 550 group 400
#
#
#
# OUTPUT SECTION
#
# ICMP
pass out log level local4.notice quick proto icmp all icmp-type unreach keep state group 450    # 3
pass out log level local4.notice quick proto icmp all icmp-type squench keep state group 450    # 4
pass out log level local4.notice quick proto icmp all icmp-type echo keep state group 450       # 8
pass out log level local4.notice quick proto icmp all icmp-type timex keep state group 450      # 11
pass out log level local4.notice quick proto icmp all icmp-type paramprob keep state group 450  # 12
pass out log level local4.warn quick proto icmp all keep state group 410
pass out log level local4.warn quick proto icmp all keep state group 415
pass out log level local4.warn quick proto icmp all keep state group 420
pass out log level local4.warn quick proto icmp all keep state group 430
pass out log level local4.warn quick proto icmp all keep state group 449
#
# Routing-Information Multicast to ALL-router
pass out quick proto igmp from any to 224.0.0.2 group 400
#
#
# INTERNAL SERVICES
#
# IPsec
pass out quick proto udp from any to any port = isakmp keep state group 430
pass out quick proto esp from any to any keep state group 430
pass out quick proto ah from any to any keep state group 430
#
# DHCP
#pass out quick proto udp from 0.0.0.0 port = dhcpc to 255.255.255.255 port = dhcps keep state group 500
pass out quick proto udp from any port = dhcpc to 255.255.255.255 port = dhcps keep state group 500
pass out quick proto udp from any port = dhcpc to any port = dhcps keep state group 430
#
# Kerberos V
pass out quick proto tcp from any to any port = kerberos-sec flags S/AUPRS keep state keep frags group 430
pass out quick proto udp from any to any port = kerberos-sec keep state keep frags group 430
pass out quick proto tcp from any to any port = kerberos-iv flags S/AUPRS keep state keep frags group 430
pass out quick proto udp from any to any port = kerberos-iv keep state keep frags group 430
pass out quick proto tcp from any to any port = krb524 flags S/AUPRS keep state keep frags group 430
pass out quick proto udp from any to any port = krb524 keep state keep frags group 430
pass out quick proto tcp from any to any port = kerberos_master flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = kerberos-adm flags S/AUPRS keep state keep frags group 430
pass out quick proto udp from any to any port = kpasswd5 keep state keep frags group 430
#
# NTP
pass out quick proto udp from any to any port = ntp keep state group 410
pass out quick proto udp from any to any port = ntp keep state group 415
pass out quick proto udp from any to any port = ntp keep state group 420
pass out quick proto udp from any to any port = ntp keep state group 430
#
# LPR
pass out quick proto tcp from any to any port = printer flags S/AUPRS keep state keep frags group 410
pass out quick proto tcp from any to any port = printer flags S/AUPRS keep state keep frags group 415
pass out quick proto tcp from any to any port = printer flags S/AUPRS keep state keep frags group 420
pass out quick proto tcp from any to any port = printer flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = ipp flags S/AUPRS keep state keep frags group 410
pass out quick proto tcp from any to any port = ipp flags S/AUPRS keep state keep frags group 415
pass out quick proto tcp from any to any port = ipp flags S/AUPRS keep state keep frags group 420
pass out quick proto tcp from any to any port = ipp flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = 170 flags S/AUPRS keep state keep frags group 410
pass out quick proto tcp from any to any port = 170 flags S/AUPRS keep state keep frags group 415
pass out quick proto tcp from any to any port = 170 flags S/AUPRS keep state keep frags group 420
pass out quick proto tcp from any to any port = 170 flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = 9100 flags S/AUPRS keep state keep frags group 410
pass out quick proto tcp from any to any port = 9100 flags S/AUPRS keep state keep frags group 415
pass out quick proto tcp from any to any port = 9100 flags S/AUPRS keep state keep frags group 420
pass out quick proto tcp from any to any port = 9100 flags S/AUPRS keep state keep frags group 430
#
# WNN
pass out quick proto tcp from any to any port = wnn4 flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = wnn4_Cn flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = wnn4_Tw flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = wnn4_Kr flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = wnn6_DS flags S/AUPRS keep state keep frags group 430
#
# X11
pass out quick proto tcp from any to any port = x11 flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port 5999 >< 6010 flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = x11-ssh flags S/AUPRS keep state keep frags group 430
#
# IP-Messenger
pass out log level local4.warn proto udp from any port 1023 >< 5001 to 255.255.255.255 port = 2425 keep state group 500
pass out log level local4.warn proto udp from any port 1023 >< 5001 to any port = 2425 keep state group 430
pass out log level local4.warn proto udp from any port = 2425 to any port >= 1024 keep state group 410
pass out log level local4.warn proto udp from any port = 2425 to any port >= 1024 keep state group 415
pass out log level local4.warn proto udp from any port = 2425 to any port >= 1024 keep state group 420
pass out log level local4.warn proto udp from any port = 2425 to any port >= 1024 keep state group 430
pass out quick proto udp from any port = 2425 to 255.255.255.255 port = 2425 keep state group 500
pass out quick proto udp from any port = 2425 to any port = 2425 keep state group 430
#
# YP/NIS
pass out quick proto udp from any to any port = sunrpc keep state keep frags group 430
#
# CORBA
# omniORB Naming Service
pass out quick proto tcp from any to any port = 2809 flags S/AUPRS keep state keep frags group 430
#
# NETBIOS
pass out quick proto udp from any port = netbios-ns to any port = netbios-ns keep state group 430
pass out quick proto udp from any port >= 49152 to any port = netbios-ns keep state group 430
pass out quick proto udp from any port = netbios-dgm to any port = netbios-dgm keep state group 430
pass out quick proto tcp from any port >= 49152 to any port = netbios-ssn flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any port >= 49152 to any port = microsoft-ds flags S/AUPRS keep state keep frags group 430
#
# MELCO AirStation Setting
pass out quick proto tcp from 1.0.0.0/8 port 1023 >< 5001 to 1.1.1.1 port = http keep state keep frags group 550
#
# NTTCP - Network Benchmark Test
pass out log level local4.info quick proto tcp from any to any port = 5037 flags S/AUPRS keep state keep frags group 430
pass out log level local4.info quick proto tcp from any to any port = 5038 flags S/AUPRS keep state keep frags group 430
pass out log level local4.info quick proto udp from any to any port = 5038 keep state keep frags group 430
# NETPERF - Network Benchmark Test
pass out log level local4.info quick proto tcp from any to any port = 12865 flags S/AUPRS keep state keep frags group 430
pass out log level local4.info quick proto udp from any to any port = 12865 keep state keep frags group 430
#
# IP-Masquerade by Linux ipchains
#pass out log first level local4.debug quick proto tcp from any to 192.168.0.1 port 61000 >< 65095 keep state keep frags group 550
#pass out log first level local4.debug quick proto udp from any to 192.168.0.1 port 61000 >< 65095 keep state keep frags group 500
#
# VoIP/H323
pass out quick proto tcp from any port > 1023 to any port = 1720 flags S/AUPRS keep state keep frags group 430
# VoIP/SIP
pass out quick proto udp from any port = 5060 to any port = 5060 keep state keep frags group 430
#
# TeamSpeak
# weblist.teamspeak.org has address 213.202.254.116
block out log level local4.debug proto tcp from any port 1023 >< 5001 to 213.202.254.116 port = http group 401
# TeamSpeak Server
block out log level local4.debug proto udp from any port 1023 >< 5001 to 213.202.254.116 port = 45647 group 401
block out log level local4.debug proto udp from any port = 8767 to 213.202.254.116 port = 45647 group 401
block out log level local4.warn proto udp from any to any port = 45647 group 401
pass out quick proto udp from any port = 8767 to any keep state keep frags group 430
pass out quick proto tcp from any port 1023 >< 5001 to any port = 14534 flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any port 1023 >< 5001 to any port = 51234 flags S/AUPRS keep state keep frags group 430
# TeamSpeak Client
block out log level local4.debug proto tcp from any port 1023 >< 5001 to 213.202.254.116 port = 45648 flags S/AUPRS group 401
block out log level local4.warn proto tcp from any to any port = 45648 group 401
pass out quick proto udp from any port 1023 >< 5001 to any port = 8767 keep state keep frags group 430
#
# RemoteDesktop
pass out quick proto tcp from any port 1023 >< 5001 to any port = 3389 flags S/AUPRS keep state keep frags group 430
#
#
# EXTERNAL SERVICES
#
# DNS
pass out quick proto udp from any to any port = domain keep state group 500
pass out quick proto tcp from any to any port = domain keep state keep frags group 550
pass out log first level local4.info quick proto tcp from any to any port = whois keep state keep frags group 550
# mDNS - Multicast DNS
block out quick proto udp from any port = 5353 to 224.0.0.251 port = 5353 group 500
block in quick proto udp from any port = 5353 to 224.0.0.251 port = 5353 group 230
block in quick proto udp from any port 1023 >< 5001 to 224.0.0.251 port = 5353 group 230
block out quick proto igmp from any to 224.0.0.251 group 401
block in quick proto igmp from any to 224.0.0.251 group 230
block in quick proto igmp from any to 224.0.0.251 group 249
#
# SSH
pass out quick proto tcp from any to any port = ssh keep state keep frags group 550
#
# MAIL
pass out quick proto tcp from any to any port = smtp keep state keep frags group 550
pass out quick proto tcp from any to any port = smtps keep state keep frags group 550
pass out quick proto tcp from any to any port = submission keep state keep frags group 550
pass out quick proto tcp from any to any port = pop3 keep state keep frags group 550
pass out quick proto tcp from any to any port = pop3s keep state keep frags group 550
pass out quick proto tcp from any to any port = imap keep state keep frags group 550
pass out quick proto tcp from any to any port = imaps keep state keep frags group 550
#
# WEB(external)
block out log first level local4.warn proto tcp from any to any port = http group 550
block out log first level local4.warn proto tcp from any to any port = https group 550
block out log first level local4.warn proto tcp from any to any port = 3128 group 550   # squid
block out log first level local4.warn proto tcp from any to any port = 8080 group 550   # delegate
pass out quick proto tcp from any to any port = http keep state keep frags group 550
pass out quick proto tcp from any to any port = https keep state keep frags group 550
pass out quick proto tcp from any to any port = 3128 keep state keep frags group 550    # squid
pass out quick proto tcp from any to any port = 8080 keep state keep frags group 550    # delegate
# Some web sites occasionally answer the SYN we send with a bare ACK instead of SYN+ACK.
# Also, when the Kyocera router has its regular weekly fit, it swallows the S from the
# remote site and only A and AF (AFP) get through.
block return-rst in log body first level local7.info quick proto tcp from any port = http to any port >= 49152 flags A group 200
block return-rst in log body first level local7.info quick proto tcp from any port = https to any port >= 49152 flags A group 200
block return-rst in log body first level local7.err quick proto tcp from any port = http to any port >= 49152 flags AF/AURFS group 200
block return-rst in log body first level local7.err quick proto tcp from any port = https to any port >= 49152 flags AF/AURFS group 200
# If the line is cut mid-transfer, or the peer times out first on keep-alive, an RF or R comes back.
# For some reason that sometimes does not match the pass out keep state entry.
block in log first level local7.info quick proto tcp from any port = http to any port >= 49152 flags R/AUPRS group 200
block in log first level local7.info quick proto tcp from any port = https to any port >= 49152 flags R/AUPRS group 200
block in log first level local7.info quick proto tcp from any port = ftp to any port >= 49152 flags R/AUPRS group 200
# When the remote site does not respond, after the TCP timeout we send AF three times and AR once.
# By then ipf's pass out keep state entry has expired, so these hit the default rule, which is noisy.
block return-rst out log first level local4.info quick proto tcp from any port >= 49152 to any port = http flags AF group 409
block return-rst out log first level local4.info quick proto tcp from any port >= 49152 to any port = http flags AR group 409
block return-rst out log first level local4.info quick proto tcp from any port >= 49152 to any port = https flags AF group 409
block return-rst out log first level local4.info quick proto tcp from any port >= 49152 to any port = https flags AR group 409
# WEB(internal)
pass out quick proto tcp from any to any port = http flags S/AUPRS keep state keep frags group 410
pass out quick proto tcp from any to any port = http flags S/AUPRS keep state keep frags group 415
pass out quick proto tcp from any to any port = http flags S/AUPRS keep state keep frags group 420
pass out quick proto tcp from any to any port = http flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = https flags S/AUPRS keep state keep frags group 410
pass out quick proto tcp from any to any port = https flags S/AUPRS keep state keep frags group 415
pass out quick proto tcp from any to any port = https flags S/AUPRS keep state keep frags group 420
pass out quick proto tcp from any to any port = https flags S/AUPRS keep state keep frags group 430
pass out quick proto tcp from any to any port = 3128 flags S/AUPRS keep state keep frags group 410   # squid
pass out quick proto tcp from any to any port = 3128 flags S/AUPRS keep state keep frags group 415   # squid
pass out quick proto tcp from any to any port = 3128 flags S/AUPRS keep state keep frags group 420   # squid
pass out quick proto tcp from any to any port = 3128 flags S/AUPRS keep state keep frags group 430   # squid
pass out quick proto tcp from any to any port = 8080 flags S/AUPRS keep state keep frags group 410   # delegate
pass out quick proto tcp from any to any port = 8080 flags S/AUPRS keep state keep frags group 415   # delegate
pass out quick proto tcp from any to any port = 8080 flags S/AUPRS keep state keep frags group 420   # delegate
pass out quick proto tcp from any to any port = 8080 flags S/AUPRS keep state keep frags group 430   # delegate
#
# NTP/DAYTIME/TIMESERVER
pass out quick proto udp from any port = ntp to 210.173.160.27 keep state group 500
pass out quick proto udp from any to 210.173.160.27 port = ntp keep state group 500
pass out log first level local4.info quick proto udp from any to any port = ntp keep state group 500
pass out log first level local4.info quick proto tcp from any to any port = ntp keep state keep frags group 550
pass out log first level local4.info quick proto tcp from any to any port = daytime keep state keep frags group 550
pass out log first level local4.info quick proto tcp from any to any port = timeserver keep state keep frags group 550
#
# FINGER
pass out log first level local4.info quick proto tcp from any to any port = finger keep state keep frags group 550
#
# IDENT
pass out log first level local4.info quick proto tcp from any to any port = ident keep state keep frags group 550
#
# TELNET
pass out quick proto tcp from any to any port = telnet keep state keep frags group 550
#
# TFTP/FTP
pass out quick proto udp from any to any port = tftp keep state keep frags group 500
pass out quick proto tcp from any to any port = ftp keep state keep frags group 550
# FTP-Client to FTP-PROXY (Passive Mode)
pass out quick proto tcp from any port 1023 >< 5001 to any port >= 64544 flags S/AUPRS keep state keep frags group 416
# FTP-Server (Active Mode)
pass out quick proto tcp from any port = ftp-data to any port >= 1024 keep state keep frags group 550
# FTP-Client Direct Connection (Passive Mode)
pass out log first level local4.warn quick proto tcp from any port 1023 >< 5001 to any port >= 1024 keep state keep frags group 550
#
# IRC
pass out quick proto tcp from any port 1023 >< 5001 to any port 6659 >< 6670 keep state keep frags group 550
#
# PGP/GPG
pass out quick proto tcp from any to any port = 11371 keep state keep frags group 550   # pgpkeyserver
#
# CVSUP
pass out quick proto tcp from any to any port = cvsup keep state keep frags group 550
#
# CDDB
pass out quick proto tcp from any to any port = 888 keep state keep frags group 550
#
#
# INTERNAL SERVICES (2)
#
# NFS-server
pass out quick proto udp from any port = sunrpc to any port <= 1023 keep state keep frags group 430
pass out quick proto udp from any port = nfsd to any port <= 1023 keep state keep frags group 430
pass out quick proto udp from any port = lockd to any port <= 1023 keep state keep frags group 430
# NFS-client
pass out quick proto udp from any port <= 1023 to any port = sunrpc keep state keep frags group 430
pass out quick proto udp from any port <= 1023 to any port = nfsd keep state keep frags group 430
pass out quick proto tcp from any port <= 1023 to any port = nfsd flags S/AUPRS keep state keep frags group 430
pass out quick proto udp from any port <= 1023 to any port = lockd keep state keep frags group 430
pass out quick proto tcp from any port <= 1023 to any port = lockd flags S/AUPRS keep state keep frags group 430
pass out log first level local4.err quick proto udp from any port <= 1023 to any port <= 1023 keep state keep frags group 430
pass out log first level local4.err quick proto tcp from any port <= 1023 to any port <= 1023 flags S/AUPRS keep state keep frags group 430
#
#
# *** EXTERNAL OUTPUT ***
#
#block out log first level local4.warn quick proto udp from any port 1023 >< 5001 to any port 1023 >< 50001 group 509
#block out log first level local4.err quick proto udp from any to any group 509
pass out log first level local4.warn quick proto tcp from any port 1023 >< 5001 to any port >= 1024 keep state keep frags group 550
pass out log first level local4.warn quick proto tcp from any port >= 49152 to any port >= 1024 keep state keep frags group 550
#block out log first level local4.err quick proto tcp from any to any keep frags group 550
#
#
#
#
# INPUT SECTION
#
# Reject forged IPs
block in log body level local7.err quick from x.x.x.255 to any group 201
block in log body level local7.err quick from x.x.x.0 to any group 201
block in log body level local7.err quick from 172.31.255.255 to any group 201
block in log body level local7.err quick from 172.16.0.0 to any group 201
block in log body level local7.err quick from 192.168.255.255 to any group 201
block in log body level local7.err quick from 192.168.0.0 to any group 201
#
# Reject ident
# With mail and ftp, the server we connected to may send an ident query back,
# so strictly we ought to answer with a TCP RST (add the return-rst option).
# But the way things are these days, the network is far too unsafe,
# so we cannot afford to send back even a reply.
#block return-icmp(3) in log level local7.err quick proto tcp from 192.168.0.1 port 1023 >< 5001 to any port = ident group 350
#block return-icmp-as-dest(port-unr) in log level local7.err quick proto tcp from 192.168.0.1 port 1023 >< 5001 to any port = ident group 350
block in log level local7.err quick proto tcp from any to any port = ident group 350
#
#
# Junk...
# TestPort : Discard
block in log level local7.err quick proto tcp/udp from any to any port = null group 201
#
#
# BROADCASTING PACKET
#
# RIP: NetworkManagement packet
block in quick proto udp from any port = router to any port = router group 210
block in quick proto udp from any port = router to any port = router group 215
block in quick proto udp from any port = router to any port = router group 230
#
# SNMP
block in quick proto udp from any to any port = snmp group 230
block in quick proto tcp from any to any port = snmp group 230
#
# Macintosh File Share
#block in quick proto udp from any to any port = 2222 group 210
#
# IPP : Internet Printing Protocol, Common Unix Printing System
#block in quick proto udp from x.x.x.161 port = 631 to x.x.x.255 port = 631 group 300
#
# UPnP
block in quick proto udp from any to 239.255.255.250 port = 1900 group 230
block in quick proto igmp from any to 239.255.255.250 group 230
#
# MELCO AirStation Setting
block in quick proto udp from any port 1023 >< 5001 to 255.255.255.255 port = 22359 group 230
block in quick proto udp from any port = 22359 to 255.255.255.255 port 1023 >< 5001 group 230
# MELCO AirStation SSID Scan ?
#block in quick proto udp from any port 1023 >< 5001 to 255.255.255.255 port = 22616 group 230
#block in quick proto udp from any port = 22616 to 255.255.255.255 port 1023 >< 5001 group 230
# MELCO AirStation EthernetConverterMode Setting
block in quick proto udp from any port 1023 >< 5001 to 255.255.255.255 port = 4000 group 230
#
# IO-DATA AirPort EthernetConverterMode Setting?
block in quick proto udp from any port = 65 to 255.255.255.255 port = 65 group 230
block in quick proto udp from any port 1023 >< 5001 to 255.255.255.255 port = 65 group 230
#
# FU-SE-N-SHI (MS-Windows)
block in quick proto udp from any port = 59630 to 255.255.255.255 port = 59630 group 230
#
# ICQ?
#block in quick proto udp from any port = 4000 to 255.255.255.255 port = 1066 group 230
#block in quick proto udp from any port 1023 >< 5001 to 255.255.255.255 port = 4000 group 230
#
#
# UNKNOWN PACKET
#
# ?
#block in quick proto udp from x.x.x.111 port = 15557 to x.x.x.255 port = 15557 group 300
#
# Routing Information ?
block in quick proto udp from any to any port = snmp group 215
block in quick proto udp from any to any port = route group 215
#
# Routing-Information Multicast to ALL-host
pass in quick proto igmp from any to 224.0.0.1 group 230
# Routing-Information Multicast to ALL-router
pass in quick proto igmp from any to 224.0.0.2 group 230
# MSWIN membership report ?
block in quick proto igmp from any to 224.0.0.22 group 230
# Multicast
#block in log level local4.debug quick proto igmp all group 230
#block in log level local4.debug quick from any to 224.0.0.0/8 group 230
#
#
# INTERNAL SERVICES
#
# IPsec
pass in quick proto udp from any to any port = isakmp keep state group 230
pass in quick proto esp from any to any keep state group 230
pass in quick proto ah from any to any keep state group 230
#
# DHCP
block in quick proto udp from 0.0.0.0 port = dhcpc to 255.255.255.255 port = dhcps group 300
block in quick proto udp from any port = dhcpc to 255.255.255.255 port = dhcps group 230
block in quick proto udp from any port = dhcps to 255.255.255.255 port = dhcpc group 230
pass in quick proto udp from any port = dhcps to any port = dhcpc keep state group 230
#
# NTP
pass in quick proto udp from any to any port = ntp keep state group 232
#
# NETBIOS
# When browsing with smbclient, the query goes out as
#   src local-machine:DefaultPort  dst broadcast:137
# and the reply comes back as
#   src remote-machine:137  dst local-machine:DefaultPort.
# That reply cannot be matched by pass out keep state.
block return-icmp(3) in log level local7.info quick proto tcp from any port 1023 >< 5001 to any port = http group 230
pass in quick proto udp from any port = netbios-ns to any port = netbios-ns keep state group 230
pass in quick proto udp from any port 1023 >< 5001 to any port = netbios-ns keep state group 230
pass in quick proto udp from any port >= 49152 to any port = netbios-ns keep state group 230
pass in quick proto udp from any port = netbios-ns to any port 1023 >< 5001 keep state group 230
pass in quick proto udp from any port = netbios-ns to any port >= 49152 keep state group 230
pass in log first level local7.warn quick proto udp from any port = netbios-dgm to any port = netbios-dgm keep state group 230
pass in log first level local7.warn quick proto tcp from any port 1023 >< 5001 to any port = netbios-ssn flags S/AUPRS keep state keep frags group 230
pass in log first level local7.warn quick proto tcp from any port >= 49152 to any port = netbios-ssn flags S/AUPRS keep state keep frags group 230
pass in log first level local7.warn quick proto tcp from any port 1023 >< 5001 to any port = microsoft-ds flags S/AUPRS keep state keep frags group 230
pass in log first level local7.warn quick proto tcp from any port >= 49152 to any port = microsoft-ds flags S/AUPRS keep state keep frags group 230
block in log level local7.notice quick proto udp from any to any port = netbios-ssn group 210
block in log level local7.notice quick proto udp from any to any port = netbios-ssn group 215
block in log level local7.notice quick proto udp from any to any port = netbios-ssn group 230
block in log level local7.notice quick proto udp from any to any port = microsoft-ds group 210
block in log level local7.notice quick proto udp from any to any port = microsoft-ds group 215
block in log level local7.notice quick proto udp from any to any port = microsoft-ds group 230
block in log level local7.err quick proto tcp/udp from any to any port = netbios-ns group 200
block in log level local7.err quick proto tcp/udp from any to any port = netbios-dgm group 200
block in log level local7.err quick proto tcp/udp from any to any port = netbios-ssn group 200
block in log level local7.err quick proto tcp/udp from any to any port = microsoft-ds group 200
#
# CFS
block in log level local7.err quick proto tcp/udp from any to any port = 3049 group 201
#
# X11
#pass in quick proto tcp from any to any port = x11 flags S/AUPRS keep state keep frags group 230
#pass in quick proto tcp from any to any port 5999 >< 6010 flags S/AUPRS keep state keep frags group 230
#pass in quick proto tcp from any to any port = x11-ssh flags S/AUPRS keep state keep frags group 230
#
# IP-Messenger
pass in log level local7.warn proto udp from any port = 2425 to any port 1023 >< 5001 keep state group 230
pass in log level local7.warn proto udp from any port >= 1024 to any port = 2425 keep state group 230
pass in quick proto udp from any port = 2425 to 255.255.255.255 port = 2425 keep state group 300
pass in quick proto udp from any port = 2425 to any port = 2425 keep state group 230
#
# YP/NIS
pass in quick proto udp from any port = sunrpc to any keep state keep frags group 232
block in quick proto udp from any port 1023 >< 49152 to any port = sunrpc group 230
#
# CORBA
# omniORB Naming Service
pass in quick proto tcp from any to any port = 2809 flags S/AUPRS keep state keep frags group 230
#
# NTTCP - Network Benchmark Test
pass in log level local7.info quick proto tcp from any to any port = 5037 flags S/AUPRS keep state keep frags group 230
pass in log level local7.info quick proto tcp from any to any port = 5038 flags S/AUPRS keep state keep frags group 230
pass in log level local7.info quick proto udp from any to any port = 5038 keep state keep frags group 230
# NETPERF - Network Benchmark Test
pass in log level local7.info quick proto tcp from any to any port = 12865 flags S/AUPRS keep state keep frags group 230
pass in log level local7.info quick proto udp from any to any port = 12865 keep state keep frags group 230
#
# VoIP/H323
pass in quick proto tcp from any port > 1023 to any port = 1720 flags S/AUPRS keep state keep frags group 230
# VoIP/SIP
pass in quick proto udp from any port = 5060 to any port = 5060 keep state keep frags group 230
#
# TeamSpeak Server
#pass in quick proto tcp from any to any port = 14534 flags S/AUPRS keep state keep frags group 230
#pass in quick proto tcp from any to any port = 51234 flags S/AUPRS keep state keep frags group 230
pass in quick proto udp from any to any port = 8767 keep state keep frags group 230
# TeamSpeak Client
#pass in quick proto udp from any port = 8767 to any port 1023 >< 5001 keep state keep frags group 230
#
#
# EXTERNAL SERVICES
#
# ICMP
pass in log level local7.debug proto icmp all icmp-type echorep keep state group 250                   # 0
pass in log level local7.notice proto icmp all icmp-type unreach keep state group 250                  # 3
pass in log level local7.info quick proto icmp from any to any icmp-type unreach keep state group 200  # 3
pass in log level local7.info quick proto icmp from any to any icmp-type unreach keep state group 215  # 3
pass in log level local7.info quick proto icmp from any to any icmp-type unreach keep state group 220  # 3
pass in log level local7.info quick proto icmp from any to any icmp-type unreach keep state group 230  # 3
pass in log level local7.notice proto icmp all icmp-type squench keep state group 250                  # 4
pass in quick proto icmp from any to any icmp-type echo keep state group 211                           # 8
pass in quick proto icmp from any to any icmp-type echo keep state group 217                           # 8
pass in log level local7.debug quick proto icmp from any to any icmp-type echo keep state group 230    # 8
pass in quick proto icmp from any to any icmp-type timex keep state group 211                          # 11
pass in quick proto icmp from any to any icmp-type timex keep state group 217                          # 11
pass in log level local7.debug quick proto icmp from any to any icmp-type timex keep state group 230   # 11
pass in log level local7.notice proto icmp all icmp-type paramprob keep state group 250                # 12
#
# DNS
#pass in quick proto udp from x.x.x.x port = domain to any keep state group 300
#
# SSH
pass in log level local7.warn proto tcp from any to any port = ssh keep state keep frags group 350
pass in quick proto tcp from any to any port = ssh flags S/AUPRS keep state keep frags group 211
pass in quick proto tcp from any to any port = ssh flags S/AUPRS keep state keep frags group 215
pass in quick proto tcp from any to any port = ssh flags S/AUPRS keep state keep frags group 230
#
# FTP-PROXY (Active Mode)
pass in quick proto tcp from any port >= 64544 to any port 1023 >< 5001 flags S/AUPRS keep state keep frags group 216
pass in quick proto tcp from any port >= 64544 to any port >= 49152 flags S/AUPRS keep state keep frags group 216
#
#
# INTERNAL SERVICES (2)
#
# NFS-client
pass in log first level local7.info quick proto udp from any port = sunrpc to any port <= 1023 keep state keep frags group 230
pass in log first level local7.info quick proto udp from any port = nfsd to any port <= 1023 keep state keep frags group 230
pass in log first level local7.info quick proto tcp from any port = nfsd to any port <= 1023 flags S/AUPRS keep state keep frags group 230
pass in log first level local7.info quick proto udp from any port = lockd to any port <= 1023 keep state keep frags group 230
pass in log first level local7.info quick proto tcp from any port = lockd to any port <= 1023 flags S/AUPRS keep state keep frags group 230
# NFS-server
pass in log first level local7.info quick proto udp from any port <= 1023 to any port = sunrpc keep state keep frags group 230
pass in log first level local7.info quick proto udp from any port <= 1023 to any port = nfsd keep state keep frags group 230
pass in log first level local7.info quick proto tcp from any port <= 1023 to any port = nfsd flags S/AUPRS keep state keep frags group 230
pass in log first level local7.err quick proto udp from any port <= 1023 to any port <= 1023 keep state keep frags group 230
pass in log first level local7.err quick proto tcp from any port <= 1023 to any port <= 1023 flags S/AUPRS keep state keep frags group 230
#
# [ End of File ]
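The whole rule-set above hangs off the head/group tree listed in the file header (200 for inbound, 400 for outbound, address and protocol sub-groups beneath them), and a rule placed in a group that no `head` rule defines, or in a group whose head runs in the other direction, is silently dead. The following Python script is an added auditing example, not part of the original rule-set: it tokenises only the fields this check needs (`block`/`pass`, `in`/`out`, `quick`, `head N`, `group N`), so it is a simplified reader rather than a full ipf grammar. The embedded sample is constructed from a handful of the file's own rules plus two deliberate mistakes (a rule in the undefined group 509, which the original only references in commented-out lines, and an `out` rule placed in the inbound group 210); all function and class names are this example's own.

```python
"""Audit the head/group structure of an IP Filter (ipf.rules) file.

Added example, not part of the original rule-set.  Only the tokens needed
for the group check are parsed (simplified tokenizer, not a full ipf grammar).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str            # "block" or "pass"
    direction: str         # "in" or "out"
    quick: bool
    head: Optional[int]    # group number this rule opens, if it is a head rule
    group: Optional[int]   # group this rule belongs to (None = top level)
    raw: str


def parse_rules(text: str) -> List[Rule]:
    """Turn ipf.rules text into Rule records, skipping comments and blank lines."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        toks = line.split()
        if toks[0] not in ("block", "pass"):
            continue                               # not a filter rule (e.g. a macro)
        direction = next((t for t in toks if t in ("in", "out")), None)
        if direction is None:
            continue
        head = group = None
        for i, t in enumerate(toks[:-1]):          # 'head N' / 'group N' pairs
            if t == "head" and toks[i + 1].isdigit():
                head = int(toks[i + 1])
            elif t == "group" and toks[i + 1].isdigit():
                group = int(toks[i + 1])
        rules.append(Rule(toks[0], direction, "quick" in toks, head, group, line))
    return rules


def group_tree(rules: List[Rule]) -> Dict[int, Optional[int]]:
    """Map each defined group number to its parent group (None for a root head)."""
    return {r.head: r.group for r in rules if r.head is not None}


def group_path(tree: Dict[int, Optional[int]], g: int) -> List[int]:
    """Chain from the root head down to group g, e.g. [200, 210, 211, 212]."""
    path: List[int] = []
    seen = set()
    cur: Optional[int] = g
    while cur is not None and cur not in seen:     # 'seen' guards against a cycle
        seen.add(cur)
        path.append(cur)
        cur = tree.get(cur)
    return list(reversed(path))


def check_groups(rules: List[Rule]) -> List[str]:
    """Report rules that can never be consulted: those referencing a group no
    head defines, and those whose direction differs from their group's head
    (a packet only enters a group through a head rule of the same direction)."""
    tree = group_tree(rules)
    heads = {r.head: r for r in rules if r.head is not None}
    problems: List[str] = []
    for r in rules:
        if r.group is None:
            continue
        if r.group not in tree:
            problems.append(f"undefined group {r.group}: {r.raw}")
        elif heads[r.group].direction != r.direction:
            problems.append(f"direction mismatch in group {r.group}: {r.raw}")
    return problems


# Constructed sample: a few rules from the file plus two deliberate mistakes.
SAMPLE = """\
block in log level local7.err quick all head 200
block out log level local4.err quick all head 400
block in log level local7.err from x.x.x.0/16 to any keep frags head 210 group 200
block in log level local7.err from x.x.x.96/30 to any keep frags head 211 group 210
block in log level local7.err from x.x.x.96 to any keep frags head 212 group 211
block out log level local4.err proto udp all head 500 group 400
pass in quick proto icmp from any to any icmp-type echo keep state group 211   # 8
pass out quick proto udp from any to any port = domain keep state group 500
# constructed mistakes, not in the original rule-set:
block out log first level local4.err quick proto udp from any to any group 509
pass out quick proto udp from any to any port = ntp keep state group 210
"""

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    tree = group_tree(parsed)
    for g in sorted(tree):
        print(" -> ".join(str(x) for x in group_path(tree, g)))
    for p in check_groups(parsed):
        print("PROBLEM:", p)
```

Run it against the real file with `parse_rules(open("/etc/ipf.rules").read())`; the two constructed mistakes in the sample are reported as an undefined group and a direction mismatch, while the genuine rules all resolve to a chain ending in 200 or 400.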