IPF(5) FreeBSD File Formats Manual IPF(5)

NAME

ipf, ipf.conf, ipf6.conf - IP packet filter rule syntax

DESCRIPTION

A rule file for ipf may have any name, or may even be standard input. When displaying the kernel's internal filter lists, ipfstat outputs rules in parseable form, so its output can be fed straight back in as input to ipf. Thus, to remove all filters on inbound packets, do the following:

# ipfstat -i | ipf -rf -

GRAMMAR

The format ipf uses to construct filter rules can be expressed as a BNF grammar as follows:

filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
	      [ proto ] [ ip ] [ group ].
insert	= "@" decnumber .
action	= block | "pass" | log | "count" | skip | auth | call .
in-out	= "in" | "out" .
options	= [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
tos	= "tos" decnumber | "tos" hexnumber .
ttl	= "ttl" decnumber .
proto	= "proto" protocol .
ip	= srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group	= [ "head" decnumber ] [ "group" decnumber ] .
block	= "block" [ return-icmp[return-code] | "return-rst" ] .
auth    = "auth" | "preauth" .
log	= "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call	= "call" [ "now" ] function-name .
skip	= "skip" decnumber .
dup	= "dup-to" interface-name[":"ipaddr] .
froute	= "fastroute" | "to" interface-name[":"ipaddr] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst	= "all" | fromto .
fromto	= "from" [ "!" ] object "to" [ "!" ] object .

return-icmp = "return-icmp" | "return-icmp-as-dest" .
object	= addr [ port-comp | port-range ] .
addr	= "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
flags	= "flags" flag { flag } [ "/" flag { flag } ] .
with	= "with" | "and" .
icmp	= "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
keep	= "keep" "state" | "keep" "frags" .
loglevel = facility"."priority | priority .
nummask	= host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
ipaddr	= host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
withopt	= [ "not" | "no" ] opttype [ withopt ] .
opttype	= "ipopts" | "short" | "frag" | "opt" optname .
optname	= ipopts [ "," optname ] .
ipopts	= optlist | "sec-class" [ secname ] .
secname	= seclvl [ "," secname ] .
seclvl	= "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
	  "reserv-4" | "secret" | "topsecret" .
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" | "timex" |
	  "paramprob" | "timest" | "timestrep" | "inforeq" | "inforep" |
	  "maskreq" | "maskrep" | decnumber .
icmp-code = decnumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
	  "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
	  "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
	  "filter-prohib" | "host-preced" | "cutoff-preced" .
optlist	= "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
	  "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
	  "visa" | "imitd" | "eip" | "finn" .
facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" | "lpr" |
	  "news" | "uucp" | "cron" | "ftp" | "authpriv" | "audit" |
	  "logalert" | "local0" | "local1" | "local2" | "local3" | "local4" |
	  "local5" | "local6" | "local7" .
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" | "info" |
	  "debug" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .
compare	= "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
	  "le" | "ge" .
range	= "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit	= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
flag	= "F" | "S" | "R" | "P" | "A" | "U" .

This grammar has been simplified somewhat for readability. Some combinations that match this grammar are not permitted by the software because they make no sense (such as tcp flags on non-TCP packets).

FILTER RULES

The "briefest" valid rules are (currently) no-ops and take the following form:


block in all
pass in all
log out all
count in all

Filter rules are checked in order, and the last rule that matches decides the fate of the packet (exception: see the quick option below).

By default, a filter is installed at the end of the kernel's filter list. Prefixing a rule with @n inserts it as the n-th entry of the current list instead. This is useful when modifying or testing the currently active filter rule set. See ipf(8) for further information.

ACTIONS

The action indicates how the packet is to be handled when it matches the rest of the filter rule. Each rule MUST have exactly one action. The following actions are recognised:

block
Indicates that this packet is to be flagged to be dropped. In response to blocking a packet, the filter can be instructed to send a reply packet: either an ICMP packet (return-icmp), an ICMP packet that masquerades as the original packet's destination (return-icmp-as-dest), or a TCP "reset" (return-rst). An ICMP packet can be generated in response to any IP packet, and its type may also be specified. A TCP reset may only be used in rules that apply to TCP packets. When using return-icmp or return-icmp-as-dest, the unreachable 'type' can be specified: that is, whether it is a network unreachable, a port unreachable, or administratively prohibited. This is done by enclosing the ICMP code associated with that type in parentheses directly after return-icmp or return-icmp-as-dest. For example

block return-icmp(11) ...

would return a Type-Of-Service (TOS) ICMP unreachable error.

pass
Flags this packet to be let through the filter as it is.

log
Logs this packet (see the LOGGING section below). This has no effect on whether the packet is allowed through the filter.

count
Includes this packet in the filter's accounting statistics. This has no effect on whether the packet is allowed through the filter. The statistics can be viewed with ipfstat(8).

call
This action is used to invoke the named in-kernel function. The in-kernel function must conform to a specific calling interface. Customised actions and semantics can thus be implemented to supplement the available actions. This feature is for use by knowledgeable hackers and is not currently documented.

skip
Causes the filter to skip over the next n filter rules. If a rule is inserted into or removed from the range being skipped, the value of n is adjusted appropriately.

auth
Allows authentication to be performed by a user-space program that runs and waits for packet information to validate. The packet is held in an internal buffer until the program returns to the kernel the actual flags saying whether the packet is to be allowed through or not. Before allowing the packet through, or telling the kernel to drop a packet from an unrecognised source, such a program might look at the source address and request some form of authentication (such as a password) from the user.

preauth
Tells the filter that, for packets of this class, it should consult the list of already-authenticated entries for further clarification. If no further matching rule is found, the packet is dropped (FR_PREAUTH is not the same as FR_PASS). If a further matching rule is found, its result is used. This is used in situations where a user logs in to the firewall and temporary rules are set up for that user.

The next word must be either in or out. Packets passing through the kernel are either inbound (just received on an interface and moving towards the kernel's protocol processing) or outbound (transmitted or forwarded by the protocol stack and on their way to an interface). Each filter rule must explicitly state which side of the I/O it applies to.

OPTIONS

The list of options is brief, and all of them are in fact optional. Where options are used, they must appear in the order shown here. The following options are currently supported:

log
If this is the last matching rule, the packet header is written to the ipl log (see the LOGGING section below).

quick
Allows "short-cut" rules in order to speed up the filter or to override later rules. If a packet matches a filter rule marked quick, this rule is the last rule checked, and the "short-circuit" path means that later rules are not processed for this packet. The current status of the packet (after the current rule has been applied) determines whether it is passed or blocked.
If this option is absent, the rule is taken to be a "fall-through" rule, meaning that the result of the match (block/pass) is saved and processing continues to see whether there are any further matches.

on
Incorporates an interface name into the matching procedure. Interface names are as displayed by "netstat -i". When this option is used, the rule matches only packets passing through that interface in the specified direction (in/out). If this option is absent, the rule applies regardless of the interface the packet is on (that is, on all interfaces). The filter rule set is common to all interfaces; there is not a separate filter list per interface.
This option is especially useful as protection against simple IP spoofing: on the specified interface, only inbound packets claiming the specified source address are let through, and others can be logged and/or dropped.

dup-to
Copies the packet and sends the duplicate outbound on the specified interface. The destination IP address can also be specified and changed. This is useful for off-host logging using a network sniffer.

to
Moves the packet to the outbound queue on the specified interface. This can be used to circumvent kernel routing, and also to bypass the rest of the kernel's processing of the packet (when applied to an inbound rule). It is thus possible to build a firewall that behaves transparently, like a filtering hub or switch, rather than as a router. The fastroute keyword is a synonym for this option.

MATCHING PARAMETERS

The keywords described in this section describe which attributes of the packet are used when deciding whether a rule matches. The following general-purpose attributes are available for matching, and must be used in this order:

tos
Packets with differing Type-Of-Service values can be filtered. Furthermore, individual service levels or combinations of them can be filtered on. The value for the TOS mask is expressed as a hexadecimal number or a decimal integer.

ttl
Packets can also be selected by their Time-To-Live value. The value given in the filter rule must exactly match the value in the packet being matched. This value can only be given as a decimal integer.

proto
Allows matching against a specific protocol. All protocol names in /etc/protocols are recognised and may be used. The protocol may also be given as a decimal number, which allows rules that match your own protocols, or new ones that are not listed because the list is out of date.
The special protocol keyword tcp/udp may be used to match either TCP or UDP packets. This keyword was added so that the same rule need not be written several times.

The from and to keywords are used to match against IP addresses (and optional port numbers). BOTH the source and the destination parameters must be specified.

An IP address is specified in one of two ways: as a numerical address/mask, or as hostname mask netmask. The hostname is either a valid hostname from the hosts file or DNS (depending on your configuration and libraries), or dotted numeric form. There is no special notation for networks, but network names are recognised. Making filter rules depend on DNS introduces an avenue of attack, and is not recommended.

The special hostname any is permitted and is understood as 0.0.0.0/0 (see the mask syntax below); it matches all IP addresses. Only "any" has an implied mask; in all other cases a hostname MUST be given together with a mask. It is possible to give "any" as both host and mask, but in this language that is meaningless.

The numerical format "x/y" indicates that a mask of y consecutive 1 bits starting from the MSB is generated; a y value of 16 therefore gives 0xffff0000. The symbolic "x mask y" indicates that the mask y is in dotted IP notation or a hexadecimal number of the form 0x12345678. All bits of the IP address selected by the bitmask must match the packet's address exactly; there is currently no way to invert the sense of the match, nor to match ranges of IP addresses that cannot easily be expressed as bitmasks (figuratively speaking, going that far would no longer be just breakfast).
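
The address forms just described, as an added example that is not part of ipf or of this man page: it builds the bitmask for "x/y" and for "x mask y" (dotted or 0x hex), and applies the exact-match comparison the text describes. Only dotted numeric hosts are accepted, since the page advises against DNS-dependent rules; masking the rule's own address so that 10.1.2.3/16 behaves as 10.1.0.0/16 is this example's choice, not something the page states.

```python
# Added example, not part of ipf or this man page: how "any", "x/y" and
# "x mask y" become (address, mask) pairs and how the exact-match test works.
import ipaddress


def prefix_mask(y: int) -> int:
    """"x/y": y consecutive 1 bits starting at the MSB (y=16 -> 0xffff0000)."""
    if not 0 <= y <= 32:
        raise ValueError(f"prefix length out of range: {y}")
    return (0xFFFFFFFF << (32 - y)) & 0xFFFFFFFF


def parse_mask(text: str) -> int:
    """Mask given as 0x-hex or in dotted IP notation (the "x mask y" forms)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    return int(ipaddress.IPv4Address(text))


def parse_addr_spec(spec: str) -> tuple:
    """Return (address, mask) as integers for one from/to address object.
    Hostnames are deliberately not resolved; only dotted numeric form is taken.
    Any host other than "any" must carry a mask, as the page requires."""
    if spec == "any":
        return 0, 0                                   # understood as 0.0.0.0/0
    if " mask " in spec:
        host, mask = spec.split(" mask ", 1)
        m = parse_mask(mask)
    elif "/" in spec:
        host, y = spec.split("/", 1)
        m = prefix_mask(int(y))
    else:
        raise ValueError("a host must carry a mask; only 'any' has an implied one")
    a = int(ipaddress.IPv4Address(host))
    return a & m, m        # example's choice: mask the rule address as well


def addr_matches(spec: str, packet_addr: str) -> bool:
    """All bits selected by the mask must match exactly: no inversion, no ranges."""
    a, m = parse_addr_spec(spec)
    return (int(ipaddress.IPv4Address(packet_addr)) & m) == a


def spec_is_valid(spec: str) -> bool:
    """True when the address object parses under the rules above."""
    try:
        parse_addr_spec(spec)
        return True
    except ValueError:        # ipaddress errors are ValueError subclasses
        return False
```

`addr_matches("10.1.0.0 mask 0xffff0000", "10.1.9.9")` and `addr_matches("10.1.0.0/16", "10.1.9.9")` give the same answer, which is the equivalence the text states between the two forms; a bare "10.0.0.1" is rejected because only "any" carries an implied mask.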

When a port match is included for either or both of the source and destination, it applies only to TCP and UDP packets. If there is no proto match parameter, packets of both protocols are compared; this is equivalent to "proto tcp/udp". Either a service name or a numeric port number can be used in a port comparison. A port comparison can use the numeric form together with a comparison operator, or specify a port range. When the port appears as part of the from object it matches the source port number; when it appears as part of the to object it matches the destination port number. See the examples for further information.

The all keyword is essentially a synonym for "from any to any" with no other match parameters.

After the source and destination match parameters, the following additional parameters may be used:

with
Used to match special attributes that only some packets have. In general, to match on the presence of IP options, use with ipopts. To match packets that are too short to hold a complete header, use with short. To match fragmented packets, use with frag. Furthermore, for filtering specific to IP options, the individual options can be listed.
The word not or no may be inserted after the with keyword, before the parameter that follows it, so that the filter rule matches only when the option is absent.
Consecutive with clauses are permitted. The keyword and may also be used in place of with; this is purely for readability ("with ... and ..."). When multiple clauses are listed, the rule matches when all of them match.

flags
Effective only for TCP filtering. Each usable letter represents one of the flags that can be set in the TCP header. The correspondence is as follows:


F - FIN
S - SYN
R - RST
P - PUSH
A - ACK
U - URG
The various flag symbols can be used in combination, so "SA" represents a SYN-ACK combination in a packet. Nothing restricts the specification of combinations such as "SFR"; such a combination is not normally generated by a conforming TCP implementation. However, to avoid anomalies, you must indicate which flags you are filtering against. For this purpose, a mask can be specified that indicates which TCP flags are compared (that is, which flags are considered significant). This is done by appending "/<flags>" to the set of TCP flags to be matched. For example:

	... flags S
			# becomes "flags S/AUPRFS" and matches packets with
			# ONLY the SYN flag set.
	... flags SA
			# becomes "flags SA/AUPRFSC" and matches packets with
			# only the SYN and ACK flags set.
	... flags S/SA
			# matches only packets that have, of the SYN-ACK pair,
			# only the SYN flag set. This is the common "establish"
			# keyword behaviour. "S/SA" will NOT match a packet with
			# BOTH SYN and ACK set, but it WILL match "SFP".
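
The flag/mask comparison shown above, as an added example that is not ipf's own code: it uses the six letters from the table (placed at the standard TCP header bit positions FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20), treats a spec without "/mask" as comparing all six flags, and reproduces the three cases in the comments, including "S/SA" matching "SFP" but not "SA". The letter set and bit values are this example's encoding; any letter outside the table is rejected.

```python
# Added example, not part of ipf or this man page: TCP flag matching with an
# explicit or implied mask, as in "flags S", "flags SA" and "flags S/SA".
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = 0x3F          # the mask ipf supplies when none is written: AUPRFS


def flag_bits(letters: str) -> int:
    """Letters such as "SA" -> bit set; a letter outside the table is an error."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= TCP_FLAGS[ch]
    return bits


def parse_flags(spec: str) -> tuple:
    """"S", "SA" or "S/SA" -> (flags that must be set, mask of flags compared)."""
    want, _, mask = spec.partition("/")
    return flag_bits(want), (flag_bits(mask) if mask else ALL_FLAGS)


def flags_match(spec: str, packet_flags: str) -> bool:
    """True when the packet's flags, restricted to the mask, equal the wanted set."""
    want, mask = parse_flags(spec)
    return (flag_bits(packet_flags) & mask) == want


def matching_packets(spec: str, candidates=("S", "SA", "A", "SFP", "SPA", "FA")):
    """Which of a few constructed flag combinations the spec matches."""
    return [c for c in candidates if flags_match(spec, c)]
```

`matching_packets("S/SA")` returns `["S", "SFP"]`: the mask only looks at SYN and ACK, so the extra FIN and PSH bits in "SFP" are ignored, while "SA" fails because ACK is set. `parse_flags("S")` and `parse_flags("S/AUPRFS")` are identical, which is the expansion the first comment describes.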
icmp-type
Effective only when used together with proto icmp, and must NOT be used together with flags. There are many types, which can be specified by the abbreviations recognised by this language or by the numbers associated with them. From a security point of view the most important is the ICMP redirect.

KEEP HISTORY

The second-to-last parameter that can be set in a filter rule is whether to record history information for the packet, and what kind of history to keep. The following information can be kept:

keep state
Keeps information about the flow of a communication session. State is kept for TCP, UDP and ICMP packets.

keep frags
Keeps information about fragmented packets. This information is used for the fragments that follow.

Packets that match these are allowed straight through without passing through the access control list.

GROUPS

¥Ñ¥é¥á¡¼¥¿¤ÎºÇ¸å¤ÎÁȤϥե£¥ë¥¿¥ë¡¼¥ë¤Î¡Ö¥°¥ë¡¼¥Ô¥ó¥°¡×¤òÀ©¸æ¤·¤Þ¤¹¡£ ¾¤Î¥°¥ë¡¼¥×¤¬»ØÄꤵ¤ì¤Ê¤¤¸Â¤ê¡¢ ¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¡¢Á´¥Õ¥£¥ë¥¿¥ë¡¼¥ë¤Ï¥°¥ë¡¼¥× 0 ¤ËÃÖ¤«¤ì¤Þ¤¹¡£ Èó¥Ç¥Õ¥©¥ë¥È¤Î¥°¥ë¡¼¥×¤Ë¥ë¡¼¥ë¤òÄɲ乤ë¤Ë¤Ï¡¢ ¥°¥ë¡¼¥×¤Î¡ÖƬ (head)¡×¤òºîÀ®¤¹¤ë¤È¤³¤í¤«¤é¡¢¥°¥ë¡¼¥×¤ò³«»Ï¤·¤Þ¤¹¡£ ¥Ñ¥±¥Ã¥È¤¬¥°¥ë¡¼¥×¤Î¡ÖƬ¡×¤Î¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤¹¤ë¾ì¹ç¡¢ ¥Õ¥£¥ë¥¿½èÍý¤Ï¤½¤Î¥°¥ë¡¼¥×¤ËÀÚ¤êÂØ¤ï¤ê¡¢ ¤½¤Î¥ë¡¼¥ë¤ò¤½¤Î¥°¥ë¡¼¥×¤Î¥Ç¥Õ¥©¥ë¥È¤È¤·¤Æ»ÈÍѤ·¤Þ¤¹¡£ quick ¤ò head ¥ë¡¼¥ë¤È¤È¤â¤Ë»ÈÍѤ¹¤ë¾ì¹ç¡¢ ¤½¤Î¥°¥ë¡¼¥×¤Î½èÍý¤«¤éÌá¤ë¤Þ¤Ç¤Ï¡¢¥ë¡¼¥ë½èÍý¤ÏÄä»ß¤·¤Þ¤»¤ó¡£

¤¢¤ë¥ë¡¼¥ë¤Ï¡¢¿·µ¬¥°¥ë¡¼¥×¤ÎƬ¤Ç¤¢¤ê¤«¤Ä¡¢ Èó¥Ç¥Õ¥©¥ë¥È¥°¥ë¡¼¥×¤Î¥á¥ó¥Ð¤Ç¤¢¤ë¤³¤È¤¬²Äǽ¤Ç¤¹ (head ¤È group ¤òƱ°ì¥ë¡¼¥ëÆâ¤ÇƱ»þ¤Ë»ÈÍѲÄǽ¤Ç¤¹)¡£

¿·µ¬¥°¥ë¡¼¥× (ÈÖ¹æ n) ¤òºîÀ®¤¹¤ë¤³¤È¤ò¼¨¤·¤Þ¤¹¡£
¤³¤Î¥ë¡¼¥ë¤ò¡¢¥°¥ë¡¼¥× 0 ¤Ç¤Ï¤Ê¤¯¡¢¥°¥ë¡¼¥× (ÈÖ¹æ n) ¤ËÃÖ¤¯¤³¤È¤ò¼¨¤·¤Þ¤¹¡£

LOGGING

When a packet is logged, with either the log action or the log option, the packet's headers are written to the ipl packet logging pseudo-device. Directly after the log keyword, the following qualifiers may be used (in this order):

body
Indicates that the first 128 bytes of the packet contents are logged after the headers.

first
When log is used together with a "keep" option, it is recommended that this option also be given. Only the triggering packet is then logged, and not every packet that subsequently matches the state information.

or-block
If for some reason the filter cannot log the packet (such as the log reader being very slow), the rule is interpreted as if its action for this packet were block.

level
Specifies which log facility and priority, or which priority with the default facility, is used when logging information about this packet. Use ipmon's -s option for this information log.

See ipl(4) for the format of the records written to this device. Use ipmon(8) to read and format this log.

EXAMPLES

The quick option is convenient for rules such as:

block in quick from any to any with ipopts

This matches packets whose header is not of the standard length (packets with IP options), and without processing any further rules records that a match occurred and that the packet is to be blocked.

The interpretation of "fall-through" rules such as the following:


block in from any to any port < 6000
pass in from any to any port >= 6000
block in from any to any port > 6003

sets up the range 6000-6003 as permitted and everything else as denied. Note that later rules take precedence over the effect of the first rule. Another (easier) way to do the same is:


block in from any to any port 6000 <> 6003
pass in from any to any port 5999 >< 6004

Both "block" and "pass" need to be written here to have an effect, because failing to match the "block" action does not mean pass; it only means that the rule has no effect. To allow ports below 1024, use a rule such as:


pass in quick from any to any port < 1024

This must be placed before the first block. To create new groups that process all inbound packets from le0/le1/lo0 and block all inbound packets by default, do the following:


block in all
block in quick on le0 all head 100
block in quick on le1 all head 200
block in quick on lo0 all head 300

Then, to allow only ICMP packets in on le0, do the following:


pass in proto icmp all group 100

Note that, because only inbound packets from le0 are processed by group 100, there is no need to specify the interface name again. Likewise, processing of TCP and so on can be broken down further as follows:


block in proto tcp all head 110 group 100
pass in from any to any port = 23 group 110

The last line, written without groups, would be:


pass in on le0 proto tcp from any to any port = telnet

Note that "proto tcp" must be specified when writing "port = telnet", because the parser interprets the rule in terms of the specified protocol and resolves all service/port names accordingly.
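
The ordering semantics from the FILTER RULES, OPTIONS (quick) and GROUPS sections and the port comparisons above, run over the rule sets of this section, as an added example that is not ipf's own code: last matching rule decides, quick ends processing, a matching head rule descends into its group with that rule as the group's default, and "<>" / "><" are taken as outside-the-range and strictly-inside-the-range (which is what makes the two 6000-6003 rule sets equivalent). Only the syntax these examples use is parsed, addresses must be "any", packets are constructed dicts, and the verdict when nothing matches is a parameter (the page does not state ipf's own default); treating a quick match inside a group as ending all processing is this model's choice.

```python
# Added example, not part of ipf or this man page: an evaluator for the ordering
# semantics described above (last match decides, "quick" short-cuts, port tests
# and ranges, head/group switching), run over the rule sets from the examples.
# Only the syntax those examples use is parsed, and addresses must be "any".
import operator
from dataclasses import dataclass, field
from typing import Optional

OPS = {"=": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,
       "<": operator.lt, "lt": operator.lt, ">": operator.gt, "gt": operator.gt,
       "<=": operator.le, "le": operator.le, ">=": operator.ge, "ge": operator.ge}

@dataclass
class Rule:
    action: str                          # "block" or "pass"
    quick: bool = False
    iface: Optional[str] = None          # "on <interface>"
    proto: Optional[str] = None          # "proto tcp|udp|icmp|tcp/udp"
    ports: dict = field(default_factory=dict)  # {"sport"|"dport": port test}
    head: Optional[int] = None           # "head n": this rule starts group n
    group: int = 0                       # "group n": the group this rule lives in

def parse_rule(line: str) -> Rule:
    t = line.split()
    if len(t) < 2 or t[0] not in ("block", "pass") or t[1] != "in":
        raise ValueError(f"unsupported rule: {line!r}")
    r, side, i = Rule(action=t[0]), "dport", 2
    while i < len(t):
        w = t[i]
        if w == "quick":
            r.quick, i = True, i + 1
        elif w in ("on", "proto"):
            setattr(r, "iface" if w == "on" else "proto", t[i + 1]); i += 2
        elif w == "all" or (w in ("from", "to") and t[i + 1] == "any"):
            side, i = ("sport" if w == "from" else "dport"), i + (1 if w == "all" else 2)
        elif w == "port":
            if t[i + 2] in ("<>", "><"):                   # port a <> b / port a >< b
                r.ports[side], i = ("range", t[i + 2], int(t[i + 1]), int(t[i + 3])), i + 4
            else:                                          # port <op> n
                r.ports[side], i = ("cmp", t[i + 1], int(t[i + 2])), i + 3
        elif w in ("head", "group"):
            setattr(r, w, int(t[i + 1])); i += 2
        else:                           # includes any address other than "any"
            raise ValueError(f"unsupported token {w!r} in {line!r}")
    return r

def port_ok(test: tuple, port: int) -> bool:
    if test[0] == "cmp":
        return OPS[test[1]](port, test[2])
    _, op, a, b = test                  # "<>": outside a..b; "><": strictly inside
    return (port < a or port > b) if op == "<>" else (a < port < b)

def matches(r: Rule, pkt: dict) -> bool:
    if r.iface and r.iface != pkt["iface"]:
        return False
    if r.proto and pkt["proto"] not in r.proto.split("/"):
        return False
    for key, test in r.ports.items():   # a port test implies "proto tcp/udp"
        if pkt["proto"] not in ("tcp", "udp") or not port_ok(test, pkt[key]):
            return False
    return True

def scan(rules, group, pkt, result):   # walk one group; returns (result, stopped_by_quick)
    for r in [x for x in rules if x.group == group]:
        if not matches(r, pkt):
            continue
        result = r.action               # the last match so far decides
        if r.head is not None:          # descend; this rule is the group's default
            result, stop = scan(rules, r.head, pkt, result)
            if stop:                    # model's choice: a quick hit inside the group ends everything
                return result, True
        if r.quick:                     # quick on a head rule acts after the group returns
            return result, True
    return result, False

def evaluate(ruleset: str, pkt: dict, default: str = "pass") -> str:
    # `default` is the assumed verdict when no rule matches (not stated by the page)
    rules = [parse_rule(l) for l in ruleset.strip().splitlines() if l.strip()]
    return scan(rules, 0, pkt, default)[0]

# The rule sets from the EXAMPLES section, verbatim.
FALL_THROUGH = """
block in from any to any port < 6000
pass in from any to any port >= 6000
block in from any to any port > 6003
"""
RANGES = """
block in from any to any port 6000 <> 6003
pass in from any to any port 5999 >< 6004
"""
GROUPS = """
block in all
block in quick on le0 all head 100
block in quick on le1 all head 200
block in quick on lo0 all head 300
pass in proto icmp all group 100
block in proto tcp all head 110 group 100
pass in from any to any port = 23 group 110
"""

def tcp_to(port: int, iface: str = "le0") -> dict:   # constructed packet summary
    return {"iface": iface, "proto": "tcp", "sport": 40000, "dport": port}
```

`evaluate(FALL_THROUGH, tcp_to(p))` and `evaluate(RANGES, tcp_to(p))` agree for every port, passing only 6000-6003; prepending `pass in quick from any to any port < 1024` lets port 80 through because the quick rule ends processing before the first block. With `GROUPS`, ICMP on le0 passes, TCP port 23 on le0 passes via group 110, the same packet on le1 is blocked (group 200 has no members, so the head rule's block stands), and an ICMP packet against `FALL_THROUGH` falls to the default because port tests never apply to non-TCP/UDP traffic.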

FILES

/dev/ipauth
/dev/ipl
/dev/ipstate
/etc/hosts
/etc/services

SEE ALSO

ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
