̾??

ipfirewall —

IP ?ѥ??åȥե??륿?????ӥȥ??ե??å?¬??

????

#include <sys/types.h> #include <sys/queue.h> #include <netinet/in.h> #include <netinet/ip_fw.h> int setsockopt(raw_socket, IPPROTO_IP, ipfw option, struct ipfw, size)

????

ipfirewall (??̾ ipfw) ?ϡ??????ƥ??Υ??󥿥ե????????̲᤹?? IP ?ѥ??åȤ? ?Ф??ƥե??륿???󥰤????????쥯?Ȥʤɤν??????Ԥ??????ƥ??ε?ǽ?Ǥ??? ?ѥ??åȤ?Ŭ?礹?????Τ????Ĥ????ޤǥѥ??????롼???ν??ꥹ?ȤȾȤ餷???蘆?? ?ޤ???Ŭ?礹???롼?뤬???Ĥ??ä??????Ǥ??????б?????ư?????¹Ԥ??ޤ??? ?롼???? 1 ???? 65534 ?ޤǤ??ֹ??򿶤??졢 ʣ???Υ롼?뤬Ʊ???ֹ?????ͭ???뤳?Ȥ???ǽ?Ǥ???

ͣ??ɬ??¸?ߤ????롼???Ȥ??ƥ롼???ֹ? 65535 ???????ޤ??? ???Υ롼?????̾??Ϥ??٤ƤΥѥ??åȤ??˴????ޤ??? ???????äơ????????꾮?????ֹ??Υ롼????Ŭ?礷?ʤ??ä??ѥ??åȤϤ??٤? ?˴??????ޤ??? ?????????????ͥ??򥳥??ѥ??뤹?????Υ??ץ????? “IPFIREWALL_DEFAULT_TO_ACCEPT” ?????ꤹ???ȡ??????ԤϤ??٤? (?Υѥ??åȤ??̲???) ???Ĥ????褦?? ???θ????롼?????ѹ????뤳?Ȥ??Ǥ??ޤ???

setsockopt() ???Ϥ??????ͤϡ??롼???򵭽Ҥ??Ƥ??? ip_fw ??¤?? (????????) ?Ǥ??? (IP_FW_DEL ?Τ褦??) ?????Ĥ??Υ??????Ǥϥ롼???ֹ??Τߤ????פˤʤ??ޤ???

???ޥ???

?롼???ꥹ?Ȥ򰷤??????˼??Υ????åȥ??ץ????????Ȥ??ޤ?:

IP_FW_ADD ?ϡ??롼???ꥹ?Ȥ˥롼???????????ޤ???

IP_FW_DEL ?ϡ?Ŭ?礹???롼???ֹ??????ĥ롼???򤹤٤ƺ??????ޤ???

IP_FW_GET ?ϡ?Ŭ?礹???롼???ֹ??? (?ǽ???) ?롼?????֤??ޤ???

IP_FW_ZERO ?ϡ? Ŭ?礹???롼???ֹ??????Ĥ??٤ƤΥ롼???˴ؤ??????פ? 0 ?ˤ??ޤ??? ?롼???ֹ椬 0 ?ξ????ˤϤ??٤ƤΥ롼???? 0 ?ˤ??ޤ???

IP_FW_FLUSH (65535 ??????) ???٤ƤΥ롼?????õ?ޤ???

?????ͥ??Υ????????ƥ????٥뤬 2 ?????礭???????? IP_FW_GET ?Τߤ????Ĥ????ޤ???

?롼?빽¤??

?롼???ϼ??ι?¤?Τǵ??Ҥ????Ƥ??ޤ?:

/* 1 ?ĤΥ??󥿥ե??????????? */
union ip_fw_if {
    struct in_addr fu_via_ip;   /* IP ???ɥ쥹?ǻ??? */
    struct {                    /* ???󥿥ե?????̾?ǻ??? */
#define FW_IFNLEN       6       /* ??¤?Τ? 2^x ???????֤? */
            char  name[FW_IFNLEN];
            short unit;         /* -1 ??Ǥ?դΥ??˥åȤ?Ŭ?? */
    } fu_via_if;
};

/* 1 ?Ĥ? ipfw ?롼?? */
struct ip_fw {
    u_long fw_pcnt,fw_bcnt;         /* ?ѥ??åȤȥХ??ȿ??Υ??????? */
    struct in_addr fw_src, fw_dst;  /* ?????Ƚ????? IP ???ɥ쥹 */
    struct in_addr fw_smsk, fw_dmsk;/* ?????Ƚ????? IP ???ɥ쥹?Υޥ??? */
    u_short fw_number;              /* ?롼???ֹ? */
    u_short fw_flg;                 /* ?ե饰?? */
#define IP_FW_MAX_PORTS 10          /* ???ɤ??????? */
    u_short fw_pts[IP_FW_MAX_PORTS];/* Ŭ?礹???ݡ????ֹ??????? */
    u_char fw_ipopt,fw_ipnopt;      /* IP ???ץ??????Υ??å?/???󥻥å? */
    u_char fw_tcpf,fw_tcpnf;        /* TCP ?ե饰?Υ??å?/???󥻥å? */
#define IP_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
    unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP ?????פΥӥåȥޥå? */
    long timestamp;                 /* ?ǽ?Ŭ???Υ????ॹ?????? (tv_sec) */
    union ip_fw_if fw_in_if, fw_out_if;/* ????/???ϤΥ??󥿥ե????? */
    union {
        u_short fu_divert_port;     /* Divert/tee ?ݡ??? */
        u_short fu_skipto_rule;     /* SKIPTO ???ޥ??ɥ롼???ֹ? */
        u_short fu_reject_code;     /* REJECT ?????????? */
    } fw_un;
    u_char fw_prot;                 /* IP ?ץ??ȥ??? */
    u_char fw_nports;               /* ?ݡ??????????Ρ??????ݡ??ȿ???   */
                                    /* ?????ݡ??ȿ? (?????ݡ??Ȥ?????   */
                                    /* ?ݡ??Ȥ˸?³???????Ƿ? 10 ?ݡ??? */
                                    /* 0 ?????ݡ??ȥޥå??ΰ?̣)        */
};

/* ????/?????Υݡ??ȿ??? "fw_nports" ?˥??󥳡??? */

#define IP_FW_GETNSRCP(rule)            ((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)         do {                            \
                                          (rule)->fw_nports &= ~0x0f;   \
                                          (rule)->fw_nports |= (n);     \
                                        } while (0)
#define IP_FW_GETNDSTP(rule)            ((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)         do {                            \
                                          (rule)->fw_nports &= ~0xf0;   \
                                          (rule)->fw_nports |= (n) << 4;\
                                        } while (0)

/* flags" ?ե????????ѥե饰?? */

#define IP_FW_F_IN      0x0001  /* ???ϥѥ??åȤ??????å?               */
#define IP_FW_F_OUT     0x0002  /* ???ϥѥ??åȤ??????å?               */
#define IP_FW_F_IIFACE  0x0004  /* ???ϥ??󥿥ե??????ƥ??Ȥ?Ŭ??       */
#define IP_FW_F_OIFACE  0x0008  /* ???ϥ??󥿥ե??????ƥ??Ȥ?Ŭ??       */

#define IP_FW_F_COMMAND 0x0070  /* Ϣ?????????ȥ??ѤΥޥ???             */
#define IP_FW_F_DENY    0x0000  /* ?????ϵ??ݥ롼??                     */
#define IP_FW_F_REJECT  0x0010  /* ???ݤ??Ʊ????ѥ??åȤ?????           */
#define IP_FW_F_ACCEPT  0x0020  /* ?????ϼ????롼??                     */
#define IP_FW_F_COUNT   0x0030  /* ?????Ϸ׿??롼??                     */
#define IP_FW_F_DIVERT  0x0040  /* ?????? divert ?롼??                 */
#define IP_FW_F_TEE     0x0050  /* ??????ʬ???롼??                     */
#define IP_FW_F_SKIPTO  0x0060  /* ?????ϥ????åץ롼??                 */

#define IP_FW_F_PRN     0x0080  /* ???Υ롼?뤬Ŭ?礷????????ɽ??       */

#define IP_FW_F_SRNG    0x0100  /* ?ǽ??? 2 ?Ĥλ????ݡ??Ȥϡ??Ǿ???    *
                                 * ???????ϰ? (?ۥ??ȤΥХ??Ƚ??ǳ?Ǽ)  */

#define IP_FW_F_DRNG    0x0200  /* ?ǽ??? 2 ?Ĥν????ݡ??Ȥϡ??Ǿ???    *
                                 * ???????ϰ? (?ۥ??ȤΥХ??Ƚ??ǳ?Ǽ)  */

#define IP_FW_F_IIFNAME 0x0400  /* ???ϥ??󥿥ե???????̾??/???˥å?    *
                                 * (IP ?ǤϤʤ?)                        */
#define IP_FW_F_OIFNAME 0x0800  /* ???ϥ??󥿥ե???????̾??/???˥å?    *
                                 * (IP ?ǤϤʤ?)                        */

#define IP_FW_F_INVSRC  0x1000  /* ?????????å??ΰ?̣??ȿž             */
#define IP_FW_F_INVDST  0x2000  /* ?????????å??ΰ?̣??ȿž             */

#define IP_FW_F_FRAG    0x4000  /* ????                                 */

#define IP_FW_F_ICMPBIT 0x8000  /* ICMP ?????ץӥåȥޥåפ?ͭ??        */

#define IP_FW_F_MASK    0xFFFF  /* ???ꤦ?뤹?٤ƤΥե饰?ӥåȤΥޥ??? */

?롼????ư??

?ƥ롼???ϡ??ե饰?????? IP_FW_F_COMMAND ?ӥåȤǼ??????롢????ư?????????ޤ???

IP_FW_F_DENY - ?ѥ??åȤ??˴????ޤ?
IP_FW_F_REJECT - ?ѥ??åȤ??˴?????ICMP ?ޤ??? TCP ????ͳ???Ƶ??ݤ????Τ??ޤ?
IP_FW_F_ACCEPT - ?ѥ??åȤ??????????ޤ?
IP_FW_F_COUNT - ?????󥿤????ä??????ޥå??󥰤?³???ޤ?
IP_FW_F_DIVERT - ?ѥ??åȤ? divert(4) ?????åȤˤ??餷?ޤ?
IP_FW_F_TEE - ?ѥ??åȤ? divert(4) ?????åȤ˥??ԡ???????³???ޤ?
IP_FW_F_SKIPTO - ?롼???ֹ? fu_skipto_rule ?إ????åפ??ޤ?

IP_FW_F_REJECT ?ξ??硢fu_reject_code ???ֹ椬 0 ???? 255 ?ʤ??? ?б????륳???ɤȤȤ??˼????????ѥ??åȤλ????? IP ???ɥ쥹?? ICMP unreachable ?ѥ??åȤ??????֤??ޤ??? ?????ǤϤʤ??????ˤϡ??ͤ? 256 ?ǥץ??ȥ??뤬 IPPROTO_TCP ?Ǥ???ɬ?פ????ꡢ ???ξ??? TCP reset ?ѥ??åȤ????????ޤ???

IP_FW_F_SKIPTO ?????Ѥ????ȡ?fu_skipto_rule ???꾮?????롼???ֹ??????? ???٤Ƥ?Ϣ³?????롼?뤬?????åפ????ޤ???

?????ͥ륪?ץ?????

?????ͥ??????ե??????ǤΥ??ץ?????:
IPFIREWALL - ipfirewall ??ͭ???ˤ??ޤ?
IPFIREWALL_VERBOSE - firewall ?ν??Ϥ?ͭ???ˤ??ޤ?
IPFIREWALL_VERBOSE_LIMIT - firewall ?ν??Ϥ????????ޤ?
DIVERT - divert(4) ?????åȤ?ͭ???ˤ??ޤ?

?ѥ??åȤ? IP_FW_F_PRN ?ӥåȤ????åȤ????Ƥ????롼????Ŭ?礷?? IPFIREWALL_VERBOSE ??ͭ???ˤ????Ƥ????????ˤϥ??å??????????󥽡????? ???Ϥ????ޤ??? IPFIREWALL_VERBOSE_LIMIT ?Ϥ??줾???Υ롼?뤬???????å??????????ϤǤ??? ?????κ????ͤ????¤??ޤ??? ?????????ѿ??? sysctl(3) ???󥿥ե?????????ͳ???????ѤǤ??ޤ???

????

[EINVAL] IP ???ץ????????󤬺Ǿ??ͤ???û???????󶡤??줿???ץ?????
?Хåե?????Ĺ????Ŭ?ڤʷ????Ǥ?????ip_fw ??¤?Τǹ?¤Ū
?ʥ??顼??ȯ?????ޤ??? (n_src_p+n_dst_p ???硢ALL/ICMP
?ץ??ȥ????Τ????Υݡ??ȥ??åȤʤ?)???????ʥ롼???ֹ椬
?Ȥ????ޤ?????

??Ϣ????

setsockopt(2), divert(4), ip(4), ipfw(8), sysctl(8)

?Х?

``tee'' ?롼???Ϥޤ??????????Ƥ??ޤ??? (???ߤϸ??̤??????ޤ???)??

???? man ?ڡ????Ϥޤ????Ȥ?ɬ?פǤ???

????

ipfw ??ǽ?Ϻǽ??? BSDI ?ؤΥѥå??????Ȥ??? Daniel Boulet <danny@BouletFermat.ab.ca> ?ˤ??äƽ񤫤??ޤ????? Ugen J.S.Antsilevich <ugen@NetVision.net.il> ?????????ѹ?????FreeBSD ?ذܿ????ޤ?????

Archie Cobbs <archie@whistle.com> ?ˤ??äƤ????Ĥ??γ?ĥ???ä??????ޤ?????