  Firewall And Proxy Server HOWTO
  Mark Grennan, mark@grennan.com
  v0.83, August 21, 2000
  {: JF Project (jf@linux.or.jp)
  v1.0.0j  Sep. 22, 2001

  ̓̕t@CAEH[̊bƋɁA Linux x[X̃VX
  eŃtB^yуvLVt@CAEH[\z邽߂̏ڍׂȏ
  AЉ܂B̕ HTML o[W http://www.gren-
  nan.com/Firewall-HOWTO.html ɂ܂B
  ______________________________________________________________________

  ڎ

  1. Љ
     1.1 tB[hobN
     1.2 ӔC
     1.3 쌠
     1.4 ̕R
     1.5 Xɓǂ݂l

  2. t@CAEH[𗝉
     2.1 t@CAEH[̃|V[
        2.1.1 ZLeB|V[̍쐬@
     2.2 t@CAEH[̎
        2.2.1 pPbgtB^Ot@CAEH[
        2.2.2 vLVT[o
        2.2.3 AvP[VvLV
        2.2.4 SOCKS vLV

  3. t@CAEH[̃A[LeN`({݌v)
     3.1 _CAbvA[LeN`
     3.2 P̃[^̃A[LeN`
     3.3 vLVT[o𔺂t@CAEH[
     3.4 璷ȃC^[lbg̐ݒ

  4. Linux tB^Ot@CAEH[ݒ肷
     4.1 ŒKvȃn[hEFȀ

  5. Kvȃ\tgEFA
     5.1 J[l̑I
     5.2 vLVT[oI

  6. Linux VXe
     6.1 J[l̃RpC
     6.2 񖇂̃lbg[NJ[hݒ肷
     6.3 lbg[NAhX̐ݒ
     6.4 lbg[NĂ݂
     6.5 t@CAEH[Sɂ

  7. IP tB^O̐ݒ(IPFWADM)
  8. IP tB^O̐ݒ(IPCHAINS)
  9.  squid vLVCXg[
  10. TIS vLVT[oCXg[
     10.1 \tgEFA肷
     10.2 TIS FWTK RpC
     10.3 TIS FWTK CXg[
     10.4 TIS FWTK ݒ肷
        10.4.1 netperm-table t@C
        10.4.2 /etc/services t@C

  11. SOCKS vLVT[o
     11.1 vLVT[oݒ肷
     11.2 vLVT[oݒ肷
        11.2.1 ANZXt@C
        11.2.2 [eBOt@C
        11.2.3 t@CAEH[̌ DNS 𓮂
     11.3 vLVT[o𓮂
        11.3.1 Unix
        11.3.2 Trumpet Winsock  MS Windows
        11.3.3 UDP pPbgœׂɃvLVT[o肷
     11.4 vLVT[ǒ_

  12. ㋉̐ݒ
     12.1 S̏dKvȑ傫ȃlbg[N
        12.1.1 lbg[Nݒ
        12.1.2 vLVݒ

  13. ȒPȊǗׂ̈
     13.1 t@CAEH[c[
     13.2 ėpc[

  14. vLVt@CAEH[߂ɂ
  15. APPENDEX A - XNvg̗
     15.1 GFCC p RC XNvg
     15.2 GFCC XNvg
     15.3 GFCC gȂ RC XNvg

  16. APPENDEX B - RedHat p VPN RC XNvg
  17. {ɂ

  ______________________________________________________________________

  1.  Љ

  David Rudder 񂪂 Firewall-HOWTO ̃IWi̕܂
  B 4NOAčipƂĂꂽނɊӂ܂B

  e؂ɂA̎Ǐǂ̕M҂`Ăꂽ Ian Gough ɂӂ
  B

  t@CAEH[́A܂ŃC^[lbgł̋ɂ̃ZLeBƂ
  ̒nʂ𓾂ė܂BAt@CAEH[͖wǂ̃lbg[NfoC
  ẌꕔɂȂĂ܂B̍ŐV̘bƓlA΂Όꂪ
  B̕ł́At@CAEH[̎̂ƁA\z@Ă܂B

  ̓J[l 2.2.14  RedHat 6.1 ̍̕쐬ɎgĂA
  ɕ̗͂̃fBXgr[VɂĂ܂BAȂ
  ̃fBXgr[VƂ̑_܂A email B
   howto XV܂B

  1.1.  tB[hobN

  ǂȃtB[hobNł}܂B ̊̕ԈႢĂ
  !!  ͐lԂłԈႢłBԈႢ玄ɒm
  点ĂBSĂ e-mail ɕԓ̂͂܂܂Ȃ̂łAZ
  ̂ŁAԎȂĂ{ȂłB

   email AhX mark@grennan.com <:mailto:mark@grennan.com> 
  B

  1.2.  ӔC

  o܂B͈̕ȑÓA``̓ZLeB[̃GLXp[g
  ͂ȂA܂AȂC܂B'' ƂȂĂ܂BA
  GLXp[gɂȂĂ܂܂Ď̌̓ZLeB[Ai
  XgłBƁÁAȑO菭͂܂ƂȎĂ邩
  ܂Bł킩ė~̂́A͂̕܂łF񂪂̕
  Tۂ̏ɂȂ邱ƂڎwĂ̂Ȃ̂łB͂̕
  ̐xグׂɎ̐lq͂܂BAȂ
  t@CAEH[̒m̑SĂ̕ɊÂ̂łȂ΁Ad
  t@CAEH[ɓqȂłB́A̕ɊÂs
  SĂ̑Qɑ΂Ă̐ӔC𕉂܂B

  1.3.  쌠

  ɋLqA Linux HOWTO ́Aꂼ̒҂ɒ쌠L
  ܂B͎łB Linux HOWTO ́A̒쌠\Ă
  ΁Aꕔ܂͑SĕҏWAdqI͕Iȕ@ɂ炸zz
  邱Ƃł܂ (ނAꂪ]܂)Bpzz}܂B
  A̕zzꍇ́AɃ[Œm点ĂB (
  Ɏ̖̂̂DȂ̂)B

  |AhiALinux HOWTO ւ̏W͂̒쌠\ɂ
  čsȂ΂Ȃ܂B́AzzɐVȐǉĂ͂
  ȂƂƂłB̃[ɉĂ邱ƂmMłꍇȊO
  ́ALinux HOWTO R[fBl[^ɘAĂB

  vɁAX͉\Ȍ̎iʂāȀ񂪍Lsn邱Ƃ
  ]ł܂BAX HOWTO hLg̒쌠ێ
  ɁAĔzžvm炳ꂽƂvĂ܂BA̒쌠\L
  cĂ΁AⓙȂɎgĂ܂܂B

  ^₪܂AɃ[Œm点ĂB(LQƂ̂)

  1.4.  ̕R

  NOAINz}B"C^[lbgǗ"ƂēĂƂɁA
  "BC^[lbgɂȂĂ"Ɨ܂܂B (: ̂Ƃ
  ́Â悤Ȍ͂܂łB͂̒PȂ鉽ł
  ̂łB) ŗǂ̕@́A\Ȍ̑̃t[\tg
  WNn[hEFAgƂłB Linux ƁAŘÂ 486 }V
  A邽߂̓łB

  Linux ]łB (č) Ap̃t@CAEH[͂
  łȕłBASẴt@CAEH[̓ڏq
  ́A̖wǂō@łB̌ʁAt@CAEH[
  ōグ͖̂wǕs\Ȃ̂Ǝv܂B

   American Floral Services (AFS) ł́At@CAEH[𓮂
  𗊂܂A̎_ł̓t@CAEH[̃\[XR[hJ[lɑgݍ
  ܂Ă܂BčĂсA Linux găt@CAEH[
  Ă܂BZAt@CAEH[͊A̕XV܂
  B

  Aꂩ6NoāA͑R̃t@CAEH[ŎdĂ܂B
  Ⴆ CheckPoint Firewall-1, Cisco Pix, đR̃[^̃t@CA
  EH[ƁASẴo[W Linux x[X̃t@CAEH[łB
  ́A Linux ݂̍ŗǂ̃t@CAEH[Ǝv܂BłA̐ݒ
  ͍łGȂ̂ł邩܂B

  1.5.  Xɓǂ݂l

  o  The Linux Networking Overview HOWTO
     <http://sunsite.unc.edu/mdw/HOWTO/Networking-Overview-HOWTO.html>

  o  The Ethernet HOWTO <http://sunsite.unc.edu/mdw/HOWTO/Ethernet-
     HOWTO.html>

  o  IPchains Firewalling made Easy! <http://ipchains.nerdherd.org/>
     y: L URI ͖łBz

  o  Linux Network Address Translation
     <http://www.linas.org/linux/load.html>

  o  The Net-HOWTO <http://metalab.unc.edu/mdw/HOWTO/Net-
     HOWTO/index.html>

  o  The NET-PPP HOWTO <http://metalab.unc.edu/mdw/HOWTO/PPP-
     HOWTO/index.html>

  o  Software to build secure VPNs across public networks
     <http://www.freeswan.org/>
  o  GFCC a GTK+ Firewall Control Center
     <http://icarus.autostock.co.kr/>

  o  ̓t@CAEH[̌납 ICQ ̐ڑ (`bgAt@C̑
     M) A|[gtH[fBOvLVłB (
     ܂ōȂsɂĂ܂B)
     <http://freshmeat.net/projects/icq-proxy/homepage/>

  o  ̃TCg Linux  IP Masquerading t@CAEH[̌ɂ
     IPSec  PPTP VPN ̃zXg (NCAgT[o) ɃANZX
     @ Ă܂B
     <http://freshmeat.net/projects/linuxvpnmasquerade/homepage/>

  o  rc.firewall ́Acȃlbg[NT[rX (NFS, IPSec, VPNs,
     Proxies) A}XJ[fBOA  |[gtH[fBOA IP A
     JEeBOT|[gA ipchains x[X̃t@CAEH[X
     NvgłB Xv[tBOy: UzAU[eBO/}X
     J[fBOA DoS y: Denial of Service: T[rXs\U
     zA smurf UAM|[gXLAX܂B ̃v
     Cx[gyьC^[tF[XT|[gĂ܂B
     <http://freshmeat.net/projects/rc.firewall/download/>

     y: L URI ͖łB݂́A rcf <http://rcf.mvlan.net/>
     ɕύXĂ܂Bz

     y: "smurf" Ƃ́A DoS ÜsUvO̖O
     Bڂ́A CERT ̕
     <http://www.cert.org/advisories/CA-1998-01.html> A CERT ̕
     { <http://isl.educ.fukushima-u.ac.jp/~shinoda/net-
     docs/CERT/CA-98.01.smurf.html> QƂĂBz

  o  ԈႢȂŗǂ̃vLVT[ołB <http://www.squid-cache.org/>

  o  ÂłAłB Socks̍ŐVo[Wɂ܂B
     <http://freshmeat.net/projects/socks5/homepage/>

  2.  t@CAEH[𗝉

  hΕǂƂ́AĂ邱ƂӐ}z\łBzɂ͗ł
  hΕǂAz̋Sɕ܂BԂ̖hΕǂ͋
  ǂŁAGWƏq̎Ƃ؂܂B

  C^[lbg̃t@CAEH[́AȂ̃vCx[g LAN ɃC^
  [lbg̒n̉NȂƂӐ}Ă܂B́AȂ
  LAN ̃o[A׈ȃC^[lbg̗Ufɑ΂čsANZX
  ֎~Aނɕۂ߂̂̂łB ;-)

  ̃Rs[^t@CAEH[́A̈قȂlbg[Nɐڑ
  ĂAoHsȂ Unix zXgłBЕ̃lbg[NJ[
  h̓C^[lbgɐڑAЕ̓vCx[g LAN ɐڑ
  ܂BvCx[glbg[NC^[lbg֓Bɂ́A
  t@CAEH[ (Unix) T[oɃOIȂ΂Ȃ܂łB
  ɃC^[lbgɃANZXׂɂ̃T[õ\[Xg܂BႦ
  ΁At@CAEH[VXe Netscape ̃uEU𓮍삳āA
  ̃}Vœ삷 X Window System ̃fBXvCɕ\ł
  Bt@CAEH[œ삷uEU͗̃lbg[NɃANZX
  ł܂B

  y: ̃Gs\[hɂẮAႦ Delegate
  <http://www.delegate.org/>  History of development
  <http://www.delegate.org/ftp/pub/DeleGate/doc/History-199801-ja.txt>
  ɂĂ܌邱Ƃł܂Bz

  ̗ނ́ufAz[VXe (dual homed system)v (2̃lbg
  [NɐڑĂVXe) ́AȂ̃lbg[Ñ[USĂ
  MłȂA͑f炵̂łBP Linux VXeZb
  gAbvāAC^[lbgփANZXlSĂɃAJEg𔭍s
  Ηǂ̂łB̐ݒɂāAȂ̃vCx[glbg[N
  ɂāAO̐EɂĂ邱ƂmRs[^́At@CA
  EH[ƂȂ܂BvCx[glbg[N̐l͒Ng
  [NXe[VփC^[lbg璼ڃ_E[h邱Ƃ͂ł
  BŏɃC^[lbgt@CAEH[փt@C_E[h
  ĂAɃt@CAEH[玩g̃[NXe[Vփ_E
  [hȂ΂Ȃ܂B

  ŏdv - SĂ̐N 99% ́AUΏۂ̃VXeɑ΂ăAJEgx
  ̃ANZX𓾂邱Ƃn܂܂Bł̂ŁA̎̃t@CAEH[
  ͂E߂܂B܂Ãt@CAEH[͐߂܂B

  2.1.  t@CAEH[̃|V[

  t@CAEH[}VȂ]ނ̂̑SĂłƐMׂł
  ܂B悸A|V[ݒ肵܂傤B

  t@CAEH[ 2̗prɎg܂B

  1. l ([ / NbJ[) ߏoׁB

  2. l (]ƈ / qB) ߂ׁB

  t@CAEH[ɎgłAĂЂ͔ނ̃lb
  g[NNbJ[ߏoƂA]ƈXpC邱Ƃɂ
  苻ĂƂɂƂĂ܂B

  ȂƂ̏B (INz}) ł́Aٗp҂͏]ƈɒf肳΁A
  ̓db̉bƃC^[lbg̗p󋵂Ď錠Ă܂
  B

  ƍٓÎ͐{ł͂ȂAƂ̂łB

  ȂłBlX͋ΖԒ͓ĂāAVł͂Ȃ
  łBĎ͋ΖϗI܂邱ƂĂ܂BȂ
  A͂܂"Ǘґ"ނ炪ݒ肵[̍łȌp҂
  邱ƂĎĂ܂Bʋ΃oX̌oHTׂɃC^[lbg
  gƂŎԋJ҂oc҂ɒꂽƓɁA܂ɂ̒
  soc҂Â݂ڋqAĂ߂̏㓙ȃXgi
  CgNuAΖԒɉԂlbgT[tBĂ̂Ă
  B

  Ζ̊Ǘׂ̈̃XpCśׂA Monster.com ŎdTĂl
  邱Ƃł܂BłA͌oc҂J҂̏i "GC
  YɂĂ邩mȂ" ǂ`FbNׂɔ/ޏN
  ǗTCgɖKꂽƂ邩ۂĂ鎞ɁA͔ϗIł
  ƂɋCt܂B

  ZLeB̎d͋낵ƂɂȂ肩˂܂BȂt@CA
  EH[̊Ǘ҂ȂAȂ̔wɂӂB

  2.1.1.  ZLeB|V[̍쐬@

  ͍܂ŃZLeB|V[̍쐬@ɊւuzgɋXv
  Ă܂BȂ̂MĂ͂܂BZLeB|
  V[邱Ƃ͂ƂĂPȂ̂łB

  1. ^̂o

  2. ȂT[rX񋟂l̃O[vo

  3. eX̃O[vKvƂANZX͂ǂ̃T[rXȂ̂o

  4. eX̃O[vւ̃T[rXɁAǂ̂悤ɈSmۂ邩o
     

  5. ̂ANZX́ASăZLeBᔽł|̐錾
     

     Ȃ̃|V[͎Ƌɂ蕡GɂȂł傤ǂA
     Jo[悤Ƃ͂ȂłBPŖɂ邱ƂS
     B

  2.2.  t@CAEH[̎

  t@CAEH[ɂ 2 ނ܂B

  1. tB^Ot@CAEH[ - Ilbg[NpPbgu
     bN܂B

  2. vLVT[o (΂΃t@CAEH[ƌĂ΂܂) - lbg[
     Nւ̐ڑ񋟂܂B

  2.2.1.  pPbgtB^Ot@CAEH[

  pPbgtB^O Linux J[lɑgݍ܂^Cṽt@CA
  EH[łB

  tB^Ot@CAEH[̓lbg[Nxœ삵܂Bt@C
  AEH[[Af[^̓VXeoĂƂ
  ܂BBpPbǵAeX̃pPbgɊ܂܂ĂށAMA
  hXAAhXAă|[g̏ɂătB^O
  B

  ̃lbg[N[^͂x̃t@CAEH[T[rX
  @\Ă܂BtB^Ot@CAEH[̗͂ނ̃[^
  Ɠƍl܂B̂߁A𓮍삳ɂ IP pPbg
  ̍\ɑ΂[KvƂ܂B

  ́EL^f[^͔ɏ̂ŁAtB^Ot@CAEH[
   CPU ׂwǕKvƂ܂񂵁Albg[N̒xwǐ܂
  B

  tB^Ot@CAEH[̓pX[hs܂B[U͎
  F؂邱Ƃ͂ł܂B[UʂB̕@́A[NX
  e[VɊ蓖Ăꂽ IP AhXłB̂Ƃ DHCP (Dynamic
  IP assignments: I IP 蓖) ̎gpӐ}ĂꍇɖЂ
  N\܂B[ IP AhX肪ɂĂ̂ŁA
  V IP AhX蓖ĂxɃ[𒲐Ȃ΂ȂȂ
  Ȃ܂B͂pm܂B

  tB^Ot@CAEH[̓[UɂƂĂ蓧ߓIłB[U
  C^[lbgփANZXׂɎgpAvP[VɃ[ݒ
  Kv܂Bwǂ̃vLVT[oł͐ݒ̕Kv܂B

  2.2.2.  vLVT[o

  vLV͖wǂ̏ꍇAOւ̃gtBbN𐧌܂͊ĎׂɎg
  ܂Bvꂽf[^LbVAvP[VvLV
  ܂B̂ƂɂĕKvƂlbg[ÑohቺA
  ̃[Uɑ΂ēf[^ւ̃ANZXቺ܂BƋɉ
  ]ꂽ̂𓮂ʏ؋ƂĒ񋟂܂B

  vLVT[oɂ 2ނ܂B

  1. AvP[VvLV - Ȃׂ̈ɎdĂ܂B

  2. SOCKS vLV  - NXC|[głB

  2.2.3.  AvP[VvLV

  łǂ́Al̃Rs[^ telnet ڑĂÃR
  s[^OE telnet ڑ邱ƂłBAvP[VvLVT
  [óA̎菇܂BȂOE telnet ڑƁA悸
  NCAg͂ȂvLV֑o܂BvLV͎ɂȂv
   (OE) T[o֐ڑAf[^Ȃ֕Ԃ܂B

  vLVT[o͑SĂ̐ڑ̂ŁA(Ȃ܂߂)ANZX
  SĂ̋OL^邱Ƃł܂B HTTP (web) vLVɂ
  ́AȂ{TCg URL ̂̂܂܂܂B FTP vLV
  ẮAȂ_E[hSẴt@C܂܂܂BȂ
  KTCg "sK" trAEBXXL
  ܂B

  AvP[VvLVT[o̓[UF؂ł܂BO̐ڑs
  OɁAT[o̓[Uɑ΂čŏɃOCÑ܂B web 
  [UɂẮASẴTCgɂăOCv悤Ɍ
  B

  2.2.4.  SOCKS vLV

  SOCKS T[o͋^̃XCb`{[hɑϗǂĂ܂B͒PɁA
  Ȃ̐ڑʂ̊O̐ڑɃVXeŌq܂B

  wǂ SOCKS T[o TCP ^Cv̐ڑł̂ݓ삵܂BătB^
  Ot@CAEH[ƓlA[UF؂̋@\͑Ă܂B
  ȂA[Uǂɐڑ̂L^邱Ƃ͂ł܂B

  3.  t@CAEH[̃A[LeN`({݌v)

  t@CAEH[păVXeh䂷悤ȃlbg[N\ɂ́A
  lXȎނ܂B

  [^ʂăC^[lbg֐pڑĂȂA[^𒼐ڃt@
  CAEH[VXeɐڑĂł傤B邢̓nu܂
  t@CAEH[̊OɃT[oQuAɃtANZX񋟂
  łł傤B

  3.1.  _CAbvA[LeN`

  Ɠǎ҂ ISDN ̂悤ȃ_CAbvT[rX𗘗pĂ邱
  ł傤B̏ꍇAÕlbg[NJ[hpătB^O
   DMZ y: Demilitarized Zone: 񕐑nсzô
  ܂B΃C^[lbgT[rXSɃRg[ł
  ܂Aʏ̃lbg[N͐؂藣Ă܂B

                    __________
     _/\__/\_      | t@CA |           __________________
    |C^[|     | EH[ |  (LAN)   |                  |
   /  lbg  \----| VXe |--(nu)--|[NXe[V|
   \_  _  _  _/    |__________|          |__________________|
     \/ \/ \/           |
                      (DMZ)
                      (nu)

  3.2.  P̃[^̃A[LeN`

  Ȃ̃}VƃC^[lbg̊ԂɃ[^P[ufꍇ
  l܂傤B̃[^Ȃ̏LȂÃ[^ɋłȃtB
  ^[ݒłł傤B[^ ISP ̏LȂAKvȃRg
  [sƂ͑łȂł傤B ISP ɃtB^ݒ肷悤
  ނƂ͂ł邩܂B

                    _________            __________
     _/\__/\_      | [^  |          | t@CA |           _______________
    |C^[|     |     |  (DMZ)   | EH[ |  (LAN)   |    [N     |
   /  lbg  \----|P[u |--(nu)--| VXe |--(nu)--|  Xe[V |
   \_  _  _  _/    | f  |    |     |__________|          |_______________|
     \/ \/ \/      |_________|    |
                                (O)
                               (T[o)

  3.3.  vLVT[o𔺂t@CAEH[

  lbg[Ñ[ŨANZXj^KvAlbg[N
  K͂Ȃ΁At@CAEH[ɃvLVT[o𓝍ł܂B
  ISP ɂẮAsă[ŨXgA}[PeBOs
  Ă㗝XɔĂ悤ȂƂ܂B

                     __________
      _/\__/\_      |vLV/ |           ______________
     |C^[|     | t@CA |  (LAN)   |   [N     |
    /  lbg  \----| EH[ |--(nu)--| Xe[V |
    \_  _  _  _/    | VXe |          |______________|
      \/ \/ \/      |__________|

  vLVT[óALAN ɂDȂ悤ɐݒuł܂B̏ꍇÃv
  LVT[o񋟂ĂT[rXɂẮAvLVT[oC^
  [lbgɐڑł悤ɂׂłB΃[U̓vLVT[
  oʂĂC^[lbgɐڑłȂȂ܂B

                    __________
     _/\__/\_      | t@CA |           _______________
    |C^[|     | EH[ |  (LAN)   |    [N     |
   /  lbg  \----| VXe |--(nu)--|  Xe[V |
   \_  _  _  _/    |__________|    |     |_______________|
     \/ \/ \/                      |     ______________
                                   |    |              |
                                   +----|vLVT[o|
                                        |______________|

  3.4.  璷ȃC^[lbg̐ݒ

  YAHOO  SlashDot ̂悤ȃT[rXғȂA璷ȃ[^
  ƃt@CAEH[păVXe\zȂ邱Ƃł傤B (High
  Availability HowTo ɂȂĂB) y: Linux High
  Availability HOWTO  http://www.ibiblio.org/pub/Linux/ALPHA/linux-
  ha/High-Availability-HOWTO.html
  <http://www.ibiblio.org/pub/Linux/ALPHA/linux-ha/High-Availability-
  HOWTO.html> ɂ܂B High Availability ́upvӖ
  Bz

  1 URL ƕ ISP 畡 web T[oւ̃ANZX񋟂A
  round-robin DNS ̋Zpg΁AP URL ɑ΂ANZX𕡐
  web ɎJƂł܂B High availability ZpgĂ
  ISPE[^Et@CAEH[𕡐p邱ƂɂāA 100% tғ
  ̃T[rXł܂B

  y: round-robin Ƃ́A~`ɏ菑Ӗ܂Bł
  DNS ɂ URL ɑ΂ĕ̃T[ȏΉ֌W񋓂ÃN
  CAg̗vɑ΂ẴXgԂɎgp邱ƂɂAוU
  @łB DNS ̍Ō̃GgɓBŏɖ߂Ďg
  񂷗Ll round-robin ƂtŐĂ܂Bz

     _/\__/\_                                       _/\__/\_
    |        |                                     |        |
   /  ISP #1  \______                  (WAN)______/p[gi[\
   \_  _  _  _/      |                 (nu)     \_  _  _  _/
     \/ \/ \/        |                ___|____      \/ \/ \/
                   __|___            |_______ |
     _/\__/\_     |_____ |          |t@CA||           ______
    |        |   |      ||  (DMZ)   |EH[||  (LAN)   |      |
   /  ISP #2  \--|[^||--(nu)--|VXe||--(nu)--| WS/s |
   \_  _  _  _/  |______|     |     | (VPN)  |     |     |______|
     \/ \/ \/                 |     |________|     |      ________
            |              (O)        |         |     |        |
    ------  |             (T[o)     (L)      +-----|vLV|
   | WS/s | |                         (T[o)           |________|
   | VPN  |-+
   |______|

  lbg[N͂ɂȂ̎ɕȂȂ̂łBSĂ̐ڑc
  ĂB[UfĂāÃf LAN ɐN
  ꂽA LAN ͊@Ɋׂ܂B

  4.  Linux tB^Ot@CAEH[ݒ肷

  4.1.  ŒKvȃn[hEFȀ

  tB^Ot@CAEH[ɍȃn[hEFA͕svłBPȃ
  [^ɖт悤Ȃ̂ŗp܂B

  KvȂ̂ -

  1. 486DX2 66MHz  32 MB 

  2. 250MB ̃n[hfBXN (500MB ȏオE߂ł)

  3. lbg[Nڑ (LAN J[hAVA|[gACX?)

  4. j^ƃL[{[h

  y: ܘ_Aȃ[XybNȃn[hEFÂ𑵂͋pč
  łB_œłn[hEFÂňȂ̂ŏ\ł
  BAA肵ĉғт̂]܂邱Ƃ͌܂ł
  ܂B܂AÕiwȂAn[hfBXN̂悤
  ̒Ẑɂ͒ӂĂBƁÃXgɂ̓rfIJ[h
  Ă܂B OS̃CXg[̍ۂɂ͕KvƎvtbs[fB
  XNhCu CD-ROM hCuĂ܂BӂBz

  VXeɂĂ̓VA|[gR\[gp邱ƂŁAj^ƃL
  [{[hȗ邱Ƃ\łB

  y: VAR\[̃T|[g̓J[l 2.2 nȍ~ƂȂĂ
  Bz

  cȃgtBbNJvLVT[oKvƂȂA肵
  ōŋ̃n[hEFAXybNKvɂȂ܂B̂ȂA[Uڑ
  sxɃvZX邩łB 50lȏ㓯ɐڑ悤ȏ
  ́Aȉ̂悤ȃXybNKvƎv܂ -

  1. yeBA II  64MB 

  2. SẴOL^ׂ 2GB ̃n[hfBXN

  3. 2̃lbg[Nւ̐ڑ

  4. j^ƃL[{[h

     y: ̕|󂵂Ă鎞_ł́ALXybN͂ŋł
     ȂłˁB:-)zlbg[Nڑ͂ނz肳܂ (NIC,
     ISDN, f̏ꍇ邩܂)B

  5.  Kvȃ\tgEFA

  5.1.  J[l̑I

  tB^Ot@CAEH[\zׂɓʂȃ\tgEFA͗v
  B Linux s܂B̕Ă鎞_ŁA RedHat 6.1
  gĂ܂B

  Linux ɑgݍ݂̃t@CAEH[͉xύXĂ܂BÂJ[
  l(1.0.x ͂Â)gĂȂAV̂
  ĂBÂJ[l http://www.xos.nl/linux/ipfwadm/ 
  ipfwadm gĂAT|[gĂ܂B

  y: g̃J[l̃o[W Ipfwadm ̃o[Wɒӂ
  B http://www.xos.nl/linux/ipfwadm/versions.html mFĂ
  Bz

  2.2.13 ȍ~gĂȂA http://netfilter.samba.org/ipchains/ 
  Jꂽ ipchains gpł܂B

  ŐV 2.4 J[lgĂȂAVdl̃t@CAEH[
  [eBeB܂B߂ɂɂď܂B

  5.2.  vLVT[oI

  vLVT[o̐ݒȂÃpbP[ŴǂꂩKv
  B

  1. Squid

  2. The TIS Firewall Toolkit (FWTK)

  3. SOCKS

     y:  vLVT[ovO DeleGate ܂B DeleGate 
     Ă͎̂ƂQlɂĂB
     http://www.delegate.org/delegate/z

  Squid ͂ƂĂf炵pbP[W Linux ̓߃vLV (Transparent
  Proxy) @\Ƌɓ삵܂B̃T[oݒ肷@ɂď
  v܂B

  ̕Ă鎞_ŁA Network Associates
  <http://www.networkassociates.com/>  Trusted Information System's
  (TIS) ͍Ă܂BύXɂĂ̏ڍ׏Ɋւ web TCgɒ
  ӂĂ܂傤BAc[ނ͂܂̂Ƃɂ܂B
  http://www.tis.com/research/software/
  <http://www.tis.com/research/software/>

  Trusted Information System  t@CAEH[̐ݒȒPɂ悤
  ݌vꂽvOQ񋟂Ă܂B̃c[ނgƂŁA
  ꂼ̃T[rX (WWW  telnet Ȃ) ̃f[ɐݒł
  B

  y: Trusted Information System ɂĂ͎̂ƂQlɂĂ
  B http://www.uth.tmc.edu/oac_docs/trust/trusted.htmz

  6.  Linux VXe

  ł邾K͂ŁALinux VXeCXg[܂BCX
  g[Ƃ́A܂T[o̐ݒsA /etc/inetd.conf 
  sKvȃT[rXO܂BXɃZLeB߂ȂAsKvȃT
  [rX̓ACXg[Ă܂܂傤B

  wǂ̃fBXgr[V͎̖ړIɉJ[lɂȂĂ܂
  񂩂A̖ړIɂJ[lɃRpCȂ΂܂B
  t@CAEH[ȊÕRs[^ŃRpCłȂAꂪ
  ǂ@łB C RpCȂǂ̃[eBeBt@CAEH[ɃC
  Xg[Ă܂ꍇ́AJ[l̐ݒ肪ō폜܂
  B

  6.1.  J[l̃RpC

  gɂȂ\ Linux fBXgr[V̍ŏx̃CXg[
  n߂ĂB\tgEFA点΁Ag̃T[oł̃ZL
  eB̌ɂȂZLeBz[obNhA (sȎił̐N
  ) A̓oOȂǂ菭ȂȂ܂B

  ł̃J[l肵ĂB̃VXeł̓J[l 2.2.13 
  gĂ܂B͂̊̕ł̐ݒ{ɂ܂B

  K؂ȃIvV Linux ̃J[lRpCȂ΂܂B
  J[l̍č\zoȂȂAsO Kernel HOWTO,
  Ethernet HOWTO, NET-2 HOWTO ǂ݂܂傤B

  Ƀlbg[N֘A̐ݒ܂Bꂪ삷邱Ƃ͊mFĂ
  ܂B̍ڂɂ ? ƂĂ܂B̂悤Ȑݒg
  ȂA`FbNđIĂB

  J[l̐ݒׂ̈ɁA "make menuconfig" gĂ܂B

  y: X̍ڂɂẮAConfigure.help ̓{łQlɂĂ
  B http://www.linux.or.jp/JF/JFdocs/Configure.help/z

      <*> Packet socket
      [ ] Kernel/User netlink socket
      [*] Network firewalls
      [ ] Socket Filtering
      <*> Unix domain sockets
      [*] TCP/IP networking
      [ ] IP: multicasting
      [*] IP: advanced router
      [ ] IP: kernel level autoconfiguration
      [*] IP: firewalling
      [?] IP: always defragment (required for masquerading)
      [?] IP: transparent proxy support
      [?] IP: masquerading
      --- Protocol-specific masquerading support will be built as modules.
      [?] IP: ICMP masquerading
      --- Protocol-specific masquerading support will be built as modules.
      [ ] IP: masquerading special modules support
      [*] IP: optimize as router not host
      < > IP: tunneling
      < > IP: GRE tunnels over IP
      [?] IP: aliasing support
      [*] IP: TCP syncookie support (not enabled per default)
      --- (it is safe to leave these untouched)
      < > IP: Reverse ARP
      [*] IP: Allow large windows (not recommended if <16Mb of memory)
      < > The IPv6 protocol (EXPERIMENTAL)
      ---
      < > The IPX protocol
      < > Appletalk DDP
      < > CCITT X.25 Packet Layer (EXPERIMENTAL)
      < > LAPB Data Link Driver (EXPERIMENTAL)
      [ ] Bridging (EXPERIMENTAL)
      [ ] 802.2 LLC (EXPERIMENTAL)
      < > Acorn Econet/AUN protocols (EXPERIMENTAL)
      < > WAN router
      [ ] Fast switching (read help!)
      [ ] Forwarding between high speed interfaces
      [ ] CPU is too slow to handle full bandwidth
      QoS and/or fair queueing  --->

  SĂ̐ݒĂAăRpCAJ[lăCXg[AċN
  ܂B

  ̂悤ȃR}hōs܂ -

  1s̃R}hőSsɂ́Â悤ɂ܂B make dep;make
  clean;make bzlilo;make modules;make modules_install;init 6

  6.2.  񖇂̃lbg[NJ[hݒ肷

  Rs[^ɓ񖇂̃lbg[NJ[h}ĂȂAIRQ Ɠ񖇂̃J
  [h̃AhX /etc/lilo.conf t@C append gĖIɉ
  Ȃ΂ȂȂꍇ܂B lilo  append ŝ͎悤ɂȂ
  Ă܂ -

  append="ether=12,0x300,eth0 ether=15,0x340,eth1"

  y: lbg[NJ[h̐ݒ́Â悤ȕQlɂĂ
  B http://www.linux.or.jp/JF/JFdocs/Ethernet-HOWTO.html

  http://www.linux.or.jp/JF/JFdocs/Multiple-Ethernet.htmlz

  6.3.  lbg[NAhX̐ݒ

  āA\zƂʔƂɂĂ܂B̕ł LAN ݒ肷
  @ɂĐ[͐܂B̌ɂĂ̂Ȃ̖
  ɂ́A Networking-HOWTO ǂłB

  y: Networking-HOWTO ̓{́ÂƂɂ܂B
  http://www.linux.or.jp/JF/JFdocs/NET3-4-HOWTO.htmlz

  Ȃ̖ړÍAtB^Ot@CAEH[ʂāA̃lbg
  [Nڑ񋟂邱ƂłBC^[lbgɈ(SłȂ) LAN
  () ɈƂƂɂȂ܂B

  ƂɂA̂Ƃ肵Ȃ΂Ȃ܂B

  1. { IP ԍg܂AƂ LAN ɂ͓KȔԍw肵܂
     B

  2. Ȃ ISP 犄蓖Ăԍg܂AƂAÓI
     IP ԍg܂B

  vCx[gȃlbg[NɃC^[lbg̃ANZX
  킯łA "{̃AhX" gKv͂܂BvCx[g
  LAN ɑ΂ēKȃAhXU邱Ƃ͂ł܂A͂߂ł܂
  Bf[^ LAN 炠oHʂĘRĂ܂Aǂ̃VXe
  ̃|[g܂œ͂Ă܂܂B

  vCx[glbg[NpɎ킯Ă̃C^[lbgA
  hX͈̔͂܂B 192.168.1.xxx ̒ɓĂāA̕
  ł͂Ɏg܂B

  ̐lgׂɂ IP }XJ[hgKv܂B̕@
  t@CAEH[̓pPbgtH[hāAC^[lbg "{
  " AhXɕϊ܂B

  ̂悤ȃ[eBOłȂ IP AhXg΁AȂ̃lbg[
  N͂SɂȂ܂BC^[lbg[^́Â悤ȃvCx[g
  AhX̂pPbgʂ܂B

  ̌ɊւẮA̕ǂ񂾂ق悢ł傤B IP Masquerading
  HOWTO <http://members.home.net/ipmasq/>
  y: IP Masquerade HOWTO ̓{́ÂƂɂ܂B
  <http://www.linux.or.jp/JF/JFdocs/IP-Masquerade.html>z

              24.94.1.123  __________    192.168.1.1
        _/\__/\_        \ | t@CA | /           _______________
       |C^[|        \| EH[ |/           |     [N    |
      /  lbg  \--------| VXe |------------|  Xe[V |
      \_  _  _  _/        |__________|            |_______________|
        \/ \/ \/

  g̃C^[lbgplbg[NJ[hɊ蓖Ă邽߂ "{"
  IP AhXĂȂ΂܂B̃AhX́AȂɉi
  IɊ蓖Ăꂽ (ÓI IP AhX) łłA PPP v
  ZXɂlbg[Nւ̐ڑɊ蓖Ăꂽ̂ł܂܂B

   IP ԍ蓖Ă܂BƂ LAN J[hɑ΂ 192.168.1.1
  ̂悤ɂ܂B̓Q[gEFCAhXɂȂ܂Bی삳ꂽlbg
  [N (LAN) ɂ鑼̑SẴ}Vɂ́A 192.168.1.xxx ͈̔
  (192.168.1.2  192.168.1.254 ܂) ̔ԍ蓖Ă邱Ƃł
  B

   RedHat Linux gpĂ܂BNɃlbg[Nݒ肷邽
  ߁A /etc/sysconfig/network-scripts ƂfBNgɂ
  ifcfg-eth1 t@CɋLqǉĂ܂B̃fBNg ifcfg-
  ppp0  ifcfg-tr0 Ƃt@C͂łB'ifcfg-' Ƃt@C
  ́A RedHat ŁANɃlbg[NfoCXݒ肵Agp\ɂ
  ׂɎgĂ܂Bڑ̃^CvɂĖOĂ܂B

  ꂪ ifcfg-eth1(ڂ̃C[TlbgJ[h)̗ł -

      DEVICE=eth1
      IPADDR=192.168.1.1
      NETMASK=255.255.255.0
      NETWORK=192.168.1.0
      BROADCAST=192.168.1.255
      GATEWAY=24.94.1.123
      ONBOOT=yes

  _CAAbvڑȂAifcfg-ppp0  chat-ppp0 Ȃ
  ΂Ȃ܂B PPP ڑ𐧌䂵܂B

  ̏ꍇ ifcfg t@Ĉ͎悤ɂȂ܂ -

      DEVICE="ppp0"
      ONBOOT="yes"
      USERCTL="no"
      MODEMPORT="/dev/modem"
      LINESPEED="115200"
      PERSIST="yes"
      DEFABORT="yes"
      DEBUG="yes"
      INITSTRING="ATZ"
      DEFROUTE="yes"
      HARDFLOWCTL="yes"
      ESCAPECHARS="no"
      PPPOPTIONS=""
      PAPNAME="LoginID"
      REMIP=""
      NETMASK=""
      IPADDR=""
      MRU=""
      MTU=""
      DISCONNECTTIMEOUT=""
      RETRYTIMEOUT="5"
      BOOTPROTO="none"

  6.4.  lbg[NĂ݂

  ifconfig  route R}hgĂ݂܂傤B񖇂̃lbg[NJ[h
  gĂȂÂ悤ɕ\܂B

    #ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:3924  Metric:1
              RX packets:1620 errors:0 dropped:0 overruns:0
              TX packets:1620 errors:0 dropped:0 overruns:0
              collisions:0 txqueuelan:0

    eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
              inet addr:24.94.1.123 Bcast:24.94.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1000 errors:0 dropped:0 overruns:0
              TX packets:1100 errors:0 dropped:0 overruns:0
              collisions:0 txqueuelan:0
              Interrupt:12 Base address:0x310

    eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1110 errors:0 dropped:0 overruns:0
              TX packets:1111 errors:0 dropped:0 overruns:0
              collisions:0 txqueuelan:0
              Interrupt:15 Base address:0x350

  XɌoHe[û͎悤ɂȂ܂ -

    #route -n
    Kernel routing table
    Destination     Gateway         Genmask         Flags MSS    Window Use Iface
    24.94.1.0       *               255.255.255.0   U     1500   0       15 eth0
    192.168.1.0     *               255.255.255.0   U     1500   0        0 eth1
    127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
    default         24.94.1.123     *               UG    1500   0       72 eth0

   -  24.94.1.0 ́Ãt@CAEH[̃C^[lbgŁA
  192.168.1.0 ̓vCx[g( LAN )ɂȂ܂B

  LAN ɂSẴRs[^At@CAEH[VXe̓̃Ah
  X ping ł邩ǂ𒲂ׂ܂傤 (ł 192.168.1.1 
  Ă܂)B܂łȂȂAēx NET-2 HOWTO ĂB
  āAlbg[NɂĒׂĂB

  ɁAt@CAEH[C^[lbgVXe ping Ă݂
  B̓eXg|CgƂwww.internic.net gĂ܂B
  ܂Ȃ΁Ag ISP ł̃T[oĂ݂܂Bꂪ
  ܂Ȃ΁AȂ̃C^[lbgڑ̂ǂƐݒ肳
  Ă܂Bt@CAEH[́AC^[lbĝꏊɐڑ
  łȂ΂Ȃ܂BftHg̃Q[gEFC̐ݒĂ
  B_CAAbvڑgĂȂA[U ID ƃpX[h
  ĂB Net-2 HOWTO xǂłēxĂB

  ______________________________________________________________________
  Ȃ LAN ɂRs[^At@CAEH[(24.94.1.123) 
  ÕAhX ping Ă݂܂B
  ͓Ȃ͂łB
   ping łȂAȂ̓}XJ[hsĂ邩A
  IP tH[fBOgĂ邩AȂ͊ɉ炩
  pPbgtB^Oݒ肵Ă̂łB
  𖳌ɂčēxĂB
  tB^OԂɂ邱ƂmFȂ΂Ȃ܂B
  ______________________________________________________________________

  2.1.102 VJ[lɑ΂ẮAȉ̃R}hg܂ -

      echo "0" > /proc/sys/net/ipv4/ip_forward

  (͕̂܂) ÂJ[lgĂȂAtH[h
  ɂăJ[lăRpCȂ΂Ȃł傤 (J[l
  AbvO[ĥɂ傤ǂ@ł)B

  ēxt@CAEH[ (24.94.1.123) ̃AhX̊OɌ ping 
  ܂BĂ͂Ȃ̂łB

  ܂łmFƂŁAIP tH[fBOy/ IP }XJ[
  hLɂ܂BȂ LAN ̂ǂȃVXeC^[lbg
  ̂ǂ̂悤ȏꏊɂ ping \ɂȂ͂łB

      echo "1" > /proc/sys/net/ipv4/ip_forward

  dvȒ - AȂ LAN ŁA (192.168.1.* ł͂Ȃ) "{"
  IP AhXgĂāAC^[lbg ping łȂAȂ
  t@CAEH[̃C^[lbgɂ ping łꍇ́Aڑ ISP
  Ȃ̃vCx[glbg[ÑAhX̃pPbg[eB
  OĂ邩ǂmFĂB

  y: ł̓[Ũ}VSĂɃO[o IP 蓖ĂĂꍇ
  Ă܂Bz

  ̖eXgɂ́AC^[lbg̒N (Ⴆ΃[J̃v
  oC_gĂFlɗ) ɁAȂ̃lbg[N traceroute
  Ă炤ƂłB traceroute ɂoHTAȂgĂv
  oC_̃[^Œ~ȂAvoC_͂Ȃ̃gtBbN]
  ĂȂ̂łB

  ܂? f炵Bꏊ͏I܂B:-)

  6.5.  t@CAEH[Sɂ

  t@CAEH[́Aꂪ삵ĂVXê̂AUɑ΂
  LJɂȂ܂܂ƁAȂӖȂ܂B "z" 
  t@CAEH[ȊÕT[rXʂăANZXĂ܂܂AD
  ɕύXĂ܂܂BsvȃT[rX͂ǂɂȂ΂Ȃ܂
  B

  /etc/inetd.conf t@CĂB "super server" ƂĒm
   inetd ݒ肷t@CłB inetd ͑R̃T[of[
  䂵A"well known" |[gւ̗vpPbgƁAX^[
  g܂B

  y: well known port ́A TCP/UDP |[gԍ 1024 Ԉȉ̃|[g
  w܂Bz

  echo, discard, daytime, chargen, ftp, gopher, shell, login, exec,
  talk, ntalk, pop-2, pop-3, netstat, systat, tftp, bootp, finger,
  cfinger, time, swat  linuxconfig ͑SĖɂ܂傤B

  T[rXύXɂ́AT[rXs̍ŏ̕ # u܂Bꂪ
  ς񂾂 "kill -HUP <pid>" 𑗂܂B <pid> ɂ́Ainetd ̃vZX
  ܂BƂ̐ݒt@CēǂAVXe~
  ȂōăX^[g܂B

  y: killall ƂR}h܂B man killall ׂĂ
  B killall -HUP inetd g܂Bz

  t@CAEH[ port 15 (netstat) ɑ΂ telnet Ă݂Ă
  Bo͂悤ȂAT[rX͖ɂȂĂ܂B

  telnet localhost 19
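Commenting the services out by hand works, but it is easy to miss one or to re-enable something on the next edit. The following is an added shell example, not from the HOWTO: it takes the service list given above, comments those services out in a copy of inetd.conf read on standard input, and lets you count what is still active before the real file is replaced and inetd is sent a HUP. The file paths in the usage comment are assumptions for a RedHat 6 box.

```shell
#!/bin/sh
# Added example (not from the HOWTO): disable the inetd services the text
# lists, repeatably, on a copy of /etc/inetd.conf read from stdin.

# Services the HOWTO says to turn off on the firewall.
UNWANTED="echo discard daytime chargen ftp gopher shell login exec talk ntalk \
pop-2 pop-3 netstat systat tftp bootp finger cfinger time swat linuxconfig"

# Read an inetd.conf on stdin and write it to stdout with every active line
# whose service name (first field) is in $1 commented out. Lines that are
# already comments or blank pass through unchanged (no "##" doubling).
disable_inetd_services() {
    awk -v list="$1" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) off[names[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        ($1 in off)              { print "#" $0; next }
                                 { print }
    '
}

# Count the active (uncommented, non-blank) service lines in an inetd.conf
# read on stdin; use it before and after to see what the edit changed.
count_active_services() {
    awk '!/^[ \t]*#/ && NF > 0 { n++ } END { print n + 0 }'
}

# Typical use (paths are assumptions for RedHat 6; inetd re-reads on HUP):
#   cp /etc/inetd.conf /etc/inetd.conf.orig
#   disable_inetd_services "$UNWANTED" < /etc/inetd.conf.orig > /etc/inetd.conf
#   killall -HUP inetd
```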

  /etc/nologin Ƃt@C쐬邱Ƃł܂B BUZZ OFF (q
  ̈Ӗ) ̂悤ɁÃt@CɂƂeLXg܂B
  t@C݂ƁA login ̓[ŨOI܂B[U
  ͂̃t@C̓e邱ƂɂȂAOC͋ۂ܂B root 
  OCł܂B

  /etc/securetty Ƃt@CҏWł܂B[U root ȂA
  /etc/securetty ɗ񋓂ꂽ tty 炵OCł܂Bs
  ƁA syslog @\ŋL^܂B̗̃Rg[Lɂ
  ΁At@CAEH[ւ̃OÍA root ƂăR\[oRłs
  ȂȂ܂B

  ΂ telnet  root ƂăOCĂ͂܂B[g root 
  KvƂȂASSH (Secure Shell) ŃANZX܂B telnet ͖
  ׂł傤B

  SzȐĺAlids (Linux Intrusion Detect System 荞݌mVXe
  ) gKv邩܂B Linux J[lɑ΂N
  ֎~VXẽpb`łBdvȃt@C₂܂B̎dg
  gƁA hΏۂ̃t@CfBNgAXɂ̔z̃TufB
  Ng (root ܂߂) NύXłȂȂ܂B̂悤ȈS
  ꂽt@CύXɂ́A LILO ̐ݒ security=1 w肵ăVXe
  u[gȂ΂Ȃ܂ (ȂVO[U[hŋN
  ł傤)B

  7.  IP tB^O̐ݒ(IPFWADM)

  J[l 2.1.102 ȏgĂȂ炱̏͂΂āA IPCHAINS
  ̏͂ɐiłB

  ȑÕJ[lł IP Forwarding ̓ftHgŃJ[lɑgݍ܂L
  ɂȂĂ܂B]āAlbg[Nݒ肷ꍇ́A܂SĂ
  AȑOɒuĂ ipfw ̃[jׂłBȉ̂悤ȃX
  Nvg (̈ꕔ) Albg[N̋NXNvg
  (/etc/rc.d/init.d/network) ɏĂȂ΂܂B

    #
    # Set up IP packet accounting and forwarding.
    #
    #   Forwarding
    #
    # Deny all services by default.
    ipfwadm -F -p deny
    # Flush all existing rules.
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f

  āAX͋ɂ̃t@CAEH[\z܂Bʂ܂B

   /etc/rc.d/rc.firewall Ƃt@C쐬܂B̃XNv
  g email, web, DNS gtBbN܂B ;-)

  #! /bin/sh
  #
  # rc.firewall
  #
  # Source the function library.
  . /etc/rc.d/init.d/functions

  # Get the network configuration.
  . /etc/sysconfig/network

  # Check that networking is up.
  if [ "${NETWORKING}" = "no" ]
  then
          exit 0
  fi
  case "$1" in
    start)
    echo -n "Starting Firewall Services: "
    # Allow email to reach the server (-b also matches the replies).
    /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25
    # Allow email connections from the server to outside email servers.
    /sbin/ipfwadm -F -a accept -b -P tcp -S 192.1.2.10 1024:65535 -D 0.0.0.0/0 25
    # Allow Web connections to your Web server.
    /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.11 80
    # Allow Web connections from the LAN to outside Web servers.
    /sbin/ipfwadm -F -a accept -b -P tcp -S 192.1.2.0/24 1024:65535 -D 0.0.0.0/0 80
    # Allow DNS traffic.
    /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 192.1.2.0/24
    ;;
    stop)
    echo -n "Stopping Firewall Services: "
    ipfwadm -F -p deny
    ;;
    status)
    echo -n "Now do you show firewall stats?"
    ;;
    restart|reload)
          $0 stop
          $0 start
          ;;
    *)
          echo "Usage: firewall {start|stop|status|restart|reload}"
          exit 1
  esac

   - ̗ł́A192.1.2.10  email (smtp) T[oāA|[g
  25 őMłȂ΂ȂȂƂĂ܂B web T[o
  192.1.2.11 ŉ^pĂ܂B LAN ɂSĂ̗p҂AO web T
  [o DNS T[oɓBł悤ɂĂ܂B

  ͊SɊƂ͌܂BȂȂ port 80 ́Aweb |[gƂ
  gȂ΂ȂȂ킯ł͂ȂAnbJ[Ȃ炱̃|[ggāA
  t@CAEH[z鉼zvCx[glbg[N (VPN) 
  傤Bɂ́A web vLVݒ肵AvLVt@C
  AEH[ʉ߂ł悤ɂ邱ƂłB LAN ̃[UOweb T
  [oɓBׂɂ̓vLVoRȂ΂ȂȂ悤ɂ܂B

  t@CAEH[ʂgtBbN̊ɂł傤B̃X
  Nvg͑SẴpPbg𐔂܂BȂ̓VOVXeɌp
  Pbg𐔂ׂɈAs邱Ƃł܂B

    # Flush the current accounting rules.
    /sbin/ipfwadm -A -f
    # Accounting: count packets in both directions between the LAN and outside.
    /sbin/ipfwadm -A out -i -S 192.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 192.1.2.0/24
    /sbin/ipfwadm -A in -i -S 192.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 192.1.2.0/24

  KvȂ̂tB^Ot@CAEH[ȂAȂ͂Őݒ
  I邱Ƃł܂BeXgĂ^pĂB

  8.  IP tB^O̐ݒ(IPCHAINS)

  Linux  ipchains ́A Linux IPv4 firewalling R[h ipfwadm 
  ̂łB ipfwadm  BSD  ipfw ̂Ǝv
  B ipchains  Linux ̃J[l 2.1.102 ȍ~ IP pPbgtB^
  Ǘ̂ɕKvłB

  ȑÕR[h̓tOgy: fragment: fЉꂽpPbgz
  ܂񂵁A (ȂƂ Intel pł) 32 rbg̃JE^܂
  񂵁A TCP/UDP/ICMP ȊO̎dl̃vgRlĂ܂񂵁AAg
  ~bN(uԓI)ɑ傫([)ύX邱Ƃł܂񂵁At[
  ܂񂵁AȕȂ܂AǗɂ ([Ũ~
  X₷) ̂ƍ҂͌Ă܂B

  y: ̈߂ IPCHAINS-HOWTO  1.2 Ȃ?
  <http://www.linux.or.jp/JF/JFdocs/IPCHAINS-HOWTO-1.html#ss1.2> Ɩw
  łBz

   ipchains gt@CAEH[̐ɂāAŐ[͏q
  ͂܂B̌ɂĂ͂ƂĂ悭o HOWTO ̂
  ɂ܂Ał͊{ɂĂqׂ܂B
  http://netfilter.samba.org/ipchains/HOWTO.html
  <http://netfilter.samba.org/ipchains/HOWTO.html> HOWTO ܂B

  `FC͖Oň܂B܂Ainput, output  forward Ƃg
  ݍݍς݃`FCA͍폜ł܂BŃ`FC
  Ƃł܂BāÃ`FC̃[Zbgɑ΂ă[
  ǉ폜ĂƂł܂B

  SẴ`FCɑ΂čs鑀͈ȉ̒ʂł -

  1. V`FC (-N).

  2. ̃`FC폜 (-X).

  3. gݍ݃`FC̃|V[ύX (-P).

  4. `FCɂ郋[Xg (-L).

  5. `FC̃[Sď܂ (-F).

  6. `FCɂSẴ[̃pPbgƃoCg̃JE^[ɂ
      (-Z).

  `FCŃ[𑀍삷ɂ͂̕@܂ -

  1. `FCɐV[ (-A).

  2. `FC̓KȏꏊɐV[ (-I).

  3. `FC̓KȏꏊŃ[u (-R).

  4. `FC̓KȏꏊŃ[폜 (-D).

  5. `FCɓKŏ̃[폜 (-D).

  ipchains ̓}XJ[fBȎ̒uꏊƂĂǂȂ̂ŁA
  ׂ̑삪܂ -

  1. ݂̃}XJ[hꂽڑXg (-M -L).

  2. }XJ[h̃^CAEglݒ肷 (-M -S).

  t@CAEH[[̕ύXɊւĂ̓^C~O̖肪
  BӐ[ȂƁAύXĂԂɕsSȂƂ납pPbg
  Ă܂܂BƂPȕ@͎̂悤ɂ邱Ƃł -

       # ipchains -I input 1 -j DENY
       # ipchains -I output 1 -j DENY
       # ipchains -I forward 1 -j DENY

  ... ύX܂ ...

       # ipchains -D input 1
       # ipchains -D output 1
       # ipchains -D forward 1
       #

  ̕@́AύXĂԂɑSẴpPbg𗎂܂B

   ipchains ɂāA܂ŏqׂt@CAEH[[܂Ƃ
  ̂łB

  #!/bin/sh
  #
  # Example rc.firewall.
  #
  ## Flush everything and start from scratch.
  /sbin/ipchains -F input
  /sbin/ipchains -F output
  /sbin/ipchains -F forward

  ## Redirect HTTP to the transparent proxy (left commented out; needs squid
  ## on port 8080 and "IP: transparent proxy support" in the kernel).
  #/sbin/ipchains -A input -p tcp -s 192.1.2.0/24 -d 0.0.0.0/0 80 -j REDIRECT 8080

  ## Create your own chain. Port names require -p tcp/udp; -b also matches
  ## the reply direction, as it did in the ipfwadm version above.
  /sbin/ipchains -N my-chain
  # Allow email to reach the server.
  /sbin/ipchains -A my-chain -p tcp -b -s 0.0.0.0/0 1024: -d 192.1.2.10 smtp -j ACCEPT
  # Allow email connections from the server to outside email servers.
  /sbin/ipchains -A my-chain -p tcp -b -s 192.1.2.10 1024: -d 0.0.0.0/0 smtp -j ACCEPT
  # Allow Web connections to your Web server.
  /sbin/ipchains -A my-chain -p tcp -b -s 0.0.0.0/0 1024: -d 192.1.2.11 www -j ACCEPT
  # Allow Web connections from the LAN to outside Web servers.
  /sbin/ipchains -A my-chain -p tcp -b -s 192.1.2.0/24 1024: -d 0.0.0.0/0 www -j ACCEPT
  # Allow DNS traffic.
  /sbin/ipchains -A my-chain -p udp -b -s 0.0.0.0/0 domain -d 192.1.2.0/24 -j ACCEPT
  # Hand every incoming packet to my-chain; whatever it does not accept
  # falls through to the input policy set at the end.
  /sbin/ipchains -A input -j my-chain

  ## If you are using masquerading:
  # Don't masquerade traffic that stays inside the LAN.
  /sbin/ipchains -A forward -s 192.1.2.0/24 -d 192.1.2.0/24 -j ACCEPT
  # Don't masquerade the external interface's own network.
  /sbin/ipchains -A forward -s 24.94.1.0/24 -d 0.0.0.0/0 -j ACCEPT
  # Masquerade everything internal that heads outside.
  /sbin/ipchains -A forward -s 192.1.2.0/24 -d 0.0.0.0/0 -j MASQ

  ## Deny everything else. -P only works on the built-in chains, so the
  ## policy goes on input, not on my-chain. (Loopback and the replies to
  ## masqueraded connections still need rules of their own before this is
  ## used on a live box.)
  /sbin/ipchains -P input DENY

  ł߂Ă͂܂B͊ȃt@CAEH[ł͂܂
  AȂ͒񋟂Ă鑼̃T[rX͂łBJԂ܂
  IPCHAINS-HOWTO ǂ݂܂傤B

  y: IPCHAINS-HOWTO {
  <http://www.linux.or.jp/JF/JFdocs/IPCHAINS-HOWTO-1.html> 
  Bz
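The script above accepts a few services and nothing else: loopback, the replies to masqueraded connections and spoofed source addresses are not handled. The following rc.firewall is an added example, not from the HOWTO, for the layout of section 6 (eth0 = 24.94.1.123 on the Internet, eth1 = 192.168.1.1 on a masqueraded 192.168.1.0/24 LAN). It closes the policies before rebuilding the chains, which gives the same protection as the DENY-first trick in section 8 without having to delete the temporary rules afterwards. The masquerade port range 61000:65096 is the kernel default; with DRY_RUN=1 the script prints the ipchains commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the HOWTO): ipchains rc.firewall for the section 6
# layout. Policies go to DENY first, then the chains are rebuilt, so no
# packet is forwarded or accepted half-way through a change.
# DRY_RUN=1 prints the ipchains commands instead of executing them.

EXT_IF=eth0
EXT_IP=24.94.1.123
INT_IF=eth1
INT_NET=192.168.1.0/24
MASQ_PORTS=61000:65096          # kernel default port range for masqueraded sessions
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
DRY_RUN=${DRY_RUN:-0}

# Run (or, in dry-run mode, print) one ipchains command.
ipc() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        "$IPCHAINS" "$@"
    fi
}

fw_start() {
    # 1. Close everything first: from here on new packets are denied until
    #    a rule below accepts them. Output from the firewall itself is allowed.
    ipc -P input DENY
    ipc -P forward DENY
    ipc -P output ACCEPT
    ipc -F input
    ipc -F forward
    ipc -F output

    # 2. Loopback is always fine.
    ipc -A input -i lo -j ACCEPT

    # 3. Anti-spoofing: LAN addresses never arrive on the Internet side, and
    #    only LAN addresses arrive on the LAN side. Log (-l) the violations.
    ipc -A input -i "$EXT_IF" -s "$INT_NET" -l -j DENY
    ipc -A input -i "$INT_IF" -s ! "$INT_NET" -l -j DENY

    # 4. What LAN clients may start: web, secure web, mail, DNS.
    for port in www https smtp; do
        ipc -A input -i "$INT_IF" -p tcp -s "$INT_NET" -d 0.0.0.0/0 "$port" -j ACCEPT
    done
    ipc -A input -i "$INT_IF" -p udp -s "$INT_NET" -d 0.0.0.0/0 domain -j ACCEPT
    ipc -A input -i "$INT_IF" -p tcp -s "$INT_NET" -d 0.0.0.0/0 domain -j ACCEPT

    # 5. Replies from the Internet to masqueraded sessions only: no SYN
    #    (! -y) and only to the masquerade port range on the firewall's
    #    own address, so nothing from outside can open a connection.
    for port in www https smtp domain; do
        ipc -A input -i "$EXT_IF" -p tcp ! -y -s 0.0.0.0/0 "$port" \
            -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
    done
    ipc -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 domain -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
    ipc -A input -i "$EXT_IF" -p icmp -j ACCEPT   # PMTU, unreachables, ping replies

    # 6. Masquerade LAN traffic leaving through the Internet interface; all
    #    other forwarding falls to the DENY policy. Log what reaches the end
    #    of the input chain so the denials show up in syslog.
    ipc -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    ipc -A input -l -j DENY
}

# Stop means "nothing passes", not "everything passes".
fw_stop() {
    ipc -F input
    ipc -F forward
    ipc -F output
    ipc -P input DENY
    ipc -P forward DENY
    ipc -P output DENY
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    "")      ;;   # sourced or run without an argument: only define functions
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```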

  9.   squid vLVCXg[

  squid vLV͎̂Ƃœł܂B ftp://ftp.squid-
  cache.org/pub/ <ftp://ftp.squid-cache.org/pub/>

  SQUID ̊J҂ RedHat  Debian pbP[W񋟂Ă܂B\Ȃ
  pbP[Ŵǂꂩgp܂B

  y: ł SQUID Ƒ啶ŏĂ̂łA{ł
  squid ƂĂ܂̂łӂB

  squid  Cy[WFAQ y[Ŵ͎Ƃɂ܂B
  http://www.squid-cache.org/
  http://www.squid-cache.org/Doc/FAQ/FAQ.html z

  10.  TIS vLVT[oCXg[

  10.1.  \tgEFA肷

  TIS FWTK ͎̂Ƃœł܂B
  http://www.tis.com/research/software/
  <http://www.tis.com/research/software/>

  悤ȊԈႢĂ͂܂B TIS t@C ftp 
  A README ǂłB TIS fwtk ̓T[ỏBfBN
  gɒuĂ܂B

  TIS ́Ȁꏊ
  http://www.tis.com/research/software/fwtk_readme.html
  <http://www.tis.com/research/software/fwtk_readme.html> ӏǂ݁A
  ꂩBfBNĝ̖m点Ă炤ׂɖ{ɓӂ
  (accepted)ƂĎ̃AhXɃ[𑗂悤vĂ
  B fwtk-request@tislabs.com <mailto:fwtk-request@tislabs.com>
  subject ͕svłB TIS ̃VXe̓\[X_E[hł (12 
  ԗL) fBNg̖[ԑĂ܂B

  ̕Ă鎞_ł FWTK ̍ŐVł 2.1 łB

  10.2.  TIS FWTK RpC

  FWTK  Version 2.1 ́Ał̂ǂȒPɃRpCł܂B

  ͂ꂾ!!!

  A make s܂傤B

  10.3.  TIS FWTK CXg[

  make install s܂傤B

  ftHgŃCXg[fBNǵA/usr/local/etc łB
  (͕ύX͂Ă܂) CXg[fBNg͂ƈSȃfB
  NgɕύXł܂B̓ftHg̃fBNg 'chmod 700' 
  ύXĂ܂B

  ŌɃt@CAEH[ݒ肷dcĂ܂B

  10.4.  TIS FWTK ݒ肷

  āAɓ܂B̐VT[rX̌ĂяoVXe
  ɋĂA𐧌䂷e[uȂĂ͂܂B

   TIS FWTK ̃}jAx͂܂B
  mFݒA͂܂肱񂾖A@ɂ
  `܂B

  \O̃t@C܂B

  o  /etc/services

     o  T[rXǂ̃|[gōs邩VXeɒm点B

  o  /etc/inetd.conf

     o  ҂T[rX|[g@ƂɁAĂяovO
        XgăVXeɒm点B

  o  /usr/local/etc/netperm-table

     o  T[rXƋۂĂ҂ FWTK T[rXɒm点B

  FWTK ̋@\gׂɁÃt@C菇ɏ]ĕҏWȂ΂
  ܂B inetd.conf  netperm-table t@C𐳂ݒ肵ȂŃT
  [rXt@CҏWƁAg̃VXeɃANZXłȂȂ
  B

  10.4.1.  netperm-table t@C

  ̃t@C TIS FWTK ̃T[rXɃANZXł҂Rg[
  Bt@CAEH[̗̃gtBbNɂčlȂ΂
  Blbg̊O̐l̓ANZXOɔF؂ׂłAlbg
  [N̓̐l͒Pɒʉ߂悤ɐݒ肷ꍇ܂B

  Ń[UgF؂ł悤ɁAt@CAEH[̓[U
  ID ƃpX[h̃f[^x[Xۊǂ authsrv ƌĂ΂vO
  g܂B netperm-table ̔Fؕ́Af[^x[Xۑꏊ
  ƁAɃANZXłlRg[܂B

  ́ÃT[rXւ̃ANZX~߂Ă܂guɑ܂BS
  Ă̐lANZXł悤ɁA '*' gĂ premit-host sɒӂ
  ĂBƂł悤ɂȂȂ΁A̍s̐ݒ
  .Pp

    #
    # Proxy configuration table
    #
    # Authentication server and client rules
    authsrv:      database /usr/local/etc/fw-authdb
    authsrv:      permit-hosts *
    authsrv:      badsleep 1200
    authsrv:      nobogus true
    # Client Applications using the Authentication server
    *:            authserver 127.0.0.1 114

  f[^x[X邽߁Asu  root ɂȂ܂B
  /var/local/etc ŊǗp[UL^쐬ׂ ./authsrv 𓮂
  BĂ܂B

  FWTK ̕ǂ users  groups @ɂĒׂĂB

      #
      # authsrv
      authsrv# list
      authsrv# adduser admin "Auth DB admin"
      ok - user added initially disabled
      authsrv# ena admin
      enabled
      authsrv# proto admin pass
      changed
      authsrv# pass admin "plugh"
      Password changed.
      authsrv# superwiz admin
      set wizard
      authsrv# list
      Report for users in database
      user   group  longname           ok?    proto   last
      ------ ------ ------------------ -----  ------  -----
      admin         Auth DB admin      ena    passw   never
      authsrv# display admin
      Report for user admin (Auth DB admin)
      Authentication protocol: password
      Flags: WIZARD
      authsrv# ^D
      EOT
      #

  telnet gateway (tn-gw) Rg[͐mɁAŏɐݒs
  ΂Ȃ܂B

  ̗ł́AvCx[glbg[ÑzXgɂ͎g̔F؂ȂŒ
  ߂Ă܂(permit-hosts 19961.2.* -passok) BȂ
  [U̓vLVgׂɁA ID ƃpX[h͂Ȃ΂Ȃ
  ܂ (permit-hosts * -auth)B

  ł͂܂A̕ʂ̃VXe(192.1.2.202)̓t@CAEH[
  ʂȂŁAڃt@CAEH[}Vւ̃ANZXĂ܂B
  inetacl-in.telnetd ss܂Bǂ̂悤ɂĂ̍s
  Ăяo邩͌Ő܂B

  telnet ̃^CAEg͒Zق悢ł傤B

    # telnet gateway rules:
    tn-gw:                denial-msg      /usr/local/etc/tn-deny.txt
    tn-gw:                welcome-msg     /usr/local/etc/tn-welcome.txt
    tn-gw:                help-msg        /usr/local/etc/tn-help.txt
    tn-gw:                timeout 90
    tn-gw:                permit-hosts 192.1.2.* -passok -xok
    tn-gw:                permit-hosts * -auth
    # Only the administrator can telnet directly to the firewall, via port 24.
    netacl-in.telnetd: permit-hosts 192.1.2.202 -exec /usr/sbin/in.telnetd

  The remote commands (rlogin, rcp, rsh and so on) work the same way as
  telnet.

    # rlogin gateway rules -
    rlogin-gw:    denial-msg      /usr/local/etc/rlogin-deny.txt
    rlogin-gw:    welcome-msg     /usr/local/etc/rlogin-welcome.txt
    rlogin-gw:    help-msg        /usr/local/etc/rlogin-help.txt
    rlogin-gw:    timeout 90
    rlogin-gw:    permit-hosts 192.1.2.* -passok -xok
    rlogin-gw:    permit-hosts * -auth -xok
    # Administrators can telnet directly to the firewall through this port.
    netacl-rlogind: permit-hosts 192.1.2.202 -exec /usr/libexec/rlogind -a

  Nobody should be able to access the firewall directly, and that
  includes FTP, so do not put an FTP server on the firewall.

  The permit-hosts lines give everyone inside the protected network free
  access to the Internet, while everyone else must authenticate. I have
  included logging of every file sent and received (-log { retr stor }).

  The ftp timeout controls both how long an idle connection stays open
  and how long it takes to drop a bad connection.

    # ftp gateway rules:
    ftp-gw:               denial-msg      /usr/local/etc/ftp-deny.txt
    ftp-gw:               welcome-msg     /usr/local/etc/ftp-welcome.txt
    ftp-gw:               help-msg        /usr/local/etc/ftp-help.txt
    ftp-gw:               timeout 300
    ftp-gw:               permit-hosts 192.1.2.* -log { retr stor }
    ftp-gw:               permit-hosts * -authall -log { retr stor }

  Web, gopher and browser-based ftp are controlled by http-gw. The first
  two lines create a directory in which ftp and web documents are stored
  while they pass through the firewall. I make these files owned by root
  and put them in a directory that only root can access.

  The Web timeout should be kept short; it controls how long a user waits
  on a bad connection.

    # www and gopher gateway rules:
    http-gw:      userid          root
    http-gw:      directory       /jail
    http-gw:      timeout 90
    http-gw:      default-httpd   www.afs.net
    http-gw:      hosts           192.1.2.* -log { read write ftp }
    http-gw:      deny-hosts      *

  The ssl-gw is just a pass-anything gateway, so be careful with it. In
  this example I allow anyone inside the protected network to connect to
  any server outside the network except the addresses 127.0.0.* and
  192.1.1.*, and then only on ports 443 through 563. Ports 443 and 563 are
  the well-known SSL ports.

    # ssl gateway rules:
    ssl-gw:         timeout 300
    ssl-gw:         hosts           192.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
    ssl-gw:         deny-hosts      *

  Here is an example of how to use plug-gw to connect to a news server.
  In this example I allow anyone inside the protected network to connect
  to only one system, and only to its news port.

  The second line lets the news server pass its data back to the
  protected network.

  Because most clients expect to stay connected while the user reads
  news, the timeout for the news server should be long.

    # NetNews Pluged gateway
    plug-gw:        timeout 3600
    plug-gw: port nntp 192.1.2.* -plug-to 24.94.1.22 -port nntp
    plug-gw: port nntp 24.94.1.22 -plug-to 192.1.2.* -port nntp

  The finger gateway is simple. Anyone inside the protected network must
  log in first and can then run the finger program on the firewall.
  Everyone else just receives the following message.

    # Enable finger service
    netacl-fingerd: permit-hosts 192.1.2.* -exec /usr/libexec/fingerd
    netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

  I have not set up Mail or X Window System services, so I am not
  including examples for them. If anyone has a working example, please
  send it to me by e-mail.
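  The permit-hosts / deny-hosts lines above are only useful if you know
  which one wins for a given client. The following is an added example,
  not FWTK code: a simplified model that assumes rules for a service are
  tried top to bottom, the first pattern matching the client address
  decides, a client matching no rule is refused, and '*' in a dotted quad
  matches any single octet (a bare '*' matches every host).

```python
# Added example (not FWTK code): simplified first-match evaluation of the
# netperm-table host rules discussed in this section. Assumptions: rules for
# a service are tried in file order, the first permit-hosts/hosts/deny-hosts
# pattern matching the client wins, and no match means the client is refused.

# Constructed sample, copied from the rules shown in this section.
SAMPLE_NETPERM = """\
# telnet gateway rules -
tn-gw:                timeout 90
tn-gw:                permit-hosts 192.1.2.* -passok -xok
tn-gw:                permit-hosts * -auth
netacl-in.telnetd:    permit-hosts 192.1.2.202 -exec /usr/sbin/in.telnetd
# www and gopher gateway rules:
http-gw:              hosts           192.1.2.* -log { read write ftp }
http-gw:              deny-hosts      *
"""

# Keywords that take part in the permit/deny decision ("hosts" is the
# http-gw spelling of permit-hosts).
HOST_KEYWORDS = {"permit-hosts": True, "hosts": True, "deny-hosts": False}


def parse_netperm(text):
    """Return {service: [(permitted, pattern, options), ...]} in file order.

    Other keywords (timeout, denial-msg, ...) are skipped: they configure the
    proxy but do not decide who may connect.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or ":" not in line:
            continue
        service, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 2 or fields[0] not in HOST_KEYWORDS:
            continue
        rules.setdefault(service.strip(), []).append(
            (HOST_KEYWORDS[fields[0]], fields[1], fields[2:]))
    return rules


def host_matches(pattern, addr):
    """True if dotted-quad addr matches pattern; '*' wildcards one octet."""
    if pattern == "*":
        return True
    pat, octets = pattern.split("."), addr.split(".")
    if len(pat) != 4 or len(octets) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(pat, octets))


def decide(rules, service, addr):
    """First-match decision for one client: (permitted, options).

    Returns (False, None) when no rule for the service matches, so the model
    fails closed rather than open.
    """
    for permitted, pattern, options in rules.get(service, []):
        if host_matches(pattern, addr):
            return permitted, options
    return False, None


def needs_auth(rules, service, addr):
    """True if the matching rule carries -auth (ID and password required)."""
    permitted, options = decide(rules, service, addr)
    return permitted and "-auth" in (options or [])


if __name__ == "__main__":
    table = parse_netperm(SAMPLE_NETPERM)
    for svc, host in [("tn-gw", "192.1.2.5"), ("tn-gw", "10.9.8.7"),
                      ("netacl-in.telnetd", "192.1.2.5"),
                      ("http-gw", "10.9.8.7")]:
        print(svc, host, decide(table, svc, host), needs_auth(table, svc, host))
```

  The inside host gets -passok without a password prompt, the outside host
  is permitted only with -auth, and a host that matches no rule for
  netacl-in.telnetd is refused.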

  10.4.2.  The /etc/services file

  This is where it all begins. When a client connects to the firewall, it
  connects on a known port (below 1024). For example, telnet connects to
  port 23. The inetd daemon hears the connection and looks up the name of
  the service in the /etc/services file. It then calls the program
  assigned to that name in the /etc/inetd.conf file.

  Some of the services we are creating are not normally listed in the
  /etc/services file. You can assign some of them to any port you wish.
  For example, I have assigned the administrator's telnet port (telnet-a)
  to port 24; you could assign it to port 2323 if you preferred. For the
  administrator (you) to connect directly to the firewall, you must telnet
  to port 24, not port 23, and if you set up your netperm-table file as I
  did, you can do this only from one system inside the protected network.

    telnet-a        24/tcp
    ftp-gw          21/tcp           # this named changed
    auth            113/tcp   ident    # User Verification
    ssl-gw          443/tcp

  11.  SOCKS Proxy Server

  11.1.  Setting up the Proxy Server

  The SOCKS proxy server is available from
  http://www.socks.nec.com/

  Uncompress and untar the files into a directory on your system and
  follow the instructions on how to make it. I had a couple of problems
  when I made it; make sure that your Makefiles are correct.

  One important thing to note is that the proxy server must be added to
  /etc/inetd.conf. To tell the server to run when requested, add the
  following line -

    socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd

  11.2.  Configuring the Proxy Server

  The SOCKS program needs two separate configuration files: one defines
  the access allowed, and the other routes requests to the appropriate
  proxy server. The routing file must be placed on every UNIX machine.
  DOS and, I assume, Macintosh computers will do their own routing.

  11.2.1.  The Access File

  With socks4.2 Beta, the access file is called "sockd.conf". It should
  contain two lines, a permit line and a deny line. Each line has three
  entries:

  o  The Identifier (permit/deny)

  o  The IP address

  o  The address modifier

  The identifier is either permit or deny. You should have both a permit
  line and a deny line.

  The IP address is a four-byte address in the usual dotted-decimal
  notation, for example 192.168.1.0.

  The address modifier is also a four-byte number in IP address form. It
  works like a netmask: think of it as 32 bits, each 1 or 0. Where a bit
  is 1, the corresponding bit of the address being checked must match the
  corresponding bit of the IP address field. For example, the line -

      permit 192.168.1.23 255.255.255.255

  permits only the IP address whose every bit matches 192.168.1.23, that
  is, 192.168.1.23 alone. The line -

      permit 192.168.1.0 255.255.255.0

  permits everyone in the group 192.168.1.0 through 192.168.1.255, the
  whole class C domain. You should not have a line like this -

      permit 192.168.1.0 0.0.0.0

  because it permits every address, regardless.

  So, first permit every address you want to permit, and then deny the
  rest. To allow everyone in the domain 192.168.1.xxx, use -

      permit 192.168.1.0 255.255.255.0
      deny 0.0.0.0 0.0.0.0

  which works nicely. Notice the first "0.0.0.0" in the deny line. With a
  modifier of 0.0.0.0, the IP address field does not matter. All zeros is
  the norm because it is easy to type.

  More than one entry of each kind is allowed.

  Specific users can also be permitted or denied. This is done via ident
  authentication. Not all systems support ident, including Trumpet
  Winsock, so I will not go into it here. The documentation that comes
  with socks covers this subject well.

  11.2.2.  The Routing File

  The routing file in SOCKS has the rather poorly chosen name
  "socks.conf". I say "poorly chosen" because it is so close to the name
  of the access file that the two are easy to confuse.

  The routing file tells the SOCKS clients when to use socks and when not
  to. For instance, in our network, 192.168.1.3 does not need socks to
  talk to 192.168.1.1, the firewall, because it has a direct connection
  over Ethernet. 127.0.0.1, the loopback, is defined automatically; of
  course you do not need SOCKS to talk to yourself. There are three kinds
  of entry:

  o  deny

  o  direct

  o  sockd

  deny tells SOCKS when to reject a request. This entry has the same three
  fields as in sockd.conf: identifier, address and modifier. Since this is
  normally also handled by sockd.conf, the access file, the modifier field
  is usually set to 0.0.0.0. If you want to preclude yourself from calling
  any place at all, you can do it here.

  The direct entry tells which addresses not to use socks for. These are
  all the addresses that can be reached without the proxy server. Again
  we have the three fields: identifier, address and modifier. In our
  example it looks like this:

      direct 192.168.1.0 255.255.255.0

  which goes direct for anyone on our protected network.

  The sockd entry tells the computer which host runs the socks server
  daemon. The syntax is:

    sockd @=<serverlist> <IP address> <modifier>

  Notice the @= entry. This lets you set the IP addresses of a list of
  proxy servers. In our example we use only one proxy server, but you can
  have several to spread a larger load and for redundancy in case of
  failure.

  The IP address and modifier fields work just as in the other examples;
  through them you specify which addresses go where.

  11.2.3.  DNS from behind a Firewall

  Setting up Domain Name Service (DNS) from behind a firewall is a
  relatively simple task. You need only set up DNS on the firewalling
  machine, then configure each machine behind the firewall to use that
  DNS.

  11.3.  Working with a Proxy Server

  11.3.1.  Unix

  To have your applications work with the proxy server, they need to be
  "SOCKSified". You will need two different telnets: one for direct
  communication and one for communication via the proxy server. SOCKS
  comes with instructions on how to SOCKSify a program, as well as a
  couple of pre-SOCKSified programs. If you use the SOCKSified version to
  go somewhere directly, SOCKS automatically switches over to the direct
  version for you. Because of this, we rename all the related programs on
  the protected network and replace them with the SOCKSified programs:
  "finger" becomes "finger.orig", "telnet" becomes "telnet.orig", and so
  on. You must tell SOCKS about each of these in the include/socks.h
  file.

  Certain programs handle routing and SOCKSifying themselves. Netscape is
  one of these: you can use a proxy server under Netscape by entering the
  server's address (192.168.1.1 in our case) in the SOCKS field under
  Proxies. Every application will need at least a little fiddling,
  regardless of how it handles a proxy server.

  11.3.2.  MS Windows with Trumpet Winsock

  Trumpet Winsock has built-in proxy server capabilities. In the "setup"
  menu, enter the IP address of the server and the addresses of all the
  computers that can be reached directly. Trumpet will then handle all
  outgoing packets.

  [Translator's note: Trumpet Winsock is TCP/IP protocol stack software
  for Windows 3.1. See PC-TCPIP-FAQ-J <http://www.naoe.hiroshima-
  u.ac.jp/staffs/hirata/pc-tcpip/> for details.]

  11.3.3.  Getting the Proxy Server to Work with UDP Packets

  The SOCKS package works only with TCP packets, not UDP, which makes it
  somewhat less useful. Many useful programs, such as talk and Archie,
  use UDP. Tom Fitzgerald <fitz@wang.com> has written a package called
  UDP relay, designed to act as a proxy server for UDP packets.
  Unfortunately, at the time of this writing, it is not compatible with
  Linux.

  11.4.  Drawbacks of Proxy Servers

  A proxy server is, above all, a security device. Using it to increase
  Internet access with a limited number of IP addresses has many
  drawbacks. A proxy server allows greater access from inside the
  protected network to the outside, but keeps the inside completely
  inaccessible from the outside. This means no servers, no talk or archie
  connections, and no direct mail to the inside computers. These
  drawbacks might seem slight, but think of it this way:

  o  You have left a report you are working on on a computer inside the
     firewalled network. You are at home and decide you would like to go
     over it. You cannot: the computer is behind the firewall. You try to
     log in to the firewall first, but since everyone reaches it through
     the proxy server, nobody has set up an account for you on the
     firewall machine.

  o  Your daughter goes to college. You want to e-mail her. You have
     private things to discuss and would rather have your mail sent
     directly to your machine. You trust your system administrator
     completely, but still, this is private mail.

  o  The inability to use UDP packets is a big drawback of proxy servers.
     I imagine UDP capability will be coming shortly.

  FTP causes another problem with a proxy server. When getting a file or
  doing an ls, the FTP server opens a socket on the client machine and
  sends the information through it. A proxy server will not allow this,
  so FTP does not work well in that case.

  Also, proxy servers are slow. Because of the greater overhead, almost
  any other means of getting this access will be faster.

  Basically, if you have the IP addresses and you are not worried about
  security, do not use a firewall and/or proxy servers. If you do not have
  the IP addresses, but are also not worried about security, you might
  also want to look at an IP emulator such as Term, Slirp or TIA. Term is
  available from ftp://sunsite.unc.edu <ftp://sunsite.unc.edu>, Slirp
  from ftp://blitzen.canberra.edu.au/pub/slirp
  <ftp://blitzen.canberra.edu.au/pub/slirp>, and TIA from
  marketplace.com.

  These packages run faster, allow better connections and provide a
  greater level of access to the inside network from the Internet. Proxy
  servers take little time to set up and maintain, so they are convenient
  for networks with many hosts that want to get onto the Internet
  quickly.

  12.  Advanced Configurations

  There is one configuration I would like to go over before wrapping up.
  The one I have just outlined will probably suffice for most people.
  However, I think the next outline shows a more advanced configuration
  that can clear up some questions. If you have questions beyond what I
  have just covered, or are interested in how versatile proxy servers and
  firewalls can be, read on.

  12.1.  A Large Network with Emphasis on Security

  Say, for instance, you are the leader of a militia called millisha and
  you want to network your site. You have 50 computers and a subnet of 32
  (5 bits) IP numbers. Because you tell your followers different things,
  you need various levels of access within your network. Therefore, you
  will need to protect certain parts of the network from the rest.

  The levels are -

  1. The external level. This is the level everyone gets to see. It is
     where you put on a loud, inflammatory show in public to attract new
     recruits and to polish your image.

  2. Troop(s): the level for people who have got past the external level.
     Here you teach them about the evil ways of governments and how to
     make bombs.

  3. Mercenary: this is where the real plans are kept. This level holds
     all the information: how to take over the world, the real truth
     behind various secrets, and so on.

     [Translator's note: the original is an American joke and has been
     rendered loosely. The original reads - Here is where the real plans
     are keep. In this level is stored all the information on how the 3rd
     world government is going to take over the world, your plans
     involving Newt Gingrich, Oklahoma City, lown care products and what
     really is stored in that hangers at area 51.]

  12.1.1.  The Network Setup

  The IP numbers are allotted as follows -

  o  Number 1, 192.168.1.255, is the broadcast address and cannot be
     used.

  o  23 of the 32 IP addresses are assigned to 23 machines that will be
     accessible from the Internet.

  o  1 extra IP address goes to a Linux box on that network.

  o  1 extra IP address goes to a different Linux box on that network.

  o  2 IP addresses go to the router.

  o  4 are left over, but they get the domain names paul, ringo, john and
     george just to confuse things a bit.

  o  The protected networks both have addresses 192.168.1.xxx.

  Then two separate networks are built, each in a different room. The two
  networks are connected via infrared Ethernet, which renders them
  completely invisible to the outside room. Luckily, infrared Ethernet
  works just like normal Ethernet.

  Each of these networks is connected to one of the Linux boxes with an
  extra IP address.

  There is a file server connecting the two protected networks, because
  the plans for taking over the world involve some of the higher Troops.
  The file server holds the address 192.168.1.17 for the Troop network
  and 192.168.1.23 for the Mercenary network. It must have different IP
  addresses because it needs different Ethernet cards. IP forwarding on
  it is turned off.

  IP forwarding on both Linux boxes is also turned off. The router will
  not forward packets destined for 192.168.1.xxx unless explicitly told
  to, so the Internet cannot get in. Turning off IP forwarding here means
  that packets from the Troop network cannot reach the Mercenary network,
  and vice versa.

  The NFS server can also be set up to offer different files to the
  different networks. This can come in handy, and with a little trickery
  with symbolic links the common files can be shared with all. Using this
  setup and one more Ethernet card, this one file server can serve files
  to all three networks.

  12.1.2.  The Proxy Setup

  Now, since all three levels want to be able to monitor the network for
  their own devious purposes, all three need network access. The external
  network is connected directly to the Internet, so there is no need to
  bother with a proxy server there. The Mercenary and Troop networks are
  behind firewalls, so proxy servers must be set up for them.

  Both networks will be set up very similarly. They have the same IP
  addresses assigned to them. I will throw in a couple of extra
  conditions, just to make things more interesting:

  1. No one may use the file server for Internet access. Exposing the
     file server to viruses and other nasty things is unacceptable
     because it is so important, so this is forbidden.

  2. Access to the World Wide Web is not allowed from the Troop network.
     They are in training, and this kind of information-retrieval power
     might prove to be damaging.

  So, the sockd.conf file on the Troop Linux box will have this line -

      deny 192.168.1.17 255.255.255.255

  and on the Mercenary machine -

      deny 192.168.1.23 255.255.255.255

  In addition, the Troop Linux box will have this line -

      deny 0.0.0.0 0.0.0.0 eq 80

  This denies (deny) all machines trying to access the port equal (eq) to
  80, the http port. All other services are still allowed; only Web
  access is denied.

  ɁÃ}Ṽt@Cɂ -

      permit 192.168.1.0 255.255.255.0

  which allows all computers on the 192.168.1.xxx network to use this
  proxy server, except for those already denied (that is, the file server
  and Web access from the Troop network).

  The whole Troop sockd.conf file will look like this -

      deny 192.168.1.17 255.255.255.255
      deny 0.0.0.0 0.0.0.0 eq 80
      permit 192.168.1.0 255.255.255.0

  and the whole Mercenary file like this -

      deny 192.168.1.23 255.255.255.255
      permit 192.168.1.0 255.255.255.0

  This should have everything configured correctly. Each network is
  isolated appropriately, with the right amount of interaction allowed.
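  The first-match rules of section 11.2.1 and the Troop/Mercenary files
  above are easy to get wrong by hand. The following is an added example,
  not part of the SOCKS package: an evaluator that applies the modifier as
  a netmask, honours an "eq 80"-style destination-port clause, and denies
  a request that matches no line. It assumes lines are tried top to
  bottom (the real sockd.conf also accepts a destination address and mask,
  which these examples do not use and the model omits).

```python
# Added example (not part of SOCKS): first-match evaluation of the sockd.conf
# access file as described in sections 11.2.1 and 12.1.2. Assumptions: lines
# are tried in file order, the modifier is a netmask on the client address,
# "eq|neq|lt|gt|le|ge <port>" tests the destination port, and a request that
# matches no line is denied.
import ipaddress
import operator

PORT_OPS = {"eq": operator.eq, "neq": operator.ne, "lt": operator.lt,
            "gt": operator.gt, "le": operator.le, "ge": operator.ge}

# Constructed sample files, copied from the Troop and Mercenary examples.
TROOP_SOCKD_CONF = """\
deny 192.168.1.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.1.0 255.255.255.0
"""
MERCENARY_SOCKD_CONF = """\
deny 192.168.1.23 255.255.255.255
permit 192.168.1.0 255.255.255.0
"""


def parse_sockd_conf(text):
    """Return a list of (permit, address_int, mask_int, port_test) tuples.

    port_test is None or (comparison function, port number).
    """
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()     # ignore comments, blanks
        if not fields:
            continue
        if fields[0] not in ("permit", "deny") or len(fields) < 3:
            raise ValueError("bad sockd.conf line: %r" % raw)
        addr = int(ipaddress.IPv4Address(fields[1]))
        mask = int(ipaddress.IPv4Address(fields[2]))
        port_test = None
        if len(fields) >= 5 and fields[3] in PORT_OPS:
            port_test = (PORT_OPS[fields[3]], int(fields[4]))
        rules.append((fields[0] == "permit", addr, mask, port_test))
    return rules


def allowed(rules, client, dst_port):
    """First-match decision for a client address and destination port."""
    client_int = int(ipaddress.IPv4Address(client))
    for permit, addr, mask, port_test in rules:
        if (client_int & mask) != (addr & mask):
            continue                      # address part does not match
        if port_test and not port_test[0](dst_port, port_test[1]):
            continue                      # port clause does not match
        return permit
    return False                          # nothing matched: deny


def matches_everything(rule):
    """True for a line with modifier 0.0.0.0, which the text warns about."""
    return rule[2] == 0


if __name__ == "__main__":
    troop = parse_sockd_conf(TROOP_SOCKD_CONF)
    for client, port in [("192.168.1.17", 23), ("192.168.1.5", 80),
                         ("192.168.1.5", 23), ("10.0.0.1", 23)]:
        print("troop", client, port, allowed(troop, client, port))
```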

  13.  Making Management Easy

  13.1.  Firewall Tools

  There are several software packages that make managing your firewall
  easier.

  Be careful: do not use these tools unless you could also manage without
  them. These scripts help you get the management right, but they make it
  just as easy to get it wrong.

  Graphical and web-based interfaces are being developed to work with
  Linux's filtering rules. Some companies have even created commercial
  firewalls by putting Linux in their own box with their own management
  programs. (Nice.)

  I am not really a GUI person, but I have been using firewalls with GUI
  interfaces for some time. I have found they help by providing a nice
  report of all the rules in one place that is easy to read.

  gfcc (GTK+ Firewall Control Center) is a GTK+ application that controls
  Linux firewall policies and rules based on the ipchains package. Go to
  http://icarus.autostock.co.kr <http://icarus.autostock.co.kr/> and
  download your copy. This is a really good tool.

  Appendix A contains RC scripts. These scripts work even without gfcc.

  Several scripts are available for setting up a firewall. A very
  complete script is at
  http://www.jasmine.org.uk/~simon/bookshelf/papers/instant-
  firewall/instant-firewall.html
  <http://www.jasmine.org.uk/~simon/bookshelf/papers/instant-
  firewall/instant-firewall.html>. Another fairly popular script is at
  http://www.pointman.org/ <http://www.pointman.org/>.

  Kfirewall is a GUI front end for ipchains or ipfwadm (depending on the
  kernel version you use).
  http://megaman.ypsilonia.net/kfirewall/
  <http://megaman.ypsilonia.net/kfirewall/>

  FCT is an HTML-based tool for configuring a firewall. It generates
  scripts of IP filtering commands (ipfwadm) for a firewall with multiple
  interfaces and any Internet services.
  http://www.fen.baynet.de/~ft114/FCT/firewall.htm
  <http://www.fen.baynet.de/~ft114/FCT/firewall.htm>

  13.2.  General Tools

  WebMin is a general system administration package. It will not help you
  manage firewall rules, but it will help with starting and stopping
  daemons and processes. This program is VERY good; I am hoping J. Cameron
  will include a module for IPCHAINS. http://www.webmin.com/
  <http://www.webmin.com/>

  If you are an ISP you may want to know about IPFA (IP Firewall
  Accounting) http://www.soaring-bird.com/ipfa/
  <http://www.soaring-bird.com/ipfa/>. It keeps per hour/day/month logs
  and has a web-based GUI management menu.

  14.  Defeating a Proxy Firewall

  Because so many people never give security a second thought, I would
  like to point out how easy it is to defeat a proxy firewall.

  After all the work you have done following this document, you have a
  secure server and network. You have a DMZ, nobody can get into the
  network, and you log every connection going out of it. Your users go
  through a proxy to connect to the Internet; nobody can connect to the
  Internet directly.

  Then one of your users, wanting a connection of their own, discovers
  httptunnel <http://www.nocrew.org/software/httptunnel.html>. httptunnel
  creates a virtual data path tunnelled inside HTTP requests, so that
  protocols other than HTTP pass through. If they can send HTTP requests,
  they can do this through the HTTP proxy.

  Next, they install a Virtual Private Network (vpn) on their own home
  system. See http://sunsite.auc.dk/vpnd/ <http://sunsite.auc.dk/vpnd/>.

  Then they simply turn on IP forwarding on the NT system at home.

  Finally, they change the default gateway on a workstation inside the
  private LAN to point at the new path to the Internet.

  Now they can go anywhere they want from that workstation. The only
  thing the firewall administrator will see is a very long DNS lookup
  connection.

  Rule the world!

  15.  APPENDIX A - Example Scripts

  15.1.  RC Script for GFCC

  #!/bin/bash
  #
  # Firewall Script - Version 0.9.1
  #
  # chkconfig: 2345 09 99
  # description: Firewall script for 2.2.x kernels
  # Add -x to the first line when testing.
  #
  # Notes -
  #
  # This script was written for RedHat 6.0 and later.
  #
  # Be careful if you provide public services such as web or ftp
  # servers.
  #
  # Installation -
  #  1. Put this file in /etc/rc.d/init.d
  #     (you will need to be root...)
  #     Name it something like "firewall"    :-)
  #     Make it owned by root -->  "chown root.root (file)"
  #     Make it executable    -->  "chmod 755 (file)"
  #
  #  2. Use GFCC to generate your firewall rules and export
  #     the file to /etc/gfcc/rules/firewall.rule.sh.
  #
  #  3. Add the firewall to the RedHat init scripts
  #     --> "chkconfig --add (file)"
  #     The firewall service should now start automatically the next
  #     time the router boots!
  #     It now runs *just before* networking is started rather than with
  #     it, so keep that in mind.
  #
  # Release notes
  #   30 Jan, 2000 - Changed to a GFCC script
  #   11 Dec, 1999 - Updated by Mark Grennan <mark@grennan.com>
  #   20 July, 1999 - Original work - Anthony Ball <tony@LinuxSIG.org>
  #

  ################################################

  # Public (Internet-facing) interface used by the "test" target below.
  # (Added so $PUBLIC is defined; the original script left it unset.)
  PUBLIC=ppp0

  # Load the function library.
  . /etc/rc.d/init.d/functions

  # Load the network configuration.
  . /etc/sysconfig/network

  # Check that networking is up.
  [ ${NETWORKING} = "no" ] && exit 0

  # See how we were called.
  case "$1" in

    start)
          # Start providing access.
          action "Starting firewall: " /bin/true
          /etc/gfcc/rules/firewall.rule.sh
          action "Loading firewall modules: " /bin/true
  #       /sbin/insmod ip_masq_autofw
  #       /sbin/insmod ip_masq_suseeme
          /sbin/insmod ip_masq_ftp
          /sbin/insmod ip_masq_irc
  #       /sbin/insmod ip_masq_mfw
  #       /sbin/insmod ip_masq_portfw
  #       /sbin/insmod ip_masq_quake
          /sbin/insmod ip_masq_raudio
  #       /sbin/insmod ip_masq_user
  #       /sbin/insmod ip_masq_vdolive
          echo
          ;;

    stop)
          action "Stoping firewall: " /bin/true
          echo 0 > /proc/sys/net/ipv4/ip_forward
          /sbin/ipchains -F input
          /sbin/ipchains -F output
          /sbin/ipchains -F forward

          echo
          ;;

    restart)
          action "Restarting firewall: " /bin/true
          $0 stop
          $0 start

          echo
          ;;

    status)
          # Show the current rules for testing.
          /sbin/ipchains -L
          ;;

    test)
          action "Test Mode firewall: " /bin/true
          /sbin/ipchains -F input
          /sbin/ipchains -F output
          /sbin/ipchains -F forward
          echo 1 > /proc/sys/net/ipv4/ip_forward
          /sbin/ipchains -A input -j ACCEPT
          /sbin/ipchains -A output -j ACCEPT
          /sbin/ipchains -P forward DENY
          /sbin/ipchains -A forward -i $PUBLIC -j MASQ

          echo
          ;;

    *)
          echo "Usage: $0 {start|stop|restart|status|test}"
          exit 1

  esac

  15.2.  GFCC Script

  This script was generated by the Graphical Firewall program (GFCC). It
  is not the running rule set; it is the exported rule set.

  #!/bin/sh
  # Generated by Gtk+ Firewall Control Center.

  IPCHAINS=/sbin/ipchains

  localnet="192.168.1.0/24"
  firewallhost="192.168.1.1/32"
  localhost="127.0.0.0/8"     # loopback network (the export had 172.0.0.0/8, which does not cover 127.0.0.1)
  DNS1="24.94.163.119/32"
  DNS2="24.94.163.124/32"
  Broadcast="255.255.255.255/32"
  Multicast="224.0.0.0/8"
  Any="0.0.0.0/0"
  mail_grennan_com="192.168.1.1/32"
  mark_grennan_com="192.168.1.3/32"

  $IPCHAINS -P input DENY
  $IPCHAINS -P forward ACCEPT
  $IPCHAINS -P output ACCEPT

  $IPCHAINS -F
  $IPCHAINS -X

  # input rules
  $IPCHAINS -A input -s $Any -d $Broadcast -j DENY
  $IPCHAINS -A input -p udp -s $Any -d $Any netbios-ns -j DENY
  $IPCHAINS -A input -p tcp -s $Any -d $Any netbios-ns -j DENY
  $IPCHAINS -A input -p udp -s $Any -d $Any netbios-dgm -j DENY
  $IPCHAINS -A input -p tcp -s $Any -d $Any netbios-dgm -j DENY
  $IPCHAINS -A input -p udp -s $Any -d $Any bootps -j DENY
  $IPCHAINS -A input -p udp -s $Any -d $Any bootpc -j DENY
  $IPCHAINS -A input -s $Multicast -d $Any -j DENY
  $IPCHAINS -A input -s $localhost -d $Any -i lo -j ACCEPT
  $IPCHAINS -A input -s $localnet -d $Any -i eth1 -j ACCEPT
  $IPCHAINS -A input -s $localnet -d $Broadcast -i eth1 -j ACCEPT
  $IPCHAINS -A input -p icmp -s $Any -d $Any -j ACCEPT
  $IPCHAINS -A input -p tcp -s $Any -d $Any -j ACCEPT ! -y
  $IPCHAINS -A input -p udp -s $DNS1 domain -d $Any 1023:65535 -j ACCEPT
  $IPCHAINS -A input -p udp -s $DNS2 domain -d $Any 1023:65535 -j ACCEPT
  $IPCHAINS -A input -p tcp -s $Any -d $Any ssh -j ACCEPT
  $IPCHAINS -A input -p tcp -s $Any -d $Any telnet -j ACCEPT
  $IPCHAINS -A input -p tcp -s $Any -d $Any smtp -j ACCEPT
  $IPCHAINS -A input -p tcp -s $Any -d $Any pop-3 -j ACCEPT
  $IPCHAINS -A input -p tcp -s $Any -d $Any auth -j ACCEPT
  $IPCHAINS -A input -p tcp -s $Any -d $Any www -j ACCEPT
  $IPCHAINS -A input -p tcp -s $Any -d $Any ftp -j ACCEPT
  $IPCHAINS -A input -s $Any -d $Any -j DENY -l

  # forward rules
  $IPCHAINS -A forward -s $localnet -d $Any -j MASQ

  # output rules

  15.3.  RC Script without GFCC

  This is the rule set for a firewall built by hand. GFCC is not used.

  #!/bin/bash
  #
  # Firewall Script - Version 0.9.0

  # chkconfig: 2345 09 99
  # description: Firewall script for 2.2.x kernels

  # Add -x to the first line when testing.

  #
  # Notes -
  #
  # This script was written for RedHat 6.0 and later.
  #
  #  This firewall script should work on most routers that use a dialup
  #  or cable modem connection.
  #  It was created for the RedHat distribution.
  #
  #  Be careful if you provide public services such as web or ftp servers.
  #
  # Installation -
  #  1. This file was made for RedHat systems. It will probably work as-is
  #     on other distributions, but you should check once.
  #     Did it stop working?!!?
  #     The steps below apply to RedHat systems.
  #
  #  2. Put this file in /etc/rc.d/init.d (you will need to be root...)
  #     Name it something like "firewall"    :-)
  #     Make it owned by root -->  "chown root.root <file>"
  #     Make it executable    -->  "chmod 755 <file>"
  #
  #  3. Configure the network, the interfaces used and the DNS servers.
  #     Enable any extra services by uncommenting the lines below them.
  #     Check that "eth0" is the NIC in use (otherwise change it to your
  #     system's network interface).
  #     To test       -->  "/etc/rc.d/init.d/<file> start"
  #     To list rules -->  "ipchains -L -n"
  #     If there is a problem, fix it...  :-)
  #
  #  4. Add the firewall to the RedHat init scripts
  #                                     --> "chkconfig --add <file>"
  #     The firewall service should now start automatically the next
  #     time the router boots!
  #     It now runs *just before* networking is started rather than with
  #     it, so keep that in mind.
  #
  # Release notes
  #   20 July, 1999 - Original work - Anthony Ball <tony@LinuxSIG.org>
  #   11 Dec, 1999 - Updated by Mark Grennan <mark@grennan.com>
  #

  ################################################
  #  Fill in the values appropriate for your local network.

  PRIVATENET=xxx.xxx.xxx.xxx/xx

  PUBLIC=ppp0
  PRIVATE=eth0

  # Your DNS servers
  DNS1=xxx.xxx.xxx.xxx
  DNS2=xxx.xxx.xxx.xxx

  ################################################
  # General-purpose values used in the network rules.
  ANY=0.0.0.0/0
  ALLONES=255.255.255.255

  # Load the function library.
  . /etc/rc.d/init.d/functions

  # Load the network configuration.
  . /etc/sysconfig/network

  # Check that networking is up.
  [ ${NETWORKING} = "no" ] && exit 0

  # See how we were called.
  case "$1" in

    start)
          # Start providing access.
          action "Starting firewall: " /bin/true

          ##
          ## Setup
          ##
          # Flush the rules from all chains.
          /sbin/ipchains -F input
          /sbin/ipchains -F output
          /sbin/ipchains -F forward

          # Plug the input chain so that every port is closed while
          # the rules are being set up.
          /sbin/ipchains -I input 1 -j DENY

          # Set the policies to DENY (the default is ACCEPT).
          /sbin/ipchains -P input DENY
          /sbin/ipchains -P output ACCEPT
          /sbin/ipchains -P forward ACCEPT

          # Enable packet forwarding.
          echo 1 > /proc/sys/net/ipv4/ip_forward

          ##
          ## Module installation
          ##
          # Load the active ftp module so that machines on the local
          # network can use passive ftp.
          # (The router itself is excluded, as it is not masqueraded.)
          if ! ( /sbin/lsmod | /bin/grep masq_ftp > /dev/null ); then
              /sbin/insmod ip_masq_ftp
          fi

          ##
          ## Security
          ##
          # Turn on source address verification and spoofing protection
          # for every network interface, including any brought up
          # later.
          #
          #
          if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
              for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                  echo 1 > $f
              done
          else
              echo
              echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED."
              echo
          fi

          # Deny broadcasts on all network interfaces.
          /sbin/ipchains -A input -d 0.0.0.0 -j DENY
          /sbin/ipchains -A input -d 255.255.255.255 -j DENY

          # Deny the following without logging them.
          /sbin/ipchains -A input -p udp -d $ANY 137 -j DENY   # NetBIOS over IP
          /sbin/ipchains -A input -p tcp -d $ANY 137 -j DENY   #   ""
          /sbin/ipchains -A input -p udp -d $ANY 138 -j DENY   #   ""
          /sbin/ipchains -A input -p tcp -d $ANY 138 -j DENY   #   ""
          /sbin/ipchains -A input -p udp -d $ANY 67 -j DENY    # bootp
          /sbin/ipchains -A input -p udp -d $ANY 68 -j DENY    #   ""
          /sbin/ipchains -A input -s 224.0.0.0/8 -j DENY       # Multicast addresses

          ##
          ## Allow packets originating from the private network.
          ##
          # Allow all packets on the loopback interface.
          /sbin/ipchains -A input -i lo -j ACCEPT

          # Allow all packets originating from the "trusted"
          # interface.
          /sbin/ipchains -A input -i $PRIVATE -s $PRIVATENET -d $ANY -j ACCEPT
          /sbin/ipchains -A input -i $PRIVATE -d $ALLONES -j ACCEPT

          ##
          ## Allow services on the firewall to the outside.
          ##
          # Allow ICMP.
          /sbin/ipchains -A input -p icmp -j ACCEPT
          # Allow TCP.
          # [Translator's note: allows everything except tcp syn packets.]
          /sbin/ipchains -A input -p tcp ! -y -j ACCEPT

          # Allow DNS lookups (by the firewall).
          /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY 1023: -j ACCEPT
          /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY 1023: -j ACCEPT
          # Or, if a caching DNS server runs on the router, use the
          # following lines instead of the ones above.
          # /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY domain -j ACCEPT
          # /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY domain -j ACCEPT

          # The following line allows ssh.
          /sbin/ipchains -A input -p tcp -d $ANY 22 -j ACCEPT

          # The following line allows telnet. (Not recommended!!)
          /sbin/ipchains -A input -p tcp -d $ANY telnet -j ACCEPT

          # The following line allows NTP (network time protocol) on
          # the router.
          # /sbin/ipchains -A input -p udp -d $ANY ntp -j ACCEPT

          # Allow SMTP. (Not for mail clients - this is for a server.)
          /sbin/ipchains -A input -p tcp -d $ANY smtp -j ACCEPT

          # Allow POP3. (For mail clients.)
          /sbin/ipchains -A input -p tcp -d $ANY 110 -j ACCEPT

          # Allow the auth protocol, used when receiving mail or for
          # ftp access.
          /sbin/ipchains -A input -p tcp -d $ANY auth -j ACCEPT

          # Allow HTTP access from outside.
          # (Only if a web server runs on the router.)
          /sbin/ipchains -A input -p tcp -d $ANY http -j ACCEPT
          # Allow FTP access from outside.
          /sbin/ipchains -A input -p tcp -d $ANY ftp -j ACCEPT

          ##
          ## Masquerading
          ##
          # Masquerade packets forwarded from the internal network.
          /sbin/ipchains -A forward -s $PRIVATENET -d $ANY -j MASQ

          ##
          ## Deny everything else and log it to /var/log/messages.
          ##
          /sbin/ipchains -A input -l -j DENY

          # Remove the plug we put in the input chain.
          /sbin/ipchains -D input 1

          ;;

    stop)
          action "Stoping firewall: " /bin/true
          echo 0 > /proc/sys/net/ipv4/ip_forward
          /sbin/ipchains -F input
          /sbin/ipchains -F output
          /sbin/ipchains -F forward

          echo
          ;;

    restart)
          action "Restarting firewall: " /bin/true
          $0 stop
          $0 start

          echo
          ;;

    status)
          # Show the current rules for testing.
          /sbin/ipchains -L
          ;;

    test)
          ##
          ## A very simple firewall test.
          ## (*Not at all* secure.)
          ## [Translator's note: removes every packet-filtering rule and
          ## enables only masquerading. Do not leave this setting in
          ## place for long.]
          action "WARNING Test Firewall: " /bin/true
          /sbin/ipchains -F input
          /sbin/ipchains -F output
          /sbin/ipchains -F forward
          echo 1 > /proc/sys/net/ipv4/ip_forward
          /sbin/ipchains -A input -j ACCEPT
          /sbin/ipchains -A output -j ACCEPT
          /sbin/ipchains -P forward DENY
          /sbin/ipchains -A forward -i $PUBLIC -j MASQ

          echo
          ;;

    *)
          echo "Usage: $0 {start|stop|restart|status|test}"
          exit 1

  esac

  16.  APPENDIX B - VPN RC Script for RedHat

  #!/bin/sh
  #
  # vpnd            This shell script takes care of starting and
  #                 stopping vpnd (Virtual Private Network
  #                 connections).
  #
  # chkconfig: - 96 96
  # description: vpnd
  #

  # Load the function library.
  . /etc/rc.d/init.d/functions

  # Load the network configuration.
  . /etc/sysconfig/network

  # Check that networking is up.
  [ ${NETWORKING} = "no" ] && exit 0

  [ -f /usr/sbin/vpnd ] || exit 0

  [ -f /etc/vpnd.conf ] || exit 0

  RETVAL=0

  # See how we were called.
  case "$1" in
    start)
          # Start the daemon.
          echo -n "Starting vpnd: "
          daemon vpnd
          RETVAL=$?
          [ $RETVAL -eq 0 ] && touch /var/lock/subsys/vpnd
          echo
          ;;
    stop)
          # Stop the daemon.
          echo -n "Shutting down vpnd: "
          killproc vpnd
          RETVAL=$?
          [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/vpnd
          echo
          ;;
    restart)
          $0 stop
          $0 start
          ;;
    *)
          echo "Usage: vpnd {start|stop|restart}"
          exit 1
  esac

  exit $RETVAL

  17.  About the Japanese Translation

  This document is the Japanese translation of the Firewalling and Proxy
  Server HOWTO v0.83, August 21, 2000.

  v0.4, 8 November 1996 was translated into Japanese by [name garbled in
  source] <isle@st.rim.or.jp>. (1997/03/26)

  Firewalling and Proxy Server HOWTO v0.83, August 21, 2000
  Japanese translation: September 22, 2001
  JF Project "Team Firewall" translators (in chapter order):

  o  Chapter 1: [name garbled in source] <jn7vvc@hkg.odn.ne.jp>,
     [name garbled in source] <matsuda@palnet.or.jp>

  o  Chapters 2 to 4: [name garbled in source] <matsuda@palnet.or.jp>

  o  Chapters 5 to 11: [name garbled in source]
     <jeanne@mbox.kyoto-inet.or.jp>

  o  Chapters 12 to 16: [name garbled in source] <hng@ps.ksky.ne.jp>

  In translating this document, the following people gave advice and
  proofread the text (listed in Japanese syllabary order). Thank you very
  much.

  Chapters 1 to 4

  o  MATSUDA Yoh-ichi  <matsuda@palnet.or.jp>

  o  MIZUHARA Bun  <mizuhara@acm.org>

  o  NAKANO Takeo  <nakano@apm.seikei.ac.jp>

  o  TAKEI Nobumitsu  <takei@webmasters.gr.jp>

  o  OBATA Noboru  <obata-ml@bk.iij4u.or.jp>

  Chapters 5 to 11

  o  NAKANO Takeo  <nakano@apm.seikei.ac.jp>

  o  TAKEI Nobumitsu  <takei@webmasters.gr.jp>

  o  HAYAKAWA Hitoshi  <uv9h-hykw@asahi-net.or.jp>

  o  Seiji Kaneko  <se-kane@str.hitachi.co.jp>

  o  kanjikanji  <kanjikanji@club-internet.fr>

  Chapters 12 to 16

  o  [name garbled in source] <trueheart@anet.ne.jp>

  o  Seiji Kaneko <skaneko@a2.mbn.or.jp>

  o  Hiro YAMAZAKI <hiro@linux.or.jp>

  o  Konkiti <konkiti@lares.dti.ne.jp>

  o  [name garbled in source] <kgh12351@nifty.ne.jp>

  o  Masaharu Goto   <magotou@fubyshare.gr.jp>

  o  Keitaro Yosimura  <ramsy@linux.or.jp>

  o  Tsutomu Kawashima  <kawawa@mail.interq.or.jp>

  o  NAKANO Takeo  <nakano@apm.seikei.ac.jp>
