
FB-ipfwの変更点

!IPFW 
 ##############################################################
 ##
 firewall_enable="YES"
 firewall_type="/etc/ipfw.conf"
 #
 ##############################################################
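Review bot: `firewall_type="/etc/ipfw.conf"` on the fourth line makes rc.firewall hand that path to `ipfw` as a plain rule file, not run it as a shell script; if this is meant to load the `#!/bin/sh` sample below (which relies on `$IPFWC` expansion and `ipfw -q -f flush`), that sample will not be executed through this setting. The rc.conf variable for a custom script is `firewall_script`, so the intended line is probably `firewall_script="/etc/ipfw.conf"` — worth confirming against the target FreeBSD release's rc.conf(5). Either way a one-line comment above the setting naming which form the file is in (rule list vs. script) would save the next reader the same confusion.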

!IPFW sample
 
 #!/bin/sh
 
 IPFWC="/sbin/ipfw -q add"
 ipfw -q -f flush
 
 #loopback
 $IPFWC 10 allow all from any to any via lo0
 $IPFWC 20 deny all from any to 127.0.0.0/8
 $IPFWC 30 deny all from 127.0.0.0/8 to any
 $IPFWC 40 deny tcp from any to any frag
  
 # statefull
 $IPFWC 50 check-state
 $IPFWC 60 allow tcp from any to any established
 $IPFWC 70 allow all from any to any out keep-state
 $IPFWC 80 allow icmp from any to any
 
 ## ftp (20,21) ports
 $IPFWC 100 allow tcp from any to any 20 in
 $IPFWC 110 allow tcp from any to any 20 out
 $IPFWC 120 allow tcp from any to any 21 in
 $IPFWC 130 allow tcp from any to any 21 out
 ## ssh (22) ports
 $IPFWC 140 allow tcp from any to any 22 in
 $IPFWC 150 allow tcp from any to any 22 out
 ## mail(25) ports
 $IPFWC 160 allow tcp from any to any 25 in
 $IPFWC 170 allow tcp from any to any 25 out
 ## domain(53) ports // DNS
 $IPFWC 180 allow udp from any to any 53 in
 $IPFWC 185 allow tcp from any to any 53 in
 $IPFWC 190 allow udp from any to any 53 out
 $IPFWC 195 allow tcp from any to any 53 out
 ## http(80) ports
 $IPFWC 200 allow tcp from any to any 80 in
 $IPFWC 210 allow tcp from any to any 80 out
 # $IPFWC 240 allow tcp from any to any 443 in
 # $IPFWC 250 allow tcp from any to any 443 out
 ## ntp(123) ports
 $IPFWC 1010 allow tcp from any to any 123 in
 $IPFWC 1020 allow tcp from any to any 123 out
 ## https(443)
 $IPFWC 1030 allow tcp from any to any 443 in
 $IPFWC 1040 allow tcp from any to any 443 out
 ## submission( 587 ) ports
 $IPFWC 1050 allow tcp from any to any 587 in
 $IPFWC 1060 allow tcp from any to any 587 out
 ## imaps(993)
 # $IPFWC 1070 allow tcp from any to any 993 in
 # $IPFWC 1080 allow tcp from any to any 993 out
 
 $IPFWC 1050 allow tcp from any to any 587 in
 $IPFWC 1060 allow tcp from any to any 587 out
 
 
 # deny and log everything
 $IPFWC 9000 deny log all from any to any
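Review bot: The two `$IPFWC 1050` / `$IPFWC 1060` lines near the end repeat the submission (587) rules already added above, and `ipfw add` accepts repeated rule numbers, so the live ruleset ends up with duplicate rules at 1050 and 1060; dropping the second pair is enough. The rules numbered 1010/1020 under `## ntp(123)` allow `tcp` port 123, but NTP is carried over UDP, so as written they never match NTP traffic — `$IPFWC 1010 allow udp from any to any 123 in` and `$IPFWC 1020 allow udp from any to any 123 out` is presumably what was meant. Rule 60 `allow tcp from any to any established` also deserves a comment: it accepts any inbound TCP segment with ACK set before the `keep-state` rule at 70 is consulted, so the ruleset is stateful for outbound connections but inbound TCP is effectively filtered only on the SYN; if that is intentional, a line such as `# 60 accepts any ACK-bearing segment; inbound TCP is only checked on the SYN` makes the trade-off visible.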

----
!delay & 
 # 1Mbps, 80msec, パケットロス率 10% (それなりな LTE 程度)
 ipfw pipe 1 config bw 1Mbit/s delay 80ms plr 0.1
 
 # 180kbps, 300msec, パケットロス率 30% (MVNOの遅いやつ程度)
 ipfw pipe 1 config bw 180Kbit/s delay 300ms plr 0.3
 
 # 100kbps, 800msec, パケットロス率 50% (パケ詰まり)
 ipfw pipe 1 config bw 100Kbit/s delay 800ms plr 0.5
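Review bot: All three `ipfw pipe 1 config` lines reconfigure the same pipe, so if this block is ever pasted and run as one script only the last preset (100Kbit/s, 800ms, plr 0.5) remains in effect; a comment such as `# alternatives: run only one of the following` would make that explicit. The snippet also shows no `ipfw add ... pipe 1 ...` rule attaching the pipe to any traffic, so on its own it configures the shaper without applying it — presumably that rule lives elsewhere, but a one-line note saying which rule feeds the pipe would complete the example.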
----
Tips
http://murasaki.cocolog-nifty.com/cloud/2009/08/ipfw-a0b2.html