.\"
.\" %FreeBSD: src/sbin/ipfw/ipfw.8,v 1.133 2003/09/26 12:22:28 rse Exp %
.\"
.\" $FreeBSD$
.\"
.Dd August 13, 2002
.Dt IPFW 8
.Os
.Sh ̾¾Î
.Nm ipfw
.Nd IP ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤È¥È¥é¥Õ¥£¥Ã¥¯¥·¥§¥¤¥Ñ¤ÎÀ©¸æ¥×¥í¥°¥é¥à
.Sh ½ñ¼°
.Nm
.Op Fl cq
.Cm add
.Ar rule
.Nm
.Op Fl acdefnNStT
.Brq Cm list | show
.Op Ar rule | first-last ...
.Nm
.Op Fl f | q
.Cm flush
.Nm
.Op Fl q
.Brq Cm delete | zero | resetlog
.Op Cm set
.Op Ar number ...
.Nm
.Cm enable
.Brq Cm firewall | one_pass | debug | verbose | dyn_keepalive
.Nm
.Cm disable
.Brq Cm firewall | one_pass | debug | verbose | dyn_keepalive
.Pp
.Nm
.Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ...
.Nm
.Cm set move
.Op Cm rule
.Ar number Cm to Ar number
.Nm
.Cm set swap Ar number number
.Nm
.Cm set show
.Pp
.Nm
.Brq Cm pipe | queue
.Ar number
.Cm config
.Ar config-options
.Nm
.Op Fl s Op Ar field
.Brq Cm pipe | queue
.Brq Cm delete | list | show
.Op Ar number ...
.Pp
.Nm
.Op Fl cnNqS
.Oo
.Fl p Ar preproc
.Oo
.Ar preproc-flags
.Oc
.Oc
.Ar pathname
.Sh ²òÀâ
.Nm
¤È¤½¤Î¥æ¡¼¥Æ¥£¥ê¥Æ¥£¤Ï
.Fx
¤Î
.Xr ipfw 4
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤È
.Xr dummynet 4
¥È¥é¥Õ¥£¥Ã¥¯¥·¥§¥¤¥Ñ¤òÀ©¸æ¤¹¤ë¥æ¡¼¥¶¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤Ç¤¹¡£
.Pp
.Bd -ragged -offset XXXX
.Em Ãí:
¤³¤Î¥Þ¥Ë¥å¥¢¥ë¥Ú¡¼¥¸¤Ï 2002 ǯ 7 ·î¤Ë
.Fx
CURRENT ¤ËƳÆþ¤µ¤ì
.Nm ipfw2
¤È¤·¤Æ¤âÃΤé¤ì¤Æ¤¤¤ë
.Nm
¤Î¿·¥Ð¡¼¥¸¥ç¥ó¤Ë¤Ä¤¤¤ÆÀâÌÀ¤·¤Æ¤¤¤Þ¤¹¡£
.Nm ipfw2
¤ÏµìÈǤΥե¡¥¤¥¢¥¦¥©¡¼¥ë
.Nm ipfw1
¤Î¥¹¡¼¥Ñ¥»¥Ã¥È¤Ç¤¹¡£¤³¤Î 2 ¤Ä¤Î°ã¤¤¤Ï¥»¥¯¥·¥ç¥ó
.Sx IPFW2 ³ÈÄ¥
¤ËÎóµó¤µ¤ì¤Æ¤¤¤Þ¤¹¡£¸Å¤¤¥ë¡¼¥ë¥»¥Ã¥È¤ò½ñ¤Ä¾¤·¡¢¤è¤ê¸úΨŪ¤Ë¤¹¤ë¤¿¤á¤Ë¡¢
¤³¤³¤òÆɤळ¤È¤ò¤ª´«¤á¤·¤Þ¤¹¡£
.Fx
STABLE ¤Ç
.Nm ipfw2
¤ò¼Â¹Ô¤¹¤ë¼ê½ç¤Ë¤Ä¤¤¤Æ¤Ï¡¢¥»¥¯¥·¥ç¥ó
.Sx FreeBSD-STABLE ¤Ç IPFW2 ¤ò»È¤¦
¤ò»²¾È²¼¤µ¤¤¡£
.Ed
.Pp
.Nm
¤ÎÀßÄê¡¢¤â¤·¤¯¤Ï
.Em ¥ë¡¼¥ë¥»¥Ã¥È
¤Ï¡¢1 ¤«¤é 65535 ¤Þ¤Ç¤ÎÈÖ¹æ¤ò¤Ä¤±¤é¤ì¤¿
.Em ¥ë¡¼¥ë
¤Î¥ê¥¹¥È¤«¤é¤Ê¤ê¤Þ¤¹¡£
¥Ñ¥±¥Ã¥È¤Ï
¥×¥í¥È¥³¥ë¥¹¥¿¥Ã¥¯Ãæ¤Î¤¤¤¯¤Ä¤«¤Î²Õ½ê¤«¤é
.Nm
¤ËÅϤµ¤ì¤Þ¤¹
(¥Ñ¥±¥Ã¥È¤Îȯ¿®¸µ¤È°¸Àè¤Ë¤è¤Ã¤Æ¤Ï¡¢
.Nm
¤ÏƱ¤¸¥Ñ¥±¥Ã¥È¤ËÂФ·¤ÆÊ£¿ô²óµ¯Æ°¤µ¤»¤é¤ì¤ë²ÄǽÀ¤¬¤¢¤ê¤Þ¤¹)¡£
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ËÅϤµ¤ì¤ë¥Ñ¥±¥Ã¥È¤Ï
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Î
.Em ¥ë¡¼¥ë¥»¥Ã¥È
Ãæ¤Î¥ë¡¼¥ë¤½¤ì¤¾¤ì¤ËÂФ·¤Æ¾È¹ç¤µ¤ì¤Þ¤¹¡£
.Pp
¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢¥Þ¥Ã¥Á¤·¤¿¥ë¡¼¥ë¤ËÂбþ¤¹¤ë¥¢¥¯¥·¥ç¥ó¤¬¼Â¹Ô¤µ¤ì¤Þ¤¹¡£
¥¢¥¯¥·¥ç¥ó¤È¼ÂºÝ¤Î¥·¥¹¥Æ¥à¤ÎÀßÄê¤Ë¤è¤Ã¤Æ¤Ï¡¢
¥Þ¥Ã¥Á¤·¤¿¥ë¡¼¥ë¤Î¸å¤Î¥ë¡¼¥ë¤Ç¤µ¤é¤Ë½èÍý¤ò¹Ô¤¦¤¿¤á¤Ë
¥Ñ¥±¥Ã¥È¤¬¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ËºÆÃíÆþ¤µ¤ì¤ë¤³¤È¤¬¤¢¤ê¤Þ¤¹¡£
.Pp
.Nm
¥ë¡¼¥ë¥»¥Ã¥È¤Ë¤Ï¾ï¤Ë
.Em ¥Ç¥Õ¥©¥ë¥È
¥ë¡¼¥ë (ÈÖ¹æ 65535) ¤¬´Þ¤Þ¤ì¤Þ¤¹¡£
¤³¤Î¥ë¡¼¥ë¤ÏÊѹ¹¤âºï½ü¤â¤Ç¤¤º¡¢
Á´¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.Em ¥Ç¥Õ¥©¥ë¥È
¥ë¡¼¥ë¤Ë´ØÏ¢ÉÕ¤±¤é¤ì¤ë¥¢¥¯¥·¥ç¥ó¤Ï
.Cm deny
¤«
.Cm allow
¤Î¤É¤Á¤é¤«¤Ë¤Ê¤ê¤Þ¤¹¤¬¡¢
¤³¤ì¤Ï¤É¤Î¤è¤¦¤Ë¥«¡¼¥Í¥ë¤òÀßÄꤷ¤¿¤«¤Ë°Í¸¤·¤Þ¤¹¡£
.Pp
¥ë¡¼¥ë¥»¥Ã¥È¤¬
¥ª¥×¥·¥ç¥ó
.Cm keep-state
¤Þ¤¿¤Ï
.Cm limit
ÉÕ¤¤Î¥ë¡¼¥ë¤ò´Þ¤à¾ì¹ç¡¢
.Nm
¤Ï
.Em ¥¹¥Æ¡¼¥È¥Õ¥ë (¾õÂְ͸·¿)
¤ÇÆ°ºî¤·¤Þ¤¹¡£¤¹¤Ê¤ï¤Á¡¢¤¢¤ë¥Þ¥Ã¥Á¤Î·ë²Ì¡¢
¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Î¥Ñ¥é¥á¡¼¥¿¤Ë¤Á¤ç¤¦¤É°ìÃפ¹¤ë¥ë¡¼¥ë¤¬
ưŪ¤ËÀ¸À®¤µ¤ì¤Þ¤¹¡£
.Pp
¤³¤ì¤é¤ÎưŪ¥ë¡¼¥ë¤ÎÀ¸Â¸»þ´Ö¤Ï͸¤ǡ¢
.Cm check-state
¤Þ¤¿¤Ï
.Cm keep-state
¤Þ¤¿¤Ï
.Cm limit
¥ë¡¼¥ë¤¬ºÇ½é¤ËÀ¸¤¸¤¿¾ì½ê¤Ç¥Á¥§¥Ã¥¯¤µ¤ì¤Þ¤¹¡£
ưŪ¥ë¡¼¥ë¤Ï¡¢ÉáÄÌ¡¢ÀµÅö¤Ê¥È¥é¥Õ¥£¥Ã¥¯¤ò¥ª¥ó¥Ç¥Þ¥ó¥É¤Ç
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤òÄ̲ᤵ¤»¤ë¤¿¤á¤ËÍѤ¤¤Þ¤¹¡£
.Nm
¤Î¥¹¥Æ¡¼¥È¥Õ¥ë¤ÊÆ°ºî¤Ë¤Ä¤¤¤Æ¹¹¤Ë¾ðÊó¤¬É¬Íפʤé¤Ð¡¢
°Ê²¼¤Î
.Sx ¥¹¥Æ¡¼¥È¥Õ¥ë¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë
¥»¥¯¥·¥ç¥ó¤È
.Sx »ÈÍÑÎã
¥»¥¯¥·¥ç¥ó¤ò»²¾È¤·¤Æ²¼¤µ¤¤¡£
.Pp
Á´¤Æ¤Î¥ë¡¼¥ë(ưŪ¥ë¡¼¥ë¤ò´Þ¤à)¤Ï¡¢
´ØÏ¢¤¹¤ë¥«¥¦¥ó¥¿¤ò¤¤¤¯¤Ä¤«»ý¤Ã¤Æ¤¤¤Þ¤¹¡£¤½¤ì¤é¤Ï¡¢
¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥È¡¢¥Ð¥¤¥È¥«¥¦¥ó¥È¡¢¥í¥°¥«¥¦¥ó¥È¡¢
ºÇ¸å¤Ë¥Þ¥Ã¥Á¤·¤¿»þ¹ï¤ò¼¨¤¹¥¿¥¤¥à¥¹¥¿¥ó¥×¤Ç¤¹¡£
¥«¥¦¥ó¥¿¤Ï¡¢
.Nm
¥³¥Þ¥ó¥É¤Ë¤è¤Ã¤Æɽ¼¨¤¹¤ë¤³¤È¤¬¤Ç¤¡¢¤Þ¤¿¥ê¥»¥Ã¥È¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.Pp
¥ë¡¼¥ë¤ÎÄɲäÏ
.Cm add
¥³¥Þ¥ó¥É¤Ë¤Æ²Äǽ¤Ç¤¹¡£
¥ë¡¼¥ë¤Ò¤È¤Ä¤Ò¤È¤Ä¡¢¤Þ¤¿¤Ï¤Þ¤È¤á¤Æ¤Îºï½ü¤Ï
.Cm delete
¥³¥Þ¥ó¥É¤Ë¤Æ²Äǽ¤Ç¤¢¤ê¡¢(¥»¥Ã¥È 31 °Ê³°¤Î) ¤¹¤Ù¤Æ¤Î¥ë¡¼¥ë¤Îºï½ü¤Ï
.Cm flush
¥³¥Þ¥ó¥É¤Ë¤Æ²Äǽ¤Ç¤¹¡£
¥ë¡¼¥ë¤Îɽ¼¨
(¥ª¥×¥·¥ç¥ó¤Ç¥«¥¦¥ó¥¿ÆâÍƤò´Þ¤á¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹)
¤Ï¡¢
.Cm show
¥³¥Þ¥ó¥É¤ª¤è¤Ó
.Cm list
¥³¥Þ¥ó¥É¤Ë¤Æ²Äǽ¤Ç¤¹¡£
ºÇ¸å¤Ë¡¢¥«¥¦¥ó¥¿¤Î¥ê¥»¥Ã¥È¤Ï
.Cm zero
¥³¥Þ¥ó¥É¤ª¤è¤Ó
.Cm resetlog
¥³¥Þ¥ó¥É¤Ë¤Æ²Äǽ¤Ç¤¹¡£
.Pp
¤Þ¤¿¡¢³Æ¥ë¡¼¥ë¤Ï 32 ¸Ä¤Î
°Û¤Ê¤ë
.Em ¥»¥Ã¥È
¤Î 1 ¤Ä¤Ë½ê°¤·¡¢
¥»¥Ã¥È¤ËÂФ¹¤ë¥¢¥È¥ß¥Ã¥¯¤ÊÁàºî¡¢Î㤨¤Ð
͸ú²½¡¦Ìµ¸ú²½¡¦¥»¥Ã¥È¤ÎÆþ¤ì´¹¤¨¡¦¥»¥Ã¥ÈÆâ¤ÎÁ´¥ë¡¼¥ë¤òÊ̤Υ»¥Ã¥È¤Ø°ÜÆ°¡¦
¥»¥Ã¥ÈÆâ¤ÎÁ´¥ë¡¼¥ë¤Îºï½ü¤Ê¤É¤ò¹Ô¤¦¤¿¤á¤Î
.Nm
¥³¥Þ¥ó¥É¤¬¤¢¤ê¤Þ¤¹¡£
¤³¤ì¤é¤Ï°ì»þŪ¤ÊÀßÄê¤ò¥¤¥ó¥¹¥È¡¼¥ë¤·¤¿¤êÀßÄê¤Î¥Æ¥¹¥È¤ò¹Ô¤Ã¤¿¤ê¤¹¤ë¤È¤¤Ë
ÊØÍø¤Ç¤¹¡£
.Em ¥»¥Ã¥È
¤Ë´Ø¤¹¤ë¾ÜºÙ¤Ï¥»¥¯¥·¥ç¥ó
.Sx ¥ë¡¼¥ë¥»¥Ã¥È
¤ò»²¾È¤·¤Æ²¼¤µ¤¤¡£
.Pp
¼¡¤Î¥ª¥×¥·¥ç¥ó¤¬ÍøÍѲÄǽ¤Ç¤¹:
.Bl -tag -width indent
.It Fl a
¥ë¡¼¥ë¤Î¥ê¥¹¥È¤òɽ¼¨¤¹¤ëºÝ¤Ë¡¢
¥«¥¦¥ó¥¿Ãͤò¼¨¤·¤Þ¤¹¡£
.Cm show
¥³¥Þ¥ó¥É¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ò°ÅÌÛŪ¤Ë»ØÄꤷ¤¿¤À¤±¤Î¤â¤Î¤Ç¤¹¡£
.It Fl c
¥ë¡¼¥ë¤òÆþÎϤ·¤¿¤ê»²¾È¤·¤¿¤ê¤¹¤ë¤È¤¤Ë¡¢
¥³¥ó¥Ñ¥¯¥È¤Ê½ñ¼°¤Ç¥ë¡¼¥ë¤òɽ¼¨¤·¤Þ¤¹¡£
¤Ä¤Þ¤ê¡¢¥ë¡¼¥ë¤¬²¿¤ÎÄɲþðÊó¤â»ý¤¿¤Ê¤¤¤È¤¤Ï¡¢
¥ª¥×¥·¥ç¥Ê¥ë¤Êʸ»úÎó "ip from any to any" ¤òɽ¼¨¤·¤Þ¤»¤ó¡£
.It Fl d
¥ë¡¼¥ë¤Î¥ê¥¹¥È¤òɽ¼¨¤¹¤ëºÝ¤Ë¡¢
ÀÅŪ¥ë¡¼¥ë¤Ë²Ã¤¨¤ÆưŪ¥ë¡¼¥ë¤âɽ¼¨¤·¤Þ¤¹¡£
.It Fl e
¥ë¡¼¥ë¤Î¥ê¥¹¥È¤òɽ¼¨¤¹¤ëºÝ¤Ë¡¢
¤â¤·
.Fl d
¥ª¥×¥·¥ç¥ó¤¬»ØÄꤵ¤ì¤Æ¤¤¤ì¤Ð¡¢
´ü¸ÂÀÚ¤ì¤ÎưŪ¥ë¡¼¥ë¤âɽ¼¨¤·¤Þ¤¹¡£
.It Fl f
¸í¤Ã¤Æ»ÈÍѤ¹¤ë¤ÈÌäÂê¤òµ¯¤¹²ÄǽÀ¤Î¤¢¤ë¥³¥Þ¥ó¥É¡¢
.No ¤¹¤Ê¤ï¤Á Cm flush
¤ËÂФ·¤Æ¡¢¼Â¹Ô¤Î³Îǧ¤ò¹Ô¤¤¤Þ¤»¤ó¡£
¥×¥í¥»¥¹¤Ë´ØÏ¢ÉÕ¤±¤é¤ì¤¿ tty ¤¬Ìµ¤¤¾ì¹ç¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤¬
°ÅÌۤΤ¦¤Á¤Ë»ØÄꤵ¤ì¤¿¤È¤·¤Æ½èÍý¤µ¤ì¤Þ¤¹¡£
.It Fl n
¥³¥Þ¥ó¥Éʸ»úÎó¤Îʸˡ¤À¤±¤ò¥Á¥§¥Ã¥¯¤·¡¢
¼ÂºÝ¤Ë¤Ï¥«¡¼¥Í¥ë¤Ë¤ÏÅϤ·¤Þ¤»¤ó¡£
.It Fl N
½ÐÎϤ˴ޤޤì¤ë¥¢¥É¥ì¥¹¤È¥µ¡¼¥Ó¥¹Ì¾¤Î̾Á°²ò·è¤ò»î¤ß¤Þ¤¹¡£
.It Fl q
.Cm add ,
.Cm zero ,
.Cm resetlog ,
.Cm flush
¤ò¼Â¹Ô¤¹¤ëºÝ¡¢Æ°ºî¤Ë¤Ä¤¤¤ÆÊó¹ð¤·¤Þ¤»¤ó
(°ÅÌۤΤ¦¤Á¤Ë
.Fl f
¤¬»ØÄꤵ¤ì¤Þ¤¹)¡£
¥¹¥¯¥ê¥×¥È
(Î㤨¤Ð
.Ql sh\ /etc/rc.firewall )
¤ÎÃæ¤ÇÊ£¿ô¤Î
.Nm
¥³¥Þ¥ó¥É¤ò¼Â¹Ô¤·¤Æ¥ë¡¼¥ë¤òÊѹ¹¤¹¤ë¾ì¹ç¤ä¡¢
¥ê¥â¡¼¥È¥í¥°¥¤¥ó¥»¥Ã¥·¥ç¥ó·Ðͳ¤Ç¿¿ô¤Î
.Nm
¥ë¡¼¥ë¤ò´Þ¤à¥Õ¥¡¥¤¥ë¤ò½èÍý¤¹¤ë¤³¤È¤Ë¤è¤ê¥ë¡¼¥ë¤òÊѹ¹¤¹¤ë¾ì¹ç¤Ë
ÍÍѤǤ¹¡£
Ä̾ï (¾éĹ) ¥â¡¼¥É¤Ç (¥Ç¥Õ¥©¥ë¥È¥«¡¼¥Í¥ëÀßÄê¤Ç) flush ¤ò¹Ô¤Ã¤¿¾ì¹ç¡¢
¥á¥Ã¥»¡¼¥¸¤òɽ¼¨¤·¤Þ¤¹¡£
¤¹¤Ù¤Æ¤Î¥ë¡¼¥ë¤¬¼Î¤Æ¤é¤ì¤Þ¤¹¤Î¤Ç¡¢
¥á¥Ã¥»¡¼¥¸¤Ï¥í¥°¥¤¥ó¥»¥Ã¥·¥ç¥ó¤ØÅϤ»¤Þ¤»¤ó¡£
¤Ä¤Þ¤ê¡¢¥ê¥â¡¼¥È¥í¥°¥¤¥ó¥»¥Ã¥·¥ç¥ó·Ðͳ¤Î¾ì¹ç¡¢¥»¥Ã¥·¥ç¥ó¤Ï¥¯¥í¡¼¥º¤µ¤ì¡¢
»Ä¤ê¤Î¥ë¡¼¥ë¥»¥Ã¥È¤Ï½èÍý¤µ¤ì¤Þ¤»¤ó¡£
¤³¤Î¾õÂÖ¤«¤é²óÉü¤¹¤ë¤¿¤á¤Ë¤Ï¥³¥ó¥½¡¼¥ë¤Ø¤Î¥¢¥¯¥»¥¹¤¬É¬Íפˤʤê¤Þ¤¹¡£
.It Fl S
¥ë¡¼¥ë¤Î¥ê¥¹¥È¤òɽ¼¨¤¹¤ëºÝ¤Ë¡¢
³Æ¥ë¡¼¥ë¤¬Â°¤¹¤ë
.Em ¥»¥Ã¥È
¤òɽ¼¨¤·¤Þ¤¹¡£
¤³¤Î¥Õ¥é¥°¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢
̵¸ú²½¤µ¤ì¤Æ¤¤¤ë¥ë¡¼¥ë¤Ïɽ¼¨¤µ¤ì¤Þ¤»¤ó¡£
.It Fl s Op Ar field
¥Ñ¥¤¥×·Ðͳ¤Ç¥ê¥¹¥È½ÐÎϤ·¤Æ¤¤¤ëºÝ¤Ë¡¢4 ¤Ä¤Î¥«¥¦¥ó¥¿¤Î 1 ¤Ä¤Ë¤Ä¤¤¤Æ
À°Î󤵤»¤Þ¤¹ (Áí¥Ñ¥±¥Ã¥È¿ô/¥Ð¥¤¥È¿ô¤Þ¤¿¤Ï¸½ºß¤Î¥Ñ¥±¥Ã¥È¿ô/¥Ð¥¤¥È¿ô)¡£
.It Fl t
¥ë¡¼¥ë¤Î¥ê¥¹¥È¤òɽ¼¨¤¹¤ëºÝ¤Ë¡¢
ºÇ¸å¤Ë¥Þ¥Ã¥Á¤·¤¿¥¿¥¤¥à¥¹¥¿¥ó¥×¤òɽ¼¨¤·¤Þ¤¹ (ctime() ¤ÇÊÑ´¹¤µ¤ì¤Þ¤¹)¡£
.It Fl T
¥ë¡¼¥ë¤Î¥ê¥¹¥È¤òɽ¼¨¤¹¤ëºÝ¤Ë¡¢
ºÇ¸å¤Ë¥Þ¥Ã¥Á¤·¤¿¥¿¥¤¥à¥¹¥¿¥ó¥×¤òɽ¼¨¤·¤Þ¤¹ (´ð½à»þÅÀ¤«¤é¤ÎÉäÇɽ¼¨¤µ¤ì¤Þ¤¹)¡£
¤³¤Î½ñ¼°¤ÎÊý¤¬¡¢¥¹¥¯¥ê¥×¥È¤Ç¤Î¸å½èÍý¤Ë¸þ¤¤¤Æ¤¤¤Þ¤¹¡£
.El
.Pp
ËÁƬ¤Î½ñ¼°¤Î¹Ô¤Ç¼¨¤·¤¿¤è¤¦¤Ë¡¢
ÀßÄê¤ò´Êñ¤Ë¤¹¤ë¤¿¤á¡¢
¥ë¡¼¥ë¤ò
.Nm
¤Ë½èÍý¤µ¤»¤ë¥Õ¥¡¥¤¥ë¤Ëµ½Ò¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.Ar pathname
¤Ë¤ÏÀäÂХѥ¹Ì¾¤ò»ÈÍѤ¹¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£
¤³¤Î¥Õ¥¡¥¤¥ë¤«¤é¤Ï 1 ¹Ô¤º¤ÄÆɤ߹þ¤Þ¤ì¡¢
.Nm
¥æ¡¼¥Æ¥£¥ê¥Æ¥£¤Î°ú¿ô¤È¤·¤Æ¼õ¤±ÉÕ¤±¤é¤ì¤Þ¤¹¡£
.Pp
.Fl p Ar preproc
¤ò»ÈÍѤ·¤Æ¡¢
.Ar pathname
¤¬¥Ñ¥¤¥×¤µ¤ì¤ë¥×¥ê¥×¥í¥»¥Ã¥µ¤ò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤Þ¤¹¡£
ÍÍѤʥץê¥×¥í¥»¥Ã¥µ¤Ë¤Ï¡¢
.Xr cpp 1
¤È
.Xr m4 1
¤¬¤¢¤ê¤Þ¤¹¡£
.Ar preproc
¤ÎºÇ½é¤Îʸ»ú¤¬¥¹¥é¥Ã¥·¥å
.Pq Ql /
¤«¤é»Ï¤Þ¤é¤Ê¤¤¾ì¹ç¡¢
.Ev PATH
¤ò»ÈÍѤ·¤¿Ä̾ï¤Î̾Á°¸¡º÷¤¬¹Ô¤ï¤ì¤Þ¤¹¡£
.Nm
¤¬¼Â¹Ô¤µ¤ì¤ë¤È¤¤Þ¤Ç¤ËÁ´¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤¬ (¤Þ¤À) ¥Þ¥¦¥ó¥È¤µ¤ì¤Ê¤¤¤è¤¦¤Ê´Ä¶
(Î㤨¤Ð NFS ·Ðͳ¤Ç¥Þ¥¦¥ó¥È¤µ¤ì¤ë¾ì¹ç) ¤Ç¤Ï¡¢¤³¤Î¤³¤È¤ËÃí°Õ¤·¤Æ¤¯¤À¤µ¤¤¡£
¤Ò¤È¤¿¤Ó
.Fl p
¤¬»ØÄꤵ¤ì¤ë¤È¡¢°Ê¹ß¤Î°ú¿ô¤¬¥×¥ê¥×¥í¥»¥Ã¥µ¤ËÅϤµ¤ì¤Þ¤¹¡£
¤³¤ì¤Ë¤è¤ê¡¢(¥í¡¼¥«¥ë¥Û¥¹¥È̾¤Ë¤è¤ê¾ò·ïÉÕ¤±¤¹¤ë¤Ê¤É)
½ÀÆðÀ¤Î¤¢¤ëÀßÄê¥Õ¥¡¥¤¥ë¤òºîÀ®²Äǽ¤È¤Ê¤ê¡¢IP ¥¢¥É¥ì¥¹¤Î¤è¤¦¤Ë
ÉÑÈˤËɬÍפȤʤë°ú¿ô¤ò½¸Ãæ´ÉÍý¤¹¤ë¤¿¤á¤Î¥Þ¥¯¥í¤ò»ÈÍѲÄǽ¤È¤Ê¤ê¤Þ¤¹¡£
.Pp
¸å½Ò¤Î
.Sx ¥È¥é¥Õ¥£¥Ã¥¯¥·¥§¥¤¥Ñ (DUMMYNET) ÀßÄê
¥»¥¯¥·¥ç¥ó¤Ç¼¨¤¹¤è¤¦¤Ë¡¢
.Nm
.Cm pipe
¤ª¤è¤Ó
.Cm queue
¥³¥Þ¥ó¥É¤ò»ÈÍѤ·¤Æ¡¢¥È¥é¥Õ¥£¥Ã¥¯¥·¥§¥¤¥Ñ¤ò¹½ÃÛ²Äǽ¤Ç¤¹¡£
.Pp
À¤³¦¤È¥«¡¼¥Í¥ë¤ÎÄ´»Ò¤¬³°¤ì¤ë¤È¡¢
.Nm
ABI ¤¬²õ¤ì¤Æ¤·¤Þ¤¤¡¢¤¤¤«¤Ê¤ë¥ë¡¼¥ë¤âÄɲäǤ¤Ê¤¯¤Ê¤ê¤Þ¤¹¡£
¤³¤ì¤Ï¥Ö¡¼¥È¤Ë°±Æ¶Á¤¬¤¢¤êÆÀ¤Þ¤¹¡£
.Nm
.Cm disable
.Cm firewall
¤Ç¡¢°ì»þŪ¤Ë¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ò̵¸ú²½¤¹¤ë¤³¤È¤Ç¡¢
¥Í¥Ã¥È¥ï¡¼¥¯¥¢¥¯¥»¥¹¤òºÆ¼èÆÀ¤·¤ÆÌäÂê²ò·è¤Ç¤¤Þ¤¹¡£
.Sh ¥Ñ¥±¥Ã¥È¥Õ¥í¡¼
1 ¸Ä¤Î¥Ñ¥±¥Ã¥È¤¬¡¢¥×¥í¥È¥³¥ë¥¹¥¿¥Ã¥¯¤ÎÊ£¿ô¤Î¾ì½ê¤Ç¡¢
͸ú¤Ê¥ë¡¼¥ë¥»¥Ã¥È¤ËÂФ·¥Á¥§¥Ã¥¯¤µ¤ì¤Þ¤¹¡£¤³¤Î¥Á¥§¥Ã¥¯¤Ï
¤¤¤¯¤Ä¤«¤Î sysctl ÊÑ¿ô¤Ë´ð¤Å¤¤Þ¤¹¡£
¤³¤ì¤é¤Î¾ì½ê¤ÈÊÑ¿ô¤ò°Ê²¼¤Ë¼¨¤·¤Þ¤¹¡£
¥ë¡¼¥ë¥»¥Ã¥È¤òÀµ¤·¤¯À߷פ¹¤ë¤¿¤á¤Ë¤Ï¡¢¤³¤Î¿Þ¤ò¤è¤¯Íý²ò¤¹¤ë
¤³¤È¤¬ÂçÀڤǤ¹¡£
.Bd -literal -offset indent
^ to upper layers V
| |
+----------->-----------+
^ V
[ip_input] [ip_output] net.inet.ip.fw.enable=1
| |
^ V
[ether_demux] [ether_output_frame] net.link.ether.ipfw=1
| |
+-->--[bdg_forward]-->--+ net.link.ether.bridge_ipfw=1
^ V
| to devices |
.Ed
.Pp
¾å¿Þ¤Ë¼¨¤µ¤ì¤ë¤è¤¦¤Ë¡¢
Ʊ°ì¤Î¥Ñ¥±¥Ã¥È¤¬¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤òÄ̲᤹¤ë²ó¿ô¤Ï¡¢
¥Ñ¥±¥Ã¥È¤Îȯ¿®¸µ¤ä°¸Àè¡¢¥·¥¹¥Æ¥à¤ÎÀßÄê¤Ë¤è¤ê¡¢
0 ²ó¤«¤é 4 ²ó¤ÎÈϰϤÇÊÑÆ°¤·¤Þ¤¹¡£
.Pp
¥Ñ¥±¥Ã¥È¤¬¥¹¥¿¥Ã¥¯¤òÄ̲᤹¤ë¤Ë¤Ä¤ì¥Ø¥Ã¥À¤¬ºï½ü / Äɲ䵤ì¤ë
²ÄǽÀ¤¬¤¢¤ê¡¢¥Ø¥Ã¥À¤¬¥Á¥§¥Ã¥¯¤Ë»È¤¨¤¿¤ê»È¤¨¤Ê¤«¤Ã¤¿¤ê¤¹¤ë
¤³¤È¤ËÃí°Õ¤·¤Æ²¼¤µ¤¤¡£
Î㤨¤Ð¡¢³°¤«¤éÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤Ï
.Cm ether_demux()
¤«¤é
.Nm
¤¬¼Â¹Ô¤µ¤ì¤ë¤È¤¤Ë¤Ï MAC ¥Ø¥Ã¥À¤ò´Þ¤ó¤Ç¤¤¤ë¤Ï¤º¤Ç¤¹¤¬¡¢
¤½¤ÎƱ¤¸¥Ñ¥±¥Ã¥È¤¬¡¢
.Cm ip_input()
¤«¤é
.Nm
¤¬¼Â¹Ô¤µ¤ì¤¿¤È¤¤Ë¤Ï MAC ¥Ø¥Ã¥À¤Ï¼è¤ê½ü¤«¤ì¤Æ¤¤¤ë¤Ï¤º¤Ç¤¹¡£
.Pp
¤Þ¤¿¡¢³Æ¥Ñ¥±¥Ã¥È¤Ï¾ï¤Ë¥ë¡¼¥ë¥»¥Ã¥ÈÁ´ÂΤËÂФ·¥Á¥§¥Ã¥¯¤µ¤ì¤ë¤³¤È¤Ë¤â
Ãí°Õ¤·¤Æ¤¯¤À¤µ¤¤¡£
¤³¤ì¤Ï¡¢¥Á¥§¥Ã¥¯¤¬À¸¤¸¤¿¾ì½ê¡¢¥Ñ¥±¥Ã¥È¤Î¥½¡¼¥¹¤Ë´Ø·¸¤¢¤ê¤Þ¤»¤ó¡£
¼Â¹Ô¤µ¤ì¤¿²Õ½ê¤Ë¤è¤Ã¤Æ¤Ï̵¸ú¤È¤Ê¤ë¤è¤¦¤Ê
¥Þ¥Ã¥Á¥Ñ¥¿¡¼¥ó¤ä¥¢¥¯¥·¥ç¥ó
(Î㤨¤Ð¡¢
.Cm ip_input()
Ãæ¤Ç MAC ¥Ø¥Ã¥À¤È¥Þ¥Ã¥Á¤ò»î¤ß¤ë¤è¤¦¤Ê¤â¤Î)
¤ò¥ë¡¼¥ë¤¬´Þ¤ó¤Ç¤¤¤ë¤Ê¤é¡¢¤½¤Î¥Ñ¥¿¡¼¥ó¤Ï¥Þ¥Ã¥Á¤·¤Ê¤¤¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£
¤È¤Ï¤¤¤¨¡¢¤½¤Î¤è¤¦¤Ê¥Ñ¥¿¡¼¥ó¤ÎÁ°¤Ë
.Cm not
¥ª¥Ú¥ì¡¼¥¿¤òµ½Ò¤¹¤ì¤Ð¡¢¤³¤Î¥Ñ¥¿¡¼¥ó¤Ï
.Em ¾ï¤Ë
¤½¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£
¤·¤¿¤¬¤Ã¤Æ¡¢É¬Íפ˱þ¤¸¡¢À¸¤¸ÆÀ¤ë¾ì½ê¤Î°ã¤¤¤òÍý²ò¤·¤Æ¡¢
ŬÀڤʥ롼¥ë¥»¥Ã¥È¤òµ½Ò¤¹¤ë¤³¤È¤Ï¥×¥í¥°¥é¥Þ¤ÎÀÕǤ¤Ç¤¹¡£
¤½¤³¤Ç
.Cm skipto
¥ë¡¼¥ë¤¬Ìò¤ËΩ¤Ä¤³¤È¤Ç¤·¤ç¤¦¡£
Î㤨¤Ð¼¡¤Î¤è¤¦¤Ë¤·¤Þ¤¹¡£
.Bd -literal -offset indent
# ether_demux ¤Þ¤¿¤Ï bdg_forward ¤«¤é¤Î¥Ñ¥±¥Ã¥È
ipfw add 10 skipto 1000 all from any to any layer2 in
# ip_input ¤«¤é¤Î¥Ñ¥±¥Ã¥È
ipfw add 10 skipto 2000 all from any to any not layer2 in
# ip_output ¤«¤é¤Î¥Ñ¥±¥Ã¥È
ipfw add 10 skipto 3000 all from any to any not layer2 out
# ether_output_frame ¤«¤é¤Î¥Ñ¥±¥Ã¥È
ipfw add 10 skipto 4000 all from any to any layer2 out
.Ed
.Pp
(¤½¤¦¤Ç¤¹¡¢º£¤Î¤È¤³¤í ether_demux ¤È bdg_forward ¤È¤ò
¶èÊ̤¹¤ëÊýË¡¤Ï¤¢¤ê¤Þ¤»¤ó)¡£
.Sh ʸˡ
°ìÈ̤ˡ¢³Æ¥¡¼¥ï¡¼¥É¤â¤·¤¯¤Ï°ú¿ô¤Ï¡¢ÊÌ¡¹¤Î¥³¥Þ¥ó¥É¹Ô°ú¿ô¤È¤·¤ÆÍ¿¤¨¤é¤ì¡¢
¤½¤ÎÁ°¤ä¸å¤Ë¤Ï¶õÇò¤ÏÉÕ¤¤Þ¤»¤ó¡£
¥¡¼¥ï¡¼¥É¤Ï¡¢Âçʸ»ú¾®Ê¸»ú¤ò¶èÊ̤·¤Þ¤¹¤¬¡¢
°ú¿ô¤Ï¡¢¤½¤ÎÀ¼Á¤Ë°Í¸¤·¡¢Âçʸ»ú¾®Ê¸»ú¤ò¶èÊ̤¹¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¤·¡¢
¤·¤Ê¤¤¤«¤â¤·¤ì¤Þ¤»¤ó (Î㤨¤Ð uid ¤Ï¶èÊ̤·¤Þ¤¹¤¬¡¢hostname ¤Ï¤·¤Þ¤»¤ó)¡£
.Pp
.Nm ipfw2
¤Ç¤Ï¡¢¥³¥ó¥Þ ',' ¤Î¸å¤Ë¶õÇò¤òÆþ¤ì¡¢¹Ô¤òÆɤ߰פ¯¤Ç¤¤Þ¤¹¡£
¤Þ¤¿¡¢¥³¥Þ¥ó¥ÉÁ´ÂÎ (¥Õ¥é¥°¤ò´Þ¤à) ¤ò¡¢Ã±°ì°ú¿ô¤ËÆþ¤ì¤é¤ì¤Þ¤¹¡£
Î㤨¤Ð¡¢¼¡¤Î½ñ¼°¤ÏÅù²Á¤Ç¤¹:
.Bd -literal -offset indent
ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8
ipfw -q add deny src-ip 10.0.0.0/24, 127.0.0.1/8
ipfw "-q add deny src-ip 10.0.0.0/24, 127.0.0.1/8"
.Ed
.Sh ¥ë¡¼¥ë½ñ¼°
.Nm
¥ë¡¼¥ë¤Î½ñ¼°¤Ï¼¡¤ÎÄ̤ê¤Ç¤¹¡£
.Bd -ragged -offset indent
.Op Ar rule_number
.Op Cm set Ar set_number
.Op Cm prob Ar match_probability
.br
.Ar " " action
.Op Cm log Op Cm logamount Ar number
.Ar body
.Ed
.Pp
¤³¤ÎÃæ¤Ç¡¢¥ë¡¼¥ë¤Î¥Ü¥Ç¥£ (body) ¤Ï¼¡¤ÎÃ椫¤é¤É¤Î¾ðÊó¤ò»ÈÍѤ·¤Æ
¥Ñ¥±¥Ã¥È¤ò¥Õ¥£¥ë¥¿¤¹¤ë¤«¤ò»ØÄꤷ¤Þ¤¹¡£
.Pp
.Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact
.It ¥ì¥¤¥ä 2 ¥Ø¥Ã¥À¥Õ¥£¡¼¥ë¥É
²Äǽ¤Ê¤é¤Ð
.It IPv4 ¥×¥í¥È¥³¥ë
TCP, UDP, ICMP ¤Ê¤É
.It Á÷¿®¸µ¤ª¤è¤Ó°¸Àè¤Î¥¢¥É¥ì¥¹¤È¥Ý¡¼¥È
.It Êý¸þ
¥»¥¯¥·¥ç¥ó
.Sx ¥Ñ¥±¥Ã¥È¥Õ¥í¡¼
¤ò»²¾È¤·¤Æ²¼¤µ¤¤
.It Á÷¿®¤ª¤è¤Ó¼õ¿®¥¤¥ó¥¿¥Õ¥§¡¼¥¹
̾Á°¤Þ¤¿¤Ï¥¢¥É¥ì¥¹
.It ¤½¤Î¾¤Î IP ¥Ø¥Ã¥À¥Õ¥£¡¼¥ë¥É
¥Ð¡¼¥¸¥ç¥ó¡¢¥µ¡¼¥Ó¥¹¥¿¥¤¥×¡¢¥Ç¡¼¥¿¥°¥é¥àĹ¡¢¼±Ê̻ҡ¢
¥Õ¥é¥°¥á¥ó¥È¥Õ¥é¥° (0 ¤Ç¤Ê¤¤ IP ¥ª¥Õ¥»¥Ã¥È)¡¢
À¸Â¸»þ´Ö
.It IP ¥ª¥×¥·¥ç¥ó
.It ¤½¤Î¾¤Î TCP ¥Ø¥Ã¥À¥Õ¥£¡¼¥ë¥É
TCP ¥Õ¥é¥° (SYN, FIN, ACK, RST ¤Ê¤É)¡¢
¥·¡¼¥±¥ó¥¹Èֹ桢³Îǧ±þÅúÈֹ桢¥¦¥£¥ó¥É¥¦
.It TCP ¥ª¥×¥·¥ç¥ó
.It ICMP ¥¿¥¤¥×
ICMP ¥Ñ¥±¥Ã¥È¤Î¾ì¹ç
.It ¥æ¡¼¥¶/¥°¥ë¡¼¥× ID
¥Ñ¥±¥Ã¥È¤ò¥í¡¼¥«¥ë¥½¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤ë¤³¤È¤¬²Äǽ¤Ê¾ì¹ç
.El
.Pp
¾åµ¤Î¾ðÊó¤Î¤¦¤Á´ö¤Ä¤«¡¢
Î㤨¤Ð¡¢Á÷¿®¸µ MAC ¥¢¥É¥ì¥¹¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤È TCP/UDP ¥Ý¡¼¥È
¤ÏÍưפ˺¾¾Î¤¬²Äǽ¤Ç¤¢¤ë¤³¤È¤ËÃí°Õ¤·¤Æ²¼¤µ¤¤¡£
¤·¤¿¤¬¤Ã¤Æ¡¢¤³¤ì¤é¤Î¥Õ¥£¡¼¥ë¥É¤Î¤ß¤Ç¥Õ¥£¥ë¥¿¤¹¤ë¤³¤È¤Ï
ɬ¤º¤·¤â˾¤Þ¤·¤¤·ë²Ì¤òÊݾڤ·¤Þ¤»¤ó¡£
.Bl -tag -width indent
.It Ar rule_number
³Æ¥ë¡¼¥ë¤Ï¡¢1 ¤«¤é 65535 ¤ÎÈϰϤÎ
.Ar rule_number
¤Ë´ØÏ¢¤Å¤±¤é¤ì¤Æ¤ª¤ê¡¢
¸å¼Ô¤Ï
.Em ¥Ç¥Õ¥©¥ë¥È
¥ë¡¼¥ë¤Î¤¿¤á¤ËͽÌ󤵤ì¤Æ¤¤¤Þ¤¹¡£
¥ë¡¼¥ë¤Ï¥ë¡¼¥ëÈÖ¹æ¤Î½ç¤Ë¥Á¥§¥Ã¥¯¤µ¤ì¤Þ¤¹¡£
Ê£¿ô¤Î¥ë¡¼¥ë¤¬Æ±°ì¤ÎÈÖ¹æ¤ò»ý¤Ä¤³¤È¤¬²Äǽ¤Ç¡¢
¤½¤Î¾ì¹ç¤ÏÄɲ䵤줿½ç½ø¤Ç¥Á¥§¥Ã¥¯¤µ¤ì¤Þ¤¹ (ɽ¼¨¤¹¤ë¾ì¹ç¤âƱÍͤǤ¹) ¡£
ÈÖ¹æ¤Î»ØÄê¤Ê¤·¤Ç¥ë¡¼¥ë¤¬ÆþÎϤµ¤ì¤¿¾ì¹ç¡¢
¥«¡¼¥Í¥ë¤Ï¡¢¤½¤Î¥ë¡¼¥ë¤¬
.Em ¥Ç¥Õ¥©¥ë¥È
¥ë¡¼¥ë¤è¤êÁ°¤Ë¤¢¤ë¥ë¡¼¥ë¤ÎÃæ¤ÇºÇ¸å¤Ë¤Ê¤ë¤è¤¦¤Ë³ä¤êÅö¤Æ¤Þ¤¹¡£
¼«Æ°Åª¤Ë¤Ä¤±¤é¤ì¤ë¥ë¡¼¥ëÈÖ¹æ¤Ï¡¢
¥Ç¥Õ¥©¥ë¥È¤ò½ü¤¤¤¿Ãæ¤ÇºÇ¸å¤È¤Ê¤ë¥ë¡¼¥ëÈÖ¹æ¤ò¡¢
sysctl ÊÑ¿ô
.Ar net.inet.ip.fw.autoinc_step
¤ÎÃͤÀ¤±Áý²Ã¤µ¤»¤Æ³ä¤êÅö¤Æ¤é¤ì¤Þ¤¹¡£
¤³¤ÎÊÑ¿ô¤Î¥Ç¥Õ¥©¥ë¥È¤Ï 100 ¤Ç¤¹¡£
¤â¤·¡¢¤³¤ÎÁàºî¤¬
(Î㤨¤Ðµö²Ä¤µ¤ì¤¿ºÇÂç¥ë¡¼¥ëÈÖ¹æ¤ò±Û¤¨¤ë¤È¤¤¤Ã¤¿Íýͳ¤Ç)
ÉÔ²Äǽ¤Ç¤¢¤ì¤Ð¡¢
ºÇ¸å¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤Ê¤¤Ãͤ¬Âå¤ï¤ê¤Ë»ÈÍѤµ¤ì¤Þ¤¹¡£
.It Cm set Ar set_number
³Æ¥ë¡¼¥ë¤Ï 0 ¤«¤é 31 ¤ÎÈϰϤÎ
.Ar set_number
¤Ë´ØÏ¢¤Å¤±¤é¤ì¤Æ¤¤¤Þ¤¹¡£
¥»¥Ã¥È¤Ï¸ÄÊ̤Ë̵¸ú²½¤·¤¿¤ê͸ú²½¤·¤¿¤ê¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
¤·¤¿¤¬¤Ã¤Æ¡¢¤³¤Î¥Ñ¥é¥á¡¼¥¿¤Ï¥¢¥È¥ß¥Ã¥¯¤Ê¥ë¡¼¥ë¥»¥Ã¥ÈÁàºî¤ò¹Ô¤¦¤¿¤á¤Ë
ɬÍ×ÉԲķç¤Ê¤â¤Î¤Ç¤¹¡£
¤³¤Î¥Ñ¥é¥á¡¼¥¿¤ò»È¤¦¤³¤È¤Ç¡¢¥ë¡¼¥ë¤ò¤Þ¤È¤á¤Æºï½ü¤¹¤ë¤³¤È¤ò
ñ½ã¤Ë¤¹¤ë¤³¤È¤â¤Ç¤¤Þ¤¹¡£
¥»¥Ã¥ÈÈÖ¹æ¤ò»ØÄꤻ¤º¤Ë¥ë¡¼¥ë¤òÆþÎϤ·¤¿¾ì¹ç¡¢
¥»¥Ã¥È 0 ¤¬»ÈÍѤµ¤ì¤Þ¤¹¡£
.br
¥»¥Ã¥È 31 ¤ÏÆÃÊ̤Ǥ¢¤ê¡¢Ìµ¸ú²½¤Ç¤¤Þ¤»¤ó¤·¡¢¤³¤ÎÃæ¤Î¥ë¡¼¥ë¤Ï
.Nm ipfw flush
¥³¥Þ¥ó¥É¤Çºï½ü¤Ç¤¤Þ¤»¤ó (¤·¤«¤·¡¢
.Nm ipfw delete set 31
¥³¥Þ¥ó¥É¤Çºï½ü¤¹¤ë¤³¤Ï¤Ç¤¤Þ¤¹)¡£
¥»¥Ã¥È 31 ¤Ï¤Þ¤¿¡¢
.Em ¥Ç¥Õ¥©¥ë¥È
¥ë¡¼¥ë¤È¤·¤Æ¤â»ÈÍѤµ¤ì¤Þ¤¹¡£
.It Cm prob Ar match_probability
»ØÄꤷ¤¿³ÎΨ (0 ¤«¤é 1 ¤Þ¤Ç¤ÎÉâÆ°¾®¿ôÅÀ¿ô¤Ç¤¹)
¤Ç¤·¤«¥Þ¥Ã¥Á¤·¤Ê¤¤¥Þ¥Ã¥Á¤òÀë¸À¤·¤Þ¤¹¡£
¥é¥ó¥À¥à¤Ë¥Ñ¥±¥Ã¥È¤òÍî¤È¤¹±þÍѤ䡢
(
.Xr dummynet 4
¤È¶¦¤Ë»ÈÍѤ·¤Æ)
¥Ñ¥±¥Ã¥ÈÅþã½ç½ø¤ÎÍð¤ì¤ò°ú¤µ¯¤³¤¹Ê£¿ô·ÐÏ©¤Î¸ú²Ì¤ò¥·¥ß¥å¥ì¡¼¥È¤¹¤ë
±þÍѤʤɡ¢Â¿¤¯¤Î±þÍѤËÍÍѤǤ¹¡£
.Pp
Ãí: ¤³¤Î¾ò·ï¤Ï¡¢Â¾¤Î¾ò·ï¤ÎÁ°¤Ë¥Á¥§¥Ã¥¯¤µ¤ì¤Þ¤¹¡£
¤³¤ì¤Ë¤Ï¡¢keep-state ¤ä check-state ¤È¤¤¤Ã¤¿ÉûºîÍѤΤ¢¤ë¤â¤Î¤â´Þ¤Þ¤ì¤Þ¤¹¡£
.It Cm log Op Cm logamount Ar number
¥Ñ¥±¥Ã¥È¤¬
.Cm log
¥¡¼¥ï¡¼¥É¤ò»ý¤Ã¤¿¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
¥á¥Ã¥»¡¼¥¸¤¬
.Xr syslogd 8
¤Ë
.Dv LOG_SECURITY
¥Õ¥¡¥·¥ê¥Æ¥£¤ÇµÏ¿¤µ¤ì¤Þ¤¹¡£
sysctl ÊÑ¿ô
.Em net.inet.ip.fw.verbose
¤¬ 1
(¥«¡¼¥Í¥ë¤¬
.Dv IPFIREWALL_VERBOSE
¤Ç¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤Æ¤¤¤ì¤Ð¤³¤ì¤¬¥Ç¥Õ¥©¥ë¥È¤Ç¤¹)
¤ËÀßÄꤵ¤ì¤Æ¤ª¤ê¡¢
¤½¤Î¥ë¡¼¥ë¤Ë¤Ä¤¤¤Æ¤³¤ì¤Þ¤ÇµÏ¿¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Î¿ô¤¬
¤½¤Î
.Cm logamount
¥Ñ¥é¥á¡¼¥¿¤ò±Û¤¨¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢µÏ¿¤¬¹Ô¤ï¤ì¤Þ¤¹¡£
.Cm logamount
¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢À©¸Â¤Ï sysctl ÊÑ¿ô
.Em net.inet.ip.fw.verbose_limit
¤«¤é»²¾È¤µ¤ì¤Þ¤¹¡£
ξ¼Ô¤ÎÃͤ¬ 0 ¤Ç¤¢¤ì¤ÐµÏ¿¤ÎÀ©¸Â¤Ï¼è¤ê½ü¤«¤ì¤Þ¤¹¡£
.Pp
°ìÅÙÀ©¸Â¤Ë㤷¤¿¤Ê¤é¡¢
¤³¤Î¥¨¥ó¥È¥ê¤ËÂФ¹¤ë¥í¥®¥ó¥°¥«¥¦¥ó¥¿¤«¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤ò¥¯¥ê¥¢¤¹¤ì¤Ð
µÏ¿¤òºÆ¤Ó͸ú¤Ë¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.Cm resetlog
¥³¥Þ¥ó¥É¤ò»²¾È¤·¤Æ²¼¤µ¤¤¡£
.Pp
Ãí: ¥í¥°¤¬¼Â¹Ô¤µ¤ì¤ë¤Î¤Ï¡¢
¤¹¤Ù¤Æ¤Î¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¾ò·ï¤¬À®¸ù΢¤Ë³Îǧ¤µ¤ì¤¿¸å¤Ç¤¢¤ê¡¢
ºÇ¸å¤ÎÆ°ºî (¼õÍý¤äµñÈÝÅù) ¤ò¥Ñ¥±¥Ã¥È¤Ë¼Â»Ü¤¹¤ëÁ°¤Ç¤¹¡£
.El
.Ss ¥ë¡¼¥ë¥¢¥¯¥·¥ç¥ó
¥ë¡¼¥ë¤Ï¼¡¤Ë¼¨¤¹¥¢¥¯¥·¥ç¥ó¤Î 1 ¤Ä¤È´ØÏ¢¤Å¤±¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
¤³¤ì¤Ï¥Ñ¥±¥Ã¥È¤¬¥ë¡¼¥ë¤Î¥Ü¥Ç¥£¤Ë¥Þ¥Ã¥Á¤·¤¿¤È¤¤Ë¼Â¹Ô¤µ¤ì¤Þ¤¹¡£
.Bl -tag -width indent
.It Cm allow | accept | pass | permit
¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤¹¤ë¥Ñ¥±¥Ã¥È¤ò¼õ¤±ÉÕ¤±¤Þ¤¹¡£
¸¡º÷¤Ï½ªÎ»¤·¤Þ¤¹¡£
.It Cm check-state
ưŪ¥ë¡¼¥ë¥»¥Ã¥È¤ËÂФ·¤Æ¥Ñ¥±¥Ã¥È¤Î¥Á¥§¥Ã¥¯¤ò¹Ô¤Ê¤¤¤Þ¤¹¡£
¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
¤½¤ÎưŪ¥ë¡¼¥ë¤òÀ¸À®¤·¤¿¥ë¡¼¥ë¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿¥¢¥¯¥·¥ç¥ó¤ò¼Â¹Ô¤·¡¢
¥Þ¥Ã¥Á¤·¤Ê¤«¤Ã¤¿¾ì¹ç¡¢¼¡¤Î¥ë¡¼¥ë¤Ë°Ü¤ê¤Þ¤¹¡£
.br
.Cm check-state
¥ë¡¼¥ë¤Ï¥Ü¥Ç¥£¤ò»ý¤Á¤Þ¤»¤ó¡£
.Cm check-state
¥ë¡¼¥ë¤¬¸«¤Ä¤«¤é¤Ê¤¤¤È¤¤Ï¡¢
ưŪ¥ë¡¼¥ë¥»¥Ã¥È¤ÏºÇ½é¤Î
.Cm keep-state
¥ë¡¼¥ë¡¢¤â¤·¤¯¤Ï
.Cm limit
¥ë¡¼¥ë¤Î¾ì½ê¤Ç¥Á¥§¥Ã¥¯¤µ¤ì¤Þ¤¹¡£
.It Cm count
¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¤Î¥«¥¦¥ó¥¿¤ò¹¹¿·¤·¤Þ¤¹¡£
¸¡º÷¤Ï¼¡¤Î¥ë¡¼¥ë¤Ø³¹Ô¤·¤Þ¤¹¡£
.It Cm deny | drop
¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¤òÇË´þ¤·¤Þ¤¹¡£
¸¡º÷¤Ï½ªÎ»¤·¤Þ¤¹¡£
.It Cm divert Ar port
¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤¹¤ë¥Ñ¥±¥Ã¥È¤ò
¥Ý¡¼¥È
.Ar port
¤Ë¥Ð¥¤¥ó¥É¤µ¤ì¤Æ¤¤¤ë
.Xr divert 4
¥½¥±¥Ã¥È¤ËÁ÷½Ð¤·¤Þ¤¹¡£
¸¡º÷¤Ï½ªÎ»¤·¤Þ¤¹¡£
.It Cm fwd | forward Ar ipaddr Ns Op , Ns Ar port
¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Î¼¡¤Î¥Û¥Ã¥×¤ò
.Ar ipaddr
¤ËÊѹ¹¤·¤Þ¤¹¡£
¤³¤ì¤Ë¤Ï IP ¥¢¥É¥ì¥¹¤È¤·¤Æ¡¢¿ô»ú 4 ¤ÄÁÈ·Á¼°
¤Þ¤¿¤Ï¥Û¥¹¥È̾¤¬»ÈÍѤǤ¤Þ¤¹¡£
¤³¤Î¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢¸¡º÷¤Ï½ªÎ»¤·¤Þ¤¹¡£
.Pp
.Ar ipaddr
¤¬¥í¡¼¥«¥ë¥¢¥É¥ì¥¹¤Î¾ì¹ç¡¢¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Ï¥í¡¼¥«¥ë¥Þ¥·¥ó¤Î
.Ar port
(¤Þ¤¿¤Ï¡¢¥ë¡¼¥ë¤Ç»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ï¤½¤Î¥Ñ¥±¥Ã¥È¤Î¥Ý¡¼¥ÈÈÖ¹æ)
¤ËžÁ÷¤µ¤ì¤Þ¤¹¡£
.br
.Ar ipaddr
¤¬¥í¡¼¥«¥ë¥¢¥É¥ì¥¹¤Ç¤Ê¤¤¾ì¹ç¡¢
¥Ý¡¼¥ÈÈÖ¹æ¤Ï (»ØÄꤵ¤ì¤Æ¤¤¤Æ¤â) ̵»ë¤µ¤ì¡¢
¥Ñ¥±¥Ã¥È¤Ï
¥í¡¼¥«¥ë¤Ê·ÐÏ©¥Æ¡¼¥Ö¥ë¤Ë¸ºß¤¹¤ë¤½¤Î IP ¤ËÂФ¹¤ë·ÐÏ©¤ò»ÈÍѤ·¤Æ
¥ê¥â¡¼¥È¥¢¥É¥ì¥¹¤ËžÁ÷¤µ¤ì¤Þ¤¹¡£
.br
.Ar fwd
¥ë¡¼¥ë¤Ï¥ì¥¤¥ä 2 ¥Ñ¥±¥Ã¥È
(¤½¤ì¤é¤Ï ether_input, ether_output, bridged ¤Ç¼õ¿®¤µ¤ì¤Þ¤¹)
¤Ë¤Ï¥Þ¥Ã¥Á¤·¤Þ¤»¤ó¡£
.br
.Cm fwd
¥¢¥¯¥·¥ç¥ó¤Ï¥Ñ¥±¥Ã¥È¤ÎÆâÍƤò¤Þ¤Ã¤¿¤¯Êѹ¹¤·¤Þ¤»¤ó¡£
¼ÂºÝ¡¢°¸À襢¥É¥ì¥¹¤¬½¤Àµ¤µ¤ì¤º¤Ë»Ä¤ë¤Î¤Ç¡¢
žÁ÷À襷¥¹¥Æ¥à¤¬¤½¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤ò¼è¤ê¹þ¤à¥ë¡¼¥ë¤ò»ý¤¿¤Ê¤¤¸Â¤ê¡¢
¾¤Î¥·¥¹¥Æ¥à¤ËžÁ÷¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Ï¡¢Ä̾ïžÁ÷Àè¤Î¥·¥¹¥Æ¥à¤ÇµñÈݤµ¤ì¤Þ¤¹¡£
¥í¡¼¥«¥ë¤ËžÁ÷¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¾ì¹ç¡¢
¥½¥±¥Ã¥È¤Î¥í¡¼¥«¥ë¥¢¥É¥ì¥¹¤Ï¥Ñ¥±¥Ã¥È¤¬¸µ¡¹»ý¤Ã¤Æ¤¤¤¿
°¸À襢¥É¥ì¥¹¤ËÀßÄꤵ¤ì¤Þ¤¹¡£
¤³¤Î¤³¤È¤Ë¤è¤Ã¤Æ
.Xr netstat 1
¤¬½ÐÎϤ¹¤ë¥¨¥ó¥È¥ê¤Ï¼ã´³´ñ̯¤Ê¸«¤¨Êý¤Ë¤Ê¤ê¤Þ¤¹¤¬¡¢
¤³¤ì¤ÏÆ©²á¥×¥í¥¥·¥µ¡¼¥Ð¤Ç¤Î»ÈÍѤò°Õ¿Þ¤·¤Æ¤¤¤Þ¤¹¡£
.It Cm pipe Ar pipe_nr
¥Ñ¥±¥Ã¥È¤ò
.Xr dummynet 4
.Dq ¥Ñ¥¤¥×
(¥Ð¥ó¥ÉÉýÀ©¸Â¡¢ÃÙ±ä¤Ê¤É¤Ë»ÈÍѤµ¤ì¤Þ¤¹)
¤ØÅϤ·¤Þ¤¹¡£
¾Ü¤·¤¤¾ðÊó¤Ë¤Ä¤¤¤Æ¤Ï
.Sx ¥È¥é¥Õ¥£¥Ã¥¯¥·¥§¥¤¥Ñ (DUMMYNET) ÀßÄê
¥»¥¯¥·¥ç¥ó¤ò»²¾È¤·¤Æ¤¯¤À¤µ¤¤¡£
¸¡º÷¤Ï½ªÎ»¤·¤Þ¤¹¡£
¤·¤«¤·¡¢¥Ñ¥¤¥×¤«¤éÈ´¤±¤¿¤È¤¤Ë
.Xr sysctl 8
ÊÑ¿ô
.Em net.inet.ip.fw.one_pass
¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢
¥Ñ¥±¥Ã¥È¤Ï¡¢¤¹¤°¼¡¤Î¥ë¡¼¥ë¤«¤é»Ï¤Þ¤ë¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¥³¡¼¥É¤Ø
ºÆÅÙÅϤµ¤ì¤Þ¤¹¡£
.It Cm queue Ar queue_nr
¥Ñ¥±¥Ã¥È¤ò
.Xr dummynet 4
.Dq ¥¥å¡¼
(WF2Q+ ¤ò»È¤Ã¤¿¥Ð¥ó¥ÉÉýÀ©¸Â¤Ë»ÈÍѤµ¤ì¤Þ¤¹)
¤ØÅϤ·¤Þ¤¹¡£
.It Cm reject
(Èó¿ä¾©)¡£
.Cm unreach host
¤ÈƱµÁ¤Ç¤¹¡£
.It Cm reset
¤³¤Î¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤òÇË´þ¤·¤Þ¤¹¡£
¤µ¤é¤Ë¡¢¤½¤Î¥Ñ¥±¥Ã¥È¤¬ TCP ¥Ñ¥±¥Ã¥È¤Ç¤¢¤ì¤Ð¡¢
TCP ¥ê¥»¥Ã¥È (RST) ÄÌÃΤòÁ÷½Ð¤·¤è¤¦¤È»î¤ß¤Þ¤¹¡£
¸¡º÷¤Ï½ªÎ»¤·¤Þ¤¹¡£
.It Cm skipto Ar number
¤½¤ì°Ê¹ß¤Î¥ë¡¼¥ë¤Î¤¦¤Á
.Ar number
¤è¤ê¾®¤µ¤ÊÈÖ¹æ¤Î¤â¤Î¤¹¤Ù¤Æ¤òÈô¤Ó±Û¤·¤Æ¡¢
.Ar number
°Ê¾å¤ÎÈÖ¹æ¤Î¥ë¡¼¥ë¤ÇºÇ½é¤Ë¸ºß¤¹¤ë¤â¤Î¤«¤é¡¢¸¡º÷¤ò·Ñ³¤·¤Þ¤¹¡£
.It Cm tee Ar port
¤³¤Î¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ÎÊ£À½¤ò¡¢
¥Ý¡¼¥È
.Ar port
¤Ë¥Ð¥¤¥ó¥É¤µ¤ì¤¿
.Xr divert 4
¥½¥±¥Ã¥È¤ËÁ÷½Ð¤·¤Þ¤¹¡£
¸¡º÷¤Ï½ªÎ»¤·¡¢¸µ¤Î¥Ñ¥±¥Ã¥È¤Ï¼õ¤±ÉÕ¤±¤é¤ì¤Þ¤¹
(¤¿¤À¤·¡¢°Ê²¼¤Î¥»¥¯¥·¥ç¥ó
.Sx ¥Ð¥°
¤ò»²¾È¤·¤Æ²¼¤µ¤¤)¡£
.It Cm unreach Ar code
¤³¤Î¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤òÇË´þ¤·¡¢
¥³¡¼¥É
.Ar code
¤Î ICMP ÅþãÉÔ²ÄÄÌÃΤòÁ÷½Ð¤·¤è¤¦¤È»î¤ß¤Þ¤¹¡£
¤³¤³¤Ç
.Ar code
¤Ï 0 ¤«¤é 255 ¤Î¿ô»ú¡¢¤Þ¤¿¤Ï¼¡¤Î¥¨¥¤¥ê¥¢¥¹¤Î¤¤¤º¤ì¤«¤Ç¤¹:
.Cm net , host , protocol , port ,
.Cm needfrag , srcfail , net-unknown , host-unknown ,
.Cm isolated , net-prohib , host-prohib , tosnet ,
.Cm toshost , filter-prohib , host-precedence ,
.Cm precedence-cutoff
¡£
¸¡º÷¤Ï½ªÎ»¤·¤Þ¤¹¡£
.El
.Ss ¥ë¡¼¥ë¥Ü¥Ç¥£
¥ë¡¼¥ë¤Î¥Ü¥Ç¥£¤Ï 0 ¸Ä°Ê¾å¤Î¥Ñ¥¿¡¼¥ó
(Á÷¿®¸µ¤È°¸À襢¥É¥ì¥¹¤ä¥Ý¡¼¥È¤Î»ØÄê¡¢
¥×¥í¥È¥³¥ë¥ª¥×¥·¥ç¥ó¡¢¼õ¿®¤Þ¤¿¤ÏÁ÷¿®¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤Î»ØÄê¤Ê¤É)
¤ò´Þ¤ß¤Þ¤¹¡£¤³¤Î¥Ñ¥¿¡¼¥ó¤Ï
¥Ñ¥±¥Ã¥È¤ò¼±Ê̤¹¤ë¤¿¤á¤Ë¥Þ¥Ã¥Á¤·¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¤â¤Î¤Ç¤¹¡£
°ìÈ̤ˡ¢¥Ñ¥¿¡¼¥ó¤Ï (°ÅÌÛŪ¤Ë)
.Cm and
¥ª¥Ú¥ì¡¼¥¿¤ÇÀܳ¤µ¤ì¤Þ¤¹ -- ¤Ä¤Þ¤ê¡¢¥ë¡¼¥ë¤¬¥Þ¥Ã¥Á¤¹¤ë¤¿¤á¤Ë¤Ï
Á´¤Æ¤¬¥Þ¥Ã¥Á¤·¤Ê¤±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó¡£
¸Ä¡¹¤Î¥Ñ¥¿¡¼¥ó¤Ë¤Ï¡¢¥Þ¥Ã¥Á¤Î·ë²Ì¤òȿž¤µ¤»¤ë¤¿¤á¤Ë
.Cm not
¥ª¥Ú¥ì¡¼¥¿¤òÁ°ÃÖ¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
¤³¤ì¤Ï¼¡¤Î¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹¡£
.Pp
.Dl "ipfw add 100 allow ip from not 1.2.3.4 to any"
.Pp
¤µ¤é¤Ë¡¢
¼¡¤Î¤è¤¦¤Ë
.Cm or
¥ª¥Ú¥ì¡¼¥¿¤ò»ÈÍѤ·¡¢
´Ý³ç¸Ì () ¤ä ¥Ö¥ì¡¼¥¹ {} ¤Ç³ç¤é¤ì¤¿ÆâÉô¤Ë¥Ñ¥¿¡¼¥ó¤òÎóµó¤¹¤ë¤³¤È¤Ç¡¢
¿·¤·¤¤¥Þ¥Ã¥Á¥Ñ¥¿¡¼¥ó¤Î¥»¥Ã¥È (
.Em ÏÀÍýÏÂ¥Ö¥í¥Ã¥¯
) ¤ò¹½ÃÛ¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹:
.Pp
.Dl "ipfw add 100 allow ip from { x or not y or z } to any"
.Pp
³ç¸Ì¤Î¥ì¥Ù¥ë¤Ï 1 ¤Ä¤Î¤ß¤¬²Äǽ¤Ç¤¹¡£
¤Û¤È¤ó¤É¤Î¥·¥§¥ë¤¬´Ý³ç¸Ì¤ä¥Ö¥ì¡¼¥¹¤ËÆÃÊ̤ʰÕÌ£¤ò»ý¤¿¤»¤Æ¤¤¤ë¤³¤È¤Ë
Ãí°Õ¤·¤Æ²¼¤µ¤¤¡£
¤·¤¿¤¬¤Ã¤Æ¡¢¤½¤Î¤è¤¦¤Ê²ò¼á¤¬µ¯¤³¤é¤Ê¤¤¤è¤¦¤Ë¥Ð¥Ã¥¯¥¹¥é¥Ã¥·¥å \\ ¤ò
¤½¤ÎÁ°¤ËÃÖ¤¯¤³¤È¤ò´«¤á¤Þ¤¹¡£
.Pp
¥ë¡¼¥ë¤Î¥Ü¥Ç¥£¤Ï¡¢°ìÈ̤ËÁ÷¿®¸µ¤È°¸À襢¥É¥ì¥¹¤Î»ØÄê¤ò´Þ¤Þ¤Ê¤±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó¡£
¥¡¼¥ï¡¼¥É
.Ar any
¤Ïɬ¿Ü¥Õ¥£¡¼¥ë¥É¤ÎÆâÍƤ¬½ÅÍפǤʤ¤¤³¤È¤ò»ØÄꤹ¤ë¤¿¤á¤Ë
ÍÍ¡¹¤Ê²Õ½ê¤Ç»ÈÍѤ¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.Pp
¥ë¡¼¥ë¥Ü¥Ç¥£¤Ï°Ê²¼¤Î½ñ¼°¤Ç»ØÄꤷ¤Þ¤¹¡£
.Bd -ragged -offset indent
.Op Ar proto Cm from Ar src Cm to Ar dst
.Op Ar options
.Ed
.Pp
ºÇ½é¤ÎÉôʬ (proto from src to dst) ¤Ï
.Nm ipfw1
¤È¤Î¸åÊý¸ß´¹¤Î¤¿¤á¤Ë¤¢¤ê¤Þ¤¹¡£
.Nm ipfw2
¤Ç¤Ï¡¢Ç¤°Õ¤Î¥Þ¥Ã¥Á¥Ñ¥¿¡¼¥ó
(MAC ¥Ø¥Ã¥À¡¢IPv4 ¥×¥í¥È¥³¥ë¡¢¥¢¥É¥ì¥¹¡¢¥Ý¡¼¥È¤ò´Þ¤à)
¤¬
.Ar options
¥»¥¯¥·¥ç¥ó¤Ç»ØÄê¤Ç¤¤Þ¤¹¡£
.Pp
¥ë¡¼¥ë¥Õ¥£¡¼¥ë¥É¤Ï°Ê²¼¤Î°ÕÌ£¤ò»ý¤Á¤Þ¤¹¡£
.Bl -tag -width indent
.It Ar proto : protocol | Cm { Ar protocol Cm or ... }
.It Ar protocol : Oo Cm not Oc Ar protocol-name | protocol-number
IPv4 ¤Ë¤ª¤±¤ë¥×¥í¥È¥³¥ë
¤ò¡¢¿ô»ú¤ä̾Á°¤Ç»ØÄꤷ¤Þ¤¹
(´°Á´¤Ê¥ê¥¹¥È¤Ï
.Pa /etc/protocols
¤ò»²¾È¤·¤Æ²¼¤µ¤¤)¡£
.Cm ip
¤Þ¤¿¤Ï
.Cm all
¤Î¥¡¼¥ï¡¼¥É¤ò»ÈÍѤ¹¤ë¤È¡¢¤¹¤Ù¤Æ¤Î¥×¥í¥È¥³¥ë¤¬¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.Pp
.Cm { Ar protocol Cm or ... }
½ñ¼°
.Em ( ÏÀÍýÏÂ¥Ö¥í¥Ã¥¯ )
¤Ï¡¢´ÊÊؤµ¤Î¤¿¤á¤À¤±¤ËÄ󶡤µ¤ì¤Æ¤ª¤ê¡¢²ÁÃͤ¬Äã²¼¤·¤Æ¤¤¤Þ¤¹¡£
.It Ar src No and Ar dst : Bro Cm addr | Cm { Ar addr Cm or ... } Brc Op Oo Cm not Oc Ar ports
ñ°ì¤Î¥¢¥É¥ì¥¹ (¤Þ¤¿¤Ï¥ê¥¹¥È¡¢¸å½Ò) ¤Ç¡¢
¥ª¥×¥·¥ç¥ó¤È¤·¤Æ¡¢¤½¤Î¸å¤Ë
.Ar ports
»Ø¼¨»Ò¤ò³¤±¤ÆÃÖ¤¯¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.Pp
Âè 2 ¤Î½ñ¼° (Ê£¿ô¥¢¥É¥ì¥¹ÉÕ¤¤Î
.Em ÏÀÍýÏÂ¥Ö¥í¥Ã¥¯ )
¤Ï¡¢´ÊÊؤµ¤Î¤¿¤á¤À¤±¤ËÄ󶡤µ¤ì¤Æ¤ª¤ê¡¢²ÁÃͤ¬Äã²¼¤·¤Æ¤¤¤Þ¤¹¡£
.It Ar addr : Oo Cm not Oc Brq Cm any | me | Ar addr-list | Ar addr-set
.It Cm any
Ǥ°Õ¤Î IP ¥¢¥É¥ì¥¹¤¬¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm me
¥·¥¹¥Æ¥à¤Î¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤ËÀßÄꤵ¤ì¤¿Ç¤°Õ¤Î IP ¥¢¥É¥ì¥¹¤¬¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¥¢¥É¥ì¥¹¤Î¥ê¥¹¥È¤Ï¥Ñ¥±¥Ã¥È¤¬²òÀϤµ¤ì¤ë¤È¤¤Ëɾ²Á¤µ¤ì¤Þ¤¹¡£
.It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
.It Ar ip-addr :
¼¡¤ÎÊýË¡¤Ç»ØÄꤵ¤ì¤ë¡¢¥Û¥¹¥È¤â¤·¤¯¤Ï¥µ¥Ö¥Í¥Ã¥È¤Î¥¢¥É¥ì¥¹:
.Bl -tag -width indent
.It Ar numeric-ip | hostname
¥É¥Ã¥È¤Ç¶èÀڤä¿¿ô»ú 4 ¤ÄÁȤޤ¿¤Ï¥Û¥¹¥È̾¤Ç»ØÄꤷ¤¿¡¢
1 ¤Ä¤Î IPv4 ¥¢¥É¥ì¥¹¤¬¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¥Û¥¹¥È̾¤Î̾Á°²ò·è¤Ï¡¢¤½¤Î¥ë¡¼¥ë¤¬¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Î¥ê¥¹¥È¤Ë
Äɲ䵤ì¤ë¤È¤¤Ë¹Ô¤ï¤ì¤Þ¤¹¡£
.It Ar addr Ns / Ns Ar masklen
¥Ù¡¼¥¹¤È¤Ê¤ë
.Ar addr
(¥É¥Ã¥È¤Ç¶èÀڤä¿¿ô»ú 4¤ÄÁȤޤ¿¤Ï¥Û¥¹¥È̾¤Ç»ØÄꤷ¤Þ¤¹)
¤È
.Cm masklen
¥Ó¥Ã¥ÈÉý¤Î¥Þ¥¹¥¯
¤Ë°ìÃפ¹¤ëÁ´¤Æ¤Î¥¢¥É¥ì¥¹¤¬¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
Î㤨¤Ð¡¢1.2.3.4/25 ¤Ï 1.2.3.0 ¤«¤é 1.2.3.127 ¤Þ¤Ç¤Î
Á´¤Æ¤Î IP ¥¢¥É¥ì¥¹¤¬¥Þ¥Ã¥Á¤¹¤ë¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£
.It Ar addr Ns : Ns Ar mask
¥Ù¡¼¥¹¥¢¥É¥ì¥¹¤¬
.Ar addr
(¥É¥Ã¥È¤Ç¶èÀڤä¿ 4 ¤Ä¤Î¿ô»ú¤Þ¤¿¤Ï¥Û¥¹¥È̾¤Ç»ØÄꤵ¤ì¤Þ¤¹)
¤Ç¤¢¤ê¡¢¥Þ¥¹¥¯¤¬
.Ar mask
(¥É¥Ã¥È¤Ç¶èÀڤä¿ 4 ¤Ä¤Î¿ô»ú¤Ç»ØÄꤵ¤ì¤Þ¤¹)
¤Ç¤¢¤ëÁ´¤Æ¤Î¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
Î㤨¤Ð¡¢1.2.3.4/255.0.255.0 ¤Ï¡¢1.*.3.* ¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¤³¤Î·Á¼°¤Ï¡¢Ï¢Â³¤Ç¤Ê¤¤¥Þ¥¹¥¯¤Î¾ì¹ç¤Ë¤À¤±»ÈÍѤ¹¤ë¤³¤È¤ò¿ä¾©¤·¤Þ¤¹¡£
Ϣ³¤Ê¥Þ¥¹¥¯¤Î¾ì¹ç¤Ï¡¢¤è¤ê¥³¥ó¥Ñ¥¯¥È¤Ç¤è¤ê´Ö°ã¤¤¤Ë¤¯¤¤¡¢
.Ar addr Ns / Ns Ar masklen
¤ò»È¤¤¤Þ¤¹¡£
.El
.It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
.It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list
¥Ù¡¼¥¹¥¢¥É¥ì¥¹¤¬
.Ar addr
(¥É¥Ã¥È¤Ç¶èÀڤä¿¿ô»ú 4¤ÄÁȤޤ¿¤Ï¥Û¥¹¥È̾¤Ç»ØÄꤷ¤Þ¤¹)
¤Ç¤¢¤ê¡¢ºÇ¸å¤Î¥Ð¥¤¥È¤¬¥Ö¥ì¡¼¥¹ {} ¤ÎÃæ¤ËÎóµó¤µ¤ì¤Æ¤¤¤ë
Á´¤Æ¤Î¥¢¥É¥ì¥¹¤¬¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¥Ö¥ì¡¼¥¹¤È¿ô»ú¤Î´Ö¤Ë¤Ï¶õÇò¤òÃÖ¤¤¤Æ¤Ï¤¤¤±¤Ê¤¤¤³¤È¤ËÃí°Õ¤·¤Æ²¼¤µ¤¤
(¥³¥ó¥Þ¤Î¸å¤Î¶õÇò¤Ïµö¤µ¤ì¤Æ¤¤¤Þ¤¹)¡£
¥ê¥¹¥È¤ÎÍ×ÁǤϡ¢Ã±°ì¹àÌܤ⤷¤¯¤ÏÈϰϤ¬»ØÄê²Äǽ¤Ç¤¹¡£
.Ar masklen
¥Õ¥£¡¼¥ë¥É¤Ï¥¢¥É¥ì¥¹¤Î¥»¥Ã¥È¤Î¥µ¥¤¥º¤ËÀ©¸Â¤ò¤Ä¤±¤ë¤¿¤á¤Ë»ÈÍѤµ¤ì¡¢
24 ¤«¤é 32 ¤Î´Ö¤ÎǤ°Õ¤ÎÃͤò¤È¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç 24 ¤¬²¾Äꤵ¤ì¤Þ¤¹¡£
.br
¤³¤Î½ñ¼°¤Ï 1 ¤Ä¤Î¥ë¡¼¥ë¤Ç¤Þ¤Ð¤é¤Ê¥¢¥É¥ì¥¹·²¤ò¼è¤ê°·¤¦¤È¤¤Ë
ÆäËÊØÍø¤Ç¤¹¡£
¥Ó¥Ã¥È¥Þ¥¹¥¯¤ò»ÈÍѤ·¤Æ¥Þ¥Ã¥Á¤ò¹Ô¤¦¤Î¤Ç¡¢
Äê¿ô»þ´Ö¤Ç½èÍý¤Ç¤¡¢¥ë¡¼¥ë¥»¥Ã¥È¤ÎÊ£»¨¤µ¤¬·àŪ¤Ë¸º¾¯¤·¤Þ¤¹¡£
.br
Î㤨¤Ð¡¢¥¢¥É¥ì¥¹¤ò 1.2.3.4/24{128,35-55,89} ¤È¤·¤Æ»ØÄꤷ¤¿¾ì¹ç¡¢
¼¡¤Î¥¢¥É¥ì¥¹¤¬¥Þ¥Ã¥Á¤·¤Þ¤¹:
.br
1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .
.It Ar ports : Bro Ar port | port Ns \&- Ns Ar port Ns Brc Ns Op , Ns Ar ports
(TCP ¤ä UDP ¤Ê¤É¤Î¤è¤¦¤Ë) ¥Ý¡¼¥ÈÈÖ¹æ¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ë
¥×¥í¥È¥³¥ë¤Ë¤Ä¤¤¤Æ¡¢¥ª¥×¥·¥ç¥ó¤È¤·¤Æ¡¢
.Cm ports
¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
1 ¤Ä°Ê¾å¤Î¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥È¤ÎÈϰϤò¶õÇò¤Ê¤·¤Î¥³¥ó¥Þ¶èÀÚ¤ê¤Ç»ØÄꤷ¤Þ¤¹¡£
¤µ¤é¤Ë¥ª¥×¥·¥ç¥ó¤È¤·¤Æ¡¢
.Cm not
¥ª¥Ú¥ì¡¼¥¿¤òÉղ䷤ƻØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
µ¹æ
.Ql \&-
¤Ë¤è¤ëɽ¸½¤Ï¡¢¥Ý¡¼¥ÈÈÏ°Ï (ξü´Þ¤à) ¤ò»ØÄꤷ¤Þ¤¹¡£
.Pp
¥Ý¡¼¥È¿ôÃͤÎÂå¤ï¤ê¤Ë (¥Õ¥¡¥¤¥ë
.Pa /etc/services
¤«¤é¼è¤Ã¤¿) ¥µ¡¼¥Ó¥¹Ì¾¤ò»ÈÍѤǤ¤Þ¤¹¡£
¥Ý¡¼¥È¥ê¥¹¥È¤ÎŤµ¤Ï 30 ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤËÀ©¸Â¤µ¤ì¤Æ¤¤¤Þ¤¹¤¬¡¢
¥ë¡¼¥ë¤Î
.Cm options
¥»¥¯¥·¥ç¥ó¤Ç
.Em ÏÀÍýÏÂ¥Ö¥í¥Ã¥¯
¤ò»ÈÍѤ¹¤ë¤³¤È¤Ë¤è¤ê¡¢¤è¤ê¹¤¤ÈϰϤò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.Pp
¥Ð¥Ã¥¯¥¹¥é¥Ã¥·¥å
.Pq Ql \e
¤ò»ÈÍѤ¹¤ë¤³¤È¤Ë¤è¤ê¡¢¥µ¡¼¥Ó¥¹Ì¾Ãæ¤Î¥À¥Ã¥·¥å
.Pq Ql -
ʸ»ú¤ò¥¨¥¹¥±¡¼¥×²Äǽ¤Ç¤¹
(¥·¥§¥ë¤«¤éÆþÎϤ¹¤ë¤È¤¡¢
¥·¥§¥ë¼«¿È¤¬¥¨¥¹¥±¡¼¥×ʸ»ú¤È¤·¤Æ»ÈÍѤµ¤ì¤Ê¤¤¤è¤¦¤Ë¤¹¤ë¤¿¤á¤Ë¡¢
¥Ð¥Ã¥¯¥¹¥é¥Ã¥·¥å¤ò 2 ²ó¥¿¥¤¥×¤·¤Ê¤±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó)¡£
.Pp
.Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
.Pp
ÃÇÊÒ²½¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Ç¥ª¥Õ¥»¥Ã¥È¤¬Èó 0 ¤Î¤â¤Î
(¤¹¤Ê¤ï¤Á¡¢ºÇ½é¤ÎÃÇÊҤǤϤʤ¤¤â¤Î) ¤Ï¡¢
1 ¤Ä°Ê¾å¤Î¥Ý¡¼¥È»ØÄê¤ò»ý¤Ä¥ë¡¼¥ë¤Ë¤Ï¥Þ¥Ã¥Á¤·¤Þ¤»¤ó¡£
ÃÇÊÒ²½¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Ø¤Î¥Þ¥Ã¥Á¥ó¥°¤Ë´Ø¤¹¤ë¾ÜºÙ¤Ï
.Cm frag
¥ª¥×¥·¥ç¥ó¤ò»²¾È¤·¤Æ¤¯¤À¤µ¤¤¡£
.El
.Ss ¥ë¡¼¥ë¥ª¥×¥·¥ç¥ó (¥Þ¥Ã¥Á¥Ñ¥¿¡¼¥ó)
¥ë¡¼¥ëÆâ¤ÇÄɲäΥޥåÁ¥Ñ¥¿¡¼¥ó¤ò»ÈÍѤ¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
¤³¤ì¤é¤Ï¥ë¡¼¥ëÆâ¤Ë 0 ¸Ä°Ê¾åÃÖ¤±¤ë¤Î¤Ç
.Em ¥ª¥×¥·¥ç¥ó
¤È¸Æ¤Ð¤ì¤Æ¤ª¤ê¡¢¥ª¥×¥·¥ç¥ó¤Ç
.Cm not
¥ª¥Ú¥é¥ó¥É¤òÁ°ÃÖ¤¹¤ë¤³¤È¤¬¤Ç¤¡¢
.Em ÏÀÍýÏÂ¥Ö¥í¥Ã¥¯
¤È¤·¤Æ¥°¥ë¡¼¥×²½¤¹¤ë¤³¤È¤¬²Äǽ¤Ç¤¹¡£
.Pp
°Ê²¼¤Î¥Þ¥Ã¥Á¥Ñ¥¿¡¼¥ó¤¬»ÈÍѤǤ¤Þ¤¹ (¥¢¥ë¥Õ¥¡¥Ù¥Ã¥È½ç¤Ëʤ٤Ƥ¤¤Þ¤¹)¡£
.Bl -tag -width indent
.It Cm // this is a comment.
»ØÄꤷ¤¿¥Æ¥¥¹¥È¤ò¡¢¥ë¡¼¥ëÃæ¤Ë¥³¥á¥ó¥È¤È¤·¤ÆÁÞÆþ¤·¤Þ¤¹¡£
// ¤Ë³¤¯¤¹¤Ù¤Æ¤¬¥³¥á¥ó¥È¤È¤·¤Æ°·¤ï¤ì¡¢¥ë¡¼¥ëÃæ¤Ë³ÊǼ¤µ¤ì¤Þ¤¹¡£
¥³¥á¥ó¥È¤Î¤ß¤Î¥ë¡¼¥ë¤ò»ý¤Ä¤³¤È¤â²Äǽ¤Ç¤¢¤ê¡¢¤½¤ì¤Ï
.Cm count
¥¢¥¯¥·¥ç¥ó¤Ë³¤¤¤Æ¥³¥á¥ó¥È¤¬É½¼¨¤µ¤ì¤Þ¤¹¡£
.It Cm bridged
¥Ö¥ê¥Ã¥¸¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm dst-ip Ar ip-address
°¸Àè IP ¥¢¥É¥ì¥¹¤¬°ú¿ô¤Ç»ØÄꤷ¤¿¥¢¥É¥ì¥¹¤Î 1 ¤Ä¤Ç¤¢¤ë
IP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm dst-port Ar ports
°¸Àè¥Ý¡¼¥È¤¬°ú¿ô¤Ç»ØÄꤷ¤¿¥Ý¡¼¥È¤Î 1 ¤Ä¤Ç¤¢¤ë
IP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm established
RST ¤« ACK ¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë TCP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm frag
IP ¥Ç¡¼¥¿¥°¥é¥à¤Î¥Õ¥é¥°¥á¥ó¥È¤Ç¤¢¤ê¡¢¤«¤Ä¡¢ºÇ½é¤Î¥Õ¥é¥°¥á¥ó¥È¤Ç¤Ê¤¤
¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¤³¤ì¤é¤Î¥Ñ¥±¥Ã¥È¤Ï¼¡¤Î¥×¥í¥È¥³¥ë¥Ø¥Ã¥À (Î㤨¤Ð TCP, UDP) ¤ò»ý¤¿¤Ê¤¤¤Î¤Ç¡¢
¤³¤ì¤é¤Î¥Ø¥Ã¥À¤òÄ´¤Ù¤ë¥ª¥×¥·¥ç¥ó¤Ï¥Þ¥Ã¥Á¤¹¤ë¤³¤È¤¬¤Ç¤¤Ê¤¤¤³¤È¤Ë
Ãí°Õ¤·¤Æ²¼¤µ¤¤¡£
.It Cm gid Ar group
.Ar group
¤Ë¤è¤Ã¤ÆÁ÷¿®¤µ¤ì¤¿¡¢¤Þ¤¿¤Ï¤½¤ì¤ËÂФ·¤Æ¼õ¿®¤µ¤ì¤¿
Á´¤Æ¤Î TCP ¤â¤·¤¯¤Ï UDP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.Ar group
¤Ï̾Á°¤«¿ôÃͤǻØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.It Cm icmptypes Ar types
.Ar types
¤Ç»ØÄꤷ¤¿¥ê¥¹¥ÈÃæ¤Ë¸ºß¤¹¤ë ICMP ¥¿¥¤¥×¤ò»ý¤Ä
ICMP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¥ê¥¹¥È¤Ï¥¿¥¤¥×¤ª¤Î¤ª¤Î¤ò¥³¥ó¥Þ¤Ç¶èÀڤ俤â¤Î¤Ç¤¹¡£
.Em ÈϰϤϵö¤µ¤ì¤Þ¤»¤ó¡£
¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤ë ICMP ¥¿¥¤¥×¤Ï¼¡¤ÎÄ̤ê¤Ç¤¹¡£
.Pp
¥¨¥³¡¼±þÅú
.Pq Cm 0 ,
°¸ÀèÅþãÉÔ²Ä
.Pq Cm 3 ,
ȯ¿®¸µÍÞÀ©
.Pq Cm 4 ,
¥ê¥À¥¤¥ì¥¯¥È
.Pq Cm 5 ,
¥¨¥³¡¼Í×µá
.Pq Cm 8 ,
¥ë¡¼¥¿¹¹ð
.Pq Cm 9 ,
¥ë¡¼¥¿Í×ÀÁ
.Pq Cm 10 ,
»þ´ÖĶ²á
.Pq Cm 11 ,
IP ¥Ø¥Ã¥À°Û¾ï
.Pq Cm 12 ,
¥¿¥¤¥à¥¹¥¿¥ó¥×Í×µá
.Pq Cm 13 ,
¥¿¥¤¥à¥¹¥¿¥ó¥×±þÅú
.Pq Cm 14 ,
¥¤¥ó¥Õ¥©¥á¡¼¥·¥ç¥óÍ×µá
.Pq Cm 15 ,
¥¤¥ó¥Õ¥©¥á¡¼¥·¥ç¥óÊÖÅú
.Pq Cm 16 ,
¥¢¥É¥ì¥¹¥Þ¥¹¥¯Í×µá
.Pq Cm 17 ,
¥¢¥É¥ì¥¹¥Þ¥¹¥¯±þÅú
.Pq Cm 18
.It Cm in | out
¤½¤ì¤¾¤ìÅþÃå¤Þ¤¿¤ÏÁ÷½Ð¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.Cm in
¤È
.Cm out
¤Ï¸ß¤¤¤ËÇÓ¾Ū¤Ç¤¹
(¼ÂºÝ¡¢
.Cm out
¤Ï
.Cm not in Ns
¤È¤·¤Æ¼ÂÁõ¤µ¤ì¤Æ¤¤¤Þ¤¹)¡£
.It Cm ipid Ar id-list
.Cm ip_id
¥Õ¥£¡¼¥ë¥É¤¬
.Ar id-list
¤Ë´Þ¤Þ¤ì¤ë IP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.Ar id-list
¤Ï¡¢Ã±°ì¤ÎÃͤ«¡¢
.Ar ports
¤ÈƱÅù¤ÎÊýË¡¤Ç»ØÄꤵ¤ì¤ë¡¢ÃͤΥꥹ¥È¤«ÈϰϤǤ¹¡£
.It Cm iplen Ar len-list
¥Ø¥Ã¥À¤È¥Ç¡¼¥¿¤ò´Þ¤ó¤ÀÁ´ÂΤÎŤµ¤¬
.Ar len-list
¤Ë´Þ¤Þ¤ì¤ë IP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.Ar len-list
¤Ï¡¢Ã±°ì¤ÎÃͤ«¡¢
.Ar ports
¤ÈƱÅù¤ÎÊýË¡¤Ç»ØÄꤵ¤ì¤ë¡¢ÃͤΥꥹ¥È¤«ÈϰϤǤ¹¡£
.It Cm ipoptions Ar spec
.Ar spec
¤Ç»ØÄꤷ¤¿¥³¥ó¥Þ¶èÀÚ¤ê¥ê¥¹¥È¥ª¥×¥·¥ç¥ó¤ò´Þ¤à IP ¥Ø¥Ã¥À¤ò»ý¤Ä
¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
IP ¥ª¥×¥·¥ç¥ó¤Ï¼¡¤Î¤â¤Î¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Þ¤¹:
.Pp
.Cm ssrr
(¥¹¥È¥ê¥¯¥È¥½¡¼¥¹¥ë¡¼¥Æ¥£¥ó¥°),
.Cm lsrr
(¥ë¡¼¥º¥½¡¼¥¹¥ë¡¼¥Æ¥£¥ó¥°),
.Cm rr
(¥ì¥³¡¼¥É¥ë¡¼¥È),
.Cm ts
(¥¿¥¤¥à¥¹¥¿¥ó¥×)¡£
.Ql \&!
¤òÃÖ¤¯¤³¤È¤ÇÆÃÄê¤Î¥ª¥×¥·¥ç¥ó¤¬Â¸ºß¤·¤Ê¤¤¤È¤¤¤¦µ½Ò¤¬¤Ç¤¤Þ¤¹¡£
.It Cm ipprecedence Ar precedence
Àè¹Ô¥Õ¥£¡¼¥ë¥É¤¬
.Ar precedence
¤ËÅù¤·¤¤ IP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm ipsec
IPSEC ¥Ò¥¹¥È¥ê¤ò»ý¤Ä¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹
(¤¹¤Ê¤ï¤Á¡¢ÆþÎϥѥ±¥Ã¥È¤¬ IPSEC ¤Ç¥«¥×¥»¥ë²½¤µ¤ì¤Æ¤ª¤ê¡¢
¥«¡¼¥Í¥ë¤¬ IPSEC ¤È IPSEC_FILTERGIF ¤Î¥ª¥×¥·¥ç¥ó¤ò¥µ¥Ý¡¼¥È¤·¡¢
Àµ¤·¤¯¥Ñ¥±¥Ã¥È¤Î¥«¥×¥»¥ë²½¤ò²ò½ü¤Ç¤¤¿¾ì¹ç¤Ç¤¹)¡£
.Pp
.Cm ipsec
¤ò»ØÄꤹ¤ë¤³¤È¤Ï¡¢
.Cm proto Ar ipsec
¤ò»ØÄꤹ¤ë¤³¤È¤È¤Ï°ã¤¤¤Þ¤¹¡£
²¿¸Î¤Ê¤é¸å¼Ô¤Ï¡¢IPSEC ¥«¡¼¥Í¥ë¥µ¥Ý¡¼¥È¤ÎÍ̵¤ª¤è¤Ó IPSEC ¥Ç¡¼¥¿¤ÎÀµÅöÀ
¤Ë¤«¤«¤ï¤é¤º¡¢ÆÃÄê¤Î IP ¥×¥í¥È¥³¥ë¥Õ¥£¡¼¥ë¥É¤Î¤ß¤ò¸«¤ë¤«¤é¤Ç¤¹¡£
.It Cm iptos Ar spec
.Ar spec
¤Ç»ØÄꤷ¤¿¥³¥ó¥Þ¶èÀÚ¤ê¥ê¥¹¥È¤Î¥µ¡¼¥Ó¥¹¥¿¥¤¥×¤ò´Þ¤à
.Cm tos
¥Õ¥£¡¼¥ë¥É¤ò»ý¤Ä
IP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤ë¥µ¡¼¥Ó¥¹¤Î IP ¥¿¥¤¥×¤Ï¼¡¤ÎÄ̤ê¤Ç¤¹¡£
.Pp
.Cm lowdelay
.Pq Dv IPTOS_LOWDELAY ,
.Cm throughput
.Pq Dv IPTOS_THROUGHPUT ,
.Cm reliability
.Pq Dv IPTOS_RELIABILITY ,
.Cm mincost
.Pq Dv IPTOS_MINCOST ,
.Cm congestion
.Pq Dv IPTOS_CE
¡£
.Ql \&!
¤òÃÖ¤¯¤³¤È¤ÇÆÃÄê¤Î¥ª¥×¥·¥ç¥ó¤¬Â¸ºß¤·¤Ê¤¤¤È¤¤¤¦µ½Ò¤¬¤Ç¤¤Þ¤¹¡£
.It Cm ipttl Ar ttl-list
À¸Â¸»þ´Ö¤¬
.Ar ttl-list
¤Ë´Þ¤Þ¤ì¤ë IP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.Ar ttl-list
¤Ï¡¢Ã±°ì¤ÎÃͤ«¡¢
.Ar ports
¤ÈƱÅù¤ÎÊýË¡¤Ç»ØÄꤵ¤ì¤ë¡¢ÃͤΥꥹ¥È¤«ÈϰϤǤ¹¡£
.It Cm ipversion Ar ver
IP ¥Ð¡¼¥¸¥ç¥ó¥Õ¥£¡¼¥ë¥É¤¬
.Ar ver
¤Ç¤¢¤ë IP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm keep-state
¥Þ¥Ã¥Á¤¹¤ëºÝ¤Ë¡¢¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ÏưŪ¥ë¡¼¥ë¤òºîÀ®¤·¤Þ¤¹¡£
ºîÀ®¤µ¤ì¤ë¥ë¡¼¥ë¤Ï¡¢¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¡¢Æ±¤¸¥×¥í¥È¥³¥ë¤ò»ÈÍѤ·¤Æ¤¤¤ë
ȯ¿®¸µ¤È°¸Àè IP/¥Ý¡¼¥È´Ö¤Ç¤ÎÁÐÊý¸þ¤Î¥È¥é¥Õ¥£¥Ã¥¯¤Ë¥Þ¥Ã¥Á¤¹¤ë¤è¤¦¤Ê
Æ°ºî¤È¤Ê¤ê¤Þ¤¹¡£
¤³¤Î¥ë¡¼¥ë¤Ë¤Ï͸¤ÎÀ¸Â¸»þ´Ö (
.Xr sysctl 8
ÊÑ¿ô¤Î½¸¹ç¤Ë¤è¤êÀ©¸æ¤µ¤ì¤Þ¤¹)
¤¬¤¢¤ê¡¢
À¸Â¸»þ´Ö¤Ï¥Þ¥Ã¥Á¤¹¤ë¥Ñ¥±¥Ã¥È¤¬¸«¤Ä¤«¤ë¤¿¤Ó¤Ë¥ê¥Õ¥ì¥Ã¥·¥å¤µ¤ì¤Þ¤¹¡£
.It Cm layer2
¥ì¥¤¥ä 2 ¤Î¥Ñ¥±¥Ã¥È¡¢
¤Ä¤Þ¤ê¡¢
ether_demux() ¤È ether_output_frame() ¤«¤é
.Nm
¤ØÅϤµ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¤ß¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Ï¡¢
¤³¤Î¥ë¡¼¥ë¤Ç»ØÄꤷ¤¿¤â¤Î¤ÈƱ¤¸¥Ñ¥é¥á¡¼¥¿¤Î½¸¹ç¤ò»ý¤ÄÀܳ¤ò¡¢
.Ar N
¸Ä¤À¤±µö²Ä¤·¤Þ¤¹¡£
1 ¤Ä°Ê¾å¤Îȯ¿®¸µ¤È°¸À襢¥É¥ì¥¹¤ª¤è¤Ó¥Ý¡¼¥È¤¬»ØÄê¤Ç¤¤Þ¤¹¡£
.It Cm { MAC | mac } Ar dst-mac src-mac
Í¿¤¨¤é¤ì¤¿
.Ar dst-mac
¥¢¥É¥ì¥¹¤È
.Ar src-mac
¥¢¥É¥ì¥¹¤ò»ý¤Ä¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¥¢¥É¥ì¥¹¤Ï¡¢
.Cm any
¥¡¼¥ï¡¼¥É (Ǥ°Õ¤Î MAC ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹) ¤Þ¤¿¤Ï
¥³¥í¥ó¤Ç¶èÀڤä¿ 16 ¿Ê¿ô 6 ¸Ä¤ÎÁȤǻØÄꤷ¤Þ¤¹¡£
¤³¤Î 6 ¸ÄÁÈ¥¢¥É¥ì¥¹¤Î¸å¤í¤Ë¤Ï¡¢¥ª¥×¥·¥ç¥ó¤È¤·¤Æ¡¢
½ÅÍפʥӥåȤòɽ¸½¤¹¤ë¥Þ¥¹¥¯¤ò¤Ä¤±¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
¥Þ¥¹¥¯¤Ï¼¡¤Î¤¤¤º¤ì¤«¤ÎÊýË¡¤Ç»ØÄê²Äǽ¤Ç¤¹:
.Bl -enum -width indent
.It
¥¹¥é¥Ã¥·¥å
.Pq /
¤Ë³¤±¤Æ¡¢½ÅÍפʥӥåȿô¤ò»ØÄꤷ¤Þ¤¹¡£
Î㤨¤Ð¡¢½ÅÍפʥӥåȤ¬ 33 ¥Ó¥Ã¥È¤Ç¤¢¤ë¥¢¥É¥ì¥¹¤Ï¼¡¤Î¤è¤¦¤Ë»ØÄꤷ¤Þ¤¹:
.Pp
.Dl "MAC 10:20:30:40:50:60/33 any"
.Pp
.It
¥¢¥ó¥Ñ¥µ¥ó¥É
.Pq &
¤Ë³¤±¤Æ¡¢
¥³¥í¥ó¶èÀÚ¤ê¤Î 6 ÁȤΠ16 ¿Ê¿ô¤È¤·¤Æ»ØÄꤵ¤ì¤ë¥Ó¥Ã¥È¥Þ¥¹¥¯¤ò»ØÄꤷ¤Þ¤¹¡£
Î㤨¤Ð¡¢ºÇ¸å¤Î 16 ¥Ó¥Ã¥È¤¬½ÅÍפǤ¢¤ë¥¢¥É¥ì¥¹¤Ï¼¡¤Î¤è¤¦¤Ë»ØÄꤷ¤Þ¤¹:
.Pp
.Dl "MAC 10:20:30:40:50:60&00:00:00:00:ff:ff any"
.Pp
¿¤¯¤Î¥·¥§¥ë¤Ç¥¢¥ó¥Ñ¥µ¥ó¥Éʸ»ú¤ÏÆÃÊ̤ʰÕÌ£¤ò»ý¤Á¤Þ¤¹¤Î¤Ç¡¢
ÉáÄ̤ϥ¨¥¹¥±¡¼¥×¤¬É¬ÍפǤ¢¤ë¤³¤È¤ËÃí°Õ¤·¤Æ¤¯¤À¤µ¤¤¡£
.Pp
.El
MAC ¥¢¥É¥ì¥¹¤Î½ç½ø (°¸À褬ºÇ½é¤Ç 2 ÈÖÌܤËȯ¿®¸µ) ¤Ï
ʪÍýŪ¤ÊÀþ¾å¤Î¤â¤Î¤ÈƱ¤¸¤Ç¤¹¤¬¡¢
IP ¥¢¥É¥ì¥¹¤Ç»ÈÍѤµ¤ì¤ë¤â¤Î¤È¤ÏÈ¿ÂФǤ¢¤ë¤³¤È¤ËÃí°Õ¤·¤Æ²¼¤µ¤¤¡£
.It Cm mac-type Ar mac-type
¥¤¡¼¥µ¥Í¥Ã¥È¥¿¥¤¥×¥Õ¥£¡¼¥ë¥É¤¬
°ú¿ô¤Ç»ØÄꤷ¤¿¤â¤Î¤Î 1 ¤Ä¤È°ìÃפ¹¤ë
¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.Ar mac-type
¤Ï
.Cm port numbers
¤ÈƱ¤¸ÊýË¡¤Ç»ØÄꤷ¤Þ¤¹
(¤Ä¤Þ¤ê¡¢Ã±°ì¤ÎÃͤޤ¿¤ÏÈϰϤ¬¡¢1 ¸Ä°Ê¾å¥³¥ó¥Þ¤Ç¶èÀÚ¤é¤ì¤¿¤â¤Î¤Ç¤¹)¡£
.Em vlan , ipv4 , ipv6
¤Î¤è¤¦¤Ê´ûÃΤÎÃͤËÂФ·¤Æ¤Ï¡¢¥·¥ó¥Ü¥ë̾¾Î¤ò»ÈÍѤ¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
ÃÍ¤Ï 10 ¿Ê¿ô¤« 16 ¿Ê¿ô (0x ¤¬Æ¬¤Ë¤Ä¤¯¾ì¹ç) ¤ÇÆþÎϤ¹¤ë¤³¤È¤¬¤Ç¤¡¢
¾ï¤Ë 16 ¿Ê¿ô¤Ç½ÐÎϤµ¤ì¤Þ¤¹ (¤³¤ì¤Ï
.Cm -N
¥ª¥×¥·¥ç¥ó¤¬»ÈÍѤµ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ç¤¹¡£
.Cm -N
¥ª¥×¥·¥ç¥ó¤¬»ÈÍѤµ¤ì¤ë¤È¥·¥ó¥Ü¥ë̾¾Î¤Î²ò·è¤¬»î¤ß¤é¤ì¤Þ¤¹)¡£
.It Cm proto Ar protocol
Âбþ¤¹¤ë IPv4 ¤Î¥×¥í¥È¥³¥ë¤ò»ý¤Ä¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar ipno | Ar any
»ØÄꤷ¤¿¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤«¤é
¼õ¿®¤·¤¿¥Ñ¥±¥Ã¥È¡¢Á÷¿®¤·¤¿¥Ñ¥±¥Ã¥È¡¢Ä̲ᤷ¤¿¥Ñ¥±¥Ã¥È¤¬
¤½¤ì¤¾¤ì¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤Î»ØÄê¤Ï¡¢Àµ³Î¤Ê̾Á°
.Ns No ( Ar ifX Ns No ) ¡¢
¤Þ¤¿¤Ï¥Ç¥Ð¥¤¥¹Ì¾
.Ns No ( Ar if Ns Ar * Ns No ) ¡¢
IP ¥¢¥É¥ì¥¹¤Ç¹Ô¤Ê¤¦¤«¡¢
¤â¤·¤¯¤Ï²¿¤é¤«¤Î¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤òÄ̤¸¤Æ¹Ô¤Ê¤¤¤Þ¤¹¡£
.Pp
.Cm via
¥¡¼¥ï¡¼¥É¤Ë¤è¤ê¡¢»ØÄꤷ¤¿¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤¬¾ï¤Ë¥Á¥§¥Ã¥¯¤µ¤ì¤ë
¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£
.Cm recv
¤ä
.Cm xmit
¤¬
.Cm via
¤ÎÂå¤ï¤ê¤Ë»ÈÍѤµ¤ì¤¿¾ì¹ç¡¢
¤½¤ì¤¾¤ì¡¢¼õ¿®¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤Î¤ß¡¢¤Þ¤¿¤ÏÁ÷¿®¥¤¥ó¥¿¥Õ¥§¡¼¥¹
¤Î¤ß¤¬¥Á¥§¥Ã¥¯¤µ¤ì¤Þ¤¹¡£
ξÊý¤È¤â»ØÄꤷ¤¿¾ì¹ç¡¢
Á÷¿®¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤È¼õ¿®¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤ÎξÊý¤Ë´ð¤Å¤¯
¥Ñ¥±¥Ã¥È¤Î¥Þ¥Ã¥Á¤¬²Äǽ¤Ë¤Ê¤ê¤Þ¤¹¡£
Î㤨¤Ð¼¡¤Î¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹¡£
.Pp
.Dl "ipfw add deny ip from any to any out recv ed0 xmit ed1"
.Pp
.Cm recv
¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤ÏÅþÃå¤Þ¤¿¤ÏÁ÷½Ð¥Ñ¥±¥Ã¥È¤Î¤É¤Á¤é¤«¤Ë¤Ä¤¤¤Æ
¸¡ºº¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¤¬¡¢
.Cm xmit
¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤ÏÁ÷½Ð¥Ñ¥±¥Ã¥È¤Î¤ß¤Ë¤Ä¤¤¤Æ¸¡ºº¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
¤·¤¿¤¬¤Ã¤Æ
.Cm xmit
¤ò»ÈÍѤ¹¤ë¾ì¹ç¤Ë¤Ï
.Cm out
¤Ïɬ¿Ü¤Ç¤¹ (¤½¤·¤Æ
.Cm in
¤Ï̵¸ú¤È¤Ê¤ê¤Þ¤¹)¡£
.Pp
¥Ñ¥±¥Ã¥È¤¬¼õ¿®¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤äÁ÷¿®¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤ò»ý¤¿¤Ê¤¤¤³¤È¤¬¤¢¤ê¤Þ¤¹¡£
¥í¡¼¥«¥ë¥Û¥¹¥È¤«¤éȯÀ¸¤·¤¿¥Ñ¥±¥Ã¥È¤Ï¼õ¿®¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤ò»ý¤Á¤Þ¤»¤ó¤·¡¢
¥í¡¼¥«¥ë¥Û¥¹¥È¤ËÅþÃ夹¤ëͽÄê¤Î¥Ñ¥±¥Ã¥È¤ÏÁ÷¿®¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤ò»ý¤Á¤Þ¤»¤ó¡£
.It Cm setup
SYN ¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¤¬ ACK ¥Ó¥Ã¥È¤ò»ý¤¿¤Ê¤¤
TCP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¤³¤ì¤Ï
.Dq Li tcpflags\ syn,!ack
¤Îû½Ì·Á¤Ç¤¹¡£
.It Cm src-ip Ar ip-address
°ú¿ô¤Ç»ØÄꤷ¤¿¥¢¥É¥ì¥¹¤Î 1 ¸Ä¤òȯ¿®¸µ IP ¤È¤·¤Æ»ý¤Ä
IP ¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm src-port Ar ports
°ú¿ô¤Ç»ØÄꤷ¤¿¥Ý¡¼¥È¤Î 1 ¸Ä¤òȯ¿®¸µ¥Ý¡¼¥È¤È¤·¤Æ»ý¤Ä
IP ¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm tcpack Ar ack
TCP ¥Ñ¥±¥Ã¥È¤Î¤ß¤Ç¤¹¡£
TCP ¥Ø¥Ã¥À¤Î³Îǧ±þÅúÈÖ¹æ¥Õ¥£¡¼¥ë¥É¤¬
.Ar ack
¤ËÀßÄꤵ¤ì¤Æ¤¤¤ì¤Ð¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm tcpflags Ar spec
TCP ¥Ñ¥±¥Ã¥È¤Î¤ß¤Ç¤¹¡£
TCP ¥Ø¥Ã¥À¤¬
.Ar spec
¤Ç»ØÄꤷ¤¿¥³¥ó¥Þ¶èÀÚ¤ê¤Î¥Õ¥é¥°¤Î¥ê¥¹¥È¤ò´Þ¤ó¤Ç¤¤¤ì¤Ð¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤ë TCP ¥Õ¥é¥°¤Ï¼¡¤ÎÄ̤ê¤Ç¤¹¡£
.Pp
.Cm fin ,
.Cm syn ,
.Cm rst ,
.Cm psh ,
.Cm ack ,
.Cm urg
¡£
.Ql \&!
¤òÃÖ¤¯¤³¤È¤ÇÆÃÄê¤Î¥Õ¥é¥°¤¬Â¸ºß¤·¤Ê¤¤¤È¤¤¤¦µ½Ò¤¬¤Ç¤¤Þ¤¹¡£
.Cm tcpflags
¤Î»ØÄê¤ò´Þ¤à¥ë¡¼¥ë¤Ï¡¢0 ¤Ç¤Ê¤¤¥ª¥Õ¥»¥Ã¥È¤ò»ý¤Ä¥Õ¥é¥°¥á¥ó¥È¥Ñ¥±¥Ã¥È¤Ë¤Ï
·è¤·¤Æ¥Þ¥Ã¥Á¤¹¤ë¤³¤È¤Ï¤¢¤ê¤¨¤Þ¤»¤ó¡£
¥Õ¥é¥°¥á¥ó¥È¥Ñ¥±¥Ã¥È¤Î¥Þ¥Ã¥Á¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ï
.Cm frag
¥ª¥×¥·¥ç¥ó¤ò»²¾È¤·¤Æ²¼¤µ¤¤¡£
.It Cm tcpseq Ar seq
TCP ¥Ñ¥±¥Ã¥È¤Î¤ß¤Ç¤¹¡£
TCP ¥Ø¥Ã¥À¤Î¥·¡¼¥±¥ó¥¹ÈÖ¹æ¥Õ¥£¡¼¥ë¥É¤¬
.Ar seq
¤ËÀßÄꤵ¤ì¤Æ¤¤¤ì¤Ð¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm tcpwin Ar win
TCP ¥Ñ¥±¥Ã¥È¤Î¤ß¤Ç¤¹¡£
TCP ¥Ø¥Ã¥À¤Î¥¦¥£¥ó¥É¥¦¥Õ¥£¡¼¥ë¥É¤¬
.Ar win
¤ËÀßÄꤵ¤ì¤Æ¤¤¤ì¤Ð¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm tcpoptions Ar spec
TCP ¥Ñ¥±¥Ã¥È¤Î¤ß¤Ç¤¹¡£
.Ar spec
¤Ç»ØÄꤷ¤¿¥³¥ó¥Þ¶èÀÚ¤ê¤Î¥ª¥×¥·¥ç¥ó¤Î¥ê¥¹¥È¤¬
TCP ¥Ø¥Ã¥À¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ì¤Ð¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤ë TCP ¥ª¥×¥·¥ç¥ó¤Ï¼¡¤ÎÄ̤ê¤Ç¤¹¡£
.Pp
.Cm mss
(ºÇÂ祻¥°¥á¥ó¥È¥µ¥¤¥º),
.Cm window
(TCP ¥¦¥£¥ó¥É¥¦¹¹ð),
.Cm sack
(ÁªÂòŪ ACK),
.Cm ts
(RFC1323 ¥¿¥¤¥à¥¹¥¿¥ó¥×),
.Cm cc
(RFC1644 T/TCP ¥³¥Í¥¯¥·¥ç¥ó¥«¥¦¥ó¥È)¡£
.Ql \&!
¤òÃÖ¤¯¤³¤È¤ÇÆÃÄê¤Î¥ª¥×¥·¥ç¥ó¤¬Â¸ºß¤·¤Ê¤¤¤È¤¤¤¦µ½Ò¤¬¤Ç¤¤Þ¤¹¡£
.It Cm uid Ar user
.Ar user
¤¬Á÷¿®¤·¤¿¤Þ¤¿¤Ï¼õ¿®¤¹¤ë¡¢
¤¹¤Ù¤Æ¤Î TCP ¥Ñ¥±¥Ã¥È¤È UDP ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.Ar user
¤Ï¡¢Ì¾Á°¤Ç¤â ID ÈÖ¹æ¤Ç¤â¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.It Cm verrevpath
Æâ¸þ¤¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ¤Ï¡¢¥Ñ¥±¥Ã¥È¤Î¥½¡¼¥¹¥¢¥É¥ì¥¹¤ËÂФ·¡¢
·ÐÏ©¥Æ¡¼¥Ö¥ë¤¬¸¡º÷¤µ¤ì¤Þ¤¹¡£
¥Ñ¥±¥Ã¥È¤¬¥·¥¹¥Æ¥à¤ËÆþ¤Ã¤ÆÍ褿¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤È¡¢
·ÐÏ©¤Î½ÐÎÏ¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤¬¥Þ¥Ã¥Á¤¹¤ë¾ì¹ç¡¢
¥Ñ¥±¥Ã¥È¤Ï¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤¬¥Þ¥Ã¥Á¤·¤Ê¤¤¾ì¹ç¡¢¥Ñ¥±¥Ã¥È¤Ï¥Þ¥Ã¥Á¤·¤Þ¤»¤ó¡£
³°¸þ¤¥Ñ¥±¥Ã¥È¤ä¡¢ÆþÎÏ¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤ò»ý¤¿¤Ê¤¤¥Ñ¥±¥Ã¥È¤Ï¡¢¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
.Pp
¤³¤Î¥ª¥×¥·¥ç¥ó¤Î̾¾Î¤Èµ¡Ç½¤Ï¡¢°Õ¿ÞŪ¤Ë²¼µ Cisco IOS ¥³¥Þ¥ó¥É¤ÈƱ¤¸¤Ç¤¹:
.Pp
.Dl ip verify unicast reverse-path
.Pp
ËÜ¥ª¥×¥·¥ç¥ó¤Ï¡¢ÂÐ¥¹¥×¡¼¥Õ¥£¥ó¥°¥ë¡¼¥ë¤òºîÀ®¤¹¤ë¤Î¤Ë»ÈÍѲÄǽ¤Ç¤¹¡£
.El
.Sh ¥ë¡¼¥ë¤Î¥»¥Ã¥È
³Æ¥ë¡¼¥ë¤Ï 32 ¸Ä¤Î°Û¤Ê¤ë
.Em ¥»¥Ã¥È
¤Î¤Ò¤È¤Ä¤Ë°¤·¤Æ¤¤¤Þ¤¹¡£¥»¥Ã¥È¤Ë¤Ï 0 ¤«¤é 31 ¤Þ¤Ç¤ÎÈÖ¹æ¤ò¤Ä¤±¤é¤ì¤Æ¤¤¤Þ¤¹¡£
¥»¥Ã¥È 31 ¤Ï¥Ç¥Õ¥©¥ë¥È¥ë¡¼¥ë¤Î¤¿¤á¤ËͽÌ󤵤ì¤Æ¤¤¤Þ¤¹¡£
.Pp
¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¡¢
¿·µ¬¤Î¥ë¡¼¥ë¤òÆþÎϤ¹¤ëºÝ¤Ë
.Cm set N
¥¢¥È¥ê¥Ó¥å¡¼¥È¤ò»ÈÍѤ·¤Ê¤±¤ì¤Ð¡¢
¥ë¡¼¥ë¤Ï¥»¥Ã¥È 0 ¤ËÃÖ¤«¤ì¤Þ¤¹¡£
¥»¥Ã¥È¤Ï¸ÄÊ̤ˡ¢¤«¤Ä¡¢¥¢¥È¥ß¥Ã¥¯¤Ë͸ú²½¤·¤¿¤ê̵¸ú²½¤·¤¿¤ê¤Ç¤¤ë¤Î¤Ç¡¢
¤³¤Îµ¡¹½¤Ë¤è¤Ã¤Æ¡¢¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ÎÀßÄê¤òÊ£¿ô¸Ä³ÊǼ¤·¡¢
¤½¤ì¤é¤òÁÇÁ᤯ (¤«¤Ä¥¢¥È¥ß¥Ã¥¯¤Ë) ÀÚ¤êÂؤ¨¤ë¤¿¤á¤ÎÊýË¡¤¬
´Êñ¤Ë¤Ê¤ê¤Þ¤¹¡£
¥»¥Ã¥È¤ò͸ú²½/̵¸ú²½¤¹¤ë¥³¥Þ¥ó¥É¤Ï¼¡¤ÎÄ̤ê¤Ç¤¹¡£
.Bd -ragged -offset indent
.Nm
.Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ...
.Ed
.Pp
¤³¤³¤Ç¤ÏÊ£¿ô¤Î
.Cm enable
¤Þ¤¿¤Ï
.Cm disable
¥»¥¯¥·¥ç¥ó¤¬»ØÄê²Äǽ¤Ç¤¹¡£
¥³¥Þ¥ó¥É¤Ç»ØÄꤷ¤¿¥»¥Ã¥ÈÁ´¤Æ¤Ë¤Ä¤¤¤Æ¡¢
¥³¥Þ¥ó¥É¤Ï¥¢¥È¥ß¥Ã¥¯¤Ë¼Â¹Ô¤µ¤ì¤Þ¤¹¡£
¥Ç¥Õ¥©¥ë¥È¤Ç¤ÏÁ´¤Æ¤Î¥»¥Ã¥È¤Ï͸ú²½¤µ¤ì¤¿¾õÂ֤Ǥ¹¡£
.Pp
¥»¥Ã¥È¤ò̵¸ú²½¤¹¤ë¤È¡¢¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ÎÀßÄêÃæ¤Ë¤½¤Î¥ë¡¼¥ë¤¬
¸ºß¤·¤Ê¤¤¤«¤Î¤è¤¦¤Ë¿¶¤ëÉñ¤¤¤Þ¤¹¡£
¤¿¤À¤·Îã³°¤¬ 1 ¤Ä¤À¤±¤¢¤ê¤Þ¤¹¡£
.Bd -ragged -offset indent
̵¸ú²½¤µ¤ì¤ë°ÊÁ°¤Ë¥ë¡¼¥ë¤«¤éÀ¸À®¤µ¤ì¤¿Æ°Åª¥ë¡¼¥ë¤Ï¡¢
´ü¸ÂÀÚ¤ì¤È¤Ê¤ë¤Þ¤Ç¤Ï¤Þ¤À³èÆ°²Äǽ¤Ê¾õÂ֤Ǥ¹¡£
ưŪ¥ë¡¼¥ë¤òºï½ü¤¹¤ë¤¿¤á¤Ë¤Ï¡¢
¤½¤Î¥ë¡¼¥ë¤òÀ¸À®¤·¤¿¿Æ¥ë¡¼¥ë¤òÌÀ¼¨Åª¤Ëºï½ü¤·¤Ê¤±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó¡£
.Ed
.Pp
¥ë¡¼¥ë¤Î¥»¥Ã¥ÈÈÖ¹æ¤Ï¼¡¤Î¥³¥Þ¥ó¥É¤ÇÊѹ¹¤Ç¤¤Þ¤¹¡£
.Bd -ragged -offset indent
.Nm
.Cm set move
.Brq Cm rule Ar rule-number | old-set
.Cm to Ar new-set
.Ed
.Pp
¤Þ¤¿¡¢¼¡¤Î¥³¥Þ¥ó¥É¤ò»ÈÍѤ·¤Æ 2 ¤Ä¤Î¥ë¡¼¥ë¥»¥Ã¥È¤ò
¥¢¥È¥ß¥Ã¥¯¤ËÆþ¤ì´¹¤¨¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.Bd -ragged -offset indent
.Nm
.Cm set swap Ar first-set second-set
.Ed
.Pp
¥ë¡¼¥ë¤Î¥»¥Ã¥È¤Î»È¤¤Êý¤Î¤¤¤¯¤Ä¤«¤Ï¡¢
.Sx »ÈÍÑÎã
¥»¥¯¥·¥ç¥ó¤ò»²¾È¤·¤Æ²¼¤µ¤¤¡£
.Sh ¥¹¥Æ¡¼¥È¥Õ¥ë¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë
¥¹¥Æ¡¼¥È¥Õ¥ë¥ª¥Ú¥ì¡¼¥·¥ç¥ó¤Ï¡¢
Í¿¤¨¤é¤ì¤¿¥Ñ¥¿¡¼¥ó¤Ë¥Þ¥Ã¥Á¤¹¤ë¥Ñ¥±¥Ã¥È¤¬¸¡½Ð¤µ¤ì¤¿¤È¤¤Ë¡¢
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤¬ÆÃÄê¤Î¥Õ¥í¡¼¤Ë¤Ä¤¤¤Æ¤Î¥ë¡¼¥ë¤òưŪ¤Ë
ºîÀ®¤¹¤ë¤¿¤á¤ÎÊýË¡¤Ç¤¹¡£
¥¹¥Æ¡¼¥È¥Õ¥ë¥ª¥Ú¥ì¡¼¥·¥ç¥ó¤ËÂФ¹¤ë¥µ¥Ý¡¼¥È¤Ï
.Nm ¥ë¡¼¥ë
¤Î
.Cm check-state , keep-state, limit
¥ª¥×¥·¥ç¥ó¤òÄ̤¸¤ÆÄ󶡤µ¤ì¤Þ¤¹¡£
.Pp
ưŪ¥ë¡¼¥ë¤¬À¸À®¤µ¤ì¤ë¤Î¤Ï¡¢¥Ñ¥±¥Ã¥È¤¬
.Cm keep-state
¤ä
.Cm limit
¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¤È¤¤Ç¡¢¤½¤Î·ë²Ì¡¢
Í¿¤¨¤é¤ì¤¿
.Em protocol
¤ò»ý¤Á¡¢
.Em src-ip/src-port dst-ip/dst-port
¤Î¥¢¥É¥ì¥¹¤ÎÁȤδ֤Υѥ±¥Ã¥ÈÁ´¤Æ¤Î¤ß¤Ë¥Þ¥Ã¥Á¤¹¤ë
.Em ưŪ
¥ë¡¼¥ë¤¬À¸À®¤µ¤ì¤Þ¤¹ (
.Em src
¤È
.Em dst
¤Ï¤³¤³¤Ç¤ÏºÇ½é¤Ë¥Þ¥Ã¥Á¤·¤¿¥¢¥É¥ì¥¹¤ò¶èÊ̤¹¤ë¤¿¤á¤Ë¤Î¤ß
»ÈÍѤ·¤Æ¤¤¤Þ¤¹¡£¤½¤Î¸å¡¢Î¾¼Ô¤Ï´°Á´¤ËÅù²Á¤Ë¤Ê¤ê¤Þ¤¹)¡£
ưŪ¥ë¡¼¥ë¤ÏºÇ½é¤Ë
.Cm check-state, keep-state, limit
¤¬À¸¤¸¤¿¤È¤³¤í¤Ç¥Á¥§¥Ã¥¯¤µ¤ì¡¢
¥Þ¥Ã¥Á¤·¤¿ºÝ¤Ë¼Â¹Ô¤µ¤ì¤ë¥¢¥¯¥·¥ç¥ó¤Ï¿Æ¥ë¡¼¥ë¤ÈƱ¤¸¤â¤Î¤Ë¤Ê¤ê¤Þ¤¹¡£
.Pp
ưŪ¥ë¡¼¥ë¤Ç¤Ï¡¢¥×¥í¥È¥³¥ë¡¢IP ¥¢¥É¥ì¥¹¡¢¥Ý¡¼¥È°Ê³°¤Î
°À¤¬¥Á¥§¥Ã¥¯¤µ¤ì¤Ê¤¤¤³¤È¤ËÃí°Õ¤·¤Æ²¼¤µ¤¤¡£
.Pp
ưŪ¥ë¡¼¥ë¤Îŵ·¿Åª¤Ê»È¤¤Êý¤Ï¡¢
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ÎÀßÄê¤òÊĤ¸¤¿¾õÂ֤ˤ·¤Æ¤ª¤¤Ä¤Ä¡¢
ÆâÉô¥Í¥Ã¥È¥ï¡¼¥¯¤«¤é¤ÎºÇ½é¤Î TCP SYN ¥Ñ¥±¥Ã¥È¤Ë¡¢
¤½¤Î¥Õ¥í¡¼¤ËÂФ¹¤ëưŪ¥ë¡¼¥ë¤ò¥¤¥ó¥¹¥È¡¼¥ë¤µ¤»¡¢
¤½¤Î¥»¥Ã¥·¥ç¥ó¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤¬¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ò
Ä̲á¤Ç¤¤ë¤è¤¦¤Ë¤¹¤ë¤È¤¤¤¦¤â¤Î¤Ç¤¹¡£
.Pp
.Dl "ipfw add check-state"
.Dl "ipfw add allow tcp from my-subnet to any setup keep-state"
.Dl "ipfw add deny tcp from any to any"
.Pp
ƱÍͤʥ¢¥×¥í¡¼¥Á¤¬ UDP ¤ËÂФ·¤Æ¤â»È¤¨¤Þ¤¹¡£
ÆâÉô¤«¤éÍ褿 UDP ¥Ñ¥±¥Ã¥È¤ËưŪ¥ë¡¼¥ë¤ò¥¤¥ó¥¹¥È¡¼¥ë¤µ¤»¡¢
¤½¤Î±þÅú¤¬¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤òÄ̲᤹¤ë¤è¤¦¤Ë¤·¤Þ¤¹¡£
.Pp
.Dl "ipfw add check-state"
.Dl "ipfw add allow udp from my-subnet to any keep-state"
.Dl "ipfw add deny udp from any to any"
.Pp
ưŪ¥ë¡¼¥ë¤Ï¡¢¤¢¤ë»þ´Ö¤Î¸å¡¢´ü¸ÂÀÚ¤ì¤È¤Ê¤ê¤Þ¤¹¡£
¤½¤Î»þ´Ö¤Ï¡¢
¥Õ¥í¡¼¤Î¾õÂ֤Ȥ¤¤¯¤Ä¤«¤Î
.Cm sysctl
ÊÑ¿ô¤ÎÀßÄê¤Ë°Í¸¤·¤Þ¤¹¡£
¾ÜºÙ¤Ï¥»¥¯¥·¥ç¥ó
.Sx sysctl ÊÑ¿ô
¤ò»²¾È¤·¤Æ²¼¤µ¤¤¡£
TCP ¥»¥Ã¥·¥ç¥ó¤Ç¤Ï¡¢
ưŪ¥ë¡¼¥ë¤ËÂФ·¡¢Äê´üŪ¤Ë¥¡¼¥×¥¢¥é¥¤¥Ö¥Ñ¥±¥Ã¥È¤òÁ÷½Ð¤µ¤»¤ë¤è¤¦¤Ë
»Ø¼¨¤·¡¢´ü¸ÂÀÚ¤ì¤Ë¤Ê¤ëº¢¤Ë¥ë¡¼¥ë¤Î¾õÂÖ¤ò¥ê¥Õ¥ì¥Ã¥·¥å¤µ¤»¤ë¤³¤È¤¬
¤Ç¤¤Þ¤¹¡£
.Pp
ưŪ¥ë¡¼¥ë¤Î»ÈÍÑÊýË¡¤Ë´Ø¤¹¤ë¾¤ÎÎã¤Ï
¥»¥¯¥·¥ç¥ó
.Sx »ÈÍÑÎã
¤ò»²¾È¤·¤Æ²¼¤µ¤¤¡£
.Sh ¥È¥é¥Õ¥£¥Ã¥¯¥·¥§¥¤¥Ñ (DUMMYNET) ÀßÄê
.Nm
¤Ï¡¢
.Xr dummynet 4
¥È¥é¥Õ¥£¥Ã¥¯¥·¥§¥¤¥Ñ¤Ø¤Î¥æ¡¼¥¶¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤âÄ󶡤·¤Þ¤¹¡£
.Pp
.Nm dummynet
¤ÎÆ°ºî¤Ï¡¢¤Þ¤º¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤òÍѤ¤¤Æ¥Ñ¥±¥Ã¥È¤ò¥¯¥é¥¹Ê¬¤±¤·¡¢
¤½¤ì¤é¤ò
.Em ¥Õ¥í¡¼(flow)
¤Ëʬ³ä¤·¤Þ¤¹¡£¤½¤ÎºÝ¤Ë¡¢
.Nm
¥ë¡¼¥ë¤Ç»ÈÍѤǤ¤ëÇ¡²¿¤Ê¤ë¥Þ¥Ã¥Á¥Ñ¥¿¡¼¥ó¤ò¤â»ÈÍѤǤ¤Þ¤¹¡£
¥í¡¼¥«¥ë¥Ý¥ê¥·¤Ë¤è¤ê¡¢¥Õ¥í¡¼ 1 ¸Ä¤Ë TCP ¥³¥Í¥¯¥·¥ç¥ó 1 ¸Ä¤Î
¥Ñ¥±¥Ã¥È¤ò´Þ¤á¤ë¤³¤È¤â¤Ç¤¤Þ¤¹¤·¡¢»ØÄꤷ¤¿¥Û¥¹¥È¤Î¥Ñ¥±¥Ã¥È¤Ç¤â¡¢
¥µ¥Ö¥Í¥Ã¥ÈÁ´ÂΤΥѥ±¥Ã¥È¤Ç¤â¡¢¤¢¤ë¥×¥í¥È¥³¥ë¥¿¥¤¥×¤Î¥Ñ¥±¥Ã¥È¤Ç¤â
´Þ¤á¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.Pp
Ʊ°ì¤Î¥Õ¥í¡¼¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ï¡¢¤½¤Î¸å¡¢¥È¥é¥Õ¥£¥Ã¥¯¤Ø¤ÎÀ©¸Â¤ò
¼ÂÁõ¤¹¤ë 2¤Ä¤Î¥ª¥Ö¥¸¥§¥¯¥È¤Î¤¤¤º¤ì¤«°ìÊý¤ËÅϤµ¤ì¤Þ¤¹¡£
.Bl -hang -offset XXXX
.It Em pipe
¥Ñ¥¤¥× (pipe) ¤Ï¡¢»ØÄꤷ¤¿¥Ð¥ó¥ÉÉý¡¢ÅÁÈÂÃٱ䡢¥¥å¡¼¥µ¥¤¥º¡¢
¥Ñ¥±¥Ã¥È»¼ºÎ¨¤ò»ý¤Ä¥ê¥ó¥¯ 1 ¸Ä¤ò¥¨¥ß¥å¥ì¡¼¥È¤·¤Þ¤¹¡£
¥¯¥é¥¹Ê¬¤±¤ò¼õ¤±¤¿¸å¡¢¥Ñ¥±¥Ã¥È¤Ï¡¢¥Ñ¥¤¥×¤ËÆþ¤ëÁ°¤Ë¥¥å¡¼¤ËÃߤ¨¤é¤ì¡¢
¥Ñ¥¤¥×¤Î¥Ñ¥é¥á¡¼¥¿¤Ë½¾¤¤¥Ñ¥¤¥×Ãæ¤òÅÁÁ÷¤µ¤ì¤Þ¤¹¡£
.Pp
.It Em queue
¥¥å¡¼ (queue) ¤Ï¡¢WF2Q+ (Worst-case Fair Weighed Fair Queueing:
ºÇ°¶ÑÅù½Å¤ßÉÕ¤±¶ÑÅùÂÔ¤Á¹ÔÎó) ¥Ý¥ê¥·¤ò¼ÂÁõ¤¹¤ë¤¿¤á¤ËÍѤ¤¤ëÃê¾Ý²½¤Ç¤¹¡£
¤³¤Î¥Ý¥ê¥·¤Ï¡¢WFQ ¥Ý¥ê¥·¤Î¸úΨŪ¤ÊÊѼï¤Ç¤¹¡£
.br
¥¥å¡¼¤Ï
.Em ½Å¤ß (weight)
¤È¥Ñ¥¤¥×¤Î»²¾È¤ò¡¢¸Ä¡¹¤Î¥Õ¥í¡¼¤ËÂбþÉÕ¤±¤Þ¤¹¡£
Ʊ¤¸¥Ñ¥¤¥×¤Ë·ë¹ç¤µ¤ì¥Ð¥Ã¥¯¥í¥°¤ò»ý¤Ä (¥¥å¡¼¤Ë¥Ñ¥±¥Ã¥È¤¬¤¢¤ë)
¥Õ¥í¡¼Á´¤Æ¤Ç¡¢¤½¤ì¤¾¤ì¤Î½Å¤ß¤ËÈæÎ㤷¤Æ¤½¤Î¥Ñ¥¤¥×¤Î¥Ð¥ó¥ÉÉý¤ò
»³Ê¬¤±¤·¤Þ¤¹¡£
½Å¤ß¤ÏÍ¥ÀèÅ٤ǤϤʤ¤¤³¤È¤ËÃí°Õ¤·¤Æ²¼¤µ¤¤¡£Â礤¤½Å¤ß¤ò»ý¤Ä¥Õ¥í¡¼¤¬
¤º¤Ã¤È¥Ð¥Ã¥¯¥í¥°¤òÊú¤¨¤Æ¤¤¤¿¤È¤·¤Æ¤â¡¢¤½¤ì¤è¤ê·Ú¤¤½Å¤ß¤ò»ý¤Ä
¥Õ¥í¡¼¤â¡¢¥Ð¥ó¥ÉÉý¤ò¼«Ê¬¤Î³ä¹ç¤Îʬ¤ÏÆÀ¤ë¤³¤È¤ÏÊݾڤµ¤ì¤Þ¤¹¡£
.Pp
.El
¼ÂºÝ¤Î»È¤¤Êý¤È¤·¤Æ¡¢
.Em pipe
¤ò»È¤¤¡¢¥Õ¥í¡¼¤¬¼è¤êÆÀ¤ë¥Ð¥ó¥ÉÉý¤Ë¥Ï¡¼¥É¥ê¥ß¥Ã¥È¤òÀߤ±¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
°ìÊý¤Ç¡¢
.Em queue
¤ò»È¤¤¡¢°Û¤Ê¤ë¥Õ¥í¡¼¤¬¤É¤Î¤è¤¦¤Ë¤·¤ÆÍøÍѲÄǽ¤Ê¥Ð¥ó¥ÉÉý¤ò»³Ê¬¤±¤¹¤ë¤«¤ò
·èÄꤹ¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.Pp
.Em pipe
¤È
.Em queue
¤ÎÀßÄꥳ¥Þ¥ó¥É¤Ï¼¡¤ÎÄ̤ê¤Ç¤¹¡£
.Bd -ragged -offset indent
.Cm pipe Ar number Cm config Ar pipe-configuration
.Pp
.Cm queue Ar number Cm config Ar queue-configuration
.Ed
.Pp
¼¡¤Î¥Ñ¥é¥á¡¼¥¿¤ò¥Ñ¥¤¥×¤ËÂФ·¤ÆÀßÄê²Äǽ¤Ç¤¹¡£
.Pp
.Bl -tag -width indent -compact
.It Cm bw Ar bandwidth | device
¥Ð¥ó¥ÉÉý¤Ç¡¢Ã±°Ì¤Ï
.Sm off
.Op Cm K | M
.Brq Cm bit/s | Byte/s
.Sm on
¤Ç¤¹¡£
.Pp
ÃÍ 0 (¥Ç¥Õ¥©¥ë¥È) ¤Ï̵¸Â¤Î¥Ð¥ó¥ÉÉý¤ò°ÕÌ£¤·¤Þ¤¹¡£
ñ°Ì¤Ï¡¢¼¡¤Î
.Pp
.Dl "ipfw pipe 1 config bw 300Kbit/s"
.Pp
¤Î¤è¤¦¤Ë¡¢¿ôÃͤÎľ¸å¤Ë³¤±¤Æ½ñ¤¯É¬Íפ¬¤¢¤ê¤Þ¤¹¡£
¼¡¤Î
.Pp
.Dl "ipfw ipie 1 config bw tun0"
.Pp
¤Î¤è¤¦¤Ë¡¢¿ôÃͤÎÂå¤ê¤Ë¥Ç¥Ð¥¤¥¹Ì¾¤ò»ØÄꤷ¤¿¾ì¹ç¡¢
Á÷¿®¥¯¥í¥Ã¥¯¤Ï»ØÄꤷ¤¿¥Ç¥Ð¥¤¥¹¤«¤éÍ¿¤¨¤é¤ì¤Þ¤¹¡£
¸½ºß¤Î¤È¤³¤í¡¢
.Xr tun 4
¥Ç¥Ð¥¤¥¹¤Î¤ß¤¬¤³¤Îµ¡Ç½¤òÄ󶡤·¤Æ¤ª¤ê¡¢
.Xr ppp 8
¤ÈÁȤ߹ç¤ï¤»¤Æ»ÈÍѤ·¤Þ¤¹¡£
.Pp
.It Cm delay Ar ms-delay
ÅÁãÃÙ±ä»þ´Ö¤Ç¤¢¤ê¡¢¥ß¥êÉÃñ°Ì¤Ç»ØÄꤷ¤Þ¤¹¡£
Ãͤϡ¢¥¯¥í¥Ã¥¯¥Æ¥£¥Ã¥¯¤ÎÇÜ¿ô
(ŵ·¿Åª¤Ë¤Ï 10ms ¤Ç¤¹¤¬¡¢
¥«¡¼¥Í¥ë¤ò
.Dq "options HZ=1000"
¤ÇÆ°ºî¤µ¤»¤ÆÀºÅÙ¤ò 1ms ¤«¤½¤ì°Ê²¼¤Ë¤¹¤ë¤ÈÎɤ¤
¤³¤È¤¬·Ð¸³Åª¤ËÃΤé¤ì¤Æ¤¤¤Þ¤¹) ¤Ë´Ý¤á¤é¤ì¤Þ¤¹¡£
¥Ç¥Õ¥©¥ë¥ÈÃÍ¤Ï 0 ¤Ç¤¢¤ê¡¢ÃÙ±ä̵¤·¤ò°ÕÌ£¤·¤Þ¤¹¡£
.El
.Pp
¼¡¤Î¥Ñ¥é¥á¡¼¥¿¤ò¥¥å¡¼¤ËÂФ·¤ÆÀßÄê¤Ç¤¤Þ¤¹¡£
.Pp
.Bl -tag -width indent -compact
.It Cm pipe Ar pipe_nr
¥¥å¡¼¤ò»ØÄꤷ¤¿¥Ñ¥¤¥×¤ËÀܳ¤·¤Þ¤¹¡£
Ê£¿ô¤Î¥¥å¡¼
(Ʊ¤¸½Å¤ß¤Î¾ì¹ç¤â°Û¤Ê¤ë½Å¤ß¤Î¾ì¹ç¤â¤¢¤ê¤Þ¤¹)
¤òƱ°ì¤Î¥Ñ¥¤¥×¤ËÀܳ¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
¥Ñ¥¤¥×¤Ï¥¥å¡¼¤Î½¸¹ç¤ËÂФ¹¤ë½¸Ì󤵤줿¥ì¡¼¥È¤ò»ØÄꤷ¤Þ¤¹¡£
.Pp
.It Cm weight Ar weight
¤³¤Î¥¥å¡¼¤Ë¥Þ¥Ã¥Á¤¹¤ë¥Õ¥í¡¼¤ËŬÍѤ¹¤ë½Å¤ß¤ò»ØÄꤷ¤Þ¤¹¡£
½Å¤ß¤Ï 1 ¤«¤é 100 ¤ÎÈϰϤǤʤ±¤ì¤Ð¤Ê¤é¤º¡¢
¥Ç¥Õ¥©¥ë¥È¤Ï 1 ¤Ç¤¹¡£
.El
.Pp
ºÇ¸å¤Ë¡¢¼¡¤Î¥Ñ¥é¥á¡¼¥¿¤ò¥Ñ¥¤¥×¤ä¥¥å¡¼¤ËÂФ·¤ÆÀßÄê¤Ç¤¤Þ¤¹¡£
.Pp
.Bl -tag -width XXXX -compact
.Pp
.It Cm buckets Ar hash-table-size
ÍÍ¡¹¤Ê¥¥å¡¼¤ò³ÊǼ¤¹¤ë¥Ï¥Ã¥·¥åɽ¤Î¥µ¥¤¥º¤ò»ØÄꤷ¤Þ¤¹¡£
¥Ç¥Õ¥©¥ë¥È¤Ï 64 ¤Ç¡¢
.Xr sysctl 8
ÊÑ¿ô
.Em net.inet.ip.dummynet.hash_size
¤Ë¤è¤Ã¤ÆÀ©¸æ¤µ¤ì¤Þ¤¹¡£
»ØÄê²Äǽ¤ÊÈÏ°Ï¤Ï 16 ¤«¤é 65536 ¤Þ¤Ç¤Ç¤¹¡£
.Pp
.It Cm mask Ar mask-specifier
.Nm
¥ë¡¼¥ë¤Ë¤è¤ê
»ØÄꤷ¤¿¥Ñ¥¤¥×¤â¤·¤¯¤Ï¥¥å¡¼¤ËÂФ·¤ÆÁ÷¤é¤ì¤¿¥Ñ¥±¥Ã¥È¤ò¡¢¤µ¤é¤Ë
Ê£¿ô¤Î¥Õ¥í¡¼¤Ë¥¯¥é¥¹Ê¬¤±¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£¤½¤Î¸å¡¢¤½¤ì¤¾¤ì¤Î
¥Ñ¥±¥Ã¥È¤Ï¡¢°Û¤Ê¤ë
.Em ưŪ¤Ê
¥Ñ¥¤¥×¤â¤·¤¯¤Ï¥¥å¡¼¤ËÁ÷¤é¤ì¤Þ¤¹¡£
¥Õ¥í¡¼¼±Ê̻Ҥϡ¢¥Ñ¥¤¥×¤â¤·¤¯¤Ï¥¥å¡¼¤ÎÀßÄêÃæ¤Î
.Cm mask
¥ª¥×¥·¥ç¥ó¤Î»ØÄê¤Ë±þ¤¸¤Æ
IP ¥¢¥É¥ì¥¹¡¢¥Ý¡¼¥È¡¢¥×¥í¥È¥³¥ë¥¿¥¤¥×¤ò¥Þ¥¹¥¯¤¹¤ë¤³¤È¤Ë¤è¤ê
¹½ÃÛ¤µ¤ì¤Þ¤¹¡£
°Û¤Ê¤ë¥Õ¥í¡¼¼±Ê̻Ҥ½¤ì¤¾¤ì¤ËÂФ·¡¢¿·¤·¤¤¥Ñ¥¤¥×¤â¤·¤¯¤Ï¥¥å¡¼¤¬
¸µ¤È¤Ê¤ë¥ª¥Ö¥¸¥§¥¯¥È¤ÈƱ°ì¤Î¥Ñ¥é¥á¡¼¥¿¤È¤È¤â¤ËÀ¸À®¤µ¤ì¡¢
¥Þ¥Ã¥Á¤¹¤ë¥Ñ¥±¥Ã¥È¤¬¤½¤³¤ËÁ÷¤é¤ì¤Þ¤¹¡£
.Pp
¤³¤Î¤è¤¦¤Ë¤·¤Æ¡¢
.Em ưŪ¥Ñ¥¤¥×
¤ò»ÈÍѤ¹¤ë¤È¤¡¢¥Õ¥í¡¼¤½¤ì¤¾¤ì¤Ï¥Ñ¥¤¥×¤Ç»ØÄꤷ¤¿¤â¤Î¤È
Ʊ¤¸¥Ð¥ó¥ÉÉý¤òÆÀ¤Þ¤¹¡£°ìÊý¡¢
.Em ưŪ¥¥å¡¼
¤ò»ÈÍѤ¹¤ë»þ¡¢¥Õ¥í¡¼¤½¤ì¤¾¤ì¤Ï¡¢Æ±¤¸¥¥å¡¼¤Ë¤è¤êÀ¸À®¤µ¤ì¤¿
¾¤Î¥Õ¥í¡¼¤È¡¢¿Æ¥Ñ¥¤¥×¤Î¥Ð¥ó¥ÉÉý¤ò¶ÑÅù¤Ë»³Ê¬¤±¤·¤Þ¤¹ (°Û¤Ê¤ë½Å¤ß¤ò
»ý¤Ä¾¤Î¥¥å¡¼¤¬Æ±¤¸¥Ñ¥¤¥×¤ËÀܳ¤µ¤ì¤ë¾ì¹ç¤¬¤¢¤ë¤³¤È¤Ë
Ãí°Õ¤·¤Æ²¼¤µ¤¤)¡£
.br
»ÈÍѲÄǽ¤Ê¥Þ¥¹¥¯»ØÄê»Ò¤Ï¡¢¼¡¤òÁȤ߹ç¤ï¤»¤¿¤â¤Î¤Ç¤¹¡£
.Pp
.Cm dst-ip Ar mask ,
.Cm src-ip Ar mask ,
.Cm dst-port Ar mask ,
.Cm src-port Ar mask ,
.Cm proto Ar mask ,
.Cm all
.Pp
ºÇ¸å¤Î»ØÄê»Ò¤Ï¡¢
¤¹¤Ù¤Æ¤Î¥Õ¥£¡¼¥ë¥É¤Î¤¹¤Ù¤Æ¤Î¥Ó¥Ã¥È¤¬¸¡ºº¤µ¤ì¤ë¤³¤È¤ò°ÕÌ£¤·¤Æ¤¤¤Þ¤¹¡£
.Pp
.It Cm noerror
¥Ñ¥±¥Ã¥È¤¬ dummynet ¤Î¥¥å¡¼¤ä¥Ñ¥¤¥×¤Ë¤è¤Ã¤ÆÍ¤ì¤¿¤È¤¡¢
Ä̾ï¤Ï¡¢
¥Ç¥Ð¥¤¥¹¥¥å¡¼¤¬°ìÇդˤʤ俤Ȥ¤ËÀ¸¤¸¤ë¤Î¤ÈƱÍͤʷÁ¤Ç¡¢
¥¨¥é¡¼¤¬¥«¡¼¥Í¥ëÆâ¤Î¸Æ¤Ó½Ð¤·¸µ¥ë¡¼¥Á¥ó¤ËÊó¹ð¤µ¤ì¤Þ¤¹¡£
¤³¤Î¥ª¥×¥·¥ç¥ó¤òÀßÄꤹ¤ë¤È¡¢
¥Ñ¥±¥Ã¥È¤ÎÇÛÁ÷¤ËÀ®¸ù¤·¤¿¤«¤Î¤è¤¦¤ËÊó¹ð¤µ¤ì¤Þ¤¹¡£
¤³¤ì¤Ï¡¢
±ó³ÖÃϤˤ¢¤ë¥ë¡¼¥¿¤Ç¤Î»¼º¤äíÕíÔ¤ò¥·¥ß¥å¥ì¡¼¥È¤·¤¿¤¤¤È¤¤¤¦
°ìÉô¤Î¼Â¸³Åª¤ÊÀßÄê¤Î¤¿¤á¤ËɬÍפȤµ¤ì¤Æ¤¤¤Þ¤¹¡£
.Pp
.It Cm plr Ar packet-loss-rate
¥Ñ¥±¥Ã¥È¤Î»¼ºÎ¨¤Ç¤¹¡£
°ú¿ô
.Ar packet-loss-rate
¤Ï 0 ¤«¤é 1 ¤Þ¤Ç¤ÎÉâÆ°¾®¿ôÅÀ¿ô¤Ç¡¢
0 ¤Ï»¼º¤¬¤Ê¤¤¤³¤È¤ò¡¢1 ¤Ï 100% ¼º¤ï¤ì¤ë¤³¤È¤ò°ÕÌ£¤·¤Þ¤¹¡£
»¼ºÎ¨¤ÏÆâÉôŪ¤Ë¤Ï 31 ¥Ó¥Ã¥È¤Çɽ¸½¤µ¤ì¤Æ¤¤¤Þ¤¹¡£
.Pp
.It Cm queue Brq Ar slots | size Ns Cm Kbytes
¥¹¥í¥Ã¥È¿ô
.Ar slots
¤Þ¤¿¤Ï
.Cm KBytes
¤Çɽ¤·¤¿¥¥å¡¼¤Î¥µ¥¤¥º¤Ç¤¹¡£
¥Ç¥Õ¥©¥ë¥È¤Ï 50 ¥¹¥í¥Ã¥È¤Ç¡¢
¤³¤ì¤Ï¥¤¡¼¥µ¥Í¥Ã¥È¥Ç¥Ð¥¤¥¹¤Ë¤ª¤±¤ëŵ·¿Åª¤Ê¥¥å¡¼¤Î¥µ¥¤¥º¤Ç¤¹¡£
Ä㮥ê¥ó¥¯¤Î¤¿¤á¤Ë¥¥å¡¼¤Î¥µ¥¤¥º¤ò¾®¤µ¤¤¤Þ¤Þ¤Ë¤·¤Æ¤ª¤¯¤³¤È¤¬¿ä¾©¤µ¤ì¤Þ¤¹¡£
¤½¤¦¤·¤Ê¤¤¤È¥¥å¡¼¤ÎÃٱ䤬¥È¥é¥Õ¥£¥Ã¥¯¤ËµÚ¤Ü¤¹±Æ¶Á¤¬
Ãø¤·¤¯¤Ê¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¡£
Î㤨¤Ð¡¢ºÇÂ祵¥¤¥º¤Î¥¤¡¼¥µ¥Í¥Ã¥È¥Ñ¥±¥Ã¥È (1500 ¥Ð¥¤¥È) ¤¬ 50 ¸Ä¤Î¤È¤¡¢
600Kbit¡¢ ¤Ä¤Þ¤ê 30Kbit/Éà ¤Î¥Ñ¥¤¥×¤Ç 20 ÉäȤ¤¤¦¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£
¤½¤ì¤è¤ê¤â¤º¤Ã¤ÈÂç¤¤Ê MTU ¤ò»ý¤Ã¤¿¥¤¥ó¥¿¥Õ¥§¡¼¥¹
(Î㤨¤Ð¥ë¡¼¥×¥Ð¥Ã¥¯¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤Ï 16KB ¥Ñ¥±¥Ã¥È¤Ç¤¹)
¤«¤é¥Ñ¥±¥Ã¥È¤ò¼õ¤±¼è¤ë¾ì¹ç¡¢¤µ¤é¤Ë°¤¤·ë²Ì¤È¤Ê¤ë¤³¤È¤¬¤¢¤ê¤Þ¤¹¡£
.Pp
.It Cm red | gred Ar w_q Ns / Ns Ar min_th Ns / Ns Ar max_th Ns / Ns Ar max_p
RED (Random Early Detection) ¥¥å¡¼´ÉÍý¥¢¥ë¥´¥ê¥º¥à¤ò»ÈÍѤ·¤Þ¤¹¡£
.Ar w_q
¤È
.Ar max_p
¤Ï 0 ¤«¤é 1 (0 ¤ò´Þ¤ß¤Þ¤»¤ó) ¤ÎÈϰϤÎÉâÆ°¾®¿ôÅÀ¿ô¤Ç¤¢¤ê¡¢
.Ar min_th
¤È
.Ar max_th
¤Ï¥¥å¡¼´ÉÍýÍѤÎïçÃͤò»ØÄꤹ¤ëÀ°¿ô¤Ç¤¹
(¥¥å¡¼¤¬¥Ð¥¤¥È¿ô¤Ç»ØÄꤵ¤ì¤¿¾ì¹ç¤ÏïçÃͤϥХ¤¥È¤Ç·×»»¤µ¤ì¡¢
¤½¤¦¤Ç¤Ê¤¤¾ì¹ç¤Ï¥¹¥í¥Ã¥È¿ô¤Ç·×»»¤µ¤ì¤Þ¤¹)¡£
.Xr dummynet 4
¤Ï¡¢gentle RED ¤È¤¤¤¦ÊÑ·¿ (gred) ¤â¥µ¥Ý¡¼¥È¤·¤Þ¤¹¡£
RED ¤ÎÆ°ºî¤òÀ©¸æ¤¹¤ë¤¿¤á¤Ë¡¢3 ¸Ä¤Î
.Xr sysctl 8
ÊÑ¿ô¤ò»ÈÍѲÄǽ¤Ç¤¹¡£
.Bl -tag -width indent
.It Em net.inet.ip.dummynet.red_lookup_depth
¥ê¥ó¥¯¤¬¥¢¥¤¥É¥ë¤Î»þ¤Î¡¢Ê¿¶Ñ¥¥å¡¼¤Î·×»»ÀºÅÙ¤ò»ØÄꤷ¤Þ¤¹
(¥Ç¥Õ¥©¥ë¥È¤Ï 256 ¤Ç¤¢¤ê¡¢0 ¤è¤êÂ礤¤É¬Íפ¬¤¢¤ê¤Þ¤¹)
.It Em net.inet.ip.dummynet.red_avg_pkt_size
¥Ñ¥±¥Ã¥È¥µ¥¤¥º¤ÎÊ¿¶Ñ¤Î´üÂÔÃͤò»ØÄꤷ¤Þ¤¹
(¥Ç¥Õ¥©¥ë¥È¤Ï 512 ¤Ç¤¢¤ê¡¢0 ¤è¤êÂ礤¤É¬Íפ¬¤¢¤ê¤Þ¤¹)
.It Em net.inet.ip.dummynet.red_max_pkt_size
¥Ñ¥±¥Ã¥È¥µ¥¤¥º¤ÎºÇÂçÃͤδüÂÔÃͤò»ØÄꤷ¤Þ¤¹¡£
¥¥å¡¼¤ÎïçÃͤ¬¥Ð¥¤¥È¤Î¾ì¹ç¤Î¤ß»ÈÍѤµ¤ì¤Þ¤¹
(¥Ç¥Õ¥©¥ë¥È¤Ï 1500 ¤Ç¤¢¤ê¡¢0 ¤è¤êÂ礤¤É¬Íפ¬¤¢¤ê¤Þ¤¹)
.El
.El
.Sh ¥Á¥§¥Ã¥¯¥ê¥¹¥È
¥ë¡¼¥ë¤ò¹½À®¤¹¤ëºÝ¤Ë¹Íθ¤¹¤Ù¤½ÅÍפÊÅÀ¤ò¤¤¤¯¤Ä¤«½Ò¤Ù¤Þ¤¹¡£
.Bl -bullet
.It
¤«¤Ê¤é¤ºÁ÷¿®¥Ñ¥±¥Ã¥È¤È¼õ¿®¥Ñ¥±¥Ã¥È¤ÎξÊý¤Î¥Ñ¥±¥Ã¥È¤ò¥Õ¥£¥ë¥¿¥ê¥ó¥°¤·¤Þ¤¹¡£
¤Û¤È¤ó¤É¤Î¥Í¥Ã¥È¥ï¡¼¥¯¥³¥Í¥¯¥·¥ç¥ó¤Ç¤Ï¥Ñ¥±¥Ã¥È¤¬ÁÐÊý¸þ¤Ëή¤ì¤ë¤³¤È¤¬É¬ÍפǤ¹¡£
.It
¥Æ¥¹¥È¤ÏºÙ¿´¤ÎÃí°Õ¤òʧ¤Ã¤Æ¹Ô¤Ê¤¤¤Þ¤¹¡£¥Æ¥¹¥È¤ÎºÝ¤Ë¤Ï¥³¥ó¥½¡¼¥ë¤Î¶á¤¯¤Ë¤¤¤ë
¤Î¤¬¤è¤¤¤Ç¤·¤ç¤¦¡£
¥³¥ó¥½¡¼¥ë¤Ë¶á´ó¤ì¤Ê¤¤¾ì¹ç¡¢
.Pa /usr/share/examples/ipfw/change_rules.sh
¤Ë¤¢¤ë¤è¤¦¤Ê¼«Æ°²óÉü¥¹¥¯¥ê¥×¥È¤ò»ÈÍѤ·¤Æ¤¯¤À¤µ¤¤¡£
.It
¥ë¡¼¥×¥Ð¥Ã¥¯¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤Î¤³¤È¤ò˺¤ì¤Æ¤Ï¤Ê¤ê¤Þ¤»¤ó¡£
.El
.Sh ºÙ¤«¤¤»öÊÁ
.Bl -bullet
.It
¥Õ¥é¥°¥á¥ó¥È²½¤µ¤ì¤¿¥Ç¡¼¥¿¥°¥é¥à¤¬Ìµ¾ò·ï¤ÇÇË´þ¤µ¤ì¤ë¾õ¶·¤¬¤¢¤ê¤Þ¤¹¡£
TCP ¥Ñ¥±¥Ã¥È¤Ï¡¢ºÇÄã 20 ¥Ð¥¤¥È¤Î TCP ¥Ø¥Ã¥À¤ò´Þ¤Þ¤Ê¤¤¾ì¹ç¡¢ÇË´þ¤µ¤ì¤Þ¤¹¡£
UDP ¥Ñ¥±¥Ã¥È¤Ï¡¢´°Á´¤Ê 8 ¥Ð¥¤¥È¤Î UDP ¥Ø¥Ã¥À¤ò´Þ¤Þ¤Ê¤¤¾ì¹ç¡¢ÇË´þ¤µ¤ì¤Þ¤¹¡£
ICMP ¥Ñ¥±¥Ã¥È¤Ï¡¢4 ¥Ð¥¤¥È¤Î ICMP ¥Ø¥Ã¥À¡¢
¤¹¤Ê¤ï¤Á ICMP ¥¿¥¤¥×¤È¥³¡¼¥É¤È¥Á¥§¥Ã¥¯¥µ¥à¤ò´Þ¤Þ¤Ê¤¤¾ì¹ç¡¢ÇË´þ¤µ¤ì¤Þ¤¹¡£
¤³¤ì¤é¤Î¥Ñ¥±¥Ã¥È¤Ï¡¢Ã±¤Ë
.Dq pullup failed
¤È¤·¤Æ¥í¥°¤µ¤ì¤Þ¤¹¡£
²¿¸Î¤Ê¤é¡¢¥Ñ¥±¥Ã¥ÈÃæ¤ËÍ°Õ¤Ê¥í¥°¥¨¥ó¥È¥ê¤òÀ¸À®¤¹¤ë¤À¤±¤ÎÍÍѤʥǡ¼¥¿¤¬
´Þ¤Þ¤ì¤Ê¤¤¤«¤â¤·¤ì¤Ê¤¤¤¿¤á¤Ç¤¹¡£
.It
̵¾ò·ï¤ÇÇË´þ¤µ¤ì¤ë¤â¤¦ 1 ¼ïÎà¤Î¥Ñ¥±¥Ã¥È¤Ï¡¢
¥Õ¥é¥°¥á¥ó¥È¥ª¥Õ¥»¥Ã¥È¤¬ 1 ¤Î TCP ¥Ñ¥±¥Ã¥È¥Õ¥é¥°¥á¥ó¥È¤Ç¤¹¡£
¤³¤ì¤Ï¥Ñ¥±¥Ã¥È¤È¤·¤Æ¤Ï͸ú¤Ê¤â¤Î¤Ç¤¹¤¬¡¢ÍøÍÑÌÜŪ¤Ï¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ò
¤«¤¤¤¯¤°¤ë¤³¤È¤·¤«¤¢¤ê¤Þ¤»¤ó¡£
¥í¥°¤¬Í¸ú¤Ê¾ì¹ç¡¢
¤³¤ì¤é¤Î¥Ñ¥±¥Ã¥È¤Ï¥ë¡¼¥ë -1 ¤Ë¤è¤êÇË´þ¤µ¤ì¤¿¤ÈÊó¹ð¤µ¤ì¤Þ¤¹¡£
.It
¥Í¥Ã¥È¥ï¡¼¥¯±Û¤·¤Ë¥í¥°¥¤¥ó¤·¤Æ¤¤¤ë¾ì¹ç¡¢
.Xr kld 4
¥Ð¡¼¥¸¥ç¥ó¤Î
.Nm
¤ò¥í¡¼¥É¤¹¤ë¤³¤È¤Ï¤½¤ì¤Û¤Éñ½ã¤Ê¤³¤È¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¡£
°Ê²¼¤Î¥³¥Þ¥ó¥É¤ò¾©¤á¤Þ¤¹¡£
.Bd -literal -offset indent
kldload ipfw && \e
ipfw add 32000 allow ip from any to any
.Ed
.Pp
¤³¤ì¤Ë°ú³¤¡¢Æ±¤¸¤è¤¦¤Ê¾õ¶·¤Ç
.Bd -literal -offset indent
ipfw flush
.Ed
.Pp
¤È¤¹¤ë¤Î¤ÏÎɤ¯¤¢¤ê¤Þ¤»¤ó¡£
.It
¥·¥¹¥Æ¥à¥»¥¥å¥ê¥Æ¥£¥ì¥Ù¥ë¤¬ 3 °Ê¾å¤ËÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢
.Nm
¥Õ¥£¥ë¥¿¥ê¥¹¥È¤òÊѹ¹¤Ç¤¤Þ¤»¤ó (¥·¥¹¥Æ¥à¥»¥¥å¥ê¥Æ¥£¥ì¥Ù¥ë¤Ë¤Ä¤¤¤Æ¤Ï
.Xr init 8
¤ò»²¾È¤·¤Æ¤¯¤À¤µ¤¤)¡£
.El
.Sh ¥Ñ¥±¥Ã¥È¤Î¹Ô¤ÀèÊѹ¹
»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Ë¥Ð¥¤¥ó¥É¤µ¤ì¤¿
.Xr divert 4
¥½¥±¥Ã¥È¤Ï¡¢
¤½¤Î¥Ý¡¼¥È¤Ø¹Ô¤ÀèÊѹ¹¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ò¡¢
Á´Éô¼õ¤±¤È¤ê¤Þ¤¹¡£
°¸Àè¥Ý¡¼¥È¤Ë¥Ð¥¤¥ó¥É¤µ¤ì¤¿¥½¥±¥Ã¥È¤¬¤Ê¤¤¾ì¹ç¤ä¡¢
¥«¡¼¥Í¥ë¤¬¥Ñ¥±¥Ã¥È¤Î¹Ô¤ÀèÊѹ¹¥½¥±¥Ã¥È¤ò¥µ¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¤Ï
¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢
¥Ñ¥±¥Ã¥È¤ÏÇË´þ¤µ¤ì¤Þ¤¹¡£
.Sh SYSCTL ÊÑ¿ô
.Xr sysctl 8
ÊÑ¿ô¤Î½¸¹ç¤Ï¡¢¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤È
´ØÏ¢¤¹¤ë¥â¥¸¥å¡¼¥ë (
.Nm dummynet, bridge
) ¤ÎÆ°ºî¤òÀ©¸æ¤·¤Þ¤¹¡£
¥Ç¥Õ¥©¥ë¥ÈÃͤȰÕÌ£¤È¶¦¤Ë¡¢¤³¤ì¤é¤ò°Ê²¼¤ËÎóµó¤·¤Þ¤¹
(¤É¤ÎÃͤ¬¼ÂºÝ¤Ë»ÈÍѤµ¤ì¤ë¤«¤Ï
.Xr sysctl 8
¤Ç³Îǧ¤·¤Æ¤¯¤À¤µ¤¤)¡£
.Bl -tag -width indent
.It Em net.inet.ip.dummynet.expire : No 1
̤½èÍý¤Î¥È¥é¥Õ¥£¥Ã¥¯¤ò»ý¤¿¤Ê¤¤Æ°Åª¥Ñ¥¤¥×/¥¥å¡¼¤òÂÕÂƤ˺ï½ü¤·¤Þ¤¹¡£
¤³¤ÎÊÑ¿ô¤ò 0 ¤ËÀßÄꤹ¤ë¤³¤È¤Ç¤³¤ÎÆ°ºî¤ò̵¸ú¤Ë¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
¤³¤Î¾ì¹ç¡¢¥Ñ¥¤¥×/¥¥å¡¼¤ÏïçÃͤË㤷¤¿¾ì¹ç¤Ë¤Î¤ßºï½ü¤µ¤ì¤ë¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£
.It Em net.inet.ip.dummynet.hash_size : No 64
ưŪ¥Ñ¥¤¥×/¥¥å¡¼¤Ë»ÈÍѤµ¤ì¤ë¥Ï¥Ã¥·¥åɽ¤Î¥Ç¥Õ¥©¥ë¥È¤ÎÂ礤µ¤Ç¤¹¡£
¤³¤ÎÃͤϥѥ¤¥×/¥¥å¡¼¤òÀßÄꤹ¤ë¤È¤¤Ë
.Cm buckets
¥ª¥×¥·¥ç¥ó¤¬»ØÄꤵ¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¤Ë»ÈÍѤµ¤ì¤Þ¤¹¡£
.It Em net.inet.ip.dummynet.max_chain_len : No 16
¥Ï¥Ã¥·¥å¥Ð¥±¥Ã¥È (hash bucket) Æâ¤Î¥Ñ¥¤¥×/¥¥å¡¼¤ÎºÇÂç¸Ä¿ô¤ÎÃͤǤ¹¡£
.Cm net.inet.ip.dummynet.expire=0
¤Ç¤¢¤Ã¤Æ¤â¡¢ÀÑ
.Cm max_chain_len*hash_size
¤¬¶õ¤Î¥Ñ¥¤¥×/¥¥å¡¼¤¬´ü¸ÂÀÚ¤ì¤Ë¤Ê¤Ã¤¿¤È¤¹¤ëïçÃͤò·èÄꤹ¤ë¤Î¤Ë»ÈÍѤµ¤ì¤Þ¤¹¡£
.It Em net.inet.ip.dummynet.red_lookup_depth : No 256
.It Em net.inet.ip.dummynet.red_avg_pkt_size : No 512
.It Em net.inet.ip.dummynet.red_max_pkt_size : No 1500
RED ¥¢¥ë¥´¥ê¥º¥à¤Ç»È¤¦Â»¼º³ÎΨ¤Î·×»»¤Ë»ÈÍѤµ¤ì¤ë¥Ñ¥é¥á¡¼¥¿¤Ç¤¹¡£
.It Em net.inet.ip.fw.autoinc_step : No 100
¥ë¡¼¥ëÈÖ¹æ¤ò¼«Æ°À¸À®¤¹¤ëºÝ¤Î¥ë¡¼¥ëÈÖ¹æ´Ö¤ÎÁýʬ¤Ç¤¹¡£
¤³¤ÎÃÍ¤Ï 1 ¤«¤é 1000 ¤ÎÈϰϤǤʤ±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó¡£
¤³¤ÎÊÑ¿ô¤Ï
.Nm ipfw2
¤Ë¤Î¤ß¸ºß¤·¡¢
.Nm ipfw1
¤Ç¤Ïº¹Ê¬¤Ï 100 ¤Ë¸ÇÄꤵ¤ì¤Æ¤¤¤Þ¤¹¡£
.It Em net.inet.ip.fw.curr_dyn_buckets : Em net.inet.ip.fw.dyn_buckets
ưŪ¥ë¡¼¥ë¤Î¥Ï¥Ã¥·¥åɽÆâ¤Î¸½ºß¤Î¥Ð¥±¥Ã¥È¤Î¸Ä¿ô¤Ç¤¹ (Æɤ߽Ф·¤Î¤ß²Äǽ)¡£
.It Em net.inet.ip.fw.debug : No 1
.Nm
¤¬À¸À®¤¹¤ë¥Ç¥Ð¥Ã¥°¥á¥Ã¥»¡¼¥¸¤òÀ©¸æ¤·¤Þ¤¹¡£
.It Em net.inet.ip.fw.dyn_buckets : No 256
ưŪ¥ë¡¼¥ë¤Ç»ÈÍѤµ¤ì¤ë¥Ï¥Ã¥·¥åɽ¤Ë´Þ¤Þ¤ì¤ë¥Ð¥±¥Ã¥È¤Î¸Ä¿ô¤Ç¤¹¡£
2 ¤ÎÎß¾è¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤º¡¢¾å¸Â¤Ï 65536 ¤Ç¤¹¡£
Á´¤Æ¤ÎưŪ¥ë¡¼¥ë¤¬´ü¸ÂÀÚ¤ì¤È¤Ê¤Ã¤¿¤È¤¤Ë¤Î¤ß¸ú²Ì¤¬¸½¤ì¤ë¤Î¤Ç¡¢
³Î¼Â¤Ë¥Ï¥Ã¥·¥åɽ¤Î¥µ¥¤¥º¤¬Êѹ¹¤µ¤ì¤ë¤è¤¦¤Ë¤¹¤ë¤Ë¤Ï
.Cm flush
¥³¥Þ¥ó¥É¤ò»ÈÍѤ¹¤ë¤Ù¤¤Ç¤·¤ç¤¦¡£
.It Em net.inet.ip.fw.dyn_count : No 3
¸½ºß¤ÎưŪ¥ë¡¼¥ë¤Î¿ô¤Ç¤¹
(Æɤ߹þ¤ßÀìÍÑ)¡£
.It Em net.inet.ip.fw.dyn_keepalive : No 1
TCP ¥»¥Ã¥·¥ç¥ó¤Ë¤ª¤¤¤Æ
.Cm keep-state
¥ë¡¼¥ë¤Î¤¿¤á¤Î¥¡¼¥×¥¢¥é¥¤¥Ö¥Ñ¥±¥Ã¥È¤òÀ¸À®¤¹¤ë¤è¤¦¤Ë¤·¤Þ¤¹¡£
¥¡¼¥×¥¢¥é¥¤¥Ö¥Ñ¥±¥Ã¥È¤Ï
¥ë¡¼¥ë¤ÎÀ¸Â¸»þ´Ö¤¬»Ä¤ê 20 ÉäȤʤ俤Ȥ¤Ë
Àܳ¤Îξü¤Ë¸þ¤±¤Æ 5 ÉÃËè¤Ë
À¸À®¤µ¤ì¤Þ¤¹¡£
.It Em net.inet.ip.fw.dyn_max : No 8192
ưŪ¥ë¡¼¥ë¤ÎºÇÂçÃͤǤ¹¡£¤³¤Î¸Â³¦¤Ë¤¤¤¤Ä¤¯¤È¡¢
¸Å¤¤¥ë¡¼¥ë¤¬Ìµ¸ú¤Ë¤Ê¤ë¤Þ¤Ç¤Ï¡¢¤½¤ì°Ê¾å¡¢Æ°Åª¥ë¡¼¥ë¤ò
ÁȤ߹þ¤à¤³¤È¤Ï¤Ç¤¤Þ¤»¤ó¡£
.It Em net.inet.ip.fw.dyn_ack_lifetime : No 300
.It Em net.inet.ip.fw.dyn_syn_lifetime : No 20
.It Em net.inet.ip.fw.dyn_fin_lifetime : No 1
.It Em net.inet.ip.fw.dyn_rst_lifetime : No 1
.It Em net.inet.ip.fw.dyn_udp_lifetime : No 5
.It Em net.inet.ip.fw.dyn_short_lifetime : No 30
¤³¤ì¤é¤ÎÃͤϡ¢Æ°Åª¥ë¡¼¥ë¤ÎÀ¸Â¸»þ´Ö¤òÉÃñ°Ì¤Ç¥³¥ó¥È¥í¡¼¥ë¤·¤Þ¤¹¡£
ºÇ½é¤Î SYN ¸ò´¹¤ÎºÝ¤Ë¤ÏÀ¸Â¸»þ´Ö¤¬Ã»´ü (short) ¤Ë¤Ê¤ê¡¢
¤½¤Î¸å¸ß¤¤¤Î SYN ¤¬¸¡½Ð¤µ¤ì¤¿¸å¤ÏÁý²Ã¤µ¤»¤é¤ì¡¢
ºÇ¸å¤Î FIN ¸ò´¹¤Î´Ö¡¢
¤Þ¤¿¤Ï RST ¤ò¼õ¿®¤·¤¿ºÝ¤ËºÆ¤Ó¸º¤é¤µ¤ì¤Þ¤¹¡£
.Em dyn_fin_lifetime
¤ª¤è¤Ó
.Em dyn_rst_lifetime
¤Ï¸·Ì©¤Ë 5 Éà (¥¡¼¥×¥¢¥é¥¤¥Ö¤ò·«¤êÊÖ¤¹¼þ´ü) ¤è¤êû¤¯¤Ê¤±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó¡£
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Ç¤Ï¤³¤ì¤¬¶¯À©¤µ¤ì¤Þ¤¹¡£
.It Em net.inet.ip.fw.enable : No 1
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ò͸ú¤Ë¤·¤Þ¤¹¡£
¤³¤ÎÊÑ¿ô¤ò 0 ¤ËÀßÄꤹ¤ë¤È¡¢
¥Þ¥·¥ó¤¬¥³¥ó¥Ñ¥¤¥ë»þ¤Ë͸ú¤ÎÀßÄ꤬¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ç¤¢¤Ã¤Æ¤â¡¢
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤¬¤Ê¤¤¾õÂ֤Ǽ¹Ԥµ¤ì¤Þ¤¹¡£
.It Em net.inet.ip.fw.one_pass : No 1
ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢
.Xr dummynet 4
¥Ñ¥¤¥×¤«¤é½Ð¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤Ï
ºÆÅÙ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤òÄ̲᤹¤ë¤³¤È¤Ï¤¢¤ê¤Þ¤»¤ó¡£
¤½¤¦¤Ç¤Ê¤¤¾ì¹ç¡¢
¥Ñ¥¤¥×¥¢¥¯¥·¥ç¥ó¤Î¸å¡¢
¥Ñ¥±¥Ã¥È¤Ï¼¡¤Î¥ë¡¼¥ë¤Ç¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ËºÆÃíÆþ¤µ¤ì¤Þ¤¹¡£
.It Em net.inet.ip.fw.verbose : No 1
¾éĹ¥á¥Ã¥»¡¼¥¸¤ò͸ú¤Ë¤·¤Þ¤¹¡£
.It Em net.inet.ip.fw.verbose_limit : No 0
¾éĹ½ÐÎϤò¹Ô¤¦¤è¤¦¤ËÀßÄꤵ¤ì¤¿¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤¬
À¸À®¤¹¤ë¥á¥Ã¥»¡¼¥¸¿ô¤òÀ©¸Â¤·¤Þ¤¹¡£
.It Em net.link.ether.ipfw : No 0
.Nm
¤¬¥ì¥¤¥ä 2 ¥Ñ¥±¥Ã¥È¤òÄ̤¹¤«¤É¤¦¤«¤òÀ©¸æ¤·¤Þ¤¹¡£
¥Ç¥Õ¥©¥ë¥È¤Ï no ¤Ç¤¹¡£
.It Em net.link.ether.bridge_ipfw : No 0
.Nm
¤¬¥Ö¥ê¥Ã¥¸¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤òÄ̤¹¤«¤É¤¦¤«¤òÀ©¸æ¤·¤Þ¤¹¡£
¥Ç¥Õ¥©¥ë¥È¤Ï no ¤Ç¤¹¡£
.El
.Sh FreeBSD-STABLE ¤Ç IPFW2 ¤ò»È¤¦
.Nm ipfw2
¤Ï¡¢
.Fx
CURRENT ¤Çɸ½à¤È¤Ê¤Ã¤Æ¤¤¤Þ¤¹¤¬¡¢
.Fx
STABLE ¤Ç¤Ï¡¢
¥«¡¼¥Í¥ë¤ò
.Cm options IPFW2
¤òÉÕ¤±¤Æ¥³¥ó¥Ñ¥¤¥ë¤·¡¢
.Nm /sbin/ipfw
¤È
.Nm /usr/lib/libalias
¤ò
.Cm -DIPFW2
¤òÉÕ¤± (buildworld ¤ÎÁ°¤Ë
.Nm /etc/make.conf
¤Ë
.Cm IPFW2=TRUE
¤òÄɲ䷤Ƥª¤¯¤³¤È¤ÇƱ¤¸¸ú²Ì¤òÆÀ¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹)
ºÆ¥³¥ó¥Ñ¥¤¥ë¡¢ºÆ¥¤¥ó¥¹¥È¡¼¥ë¤·¤Ê¤¤¸Â¤ê¡¢
º£¤Ç¤â
.Nm ipfw1
¤ò»ÈÍѤ·¤Þ¤¹¡£
.Pp
.Sh IPFW2 ³ÈÄ¥
¤³¤Î¥»¥¯¥·¥ç¥ó¤Ç¤Ï
.Nm ipfw2
¤ÇƳÆþ¤µ¤ì¡¢
.Nm ipfw1
¤Ë¤Ï¸ºß¤·¤Ê¤«¤Ã¤¿µ¡Ç½¤Î°ìÍ÷¤ò¼¨¤·¤Þ¤¹¡£
¤³¤³¤Ç¤Ï¥ë¡¼¥ë¥»¥Ã¥È¤òµ½Ò¤¹¤ëºÝ¤Ë±Æ¶Á¤¬Â礤¤¤È»×¤ï¤ì¤ë½ç¤Ë¼¨¤·¤Þ¤¹¡£
¤è¤ê¸ú²ÌŪ¤Ê¤ä¤êÊý¤Ç¥ë¡¼¥ë¥»¥Ã¥È¤òµ½Ò¤¹¤ë¤¿¤á¤Ë
¤³¤ì¤é¤Îµ¡Ç½¤ò»ÈÍѤ·¤¿¤¤¤È»×¤¦¤«¤â¤·¤ì¤Þ¤»¤ó¡£
.Bl -tag -width indent
.It ʸˡ¤È¥Õ¥é¥°
.Nm ipfw1
¤Ï¡¢
.Fl n
¥Õ¥é¥° (ʸˡ¥Á¥§¥Ã¥¯¤Î¤ß) ¤ò¥µ¥Ý¡¼¥È¤·¤Þ¤»¤ó¤·¡¢
¥³¥ó¥Þ¤Î¸å¤Î¶õÇò¤ò¥µ¥Ý¡¼¥È¤·¤Þ¤»¤ó¤·¡¢
ñ°ì°ú¿ôÃæ¤Ç¤ÎÁ´¥ë¡¼¥ë¥Õ¥£¡¼¥ë¥É¤ò¥µ¥Ý¡¼¥È¤·¤Þ¤»¤ó
.It Èó IPv4 ¤Î¥Ñ¥±¥Ã¥È¤Î¼è¤ê°·¤¤
.Nm ipfw1
¤ÏÁ´¤Æ¤ÎÈó IPv4 ¥Ñ¥±¥Ã¥È¤òÌۤäƼõ¤±ÉÕ¤±¤Þ¤¹ (
.Nm ipfw1
¤Ï
.Em net.link.ether.bridge_ipfw=1 Ns
¤Î¾ì¹ç¤Ë¤Î¤ßÈó IPv4 ¥Ñ¥±¥Ã¥È¤ò»²¾È¤·¤Þ¤¹)¡£
.Nm ipfw2
¤Ï
Á´¤Æ¤Î¥Ñ¥±¥Ã¥È (Èó IPv4 ¥Ñ¥±¥Ã¥È¤ò´Þ¤à) ¤ò
¥ë¡¼¥ë¥»¥Ã¥È¤Ë¤·¤¿¤¬¤Ã¤Æ¥Õ¥£¥ë¥¿¤·¤Þ¤¹¡£
.Nm ipfw1
¤ÈƱ¤¸¤è¤¦¤ÊÆ°ºî¤ò¤µ¤»¤¿¤¤¾ì¹ç¤Ï
¥ë¡¼¥ë¥»¥Ã¥È¤ÎÀèƬ¤Ç¼¡¤Î¤è¤¦¤Ë¤·¤Þ¤¹¡£
.Pp
.Dl "ipfw add 1 allow layer2 not mac-type ip"
.Pp
.Cm layer2
¥ª¥×¥·¥ç¥ó¤Ï¾éŤǤ¢¤ë¤è¤¦¤Ë¸«¤¨¤Þ¤¹¤¬¡¢É¬ÍפǤ¹¡£
¥ì¥¤¥ä 3 ¤«¤é¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤òÄ̤ë¥Ñ¥±¥Ã¥È¤Ï MAC ¥Ø¥Ã¥À¤ò»ý¤¿¤Ê¤¤¤Î¤Ç¡¢
.Cm mac-type ip
¥Ñ¥¿¡¼¥ó¤Ï¥ì¥¤¥ä3¤Î¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ¾ï¤Ë¼ºÇÔ¤·¤Þ¤¹¡£
¤Ä¤Þ¤ê¡¢
.Cm not
¥ª¥Ú¥ì¡¼¥¿¤ò¤ª¤¯¤ÈÁ´¤Æ¤òÄ̲ᤵ¤»¤ë¥ë¡¼¥ë¤Ë¤Ê¤Ã¤Æ¤·¤Þ¤¤¤Þ¤¹¡£
.It °¸Àè
.Nm ipfw1
¤Ï¥¢¥É¥ì¥¹¥»¥Ã¥È¤ä°¸Àè¥ê¥¹¥È¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤Þ¤»¤ó¡£
.Pp
.It ¥Ý¡¼¥È¤Î»ØÄê
.Nm ipfw1
¤Ç¤Ï TCP ¤È UDP ¤Î¥Ý¡¼¥È¤ò»ØÄꤹ¤ëºÝ¤Ë
»ØÄê¤Ç¤¤ë¥Ý¡¼¥ÈÈÏ°Ï¤Ï 1 ¤Ä¤À¤±¤Ç¤·¤¿¡£
¤Þ¤¿¡¢
.Nm ipfw2
¤Ç 15 ¥¨¥ó¥È¥ê²Äǽ¤Ç¤¢¤ë¤Î¤ËÂФ·¡¢10 ¥¨¥ó¥È¥ê¤ËÀ©¸Â¤µ¤ì¤Æ¤¤¤Þ¤·¤¿¡£
¤Þ¤¿¡¢
.Nm ipfw1
¤Ç¤Ï
.Cm tcp
¤Þ¤¿¤Ï
.Cm udp
¥Ñ¥±¥Ã¥È¤òÍ׵᤹¤ë¥ë¡¼¥ë¤Î¾ì¹ç¤Ë¸Â¤Ã¤Æ
¥Ý¡¼¥È¤ò»ØÄꤹ¤ë¤³¤È¤¬²Äǽ¤Ç¤¹¡£
.Nm ipfw2
¤Ç¤ÏÁ´¤Æ¤Î¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤µ¤»¤ë¥ë¡¼¥ë¤Ç¥Ý¡¼¥È¤Î»ØÄê¤ò¹Ô¤¦¤³¤È¤¬²Äǽ¤Ç¡¢
¥Þ¥Ã¥Á¤Ï¥Ý¡¼¥È¼±Ê̻Ҥò´Þ¤ó¤À¥×¥í¥È¥³¥ë¤ò±¿¤Ö¥Ñ¥±¥Ã¥È¤Î¤ß¤ËŬÍѤµ¤ì¤Þ¤¹¡£
.Pp
ºÇ¸å¤Ë¡¢
.Nm ipfw1
¤Ç¤Ï
ºÇ½é¤Î¥Ý¡¼¥È¥¨¥ó¥È¥ê¤ò
.Ar port:mask
¤È»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤Þ¤·¤¿¡£
¤³¤³¤Ç
.Ar mask
¤ÏǤ°Õ¤Î 16 ¥Ó¥Ã¥È¥Þ¥¹¥¯¤¬»ÈÍѲÄǽ¤Ç¤¹¡£
¤³¤Îʸˡ¤¬ÍÍѤǤ¢¤ë¤«¤É¤¦¤«¤Ïµ¿Ìä¤Ê¤Î¤Ç
.Nm ipfw2
¤Ç¤Ï¤â¤Ï¤ä¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Þ¤»¤ó¡£
.It ÏÀÍýÏÂ¥Ö¥í¥Ã¥¯
.Nm ipfw1
¤ÏÏÀÍýÏÂ¥Ö¥í¥Ã¥¯¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤Þ¤»¤ó¡£
.It ¥¡¼¥×¥¢¥é¥¤¥Ö
.Nm ipfw1
¤Ï¾õÂְ͸¥»¥Ã¥·¥ç¥ó¤Î¤¿¤á¤Î¥¡¼¥×¥¢¥é¥¤¥Ö¤òÀ¸À®¤·¤Þ¤»¤ó¡£
·ë²Ì¤È¤·¤Æ¡¢
µÙ»ß¾õÂ֤Υ»¥Ã¥·¥ç¥ó¤Ï
ưŪ¥ë¡¼¥ë¤ÎÀ¸Â¸»þ´Ö¤¬´ü¸ÂÀÚ¤ì¤È¤Ê¤ë¤¿¤á¤Ë
Í¤ì¤ë¤³¤È¤¬¤¢¤ê¤Þ¤¹¡£
.It ¥ë¡¼¥ë¥»¥Ã¥È
.Nm ipfw1
¤Ï¥ë¡¼¥ë¥»¥Ã¥È¤ò¼ÂÁõ¤·¤Æ¤¤¤Þ¤»¤ó¡£
.It MAC ¥Ø¥Ã¥À¤Ë¤è¤ë¥Õ¥£¥ë¥¿¤È¥ì¥¤¥ä 2 ¤Î¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë
.Nm ipfw1
¤Ï MAC ¥Ø¥Ã¥À¥Õ¥£¡¼¥ë¥É¤Ë¤è¤ë¥Õ¥£¥ë¥¿¤ò¼ÂÁõ¤·¤Æ¤¤¤Þ¤»¤ó¤·¡¢
.Cm ether_demux()
¤È
.Cm ether_output_frame()
¤«¤é¤Î¥Ñ¥±¥Ã¥È¤Ë¤è¤Ã¤Æ¤âµ¯Æ°¤·¤Þ¤»¤ó¡£
sysctl ÊÑ¿ô
.Em net.link.ether.ipfw
¤Ï¤³¤³¤Ç¤Ï²¿¤Î¸ú²Ì¤â¤¢¤ê¤Þ¤»¤ó¡£
.It ¥ª¥×¥·¥ç¥ó
.Nm ipfw1
¤Ç¤Ï¡¢¼¡¤Î¥ª¥×¥·¥ç¥ó¤Ïñ°ìÃͤΤ߼õ¤±ÉÕ¤±¤Þ¤¹:
.Pp
.Cm ipid, iplen, ipttl
.Pp
¼¡¤Î¥ª¥×¥·¥ç¥ó¤Ï
.Nm ipfw1
¤Ç¤Ï¼ÂÁõ¤µ¤ì¤Æ¤¤¤Þ¤»¤ó:
.Pp
.Cm dst-ip, dst-port, layer2, mac, mac-type, src-ip, src-port
.Pp
¤µ¤é¤Ë¡¢¼¡¤Î¥ª¥×¥·¥ç¥ó¤Ï RELENG_4 ¤Î
.Nm ipfw1
¤Ç¤Ï¼ÂÁõ¤µ¤ì¤Æ¤¤¤Þ¤»¤ó:
.Pp
.Cm ipid, iplen, ipprecedence, iptos, ipttl,
.Cm ipversion, tcpack, tcpseq, tcpwin
.It dummynet ¥ª¥×¥·¥ç¥ó
.Nm dummynet
¥Ñ¥¤¥×/¥¥å¡¼ÍѤμ¡¤Î¥ª¥×¥·¥ç¥ó¤Ï¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Þ¤»¤ó¡£
.Pp
.Cm noerror
.El
.Sh »ÈÍÑÎã
.Nm
¤Ï¤¢¤Þ¤ê¤Ë¤â¿¤¯¤Î»ÈÍÑÊýË¡¤¬¤¢¤ë¤Î¤Ç
¤³¤Î¥»¥¯¥·¥ç¥ó¤Ç¤Ï»ÈÍÑÎã¤Î¤Û¤ó¤Î°ìÉô¤ò¼¨¤¹¤Î¤ß¤Ë¤·¤Æ¤ª¤¤Þ¤¹¡£
.Pp
.Ss ´ðËÜŪ¤Ê¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°
¼¡¤Î¥³¥Þ¥ó¥É¤Ï
.Em cracker.evil.org
¤«¤é
.Em wolf.tambov.su
¤Î telnet ¥Ý¡¼¥È¤ØÁ÷¤é¤ì¤ë¤¹¤Ù¤Æ¤Î TCP ¥Ñ¥±¥Ã¥È¤òµñÈݤ¹¤ë¥ë¡¼¥ë¤òÄɲä·¤Þ¤¹¡£
.Pp
.Dl "ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet"
.Pp
¼¡¤Î¥³¥Þ¥ó¥É¤Ï¥¯¥é¥Ã¥«¡¼¤Î¥Í¥Ã¥È¥ï¡¼¥¯Á´ÂΤ«¤é¥Û¥¹¥È my ¤Ø¤Î
¤¹¤Ù¤Æ¤Î¥³¥Í¥¯¥·¥ç¥ó¤òµñÈݤ·¤Þ¤¹¡£
.Pp
.Dl "ipfw add deny ip from 123.45.67.0/24 to my.host.org"
.Pp
ºÇ½é¤Ë¸úΨÎɤ¯ (ưŪ¥ë¡¼¥ë¤òÍѤ¤¤º¤Ë) ¥¢¥¯¥»¥¹¤òÀ©¸Â¤¹¤ëÊýË¡¤Ï¡¢
¼¡¤Î¥ë¡¼¥ë¤òÍѤ¤¤ë¤³¤È¤Ç¤¹¡£
.Pp
.Dl "ipfw add allow tcp from any to any established"
.Dl "ipfw add allow tcp from net1 portlist1 to net2 portlist2 setup"
.Dl "ipfw add allow tcp from net3 portlist3 to net3 portlist3 setup"
.Dl "..."
.Dl "ipfw add deny tcp from any to any"
.Pp
ºÇ½é¤Î¥ë¡¼¥ë¤ÏÄ̾ï¤Î TCP ¥Ñ¥±¥Ã¥È¤Ë¤¹¤°¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¤¬¡¢
ºÇ½é¤Î SYN ¥Ñ¥±¥Ã¥È¤Ë¤Ï¥Þ¥Ã¥Á¤·¤Þ¤»¤ó¡£
»ØÄꤷ¤¿È¯¿®¸µ/°¸Àè¤ÎÁȤΠSYN ¥Ñ¥±¥Ã¥È¤Î¤ß¡¢¼¡¤Î
.Cm setup
¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£¤³¤ì¤é°Ê³°¤Î SYN ¥Ñ¥±¥Ã¥È¤Ï¡¢ºÇ¸å¤Î
.Cm deny
¥ë¡¼¥ë¤Ë¤è¤êµÑ²¼¤µ¤ì¤Þ¤¹¡£
.Pp
¤â¤·¡¢1 ¤Ä°Ê¾å¤Î¥µ¥Ö¥Í¥Ã¥È¤Î´ÉÍý¼Ô¤Ê¤é¡¢
.Nm ipfw2
¤Îʸˡ¤ÎÍøÅÀ¤ò³èÍѤ·¤Æ
¥¢¥É¥ì¥¹¥»¥Ã¥È¤ÈÏÀÍýÏÂ¥Ö¥í¥Ã¥¯¤ò»ØÄꤹ¤ë¤³¤È¤Ç¡¢
¼¡¤Î¤è¤¦¤Ë¡¢
¥¯¥é¥¤¥¢¥ó¥È¤Î¥Ö¥í¥Ã¥¯¤Ë¥µ¡¼¥Ó¥¹¤òÁªÂòŪ¤ËÍøÍѲÄǽ¤È¤¹¤ë
¶Ë¤á¤Æ¥³¥ó¥Ñ¥¯¥È¤Ê¥ë¡¼¥ë¥»¥Ã¥È¤òµ½Ò¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
.Pp
.Dl "goodguys=\*q{ 10.1.2.0/24{20,35,66,18} or 10.2.3.0/28{6,3,11} }\*q"
.Dl "badguys=\*q10.1.2.0/24{8,38,60}\*q"
.Dl ""
.Dl "ipfw add allow ip from ${goodguys} to any"
.Dl "ipfw add deny ip from ${badguys} to any"
.Dl "... normal policies ..."
.Pp
.Nm ipfw1
¤Îʸˡ¤Ç¤Ï¡¢
¾å¤ÎÎã¤Ç¤Ï³Æ IP ¤ËÊÌ¡¹¤Î¥ë¡¼¥ë¤òÍÑ°Õ¤¹¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£
.Pp
.Cm verrevpath
¥ª¥×¥·¥ç¥ó¤ò»ÈÍѤ·¡¢²¼µ¤ò¥ë¡¼¥ë¥»¥Ã¥È¤ÎÀèƬ¤ËÃÖ¤¯¤³¤È¤Ç¡¢
¼«Æ°Åª¤ÊÂÐ¥¹¥×¡¼¥Õ¥£¥ó¥°¤¬²Äǽ¤Ë¤Ê¤ê¤Þ¤¹:
.Pp
.Dl "ipfw add deny ip from any to any not verrevpath in"
.Pp
¤³¤Î¥ë¡¼¥ë¤Ï¡¢ÊѤʥ¤¥ó¥¿¥Õ¥§¡¼¥¹¤«¤é¥·¥¹¥Æ¥à¤ËÍ褿¤è¤¦¤Ë¸«¤¨¤ë
Æâ¸þ¤¥Ñ¥±¥Ã¥È¤ò¤¹¤Ù¤ÆÍî¤È¤·¤Þ¤¹¡£
Î㤨¤Ð¡¢Êݸ¤ì¤¿ÆâÉô¥Í¥Ã¥È¥ï¡¼¥¯¾å¤Î¥Û¥¹¥È¤Ë°¤¹¤ë¥½¡¼¥¹¥¢¥É¥ì¥¹¤ò»ý¤Ä
¥Ñ¥±¥Ã¥È¤Ï¡¢³°Éô¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤«¤é¥·¥¹¥Æ¥à¤ËÆþ¤í¤¦¤È¤·¤¿¾ì¹ç¡¢Íî¤È¤µ¤ì¤Þ¤¹¡£
.Ss ưŪ¥ë¡¼¥ë
¤Ë¤»¤Î TCP ¥Ñ¥±¥Ã¥È¤ò´Þ¤àÅÜÅó¤Î¹¶·â (flood attack) ¤«¤é
¥µ¥¤¥È¤òÊݸ¤ë¤¿¤á¤Ë¡¢¼¡¤ÎưŪ¥ë¡¼¥ë¤òÍѤ¤¤¿Êý¤¬°ÂÁ´¤Ç¤¹¡£
.Pp
.Dl "ipfw add check-state"
.Dl "ipfw add deny tcp from any to any established"
.Dl "ipfw add allow tcp from my-net to any setup keep-state"
.Pp
¤³¤ì¤é¤Î¥ë¡¼¥ë¤Ë¤è¤ê¡¢¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Ï¡¢¼«Ê¬¤¿¤Á¤Î¥Í¥Ã¥È¥ï¡¼¥¯¤Î
Æ⦤«¤éÅþÃ夹¤ëÄ̾ï¤Î SYN ¥Ñ¥±¥Ã¥È¤Ç»Ï¤Þ¤ë¥³¥Í¥¯¥·¥ç¥ó¤ËÂФ·¤Æ
¤Î¤ßưŪ¥ë¡¼¥ë¤òÁȤ߹þ¤ß¤Þ¤¹¡£Æ°Åª¥ë¡¼¥ë¤Ï¡¢ºÇ½é¤Î
.Cm check-state
¥ë¡¼¥ë¡¢¤Þ¤¿¤Ï¡¢
.Cm keep-state
¥ë¡¼¥ë¤ËÁø¶ø¤·¤¿»þÅÀ¤Ç¥Á¥§¥Ã¥¯¤µ¤ì¤Þ¤¹¡£
¥ë¡¼¥ë¥»¥Ã¥È¤Î¥¹¥¥ã¥óÎ̤òºÇ¾®¤Ë¤¹¤ë¤¿¤á¤Ë¡¢
.Cm check-state
¥ë¡¼¥ë¤Ï¡¢¥ë¡¼¥ë¥»¥Ã¥È¤ÎºÇ½é¤Î¤Û¤¦¤ËÃÖ¤¯¤³¤È¤Ë¤Ê¤ë¤Î¤¬ÉáÄ̤Ǥ¹¡£
¼ÂºÝ¤ÎdzÈñ¤ÏÊÑÆ°¤·¤Þ¤¹¡£
.Pp
¥æ¡¼¥¶¤¬³«¤±¤ëÀܳ¿ô¤òÀ©¸Â¤¹¤ë¤Ë¤Ï¡¢¼¡¤Î¥¿¥¤¥×¤Î¥ë¡¼¥ë¤ò»ÈÍѲÄǽ¤Ç¤¹¡£
.Pp
.Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
.Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
.Pp
Á°¼Ô (¥²¡¼¥È¥¦¥§¥¤¾å¤ÇÆ°ºî¤¹¤ë¤³¤È¤ò²¾Äê) ¤Ï¡¢/24 ¥Í¥Ã¥È¾å¤Î³Æ¥Û¥¹¥È¤¬
ºÇÂç 10 ¸Ä¤Î TCP Àܳ¤ò³«¤¯¤³¤È¤òµö¤·¤Þ¤¹¡£
¸å¼Ô¤Ï¡¢¥µ¡¼¥Ð¾å¤ËÀßÄê²Äǽ¤Ç¤¢¤ê¡¢
ñ°ì¤Î¥¯¥é¥¤¥¢¥ó¥È¤¬Æ±»þ¤Ë 4 ¸Ä¤ò±Û¤¨¤ëÀܳ¤ò»ÈÍѤǤ¤Ê¤¤¤è¤¦¤Ë¤·¤Þ¤¹¡£
.Pp
.Em Ãí°Õ :
¥¹¥Æ¡¼¥È¥Õ¥ë¤Ê¥ë¡¼¥ë¤Ï¡¢ÅÜÅó¤Î SYN ¹¶·â¤Ë¤è¤ê¶Ë¤á¤ÆÂçÎ̤ÎưŪ¥ë¡¼¥ë¤ò
ºî¤Ã¤Æ¤·¤Þ¤¤¡¢¥µ¡¼¥Ó¥¹ÉÔǽ¹¶·â¤ò¼õ¤±¤ë¤³¤È¤Ë¤Ê¤ë²ÄǽÀ¤¬¤¢¤ê¤Þ¤¹¡£
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ÎÆ°ºî¤ò¥³¥ó¥È¥í¡¼¥ë¤¹¤ë
.Xr sysctl 8
ÊÑ¿ô¤Ë½¾¤¤¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤¬Æ°ºî¤¹¤ë¤³¤È¤Ë¤è¤Ã¤Æ¡¢
¤³¤Î¤è¤¦¤Ê¹¶·â¤Î±Æ¶Á¤òÉôʬŪ¤Ë¤Ç¤âÀ©¸Â¤¹¤ë¤³¤È¤Ï¤Ç¤¤Þ¤¹¡£
.Pp
¤³¤³¤Ç¡¢¥«¥¦¥ó¥È¤µ¤ì¤Æ¤¤¤ë¾ðÊó¤È¥¿¥¤¥à¥¹¥¿¥ó¥×¾ðÊó¤ò¸«¤ë
.Cm list
¥³¥Þ¥ó¥É¤Î¤è¤¤Îã¤ò¼¨¤·¤Þ¤¹¡£
.Pp
.Dl ipfw -at list
.Pp
¤³¤ì¤Ï¥¿¥¤¥à¥¹¥¿¥ó¥×¤ò¾Êά¤·¤Æ¼¡¤Î¤è¤¦¤Ë»ØÄê¤Ç¤¤Þ¤¹¡£
.Pp
.Dl ipfw -a list
.Pp
¤³¤ì¤Ï¼¡¤Î»ØÄê¤ÈÅù²Á¤Ç¤¹¡£
.Pp
.Dl ipfw show
.Pp
¼¡¤Î¥ë¡¼¥ë¤Ï 192.168.2.0/24 ¤«¤é¤Î¤¹¤Ù¤Æ¤Î¼õ¿®¥Ñ¥±¥Ã¥È¤ò¡¢5000 È֤Υݡ¼¥È¤Ë
¹Ô¤ÀèÊѹ¹¤¹¤ë¤â¤Î¤Ç¤¹¡£
.Pp
.Dl ipfw divert 5000 ip from 192.168.2.0/24 to any in
.Pp
.Ss ¥È¥é¥Õ¥£¥Ã¥¯¥·¥§¥¤¥Ñ
¼¡¤Î¥ë¡¼¥ë¤Ï¡¢
.Nm
¤È
.Xr dummynet 4
¤ò¥·¥ß¥å¥ì¡¼¥·¥ç¥ó¤Ê¤É¤Ç»È¤¦ºÝ¤Î»ÈÍÑÊýË¡¤ò¼¨¤·¤Æ¤¤¤Þ¤¹¡£
.Pp
¤³¤Î¥ë¡¼¥ë¤Ï 5% ¤Î³ÎΨ¤Ç¥é¥ó¥À¥à¤Ë¥Ñ¥±¥Ã¥È¤òÍ¤Þ¤¹¡£
.Pp
.Dl "ipfw add prob 0.05 deny ip from any to any in"
.Pp
ƱÍͤθú²Ì¤Ï dummynet ¥Ñ¥¤¥×¤Ç¼Â¸½²Äǽ¤Ç¤¹¡£
.Pp
.Dl "ipfw add pipe 10 ip from any to any"
.Dl "ipfw pipe 10 config plr 0.05"
.Pp
¿Í¹©Åª¤Ë¥Ð¥ó¥ÉÉý¤òÀ©¸Â¤¹¤ë¤¿¤á¤Ë¥Ñ¥¤¥×¤ò»ÈÍѲÄǽ¤Ç¤¹¡£
Î㤨¤Ð¥ë¡¼¥¿¤È¤·¤ÆÆ°ºî¤¹¤ë¥Þ¥·¥ó¾å¤Ç¡¢
192.168.2.0/24 ¾å¤Î¥í¡¼¥«¥ë¥¯¥é¥¤¥¢¥ó¥È¤«¤é¤Î¥È¥é¥Õ¥£¥Ã¥¯¤òÀ©¸Â¤·¤¿¤¤¾ì¹ç¡¢
¼¡¤Î¤è¤¦¤Ë¤·¤Þ¤¹¡£
.Pp
.Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out"
.Dl "ipfw pipe 1 config bw 300Kbit/s queue 50KBytes"
.Pp
.Cm out
»Ø¼¨»Ò¤ò»ÈÍѤ·¤Æ¡¢¥ë¡¼¥ë¤¬ 2 ÅٻȤï¤ì¤Ê¤¤¤è¤¦¤Ë¤·¤Æ¤¤¤ë¤³¤È¤Ë
Ãí°Õ¤·¤Æ¤¯¤À¤µ¤¤¡£
.Nm
¥ë¡¼¥ë¤Ï¡¢¼ÂºÝ¤Ë¤Ï¡¢
ÆþÎϥѥ±¥Ã¥È¤È½ÐÎϥѥ±¥Ã¥È¤ÎξÊý¤ËŬÍѤµ¤ì¤ë¤³¤È¤ò³Ð¤¨¤Æ¤ª¤¤¤Æ¤¯¤À¤µ¤¤¡£
.Pp
¥Ð¥ó¥ÉÉý¤ËÀ©¸Â¤¬¤¢¤ëÁÐÊý¸þ¥ê¥ó¥¯¤ò¥·¥ß¥å¥ì¡¼¥È¤¹¤ë¾ì¹ç¡¢
Àµ¤·¤¤ÊýË¡¤Ï¼¡¤ÎÄ̤ê¤Ç¤¹¡£
.Pp
.Dl "ipfw add pipe 1 ip from any to any out"
.Dl "ipfw add pipe 2 ip from any to any in"
.Dl "ipfw pipe 1 config bw 64Kbit/s queue 10Kbytes"
.Dl "ipfw pipe 2 config bw 64Kbit/s queue 10Kbytes"
.Pp
Î㤨¤Ð¡¢¤¢¤Ê¤¿¤ÎÁõ¾þŪ¤Ê¥¦¥§¥Ö¥Ú¡¼¥¸¤¬
Ä㮥ê¥ó¥¯¤Î¤ß¤ÇÀܳ¤µ¤ì¤Æ¤¤¤ëºßÂð¥æ¡¼¥¶¤Ë¤É¤¦¸«¤¨¤Æ¤¤¤ë¤«
ÃΤꤿ¤¤¾ì¹ç¤Ê¤É¤Ë¡¢
¾å½Ò¤ÎÊýË¡¤ÏÈó¾ï¤ËÍÍѤ«¤â¤·¤ì¤Þ¤»¤ó¡£
ȾÆó½Å¥á¥Ç¥£¥¢ (Î㤨¤Ð appletalk, Ethernet, IRDA) ¤ò¥·¥ß¥å¥ì¡¼¥È¤·¤¿¤¤
¾ì¹ç¤ò½ü¤¡¢Ã±°ì¤Î¥Ñ¥¤¥×¤òξÊý¤ÎÊý¸þ¤Ë»ÈÍѤ¹¤Ù¤¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¡£
ξÊý¤Î¥Ñ¥¤¥×¤¬Æ±¤¸ÀßÄê¤Ç¤¢¤ëɬÍפϤʤ¤¤Î¤Ç¡¢
ÈóÂоΥê¥ó¥¯¤â¥·¥ß¥å¥ì¡¼¥È²Äǽ¤Ç¤¹¡£
.Pp
RED ¥¥å¡¼´ÉÍý¥¢¥ë¥´¥ê¥º¥à¤ò»ÈÍѤ·¤Æ¥Í¥Ã¥È¥ï¡¼¥¯Àǽ¤ò¸¡¾Ú¤¹¤ë¤Ë¤Ï¡¢
¼¡¤Î¤è¤¦¤Ë¤·¤Þ¤¹¡£
.Pp
.Dl "ipfw add pipe 1 ip from any to any"
.Dl "ipfw pipe 1 config bw 500Kbit/s queue 100 red 0.002/30/80/0.1"
.Pp
¥È¥é¥Õ¥£¥Ã¥¯¥·¥§¥¤¥Ñ¤Î¾¤Îŵ·¿Åª¤Ê±þÍѤϡ¢
¤¤¤¯¤Ð¤¯¤«¤ÎÄÌ¿®ÃÙ±ä¤òƳÆþ¤¹¤ë¤³¤È¤Ç¤¹¡£
¤³¤ì¤Ï¡¢¥Ð¥ó¥ÉÉý¤è¤ê¤âÀܳ¤Î¥é¥¦¥ó¥É¥È¥ê¥Ã¥×»þ´Ö¤¬À©ÌóÍ×°ø¤È¤Ê¤ë
¤³¤È¤¬¤·¤Ð¤·¤Ð¤È¤¤¤¦¾õ¶·²¼¤Ç¡¢
±ó³Ö¼ê³¤¸Æ¤Ó½Ð¤·¤ò¿ÍѤ¹¤ë¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ËÂФ·
Èó¾ï¤ËÂ礤ʱƶÁ¤òÍ¿¤¨¤Þ¤¹¡£
.Pp
.Dl "ipfw add pipe 1 ip from any to any out"
.Dl "ipfw add pipe 2 ip from any to any in"
.Dl "ipfw pipe 1 config delay 250ms bw 1Mbit/s"
.Dl "ipfw pipe 2 config delay 250ms bw 1Mbit/s"
.Pp
¥Õ¥í¡¼¤´¤È¤Î¥¥å¡¼¤Ï¤µ¤Þ¤¶¤Þ¤ÊÍÑÅÓ¤ËÍÍѤǤ¹¡£
Èó¾ï¤Ëñ½ã¤ÊÍÑÅӤϡ¢¥È¥é¥Õ¥£¥Ã¥¯¤Î½¸·×¤Ç¤¹¡£
.Pp
.Dl "ipfw add pipe 1 tcp from any to any"
.Dl "ipfw add pipe 1 udp from any to any"
.Dl "ipfw add pipe 1 ip from any to any"
.Dl "ipfw pipe 1 config mask all"
.Pp
¾å½Ò¤Î¥ë¡¼¥ë¥»¥Ã¥È¤Ï¡¢
¤¹¤Ù¤Æ¤Î¥È¥é¥Õ¥£¥Ã¥¯¤ËÂФ¹¤ë¥¥å¡¼¤òÀ¸À® (¤·¤ÆÅý·×¾ðÊó¤ò¼ý½¸) ¤·¤Þ¤¹¡£
¥Ñ¥¤¥×¤Ë¤ÏÀ©¸Â¤ò¤Ä¤±¤Æ¤¤¤Ê¤¤¤Î¤Ç¡¢Åý·×¾ðÊó¤ò½¸¤á¤ë¸ú²Ì¤·¤«¤¢¤ê¤Þ¤»¤ó¡£
ºÇ¸å¤Î¥ë¡¼¥ë¤À¤±¤Ç¤Ê¤¯ 3 ¸Ä¤Î¥ë¡¼¥ë¤¬É¬Íפʤ³¤È¤ËÃí°Õ¤·¤Æ¤¯¤À¤µ¤¤¡£
.Nm
¤¬ IP ¥Ñ¥±¥Ã¥È¤Î¥Þ¥Ã¥Á¤ò»î¤ß¤ë¤È¤¤Ë¥Ý¡¼¥È¤ò¹Íθ¤·¤Ê¤¤¤¿¤á¡¢
ÊÌ¡¹¤Î¥Ý¡¼¥È¾å¤ÎÀܳ¤¬°ã¤¦¤â¤Î¤È¤·¤Æ¸«¤¨¤Þ¤»¤ó¡£
.Pp
¤è¤êÀöÎý¤µ¤ì¤¿Îã¤Ï¡¢
¥Í¥Ã¥È¥ï¡¼¥¯¤Î½ÐÎϥȥé¥Õ¥£¥Ã¥¯¤ò¡¢
¥Í¥Ã¥È¥ï¡¼¥¯Ëè¤ËÀ©Ì󤹤ë¤Î¤Ç¤Ï¤Ê¤¯¡¢¥Û¥¹¥ÈËè¤ËÀ©Ì󤹤ë¤â¤Î¤Ç¤¹¡£
.Pp
.Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out"
.Dl "ipfw add pipe 2 ip from any to 192.168.2.0/24 in"
.Dl "ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
.Dl "ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
.Ss ¥ë¡¼¥ë¥»¥Ã¥È
¥ë¡¼¥ë¥»¥Ã¥È¤ò¥¢¥È¥ß¥Ã¥¯¤ËÄɲ乤ë¤Ë¤Ï¡¢
Î㤨¤Ð¥»¥Ã¥È 18 ¤Ê¤é¡¢¼¡¤Î¤è¤¦¤Ë¤·¤Þ¤¹¡£
.Pp
.Dl "ipfw set disable 18"
.Dl "ipfw add NN set 18 ... # ɬÍפ˱þ¤¸¤Æ·«¤êÊÖ¤¹"
.Dl "ipfw set enable 18"
.Pp
¥ë¡¼¥ë¥»¥Ã¥È¤ò¥¢¥È¥ß¥Ã¥¯¤Ëºï½ü¤¹¤ë¤Ë¤Ï¡¢Ã±¤Ë¼¡¤Î¥³¥Þ¥ó¥É¤Ç¤è¤¤¤Ç¤¹¡£
.Pp
.Dl "ipfw delete set 18"
.Pp
¥ë¡¼¥ë¥»¥Ã¥È¤Î¥Æ¥¹¥È¤ò¹Ô¤Ã¤¿¤ê¡¢
²¿¤«´Ö°ã¤¤¤¬¤¢¤Ã¤¿¾ì¹ç¤Ë¥ë¡¼¥ë¥»¥Ã¥È¤òºï½ü¤·¤ÆÀ©¸æ¤ò²óÉü¤¹¤ë¤Ë¤Ï¡¢
¼¡¤Î¤è¤¦¤Ë¤·¤Þ¤¹¡£
.Pp
.Dl "ipfw set disable 18"
.Dl "ipfw add NN set 18 ... # ɬÍפ˱þ¤¸¤Æ·«¤êÊÖ¤¹"
.Dl "ipfw set enable 18; echo done; sleep 30 && ipfw set disable 18"
.Pp
¤³¤³¤Ç³ÆÀßÄ꤬¤¦¤Þ¤¯¤¤¤Ã¤¿¾ì¹ç¡¢
\&"sleep" ¤¬½ªÎ»¤¹¤ëÁ°¤Ë control-C ¤ò²¡¤¹¤È¡¢
¥ë¡¼¥ë¥»¥Ã¥È¤Ï³èÆ°¾õÂ֤ΤޤޤȤʤê¤Þ¤¹¡£
¤½¤¦¤Ç¤Ê¤¤¾ì¹ç¡¢
¤¿¤È¤¨È¢¤Ë¥¢¥¯¥»¥¹¤¹¤ë¤³¤È¤¬¤Ç¤¤Ê¤«¤Ã¤¿¤È¤·¤Æ¤â¡¢
¥ë¡¼¥ë¥»¥Ã¥È¤Ï sleep ¤¬½ªÎ»¤·¤¿¸å¤Ç̵¸ú¤Ê¾õÂ֤ˤʤë¤Î¤Ç
°ÊÁ°¤Î¾õÂÖ¤¬Éü¸µ¤µ¤ì¤Þ¤¹¡£
.Sh ´ØÏ¢¹àÌÜ
.Xr cpp 1 ,
.Xr m4 1 ,
.Xr bridge 4 ,
.Xr divert 4 ,
.Xr dummynet 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr init 8 ,
.Xr kldload 8 ,
.Xr reboot 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8
.Sh ¥Ð¥°
ǯ·î¤È¤È¤â¤Ëʸˡ¤¬Â礤¯¤Ê¤ê¡¢¤È¤¤É¤Ìõ¤¬¤ï¤«¤é¤Ê¤¤¤È¤³¤í¤â
¤¢¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¡£
ÉÔ¹¬¤Ë¤·¤Æ¡¢¸åÊý¸ß´¹À¤Î¤¿¤á¤ËÀΤ·¤Ç¤«¤·¤¿Ê¸Ë¡ÄêµÁ¤Î¸í¤ê¤ò
ÄûÀµ¤Ç¤¤Ê¤¤¤Ç¤¤¤Þ¤¹¡£
.Pp
.Em !!! ·Ù¹ð !!!
.Pp
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ò¸í¤Ã¤ÆÀßÄꤹ¤ë¤È¥³¥ó¥Ô¥å¡¼¥¿¤¬
»ÈÍÑÉÔǽ¤Ê¾õÂ֤ˤʤꡢ
¤³¤È¤Ë¤è¤ë¤È¡¢¥Í¥Ã¥È¥ï¡¼¥¯¥µ¡¼¥Ó¥¹¤òÄä»ß¤µ¤»¤Æ¤·¤Þ¤¤¡¢
À©¸æ¤ò²óÉü¤¹¤ë¤¿¤á¤Ë¥³¥ó¥½¡¼¥ë¥¢¥¯¥»¥¹¤¬É¬ÍפȤʤäƤ·¤Þ¤¦
²ÄǽÀ¤¬¤¢¤ê¤Þ¤¹¡£
.Pp
.Cm divert
¤Ë¤è¤Ã¤Æ¹Ô¤Àè¤òÊѹ¹¤µ¤ì¤ë¤«
.Cm tee
¤µ¤ì¤¿¡¢Æþ¤Ã¤Æ¤¤¿¥Ñ¥±¥Ã¥È¤ÎÃÇÊÒ (¥Õ¥é¥°¥á¥ó¥È) ¤Ï¡¢
¥½¥±¥Ã¥È¤ËÇÛÁ÷¤µ¤ì¤ëÁ°¤ËºÆ¹½À®¤µ¤ì¤Þ¤¹¡£
¤³¤ì¤é¤Î¥Ñ¥±¥Ã¥È¤Ç»ÈÍѤµ¤ì¤ë¥¢¥¯¥·¥ç¥ó¤Ï
¥Ñ¥±¥Ã¥È¤ÎºÇ½é¤Î¥Õ¥é¥°¥á¥ó¥È¤Ë¥Þ¥Ã¥Á¤·¤¿¥ë¡¼¥ë¤Î¤â¤Î¤Ç¤¹¡£
.Pp
.Cm tee
¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤¹¤ë¥Ñ¥±¥Ã¥È¤Ï¡¢
¨»þ¤Ë¼õÍý¤µ¤ì¤ë¤Ù¤¤Ç¤Ï¤Ê¤¯¡¢¥ë¡¼¥ë¥ê¥¹¥È¤ò¹¹¤ËÄ̤ë¤Ù¤¤Ç¤¹¡£
¤³¤ì¤Ï¡¢°Ê¹ß¤Î¥Ð¡¼¥¸¥ç¥ó¤Ç½¤Àµ¤µ¤ì¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¡£
.Pp
¥æ¡¼¥¶¥é¥ó¥É¤Ø¸þ¤±¤é¤ì¡¢
¥æ¡¼¥¶¥é¥ó¥É¤Î¥×¥í¥»¥¹
¤Ë¤è¤Ã¤ÆºÆÅêÆþ¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Ï¡¢
¥Ñ¥±¥Ã¥È¤Îȯ¿®¸µ¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤ò´Þ¤à
¥Ñ¥±¥Ã¥È°À¤Î¤¤¤í¤¤¤í¤ò¼º¤Ã¤Æ¤¤¤Þ¤¹¡£
¥Ñ¥±¥Ã¥È¤Î»ÏÅÀ¥¤¥ó¥¿¥Õ¥§¡¼¥¹Ì¾¤Ï¡¢8 ¥Ð¥¤¥È̤Ëþ¤Ç¤¢¤Ã¤Æ¡¢
¥æ¡¼¥¶¥é¥ó¥É¤Î¥×¥í¥»¥¹¤¬Êݸ¤·¤³¤ì¤ò sockaddr_in ¤ÇºÆ»ÈÍѤ¹¤ë¤Î¤Ç¤¢¤ì¤Ð¡¢
ÊÝ»ý¤µ¤ì¤Þ¤¹
.Xr ( natd 8
¤Ï¤½¤¦¤·¤Þ¤¹)¡£
¤µ¤â¤Ê¤¯¤Ð¡¢¤³¤Î¾ðÊó¤Ï¼º¤ï¤ì¤Þ¤¹¡£
¥Ñ¥±¥Ã¥È¤¬¤³¤ÎÊýË¡¤ÇºÆÅêÆþ¤µ¤ì¤¿¾ì¹ç¡¢
¸å¤Î¥ë¡¼¥ë¤ÏÀµ¤·¤¯Å¬ÍѤµ¤ì¤Ê¤¤¤«¤â¤·¤ì¤Þ¤»¤ó¡£
¥ë¡¼¥ë¤ÎʤӤˤª¤±¤ë
.Cm divert
¥ë¡¼¥ë¤Î½ç½ø¤ÏÈó¾ï¤Ë½ÅÍפʤâ¤Î¤È¤Ê¤ê¤Þ¤¹¡£
.Sh ºî¼Ô
.An Ugen J. S. Antsilevich ,
.An Poul-Henning Kamp ,
.An Alex Nash ,
.An Archie Cobbs ,
.An Luigi Rizzo .
.Pp
.An -nosplit
API ¤Ï
.An Daniel Boulet
¤¬ BSDI ÍѤ˵½Ò¤·¤¿¥³¡¼¥É¤Ë´ð¤Å¤¤¤Æ¤¤¤Þ¤¹¡£
.Pp
.Xr dummynet 4
¥È¥é¥Õ¥£¥Ã¥¯¥·¥§¥¤¥Ñ¤Ï Akamba Corp. ¤¬¥µ¥Ý¡¼¥È¤·¤Þ¤·¤¿¡£
.Sh Îò»Ë
.Nm
¤Ï¡¢
.Fx 2.0
¤ÇºÇ½é¤Ë¸½¤ì¤Þ¤·¤¿¡£
.Xr dummynet 4
¤Ï
.Fx 2.2.8
¤«¤éƳÆþ¤µ¤ì¤Þ¤·¤¿¡£
¥¹¥Æ¡¼¥È¥Õ¥ë³ÈÄ¥¤Ï¡¢
.Fx 4.0
¤«¤éƳÆþ¤µ¤ì¤Þ¤·¤¿¡£
.Nm ipfw2
¤Ï 2002 ǯ²Æ¤ËƳÆþ¤µ¤ì¤Þ¤·¤¿¡£
