| Systemwalker Centric Manager 導入手引書 - UNIX/Windows(R)共通 - |
|
目次
索引
|
| 第4章 部門管理サーバ・業務サーバの環境構築 | > 4.8 Solarisサーバでファイアウォールの設定 |
部門管理サーバ、業務サーバのファイアウォール機能の設定例を以下に示します。
本設定は、以下の条件のもと作成されています。
基本的な書式は以下のとおりです。
|
passまたはblock inまたはout [on I/F名] from *** to *** [オプション] |
上記以外については、OSのマニュアルを参照してください。
# 運用管理/部門管理/業務サーバ共通の必須設定 # 自サーバ内通信の許可 # "lo0"は、ループバックデバイス名 pass in quick on lo0 all pass out quick on lo0 all # すべての通信を拒否する設定 # はじめにすべての通信を拒否してから、使用するポートの設定を行います。 # 以下の2行を削除すると、すべての通信が許可されます。 block in log on hme0 all block out log on hme0 all # ICMP通信の許可 pass in quick on hme0 proto icmp all keep state pass out quick on hme0 proto icmp all keep state # 部門管理サーバの必須ポート pass in quick on hme0 proto tcp from any to any port = 9294 keep state pass out quick on hme0 proto tcp from any to any port = 9294 keep state pass out quick on hme0 proto tcp from any to any port = 5968 keep state pass in quick on hme0 proto tcp from any to any port = 5967 keep state pass in quick on hme0 proto tcp from any to any port = 5968 keep state pass in quick on hme0 proto tcp from any to any port = 4013 keep state # 以下より、使用機能により選択が可能。 # 使用しない機能の場合は、先頭行に"#"を追加し、コメントアウトをすること # ノードの自動検出/MIBしきい値監視/稼働状態の表示/DHCP監視 # 性能監視、性能情報の表示で使用するSNMPポートの設定 pass in quick on hme0 proto udp from any to any port = 161 keep state pass out quick on hme0 proto udp from any to any port = 161 keep state # SNMPトラップの監視のための設定 pass in quick on hme0 proto udp from any to any port = 162 keep state pass out quick on hme0 proto udp from any to any port = 162 keep state # MIBしきい値の監視を行う場合で、かつ部門管理サーバが存在する場合の設定 pass in quick on hme0 proto tcp from any to any port = 5971 keep state pass out quick on hme0 proto tcp from any to any port = 5971 keep state # サーバへの資源配付を行うための設定 pass in quick on hme0 proto tcp from any to any port = 9324 keep state pass out quick on hme0 proto tcp from any to any port = 9324 keep state # クライアントへの資源配付および資源配付GUIの接続のための設定 pass in quick on hme0 proto tcp from any to any port = 9231 keep state # HTTP通信を用いたサーバへの資源配付を使用するための設定 pass in quick on hme0 proto tcp from any to any port = 9394 keep state pass out quick on hme0 proto tcp from any to any port = 9394 keep state # HTTP通信を用いたクライアントへの資源配付を使用するための設定 pass in quick on hme0 proto tcp from any to any port = 9393 keep state # HTTPS通信を用いたサーバへの資源配付を使用するための設定 pass in quick on hme0 proto tcp from any to any port = 9398 keep state pass out quick on hme0 proto tcp from any to any port = 9398 keep state # HTTPS通信を用いたクライアントへの資源配付を使用するための設定 pass in quick on hme0 proto tcp from any to any port = 9399 keep state # 強制配付機能を使用するための設定 pass in quick on hme0 proto tcp from any to any port = 4098 keep state # イベント監視定義GUIを接続するための設定 pass in quick on hme0 proto tcp from any to any port = 9345 keep state pass in quick on hme0 proto tcp from any to any port = 9371 keep state # 性能監視、性能情報の表示を行うための設定 # 本機能を利用する場合は、161/udpの設定も行うこと pass in quick on hme0 proto tcp from any to any port = 2750 keep state pass out quick on hme0 proto tcp from any to any port = 2750 keep state # アプリケーションの稼働/性能監視、および操作を行うための設定 pass in quick on hme0 proto tcp from any to any port = 2425 keep state pass out quick on hme0 proto tcp from any to any port = 2425 keep state # リモートコマンドを利用するための設定 pass in quick on hme0 proto udp from any to any port = 9294 keep state pass out quick on hme0 proto udp from any to any port = 9294 keep state # サーバの電源投入・切断を行うための設定 pass in quick on hme0 proto tcp from any to any port = 9373 keep state # 自動アクションを行うための設定 pass out quick on hme0 proto tcp from any to any port = 6961 keep state pass in quick on hme0 proto tcp from any to any port = 9369 keep state pass in quick on hme0 proto tcp from any to any port = 9370 keep state # 監査ログ管理を行うための設定 # 修正の配付を行うための設定 pass out quick on hme0 proto tcp from any to any port = 1105 keep state pass in quick on hme0 proto tcp from any to any port = 1105 keep state # 以下の9371/tcpポートは、イベント監視GUIと共通 #pass in quick on hme0 proto tcp from any to any port = 9371 keep state # その他業務で必要な設定を追記してください。 pass in quick on hme0 proto tcp from any to any port = 23 keep state pass out quick on hme0 proto tcp from any to any port = 23 keep state pass in quick on hme0 proto tcp/udp from any to any port = nfsd keep state pass out quick on hme0 proto tcp/udp from any to any port = nfsd keep state pass in quick on hme0 proto tcp from any to any port = ftp keep state pass in quick on hme0 proto tcp from any to any port = ftp-data keep state pass out quick on hme0 proto tcp from any to any port = ftp keep state pass out quick on hme0 proto tcp from any to any port = ftp-data keep state
# 運用管理/部門管理/業務サーバ共通の必須設定 # 自サーバ内通信の許可 # "lo0"は、ループバックデバイス名 pass in quick on lo0 all pass out quick on lo0 all # すべての通信を拒否する設定 # はじめにすべての通信を拒否してから、使用するポートの設定を行います。 # 以下の2行を削除すると、すべての通信が許可されます。 block in log on hme0 all block out log on hme0 all # ICMP通信の許可 pass in quick on hme0 proto icmp all keep state pass out quick on hme0 proto icmp all keep state # 業務サーバの必須ポート pass in quick on hme0 proto tcp from any to any port = 9294 keep state pass out quick on hme0 proto tcp from any to any port = 9294 keep state pass in quick on hme0 proto tcp from any to any port = 5968 keep state pass in quick on hme0 proto tcp from any to any port = 5967 keep state pass in quick on hme0 proto tcp from any to any port = 4013 keep state # 以下より、使用機能により選択が可能。 # 使用しない機能の場合は、先頭行に"#"を追加し、コメントアウトをすること # ノードの自動検出/MIBしきい値監視/稼働状態の表示/DHCP監視 # 性能監視、性能情報の表示で使用するSNMPポートの設定 pass in quick on hme0 proto udp from any to any port = 161 keep state pass out quick on hme0 proto udp from any to any port = 161 keep state # SNMPトラップの監視のための設定 pass out quick on hme0 proto udp from any to any port = 162 keep state # サーバへの資源配付を行うための設定 pass in quick on hme0 proto tcp from any to any port = 9324 keep state pass out quick on hme0 proto tcp from any to any port = 9324 keep state # クライアントへの資源配付および資源配付GUIの接続のための設定 pass in quick on hme0 proto tcp from any to any port = 9231 keep state # HTTP通信を用いたサーバへの資源配付を使用するための設定 pass in quick on hme0 proto tcp from any to any port = 9394 keep state pass out quick on hme0 proto tcp from any to any port = 9394 keep state # HTTP通信を用いたクライアントへの資源配付を使用するための設定 pass in quick on hme0 proto tcp from any to any port = 9393 keep state # HTTPS通信を用いたサーバへの資源配付を使用するための設定 pass in quick on hme0 proto tcp from any to any port = 9398 keep state pass out quick on hme0 proto tcp from any to any port = 9398 keep state # HTTPS通信を用いたクライアントへの資源配付を使用するための設定 pass in quick on hme0 proto tcp from any to any port = 9399 keep state # 強制配付機能を使用するための設定 pass in quick on hme0 proto tcp from any to any port = 4098 keep state # イベント監視定義GUIを接続するための設定 pass in quick on hme0 proto tcp from any to any port = 9345 keep state pass in quick on hme0 proto tcp from any to any port = 9371 keep state # アプリケーションの稼働/性能監視、および操作を行うための設定 pass in quick on hme0 proto tcp from any to any port = 2425 keep state pass out quick on hme0 proto tcp from any to any port = 2425 keep state # リモートコマンドを利用するための設定 pass in quick on hme0 proto udp from any to any port = 9294 keep state pass out quick on hme0 proto udp from any to any port = 9294 keep state # サーバの電源投入・切断を行うための設定 pass in quick on hme0 proto tcp from any to any port = 9373 keep state # 自動アクションを行うための設定 pass out quick on hme0 proto tcp from any to any port = 6961 keep state pass in quick on hme0 proto tcp from any to any port = 9369 keep state pass in quick on hme0 proto tcp from any to any port = 9370 keep state # 監査ログ管理を行うための設定 # 修正の配付を行うための設定 pass out quick on hme0 proto tcp from any to any port = 1105 keep state pass in quick on hme0 proto tcp from any to any port = 1105 keep state # 以下の9371/tcpポートは、イベント監視GUIと共通 #pass in quick on hme0 proto tcp from any to any port = 9371 keep state # その他業務で必要な設定を追記してください。 pass in quick on hme0 proto tcp from any to any port = 23 keep state pass out quick on hme0 proto tcp from any to any port = 23 keep state pass in quick on hme0 proto tcp/udp from any to any port = nfsd keep state pass out quick on hme0 proto tcp/udp from any to any port = nfsd keep state pass in quick on hme0 proto tcp from any to any port = ftp keep state pass in quick on hme0 proto tcp from any to any port = ftp-data keep state pass out quick on hme0 proto tcp from any to any port = ftp keep state pass out quick on hme0 proto tcp from any to any port = ftp-data keep state
|
目次
索引
|