Systemwalker Centric Manager Installation Guide
FUJITSU Software

4.8.3 Firewall Function Configuration Examples

Examples of firewall function settings for the section management server and the business server are shown below.

These settings were created under the following conditions.

The basic rule format is as follows.

pass|block in|out [on interface-name] from *** to *** [options]

pass/block:

Allows/denies the specified communication.

in/out:

Specifies received/sent packets.

on interface-name:

Specifies the interface name (for example hme0 or lo0).

from ***:

Specifies the communication source.

to ***:

Specifies the communication destination.

Options:

Used to specify a particular port number or a protocol (tcp, udp, and so on).

For anything beyond this, refer to the OS manual. The examples below also use the "quick", "log" and "keep state" keywords. Without "quick", IP Filter applies the last rule that matches a packet; that is why the default-deny "block" lines are written without "quick" and every "pass" rule that must win over them carries "quick". A "pass" rule written without "quick" and placed before the "block" lines would be overridden by them.

Firewall function configuration example (section management server)

IPv4

# Required settings common to the operation management, section management and business servers
# Allow communication within the local server
# "lo0" is the loopback device name
pass in quick on lo0 all
pass out quick on lo0 all

# Settings that deny all communication
# First deny all communication, then configure the ports that are used.
# Deleting the following two lines allows all communication (IP Filter passes a packet that matches no rule).
block in log on hme0 all
block out log on hme0 all

# Allow ICMP communication
pass in quick on hme0 proto icmp all keep state
pass out quick on hme0 proto icmp all keep state

# Required ports for the section management server
pass in quick on hme0 proto tcp from any to any port = 9294 keep state
pass out quick on hme0 proto tcp from any to any port = 9294 keep state
pass out quick on hme0 proto tcp from any to any port = 5968 keep state
pass in quick on hme0 proto tcp from any to any port = 5967 keep state
pass in quick on hme0 proto tcp from any to any port = 5968 keep state
pass in quick on hme0 proto tcp from any to any port = 4013 keep state

# The rules from here on are selected according to the functions used.
# For a function that is not used, add "#" at the start of its lines to comment them out.


# SNMP port settings used for node auto-detection, MIB threshold monitoring,
# operating status monitoring, DHCP monitoring, performance monitoring and performance information display
pass in quick on hme0 proto udp from any to any port = 161 keep state
pass out quick on hme0 proto udp from any to any port = 161 keep state

# Settings for SNMP trap monitoring
pass in quick on hme0 proto udp from any to any port = 162 keep state
pass out quick on hme0 proto udp from any to any port = 162 keep state

# Settings for when MIB threshold monitoring is performed and a section management server exists
pass in quick on hme0 proto tcp from any to any port = 5971 keep state
pass out quick on hme0 proto tcp from any to any port = 5971 keep state

# Settings for distributing resources to servers
pass in quick on hme0 proto tcp from any to any port = 9324 keep state
pass out quick on hme0 proto tcp from any to any port = 9324 keep state

# Settings for distributing resources to clients and for connecting the resource distribution GUI
pass in quick on hme0 proto tcp from any to any port = 9231 keep state

# Settings for using resource distribution to servers over HTTP
pass in quick on hme0 proto tcp from any to any port = 9394 keep state
pass out quick on hme0 proto tcp from any to any port = 9394 keep state

# Settings for using resource distribution to clients over HTTP
pass in quick on hme0 proto tcp from any to any port = 9393 keep state

# Settings for using resource distribution to servers over HTTPS
pass in quick on hme0 proto tcp from any to any port = 9398 keep state
pass out quick on hme0 proto tcp from any to any port = 9398 keep state

# Settings for using resource distribution to clients over HTTPS
pass in quick on hme0 proto tcp from any to any port = 9399 keep state

# Settings for using the forced distribution function
pass in quick on hme0 proto tcp from any to any port = 4098 keep state

# Settings for connecting the event monitoring definition GUI
pass in quick on hme0 proto tcp from any to any port = 9345 keep state
pass in quick on hme0 proto tcp from any to any port = 9371 keep state

# Settings for performance monitoring and performance information display
# When using this function, also configure 161/udp
pass in quick on hme0 proto tcp from any to any port = 2750 keep state
pass out quick on hme0 proto tcp from any to any port = 2750 keep state

# Settings for application operation/performance monitoring and operations
pass in quick on hme0 proto tcp from any to any port = 2425 keep state
pass out quick on hme0 proto tcp from any to any port = 2425 keep state

# Settings for using remote commands
pass in quick on hme0 proto udp from any to any port = 9294 keep state
pass out quick on hme0 proto udp from any to any port = 9294 keep state

# Settings for powering servers on and off
pass in quick on hme0 proto tcp from any to any port = 9373 keep state

# Settings for automatic actions
pass out quick on hme0 proto tcp from any to any port = 6961 keep state
pass in quick on hme0 proto tcp from any to any port = 9369 keep state
pass in quick on hme0 proto tcp from any to any port = 9370 keep state

# Settings for audit log management
# Settings for distributing corrections (fixes)
pass out quick on hme0 proto tcp from any to any port = 1105 keep state
pass in quick on hme0 proto tcp from any to any port = 1105 keep state

# The 9371/tcp port below is shared with the event monitoring GUI
#pass in quick on hme0 proto tcp from any to any port = 9371 keep state

# Add any other settings your operations require. The rules below are examples.
# Note: telnet (23/tcp) and FTP are cleartext protocols; restrict their source addresses
# or replace them with encrypted alternatives as your site policy requires.
pass in quick on hme0 proto tcp from any to any port = 23 keep state
pass out quick on hme0 proto tcp from any to any port = 23 keep state
pass in quick on hme0 proto tcp/udp from any to any port = nfsd keep state
pass out quick on hme0 proto tcp/udp from any to any port = nfsd keep state
pass in quick on hme0 proto tcp from any to any port = ftp keep state
pass in quick on hme0 proto tcp from any to any port = ftp-data keep state
pass out quick on hme0 proto tcp from any to any port = ftp keep state
pass out quick on hme0 proto tcp from any to any port = ftp-data keep state

IPv6

# Required settings common to the operation management, section management and business servers
# Allow communication within the local server
# "lo0" is the loopback device name
pass in quick on lo0 all
pass out quick on lo0 all

# Settings that deny all communication
# First deny all communication, then configure the ports that are used.
# Deleting the following two lines allows all communication (IP Filter passes a packet that matches no rule).
block in log on hme0 all
block out log on hme0 all

# Allow ICMPv6 communication
pass in quick on hme0 proto ipv6-icmp all
pass out quick on hme0 proto ipv6-icmp all

# Required ports for the section management server
pass in quick on hme0 proto tcp from any to any port = 9294 keep state
pass out quick on hme0 proto tcp from any to any port = 9294 keep state
pass out quick on hme0 proto tcp from any to any port = 5968 keep state
pass in quick on hme0 proto tcp from any to any port = 5967 keep state
pass in quick on hme0 proto tcp from any to any port = 5968 keep state
pass in quick on hme0 proto tcp from any to any port = 4013 keep state

# The rules from here on are selected according to the functions used.
# For a function that is not used, add "#" at the start of its lines to comment them out.


# SNMP port settings used for node auto-detection, MIB threshold monitoring,
# operating status monitoring, DHCP monitoring, performance monitoring and performance information display
pass in quick on hme0 proto udp from any to any port = 161 keep state
pass out quick on hme0 proto udp from any to any port = 161 keep state

# Settings for SNMP trap monitoring
pass in quick on hme0 proto udp from any to any port = 162 keep state
pass out quick on hme0 proto udp from any to any port = 162 keep state

# Settings for when MIB threshold monitoring is performed and a section management server exists
pass in quick on hme0 proto tcp from any to any port = 5971 keep state
pass out quick on hme0 proto tcp from any to any port = 5971 keep state

# Settings for distributing resources to servers
pass in quick on hme0 proto tcp from any to any port = 9324 keep state
pass out quick on hme0 proto tcp from any to any port = 9324 keep state

# Settings for distributing resources to clients and for connecting the resource distribution GUI
pass in quick on hme0 proto tcp from any to any port = 9231 keep state

# Settings for using resource distribution to servers over HTTP
pass in quick on hme0 proto tcp from any to any port = 9394 keep state
pass out quick on hme0 proto tcp from any to any port = 9394 keep state

# Settings for using resource distribution to clients over HTTP
pass in quick on hme0 proto tcp from any to any port = 9393 keep state

# Settings for using resource distribution to servers over HTTPS
pass in quick on hme0 proto tcp from any to any port = 9398 keep state
pass out quick on hme0 proto tcp from any to any port = 9398 keep state

# Settings for using resource distribution to clients over HTTPS
pass in quick on hme0 proto tcp from any to any port = 9399 keep state

# Settings for using the forced distribution function
pass in quick on hme0 proto tcp from any to any port = 4098 keep state

# Settings for connecting the event monitoring definition GUI
pass in quick on hme0 proto tcp from any to any port = 9345 keep state
pass in quick on hme0 proto tcp from any to any port = 9371 keep state

# Settings for performance monitoring and performance information display
# When using this function, also configure 161/udp
pass in quick on hme0 proto tcp from any to any port = 2750 keep state
pass out quick on hme0 proto tcp from any to any port = 2750 keep state

# Settings for application operation/performance monitoring and operations
pass in quick on hme0 proto tcp from any to any port = 2425 keep state
pass out quick on hme0 proto tcp from any to any port = 2425 keep state

# Settings for using remote commands
pass in quick on hme0 proto udp from any to any port = 9294 keep state
pass out quick on hme0 proto udp from any to any port = 9294 keep state

# Settings for powering servers on and off
pass in quick on hme0 proto tcp from any to any port = 9373 keep state

# Settings for automatic actions
pass out quick on hme0 proto tcp from any to any port = 6961 keep state
pass in quick on hme0 proto tcp from any to any port = 9369 keep state
pass in quick on hme0 proto tcp from any to any port = 9370 keep state

# Settings for audit log management
# Settings for distributing corrections (fixes)
pass out quick on hme0 proto tcp from any to any port = 1105 keep state
pass in quick on hme0 proto tcp from any to any port = 1105 keep state

# The 9371/tcp port below is shared with the event monitoring GUI
#pass in quick on hme0 proto tcp from any to any port = 9371 keep state

# Add any other settings your operations require. The rules below are examples.
# Note: telnet (23/tcp) and FTP are cleartext protocols; restrict their source addresses
# or replace them with encrypted alternatives as your site policy requires.
pass in quick on hme0 proto tcp from any to any port = 23 keep state
pass out quick on hme0 proto tcp from any to any port = 23 keep state
pass in quick on hme0 proto tcp/udp from any to any port = nfsd keep state
pass out quick on hme0 proto tcp/udp from any to any port = nfsd keep state
pass in quick on hme0 proto tcp from any to any port = ftp keep state
pass in quick on hme0 proto tcp from any to any port = ftp-data keep state
pass out quick on hme0 proto tcp from any to any port = ftp keep state
pass out quick on hme0 proto tcp from any to any port = ftp-data keep state

Firewall function configuration example (business server)

IPv4

# Required settings common to the operation management, section management and business servers
# Allow communication within the local server
# "lo0" is the loopback device name
pass in quick on lo0 all
pass out quick on lo0 all

# Settings that deny all communication
# First deny all communication, then configure the ports that are used.
# Deleting the following two lines allows all communication (IP Filter passes a packet that matches no rule).
block in log on hme0 all
block out log on hme0 all

# Allow ICMP communication
pass in quick on hme0 proto icmp all keep state
pass out quick on hme0 proto icmp all keep state

# Required ports for the business server
pass in quick on hme0 proto tcp from any to any port = 9294 keep state
pass out quick on hme0 proto tcp from any to any port = 9294 keep state
pass in quick on hme0 proto tcp from any to any port = 5968 keep state
pass in quick on hme0 proto tcp from any to any port = 5967 keep state
pass in quick on hme0 proto tcp from any to any port = 4013 keep state

# The rules from here on are selected according to the functions used.
# For a function that is not used, add "#" at the start of its lines to comment them out.


# SNMP port settings used for node auto-detection, MIB threshold monitoring,
# operating status display, DHCP monitoring, performance monitoring and performance information display
pass in quick on hme0 proto udp from any to any port = 161 keep state
pass out quick on hme0 proto udp from any to any port = 161 keep state

# Settings for SNMP trap monitoring
pass out quick on hme0 proto udp from any to any port = 162 keep state

# Settings for distributing resources to servers
pass in quick on hme0 proto tcp from any to any port = 9324 keep state
pass out quick on hme0 proto tcp from any to any port = 9324 keep state

# Settings for distributing resources to clients and for connecting the resource distribution GUI
pass in quick on hme0 proto tcp from any to any port = 9231 keep state

# Settings for using resource distribution to servers over HTTP
pass in quick on hme0 proto tcp from any to any port = 9394 keep state
pass out quick on hme0 proto tcp from any to any port = 9394 keep state

# Settings for using resource distribution to clients over HTTP
pass in quick on hme0 proto tcp from any to any port = 9393 keep state

# Settings for using resource distribution to servers over HTTPS
pass in quick on hme0 proto tcp from any to any port = 9398 keep state
pass out quick on hme0 proto tcp from any to any port = 9398 keep state

# Settings for using resource distribution to clients over HTTPS
pass in quick on hme0 proto tcp from any to any port = 9399 keep state

# Settings for using the forced distribution function
pass in quick on hme0 proto tcp from any to any port = 4098 keep state

# Settings for connecting the event monitoring definition GUI
pass in quick on hme0 proto tcp from any to any port = 9345 keep state
pass in quick on hme0 proto tcp from any to any port = 9371 keep state

# Settings for application operation/performance monitoring and operations
pass in quick on hme0 proto tcp from any to any port = 2425 keep state
pass out quick on hme0 proto tcp from any to any port = 2425 keep state

# Settings for using remote commands
pass in quick on hme0 proto udp from any to any port = 9294 keep state
pass out quick on hme0 proto udp from any to any port = 9294 keep state

# Settings for powering servers on and off
pass in quick on hme0 proto tcp from any to any port = 9373 keep state

# Settings for automatic actions
pass out quick on hme0 proto tcp from any to any port = 6961 keep state
pass in quick on hme0 proto tcp from any to any port = 9369 keep state
pass in quick on hme0 proto tcp from any to any port = 9370 keep state

# Settings for audit log management
# Settings for distributing corrections (fixes)
pass out quick on hme0 proto tcp from any to any port = 1105 keep state
pass in quick on hme0 proto tcp from any to any port = 1105 keep state

# The 9371/tcp port below is shared with the event monitoring GUI
#pass in quick on hme0 proto tcp from any to any port = 9371 keep state

# Add any other settings your operations require. The rules below are examples.
# Note: telnet (23/tcp) and FTP are cleartext protocols; restrict their source addresses
# or replace them with encrypted alternatives as your site policy requires.
pass in quick on hme0 proto tcp from any to any port = 23 keep state
pass out quick on hme0 proto tcp from any to any port = 23 keep state
pass in quick on hme0 proto tcp/udp from any to any port = nfsd keep state
pass out quick on hme0 proto tcp/udp from any to any port = nfsd keep state
pass in quick on hme0 proto tcp from any to any port = ftp keep state
pass in quick on hme0 proto tcp from any to any port = ftp-data keep state
pass out quick on hme0 proto tcp from any to any port = ftp keep state
pass out quick on hme0 proto tcp from any to any port = ftp-data keep state

IPv6

# Required settings common to the operation management, section management and business servers
# Allow communication within the local server
# "lo0" is the loopback device name
pass in quick on lo0 all
pass out quick on lo0 all

# Settings that deny all communication
# First deny all communication, then configure the ports that are used.
# Deleting the following two lines allows all communication (IP Filter passes a packet that matches no rule).
block in log on hme0 all
block out log on hme0 all

# Allow ICMPv6 communication
pass in quick on hme0 proto ipv6-icmp all
pass out quick on hme0 proto ipv6-icmp all

# Required ports for the business server
pass in quick on hme0 proto tcp from any to any port = 9294 keep state
pass out quick on hme0 proto tcp from any to any port = 9294 keep state
pass in quick on hme0 proto tcp from any to any port = 5968 keep state
pass in quick on hme0 proto tcp from any to any port = 5967 keep state
pass in quick on hme0 proto tcp from any to any port = 4013 keep state

# The rules from here on are selected according to the functions used.
# For a function that is not used, add "#" at the start of its lines to comment them out.


# SNMP port settings used for node auto-detection, MIB threshold monitoring,
# operating status display, DHCP monitoring, performance monitoring and performance information display
pass in quick on hme0 proto udp from any to any port = 161 keep state
pass out quick on hme0 proto udp from any to any port = 161 keep state

# Settings for SNMP trap monitoring
pass out quick on hme0 proto udp from any to any port = 162 keep state

# Settings for distributing resources to servers
pass in quick on hme0 proto tcp from any to any port = 9324 keep state
pass out quick on hme0 proto tcp from any to any port = 9324 keep state

# Settings for distributing resources to clients and for connecting the resource distribution GUI
pass in quick on hme0 proto tcp from any to any port = 9231 keep state

# Settings for using resource distribution to servers over HTTP
pass in quick on hme0 proto tcp from any to any port = 9394 keep state
pass out quick on hme0 proto tcp from any to any port = 9394 keep state

# Settings for using resource distribution to clients over HTTP
pass in quick on hme0 proto tcp from any to any port = 9393 keep state

# Settings for using resource distribution to servers over HTTPS
pass in quick on hme0 proto tcp from any to any port = 9398 keep state
pass out quick on hme0 proto tcp from any to any port = 9398 keep state

# Settings for using resource distribution to clients over HTTPS
pass in quick on hme0 proto tcp from any to any port = 9399 keep state

# Settings for using the forced distribution function
pass in quick on hme0 proto tcp from any to any port = 4098 keep state

# Settings for connecting the event monitoring definition GUI
pass in quick on hme0 proto tcp from any to any port = 9345 keep state
pass in quick on hme0 proto tcp from any to any port = 9371 keep state

# Settings for application operation/performance monitoring and operations
pass in quick on hme0 proto tcp from any to any port = 2425 keep state
pass out quick on hme0 proto tcp from any to any port = 2425 keep state

# Settings for using remote commands
pass in quick on hme0 proto udp from any to any port = 9294 keep state
pass out quick on hme0 proto udp from any to any port = 9294 keep state

# Settings for powering servers on and off
pass in quick on hme0 proto tcp from any to any port = 9373 keep state

# Settings for automatic actions
pass out quick on hme0 proto tcp from any to any port = 6961 keep state
pass in quick on hme0 proto tcp from any to any port = 9369 keep state
pass in quick on hme0 proto tcp from any to any port = 9370 keep state

# Settings for audit log management
# Settings for distributing corrections (fixes)
pass out quick on hme0 proto tcp from any to any port = 1105 keep state
pass in quick on hme0 proto tcp from any to any port = 1105 keep state

# The 9371/tcp port below is shared with the event monitoring GUI
#pass in quick on hme0 proto tcp from any to any port = 9371 keep state

# Add any other settings your operations require. The rules below are examples.
# Note: telnet (23/tcp) and FTP are cleartext protocols; restrict their source addresses
# or replace them with encrypted alternatives as your site policy requires.
pass in quick on hme0 proto tcp from any to any port = 23 keep state
pass out quick on hme0 proto tcp from any to any port = 23 keep state
pass in quick on hme0 proto tcp/udp from any to any port = nfsd keep state
pass out quick on hme0 proto tcp/udp from any to any port = nfsd keep state
pass in quick on hme0 proto tcp from any to any port = ftp keep state
pass in quick on hme0 proto tcp from any to any port = ftp-data keep state
pass out quick on hme0 proto tcp from any to any port = ftp keep state
pass out quick on hme0 proto tcp from any to any port = ftp-data keep state
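The script below is an added example written for this page; it is not part of Systemwalker Centric Manager or its manual. It audits a rule file written in the IP Filter syntax described at the top of this section, for either the section management server or the business server rule set above: it checks that the default-deny "block ... all" pair is present, reports any "pass" rule that lacks "quick" and sits before the block lines (which IP Filter's last-match evaluation would override), lists the inbound ports that are effectively open, compares them with a required-port list, and flags the cleartext services (telnet, FTP) used in the "other settings" section. The embedded rule text is a constructed, trimmed copy of the section management server rules with one deliberately defective line (a hypothetical 8080/tcp rule without "quick"); the /etc/services subset and the cleartext list are assumptions for the example.

```python
"""Offline audit of an IP Filter (ipf) rule set in the format used on this page."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (not from the product): a trimmed copy of the section
# management server rules, plus one deliberate defect on line 3: a pass rule
# without "quick" placed before the default-deny block. ipf uses last-match
# semantics, so the later "block in ... all" overrides it.
SAMPLE_RULES = """\
pass in quick on lo0 all
pass out quick on lo0 all
pass in on hme0 proto tcp from any to any port = 8080 keep state
block in log on hme0 all
block out log on hme0 all
pass in quick on hme0 proto icmp all keep state
pass in quick on hme0 proto tcp from any to any port = 9294 keep state
pass in quick on hme0 proto tcp from any to any port = 5967 keep state
pass in quick on hme0 proto tcp from any to any port = 5968 keep state
pass in quick on hme0 proto tcp from any to any port = 4013 keep state
pass in quick on hme0 proto udp from any to any port = 161 keep state
pass in quick on hme0 proto tcp from any to any port = 23 keep state
pass in quick on hme0 proto tcp from any to any port = ftp keep state
pass in quick on hme0 proto tcp/udp from any to any port = nfsd keep state
"""

# Required inbound TCP ports of the section management server, as listed on this page.
SECTION_SERVER_REQUIRED_TCP_IN = frozenset({9294, 5967, 5968, 4013})
# Minimal /etc/services subset for the service names the page uses (assumption).
SERVICES = {"ftp": 21, "ftp-data": 20, "nfsd": 2049}
# Cleartext services worth flagging (assumption: site policy wants them reviewed).
CLEARTEXT_TCP = {21: "ftp", 23: "telnet"}

# ipf rule grammar subset: action, direction, [log], [quick], [on iface],
# [proto X], then either "all" or "from A to B [port = P]", then [keep state].
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+\S+\s+to\s+\S+(?:\s+port\s*=\s*(?P<port>\S+))?)"
    r"(?P<keep>\s+keep\s+state)?\s*$"
)


@dataclass
class Rule:
    lineno: int
    action: str
    direction: str
    quick: bool
    iface: Optional[str]
    protos: tuple          # ("tcp", "udp") for "proto tcp/udp", () if unspecified
    port: Optional[int]    # resolved through SERVICES when given by name
    keep_state: bool


def is_valid_rule(line: str) -> bool:
    """True if the line matches the grammar subset (e.g. it has "all" or "from ... to ...")."""
    return RULE_RE.match(line.strip()) is not None


def parse_rules(text: str) -> list:
    """Parse non-comment lines; raise ValueError on a line the grammar rejects."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a valid ipf rule: {line!r}")
        port = m.group("port")
        if port is not None:
            port = int(port) if port.isdigit() else SERVICES[port]
        protos = tuple(m.group("proto").split("/")) if m.group("proto") else ()
        rules.append(Rule(n, m.group("action"), m.group("dir"), bool(m.group("quick")),
                          m.group("iface"), protos, port, bool(m.group("keep"))))
    return rules


def audit(text: str, iface: str = "hme0",
          required_tcp_in=SECTION_SERVER_REQUIRED_TCP_IN) -> dict:
    """Check default deny, shadowed pass rules, open inbound ports and cleartext services."""
    ext = [r for r in parse_rules(text) if r.iface == iface]
    deny_idx = {}                      # direction -> index of its first "block ... all"
    for i, r in enumerate(ext):
        if r.action == "block" and not r.protos and r.port is None:
            deny_idx.setdefault(r.direction, i)
    # A non-quick pass before the default-deny block loses to it under last-match.
    shadowed = {r.lineno for i, r in enumerate(ext)
                if r.action == "pass" and not r.quick
                and r.direction in deny_idx and i < deny_idx[r.direction]}
    open_in = {"tcp": set(), "udp": set()}
    for r in ext:
        if (r.action == "pass" and r.direction == "in" and r.port is not None
                and r.lineno not in shadowed):
            for p in r.protos:
                open_in.setdefault(p, set()).add(r.port)
    return {
        "default_deny": set(deny_idx) >= {"in", "out"},
        "shadowed": sorted(shadowed),
        "inbound_open": {p: sorted(s) for p, s in open_in.items()},
        "missing_required": sorted(set(required_tcp_in) - open_in["tcp"]),
        "cleartext": sorted((p, CLEARTEXT_TCP[p]) for p in open_in["tcp"] if p in CLEARTEXT_TCP),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

To audit a real file, read /etc/ipf/ipf.conf (or the IPv6 file) into a string in place of SAMPLE_RULES and pass the required-port set for the server role being checked; for the business server, the required inbound TCP ports from this page are 9294, 5967, 5968 and 4013, and any of the optional function ports can be added to that set when the function is in use.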