			  ǽʹŷ - HOWTO

		     : Mark Grennan, markg@netplus.net

		      : ƽ tchao@worldnet.att.net

			      v0.4, 1996118



				   Abstract

     v0.4,
     1996118գƪҪ˵ǽϵͳĸֻʾLinuxΪĸ˵ϰװΪ֮õķǽʹŷϸ衣ļHTML汾http://okcforum.org/~markg/Firewall-HOWTO.html



1.  

ƪǽ - HOWTODavid Rudder
drig@execpc.comƷԭݣԴл
һ, ǽFirewall·İȫŻ⡣ŻһҲͬʱ˶⡣ƪHOWTO̽ʲǷǽΰװνŷProxy Server趨ŷԼЩڰȫӦá

1.1  ߻Ӧ

ƪκδ, ֪ͨҡ˷ʥ, ޹!
κδҶڸҶ跨ظ, ൱æ,
ûյҵĻţŵַmarkg@netplus.net

κ֪֮ͨߣƽtchao@worldnet.att.net)

1.2  

ҲκձΪɵ𺦸κ(I AM NOT RESPONSIBLE FOR ANY
DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS DOCUMENT)
ƪֻܷǽʹŷáҪ֪Ҳǵ԰ȫרңҲûװⷽרҡֻǸϲ飬ҰʤļһϣƪܰϤ,
֤ݾ

1.3  Ȩ

 (עðȨ治)"

Unless otherwise stated, Linux HOWTO documents are copyrighted by their respec
tive authors. Linux HOWTO documents may be reproduced and distributed in whole
or in part, in any medium physical or electronic, as long as this copyright
notice is retained on all copies. Commercial redistribution is allowed and
encouraged; however, the author would like to be notified of any such
distributions.

ǽʹŷ - HOWTO						      1

All translations, derivative works, or aggregate works incorporating any Linux
HOWTO documents must be covered under this copyright notice. That is, you may
not produce a derivative work from a HOWTO and impose additional restrictions
on its distribution. Exceptions to these rules may be granted under certain
conditions; please contact the Linux HOWTO coordinator.

In short, we wish to promote dissemination of this information through as many
channels as possible. However, we do wish to retain copyright on the HOWTO doc
uments, and would like to be notified of any plans to redistribute the HOWTOs.

If you have any questions, please contact Mark Grennan at <markg@netplus.net>.

1.4  дƪµĶ

ȥcomp.os.linuxڷǽۣҷֺҵ趨ǽϡƪHOWTOԭȰ汾ṩһЩӲ㡣ҸDavid RudderдFirewall HOWTOϣƪṩ㹻ϣʹڼСʱھ趨һķǽҪ֮á
ҲΪӦԾرLinuxѡ

1.5  дɵĹ

    ָ趨ͻ

    ѰLinuxUDPŷ

1.6  

    NET-2 HOWTO

    Ethernet HOWTO

    Multiple Ethernet Mini HOWTO

    Linux

     PPP HOWTO

    O'Reilly and AssociatesTCP/IP Network Administrator's Guide

    TIS Firewall Toolkitļ

Trusted Information System (TIS)
ַռйطǽļزϡhttp://www.tis.com/

⣬ҲڴһΪLinuxȫSecure LinuxĿSecure Linuxַϣռʹ


2.  ʲôǷǽ

ǽһơУ÷ǽѳ˿ͺԱһ𣬷ǽܱ˿Ͱȫͬʱ˾档

ڵУǽһװãʹ·ܹ֣·Ӱ졣
ᣬнǽԳΪǽͬʱܵ··ˡܵ·޷ӵ··Ҳ޷ӵܵ·
Ҫܵ·ڲӵ·͵telnetǽȻӷǽ· 򵥵ķǽdual homedϵͳ·ϵͳûֻҪװһ̨Linux趨ʱIP forwarding/gatewaying ΪOFFÿһʻܵ¼һϵͳʹtelnetFTPĶӺʹṩκ񡣸ãһ·ΨһϵĵԱǽ·еҪһõ·
Ҫٴ˵Ҫʹǽãͱûҿɲô顣

2.1  ǽȱ

ڹ֮õķǽַǽ··ֻͨ˷ǽȡùܡдŷ£ûɵ¼ǽȻ˽·ڵκϵͳ
⣬Ŀǰÿ춼ͿͻŷСˣҪµķ·ܵЩܡ

2.2  ǽ

ǽ֡

  1.  IP˷ǽ - һЩ·赲һܡ

  2.  ŷ - ·ᡣ

2.2.1  IP˷ǽ

IP˷ǽݰһ㹤㡢յ㡢źÿһݰݰϢݰ
ַǽǳȫȱõĵ¼¼赲˽·Ҳ˽Ĺϵͳ˴ڲ·
˷ǽǾԵĹϵͳʹҪһЩ˽˽ŷҲ޷ÿһ˽ŷ
Linux1.3.x濪ʼںаݰ

2.2.2  ŷ

ŷͨǽӽ·õtelnetϵͳȻӸôtelnetһϵͳдŷϵͳУȫԶÿͻӴŷᣬŷĿͻȻᴫݡ
ڴŷظͨѶܹ¼неĹ
ֻҪȷŷ;԰ȫȡ֮赲κ˽룬ΪûֱӵIPͨ·


3.  ÷ǽ

3.1  Ӳ


ڡУõĵһ486-DX66оƬ16Mڴ500M
Linuxָϵͳڻװ·һ˽·һŽӵһΪǾ·עָ·Ǿ·ϣһӵ··router
üΪһһ̨ݻͨPPPӵ·ؼ֮ǷǽϱIP롣
˼жС·̨Խһ𡣲԰ݻLinuxĵϣϾɵ386Ȼøƽķʽݻӵ·װãҪݣݻͬʱɼӱٶȡ


4.  ÷ǽ


4.1  еװ

ֻҪһ˷ǽֻҪLinuxͻ·͹ˡһܲʹõLinux汾УΪ
IP Firewall Administrationߡ (IPFWADM) ɴ
http://www.xos.nl/linux/ipfwadm/ȡá
ҪôŷҪһװ

  1.  SOCKS

  2.  TIS Firewall Toolkit (FWTK)

4.2  TIS Firewall Toolkit SOCKSĲ

Trusted Information System
(http://www.tis.com)ṩһϵԼ򻯰װǽĹ
ЩͬSOCKSͬƲԲͬSOCKSһִInternetйصĹTISÿһϣʹ÷ǽutilityṩһ
Ϊ˵֮Ĳͬworld wide webTelnetΪɣSOCKSУ趨һãconfigurationһdaemonᣬtelnetWWWܿʼͬʱûйرյĹҲܹTISУΪWWWtelnet趨Եconfigurationdaemon趨ᣬinternetĹ޷ãǶЩҲص趨ĳһܣtalkûdaemonȻ'plug-in' daemonãҲ趨
ƺС£ҴвSOCKSʱȽϿ⡣SOCKSŷò̫·ڲԵԭȲṩinternetܡʹTIS·ڲֻܵϵͳ߹涨Ĺܡ
SOCKS趨ڱ༭ԽϸߡҪܵ·ڵʹߣTISİȫԽϸߡ߶ṩ˾Ա޷롣
һ˵ߵİװ趨


5.  趨Linuxϵͳ

5.1  ༭ں

Linux汾°װLinuxϵͳRedHat 3.0.3ʵһ汾Ϊ׼ϵͳаװԽ٣ë©ҲԽ٣ΪЩë©ϵͳİȫ⣬ֻҪװõɡ
ѡһȶںˡҵϵͳLinux 2.0.14ںˡ ˣļںΪ
ʵѡoptions±༭ںˡ ǰûжKernel HOWTO Ethernet HOWTONET-2 HOWTOʱһЩHOWTO ڡmake config·йص趨

  1.  General setup

	1.  Networking Support ΪON

  2.  Networking Options

	1.  Network firewallsΪ ON

	2.  TCP/IP NetworkingΪ ON

	3.  IP forwarding/gatewayingΪ OFF ҪIPˣ

	4.  IP FirewallingΪON

	5.  IP firewall packet loggingΪ ONǱ裬˸ã

	6.  IP: masquerading ΪOFFķΧ

	7.  IP: accounting ΪON

	8.  IP: tunneling ΪOFF

	9.  IP: aliasing ΪOFF

       10.  IP: PC/TCP compatibility mode ΪOFF

       11.  IP: Reverse ARP ΪOFF

       12.  Drop source routed frames ΪON

  3.  Network device support

	1.  Network device support ΪON

	2.  Dummy net driver support ΪON

	3.  Ethernet (10 or 100Mbit) ΪON

	4.  ѡ·

±༭°װںˣ·Ӧʾʾûץ·HOWTOֱΪֹ

5.2  趨·

·Ҫ/etc/lilo.confһУ˵·IRQ͵ַҵĻУlilo.confӵһ¡

	 append='ether=12,0x300,eth0 ether=15,0x340,eth1'

5.3  趨Network Addresses

ⲿֱȽȤҵҪЩڲ··κβ֣·вҪʵʵַ·һЩַ·ʹãΪ·ܵҪַЩַҲ޷·ȫ֡˲ѡЩַ
ЩַУ192.168.2.xxxǱõĵַ˾Щַ˵

ڴŷͬʱ·ܾдߵݡ

		 199.1.2.10   __________    192.168.2.1
	  _  __  _	  \ |	      | /	  _______________
	| \/  \/ |	       \|	 |/	     |		  |
	  · \-------------| ǽ |-------------------| վ	   |
	  \_/\_/\_/\_/		|_________|	      |______________|


Ҫù˷ǽɿЩַʹIP masquerading趨ǽͻתݰӸʵʵIPַ·

··ˣˣ趨IPַ̫ڶΪ192.168.2.1̨Դ/صIPַܱ·ڵԾѡ192.168.2.xxxеκһΪַ192.168.2.2
192.168.2.254 RedHat Linux У /etc/sysconfig/network-scriptsĿ¼һifcfg-eth1Աʱͨ趨·routing ifcfg-eth1Ĳ趨¡

	 #!/bin/sh
	 #>>>Device type: ethernet
	 #>>>Variable declarations:
	 DEVICE=eth1
	 IPADDR=192.168.2.1
	 NETMASK=255.255.255.0
	 NETWORK=192.168.2.0
	 BROADCAST=192.168.2.255
	 GATEWAY=199.1.2.10
	 ONBOOT=yes
	 #>>>End variable declarations


ЩʹݻISPԶӡ ipup-ppp
ݻ·ӣISPʱָ˵IPַ

5.4  ·

Ӳifconfigrouteʼ·Ӧ

       #ifconfig
       lo	 Link encap:Local Loopback
		 inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
		 UP BROADCAST LOOPBACK RUNNING	MTU:3584  Metric:1
		 RX packets:1620 errors:0 dropped:0 overruns:0
		 TX packets:1620 errors:0 dropped:0 overruns:0

       eth0	 Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
		 inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
		 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
		 RX packets:0 errors:0 dropped:0 overruns:0
		 TX packets:0 errors:0 dropped:0 overruns:0
		 Interrupt:12 Base address:0x310

       eth1	 Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
		 inet addr:192.168.2.1	Bcast:192.168.2.255  Mask:255.255.255.0
		 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
		 RX packets:0 errors:0 dropped:0 overruns:0
		 TX packets:0 errors:0 dropped:0 overruns:0
		 Interrupt:15 Base address:0x350


route Ӧ¡

     #route -n
     Kernel routing table
     Destination   Gateway   Genmask	Flags  MSS  Window  Use  Iface
     199.1.2.0	   *	   255.255.255.0   U   1500   0      15 eth0
     192.168.2.0   *	   255.255.255.0   U   1500   0       0 eth1
     127.0.0.0	   *	   255.0.0.0	  U   3584   0	     2 lo
     default	  199.1.2.10   *	  UG  1500   0	     72 eth0

ע 199.1.2.0ڷǽ·ˣ192.168.2.0·һˡ
Դӷǽping·nic.ddn.mil㡣㻹ֻǲԤڵĿɿûϣping·ϵĵַϣPPP趨һԡٶһNet-2 HOWTOȻԡ
Ȼᣬӷǽping·ڵĵԡ·ڵĵӦping·ڵκһ̨ԡУٶNet-2 HOWTOһΡ
ӱ·pingǽĵַעò192.168.2.xxxκεַԣʾIP ForwardingĹûȡһǷԭȵĹ롣IP ForwardingĹܣͱŹ趨IP filteringĲ֡ Դӷǽping·ǰͨͬһַ磬nic.ddn.mil IP ForwardingѾȡͲӦͨûȡӦýͨ
豣IP Forwardingܣ·ʹʵʵIPַ192.168.2.*趨£޷ping·ܹping·ߵķǽ͵üһrouterзݰ͵·ĵַϡܵISP飩·ĵַΪ192.168.2.*κݰܴ͡ûЩ趨ʹIP masqueradingӦóɹ ˣ趨ɡ

5.5  ӹ̷ǽ

ͨǽûʹõĹܹǽַǽҲûʲôô
'' ܵǽҪ޸ģá ȹرвõĹܡȼ
/etc/inetd.confν'ŷ'ŷdaemonȻҪʱЩdaemon ȫȡnetstat systat tftp bootpfingerܡȡܵķǰ#Ϊеĸ趨ᣬ'kill -HUP <pid>'ִSIGHUP<pid>inetdĳšinetdٴζȡõinetd.confϵͳtelnet ԷǽĲţport15netstatĲšnetstatӦ·ϵͳûаҪȷش


6.  IP filtering (IPFWADM)

趨ں˵IP ForwardingܣϵͳӦʼתÿһϢ·routing tableӦ趨Ӧÿͨκεص㣬ڿ⣬Ҳɽڡ
Ƿǽǲκ˿·
ʾϵͳ趨ָscriptԷǽforwardingaccounting˹涨ϵͳ/etc/rc.dʱȡָϵͳʱͶϵͳá
LinuxںתһϢIP ForwardingϵͳˣǽָӦȽֹһнϵͳȨϴµκipfwָӦܴﵽĿġ

       #
       # setup IP packet Accounting and Forwarding
       #
       #   Forwarding
       #
       # By default DENY all services
       ipfwadm -F -p deny
       # Flush all commands
       ipfwadm -F -f
       ipfwadm -I -f
       ipfwadm -O -f


ˣ˾Այķǽһж棬޷ԽǽһȻЩܻҪģһЩӿο

       # Forward email to your server ת͵ʼŷ
       ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25

       # Forward email connections to outside email servers ýʼ·ĵʼŷ
       ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535

       # Forward Web connections to your Web ServerýWebWebŷ
       /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80

       # Forward Web connections to outside Web ServerýWebWebŷ
       /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.* 80 -D 0.0.0.0/0 1024:65535

       # Forward DNS trafficתDNSϢ
       /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24


֪ͨǽϢָͳݰ


       # Flush the current accounting rules
       ipfwadm -A -f
       # Accounting
       /sbin/ipfwadm -A -f
       /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
       /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
       /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
       /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24

ֻѵΪ˷ǽʹ󹦸ˣ
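The forwarding chain of this section, modelled in Python as an added example (this is not code from the HOWTO or from ipfwadm): rules are tried in order, the first match decides, -b also matches the reply direction, and the chain policy deny applies otherwise. The addresses are the page's own; 196.1.2.* is written as 196.1.2.0/24, and the packets are constructed for the test.

```python
"""Model of the ipfwadm forwarding chain in section 6 (added example, not the
HOWTO's own code): policy deny, every rule -b, 196.1.2.* written as 196.1.2.0/24."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    policy: str          # "accept" or "deny"
    proto: str           # "tcp", "udp" or "all"
    src: str             # ipfwadm -S network in CIDR form
    sports: object       # inclusive (low, high) port range, None = any port
    dst: str             # ipfwadm -D network
    dports: object
    bidir: bool = False  # ipfwadm -b: also match with source/destination swapped

def ports(spec):
    """Parse an ipfwadm port spec such as '25' or '1024:65535'."""
    if spec is None:
        return None
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi or lo))

def in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def matches_one_way(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and in_range(pkt.sport, rule.sports)
            and in_range(pkt.dport, rule.dports))

def matches(rule, pkt):
    if matches_one_way(rule, pkt):
        return True
    if rule.bidir:  # -b: the reply direction is matched by the same rule
        swapped = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return matches_one_way(rule, swapped)
    return False

def forward_verdict(rules, pkt, default="deny"):
    """First matching rule decides; otherwise the chain policy (-p deny) applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.policy
    return default

def accept_b(proto, src, sports, dst, dports):
    """ipfwadm -F -a accept -b -P proto -S src sports -D dst dports"""
    return Rule("accept", proto, src, ports(sports), dst, ports(dports), bidir=True)

# The five forwarding rules of section 6, in the order the script adds them.
FORWARD_CHAIN = [
    accept_b("tcp", "0.0.0.0/0", "1024:65535", "192.1.2.10/32", "25"),
    accept_b("tcp", "196.1.2.10/32", "25", "0.0.0.0/0", "1024:65535"),
    accept_b("tcp", "0.0.0.0/0", "1024:65535", "196.1.2.11/32", "80"),
    accept_b("tcp", "196.1.2.0/24", "80", "0.0.0.0/0", "1024:65535"),
    accept_b("udp", "0.0.0.0/0", "53", "196.1.2.0/24", None),
]

def verdict(proto, src, sport, dst, dport):
    """Run one constructed packet through the section 6 chain."""
    return forward_verdict(FORWARD_CHAIN, Packet(proto, src, sport, dst, dport))
```

With the rules exactly as the page gives them, the model accepts inbound SMTP and web connections and DNS traffic in both directions, but denies a connection from 196.1.2.10 to an outside port 25: the second rule carries port 25 on the -S side, so it matches connections to the local server's port 25 (both directions, via -b), not connections that server opens to outside mail servers.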


7.  װTISŷ

7.1  ȡ

TIS FWTKɴַõftp://ftp.tis.com/.
ǧסôTISᣬĶREADMETIS fwtkŷһĿ¼ڣҪʼfwtk-request@tis.com
SEND֪ܵصĿ¼֡Subjectڲκݡڻظĵʼڻ֪Ŀ¼֣ЧʱΪ12СʱøϿء
ڱдʱFWTK°汾Ϊ2.0beta˼Сط֮⣬汾ڱ༭ʱû⣬ʱҲ˴һ汾ΪᶨʱHOWTO װFWTKʱ
/usr/src½fwtk-2.0Ŀ¼FWTKfwtk-2.0.tar.gzĿ¼ڽѹtar zxf fwtk-2.0.tar.gz FWTK޴SSL·ļJean-Christophe TouvetдһЩϣɴftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Zȡá Eric Wedelд޶аʹNetscapeŷɴַȡáftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z Eric Wedelİ汾Ϊ
ҪװֻҪ/usr/src/fwtk-2.0Ŀ¼ڽһ ssl-gwĿ¼ĵмɡ
ڰװʱҪЩĶܽб༭ ȸıssl-gw.c©˱Ҫinclude

       #if defined(__linux)
       #include        <sys/ioctl.h>
       #endif


ΣҲûMakefileĿ¼һȻὫصָΪssl-gw

7.2  ༭TIS FWTK

汾2.0FWTKκһ汾ڱ༭ڱ༭ǰҪBETA汾һЩϣЩӸᶨС
޸ķ¡Ƚ/usr/src/fwtk/fwtkĿ¼Makefile.config.linuxԴ˵Makefile.config ҪFIXMAKEȻ˵нִ򡣵ƻÿһĿ¼еmakefile޸fixmakeķÿһMakefilesedָincludeӡ."ģް

       sed 's/^include[        ]*\([^  ].*\)/include \1/' $name.proto > $name


ȻҪ༭Makefile.configȵ޸ġ Makefile.configеsourceĿ¼ӦΪб༭/usr/srcFWTKSRCDIRӦӦĸı䡣

       FWTKSRCDIR=/usr/src/fwtk/fwtk


ЩLinuxϵͳʹgdbmݿ⡣Makefile.configʹdbm磬RedHat 3.0.3ʹdbmҪӦ

       DBMLIB=-lgdbm


Ҫx-gwBETAsocket.cебɾ

       #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
			    + sizeof(un_name->sun_len) + 1
       #endif


FWTKԴĿ¼ssl-gwMakefileĿ¼ҲҪssl-gw

       DIRS=   smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw


޸ᣬmake

7.3  װTIS FWTK

make install
ĬϵİװĿ¼/usr/local/etcԸĵӰȫɿĿ¼аװҲԲģҲɽȨΪchmod 700 ڿʼ趨ǽ

7.4  TIS FWTK

ãͱȽȤˣ趨ϵͳҪܵЩ¹ܣƱЩܡ
µ˵ΪҪдTIS FWTKʹֲᣬĿֻΪʾе趨ͽİ취
ĵЩcontrols

    /etc/services

	 ϵͳںβ


    /etc/inetd.conf

	 жʱinetdǸʽ


    /usr/local/etc/netperm-table

	 FWTKͬ;ܾû

ҪFWTKãӦױ༭Щ༭Щܵȷ趨 inetd.confnetperm-tableʹϵͳȫ޷á

7.4.1  netperm-table

ƺ˿ʹTIS FWTKĹܡӦ뵽ǽߵ·ûڽ·֮ǰӦȱݣ·ڲûֱͨ
ڱʱǽʹһΪauthsrvĳʽдûID롣netperm-tableеauthenticationֿһݿźδ˭ȡá
Ҫȡһܲףpermit-hostsһʹá*ÿ˶ȡһܡһеȷ趨Ӧǡauthsrv: permit-hosts localhostƺá

       #
       # Proxy configuration table  ŷñ
       #
       # Authentication server and client rules
       authsrv:     database /usr/local/etc/fw-authdb
       authsrv:     permit-hosts *
       authsrv:     badsleep 1200
       authsrv:     nobogus true
       # Client Applications using the Authentication server
       *:      authserver 127.0.0.1 114


Ҫݿ⣬root/var/local/etc./authsrvߵʹü¼ʵʲ¡
ĶFWTKĵ˽ûû顣

	 #
	 # authsrv
	 authsrv# list
	 authsrv# adduser admin 'Auth DB admin'
	 ok - user added initially disabled
	 authsrv# ena admin
	 enabled
	 authsrv# proto admin pass
	 changed
	 authsrv# pass admin 'plugh'
	 Password changed.
	 authsrv# superwiz admin
	 set wizard
	 authsrv# list
	 Report for users in database
	 user	group  longname 	  ok?	 proto	 last
	 ------ ------ ------------------ -----  ------  -----
	 admin	       Auth DB admin	  ena	 passw	 never
	 authsrv# display admin
	 Report for user admin (Auth DB admin)
	 Authentication protocol: password
	 Flags: WIZARD
	 authsrv# ^D
	 EOT
	 #


Telnetأtn-gwֱ˵Ӧ趨
磬ڱ·ڵûֱͨ(permit-hosts 196.1.2.* -passok)ûṩûIDſʹôŷ(permit-hosts * -auth)⣬һϵͳ(196.1.2.202)Ҳֱʹ÷ǽֻҪ趨netacl-in.telnetdݼɡ TelnettimeoutʱӦöݡ

       # telnet gateway rules:
       tn-gw:	    denial-msg	   /usr/local/etc/tn-deny.txt
       tn-gw:	    welcome-msg    /usr/local/etc/tn-welcome.txt
       tn-gw:	    help-msg  /usr/local/etc/tn-help.txt
       tn-gw:	    timeout 90
       tn-gw:	    permit-hosts 196.1.2.* -passok -xok
       tn-gw:	    permit-hosts * -auth
       # Only the Administrator can telnet directly to the Firewall via Port 24
       netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd


r-commandͬtelnetͬһʽ趨

       # rlogin gateway rules:
       rlogin-gw:   denial-msg	   /usr/local/etc/rlogin-deny.txt
       rlogin-gw:   welcome-msg    /usr/local/etc/rlogin-welcome.txt
       rlogin-gw:   help-msg  /usr/local/etc/rlogin-help.txt
       rlogin-gw:   timeout 90
       rlogin-gw:   permit-hosts 196.1.2.* -passok -xok
       rlogin-gw:   permit-hosts * -auth -xok
       # Only the Administrator can telnet directly to the Firewall via Port
       netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a


κ˾ֱӽǽаFTPˣҪFTPŷڷǽϡ
ߣpermit-hosts·ڵκɽ·ݡĸ͵յÿĵļ¼-log { retr stor } FTPtimeoutؿڶʱֹͣԽӣԼڶʱûжᣬԽӡ

       # ftp gateway rules:
       ftp-gw:	    denial-msg	   /usr/local/etc/ftp-deny.txt
       ftp-gw:	    welcome-msg    /usr/local/etc/ftp-welcome.txt
       ftp-gw:	    help-msg  /usr/local/etc/ftp-help.txt
       ftp-gw:	    timeout 300
       ftp-gw:	    permit-hosts 196.1.2.* -log { retr stor }
       ftp-gw:	    permit-hosts * -authall -log { retr stor }


ͨWWWgopherеftphttp-gwơнһĿ¼ڴ澭ɷǽftpWWWļڱУЩļ
rootУ˷ֻrootܹĿ¼ڡ
WWWӦöݡʹӲͨʱĵȴʱ䡣

       # www and gopher gateway rules:
       http-gw:     userid	   root
       http-gw:     directory /jail
       http-gw:     timeout 90
       http-gw:     default-httpd  www.afs.net
       http-gw:     hosts	   196.1.2.* -log { read write ftp }
       http-gw:     deny-hosts	   *


ssl-gwʵһκ˶ͨءӦ趨ڱУκα·еû127.0.0.*
192.1.1.* ⣬·κŷֻʹ443563
š443563һΪSSLš

       # ssl gateway rules:
       ssl-gw:	 timeout 300
       ssl-gw:	 hosts		 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
       ssl-gw:	 deny-hosts	 *


˵plug-gwӵŷڱУ·ڵûֻӵһϵͳӵŲ
ڶʹŷ͵·

ŷtimeoutʱ趨ӦñȽϳΪûĶš


       # NetNews Plugged gateway
       plug-gw:        timeout 3600
       plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
       plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp

Fingerص趨Ϊ򵥡·ڵûֻҪȵ¼Ϳʹ÷ǽϵfingerʽκ˾ֻյһmessage

       # Enable finger service --------趨finger
       netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
       netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt


HOWTOУû趨MailX-windowsܡκⷽʵ뷢emailҡ
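A matcher for the host rules shown in this section, written as an added example rather than taken from FWTK: it parses the tn-gw, netacl-in.telnetd and http-gw lines above and reports whether a client is allowed and whether -auth applies. Assumed, not stated on the page: patterns are matched as shell-style wildcards, the first matching rule wins, `hosts` acts like `permit-hosts`, and a client that matches nothing is refused.

```python
"""Matcher for the TIS FWTK netperm-table host rules shown in section 7.4.1
(added example, not FWTK's own code). Assumed: a pattern is a dotted quad in
which '*' matches any run of characters, rules are tried in file order and the
first match decides, 'hosts' behaves like 'permit-hosts', and a client matched
by no rule is refused."""
from fnmatch import fnmatchcase

# Constructed from the tn-gw, netacl-in.telnetd and http-gw lines on the page.
NETPERM_TABLE = """
# telnet gateway rules:
tn-gw:  permit-hosts 196.1.2.* -passok -xok
tn-gw:  permit-hosts * -auth
# Only the Administrator can telnet directly to the Firewall via Port 24
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
# www and gopher gateway rules:
http-gw: hosts 196.1.2.* -log { read write ftp }
http-gw: deny-hosts *
"""

HOST_KEYWORDS = ("permit-hosts", "deny-hosts", "hosts")

def parse_netperm(text):
    """Return {application: [(keyword, pattern, flags), ...]} in file order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        app, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or len(fields) < 2 or fields[0] not in HOST_KEYWORDS:
            continue  # timeout, *-msg, userid, directory ... are not host rules
        table.setdefault(app.strip(), []).append((fields[0], fields[1], fields[2:]))
    return table

def check_host(table, app, client_ip):
    """(allowed, flags) for client_ip against the rules of one application."""
    for keyword, pattern, flags in table.get(app, []):
        if fnmatchcase(client_ip, pattern):
            return (keyword != "deny-hosts", flags)
    return (False, [])

def telnet_policy(table, client_ip):
    """What tn-gw demands of a client: 'denied', 'auth' (authsrv login) or 'pass'."""
    allowed, flags = check_host(table, "tn-gw", client_ip)
    if not allowed:
        return "denied"
    return "auth" if "-auth" in flags else "pass"

TABLE = parse_netperm(NETPERM_TABLE)
```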

7.4.2  inetd.confõ

渽/etc/inetd.confȫĵвҪĹܶ#עȫĵʾȡ˺ֹܣԼʾ趨µķǽܡ


       #echo   stream	 tcp  nowait  root	  internal
       #echo   dgram	 udp  wait    root   internal
       #discard 	 stream    tcp	nowait	root   internal
       #discard 	 dgram	   udp	wait	root   internal
       #daytime 	 stream    tcp	nowait	root   internal
       #daytime 	 dgram	   udp	wait	root   internal
       #chargen 	 stream    tcp	nowait	root   internal
       #chargen 	 dgram	   udp	wait	root   internal
       # FTP firewall gateway --------FTPǽ
       ftp-gw	   stream  tcp	nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
       # Telnet firewall gateway------Telnetǽ
       telnet  stream  tcp  nowait	root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
       # local telnet services------ûtelnet
       telnet-a    stream  tcp	nowait	    root  /usr/local/etc/netacl in.telnetd
       # Gopher firewall gateway------Gopherǽ
       gopher  stream  tcp  nowait.400	root  /usr/local/etc/http-gw /usr/local/etc/http-gw
       # WWW firewall gateway------WWWǽ
       http    stream  tcp  nowait.400	root  /usr/local/etc/http-gw /usr/local/etc/http-gw
       # SSL firewall gateway------SSLǽ
       ssl-gw  stream  tcp     nowait  root /usr/local/etc/ssl-gw   ssl-gw
       # NetNews firewall proxy (using plug-gw)------NetNewsǽŷʹplug-gw
       nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
       #nntp   stream	 tcp  nowait	root /usr/sbin/tcpd in.nntpd
       # SMTP (email) firewall gateway------SMTPemailǽ
       #smtp   stream  tcp    nowait  root    /usr/local/etc/smap smap
       #
       # Shell, login, exec and talk are BSD protocols------ Shell, login, exec and talkBSDЭ
       #
       #shell  stream	 tcp  nowait	root /usr/sbin/tcpd in.rshd
       #login  stream	 tcp  nowait	root /usr/sbin/tcpd in.rlogind
       #exec   stream	 tcp  nowait	root /usr/sbin/tcpd in.rexecd
       #talk   dgram	 udp  wait root /usr/sbin/tcpd in.talkd
       #ntalk  dgram	 udp  wait root /usr/sbin/tcpd in.ntalkd
       #dtalk  stream	 tcp  wait nobody    /usr/sbin/tcpd in.dtalkd
       #
       # Pop and imap mail services et al------Popimap mail
       #
       #pop-2	stream	tcp  nowait  root  /usr/sbin/tcpd   ipop2d
       #pop-3	stream	tcp  nowait  root  /usr/sbin/tcpd   ipop3d
       #imap	stream	tcp  nowait  root  /usr/sbin/tcpd   imapd
       #
       # The Internet UUCP service------·UUCP
       #
       #uucp	stream	tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
       #
       # Tftp service is provided primarily for booting.  Most sites
       # run this only on machines acting as 'boot servers.' Do not uncomment
       # this unless you *need* it.  ----- TftpҪһֻΪ'bootŷ'ʱҪtftpˣҪȡע#š
       #
       #tftp   dgram	 udp  wait root /usr/sbin/tcpd in.tftpd
       #bootps dgram	 udp  wait root /usr/sbin/tcpd bootpd
       #
       # Finger, systat and netstat give out user information which may be
       # valuable to potential "system crackers."  Many sites choose to disable
       # some or all of these services to improve security.------ Finger, systat and netstat򺧿ṩɹϡվȡһЩȫܣȫ
       #
       # cfinger is for GNU finger, which is currently not in use in RHS Linux
       # cfingerGNU fingerĿǰRHS Linuxвʹá
       #
       finger  stream	 tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
       #cfinger      stream   tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
       #systat stream	 tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
       #netstat     stream    tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
       #
       # Time service is used for clock synchronization.-----ʱ书趨ʱͬ
       #
       #time   stream	 tcp  nowait  root  /usr/sbin/tcpd  in.timed
       #time   dgram	 udp  wait    root  /usr/sbin/tcpd  in.timed
       #
       # Authentication-----û
       #
       auth	     stream  tcp  wait	  root	/usr/sbin/tcpd	in.identd -w -t120
       authsrv stream	 tcp  nowait  root  /usr/local/etc/authsrv authsrv
       #
       # End of inetd.conf-----inetd.confõ

7.4.3  /etc/services

ûӵǽʱӵһ֪ĲС1024磬telnetӵ23inetd daemonӵӵĶ鿴/etc/servicesЩܵ֡Ȼᣬ/etc/inetd.confָĳʽʱʹõĹܲ/etc/servicesСЩָܿκָĲ磬Աtelnettelnet-a趨24Ҳ趨2323Ϥ㡣Աָ㱾ˣҪֱӵǽtelnet24ǲ23簴趨netperm-tableֻܴӱ·еһϵͳ趨


       telnet-a 	24/tcp
       ftp-gw	       21/tcp	      # this name changed
       auth	       113/tcp	 ident	  # User Verification
       ssl-gw		443/tcp


8.  SOCKSŷ

8.1  趨ŷ

SOCKSŷɴ ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-src.tgzȡáõҲһΪ'socks-conf'õοɰѸõѹȻе˵ʹøõʹʱ򵥣ӦȷMakefileȷ  /etc/inetd.confӦŷˣӦһС

       socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd


ŷŻҪʱС

8.2  ôŷ

SOCKSҪõ趨һõ趨ȡõȨޣһõ趨·ԱҵʵĴŷȨ޵Ӧŷϣ·Ӧÿһ̨UNIXϡDOSMacintoshȷе·

8.2.1  Ȩ޵

socks4.2betaУȨ޵Ϊ'sockd.conf'ӦֻУһpermitһоܾdenyÿж趨

    ʶʾ(permit/deny)

    IPַ

    ޸ĵַ

ʶʾpermitdenyӦеpermitк͵denyС
IPַʹñ׼4byteʽʾI.E. 192.168.2.0. ޸ĵַҲǱ׼4λԪ
IPַΪnetmaskַ32λԪ֡1˶ԵĵַӦλӦIPַӦλԪ磬еĵַΪ

	 permit 192.168.2.23  255.255.255.255

ֻÿһλԪĵַ192.168.2.23ַΪ

	 permit 192.168.2.0  255.255.255.0


192.168.2.0192.168.2.255֮ÿһַCĵֵַַ֡

	 permit 192.168.2.0  0.0.0.0


ÿһַʹãַΪΡ
ˣÿһӦĵַȻַܾ192.168.2.xxxΧеÿһûзʽʾ

	 permit 192.168.2.0  255.255.255.0
	 deny 0.0.0.0  0.0.0.0

עdenyеĵһ'0.0.0.0'ڵַ0.0.0.0޸ģIPΪζûӰ졣0ΪIPַΪڴ֡
رûԸܾʹõȨޡͨidenĲʵ֡ڲϵͳ֧idenаTrumpet WinsockԴ˴Ԥ˵ͬsocksṩ˵Թʹá

8.2.2  ·

SOCKSе·Ϊ'socks.conf'Ȩ޵ ·SOCKSû֪ʱsocksʱá磬ʾ·192.168.2.3Ҫʹsocks192.168.2.1ǽԻͨEthernetֱ֮ӵӡ127.0.0.1ԶΪloopbackҲҪsocksͬԼԻ

    deny

    direct

    sockd

Denyи߭
socksʱܾһڴͬsockd.confַͬʾСIPַ޸ĵַСһԣȨ޵sockd.confҲйأ޸ĵַ0.0.0.0κεطڴ˿޸ġ

direct벻ʹsockĵַЩֱַ·뾭ŷλҪidentifieraddressmodifier

	 direct 192.168.2.0 255.255.255.0

Sockdиߵһûĵsocks server daemon¡

       sockd @=<serverlist> <IP address> <modifier>

ע@=
ݡַһϵдŷIPַֻһŷĵַΪ϶ŷĵַԱӴŷʧʱŷ档

趨IPַmodifierķͬ

8.2.3  ǽDNS

     ӷǽ趨Domain Name ServiceǼ򵥲¡ֻҪΪǽĵ趨DNSɡȻڷǽĵ趨ʹDNS"

8.3  ŷ

8.3.1  Unix

ҪʹӦóôŷЩӦóҪ'sockified'ҪtelnetһֱͨѶһͨŷͨѶSOCKS˵sockһʽķҲмѾsockõĳʽҪֱʹsockõĳʽSOCKSֱ趨ˣӦý·ڵгʽȻٸѾsockõĳʽ磬'Finger'Ϊ'finger.orig''telnet'Ϊ'telnet.orig'	  ͨinclude/socks.hSOCKS趨 Щʽдroutingsockifying⡣Netscapeʹ֮һNetscapeҪôŷֻҪProxiesSOCKŷĵַɣڴΪ192.168.2.1ȻÿӦóʽЩС䶯䴦ŷķΪΡ

8.3.2  ΢ӴTrumpet Winsock

Trumpet Winsock
ԴĴŷܡ'setup'ѡŷIPֱַӿĵԵĵַȻᣬTrumpetͻᴦ͵ݰ

8.3.3  ʹŷUDPݰ

SOCKSֻTCPݰ UDPټôΪõĳʽtalkArchieUDPһΪUDPrelayTom Fitzgerald<fitz@wang.com>ҪΪUDPݰĴŷʹáڱдʱLinux.

8.4  ŷȱ

ףŷһȫװá޵IPַ£ʹû·ȱ㡣ŷʹ·ڵû·֮⣬ʹ·֮ûȫ޷ͬ·֮ڵûϵʾ޷ͬ·֮ڵĵԽtalkarchieҲ޷͵ʼЩȱ㿴أ

    һûɵıڱ·ǽڵĵϡؼᣬ뿴ݱ档ûа취Ϊڷǽᣬ޷loginǽÿһ˶ɽŷŷϲûиʻ

    Ůȥ˴ѧдʼ̸Щ˽£ܰѵʼֱӷŵԼĵϡ㵱ȻŵùϵͳԱ⵹빫޹أǸ˵ż

    ʹUDPǴŷһȱݡ벻֮ͻUDPĹܡ

FTPǴŷһ⡣ȡûʹlsʱFTPŷڿͻϴһsocketͨϢŷFTP޷ʹá
⣬ŷлҪԴ϶࣬κܴõŷҪ졣
һԣIPֲַرǰȫ⣬ǾͲҪʹ÷ǽͣ򣩴ŷûIPַҲǰȫ⣬ǾͲʹIPģTermSlirpTIATermɴftp://sunsite.unc.eduȡãSlirpɴftp://blitzen.canberra.edu.au/pub/slirpȡãTIAɴmarketplace.comȡáʹôŷ·ûҪֻҪһ趨֮Ͳ̫Ĺ


9.  ߼

ڽʱپһӣ˵õķǰʺ϶ʹһ߼ΪԱ˵һЩ⡣ǰӲܽ⣬߻˽ŷͷǽԣעӡ

9.1  עذȫĴ·

һҪ·й50̨Ժһ32IPַĴμӵļͬ·òͬʹȨˣ·һֲһֻͨ
ּС

  1.  Χ˶ɵĲ档³ԱĲ档

  2.  ԱһѾΧ˿֪һЩıķ

  3.  ⼮ɼƻ֮

9.1.1  ·趨

IP趨¡

    һַΪ192.168.2.255broadcastĵַʹá

    32 IPַ23ַ23̨Щͬ·ᡣ

    һIPַ·ϵlinux

    һIPַ·ϵһlinux

    IP #'srouter

    ʣµĸַ㶨ĸ֣ʹ׽û

    ·ĵַΪ192.168.2.xxx

ͽͬ··ͨEthernetȫǵĴڡEthernetúһEthernetͬ ·IPַlinuxĵԡ
ͬʱһĵŷ·ΪļƻҪһЩѵĲӡĵŷв·IPַ192.168.2.17⼮·IPַ192.168.2.23вͬIPַԭΪвͬEthernetԵʡ·IP ForwardingĹܹرͣá ̨LinuxIP ForwardingĹҲͣáȷ涨routerת192.168.2.xxxݰ·ɽ롣رIP Forwardingܵԭǲ·ݰõ⼮·⼮·ݰҲõﲿ·
趨NFSŷãʹѲͬĵͬ·ַΪãsymbolic linksֽſʹĵôҹúͼһethernetʹһ̨ĵŷ·

9.1.2  ŷ

Ҫ˽ϵǶҪⲿ·ֱ·ڴŷϲҪκθ⼮·Ͳ·ڷǽ֮ᣬҪڴŷһЩá
·÷ǳơԾʹ÷ǵIPַ趨һЩ

  1.  κ˶ʹĵŷĵŷܻ⵽֡Ϊأ˲ʹĵŷ

  2.  òԱڽѵӵּѶܶк

ˣڲ·linuxsockd.confӦһС

	 deny 192.168.2.17  255.255.255.255


⼮Żڵ趨ǡ

	 deny 192.168.2.23  255.255.255.255


ͬʱ·linux趨

	 deny 0.0.0.0  0.0.0.0 eq 80

еǲκλʹò80httpЩȻܣֻǲ
Ȼ̨sockd.confڶӡ

	 permit 192.168.2.0  255.255.255.0


ʹ192.168.2.xxxϵĵԶʹ̨ŷʹõĵԳ⣨ȴӲ·ĵŷ·

·sockd.conf¡

	 deny 192.168.2.17  255.255.255.255
	 deny 0.0.0.0  0.0.0.0 eq 80
	 permit 192.168.2.0  255.255.255.0


⼮·sockd.conf¡

	 deny 192.168.2.23  255.255.255.255
	 permit 192.168.2.0  255.255.255.0

Ӧû⡣ÿһ·ܵҵʵ໥ϵ˶ӦŶԡ
ھͿˣ
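The permit/deny evaluation of sockd.conf as 8.2.1 describes it (a 1 bit in the modifier selects an address bit that must match, so a 0.0.0.0 modifier matches every client) together with the `eq 80` port clause used in this section, as an added Python example that is not SOCKS's own code. The `neq/lt/gt/le/ge` operators and the refuse-when-nothing-matches default are assumptions rather than statements from the page; the sample rules are the sales department's file from above.

```python
"""Evaluator for the SOCKS 4 sockd.conf permit/deny lines described in
sections 8.2.1 and 9.1.2 (added example, not the HOWTO's or SOCKS's code).
Mask semantics follow the page: a 1 bit in the modifier means that address
bit must match; 0.0.0.0 therefore matches every client."""
from ipaddress import IPv4Address

# "eq" is the operator shown on the page; the others are assumed from the
# SOCKS 4 sockd.conf format and are not taken from the HOWTO.
PORT_OPS = {
    "eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
    "lt": lambda a, b: a < b, "gt": lambda a, b: a > b,
    "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b,
}

def mask_matches(client_ip, rule_ip, modifier):
    """True when every bit selected by the modifier agrees between the two addresses."""
    m = int(IPv4Address(modifier))
    return (int(IPv4Address(client_ip)) & m) == (int(IPv4Address(rule_ip)) & m)

def parse_sockd_conf(text):
    """Parse lines of the form: permit|deny <ip> <modifier> [op <dest-port>]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (3, 5) or fields[0] not in ("permit", "deny"):
            raise ValueError("bad sockd.conf line: %r" % raw)
        port_test = (fields[3], int(fields[4])) if len(fields) == 5 else None
        if port_test and port_test[0] not in PORT_OPS:
            raise ValueError("unknown port operator: %r" % raw)
        rules.append((fields[0], fields[1], fields[2], port_test))
    return rules

def sockd_decision(rules, client_ip, dest_port):
    """First matching line wins. With no matching line the request is refused
    (an assumption; the page's own examples always end in a catch-all deny)."""
    for action, rule_ip, modifier, port_test in rules:
        if not mask_matches(client_ip, rule_ip, modifier):
            continue
        if port_test is not None and not PORT_OPS[port_test[0]](dest_port, port_test[1]):
            continue
        return action
    return "deny"

# The sales-department sockd.conf of section 9.1.2, addresses as on the page.
SALES_CONF = """
deny 192.168.2.17  255.255.255.255
deny 0.0.0.0  0.0.0.0 eq 80
permit 192.168.2.0  255.255.255.0
"""

def sales_decision(client_ip, dest_port):
    return sockd_decision(parse_sockd_conf(SALES_CONF), client_ip, dest_port)
```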

				   CONTENTS

1.  ..................................................................... 1
   1.1 ߻Ӧ ............................................................. 1
   1.2  ............................................................. 1
   1.3 Ȩ ............................................................. 1
   1.4 дƪµĶ ..................................................... 2
   1.5 дɵĹ ....................................................... 2
   1.6  ............................................................. 2

2. ʲôǷǽ ............................................................. 2
   2.1 ǽȱ ......................................................... 3
   2.2 ǽ ......................................................... 3

3. ÷ǽ ............................................................... 3
   3.1 Ӳ ............................................................. 3

4. ÷ǽ ......................................................... 3
   4.1 еװ ....................................................... 4
   4.2 TIS Firewall Toolkit SOCKSĲ ................................. 4

5. 趨Linuxϵͳ ............................................................ 4
   5.1 ༭ں ............................................................. 4
   5.2 趨· ....................................................... 5
   5.3 趨Network Addresses ................................................ 5
   5.4 · ............................................................. 6
   5.5 ӹ̷ǽ ........................................................... 7

6. IP filtering (IPFWADM) ............................................. 7

7. װTISŷ ........................................................ 8
   7.1 ȡ ............................................................. 8
   7.2 ༭TIS FWTK ......................................................... 9
   7.3 װTIS FWTK  ....................................................... 10
   7.4 TIS FWTK ........................................................ 10

8. SOCKSŷ ......................................................... 15
   8.1 趨ŷ ...................................................... 15
   8.2 ôŷ ...................................................... 15
   8.3 ŷ .......................................................... 17
   8.4 ŷȱ .................................................... 17

9. ߼ ................................................................ 17
   9.1 עذȫĴ· .................................................. 17
