  Firewalling and Proxy Server HOWTO
  Mark Grennan, markg@netplus.net 
  ޤߤĤҤ isle@st.rim.or.jp(1997/03/26) 
  v0.4, 8 November 1996

  ʸǤ Linux ǥեȤݤδŪˤĤƲ
  ⤷Linux Ȥä PC ǥѥåȥե륿󥰤ȥץե
  ȤݤˤĤ¿ʤȤܤԤޤʸ
  HTMLǤ http://okcforum.org/~markg/Firewall-HOWTO.htmlˤޤ
  ______________________________________________________________________

  Table of Contents:

  1.      Ϥ

  1.1.    եɥХå

  1.2.    Ǥ(disclaimer)

  1.3.    Copyright(ɽ)

  1.4.    ʤ񤤤Τ

  1.5.    ٤

  1.6.    Τꤿͤ

  2.      եȤ

  2.1.    եμ

  2.1.1.  IP ե륿󥰥ե

  2.1.2.  ץ()

  3.      ե

  3.1.    ɬפʥϡɥ

  4.      եѥեȥ

  4.1.    ǽʥեȥ

  4.2.    TIS եġ륭åȤ SOCKS

  5.      Linux ƥν

  5.1.    ͥΥѥ

  5.2.    2 Υͥåȥɤ

  5.3.    ͥåȥɥ쥹

  5.4.    ͥåȥΥƥ

  5.5.    եζ

  6.      IP ե륿󥰤(IPFWADM)

  6.1.    ե륿󥰥եη

  7.      TIS ץСΥ󥹥ȡ

  7.1.    եȥ

  7.2.    TIS FWTK Υѥ

  7.3.    TIS FWTK Υ󥹥ȡ

  7.4.    TIS FWTK 

  7.4.1.  netperm-table ե

  7.4.2.  inetd.conf ե

  7.4.3.  /etc/services ե

  8.      SOCKS ץ

  8.1.    ץФΥåȥå

  8.2.    ץФ

  8.2.1.  ĥե

  8.2.2.  ϩե

  8.3.    ץФȤ

  8.3.1.  Unix

  8.3.2.  Trumpet Winsock Ȥä MS Windows

  8.3.3.  ץФ UDP ѥå

  8.4.    ץФη

  9.      ʤ

  9.1.    ƥŻ뤷礭ʥͥåȥ

  9.1.1.  ͥåȥ

  9.1.2.  ץФ
  ______________________________________________________________________

  1.  Ϥ

  Firewall-HOWTO ϸ David Rudder <drig@execpc.com> 񤭤ޤ
  󥢥åפ뤳ȤĤƤ줿˴դޤ

  եϥ󥿡ͥåȤ˰³뤿εŪʲ
  ơǯޤޤ礭̾ĤĤޤ礭̾
  Τϳ줺̾ϸˤȤŤƤޤ HOWTO Ǥϥե
  ȤϲɤΤ褦ꤹΤץ()ФȤ
  ץФˡεѤȤᥢץꥱˤ
  Ʋ⤷ޤ

  1.1.  եɥХå

  ΥեɥХå򴿷ޤޤɤʴְ㤤Ǥ⡢Ҷ
   ϸȤ̤οʹ֤ǤɤʤʤȤ
  ⡢ְ㤤ϢƤΤϺͥβ
  äƤä e-mail ˤֻ򤹤ĤǤǶ˻Τǡ
  ⤷ֻ񤱤ʤƤⵤˤʤǤ

   e-mail address  <drig@execpc.com>Ǥ [Ԥ e-mail address
   <isle@st.rim.or.jp> Ǥ]

  1.2.  Ǥ(disclaimer)

  ʸ˽񤤤Ƥ뤳Ȥ˽äʤ»ˤǤ餤
   ʸϥեȥץФɤΤ褦ư
  Ҳ𤹤뤿˽񤫤줿ΤǤϥƥȤǤʤ
  Τդ򤹤Ĥ⤢ޤ󡣻ϡ̤οͤ¿ܤɤǡ
  ԥ塼ʿʹ֤˲᤮ޤ.Ͽ͡ե
  ץФˤĤ򤹤Τ뤿ˤʸ񤤤Ƥ
  ǡʸΤ˿Ҥ褦ʤĤϤޤ

  1.3.  Copyright(ɽ)

  Unless otherwise stated, Linux HOWTO documents are copyrighted by
  their respective authors. Linux HOWTO documents may be reproduced and
  distributed in whole or in part, in any medium physical or electronic,
  as long as this copyright notice is retained on all copies. Commercial
  redistribution is allowed and encouraged; however, the author would
  like to be notified of any such distributions.

  All translations, derivative works, or aggregate works incorporating
  any Linux HOWTO documents must be covered under this copyright notice.
  That is, you may not produce a derivative work from a HOWTO and impose
  additional restrictions on its distribution. Exceptions to these rules
  may be granted under certain conditions; please contact the Linux
  HOWTO coordinator.

  In short, we wish to promote dissemination of this information through
  as many channels as possible. However, we do wish to retain copyright
  on the HOWTO documents, and would like to be notified of any plans to
  redistribute the HOWTOs.

  If you have any questions, please contact Mark Grennan at
  <markg@netplus.net>.

  Ƥʤ¤ꡢLinux  HOWTO ʸϤ줾Ԥ
  ݻƤޤɽƤΥԡźդ¤ꡢLinux
   HOWTO ʸϡɤΤ褦ʪŪŵŪʼʤǤ⡢ơ뤤ϰ
  ʬΤߤ򥳥ԡƺۤ뤳ȤǽǤŪѤǽǤ
  侩ޤΤ褦ʾˤϢƤ뤳ȤԤޤ

  Linux HOWTO ʸ񤫤ʪ뤤 HOWTO ʸ򽸤᤿Τ
  Ƥɽ˽ޤʤHOWTO ʸФ
  ɽʳɲä¤äƤϤޤ󡣤ε§ˤĤƤ
  ξΤȤ㳰⤢ޤ; ܺ٤ˤĤƤϸҤ Linux HOWTO
  Υǥ͡Υɥ쥹ޤ䤤碌Ƥ

  ñ˸ȡ䤿ϤǽʥͥͳƤʸ񤬹
  ڤ뤳ȤäƤޤʤ顢䤿 HOWTO ʸ
  copyright ݸƤꡢHOWTO ʸۤײˤĤƤϢ
  뤳ȤԤƤޤ

  䤬 Mark Grennan <markg@netplus.net> ޤǤɤ [ˤĤ
  ƤϤޤߤĤҤ<isle@st.rim.or.jp>ޤǤꤤޤ]

  1.4.  ʤ񤤤Τ

  եˡ˴ؤ䤬ǯ֤ۤɤδ֤˷֤
  comp.os.linux.* ƤƤޤɬפʾˤĤƤϸ
  ˤ֤Ǥ HOWTO θŤСפʾ󸻤Ǥ
  Ĥ礱ƤʬޤDavid Rudder 񤤤ꥸ
   HOWTO 򶯲ΥСǡï⤬եñ
  Ǥ褦ˤʤ뤳Ȥ˾Ǥޤ

  ޤ伫ȡ Linux ߥ˥ƥ˴ԸȻפäƤޤ

  1.5.  ٤

  o  饤¦ˡˤĤơ

  o  UDP ̤ Linux ѤΥץФ򸫤Ĥ뤳

  1.6.  Τꤿͤ

  ʲ HOWTO ҤͤˤʤǤ礦

  o  NET-2 HOWTO

  o  Ethernet HOWTO

  o  Multiple Ethernet Mini HOWTO

  o  Networking with Linux

  o  PPP HOWTO

  o  O'Reilly  "TCP/IP Network Administrator's Guide"

  o  TIS ե롦ġ륭åȤ°ʸ

  Trusted Information System(TIS)Υ֥ڡ (http://www.tis.com/)
  ϥեȤ˴ϢˤĤƤΥɥȤ˭٤
  ·äƤޤ

  ϸߡSecure Linux ȸƥˤĤƤΥץȤ˴
  äƤޤSecure LinuxΥ֥ڡˤϡ䤬
  Linux ƥ뤿ξʸ񡢥ץƤϿƤ
  ̣л e-mail Ƥ

  2.  եȤ

  ե(ɲ)ȤϤȤȤϼưֶȳѸǤ֤ˤȤ
  ƤΥեȤϡ󥸥ȾҤ֤ƤʪŪʾɤǤ
  ֤Υ󥸥˲ФĤƤ⡢ե뤬Ҥꡢɥ饤Ф
  եۤ˥󥸥椹뤳ȤǤޤ

  ԥ塼ǤΥեȤϡץ饤١Ȥʥͥåȥ
  Υͥåȥ(Ūˤϥ󥿡ͥå)뤿ΥǥХ
  

  ʹߡե̤Ƥ륳ԥ塼Υۥ̾
  "firewall"ȤޤΥۥȤΥץ饤١Ȥʥͥåȥȥ
  ͥåȤ³ƤʤФʤޤ󡣤Υͥå
  饤󥿡ͥåȤؤľ³Ǥʤ󥿡ͥåȤ
  Υͥåȥľܤ³Ǥޤ

  Υͥåȥ饤󥿡ͥåȤ³硢ޤ firewall 
  telnet ³θ塢firewall 饤󥿡ͥåȤ³뤳Ȥˤ
  ޤ

  եΤäȤñʷϤΤ褦 2 ĤΥͥåȥ
  ³ޥߤˡǤͥåȥΥ桼ƤѤ
  ƤʤС2 ĤΥͥåȥ³ Linux ޥ򥻥åȥå
  (IP forwarding/gatewaying  OFF ˤơ)ƤΥ桼Υ
  ȤФǤ礦ΥͥåȥΥ桼ϤΥޥ
  󤷤Ƥ telnet ꡢFTP ꡢ᡼ɤꡢ
  ꤷƤΥӥǤ褦ˤʤޤǤϡ
  Υͥåȥˤ륳ԥ塼ΤΤȤΤäƤΤ
  firewall Ǥͥåȥ³¾ΥޥǤϥǥե
  롼ȤꤹɬפϤޤ

  ֤ޤ嵭Υե뤬ޤƯˤϡ
  Υ桼Ƥƥ˵ۤꡢʬΥȤ˴
  ǽϤäƤʤФޤ󡣻ϤˡϤᤷޤ

  2.1.  եμ

  եˤ礭ʬ 2 Ĥμबޤ

  1. IP(ե륿)ե: ꤷѥåȰʳΥѥå
     ̲ᤵޤ

  2. ץ: ѤΥͥåȥ³󶡤ޤ

  2.1.1.  IP ե륿󥰥ե

  IP ե륿󥰥פΥեϥѥåȥ٥Ưޤ
  μΥեϡ줾ΥѥåȤϿƤ긵
  ݡȤ䰸ΥݡȡѥåȤμˤĤƤξ˴Ťơѥå
  ή椷ޤ

  ΥפΥեϤưǤͭפʥ뵡ǽ
  ˷礱ƤޤΥץ饤١Ȥʥƥ˥ʤȤϲ
  ǽǤƥθƤʬïƤΤȤ
  Υͥåȥï󥿡ͥåȤ³ΤȤϿ
  뤳ȤǤޤ

  ե륿󥰥פΥեϡ̣ǤⰭ̣Ǥⴰ
  ʥե륿ǤïΥץ饤١Ȥʥӥ󶡤褦
  פäƤ⡢ĿͤΤߤ˻ѵĤͿ褦ʤȤϤǤï
  Ǥ褦ꤹ뤷ޤ

  μΥѥåȥե륿󥰤εǽ 1.3.x ʹߤΥͥȤߤ
  Ƥޤ

  2.1.2.  ץ()

  ץФϥեۤ˴Ūʥ󥿡ͥå³
  ޤФʬ䤹 telnet ξǤ礦ץФ
  ȤС֤äեޥ˥󤷤ơٳ
  Υޥ˥פȤưŪ˹Ԥ褦ˤʤޤ
  饤ȤȤʤ륽եȥץФ³硢ץ
  ФѤΥ饤(ץ)եȥươʤ
  ȤƤǡŪϤžޤ

  ץФǤƤΤȤŲƤΤǡεϿ
  뤳ȤǽǤ

  ץФꤹд˰ʤȤǤץ
  Фï⼫ͳ̲ᤵľ IP 롼ƥ󥰤ޤ

  3.  ե

  3.1.  ɬפʥϡɥ

  Ǥ 66MHz 486-DX CPU ˥ 16MHDD  500M  Linux 
  ƥĥޥȤޤΥƥ 2 Υͥåȥ
  ɤΥץ饤١Ȥ LAN ³⤦Ĥϡ
  (de-militarized zone ά DMZ)פȸƤФ Lan ³Ƥ
  ȤޤDMZ ˤϥ󥿡ͥåȤ³롼Ȥޤ

  ϲǰŪ˻ȤƤǤ礦ͥåȥɤ
   LAN ѤΰΤߤǡ󥿡ͥåȤȤ³ PPP ȤȤ
  ǽǤפϡfirewall ˤ 2 Ĥ IP ɥ쥹ɬפ
  ȤǤ

  Τ礤¿ϼ 23 Υԥ塼³ LAN
  äƤޤΤ褦ʾ硢2 ĤΥǥ Linux ޥ(¿ʬŤ
  386 ޥäꤹΤǤ礦)³ơɡХ󥷥󥰷ͳ
  Ǽ LAN 򥤥󥿡ͥåȤ³ʤ뤫⤷ޤ󡣤
  Ǥϡ줫ǡɤ褦Ȥ 2 ĤΥǥब®
  ٤ 2 ܤˤƤϤǤ :-)

  [EQL(ɡХ󥷥)Linux ͥȤߤޤƤ뵡ǽ
  ǡ2 ĤΥꥢݡȤƱ˻Ȥä 2 Ť³ǡž
  ®٤ˡ 2 ɬפ³ˤ⤳εǽ̵
  ȻѤǤʤ(褯ΤʤɡISDN ʤȤ뵡ǽʤΤ⡢)]

  4.  եѥեȥ

  4.1.  ǽʥեȥ

  (ѥå)ե륿󥰥ե뤬ɬפʤСLinux Τȴ
  ŪʥͥåȥѥѥåǽʬǤŪʥǥȥӥ塼
  äƤʤΤʤΤ IP եġ
  (ipfwadm)Ǥ礦

  IPFWADM  http://www.xos.nl/linux/ipfwadm/ Ǥޤ

  ץФꤷ硢ʲμѥåΤɤ餫ɬפ
  

  1. SOCKS

  2. TIS Firewall Toolkit(FWTK)

  4.2.  TIS եġ륭åȤ SOCKS

  Trusted Information System(http://www.tis.com)Ϥޤޤʥե
  ϢΥեȥ꡼ƤޤΥץϴŪ
   SOCKS Ʊǽ̤ޤǥůؤϰäƤޤ SOCKS 
  ϰĤΥץबƤΥ󥿡ͥåȤȤΤȤ򥫥Сޤ
  TIS Ǥ firewall ۤ˻Ȥץऽ줾ˤĤѤΥ
  եȥѰդƤޤ

  ξԤӤ뤿ˡWWW  telnet ˤĤƸƤߤ뤳Ȥˤޤ礦
  SOCKS ǤեȥǡϰĤǤե
  ǡ telnet  WWW Ȥ褦ꤷޤtelnet  WWW ʳ
  ǤŪ˶ػߤʤӥѤǤޤ

  TIS ġ륭åȤǤ WWW  telnet 줾ѤΥǡ
  դե⤽줾ɬפǤWWW  telnet Ȥ褦ˤ
  Ƥ⡢ʳΥӥϡŪ˻ѤǤ褦ꤷƤʤ¤
  Ȥޤ(talk Τ褦)ѤΥǡ̵硢 "plug-in" ǡ
  Ȥޤˡ¾ˡ٤ƽ礭ʣ
  

  礷㤤ǤϤʤ褦˸뤫Τޤ󤬡ˤ߷׻
  ۤˤ礭ʰ㤤ޤSOCKS ϳȥ롼꤬ǽǤ
  ꤷʤ SOCKS ФͳơïͽۤƤʤ
  ͥåȥӥѤ뤫ΤޤTIS ġ륭åȤξ硢
  οʹ֤ϥƥԤĤӥʳѤ뤳ȤϤǤޤ

  SOCKS ⥳ѥñǡ꼫ͳ꤬ǽǤTIS 
  륭åȤΥ桼ϤǤȤ⳰
  ΥФƤϴ˰Ǥ

  ʸǤξԤΥ󥹥ȡˡˤĤޤ

  5.  Linux ƥν

  5.1.  ͥΥѥ

  󥹥ȡ뤷Ф Linux Ϥޤ礦( RedHat 3.0.3 
  ȤäƤꡢʲ˼⤳Υǥȥӥ塼ΤΤǤ)
  륽եȥʤۤɷ⾮Ƥߡȴ /뤤 Х
  ˤ륻ƥ⾯ʤƤߤޤեޥư
  ץꥱϺǾ¤ˤޤ礦

  ͥϰꤷΤӤޤ 2.0.14 ȤޤΥɥ
  Ȥ⤽ΥСΥͥ˽सޤ

  Linux ΥͥŬڤǥѥ뤷ޤκݤˤ ``Kernel
  HOWTO''  ``Ethernet HOWTO''``NET-2 HOWTO'' ʤɤͭפǤ礦
   HOWTO ɤȤ̵Сܤ̤褦ˤƤ

  ʲ 'make config' κݤ˻ꤹ٤ͥåȥϢΥץ
  ޤ

  1. General setup 

     a. Networking Support  ON

  2. Networking Options 

     a. Network firewalls  ON

     b. TCP/IP Networking  ON

     c. IP forwarding/gatewaying  OFF(IP ե륿󥰤򤷤
        ON)

     d. IP Firewalling  ON

     e. IP firewall packet loggin  ON(ɬܤǤϤʤȤ)

     f. IP: masquerading  OFF(masquerade ˤĤƤϤʸǰޤ
        )

     g. IP: accounting  ON

     h. IP: tunneling  OFF

     i. IP: aliasing  OFF

     j. IP: PC/TCP compatibility mode  OFF

     k. IP: Reverse ARP  OFF

     l. Drop source routed frames  ON

     Network device support 

     a. Network device support  ON

     b. Dummy net driver support  ON

     c. Ethernet(10 or 100Mbit) ON

     d. ȤΥͥåȥѤΥɥ饤ФǤ

  򽪤饫ͥ򥳥ѥ뤷ƥ󥹥ȡ뤷Ƶư
  ƤưΥåʣΥͥåȥɤǧ
  뤳ȤǧƤޤ礦⤷ޤʤ硢¾ HOWTO 
  ȤƤ

  5.2.  2 Υͥåȥɤ

  2 Υͥåȥɤ夷Ƥ硢/etc/lilo.conf ե
  append ԤΥɤ IRQ ȥɥ쥹ꤷʤФʤޤ󡣼
  ǤϰʲΤ褦ꤷƤޤ

      append="ether=12,0x300,eth0 ether=15,0x340,eth1"

  5.3.  ͥåȥɥ쥹

  褤¶äƤޤޤĤͥåȥ
  ʤФʤޤΥͥåȥ饤󥿡ͥåȤľܥ
  뤳ȤǧʤΤǡΥͥåȥΥɥ쥹ꤢƤ
  ɬפϤޤ󡣥󥿡ͥåȤ³ʤץ饤١Ȥʥͥåȥ
  ѤΥɥ쥹Ϥ餫ᤤĤƤΤǡΥɥ쥹
  ȤȤˤޤ󥿡ͥåȤǤϥɥ쥹­̣Ǥ
  Υץ饤١ȥɥ쥹Ȥ¤ꡢְäƥ󥿡ͥåȤ˥
  åȤήƤޤäƤⰭƶϽФʤ褦ˤʤäƤΤǡץ饤١
  ȥͥåȥˤϤμΥɥ쥹Ȥޤ礦

  Ǥ 192.168.2.xxx Ȥ饹 C Υɥ쥹ȤȤˤ
  

  ץեϥ󥿡ͥåȤȥץ饤١ȥͥåȥ
  ³ξԤδ֤ǥǡȤꤷޤ

              199.1.2.10   __________    192.168.2.1
        _  __  _        \ |          | /           _______________
       | \/  \/ |        \| Firewall |/           |               |
      / Internet \--------|  System  |------------| Workstation/s |
      \_/\_/\_/\_/        |__________|            |_______________|

  ѥåȥե륿󥰼ΥեξǤ⤳Υɥ쥹
  ȤȤǽǡκݤˤ IP masquerade ȤȤˤʤޤIP
  masquerade ȤСեۤƥ󥿡ͥåȤ
  ѥåȤΥɥ쥹ϼưŪˡʪΡ IP ɥ쥹(199.1.2.10)Ѵ
  Ƥ饤󥿡ͥåȤ˽ФƹԤޤ

  󥿡ͥåȤ³¦(¦)Υͥåȥɤˤ IP 
  쥹դʤФޤ󡣰¦Υͥåȥɤˤ
  192.168.2.1 Υɥ쥹ꤢƤޤ 192.168.2.1 Υɥ쥹
  Υͥåȥˤץ/ȥ IP ɥ쥹ˤʤ
  ʳΥͥåȥ³ޥˤ 192.168.2.xxx 
  ɥ쥹Ϳޤ(192.168.2.2  192.168.2.254)

   RedHat Linux ȤäƤޤΤ(ï¾򲼤 ;-)
  ưΥͥåȥɤꤹ뤿 /etc/sysconfig/network-
  scripts ǥ쥯ȥˤ 'ifcfg-eth1' եޤ
  եϵưɤߤޤ졢ͥåȥȥ롼ƥ󥰥ơ֥
  뤿˻Ȥޤ

  ʲ˻ ifcfg-eth1 򼨤ޤ

      #!/bin/sh
      #>>>Device type: ethernet
      #>>>Variable declarations:
      DEVICE=eth1
      IPADDR=192.168.2.1
      NETMASK=255.255.255.0
      NETWORK=192.168.2.0
      BROADCAST=192.168.2.255
      GATEWAY=199.1.2.10
      ONBOOT=yes
      #>>>End variable declarations

  Ʊǥȥˤ륹ץȤȤäƥǥͳǥץХ˼ưŪ
  ³뤳ȤǽǤΤˤ ipup-ppp ץȤ򸫤ƤߤƤ
  

  󥿡ͥåȤ³ݤ˥ǥͳ PPP  SLIP  ISP ³
  硢¦(ISP ¦) IP ɥ쥹ϥץХ鼫ưŪ˳ꤢƤ
  ޤ

  5.4.  ͥåȥΥƥ

  ifconfig  route ޥɤǥͥåȥåޤ2 Υͥå
  ɤȤäƤ硢ifconfig νϤϰʲΤ褦ˤʤϤ
  

    #ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
              UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
              RX packets:1620 errors:0 dropped:0 overruns:0
              TX packets:1620 errors:0 dropped:0 overruns:0

    eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
              inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:12 Base address:0x310

    eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:15 Base address:0x350

  ϩɽϤΤ褦ˤʤǤ礦

    #route -n
    Kernel routing table
    Destination     Gateway         Genmask         Flags MSS    Window Use Iface
    199.1.2.0       *               255.255.255.0   U     1500   0       15 eth0
    192.168.2.0     *               255.255.255.0   U     1500   0        0 eth1
    127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
    default         199.1.2.10      *               UG    1500   0       72 eth0

  ա 199.1.2.0 󥿡ͥå¦Υɥ쥹 192.168.2.0 ϥץ饤
  ¦Υɥ쥹Ǥ

   firewall 饤󥿡ͥåȤ ping ƤߤޤƥȤˤ
  nic.ddn.mil ȤޤϺǤɤƥǤۤɤο
  ̵褦Ǥnic.ddn.mil ưƤʤ硢̤Υ󥿡ͥåȾ
  ΥۥȤǻƤߤƤǤʾ PPP 
  ƤʤΤǤ礦``NET-2 HOWTO'' ɤǺ٥åƤߤƤ
  

  [Ǥ www.ntt.co.jp  www.iij.ad.jp ꤬ʥƥǤ
  ]

   firewall ɸ椵줿ͥåȥΥۥȤ ping Ƥ
  ޤΥͥåȥΥۥȴ֤Ǥߤ ping ǤϤǤ
  ʾ硢``NET-2 HOWTO'' ɤľƥͥåȥå
  ޤ礦

  Υͥåȥ firewall γͥåȥ¦Υɥ쥹
  ping Ƥߤޤ(աΥɥ쥹Ȥϡ192.168.2.xxx Ȱ㤦 IP ɥ
  Ǥ)⤷ ping Ǥ褦ʤ IP Forwarding ̵ˤʤäƤޤ
  󡣤ˤΤǧƤIP Forwarding ǽȤ
  硢ʸ IP ե륿󥰤⻲ȤƤ

  ˥ե(ΥͥåȥΥۥ)饤󥿡ͥ
  ȾΥۥȤ ping Ƥߤޤκݤˤ firewall  ping ǳǧ
  ۥ(㤨 nic.ddn.mil)ȤΤǤ礦IP Forwarding ǽ
  ̵ˤʤäƤ ping ̤ʤϤǤ

  IP forwarding ͭˤƤơΥͥåȥ(192.168.2.* Ȥ
  㤦)ʪΡIP ɥ쥹դƤˤؤ餺饤󥿡
  ͥåȤؤ ping Ǥfirewall Υ󥿡ͥå¦ ping Ǥ
  褦ʾ硢firewall ³Υ롼ˤΥͥåȥ˴
  ƤʤΤΤޤ(³Υ
  ХλŻΤޤ)Υͥåȥ
  192.168.2.*  Υɥ쥹դƤ硢ѥåȤ뤳Ȥ
  Ǥޤ

  ǴŪϴλޤ

  5.5.  եζ

  եꤷƤޥǻȤʤӥ򤽤Τޤޤˤ
  ΤϤ褯ޤ󡣡ְԡפ firewall ˥ơ
  Ѥ뤫ΤʤǤ

  ΤˤȤʤӥϻߤˤޤ礦/etc/inetd.conf
  ե򸫤ƤΥե뤬֥СС inetd 
  եǤΥե͡ʥӥԤʤǡȤεư
  ˡҤƤޤ

  netstat, systat, tftp, bootp, finger ˺줺ߤޤ礦
  ߤˤˤϡΥӥιƬ # դäޤɬפ
  򽪤顢"kill -HUP <pid>"(<pid>  ined Υץֹ)¹
   inetd  HUP ʥޤΥʥ inetd 
  ե(etc/inetd.conf/)ɤߤľƺƵưޤ

  inetd Ƶư顢firewall  15 ֤ΥݡȤ telnet Ƥߤޤ
  (telnet firewall 15) netstat νϤ褦ʤ inetd 
  ƵưƤޤ

  6.  IP ե륿󥰤(IPFWADM)

  IPե륿󥰥פΥեꤹ硢ޤǽ˥
  ͥ IP Forwarding ǽȤߤǺƹۤѥåȤž
  Ƥ뤳ȤǧƤޤLinux  IP Forwarding ǽϥǥե
  ȤǤͭˤʤäƤΤǡϩɽꤷƤХͥåȥ
  Ǥ⳰Ǥ⼫ͳ³ǤϤǤ

  Ǥϥեꤷ褦ȤƤޤΤǡξ
  Ȥ뵡ǽ¤ƤȤˤޤ

  ΥƥǤϤޤޤʥץȤǥե forwarding 
   accounting ԤʤäƤޤΥץȤ
  /etc/rc.d/ 鵯ư˸ƤӽФ褦ˤƤޤ

  ǥեȤǤ Linux  IP Forwarding ƤΥѥåȤ forward 
  褦ˤʤäƤޤΤᡢեꤹ뤿Υ
  ȤǤϡޤƤ forward ػߤơꤵ줿 forwarding 
  ƾõɬפޤΥץȤεǽ̤ޤ

    #
    # setup IP packet Accounting and Forwarding
    #
    #   Forwarding
    #
    # By default DENY all services
    ipfwadm -F -p deny
    # Flush all commands
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f

  ǴʥեˤʤޤɤʥѥåȤ⤳ΥۥȤ
  ̲Ǥޤ󡣤ɬפʥӥϥե̲ᤵ
  ɬפޤΤˤϰʲ˼ץȤͤˤʤǤ礦

    #  e-mail ʬΥ᡼륵ФϤȤĤ
    ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25

    # Υ᡼륵Ф³Ĥ
    ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535

  [ꥸʥǤϤʤäƤޤԤϡʬ ipfwadm -F
  -b a accept -b -P tcp -S 192.1.2.10 1024:65535 -D 0.0.0.0/0 25 Ȼ
  ޤ]

    #  Web Фؤ³Ĥ
    /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80

    #  Web Фؤ³Ĥ
    /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 80 -D 0.0.0.0/0 1024:65535

    # DNS ΤȤĤ
    /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24

  ե̲᤹ǡ˶̣硢ΥץȤ
  åȤεϿ뤿˻Ȥޤɬפ˱ƵϿ륢ɥ쥹
  ƥΤεϿ褦ˤƤ

    # ߤΥȥ롼õ
    ipfwadm -A -f
    # Ȥ򳫻
    /sbin/ipfwadm -A -f
    /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
    /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24

  ե륿󥰥եȤϤǽʬǤڤǤ
   :-)

  6.1.  ե륿󥰥եη

  ե륿󥰼Υեηϡ󥿡ͥåȤ
  ͥåȥإǤʤȤǤե륿󥰼Υե
  Ǥϥե륿̲Ǥ褦ꤷӥե
  ۤ˻ȤȤǤޤ󡣥ץФȤС桼ϥե
  ޥ˥󤷤Ƥ顢ǽͥåȥΥ
  ˼ͳ˥Ǥ褦ˤʤޤ

  ͥåȥ饤ȤͥåȥӥΤ褦˳ȯ
  ƤޤΥӥȤݤˤϡΥӥ򥳥ȥ
  뤹뤿οˡͤɬפޤ

  7.  TIS ץСΥ󥹥ȡ

  7.1.  եȥ

  TIS FWTK(FireWall ToolKit) ftp://ftp.tis.com/ Ǥޤ

  ƱԤ򤷤ʤ褦ˡTIS ե ftp ݤˤϡޤ
  README եɤǤTIS fwtk ϥФαǥ쥯ȥ
  Ƥꡢꤹ뤿ˤ fwtk-request@tis.com ʸ SEND Ȥ
  񤤤᡼ɬפޤ֥ȹԤפǤ᡼
  ȼưŪ(12 ͭ)ɤɤ뤿Υǥ
  ȥֿ̾ޤ

   HOWTO 񤤤ƤǤ TIS  FWTK С 2.0(beta)
  ƤޤΥС(㳰Τ)ȥѥ
  Ǥ긵ǤϤưƤޤʲ⤳ΥС򸵤
  ޤ餬ǽǤ꡼С HOWTO  update ޤ

  FWTK 򥤥󥹥ȡ뤹뤿ˤ fwtk-2.0 Ȥǥ쥯ȥ /usr/src
  ǥ쥯ȥ˺ޤFWTKΥ(fwtk-2.0.tar.gz)򤳤Υǥ
  쥯ȥ˰ܤŸƤ(tar zxf fwtk-2.0.tar.gz)

  FWTK ˤ WWW  SSL 򥵥ݡȤ뵡ǽϤޤ󤬡Jean-Christophe
  Touvet  addon եȤ񤤤ƤޤΥեȤ
  ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z Ǥޤ
   Touvet ϤΥɤ򥵥ݡȤƤޤ

   Eric Wedel  Netscape secure news servers Ѥ˲¤С
  ȤäƤޤ ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-
  gw/ssl-gw2.tar.Z Ǥޤ

  ʲǤ Eric Wedel ǤȤޤ

  Υץ򥤥󥹥ȡ뤹ˤϡñ /usr/src/fwtk-2.0 β
  ssl-gw ǥ쥯ȥꡢե򤽤֤Ǥ

  䤬ѥ뤷ϤĤνɬפǤ

  ǽν ssl-gw.c ˹Ԥޤssl-gw.c Ǥɬפʥե򥤥
  롼ɤ˺Ƥޤ

    #if defined(__linux)
    #include        <sys/ioctl.h>
    #endif

  Ĥνϡssl-gw  Makefile ̵ȤǤ¾ gateway
  ǥ쥯ȥˤ Makefile 򥳥ԡơgateway ̾ ssl-gw ѹ
  뤳ȤǤΤޤ

  7.2.  TIS FWTK Υѥ

  FWTK ΥС 2.0 ϰΥС٤Ƥäȴñ˥ѥ
  Ǥ褦ˤʤޤBETA Ǥ򤭤줤˥ѥ뤹ˤϤޤ
  ĤνɬפǤǽǤޤǤˤνԤʤ뤳Ȥ
  Ƥޤ

  뤿ˤ /usr/src/fwtk/fwtk ǥ쥯ȥ˰ươޤ
  Makefile.config.linux  Makefile.config ե˥ԡޤ

  FIXMAKE ưƤϤޤ 󥹥ȥ饯ˤ FIXMAKE 
  ˽񤤤ƤޤFIXMAKE ȡ줾Υǥ쥯ȥ
  Makefile ˲Ƥޤޤ

   fixmake ʲΤ褦˽ޤ sed ץȤ줾
   Makefile  include ԤФ '.' '' դäʬ
  ʲΤ褦ˤƤ fixmake ưޤ

    sed 's/^include[        ]*\([^  ].*\)/include \1/' $name.proto > $name

   Makefile.config եޤΥեˤ 2 սν
  ɬפǤ

  °ΥɥȤԤϼʬΥۡǥ쥯ȥ˥ɤ֤
  Ƥޤ䤿Ǥ /usr/src ǥѥ뤷褦ȤƤޤ
  ǡ FWTKSRCDIR ʲΤ褦ꤷޤ

    FWTKSRCDIR=/usr/src/fwtk/fwtk

  ˡMakefile.config Ǥ dbm Ȥ褦ˤʤäƤޤĤ
  Linux ƥǤ gdbm ǡ١ȤΤǰʲΤ褦ꤷޤ
  δĶ RedHat 3.0.3 Ǥ

    DBMLIB=-lgdbm

  Ǹν x-gw Ǥλ BETA Сˤ socket.c 
  ˥ХޤˤϡʲιԤƤ

    #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
                         + sizeof(un_name->sun_len)+ 1
    #endif

  ssl-gw ɬפʤСMakefile Υǥ쥯ȥꥹȤ ssl-gw Υǥ쥯
  ȥäޤ

    DIRS=   smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw

   make Ƥ

  7.3.  TIS FWTK Υ󥹥ȡ

  󥹥ȡ뤹ˤ make install Ƥ

  ۻǤ /usr/local/etc ˥󥹥ȡ뤵ޤ̤Τ
  ʥǥ쥯ȥ˰ܤƤ⹽ޤ(ϤäƤޤ)Ϥ
  Υǥ쥯ȥΥѡߥå 'chmod 700' ˤޤ

   firewall ԤǤ

  7.4.  TIS FWTK 

  褤¶äƤޤޤ󥹥ȡ뤷ӥˤ
  ƥƥ˶ǽꤹ뤿ɽʤФޤ
  

   TIS FWTK Υޥ˥奢򷫤֤ĤϤޤΤǡʲǤ
  긵ư򼨤ȶˡ䤬֤ĤäˤĤɤ
  ä򸫤ĤҤ٤ޤ

  TIS FWTK 椹뤿Υեϰʲ  3 Ǥ

  o  /etc/services

  o  TIS FWTK ɤΥݡȤȤꤷޤ

  o  /etc/inetd.conf

  o  ΥݡȤ˥ä硢ȤΥץư뤫 inetd
     ˻ؼޤ

  o  /usr/local/etc/netperm-table

  o  FWTK ï˲Ĥ뤫ꤷޤ

  FWTK ǽ뤿ˤϰʾΥես˽ʤФޤ
  netperm-table  inetd.conf ꤻ services ե
  ȥƥबǽˤʤǽޤ

  7.4.1.  netperm-table ե

  Υե TIS FWTK ΥӥïȤ뤫ꤷޤ 
  ݤˤ firewall ξ¦ΥͥåȥΥȥեåʬθƤ
  ϥץ饤١ȥͥåȥγ饢ˤϼǧڤ
  褦ˤơͥåȥ¦ˤͤϼͳ˳إǤ
  ˤޤ礦

  οͤǧѤ firewall Ǥ authsrv ȤץȤޤ
  Υץϥ桼 ID ȥѥɤΥǡ١Ȥޤ
  netperm-table ǧڥϥǡ١ɤˤäï
  Ǥ뤫ꤷޤ

  Ϥ³¤ݤ¿Υȥ֥иޤʲ˼
  permit-hosts Ԥ '*' ǤïǤ⥢ǤƤޤޤιԤ
   authsrv: permit-hosts localhost Ǥ

    #
    # Proxy configuration table
    #
    # Authentication server and client rules
    authsrv:      database /usr/local/etc/fw-authdb
    authsrv:      permit-hosts *
    authsrv:      badsleep 1200
    authsrv:      nobogus true
    # Client Applications using the Authentication server
    *:            authserver 127.0.0.1 114

  ǡ١ˤϡsu  root ˤʤä /usr/local/etc ǥ
  쥯ȥ ./authsrv ޥɤưƴѤΥ桼쥳ɤ
  ʲ򼨤ޤ

  桼䥰롼פɲˡˤĤƤ FWTK ΥɥȤɤǤ
  

      #
      # authsrv
      authsrv# list
      authsrv# adduser admin "Auth DB admin"
      ok - user added initially disabled
      authsrv# ena admin
      enabled
      authsrv# proto admin pass
      changed
      authsrv# pass admin "plugh"
      Password changed.
      authsrv# superwiz admin
      set wizard
      authsrv# list
      Report for users in database
      user   group  longname           ok?    proto   last
      ------ ------ ------------------ -----  ------  -----
      admin         Auth DB admin      ena    passw   never
      authsrv# display admin
      Report for user admin(Auth DB admin)
      Authentication protocol: password
      Flags: WIZARD
      authsrv# ^D
      EOT
      #

  telnet ѥȥ(tn-gw)ǤñʤΤǡ줫Ϥޤ
  

  ʲ˼ǤϡΥͥåȥΥۥȤ telnet ǧ̵
  ǵĤƤޤ(permit-hosts 196.1.2.* -passok)¾Υ桼
  ץФȤϥ桼 ID ȥѥɤɬפǤ (permit-
  hosts * -auth)

  ⤦ս 196.1.2.202 Υǧڤʤľ firewall ˥
  Ǥ褦ˤƤޤnetacl-in.telnetd ΤԤΤλ
  ǤιԤξܺ٤ˤĤƤϸҤޤ

  telnet ΥॢȤûˤƤ٤Ǥ

    # telnet gateway rules:
    tn-gw:                denial-msg      /usr/local/etc/tn-deny.txt
    tn-gw:                welcome-msg     /usr/local/etc/tn-welcome.txt
    tn-gw:                help-msg        /usr/local/etc/tn-help.txt
    tn-gw:                timeout 90
    tn-gw:                permit-hosts 196.1.2.* -passok -xok
    tn-gw:                permit-hosts * -auth
    # Only the Administrator can telnet directly to the Firewall via Port 24
    netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
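To see how the rules above resolve for a given client, here is an added example (not part of the HOWTO or of the TIS toolkit) that parses an excerpt of the netperm-table and applies the first matching permit-hosts/hosts/deny-hosts line per service. It assumes FWTK's first-match order, that `hosts` behaves like `permit-hosts`, that a `*:` service line applies to every service, and that a client with no matching line is denied; hostname patterns are not modelled.

```python
# Constructed excerpt of the netperm-table shown above (not the full file).
NETPERM_TABLE = """\
# telnet gateway rules:
tn-gw:   timeout 90
tn-gw:   permit-hosts 196.1.2.* -passok -xok
tn-gw:   permit-hosts * -auth
# Only the Administrator can telnet directly to the Firewall via Port 24
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
# www and gopher gateway rules:
http-gw: hosts      196.1.2.* -log { read write ftp }
http-gw: deny-hosts *
"""

# Attributes that decide access; 'hosts' is treated like 'permit-hosts' (assumption).
HOST_RULES = {"permit-hosts": "permit", "hosts": "permit", "deny-hosts": "deny"}


def parse_netperm(text):
    """Return (service, attribute, [values]) tuples in file order, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        service, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or not service.strip() or not fields:
            raise ValueError(f"malformed netperm-table line: {raw!r}")
        entries.append((service.strip(), fields[0], fields[1:]))
    return entries


def host_matches(pattern, ip):
    """'*' matches anything; '196.1.2.*' matches octet by octet (hostnames not modelled)."""
    if pattern == "*":
        return True
    pat, addr = pattern.split("."), ip.split(".")
    if len(pat) != 4 or len(addr) != 4:
        return False
    return all(p == "*" or p == a for p, a in zip(pat, addr))


def parse_options(tokens):
    """'-passok -xok -log { read write }' -> {'passok': True, 'xok': True, 'log': ['read', 'write']}."""
    opts, key = {}, None
    for tok in tokens:
        if tok.startswith("-"):
            key = tok[1:]
            opts[key] = True              # flag with no value so far
        elif tok in ("{", "}"):
            continue                      # brace-delimited value lists
        elif key is not None:
            opts[key] = [tok] if opts[key] is True else opts[key] + [tok]
    return opts


def check_access(entries, service, client_ip):
    """First host rule (for this service or '*') whose pattern matches decides; none => deny."""
    for svc, attr, vals in entries:
        if svc not in (service, "*") or attr not in HOST_RULES:
            continue
        if host_matches(vals[0], client_ip):
            return HOST_RULES[attr], parse_options(vals[1:])
    return "deny", {}


if __name__ == "__main__":
    table = parse_netperm(NETPERM_TABLE)
    for svc, ip in (("tn-gw", "196.1.2.50"), ("tn-gw", "10.1.1.1"),
                    ("netacl-in.telnetd", "196.1.2.202"), ("netacl-in.telnetd", "196.1.2.50")):
        print(svc, ip, check_access(table, svc, ip))
```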

  rlogin ʤ r- ϤΥޥɤ telnet Ʊˤʤޤ

    # rlogin gateway rules:
    rlogin-gw:    denial-msg      /usr/local/etc/rlogin-deny.txt
    rlogin-gw:    welcome-msg     /usr/local/etc/rlogin-welcome.txt
    rlogin-gw:    help-msg        /usr/local/etc/rlogin-help.txt
    rlogin-gw:    timeout 90
    rlogin-gw:    permit-hosts 196.1.2.* -passok -xok
    rlogin-gw:    permit-hosts * -auth -xok
    # Only the Administrator can telnet directly to the Firewall via Port
    netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a

  FTP ʤɤľܥե³٤ǤϤʤΤǡե
  ǤFTP ФưƤϤޤ

  ֤ޤʲ permit-hosts ԤΥͥåȥï
  ⥤󥿡ͥåȾΥۥȤ FTP ³Ǥǡ¾Υ桼ˤ
  ǧڤȤǤ(-log {retr stor })ԤǤȤꤷ
  եεϿȤ褦ˤƤޤ

  FTP  timeout ³֤ʤɤ³ڤ뤿λ֤
  ǡȤꤷʤޤ³򳫤Ƥ֤椹뤿ꤷ
  ޤ

    # ftp gateway rules:
    ftp-gw:               denial-msg      /usr/local/etc/ftp-deny.txt
    ftp-gw:               welcome-msg     /usr/local/etc/ftp-welcome.txt
    ftp-gw:               help-msg        /usr/local/etc/ftp-help.txt
    ftp-gw:               timeout 300
    ftp-gw:               permit-hosts 196.1.2.* -log { retr stor }
    ftp-gw:               permit-hosts * -authall -log { retr stor }

  Web  gopher֥饦ͳ ftp ʤɤ http-gw 椷ޤʲ
  κǽ 2 Ԥ firewall ˤȤꤷ ftp  web ʸ
  ߤƤǥ쥯ȥꤷޤϤΥե롼Ȥνͭ
  Ȥ롼ȤǤʤǥ쥯ȥ֤ޤ

  Web ³û¤٤Ǥtimeout ȿ̵³Ԥ
  ֤Ǥ

    # www and gopher gateway rules:
    http-gw:      userid          root
    http-gw:      directory       /jail
    http-gw:      timeout 90
    http-gw:      default-httpd   www.afs.net
    http-gw:      hosts           196.1.2.* -log { read write ftp }
    http-gw:      deny-hosts      *

  ssl-gw Ƥ̲ᤵޤΤդɬפǤʲǤΥͥ
  ȥƤΥۥȤ 127.0.0.*  192.1.1.* ʳäƥݡֹ
   443  563 γΥͥåȥƤ˥Ǥ褦ˤƤ
  443  563 ޤǤ SSL ȤݡȤǤ

    # ssl gateway rules:
    ssl-gw:         timeout 300
    ssl-gw:         hosts           196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
    ssl-gw:         deny-hosts      *

  ˼㤬 plug-gw Ȥä news Ф³ȤǤ
  ǤϡΥͥåȥïǤ⤬Υޥ news ݡȤˤΤ
  ͳ˥Ǥ褦ˤƤޤ

  3 Ԥ news ФΥǡեۤ뤿ΤΤ
  

  桼˥塼ɤǤ֡Ф³Ƥ뤳ȤꤷƤ
  ˥塼꡼¿ΤǡǤ timeout ĹꤷƤޤ

    # NetNews Pluged gateway
    plug-gw: timeout 3600
    plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
    plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp

  finger ΥȥϴñǤΥͥåȥΥ桼Ϥä
  firewall ˥󤷤Ƥ finger Ȥ褦ˤƤޤʳ
  ͤ finger 褦ȤƤ finger.txt Ǥ

    # Enable finger service
    netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
    netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

  Mail  X-windows ѤΥӥꤷƤʤΤϼޤï
  ޤԤ¸Τϻޤ e-mail ϢƤ

  7.4.2.  inetd.conf ե

  ʲ /etc/inetd.conf ե򼨤ޤפʥӥƥ
  ȥȤƤޤ򥳥ȥȤơեư
  Ƥ⤤ӥϲ򼨤ʸ򼨤ޤ

    #echo stream  tcp  nowait  root       internal
    #echo dgram   udp  wait    root       internal
    #discard      stream  tcp  nowait  root       internal
    #discard      dgram   udp  wait    root       internal
    #daytime      stream  tcp  nowait  root       internal
    #daytime      dgram   udp  wait    root       internal
    #chargen      stream  tcp  nowait  root       internal
    #chargen      dgram   udp  wait    root       internal
    # FTP firewall gateway
    ftp-gw      stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
    # Telnet firewall gateway
    telnet        stream  tcp  nowait      root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
    # local telnet services
    telnet-a    stream  tcp  nowait      root  /usr/local/etc/netacl in.telnetd
    # Gopher firewall gateway
    gopher        stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
    # WWW firewall gateway
    http  stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
    # SSL firewall gateway
    ssl-gw  stream  tcp     nowait  root /usr/local/etc/ssl-gw   ssl-gw
    # NetNews firewall proxy (using plug-gw)
    nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
    #nntp stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
    # SMTP (email)firewall gateway
    #smtp stream  tcp     nowait  root    /usr/local/etc/smap smap
    #
    # Shell, login, exec and talk are BSD protocols.
    #
    #shell        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
    #login        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
    #exec stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
    #talk dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
    #ntalk        dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
    #dtalk        stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
    #
    # Pop and imap mail services et al
    #
    #pop-2   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop2d
    #pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop3d
    #imap    stream  tcp  nowait  root  /usr/sbin/tcpd    imapd
    #
    # The Internet UUCP service.
    #
    #uucp    stream  tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
    #
    # Tftp service is provided primarily for booting.  Most sites
    # run this only on machines acting as "boot servers." Do not uncomment
    # this unless you *need* it.
    #
    #tftp dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
    #bootps       dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
    #
    # Finger, systat and netstat give out user information which may be
    # valuable to potential "system crackers."  Many sites choose to disable
    # some or all of these services to improve security.
    #
    # cfinger is for GNU finger, which is currently not in use in RHS Linux
    #
    finger        stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
    #cfinger      stream  tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
    #systat       stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
    #netstat      stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
    #
    # Time service is used for clock synchronization.
    #
    #time stream  tcp  nowait  root  /usr/sbin/tcpd  in.timed
    #time dgram   udp  wait    root  /usr/sbin/tcpd  in.timed
    #
    # Authentication
    #
    auth          stream  tcp  wait    root  /usr/sbin/tcpd  in.identd -w -t120
    authsrv       stream  tcp  nowait  root  /usr/local/etc/authsrv authsrv
    #
    # End of inetd.conf

  7.4.3.  /etc/services ե

  /etc/services ƤλϤޤǤ饤Ȥե
  well known port(1024 ʲΥݡ)³Ƥ㤨 telnet 
   23 ֤ΥݡȤ³ޤinetd ǡ󤬤³ʹĤơ
  ޤ /etc/services եǵư٤ӥ̾Ĵ٤ޤˡ
  ̾˽ä /etc/inetd.conf եɬפʥץ򸫤Ĥơ
  Υץư뤳Ȥˤʤޤ

  ƤΥӥ /etc/services ե˴ޤޤƤ櫓ǤϤޤ
  󡣤ĤΥӥϼͳ˥ݡȤꤢƤ뤳ȤǽǤϡ
  Ѥ telnet(telnet-a)ΥݡȤ 24 ֤˳ꤢƤޤ
  2323 ˤ뤳ȤǽǤtelnet-a ΥݡȤ 24 ֤ˤƤС
  (ʤ) firewall ˥ݤˤ 23 ֤ǤϤʤ 24 ֤Υݡ
  Ȥ褦ˤʤޤäơ䤬Ƥ褦 netperm-table ե
  ꤹСΥͥåȥΤߤ³ǽˤʤޤ

    telnet-a        24/tcp
    ftp-gw          21/tcp           # this name changed
    auth            113/tcp   ident    # User Verification
    ssl-gw          443/tcp

  8.  SOCKS ץ

  8.1.  ץФΥåȥå

  SOCKS ץФ
  ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-
  src.tgz ǤޤƱǥ쥯ȥեΥץ
  "socks-conf"֤ƤޤꤷƥŸơؼ˽ä
  make Ƥ䤬ѥ뤷ݤϤĤ꤬ޤ
   Makefile ǧ뤳Ȥ򤪴ᤷޤ

  ĽפʤȤޤץФ /etc/inetd.conf ˥ȥ
  ɬפǤʲιԤäơinetd ץФư褦
  ꤷƤ

    socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd

  8.2.  ץФ

  SOCKS ץˤ 2 ĤΩե뤬ɬפǤĤϥ
  Ĥ򵭽ҤΤǡ⤦ĤϥꥯȤŬڤʥץФ
  ž뤿ǤĤ򵭽ҤեϥФ֤
  Фʤޤ󡣥ꥯȤž뤿Υե SOCKS ȤƤ
  Un*x ޥɬפǤDOS ȡ¿ʬ Macintosh ⡢ȼΥꥯž
  ǽäƤϤǤ

  8.2.1.  ĥե

  socks4.2 Beta ǤϥĤ򵭽Ҥե "sockd.conf"Ǥ
  ΥեˤϺǤ permit() deny() 2 ԤɬפǤ
  ƹԤϰʲΤ褦 3 ĤΥȥޤ

  o  ̻(permit/deny)

  o  IP ɥ쥹

  o  ɥ쥹ν

  ̻Ҥ permit  deny Τɤ餫Ǥpermit  deny ξɬפ
  

  IP ɥ쥹 4 ХȤΰ̤˻Ȥ IP ɥ쥹εˡǵҤޤ
   192.168.2.0 Τ褦ʷǤ

  ɥ쥹νҤ̤˻Ȥ 4 ХȤ IP ɥ쥹ν񼰤ˤʤꡢ
  ꤬ͥåȥޥΤ褦˻Ȥޤο 32 ӥåȤ 1  0 
  ޥȹͤ 1 ʬ IP ɥ쥹եɤǻꤷɥ
  ȰפʤФޤ㤨С

      permit 192.168.2.23 255.255.255.255

  Ȥ硢192.168.2.23 Ȥ IP ɥ쥹ΤߤĤ뤳Ȥˤʤ
  ⤷ 192.168.2.3 Ȥ IP ɥ쥹Ĥϡ

      permit 192.168.2.0 255.255.255.0

  ꤷޤ 192.168.2.0  192.168.2.255 ޤǤΥ饹 C
  Υɥ쥹ƤΥĤ뤳Ȥˤʤޤ

  ꤷƤϤޤ

      permit 192.168.2.0 0.0.0.0

  ǤƤΥɥ쥹³Ĥ뤳ȤˤʤΤǰ̣ޤ
  

  ޤĤɥ쥹ƵҤޤƻĤΥɥ쥹ϵݤ
  褦ꤷޤ礦192.168.2.xxx ΥΤߤĤ硢
  ʲΤ褦ˤʤޤ

      permit 192.168.2.0 255.255.255.0
      deny 0.0.0.0 0.0.0.0

  deny Ԥκǽ "0.0.0.0" դƤɥ쥹Ҥ 0.0.0.0
  ꤷƤΤǡIP ɥ쥹ˤϰ̣Ϥʤñ˥פ䤹
  ֹǤǤ

  ʣꤹ뤳ȤǽǤ

  SOCKS ǤΥ桼Τߤ³Ĥݤꤹ뤳Ȥǽ
  Τˤ ident ѤǧڤȤ߹碌ޤTrumpet Winsock
  ޤơɬƤΥƥब ident 򥵥ݡȤƤ櫓ǤϤ
  ΤǡǤϤʾ忨ޤident Ȥˡ socks °
  ɥȤ˾ܤܤƤޤ

  8.2.2.  ϩե

  ӥꥯȤžꤹϩեʶ路Ȥ
  "socks.conf"Ȥ̾ˤʤäƤޤΤǡĤꤹ
  "sockd.conf"ȺƱʤ褦դƤ

  ϩե SOCKS Υ饤Ȥˤ socks Ȥ٤ؼ
  ޤ㤨С䤿ΥͥåȥǤϡ192.168.2.3 Υɥ쥹
  192.168.2.1  firewall  talk 硢ξԤϥͥåȤľ뤵
  ƤޤΤ socks ȤɬפϤޤ󡣤ޤ127.0.0.1 Ȥ롼
  ץХåɥ쥹ȤäƼʬȤ³ socks ȤɬפϤ
  ޤ󡣷ϩեˤ ʲ 3 ĤΥȥ꤬ޤ

  o  deny

  o  direct

  o  sockd

  (Deny)ΥȥǥꥯȤݤꤷޤΥ
  ˤ sockd.conf Ʊͤˡ̻ҡɥ쥹ҡȤ 3 Ĥ
  ޤ̾ɤꥯȤݤ뤫(ץ
  ФѰդ) sockd.conf ǽΤǡҤ 0.0.0.0 ˤƤ
  ޤɤˤ³ʤΤǤС餫ᤳꤹ뤳
  ǽǤ

  direct ȥ socks Ȥʤɥ쥹ꤷޤˤϥץ
  ФȤʤ³ǤƤΥɥ쥹ꤷޤˤ⼱
  ̻ҡɥ쥹Ҥ 3 Ĥ󤬤ޤ䤿ǤϰʲΤ褦
  ˤʤޤ

      direct 192.168.2.0 255.255.255.0

  ΥͥåȥΥۥȤؤľ³Ǥ뤳Ȥˤʤ
  ޤ

  sockd Υȥ socks Хǡ󤬤ۥȤΤ꤫ꤷ
  񼰤ϰʲΤ褦ˤʤޤ

    sockd @=<serverlist> <IP address> <modifier>

  @= ȥդƤ˥ץФ IP ɥ쥹
  󤷤ޤ䤿ǤϰĤΥץФȤޤ󤬡٤
  Ĺ뤿ʣΥץФ󤹤뤳Ȥǽ
  
  IP ɥ쥹ȽҤ¾ƱǡɤΥɥ쥹ؤϤɤͳ
  ³뤫ꤷޤ

  8.3.  ץФȤ

  8.3.1.  Unix

  ץФ˥ץꥱȤˤϡץꥱ
  餫SOCKS פƤʤФʤޤľ³Ѥȥץ
  зͳѤ2 Ĥ telnet ޥɤѰդʤФʤΤ
  SOCKS ѥåˤϡ餫 SOCKS 줿ĤΥץ
  ȶˡץ SOCKS ˡˤĤƲ⤷ʸ°
  Ƥޤľ³Ǥ SOCKS ޥɤȤȤ
  SOCKS ϼưŪľ³ѤΥޥɤưޤΤᡢƤΥ
  ɤ rename  SOCK С֤ؤ뤳ȤǽǤ
  Ȥ"finger""finger.orig"ˤ "telnet""telnet.orig"ˤ롢
  ɤǤΥޥɤɤˤ뤫 include/socks.h ǻꤷޤ

  ηϩ浡ǽ socks ǽĥץ⤢ޤ㤨
  Netscape ⤽ΰĤǤNetscape Ǥ Proxies ץ SOCKS ե
  ɤ˥ФΥɥ쥹(䤿Ǥ 192.168.2.1)ꤹ뤳Ȥǥ
  ФȤȤǽǤץФɤΤ褦˰˴
  ʤ줾Υץꥱ󤴤Ȥˤ¿Ǻɬפ뤫
  Τޤ

  8.3.2.  Trumpet Winsock Ȥä MS Windows

  Trumpet Winsock ˤϥץеǽȤߤޤƤޤ "setup"
  ˥ǥФ IP ɥ쥹ꤷơľ³Ǥ륳ԥ塼
  ޤƤ Trumpet ϼưŪ˳ؤΥѥåȤ򥵡Ф
  褦ˤʤޤ

  8.3.3.  ץФ UDP ѥå

  SOCKS ѥå TCP ѤˤʤäƤ UDP ΥѥåȤ̤ޤ󡣤
  ¿ؤˤʤäƤޤtalk  archie Ȥäץ UDP 
  ȤäƤ뤿 SOCKS ͳǤϻȤޤTom Fitzgerald
  <fitz@wang.com>  UDPrelay Ȥ UDP ѥåѤΥץФ
  ޤǰʤȤ˼ɮǤ Linux ǻȤޤǤ

  8.4.  ץФη

  ץФϤưʻȤߤǤץФȤäƸ
   IP ɥ쥹ˤΤߥ󥿡ͥåȤؤΥĤˡˤϤ
  ĤηޤץФȤΥͥåȥ鳰
  ؤΥϤʤ꼫ͳ˹Ԥʤ顢Υ˼Ǥ
  뤳ȤǽǤʤtalk  archie Ȥä³뤤
  Υԥ塼줿᡼̤ʤȤȤǤϤ
  ǤϤʤ褦˻פ뤫Τޤ󤬡˹ͤƤߤƤ
  

  o  񤭤ΥݡȤեΥԥ塼֤Ƥ
     硢𤫤³ȤƤ⡢եΥԥ
     ˤ³Ǥޤ󡣤ޤեޥ˥󤹤
     ǤץФˤϤɤǤ⥢ǤΤǡʤ
     ѤΥȤեޥ˺櫓ˤϤޤ

  o  ʤΤؤ˹Ԥޤ e-mail ϢȻ
     ޤĤץ饤١Ȥä⤢ΤǡľܤʤΥޥ˥
     äƤ餤Ȥ⤢Ǥ礦Ǥ⡢ե
     Υޥˤľܥ᡼Ϥޤ󡣤󡢥ƥԤ
     ˥᡼ɤळȤϤʤȿѤƤϤޤǤץ饤١
     ȤǤ顣

  o  UDP ѥåȤ̤ʤȤϥץФ礭ʷǤη
     ϤǤ᤯ʤȤΤǤ

  FTP ץФˤȤäƤǤftp getȤ ls
   FTP Ф³ƤޥΥåȤ򥪡ץ󤷤ơ
  ͳƾޤץФϤĤʤΤǡFTP Ϥ
  Ȥޤ

  ץФͳ³٤ʤޤץФˤϤʤ
  ХإåɤΤǡ³٤ʤޤ

  Ūˡ󥿡ͥåȤ˾³ƤƤ( IP ɥ쥹
  ƤƤ)ۤɥƥˤʤʤХե
  ФȤʤۤǤ礦󥿡ͥåȤ˾³
  ʤơۤɥƥˤʤȤ Term Slirp,
  TIA Ȥäꥢ IP ³򥨥ߥ졼Ȥ륽եȤȤФ
  Ǥ礦Term ftp://sunsite.unc.edu顢Slirp 
  ftp://blitzen.canberra.edu.au/pub/slirp 顢TIA  marketplace.com
  餽줾ǽǤΥѥåϥץФͳ
  ®¿ΥӥѤǤ󥿡ͥåȤΥͥå
  ³뤳ȤǽǤץФϡΥͥåȥ
  ¿ΥۥȤäơ줾ΥۥȤ饤󥿡ͥåȤ³
  ɬפϰսˤޤȤƲǽʸ¤꾯ȤŬ
  Ƥޤ

  9.  ʤ

  ʸ򽪤ˡ⤦Ĥ򤪸ޤ礦ޤǤ˾Ҳ
  ƤʬοͤˤϽʬȻפޤʣҲ𤹤뤳
  ȤǡĤε뤳ȤǤǤ礦ޤǤäǵ
  äꡢץФեΤʣ˶̣
  ͤɤǤߤƤ

  9.1.  ƥŻ뤷礭ʥͥåȥ

  㤨Сʤ millisha Υ꡼ǡʬΥȤͥåȥ
  ȹͤƤȤޤʤμ긵ˤ 50 Υԥ塼ꡢ5
  bits Υ֥ͥåȤǶڤ줿 32 IP ɥ쥹ꤢƤƤޤ
  ʤϻٻԤΥ٥˽äư㤦ȶƤΤǡͥåȥˤ
  ʣΥ٥Ѱդơʬ򱣤Ƥɬפޤ

  ٥ϰʲΤ褦ꤷޤ

  1. ٥롣Υ٥ïˤǤ⸫٥ǤΥ٥ǿ
     ִԤ򤵤ޤޤʼˡѤƴͶޤ礦

  2. ĥ٥롣٥򥯥ꥢͤΥ٥ǤΥ٥ο͡
     ˤܤμٰƤκ򶵤Ƥޤ

  3. ʼ٥롣Υ٥ο͡ˤΤ߿ηײ褬Ƥޤ
     ٥ο͡ˤɤΤ褦軰ܤüȤ
     Ƥ뤫˥塼ȡ󥰥å䥪ۥޥƥǤμ
     ʤɤѤꥢ 51 Υϥ󥬡˲ƤΤ
     Ȥä̩Ƥޤ

  9.1.1.  ͥåȥ

  IP ɥ쥹ϰʲΤ褦˳ꤢƤޤ

  o  192.168.2.255 ϥ֥ɥ㥹ȥɥ쥹ǻѤǤޤ

  o  Ѱդ줿 32  IP ɥ쥹Τ 23 ϥ󥿡ͥåȤ³ǽ
     23 Υޥ˳ꤢƤޤ

     [ 23 ȤϰοͤˤȤäƿŪʰ̣Ŀ
     Ǥ]

  o  ;ʬ IP ɥ쥹ġΥͥåȥ linux ޥ˳ꤢ
     Ƥޤ

  o  ⤦;ʬ IP ɥ쥹򤽤Υͥåȥ linux ޥ˳
     Ƥޤ

  o  2 Ĥ IP ɥ쥹롼˳ꤢƤޤ

  o  Ĥ 4 ĤIP ɥ쥹ˤ paul, ringo, john, george Ȥɥᥤ
     ̾ꤢƤơޤޤ

  o  2 Ĥα줿ͥåȥϥץ饤١ȥɥ쥹Ǥ
     192.168.2.xxx  IP ꤢƤޤ

  ˱줿 2 ĤΥͥåȥ򤽤줾̤ѰդޤξԤ
  ֳȤäͥåȤǷФƤΤǡγϥͥåȥ
  ǤĤʤäƤ뤳Ȥʬޤ󡣹ʤȤֳͥåȤ
  ̾ΥͥåȤΤ褦˻Ȥ(ȹͤޤ)ΤǡѤ򤹤ɬ
  Ϥޤ

  ΥͥåȥϤ줾 1 ;פ IP ɥ쥹Ϳ Linux 
  椺ĤͳƷФƤޤ

  2 ĤγΥ줿ͥåȥˤϰΥե륵ФѰդƤ
  ξԤƱե륵ФѰդȤΤ⡢̤ηĤˤä
  ۤײΰǤե륵Фˤ 2 Υͥåȥ
  ɤѰդ졢ַġץ٥Υͥåȥˤ192.168.2.17 IP ɥ
  򡢡ʼץ٥Υͥåȥˤ192.168.2.23 IP ɥ쥹
  Ƥޤե륵ХޥǤ IP Forwarding ̵ (off)ˤƤ
  ޤ

  Υ줿ͥåȥ³Ƥ 2  Linux ޥ IP
  Forwarding ̵ˤƤޤ󥿡ͥåȤ³Ƥ롼
  ϡŪ˻ؼʤꡢ ץ饤١ȥɥ쥹Ǥ
  192.168.2.xxx ΥѥåȤ̤ʤΤǡ󥿡ͥåȤΥ줿
  2 ĤΥͥåȥ˥ѥåȤꤳळȤϤǤޤIP Forwarding
  ̵ˤƤͳϡַġץͥåȥȡʼץͥåȥ֤ǥ
  åȤȤꤷʤǤ

  NFS (ե륵)⡢줾Υͥåȥ˰ۤʤե
  󶡤ޤϥܥå󥯤ȤС¿ȥåʷǤ
  ξԤǶͭǤեޤơñ˼¸Ǥޤե륵
  Фˤ⤦ΥͥåȥɤޤСΥޥϰ 3 Ĥ
  ͥåȥ³뤳Ȥˤʤޤ

  9.1.2.  ץФ

  ơ3ĤΥ٥ΥͥåȥϤ줾οŪ饤󥿡ͥ
  Ȥƻ뤷褦ȹͤƤޤΤˤϡ3ĤΥͥåȥ줾
  饤󥿡ͥåȤ³ǤʤФʤޤ󡣤Τˤϥץ
  ФѰդɬפޤʼץ٥ȡַġץ٥Υͥåȥ
  ϥեظˤޤΤǡ˥ץФѰ
  ޤ礦

   2 ĤΥͥåȥϤ褯ƤꡢξԤȤƱ IP ɥ쥹
  ꤢƤƤޤ⤦䤳뤿̤ξäƤߤ
  礦

  1. ե륵зͳǤϥ󥿡ͥåȤ˥Ǥʤ褦ˤ
     ե륵Ф饤󥿡ͥåȤ³ȡ륹䤽¾
     ޤޤʤΤ˱ǽޤ

  2. ַġץͥåȥ World Wide Web ˥Ǥʤ褦
     ޤϽǡWWW Ϳ褦ʳƼξϰƶ
     ܤޤ

  ξ硢ַġץͥåȥѤΥץФȤʤäƤ Linux 
   sockd.conf ϤΤ褦ˤʤޤ

      deny 192.168.2.17 255.255.255.255

  ʼץ٥ΥͥåȥǤϤǤ

      deny 192.168.2.23 255.255.255.255

  ַġץ٥ΥͥåȥΥץФˤ WWW ػߤ
  ɲäޤ

      deny 0.0.0.0 0.0.0.0 eq 80

  ϡޥ󤫤 http ΥݡȤǤ 80 ֤ΥݡȤؤ
  ϵݤ롢Ȥ̣Ǥ¾ΥݡȤѤӥ
  ѤǤWeb ؤΥΤߤػߤޤ

  ξԤȤ permit ˤϰʲ򤷤ޤ

      permit 192.168.2.0 255.255.255.0

  ǡ192.168.2.xxx ΥͥåȥƤΥޥϡ˶ػߤ
  Ƥ륵ӥ(ե륵Фؤ³ȡַġץͥåȥ Web
  ؤΥ)ƤΥץФȤȤǽˤʤޤ

  ηַ̡ġץͥåȥΥץФ sockd.conf ϤΤ褦
  ˤʤޤ

      deny 192.168.2.17 255.255.255.255
      deny 0.0.0.0 0.0.0.0 eq 80
      permit 192.168.2.0 255.255.255.0

  ʼץͥåȥΥץФ sockd.conf ϤǤ

      deny 192.168.2.23 255.255.255.255
      permit 192.168.2.0 255.255.255.0
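As an added example (not code from the HOWTO or from the SOCKS package), the following evaluates sockd.conf lines of the two forms used in sections 8.2.1 and 9.1.2 (`permit|deny addr mask` and `deny addr mask eq port`) the way the HOWTO describes them: a 1 bit in the mask means that bit of the client address must match, the first matching line decides, and the port operator applies to the requested destination port. It assumes that a request matching no line is refused, and that the other SOCKS port operators (neq, lt, gt, le, ge) compare the same way.

```python
import ipaddress
import operator
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the "civilian" proxy's sockd.conf shown above.
CIVILIAN_SOCKD_CONF = """\
deny 192.168.2.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.2.0 255.255.255.0
"""

# Port operators; only 'eq' appears in the HOWTO, the rest are assumed.
PORT_OPS = {"eq": operator.eq, "neq": operator.ne, "lt": operator.lt,
            "gt": operator.gt, "le": operator.le, "ge": operator.ge}


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    addr: int                       # IPv4 address as an integer
    mask: int                       # 1 bits must match, as the HOWTO describes
    port_op: Optional[str] = None   # e.g. "eq"
    port: Optional[int] = None      # destination port compared by port_op


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_sockd_conf(text: str) -> List[Rule]:
    """Parse the two line forms used in this HOWTO; anything else is rejected."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) not in (3, 5) or f[0] not in ("permit", "deny"):
            raise ValueError(f"malformed sockd.conf line: {raw!r}")
        rule = Rule(f[0], _ip(f[1]), _ip(f[2]))
        if len(f) == 5:
            if f[3] not in PORT_OPS:
                raise ValueError(f"unknown port operator in: {raw!r}")
            rule.port_op, rule.port = f[3], int(f[4])
        rules.append(rule)
    return rules


def decide(rules: List[Rule], client_ip: str, dest_port: int) -> str:
    """First rule whose masked address and port test both match wins; none => deny."""
    client = _ip(client_ip)
    for r in rules:
        if (client & r.mask) != (r.addr & r.mask):
            continue
        if r.port_op is not None and not PORT_OPS[r.port_op](dest_port, r.port):
            continue
        return r.action
    return "deny"   # assumption: no matching line means the request is refused


def permissive_permits(rules: List[Rule]) -> List[Rule]:
    """Lint for the pitfall the HOWTO warns about: 'permit x 0.0.0.0' matches every client."""
    return [r for r in rules if r.action == "permit" and r.mask == 0]


if __name__ == "__main__":
    rules = parse_sockd_conf(CIVILIAN_SOCKD_CONF)
    for ip, port in (("192.168.2.17", 23), ("192.168.2.30", 80), ("192.168.2.30", 23), ("10.0.0.5", 23)):
        print(ip, port, decide(rules, ip, port))
```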

  Ƥ꤬λޤַġפȡʼפΥͥåȥŬ
  ٤˸ʤʬΥޤǤߤʹˤʤǤ礦

  Ϥޤ礦

