








			  Firewall and Proxy Server HOWTO

		     Author: Mark Grennan, markg@netplus.net

		      Translator: tchao@worldnet.att.net

			      v0.4, 8 November 1996



				   Abstract

     v0.4, 8 November 1996. This document describes the basics of firewall
     systems and gives some details on setting up both a filtering firewall
     and a proxy server on a Linux based PC. An HTML version is available at
     http://okcforum.org/~markg/Firewall-HOWTO.html



1.  Introduction

The original Firewall HOWTO was written by David Rudder,
drig@execpc.com, and I would like to thank him for letting me update
his work.

Firewalls have recently gained great fame as the ultimate in Internet
security. Like most things that become famous, this fame has brought a
lot of misunderstanding with it. This HOWTO covers the basics of what a
firewall is, how to set one up, what a proxy server is, how to set up a
proxy server, and the uses of this technology outside the security
realm.

1.1  Feedback

Any feedback is very welcome. PLEASE REPORT ANY INACCURACIES IN THIS
DOCUMENT! I am human and prone to making mistakes; if you find any,
fixing them is in my best interest. Please try e-mail first; I do reply,
but if you get no answer from me, post to the newsgroup as well. My
address is markg@netplus.net.

If you find errors in the translation, please contact the translator
directly: (tchao@worldnet.att.net).

1.2  Disclaimer

I AM NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN
BASED ON THIS DOCUMENT. This document is meant as an introduction to
how firewalls and proxy servers work. I am not, nor do I pretend to be,
a security expert. I am just someone who has read too much and likes
computers more than most people. I am writing this to help people get
acquainted with the subject, and I am not ready to stake my life on the
accuracy of what is in here.

1.3  Copyright

(Translator's note: the copyright notice is left untranslated.)

Unless otherwise stated, Linux HOWTO documents are copyrighted by their
respective authors. Linux HOWTO documents may be reproduced and
distributed in whole or in part, in any medium physical or electronic,
as long as this copyright notice is retained on all copies. Commercial
redistribution is allowed and encouraged; however, the author would
like to be notified of any such distributions.


All translations, derivative works, or aggregate works incorporating any Linux
HOWTO documents must be covered under this copyright notice. That is, you may
not produce a derivative work from a HOWTO and impose additional restrictions
on its distribution. Exceptions to these rules may be granted under certain
conditions; please contact the Linux HOWTO coordinator.

In short, we wish to promote dissemination of this information through as many
channels as possible. However, we do wish to retain copyright on the HOWTO
documents, and would like to be notified of any plans to redistribute the HOWTOs.

If you have any questions, please contact Mark Grennan at <markg@netplus.net>.

1.4  My Reasons for Writing This

Even though there have been many discussions of firewalls on
comp.os.linux.* over the past year, I found it hard to find the
information I needed to set one up. This HOWTO is a summary of that
information. I based it on David Rudder's original Firewall HOWTO, and
I hope it gives you enough information to set up a working firewall in
a few hours and spares you a lot of the frustration I went through.

I also think this is a great way to give something back to the Linux
community.

1.5  TODO

    Configuring the client (for example Netscape)

    Find a UDP proxy that works with Linux

1.6  Further Readings

    The NET-2 HOWTO

    The Ethernet HOWTO

    The Multiple Ethernet mini HOWTO

    Networking with Linux

    The PPP HOWTO

    TCP/IP Network Administrator's Guide, published by O'Reilly and Associates

    The TIS Firewall Toolkit documentation

Trusted Information System (TIS) has a great collection of documents on
firewalling and related matters at http://www.tis.com/

I am also working on a project called Secure Linux. On the Secure Linux
web page I am collecting all the Linux security information, tools and
programs I can find. If you need help in this area, write to me.


2.  Understanding Firewalls

The term firewall is borrowed from a part of a car. In a car the
firewall is a physical barrier between the engine and the passengers;
it protects the passengers if the engine catches fire while still
letting the driver reach the engine's controls.

In computing, a firewall is a device that protects a private network
from the public part (the whole Internet). The firewall computer, from
now on called simply "the firewall", is connected to both the protected
network and the Internet. The protected network cannot reach the
Internet, and the Internet cannot reach the protected network.

For someone inside the protected network to reach the Internet, they
must telnet to the firewall and use the Internet from there.

The simplest form of firewall is a dual homed system (a system with two
network connections). If you can TRUST ALL your users, you can simply set
up a Linux box (compile its kernel with IP forwarding/gatewaying turned
OFF!) and give everyone on the network an account on it. They can then
log in to this system and telnet, FTP, read mail and use any other
service you provide. With this setup the only computer on your private
network that knows anything about the outside world is the firewall.
Nobody can download to their own workstation; they must first download
a file to the firewall and then copy it from the firewall to their
workstation.

Note that this kind of firewall only works if you trust every user on
the network completely, so I do not recommend it. It is also very
limiting.

2.1  Drawbacks with Firewalls

The problem with filtering firewalls is that they inhibit access to your
network from the Internet: only the services that the filters let
through can be reached. With a proxy server, users can log in to the
firewall and then reach any system inside the private network.

Also, new kinds of network clients and servers appear almost daily. You
have to find a new way of allowing controlled access before each of them
can be used.

2.2  Types of Firewalls

There are two types of firewall.

  1.  IP or filtering firewalls - block all but selected network traffic.

  2.  Proxy servers - make the network connections for you.

2.2.1  IP Filtering Firewalls

An IP filtering firewall works at the packet level. It is designed to
control the flow of packets based on the source address, destination
address, port and packet type information contained in each packet.

This type of firewall is very secure but lacks any useful logging. It
can stop people from reaching private systems, but it will not tell you
who reached your public systems or who reached the Internet from the
inside.

Filtering firewalls are absolute filters. Even if you want to give one
outside person access to your private servers, you cannot do so without
giving everyone access.

Linux has included packet filtering software in the kernel since
version 1.3.x.

2.2.2  Proxy Servers

Proxy servers allow indirect Internet access through the firewall. The
best example of how this works is a person who telnets to one system
and then telnets from there to another. With a proxy server the process
is automatic: when you connect to the proxy server with your client
software, the proxy server starts its own client (proxy) software and
passes the data back to you.

Because proxy servers duplicate all the communication, they can log
everything they do.

The great thing about proxy servers is that, when configured correctly,
they let nobody in through them: there is no direct IP route across
them.


3.  Setting up the Firewall

3.1  Hardware Requirements

For our example the computer is a 486-DX66 with 16 MB of memory and a
500 MB Linux partition. The system has two network cards, one connected
to our private LAN and the other to a LAN we call the de-militarized
zone (DMZ). A router on the de-militarized zone connects to the
Internet.

This is a pretty standard business setup, but you could also use one
network card and a modem connected to the Internet via PPP. The point is
that the firewall must have two IP addresses.

I know a lot of people have small home networks with two or three
computers. Try putting all the modems on the Linux box (an old 386 will
do) and using equalized (load balanced) routing to connect to the
Internet. With this setup, when you transfer a file both modems work at
once and the transfer speed goes up.


4.  Firewalling Software

4.1  Available Packages

If all you want is a filtering firewall, you only need Linux and the
basic networking packages. One package that may not be included with
your distribution is the IP Firewall Administration tool (IPFWADM),
available from http://www.xos.nl/linux/ipfwadm/

If you want to set up a proxy server you will need one of these
packages.

  1.  SOCKS

  2.  TIS Firewall Toolkit (FWTK)

4.2  The TIS Firewall Toolkit vs SOCKS

Trusted Information System (http://www.tis.com) has put out a
collection of programs designed to make firewalling easier. These
programs do basically the same thing as the SOCKS package, but with a
different design strategy. Where SOCKS has one program that covers all
Internet transactions, TIS provides one program for each utility that
wishes to use the firewall.

To contrast the two, take World Wide Web and Telnet access. With SOCKS
you set up one configuration file and one daemon; through them both
telnet and WWW work, as does any other service you have not disabled.

With the TIS toolkit you set up one daemon and one configuration file
each for WWW and telnet. After you have done this, other Internet access
is still prohibited until it is expressly set up. If a daemon for a
particular service (such as talk) is not available, there is a "plug-in"
daemon, but it is neither as flexible nor as easy to set up as the
others.

This may seem a minor difference, but it is a major one. SOCKS lets you
be sloppy: with a poorly set up SOCKS server, someone on the inside could
gain more access to the Internet than you intended. With the TIS toolkit
the people on the inside have only what the system administrator gives
them.

SOCKS is easier to set up, easier to compile and allows greater
flexibility. TIS is more secure if you want to regulate the users
inside the protected network. Both are designed to keep the outside
from getting in.

I will cover the installation and setup of both.


5.  Preparing the Linux System

5.1  Compiling the Kernel

Start with a clean, minimal installation of your Linux distribution (I
used RedHat 3.0.3 so I could use a few of its features). The less
software you have installed, the fewer open ports, holes and bugs there
are to introduce security problems on your server, so install only the
smallest set of packages you need.

Pick a stable kernel. I am using Linux kernel 2.0.14, so this document
is based on its settings.

Recompile the kernel with the appropriate options. If you have not
recompiled a kernel before, this is a good time to read the Kernel
HOWTO, the Ethernet HOWTO and the NET-2 HOWTO. The following are the
networking settings I use in make config.

  1.  Under General setup

	1.  Turn Networking Support ON

  2.  Under Networking Options

	1.  Turn Network firewalls ON

	2.  Turn TCP/IP Networking ON

	3.  Turn IP forwarding/gatewaying OFF (unless you want IP filtering)

	4.  Turn IP Firewalling ON

	5.  Turn IP firewall packet logging ON (not required, but useful)

	6.  Turn IP: masquerading OFF (not covered in this document)

	7.  Turn IP: accounting ON

	8.  Turn IP: tunneling OFF

	9.  Turn IP: aliasing OFF

       10.  Turn IP: PC/TCP compatibility mode OFF

       11.  Turn IP: Reverse ARP OFF

       12.  Turn Drop source routed frames ON

  3.  Under Network device support

	1.  Turn Network device support ON

	2.  Turn Dummy net driver support ON

	3.  Turn Ethernet (10 or 100Mbit) ON

	4.  Select your network card

Now recompile, reinstall the kernel and reboot. Your network card(s)
should show up in the boot messages. If they do not, go over the other
HOWTOs again until they do.

5.2  Configuring Two Network Cards

If you have two network cards in your computer, you will most likely
have to add an append statement to /etc/lilo.conf describing the IRQ
and address of both cards. In my lilo.conf the line looks like this:

	 append='ether=12,0x300,eth0 ether=15,0x340,eth1'

5.3  Configuring the Network Addresses

This is the interesting part, and you have a few decisions to make. Since
we do not want the Internet to reach any part of the private network, we
do not need to use real addresses. A number of Internet address ranges
are set aside for private networks; everyone needs more addresses and
these ranges cannot be routed on the Internet, so they are a good
choice. Of these, 192.168.2.xxx is a reserved range and we will use it
in our examples.

Your proxy server is a member of both networks, so it can pass data to
and from the private network.

		 199.1.2.10   __________    192.168.2.1
	  _  __  _	  \ |	      | /	  _______________
	| \/  \/ |	       \|	 |/	     |		  |
	|  Internet  \-----------| Firewall |-----------------| Workstation/s |
	  \_/\_/\_/\_/		|__________|	      |______________|


If you are going to use a filtering firewall you can still use these
addresses, but you will need IP masquerading to make it work. The
firewall then forwards the packets and rewrites them with its own
"real" IP address before they go out onto the Internet.

Assign the real IP address to the Internet (outside) side of the
firewall and 192.168.2.1 to the Ethernet on the inside. This is your
proxy/IP address. All other machines on the protected network can use
any address in the range 192.168.2.xxx (192.168.2.2 through
192.168.2.254). Under RedHat Linux, to configure the network at boot
time you need to add an ifcfg-eth1 file in the
/etc/sysconfig/network-scripts directory so that the interface and its
routing are set up when the system starts. The ifcfg-eth1 parameters
can be set as follows:

	 #!/bin/sh
	 #>>>Device type: ethernet
	 #>>>Variable declarations:
	 DEVICE=eth1
	 IPADDR=192.168.2.1
	 NETMASK=255.255.255.0
	 NETWORK=192.168.2.0
	 BROADCAST=192.168.2.255
	 GATEWAY=199.1.2.10
	 ONBOOT=yes
	 #>>>End variable declarations


You can also use these scripts to connect your modem to your ISP
automatically; look at the ifup-ppp script. If you use a modem to reach
the Internet, your ISP assigns the outside IP address when you connect.

5.4  Testing Your Network

Start with ifconfig and route. With two network cards, the output of
ifconfig should look something like this:

       #ifconfig
       lo	 Link encap:Local Loopback
		 inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
		 UP BROADCAST LOOPBACK RUNNING	MTU:3584  Metric:1
		 RX packets:1620 errors:0 dropped:0 overruns:0
		 TX packets:1620 errors:0 dropped:0 overruns:0

       eth0	 Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
		 inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
		 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
		 RX packets:0 errors:0 dropped:0 overruns:0
		 TX packets:0 errors:0 dropped:0 overruns:0
		 Interrupt:12 Base address:0x310

       eth1	 Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
		 inet addr:192.168.2.1	Bcast:192.168.2.255  Mask:255.255.255.0
		 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
		 RX packets:0 errors:0 dropped:0 overruns:0
		 TX packets:0 errors:0 dropped:0 overruns:0
		 Interrupt:15 Base address:0x350


and the routing table should look like this:

     #route -n
     Kernel routing table
     Destination   Gateway   Genmask	Flags  MSS  Window  Use  Iface
     199.1.2.0	   *	   255.255.255.0   U   1500   0      15 eth0
     192.168.2.0   *	   255.255.255.0   U   1500   0       0 eth1
     127.0.0.0	   *	   255.0.0.0	  U   3584   0	     2 lo
     default	  199.1.2.10   *	  UG  1500   0	     72 eth0

Note that 199.1.2.0 is the Internet side of the firewall and
192.168.2.0 is the private side.

Now try to ping the Internet from the firewall. I used nic.ddn.mil as
my test point. It is still a good test, but it has proven less reliable
than I had hoped. If it does not work at first, try pinging a couple of
other places that are not on your LAN. If that fails, your PPP is set up
incorrectly; reread the NET-2 HOWTO and try again.

Next, from the firewall, ping a host inside the protected network. All
the machines should be able to ping each other. If they cannot, go over
the NET-2 HOWTO again.

Now try pinging the outside world from a host inside the protected
network (anything with a 192.168.2.xxx address). If this works, IP
forwarding is not turned off. Make sure that is what you want; if you
leave it on, you must also go through the IP filtering section of this
document. Then try pinging the Internet from the inside, using the same
address as before (for example nic.ddn.mil). If IP forwarding is on you
should be able to ping out; if it is off, you should not.

If you have IP forwarding turned on and you are using real IP addresses
inside the private network (not 192.168.2.*), and you can ping the
Internet side of the firewall but not the Internet itself, check whether
the next router upstream routes packets for your private network
address (your ISP may have to do this for you). If you assigned the
protected network to 192.168.2.*, no packets can be routed back to it.
If you skipped that and are using IP masquerading, it will work. You now
have your basic system set up.

5.5  Securing the Firewall

A firewall is no good if it is left wide open to attack. A "bad guy"
could get into the firewall and modify it for his own needs. You must
turn off every service you do not need. Look in /etc/inetd.conf. This
file configures inetd, the "super server", which controls a number of
server daemons and starts them on demand. Definitely turn off netstat,
systat, tftp, bootp and finger. To turn a service off, put # as the
first character of its line. When you are done, send a SIG-HUP to inetd
by typing 'kill -HUP <pid>', where <pid> is the process number of inetd.
This makes inetd re-read its configuration file (inetd.conf) and
restart. Test it by telneting to port 15 on the firewall, the netstat
port. If you get any output, you have not turned the service off.
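As an added example (this is not part of the HOWTO and not code from TIS or RedHat), the following Python script performs the check described above offline: it parses an inetd.conf, reports which of the services this section names are still enabled, and produces the same file with those entries commented out. The inetd.conf text embedded in it is constructed for the example, and the script assumes the usual six-field entry layout (name, socket type, protocol, wait flag, user, server).

```python
"""Audit an inetd.conf for services that section 5.5 says to switch off."""

# Services the section names. bootp is spelled "bootps" in many files,
# so both spellings are listed.
RISKY = {"netstat", "systat", "tftp", "bootp", "bootps", "finger"}

# Constructed sample file, not copied from any real host.
SAMPLE_INETD_CONF = """\
# inetd.conf sample
ftp      stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
finger   stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
#netstat stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
systat   stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
tftp     dgram   udp  wait    root   /usr/sbin/tcpd  in.tftpd
"""


def enabled_services(text):
    """Map each uncommented entry to (socket type, protocol, user, server path)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue          # blank or commented out: inetd ignores it
        fields = line.split()
        if len(fields) < 6:
            continue          # too short to be an entry; inetd would complain
        name, socktype, proto, _wait, user, server = fields[:6]
        found[name] = (socktype, proto, user, server)
    return found


def audit(text):
    """Split the enabled services into (risky, other) sorted name lists."""
    enabled = enabled_services(text)
    risky = sorted(name for name in enabled if name in RISKY)
    other = sorted(name for name in enabled if name not in RISKY)
    return risky, other


def disable(text, names):
    """Return the file with the named services commented out, as 5.5 describes."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if fields and not raw.lstrip().startswith("#") and fields[0] in names:
            raw = "#" + raw
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    risky, other = audit(SAMPLE_INETD_CONF)
    print("still enabled and risky:", risky)
    print("still enabled, review:  ", other)
    hardened = disable(SAMPLE_INETD_CONF, risky)
    print("after disabling, risky: ", audit(hardened)[0])
    # Then send inetd a SIG-HUP and try "telnet firewall 15" as the text says.
```

Run it against a copy of the real /etc/inetd.conf by reading the file into the audit function; the "other" list is worth reviewing too, since anything left in it is an entry point the firewall will expose.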


6.  IP Filtering Setup (IPFWADM)

To start, you should have IP forwarding turned on in the kernel and your
system should be forwarding everything. The routing tables should be set
and you should be able to reach every machine from the outside and from
the inside. But we are building a firewall, so we must make it a little
harder to get at.

On my system I created a few scripts to set the forwarding and
accounting policy. I call these scripts from the /etc/rc.d files so
that the system starts up set the way I want.

By default the Linux IP forwarding system forwards everything. Because
of this, your firewall script should start by denying access to
everything and flushing any ipfw rules left from the last time it was
run. The following script does this.

       #
       # setup IP packet Accounting and Forwarding
       #
       #   Forwarding
       #
       # By default DENY all services
       ipfwadm -F -p deny
       # Flush all commands
       ipfwadm -F -f
       ipfwadm -I -f
       ipfwadm -O -f


We now have the ultimate firewall: nothing can get through in either
direction. But you surely need some services, so here are a few examples
to help you.

       # Forward email to your server (196.1.2.10 is the inside mail server)
       ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25

       # Forward email connections from your server to outside email servers
       # (the server's ephemeral ports are the source, the remote port 25 the destination)
       ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 1024:65535 -D 0.0.0.0/0 25

       # Forward Web connections to your Web Server (196.1.2.11)
       /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80

       # Forward Web connections from the inside network to outside Web Servers
       # (ipfwadm takes address/mask, not wildcards, so 196.1.2.* is written 196.1.2.0/24)
       /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 1024:65535 -D 0.0.0.0/0 80

       # Forward DNS traffic
       /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24


If you are interested in accounting for the traffic through your
firewall, the following script counts all packets.


       # Flush the current accounting rules
       /sbin/ipfwadm -A -f
       # Accounting: count traffic in both directions on both interfaces
       /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
       /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
       /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
       /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24

If all you need is a filtering firewall, you can stop here. Enjoy!
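As an added example, not taken from the HOWTO or from the ipfwadm distribution, the following Python script parses a rule set written in the ipfwadm syntax used in this section and evaluates sample packets against it, so you can see what a policy actually lets through before loading it on the firewall. The rule set embedded in it is constructed for the example: it assumes 196.1.2.10 is the inside mail server and 196.1.2.11 the inside web server, and it writes the outbound mail and web rules with the inside client's ephemeral ports as the source and the remote service port as the destination. The last sample packet shows a limitation of a stateless filter: a -b rule keyed on destination port 80 also accepts any outside packet that carries source port 80 and is aimed at a high port inside.

```python
"""Evaluate an ipfwadm -F (forwarding) rule set against sample packets."""
import ipaddress
import shlex

# Constructed rule set in the style of section 6 (assumed addresses, see lead-in).
RULESET = """
ipfwadm -F -p deny
ipfwadm -F -f
# inbound mail to our server, outbound mail from it
ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25
ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 1024:65535 -D 0.0.0.0/0 25
# inbound web to our server, outbound web from any inside host
/sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80
/sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 1024:65535 -D 0.0.0.0/0 80
# DNS answers from anywhere to the inside
/sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_ports(tokens):
    """Pop port specs such as '25' or '1024:65535' that follow an address."""
    ranges = []
    while tokens and not tokens[0].startswith("-"):
        lo, _, hi = tokens.pop(0).partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_ruleset(text):
    """Return (policy, rules) for the -F chain: -p sets policy, -f flushes, -a appends."""
    policy, rules = "accept", []        # ipfwadm's built-in default policy is accept
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or not tokens[0].endswith("ipfwadm") or "-F" not in tokens:
            continue
        tokens = tokens[tokens.index("-F") + 1:]
        rule = {"proto": "all", "bidir": False,
                "src": ANY, "sports": [], "dst": ANY, "dports": []}
        action = None
        while tokens:
            flag = tokens.pop(0)
            if flag == "-p":
                policy = tokens.pop(0)
            elif flag == "-f":
                rules = []
            elif flag == "-a":
                action = tokens.pop(0)
            elif flag == "-b":
                rule["bidir"] = True
            elif flag == "-P":
                rule["proto"] = tokens.pop(0)
            elif flag in ("-S", "-D"):
                net = ipaddress.ip_network(tokens.pop(0), strict=False)
                ports = _take_ports(tokens)
                key = "src" if flag == "-S" else "dst"
                rule[key], rule[key[0] + "ports"] = net, ports
        if action:
            rule["action"] = action
            rules.append(rule)
    return policy, rules


def _matches(rule, proto, src, sport, dst, dport):
    def port_ok(port, ranges):
        return not ranges or any(lo <= port <= hi for lo, hi in ranges)
    return (rule["proto"] in ("all", proto)
            and src in rule["src"] and port_ok(sport, rule["sports"])
            and dst in rule["dst"] and port_ok(dport, rule["dports"]))


def decide(policy, rules, proto, src, sport, dst, dport):
    """First matching rule wins; a -b rule also matches with the two ends swapped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, proto, src, sport, dst, dport) or (
                rule["bidir"] and _matches(rule, proto, dst, dport, src, sport)):
            return rule["action"]
    return policy


POLICY, RULES = parse_ruleset(RULESET)


def forward(proto, src, sport, dst, dport):
    """Verdict for one forwarded packet under the constructed rule set."""
    return decide(POLICY, RULES, proto, src, sport, dst, dport)


if __name__ == "__main__":
    samples = [
        ("tcp", "10.0.0.5", 40000, "196.1.2.10", 25),    # mail in: accept
        ("tcp", "10.0.0.5", 40000, "196.1.2.10", 23),    # telnet in: deny
        ("tcp", "196.1.2.50", 3000, "10.0.0.80", 80),    # web out: accept
        ("tcp", "10.0.0.5", 80, "196.1.2.50", 40000),    # source port 80 inbound: accept
    ]
    for pkt in samples:
        print(pkt, "->", forward(*pkt))
```

Only the -F chain and the -p, -f, -a, -b, -P, -S and -D options are modelled here; the real tool also matches on interface and TCP flags, which you would need to add before trusting a script like this for more than a quick sanity check of a rule file.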


7.  Installing the TIS Proxy Server

7.1  Getting the Software

The TIS FWTK is available from ftp://ftp.tis.com/.

Do not make the mistake I made: when you fetch files from TIS, read the
READMEs. The TIS fwtk is kept in a hidden directory on their server. You
must send e-mail to fwtk-request@tis.com with only the word SEND in the
body of the message to learn the name of the hidden directory; the
Subject line is not needed. Their system mails the directory name back
to you, and it is valid for 12 hours, during which you can download the
source.

As I write this, the newest FWTK is version 2.0 (beta). Apart from a few
small problems, it compiled and has worked fine for me and has been
quite stable, so I am going to document this version. When the final
release is out, this HOWTO will be updated.

To install the FWTK, create a fwtk-2.0 directory under /usr/src. Move
the FWTK archive (fwtk-2.0.tar.gz) into this directory and unpack it
(tar zxf fwtk-2.0.tar.gz).

The FWTK does not proxy SSL web documents, but Jean-Christophe Touvet
has written an add-on for it, available from
ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z. Eric Wedel has
written a modified version that adds access to Netscape's secure news
servers; it is available from
ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z. In the
examples below I use Eric Wedel's version.

To install it, just create an ssl-gw directory under /usr/src/fwtk-2.0
and move the files into it.

When I installed this gateway it needed a few changes before it would
compile with the rest of the toolkit. The first was to the ssl-gw.c
file, which was missing an include:

       #if defined(__linux)
       #include        <sys/ioctl.h>
       #endif


Second, it did not come with a Makefile. I copied one of the other
gateways' Makefiles and changed the name to ssl-gw.

7.2  Compiling the TIS FWTK

Version 2.0 of the FWTK compiles much more easily than earlier versions,
but a few things still had to be changed before the BETA would compile.
Hopefully these changes will be made in the final release.

To make the changes, go to the /usr/src/fwtk/fwtk directory and copy
Makefile.config.linux over Makefile.config. DO NOT just run FIXMAKE as
the instructions tell you; doing so breaks every Makefile in each of
the directories.

I fixed fixmake instead. The problem is that its sed command adds a
"." and a "\" to every include line in each Makefile. Here is the
change I made:

       sed 's/^include[        ]*\([^  ].*\)/include \1/' $name .proto > $name


Now edit Makefile.config. There are two changes you may need to make.
The author has set the source directory to his home directory; we are
compiling in /usr/src, so change the FWTKSRCDIR variable to reflect
this:
       FWTKSRCDIR=/usr/src/fwtk/fwtk


Some Linux systems use the gdbm database, while Makefile.config uses
dbm. You may need to change this; I had to for RedHat 3.0.3:

       DBMLIB=-lgdbm


Last, the x-gw. In the BETA version's socket.c the following lines must
be removed:

       #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
			    + sizeof(un_name->sun_len) + 1
       #endif


If you added ssl-gw to your FWTK directory, you also need to add ssl-gw
to the list of directories in the Makefile:

       DIRS=   smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw


With those changes made, run make.

7.3  Installing the TIS FWTK

Run make install.

The default installation directory is /usr/local/etc. You could change
this to a more secure directory; I did not, but I changed the access
mode of the directory to chmod 700. All that is left now is to
configure the firewall.

7.4  Configuring the TIS FWTK

Now the fun begins. We must teach the system to call these new services
and create the tables that control them.

I am not going to rewrite the TIS FWTK manual here. I will show the
settings I found worked for me and explain the problems I ran into and
how I solved them. Three files make up these controls.


    /etc/services

	 Tells the system what port a service is on


    /etc/inetd.conf

	 Tells inetd what to run when someone knocks on a port


    /usr/local/etc/netperm-table

	 Tells the FWTK services who to allow and who to deny

To get the FWTK working, edit these files from the bottom of this list
up. Editing the services file without having inetd.conf and
netperm-table set up correctly could make your system unreachable.

7.4.1  The netperm-table File

This file controls who can use the services of the TIS FWTK. Think
about the traffic using the firewall from both sides: people outside
your network should identify themselves before they get access, while
people on the inside may be allowed to pass straight through.

So that people can identify themselves, the firewall uses a program
called authsrv, which keeps a database of user IDs and passwords. The
authentication section of netperm-table controls where the database is
kept and who may use it.

I had some trouble closing off access to this service. Note that the
permit-hosts line below uses '*' to give everyone access. The correct
setting for this line would be "authsrv: permit-hosts localhost", but I
could not get it to work that way.
       #
       # Proxy configuration tableG  NzA]m
       #
       # Authentication server and client rules
       authsrv:     database /usr/local/etc/fw-authdb
       authsrv:     permit-hosts *
       authsrv:     badsleep 1200
       authsrv:     nobogus true
       # Client Applications using the Authentication server
       *:      authserver 127.0.0.1 114


To initialize the database, become root, go to /var/local/etc and run
./authsrv to create the administrator's record. A sample session
follows. Read the FWTK documentation to learn how to add users and
groups.

	 #
	 # authsrv
	 authsrv# list
	 authsrv# adduser admin 'Auth DB admin'
	 ok - user added initially disabled
	 authsrv# ena admin
	 enabled
	 authsrv# proto admin pass
	 changed
	 authsrv# pass admin 'plugh'
	 Password changed.
	 authsrv# superwiz admin
	 set wizard
	 authsrv# list
	 Report for users in database
	 user	group  longname 	  ok?	 proto	 last
	 ------ ------ ------------------ -----  ------  -----
	 admin	       Auth DB admin	  ena	 passw	 never
	 authsrv# display admin
	 Report for user admin (Auth DB admin)
	 Authentication protocol: password
	 Flags: WIZARD
	 authsrv# ^D
	 EOT
	 #


The telnet gateway (tn-gw) controls are straightforward and are the
first you should set up.

In my example I permit hosts inside the private network (196.1.2.*) to
pass through without authenticating (permit-hosts 196.1.2.* -passok),
while any other user must enter a user ID and password to use the proxy
(permit-hosts * -auth).

I also allow one other system (196.1.2.202) to reach the firewall
directly; the netacl-in.telnetd line does this, and I will explain how
it gets called later. The telnet timeout should be kept short.

       # telnet gateway rules:
       tn-gw:	    denial-msg	   /usr/local/etc/tn-deny.txt
       tn-gw:	    welcome-msg    /usr/local/etc/tn-welcome.txt
       tn-gw:	    help-msg  /usr/local/etc/tn-help.txt
       tn-gw:	    timeout 90
       tn-gw:	    permit-hosts 196.1.2.* -passok -xok
       tn-gw:	    permit-hosts * -auth
       # Only the Administrator can telnet directly to the Firewall via Port 24
       netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd


The r-commands are set up the same way as telnet.

       # rlogin gateway rules:
       rlogin-gw:   denial-msg	   /usr/local/etc/rlogin-deny.txt
       rlogin-gw:   welcome-msg    /usr/local/etc/rlogin-welcome.txt
       rlogin-gw:   help-msg  /usr/local/etc/rlogin-help.txt
       rlogin-gw:   timeout 90
       rlogin-gw:   permit-hosts 196.1.2.* -passok -xok
       rlogin-gw:   permit-hosts * -auth -xok
       # Only the Administrator can rlogin directly to the Firewall
       netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a


Nobody should be accessing your firewall directly, and that includes
FTP, so do not run an FTP server on the firewall.

Again, the permit-hosts line allows anyone in the protected network free
access to the Internet, while all others must authenticate themselves. I
also log every file sent and received (-log { retr stor }). The ftp
timeout controls how long it takes to drop a bad connection and how long
an idle connection stays open.

       # ftp gateway rules:
       ftp-gw:	    denial-msg	   /usr/local/etc/ftp-deny.txt
       ftp-gw:	    welcome-msg    /usr/local/etc/ftp-welcome.txt
       ftp-gw:	    help-msg  /usr/local/etc/ftp-help.txt
       ftp-gw:	    timeout 300
       ftp-gw:	    permit-hosts 196.1.2.* -log { retr stor }
       ftp-gw:	    permit-hosts * -authall -log { retr stor }


Web, gopher and browser-based ftp are controlled by http-gw. The first
two lines create a directory where ftp and web documents are stored as
they pass through the firewall. In this example the files are owned by
root and only root can enter the directory.

The WWW timeout should be short; it controls how long the user waits on
a bad connection.

       # www and gopher gateway rules:
       http-gw:     userid	   root
       http-gw:     directory /jail
       http-gw:     timeout 90
       http-gw:     default-httpd  www.afs.net
       http-gw:     hosts	   196.1.2.* -log { read write ftp }
       http-gw:     deny-hosts	   *


The ssl-gw is really just a pass-anything gateway, so be careful with
it. In this example I allow anyone inside the protected network to
connect to any server outside the network except the addresses
127.0.0.* and 192.1.1.*, and then only on ports 443 through 563. Ports
443 through 563 are the known SSL ports.

       # ssl gateway rules:
       ssl-gw:	 timeout 300
       ssl-gw:	 hosts		 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
       ssl-gw:	 deny-hosts	 *


Here is an example of using plug-gw to allow connections to a news
server. In this example anyone inside the protected network may connect
to one system only, and only to its news port. The second line allows
the news server to pass its data back to the protected network. Because
most clients wait while the user reads news, the timeout for the news
server should be long.


       # NetNews plugged gateway
       plug-gw:        timeout 3600
       plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
       plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp


The finger gateway is simple. Anyone inside the protected network gets
the real finger program on the firewall; anyone else just gets the
message in finger.txt.

       # Enable finger service
       netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
       netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt


I have not set up the Mail and X-Windows services in this HOWTO, so I
am not including examples. If anyone has a working example, please
send me e-mail.

7.4.2  The /etc/inetd.conf File

Now we need to add the new services to /etc/inetd.conf. Here is the part
of my file that controls these services. I have commented out the
standard services; we only want the proxies to be the entry point into
the network.


       #echo   stream	 tcp  nowait  root	  internal
       #echo   dgram	 udp  wait    root   internal
       #discard 	 stream    tcp	nowait	root   internal
       #discard 	 dgram	   udp	wait	root   internal
       #daytime 	 stream    tcp	nowait	root   internal
       #daytime 	 dgram	   udp	wait	root   internal
       #chargen 	 stream    tcp	nowait	root   internal
       #chargen 	 dgram	   udp	wait	root   internal
       # FTP firewall gateway
       ftp-gw	   stream  tcp	nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
       # Telnet firewall gateway
       telnet  stream  tcp  nowait	root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
       # local telnet service (the administrator's direct login, see /etc/services)
       telnet-a    stream  tcp	nowait	    root  /usr/local/etc/netacl in.telnetd
       # Gopher firewall gateway
       gopher  stream  tcp  nowait.400	root  /usr/local/etc/http-gw /usr/local/etc/http-gw
       # WWW firewall gateway
       http    stream  tcp  nowait.400	root  /usr/local/etc/http-gw /usr/local/etc/http-gw
       # SSL firewall gateway
       ssl-gw  stream  tcp     nowait  root /usr/local/etc/ssl-gw   ssl-gw
       # NetNews firewall proxy (using plug-gw)
       nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
       #nntp   stream	 tcp  nowait	root /usr/sbin/tcpd in.nntpd
       # SMTP (email) firewall gateway
       #smtp   stream  tcp    nowait  root    /usr/local/etc/smap smap
       #
       # Shell, login, exec and talk are BSD protocols
       #
       #shell  stream	 tcp  nowait	root /usr/sbin/tcpd in.rshd
       #login  stream	 tcp  nowait	root /usr/sbin/tcpd in.rlogind
       #exec   stream	 tcp  nowait	root /usr/sbin/tcpd in.rexecd
       #talk   dgram	 udp  wait root /usr/sbin/tcpd in.talkd
       #ntalk  dgram	 udp  wait root /usr/sbin/tcpd in.ntalkd
       #dtalk  stream	 tcp  wait nobody    /usr/sbin/tcpd in.dtalkd
       #
       # Pop and imap mail services et al
       #
       #pop-2	stream	tcp  nowait  root  /usr/sbin/tcpd   ipop2d
       #pop-3	stream	tcp  nowait  root  /usr/sbin/tcpd   ipop3d
       #imap	stream	tcp  nowait  root  /usr/sbin/tcpd   imapd
       #
       # The Internet UUCP service
       #
       #uucp	stream	tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
       #
       # Tftp service is provided primarily for booting.  Most sites
       # run this only on machines acting as 'boot servers.' Do not uncomment
       # this unless you *need* it.
       #
       #tftp   dgram	 udp  wait root /usr/sbin/tcpd in.tftpd
       #bootps dgram	 udp  wait root /usr/sbin/tcpd bootpd
       #
       # Finger, systat and netstat give out user information which may be
       # valuable to potential "system crackers."  Many sites choose to disable
       # some or all of these services to improve security.
       #
       # cfinger is for GNU finger, which is currently not in use in RHS Linux
       #
       # finger goes through netacl so the netacl-fingerd rules in netperm-table apply
       finger  stream	 tcp  nowait  root   /usr/local/etc/netacl  fingerd
       #cfinger      stream   tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
       #systat stream	 tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
       #netstat     stream    tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
       #
       # Time service is used for clock synchronization.
       #
       #time   stream	 tcp  nowait  root  /usr/sbin/tcpd  in.timed
       #time   dgram	 udp  wait    root  /usr/sbin/tcpd  in.timed
       #
       # Authentication
       #
       auth	     stream  tcp  wait	  root	/usr/sbin/tcpd	in.identd -w -t120
       authsrv stream	 tcp  nowait  root  /usr/local/etc/authsrv authsrv
       #
       # End of inetd.conf

7.4.3  /etc/services

This is where it all begins. When a client connects to the firewall it
connects on a known port (below 1024); telnet, for example, uses port
23. The inetd daemon hears the connection and looks up the name of the
service in /etc/services, then runs the program assigned to that name in
/etc/inetd.conf.

Some of the services we are creating are not normally in /etc/services,
and you can assign some of them to any port you like. For example, I
assigned the administrator's telnet (telnet-a) to port 24; it could just
as well be 2323. For you, the administrator, to connect directly to the
firewall, you must telnet to port 24, not 23, and if you set up your
netperm-table as I did you can only do this from one system inside the
protected network.


       telnet-a 	24/tcp
       ftp-gw	       21/tcp	      # this name changed
       auth	       113/tcp	 ident	  # User Verification
       ssl-gw		443/tcp

8.  The SOCKS Proxy Server

8.1  Setting Up the Proxy Server

The SOCKS proxy server is available from
ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-src.tgz.
There is also an example configuration file called 'socks-conf' in that
directory. Uncompress and untar the files into a directory on your
system and follow the instructions on how to build it. I had a couple of
problems when I built it; make sure your Makefiles are correct.

One important thing to note is that the proxy server must be added to
/etc/inetd.conf. Add the line:

       socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd


so that the server runs when it is requested.

8.2  Configuring the Proxy Server

SOCKS needs two separate configuration files, one that says what access
is allowed and one that routes requests to the appropriate proxy
server. The access file lives on the server. The routing file lives on
every UNIX machine; DOS and, presumably, Macintosh computers do their own
routing.

8.2.1  The Access File

With socks4.2 (beta) the access file is called 'sockd.conf'. It should
contain at least two lines, a permit line and a deny line. Each line has
three entries:

    The identifier (permit/deny)

    The IP address

    The address modifier

The identifier is either permit or deny. You should have both a permit
and a deny line.

The IP address is a four byte address in the usual IP dotted notation,
e.g. 192.168.2.0. The address modifier is also a four byte IP address
and works like a netmask: think of it as 32 bits. Where a bit is 1, the
corresponding bit of the address being checked must match the
corresponding bit of the IP address field. For example, the line:

	 permit 192.168.2.23  255.255.255.255

permits only the address that matches every bit, i.e. only
192.168.2.23. The line:

	 permit 192.168.2.0  255.255.255.0


permits every address from 192.168.2.0 through 192.168.2.255, the whole
class C network. You should not have the line:

	 permit 192.168.2.0  0.0.0.0


as this permits every address, regardless.

So first permit every address you want to allow, then deny everything
else. To allow everyone in the domain 192.168.2.xxx, the lines:

	 permit 192.168.2.0  255.255.255.0
	 deny 0.0.0.0  0.0.0.0









work nicely. Note the first '0.0.0.0' in the deny line: with a modifier
of 0.0.0.0 the IP address field does not matter, and all zeros is the
convention because it is easy to type. More than one line of each kind
is allowed.

Before relying on the mask convention described above, check the
sockd.conf(5) page shipped with your SOCKS version: the SOCKS 4.2
distribution documents the mask the other way round (a 0 bit in the
mask means the corresponding address bit must match, so 0.0.0.0 is an
exact match and 255.255.255.255 matches everything), and its own
examples end with 'deny 0.0.0.0 255.255.255.255'. Whichever convention
your version uses, end the file with an explicit deny-everything line
rather than relying on the server's default.

Specific users can also be granted or denied access, by means of ident
authentication. Not all systems support ident, Trumpet Winsock among
them, so I will not go into it here; the documentation that comes with
socks covers it quite adequately.

8.2.2  The Routing File

The SOCKS routing file is called 'socks.conf', a name easily confused
with the access file. The routing file tells the SOCKS clients when to
use socks and when not to. For instance, on our network 192.168.2.3
does not need socks to talk to 192.168.2.1, the firewall; it has a
direct Ethernet connection. The loopback address 127.0.0.1 is defined
automatically, since you do not need SOCKS to talk to yourself. There
are three kinds of entry:

    deny

    direct

    sockd

Deny tells SOCKS when to reject a request. The entry has the same three
fields as in sockd.conf: identifier, IP address and modifier. Generally,
since this is also handled by sockd.conf, the access file, the modifier
is set to 0.0.0.0. If you want to stop yourself from calling somewhere,
you can do it here.

The direct entry lists the addresses for which socks is not used, that
is, everything reachable without the proxy server. Again there are three
fields: identifier, address and modifier. In our example:

	 direct 192.168.2.0 255.255.255.0

The sockd entry tells the client machine which host runs the socks
server daemon. The syntax is:

       sockd @=<serverlist> <IP address> <modifier>

Note the @= entry. It lets you list the IP addresses of several proxy
servers; in our example we only use one, but you can have several to
spread the load and for redundancy in case one fails.

The IP address and modifier fields work just as in the other examples.

8.2.3  DNS from Behind a Firewall

Setting up Domain Name Service from behind a firewall is fairly simple.
You need only set up DNS on the firewall machine, then configure each
machine behind the firewall to use that DNS.

8.3  Working With a Proxy Server

8.3.1  Unix

For your applications to work with the proxy server they must be
'sockified'. You need two different telnets, one for direct
communication and one for communication via the proxy server. SOCKS
comes with instructions on how to sockify a program, as well as a few
pre-sockified programs. If you use the sockified version to go somewhere
direct, SOCKS automatically switches to the direct version for you.
Because of this, rename all the programs on your protected network and
replace them with the sockified programs: 'finger' becomes
'finger.orig', 'telnet' becomes 'telnet.orig', and so on. You tell SOCKS
about each of these through the include/socks.h file.

Certain programs handle routing and sockifying themselves; Netscape is
one of them. To use a proxy server under Netscape, enter the server's
address (192.168.2.1 in our case) in the SOCKS field under Proxies.
Every application needs at least a little fiddling, whatever way it
handles a proxy server.

8.3.2  MS Windows with Trumpet Winsock

Trumpet Winsock has built-in proxy server support. In the 'setup' menu,
enter the IP address of the server as well as the addresses of all the
computers reachable directly. Trumpet then handles all outgoing packets.









8.3.3  Getting the Proxy Server to Work with UDP Packets

The SOCKS package works only with TCP packets, not UDP, which makes it
somewhat less useful: many useful programs, such as talk and Archie, use
UDP. There is a package called UDPrelay, by Tom Fitzgerald
<fitz@wang.com>, designed to proxy UDP packets. Unfortunately, at the
time of writing it is not compatible with Linux.

8.4  Drawbacks with Proxy Servers

The proxy server is, above all, a security device. Using it to stretch a
limited set of IP addresses has many drawbacks. A proxy server allows
greater access from inside the protected network to the outside, but
keeps the inside completely unreachable from the outside. That means no
servers, no talk or archie connections, and no direct mail to the inside
computers. These drawbacks may seem slight, but think of it this way:

    You have left a report you are working on on your computer inside a
    firewall-protected network. You are at home and decide you would
    like to go over it. You cannot: you cannot reach your computer
    because it is behind the firewall. You try to log in to the firewall
    first, but since everyone has proxy server access, nobody has set up
    an account for you on it.

    Your daughter goes to college. You want to e-mail her. You have some
    private things to talk about and would rather have your mail go
    straight to your own machine. You trust your system administrator
    completely, but still, this is private mail.

    Not being able to use UDP is a big drawback of proxy servers. I
    imagine UDP support will come shortly.

FTP causes another problem with a proxy server. When getting a file or
doing an ls, the FTP server opens a socket on the client machine and
sends the information through it. A proxy server will not allow this,
so FTP does not particularly work.

And proxy servers are slow. Because of the extra overhead, almost any
other way of getting this access is faster.

Basically, if you have the IP addresses and are not worried about
security, do not use a firewall or proxy server. If you do not have the
IP addresses but are not worried about security either, look into an IP
emulator such as Term, Slirp or TIA. Term is available from
ftp://sunsite.unc.edu, Slirp from
ftp://blitzen.canberra.edu.au/pub/slirp, and TIA from marketplace.com.
These packages run faster, allow better connections and give the
Internet more access to the inside network. Proxy servers are good for
networks with a lot of hosts that want to connect to the Internet on
the fly, with one setup and little work after that.


9.  Advanced Configurations

There is one configuration I would like to go over before wrapping up.
The one outlined so far will probably suffice for most people, but the
next one shows a more advanced configuration that can clear up some
questions. If you have questions beyond what has been covered, or are
just interested in the versatility of proxy servers and firewalls, read
on.

9.1  A Large Network with Emphasis on Security

Say you have to network a site with 50 computers and a subnet of 32 IP
addresses. You need different levels of access within the network,
because people at different levels are told different things, so certain
parts of the network must be protected from the rest. The levels are:

  1.  The external level. This is what everybody gets to see; it is
      where you rant and rave to get new recruits.

  2.  Troop. This is the level of people who have got beyond the
      external level. Here they learn about the plans and how to make
      bombs.

  3.  Mercenary. Here the real plans are stored.

9.1.1  Network Setup

The IP addresses are arranged as follows:

    1 address, 192.168.2.255, is the broadcast address and is not
    usable.

    23 of the 32 IP addresses go to 23 machines that will be reachable
    from the Internet.

    1 extra IP address goes to a Linux box on that network.

    1 extra goes to a different Linux box on that network.










    2 IP addresses go to the router.

    4 are left over; give them domain names just to confuse things a
    bit.

    The protected networks both use the addresses 192.168.2.xxx.

Two separate networks are then built, each in a different room. They
are routed via infrared Ethernet, so they are completely invisible to
the outer room; luckily infrared Ethernet works just like normal
Ethernet. Each of these networks is connected to one of the Linux boxes
with an extra IP address.

A file server connects the two protected networks, because the plans
involve some of the higher Troops. The file server has the address
192.168.2.17 on the Troop network and 192.168.2.23 on the Mercenary
network. It needs two IP addresses because it has two Ethernet cards,
and IP forwarding on it is turned off.

IP forwarding on both Linux boxes is also turned off. The router will
not forward packets destined for 192.168.2.xxx unless explicitly told
to, so the Internet cannot get in. The reason for turning IP forwarding
off here is so that packets from the Troop network cannot reach the
Mercenary network, and vice versa.

The NFS server can also be set up to offer different files to the
different networks. This can come in handy, and a little trickery with
symbolic links lets the common files be shared with all. With this setup
and one more Ethernet card, a single file server can serve all three
networks.

9.1.2  Proxy Setup

Since all three levels want to monitor the network for their own
purposes, all three need Internet access. The external network is
connected directly to the Internet, so no proxy server is needed there.
The Mercenary and Troop networks are behind firewalls, so proxy servers
must be set up for them.

Both networks are set up very similarly; they have the same IP addresses
assigned to them. I will throw in a couple of extra requirements, just to
make things more interesting:

  1.  Nobody may use the file server for access to the Internet. That
      would expose the file server to viruses and other nasty things,
      and it is rather important, so it is off limits.

  2.  Troops get no access to the World Wide Web. They are in training,
      and this kind of information retrieval power might prove
      damaging.

So the sockd.conf file on the Troop Linux box has this line:

	 deny 192.168.2.17  255.255.255.255


and on the Mercenary machine:

	 deny 192.168.2.23  255.255.255.255


The Troop Linux box also has this line:

	 deny 0.0.0.0  0.0.0.0 eq 80

This denies access to every machine trying to reach port 80, the http
port. All other services are still allowed; only Web access is denied.
Then both files have:

	 permit 192.168.2.0  255.255.255.0


to allow all computers on the 192.168.2.xxx network to use the proxy
server except those already denied (the file server, and Web access
from the Troop network).

The Troop sockd.conf file looks like this:

	 deny 192.168.2.17  255.255.255.255
	 deny 0.0.0.0  0.0.0.0 eq 80
	 permit 192.168.2.0  255.255.255.0








and the Mercenary sockd.conf file looks like this:

	 deny 192.168.2.23  255.255.255.255
	 permit 192.168.2.0  255.255.255.0

This configures everything correctly. Each network is isolated as
required, with the proper amount of interaction, and everyone should be
happy.

Now go and take over the world!























































				   CONTENTS



1. Introduction
   1.1 Feedback
   1.2 Disclaimer
   1.3 Copyright
   1.4 My Reasons for Writing This
   1.5 TODO
   1.6 Further Readings

2. Understanding Firewalls
   2.1 Drawbacks with Firewalls
   2.2 Types of Firewalls

3. Setting up the Firewall
   3.1 Hardware Requirements

4. Firewalling Software
   4.1 Available Packages
   4.2 The TIS Firewall Toolkit vs SOCKS

5. Preparing the Linux System
   5.1 Compiling the Kernel
   5.2 Configuring Two Network Cards
   5.3 Configuring the Network Addresses
   5.4 Testing Your Network
   5.5 Securing the Firewall

6. IP Filtering Setup (IPFWADM)

7. Installing the TIS Proxy Server
   7.1 Getting the Software
   7.2 Compiling the TIS FWTK
   7.3 Installing the TIS FWTK
   7.4 Configuring the TIS FWTK

8. The SOCKS Proxy Server
   8.1 Setting Up the Proxy Server
   8.2 Configuring the Proxy Server
   8.3 Working With a Proxy Server
   8.4 Drawbacks with Proxy Servers

9. Advanced Configurations
   9.1 A Large Network with Emphasis on Security


