  Firewalling and Proxy Server HOWTO
  Mark Grennan, markg@netplus.net
  v0.4, 8 November 1996
  Japanese translation by isle@st.rim.or.jp (1997/03/26)

  This document describes the basic configuration of a firewall running
  on Linux, and goes into some detail on setting up a packet filtering
  firewall and a proxy firewall on a Linux-based PC. An HTML version of
  this document is available at
  http://okcforum.org/~markg/Firewall-HOWTO.html.
  ______________________________________________________________________

  Table of Contents

  1. Introduction
     1.1 Feedback
     1.2 Disclaimer
     1.3 Copyright
     1.4 My Reasons for Writing This
     1.5 TODO
     1.6 Further Readings

  2. Understanding Firewalls
     2.1 Types of Firewalls
        2.1.1 IP Filtering Firewalls
        2.1.2 Proxy Servers

  3. Setting up the Firewall
     3.1 Hardware Requirements

  4. Firewall Software
     4.1 Available Packages
     4.2 The TIS Firewall Toolkit vs SOCKS

  5. Preparing the Linux System
     5.1 Compiling the Kernel
     5.2 Configuring Two Network Cards
     5.3 Configuring the Network Addresses
     5.4 Testing Your Network
     5.5 Securing the Firewall

  6. IP Filtering Setup (IPFWADM)
     6.1 Weaknesses of Filtering Firewalls

  7. Installing the TIS Proxy Server
     7.1 Getting the Software
     7.2 Compiling the TIS FWTK
     7.3 Installing the TIS FWTK
     7.4 Configuring the TIS FWTK
        7.4.1 The netperm-table File
        7.4.2 The inetd.conf File
        7.4.3 The /etc/services File

  8. The SOCKS Proxy Server
     8.1 Setting up the Proxy Server
     8.2 Configuring the Proxy Server
        8.2.1 The Access File
        8.2.2 The Routing File
     8.3 Working with a Proxy Server
        8.3.1 Unix
        8.3.2 MS Windows with Trumpet Winsock
        8.3.3 The Proxy Server and UDP Packets
     8.4 Drawbacks of Proxy Servers

  9. Advanced Configurations
     9.1 A Large Network with Emphasis on Security
        9.1.1 Network Setup
        9.1.2 Proxy Server Setup

  ______________________________________________________________________

  1.  Introduction

  The original Firewall-HOWTO was written by David Rudder
  <drig@execpc.com>. I would like to thank him for letting me update
  his work.

  Firewalls have gained great fame in recent years as the ultimate
  answer to connecting safely to the Internet, and like most things
  that gain fame, that fame has brought misunderstanding with it. This
  HOWTO explains what a firewall is, how to set one up, what a proxy
  server is, how to configure one, and the applications that make use
  of this technology.

  1.1.  Feedback

  Any feedback is welcome. PLEASE REPORT ANY INACCURACIES IN THIS
  DOCUMENT! I am human and prone to making mistakes; if you find one,
  fixing it is of the highest priority to me. I will try to answer all
  e-mail, but I have been busy lately, so please don't be offended if
  you get no reply.

  My e-mail address is <drig@execpc.com>. [The translator's e-mail
  address is <isle@st.rim.or.jp>.]

  1.2.  Disclaimer

  I am not responsible for any damage incurred through actions taken on
  the basis of this document. It was written to introduce how firewalls
  and proxy servers work. I am not a security expert, nor do I pretend
  to be one; I am just someone who has read more than most people and
  likes computers more than most. I am writing this to help people
  become acquainted with firewalls and proxy servers, and I am not
  prepared to stake my life on the accuracy of everything in it.

  1.3.  Copyright(쌠\)

  Unless otherwise stated, Linux HOWTO documents are copyrighted by
  their respective authors. Linux HOWTO documents may be reproduced and
  distributed in whole or in part, in any medium physical or electronic,
  as long as this copyright notice is retained on all copies. Commercial
  redistribution is allowed and encouraged; however, the author would
  like to be notified of any such distributions.

  All translations, derivative works, or aggregate works incorporating
  any Linux HOWTO documents must be covered under this copyright notice.
  That is, you may not produce a derivative work from a HOWTO and impose
  additional restrictions on its distribution. Exceptions to these rules
  may be granted under certain conditions; please contact the Linux
  HOWTO coordinator.

  In short, we wish to promote dissemination of this information through
  as many channels as possible. However, we do wish to retain copyright
  on the HOWTO documents, and would like to be notified of any plans to
  redistribute the HOWTOs.

  If you have any questions, please contact Mark Grennan at
  <markg@netplus.net>.

  [Translator's note: questions about the translation should go to
  <isle@st.rim.or.jp>.]

  1.4.  My Reasons for Writing This

  Even though questions about how to set up a firewall have been posted
  to comp.os.linux.* over and over for the past several years, the
  information needed to set one up has remained scattered. The older
  version of this HOWTO was an important source of information, but
  parts of it had become out of date. In the original HOWTO, David
  Rudder hoped that everyone would be able to set up a firewall easily.

  I also want to give something back to the Linux community.

  1.5.  TODO

  o  How to configure clients.

  o  A UDP-capable proxy server for Linux.

  1.6.  Further Readings

  The following HOWTOs and books will be helpful.

  o  NET-2 HOWTO

  o  Ethernet HOWTO

  o  Multiple Ethernet Mini HOWTO

  o  Networking with Linux

  o  PPP HOWTO

  o  O'Reilly's "TCP/IP Network Administrator's Guide"

  o  The documentation that comes with the TIS Firewall Toolkit

  The Trusted Information System (TIS) web page (http://www.tis.com/)
  has a rich collection of documents on firewalls and related topics.

  I am currently working on a security project called Secure Linux.
  The Secure Linux web page is meant to collect the information,
  documents, programs and everything else needed to build a secure
  Linux system. If you are interested, send me e-mail.

  2.  Understanding Firewalls

  A firewall was originally a term from the car industry. In a car, the
  firewall is the physical wall that separates the engine from the
  passenger compartment. If the engine catches fire, the firewall
  protects the passengers, while the driver can still control the
  engine from behind it.

  In the computer world, a firewall is a device that protects a private
  network from the public network (generally, the Internet).

  From here on, the computer that plays the role of the firewall is
  called "firewall". This host must be connected to both the protected
  private network and the Internet. The protected network cannot reach
  the Internet directly, and the Internet cannot reach the protected
  network directly.

  For someone on the protected network to reach the Internet, they
  first telnet to firewall and then connect to the Internet from there.

  The simplest form of firewall is such a machine connected to two
  networks. If you can trust ALL the users on your network, you can set
  up a Linux machine with two network connections (with IP
  forwarding/gatewaying turned OFF!) and give every user an account on
  it. Users on the protected network then log in to this machine and
  telnet, FTP, read mail and use any other service you have set up
  there. With this setup, the only computer on your private network
  that knows anything about the outside world is firewall. The other
  machines on the protected network don't even need a default route.

  This needs re-stating: for the above setup to count as a firewall,
  EVERY user on the inside must be security-conscious and able to
  manage their own account safely. I do not recommend this approach.

  2.1.  Types of Firewalls

  There are two broad kinds of firewall.

  1. IP (filtering) firewalls: block all packets except the ones you
     have selected.

  2. Proxy servers: make the network connections on your behalf.

  2.1.1.  IP Filtering Firewalls

  An IP filtering firewall works at the packet level. This kind of
  firewall controls the flow of packets based on the source address,
  destination address, port numbers and packet type recorded in each
  packet.

  This type of firewall is very secure, but it lacks useful logging. It
  can stop people from reaching your private systems, but it will not
  tell you who accessed your public systems, or who on the inside
  accessed the Internet.

  A filtering firewall is an absolute filter. If you want to give
  someone on the outside access to one of your private servers, you
  cannot do so for that one person alone; you have to open the server
  to everyone on the outside.

  This packet filtering capability has been built into the Linux kernel
  since version 1.3.x.

  2.1.2.  Proxy Servers

  A proxy server provides indirect Internet access through the
  firewall. The easiest example is telnet. With a proxy server, the
  sequence "log in to the firewall machine, then telnet from there to
  the outside machine" happens automatically. When your client software
  connects to the proxy server, the proxy server starts its own client
  (proxy) software and forwards your data to its destination on your
  behalf.

  Because a proxy server duplicates all the communication, it can log
  everything.

  The strong point of proxy servers is that, correctly configured, they
  are completely secure. They let nobody pass through them freely;
  there is no direct IP routing.

  3.  Setting up the Firewall

  3.1.  Hardware Requirements

  In our example the computer is a 486-DX66 with 16M of memory and a
  500M Linux partition. The system has two network cards: one connected
  to the private LAN and the other connected to a LAN we will call the
  "de-militarized zone" (DMZ). The DMZ has a router connected to the
  Internet.

  This is a fairly standard setup for a business. You could also use a
  single network card for the LAN and a PPP connection over a modem to
  your Internet provider. The important point is that the firewall
  needs two IP addresses.

  I know a lot of people with small home LANs of two or three
  computers. One option for them is to connect all their computers to a
  Linux machine (an old 386 will do) and connect that machine to the
  Internet over two modems with load balancing. With this setup they
  could download at twice the speed of a single modem :-)

  [Translator's note: EQL (load balancing) is a feature built into the
  Linux kernel that uses two serial ports at the same time, making a
  doubled connection to the peer and doubling the transfer speed. It
  needs two modems, and the far end must support the feature as well.
  (I don't know it well; perhaps it is a feature meant for ISDN.)]

  4.  Firewall Software

  4.1.  Available Packages

  If all you need is a (packet) filtering firewall, Linux itself and
  the basic networking packages are enough. One package that might not
  come with your distribution is the IP firewall administration tool
  (ipfwadm).

  IPFWADM is available from http://www.xos.nl/linux/ipfwadm/.

  If you want to set up a proxy server, you will need one of the
  following two packages:

  1. SOCKS

  2. TIS Firewall Toolkit (FWTK)

  4.2.  The TIS Firewall Toolkit vs SOCKS

  Trusted Information System (http://www.tis.com) has released a
  collection of programs related to firewalling. These programs do
  basically the same thing as SOCKS, but with a different design
  strategy. Where SOCKS has one program that covers all Internet
  transactions, TIS provides a separate program for each utility that
  is to use the firewall.

  To contrast the two, take World Wide Web and telnet access. With
  SOCKS there is one configuration file and one daemon. You configure
  the file and the daemon so that telnet and WWW work, but any other
  service you have not explicitly disabled is available as well.

  With the TIS toolkit there is a separate daemon for WWW and for
  telnet, and a configuration file for each. After setting up WWW and
  telnet, no other service can be used until you explicitly configure
  it. For a service that has no dedicated daemon (such as talk) there
  is a "plug-in" daemon, but it is neither as flexible nor as easy to
  set up as the other tools.

  This may seem a minor difference, but it is a major difference in
  design philosophy. SOCKS allows you to be sloppy. Through a poorly set
  up SOCKS server, someone on the inside could reach Internet services
  you never intended to allow. With the TIS toolkit, people on the
  inside can use only the services the system administrator has set up.

  SOCKS is easier to set up, easier to compile and allows greater
  flexibility. The TIS toolkit is safer when you want to regulate the
  users inside the protected network. Both provide complete protection
  against access from the outside.

  This document covers the installation and configuration of both.

  5.  Preparing the Linux System

  5.1.  Compiling the Kernel

  Start with a clean install of Linux (I used RedHat 3.0.3, and the
  examples below are based on that distribution). The less software you
  have loaded, the fewer holes, backdoors and bugs there are to
  introduce security problems on your server, so load only a minimal
  set of applications on the firewall machine.

  Pick a stable kernel. I used 2.0.14; this document is based on its
  settings.

  Recompile the Linux kernel with the appropriate options. The "Kernel
  HOWTO", "Ethernet HOWTO" and "NET-2 HOWTO" will help here; if you
  have not read them yet, look through them at least once.

  Here are the network related options to set during 'make config'.

  1. In General setup:

     a. Networking Support  ON

  2. In Networking Options:

     a. Network firewalls  ON

     b. TCP/IP Networking  ON

     c. IP forwarding/gatewaying  OFF (ON if you want IP filtering)

     d. IP Firewalling  ON

     e. IP firewall packet logging  ON (not required, but useful)

     f. IP: masquerading  OFF (masquerading is not covered in this
        document)

     g. IP: accounting  ON

     h. IP: tunneling  OFF

     i. IP: aliasing  OFF

     j. IP: PC/TCP compatibility mode  OFF

     k. IP: Reverse ARP  OFF

     l. Drop source routed frames  ON

  3. In Network device support:

     a. Network device support  ON

     b. Dummy net driver support  ON

     c. Ethernet (10 or 100Mbit)  ON

     d. Select the driver for the network cards you use.

  With these options set, compile and install the kernel and reboot.
  Check the boot messages to make sure both network cards are
  recognized. If they are not, refer to the HOWTOs mentioned above.

  5.2.  Configuring Two Network Cards

  If you have two network cards in your computer, you will most likely
  need an append statement in /etc/lilo.conf giving the IRQ and address
  of both cards. Mine looks like this:

      append="ether=12,0x300,eth0 ether=15,0x340,eth1"

  5.3.  Configuring the Network Addresses

  Now we get to the fun part. First we have to decide on the network
  addresses. Because we don't want the Internet to have any access to
  the private network, the private network doesn't need real addresses.
  A range of addresses has been set aside for private networks that are
  not connected to the Internet, and we will use those. These addresses
  are never valid on the Internet, so even if you make a mistake and
  leak packets with these private addresses onto the Internet, the
  damage is limited; use these addresses for your private network.

  In our example we use the class C range 192.168.2.xxx.

  The proxy firewall is connected to both the Internet and the private
  network, and passes data between the two.

              199.1.2.10   __________    192.168.2.1
        _  __  _        \ |          | /           _______________
       | \/  \/ |        \| Firewall |/           |               |
      / Internet \--------|  System  |------------| Workstation/s |
      \_/\_/\_/\_/        |__________|            |_______________|

  You can still use these addresses with a packet filtering firewall;
  in that case you will be using IP masquerading. With IP masquerading,
  packets that the firewall forwards to the Internet have their
  addresses translated to the "REAL" IP address (199.1.2.10) before
  they go out.

  You must assign the real IP address to the network card on the
  Internet (outside) side. The network card on the inside gets
  192.168.2.1, which will be the proxy/gateway IP address for your
  private network. All the other machines on the private network get
  addresses in the 192.168.2.xxx range (192.168.2.2 through
  192.168.2.254).

  Since I use RedHat Linux (how about yours? ;-), I configure the
  inside network card at boot time with an 'ifcfg-eth1' file in the
  /etc/sysconfig/network-scripts directory. This file is read at boot
  time and used to set up the network and the routing table.

  Here is my ifcfg-eth1:

      #!/bin/sh
      #>>>Device type: ethernet
      #>>>Variable declarations:
      DEVICE=eth1
      IPADDR=192.168.2.1
      NETMASK=255.255.255.0
      NETWORK=192.168.2.0
      BROADCAST=192.168.2.255
      GATEWAY=199.1.2.10
      ONBOOT=yes
      #>>>End variable declarations

  You can also use the scripts in this directory to connect to your
  provider automatically over a modem; look at the ipup-ppp script.

  If you connect to your ISP over a modem with PPP or SLIP, your
  outside (ISP side) IP address will be assigned by your provider at
  connect time.

  5.4.  Testing Your Network

  Check your network with the ifconfig and route commands. With two
  network cards, the output of ifconfig should look something like
  this:

    #ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
              UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
              RX packets:1620 errors:0 dropped:0 overruns:0
              TX packets:1620 errors:0 dropped:0 overruns:0

    eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
              inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:12 Base address:0x310

    eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:15 Base address:0x350

  Your routing table should look like this:

    #route -n
    Kernel routing table
    Destination     Gateway         Genmask         Flags MSS    Window Use Iface
    199.1.2.0       *               255.255.255.0   U     1500   0       15 eth0
    192.168.2.0     *               255.255.255.0   U     1500   0        0 eth1
    127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
    default         199.1.2.10      *               UG    1500   0       72 eth0

  Note: 199.1.2.0 is the Internet side of this firewall and 192.168.2.0
  is the private side.

  Now, from firewall, try to ping the Internet. I use nic.ddn.mil as my
  test point. It is a good test, but it does not seem to be as reliable
  as it used to be. If nic.ddn.mil doesn't answer, try another host on
  the Internet. If that fails too, your PPP setup is probably wrong;
  read the "NET-2 HOWTO" and check it again.

  [In Japan, www.ntt.co.jp or www.iij.ad.jp would be reasonable test
  targets.]

  Next, from firewall, ping the hosts on the protected network. Every
  host on that network should answer. If one doesn't, read the "NET-2
  HOWTO" and check your network configuration.

  Now, from inside the protected network, ping the outside address of
  firewall (note: this is the address that is NOT 192.168.2.xxx). If
  you can ping it, IP Forwarding is turned on. Make sure that is what
  you want. If you are going to use IP Forwarding, you also need to
  read the IP filtering section of this document.

  Next, from inside the firewall (a host on the protected network), try
  to ping a host on the Internet. Use the host you could ping from
  firewall before (e.g. nic.ddn.mil). If IP Forwarding is turned off,
  this should not work.

  If IP Forwarding is turned on and your protected network uses "REAL"
  IP addresses (not 192.168.2.*), and you can ping the Internet side of
  firewall but not the Internet, then the router beyond firewall may
  not know how to reach your network (your provider may have to fix
  this). If your protected network uses 192.168.2.* addresses, you
  cannot send packets out anyway.

  This completes the basic setup.

  5.5.  Securing the Firewall

  It is all too common to leave unused services running on the firewall
  machine. A "bad guy" could use one of them to get access to firewall
  and turn it to their own use.

  So start by turning off the services you don't use. Look at
  /etc/inetd.conf. This file configures inetd, the "super server"; it
  describes how to start the daemons that perform the various services.

  Be sure to disable netstat, systat, tftp, bootp and finger. To disable
  a service, put a # at the start of its line. When you are done, run
  "kill -HUP <pid>" (where <pid> is the process number of inetd) to
  send inetd a HUP signal. On receiving it, inetd re-reads its
  configuration file (/etc/inetd.conf) and restarts.

  After restarting inetd, telnet to port 15 on firewall (telnet
  firewall 15). If you still get netstat output, inetd has not been
  restarted.

  6.  IP Filtering Setup (IPFWADM)

  If you are going to set up a filtering firewall, first make sure IP
  Forwarding is compiled into your kernel and that the system actually
  forwards packets. Linux's IP Forwarding is turned on by default, so
  once the routing tables are right you can go freely from the inside
  to the Internet.

  But we are setting up a firewall, so let's put some controls on what
  can pass through.

  On my system I use a couple of scripts to set the firewall's
  forwarding and accounting policies. I call these scripts from
  /etc/rc.d/ at boot time.

  By default, Linux IP Forwarding forwards every packet. Therefore the
  script that sets up the firewall should start by denying everything
  and flushing any forwarding rules left over from the last time it
  ran. This script does the trick.

    #
    # setup IP packet Accounting and Forwarding
    #
    #   Forwarding
    #
    # By default DENY all services
    ipfwadm -F -p deny
    # Flush all commands
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f

  Now we have the ultimate firewall: no packet can pass through to any
  host. But you surely have some services you need to pass through the
  firewall, so here are a few examples you should find helpful.

    # Allow e-mail from outside to reach the internal mail server
    ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25

    # Allow connections from the internal mail server to outside mail servers
    ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535

  [The original has it this way, but the translator thinks the correct
  rule for this purpose is ipfwadm -F -a accept -b -P tcp -S
  192.1.2.10 1024:65535 -D 0.0.0.0/0 25.]

    # Allow Web connections from outside to the Web server
    /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80

    # Allow Web connections from the Web server to the outside
    # (196.1.2.0/24 is the whole inside network in the address/mask form ipfwadm takes)
    /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 80 -D 0.0.0.0/0 1024:65535

    # Allow DNS traffic
    /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24

  If you want to keep track of the traffic passing through the
  firewall, this script counts the packets. Add more addresses to the
  accounting as needed, so that the whole system's traffic is recorded.

    # Flush the current accounting rules
    ipfwadm -A -f
    # Start new accounting
    /sbin/ipfwadm -A -f
    /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
    /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24

  If all you need is a filtering firewall, you can stop here. Test it
  and enjoy :-)
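  As an added example (not part of the HOWTO and not ipfwadm itself), here is a
  small Python model of the -F forwarding chain that the script above builds, so
  that a rule set can be checked against sample packets before it is loaded on
  the firewall. The script text inside is constructed from the page's rules
  (196.1.2.* written as 196.1.2.0/24); the model assumes first-match evaluation
  with the -p policy as fallback and understands only the options the page uses.

```python
"""Model of the ipfwadm -F (forwarding) chain set up in section 6.

Added example, not from the HOWTO or from ipfwadm. Only the options the
page's script uses are understood: -p, -f, -a accept|deny, -b, -P, and
-S/-D addr[/mask] [port | lo:hi]. Rules are checked in order and the
first match decides; the -p policy applies when no rule matches.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # inclusive range; None means any port

# The page's script, constructed here for the demonstration (196.1.2.*
# written as 196.1.2.0/24, the address/mask form ipfwadm accepts).
FIREWALL_SCRIPT = """
ipfwadm -F -p deny
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25
ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535
/sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80
/sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 80 -D 0.0.0.0/0 1024:65535
/sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
"""


@dataclass
class FwRule:
    action: str                  # "accept" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "all"
    src: ipaddress.IPv4Network
    sports: PortRange
    dst: ipaddress.IPv4Network
    dports: PortRange
    bidir: bool                  # -b: the rule also matches with src and dst swapped


def _net(spec: str) -> ipaddress.IPv4Network:
    # ipfwadm takes addr[/mask]; a bare address means that single host
    return ipaddress.IPv4Network(spec if "/" in spec else spec + "/32", strict=False)


def _ports(spec: str) -> Tuple[int, int]:
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def _addr_and_ports(argv: List[str], flag: str):
    i = argv.index(flag)
    following = argv[i + 2] if i + 2 < len(argv) else "-"
    return _net(argv[i + 1]), (None if following.startswith("-") else _ports(following))


def _in_range(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def _match(r: FwRule, saddr, sport, daddr, dport) -> bool:
    return (saddr in r.src and daddr in r.dst
            and _in_range(r.sports, sport) and _in_range(r.dports, dport))


class ForwardChain:
    def __init__(self) -> None:
        self.policy = "accept"   # Linux forwards everything until told otherwise
        self.rules: List[FwRule] = []

    def run(self, line: str) -> None:
        """Apply one ipfwadm command line; -I, -O and -A lines are ignored."""
        argv = shlex.split(line.split("#", 1)[0])
        if not argv or not argv[0].endswith("ipfwadm") or "-F" not in argv:
            return
        if "-p" in argv:
            self.policy = argv[argv.index("-p") + 1]
        elif "-f" in argv:
            self.rules.clear()
        elif "-a" in argv:
            src, sports = _addr_and_ports(argv, "-S")
            dst, dports = _addr_and_ports(argv, "-D")
            proto = argv[argv.index("-P") + 1] if "-P" in argv else "all"
            self.rules.append(FwRule(argv[argv.index("-a") + 1], proto,
                                     src, sports, dst, dports, "-b" in argv))

    def load(self, script: str) -> "ForwardChain":
        for line in script.splitlines():
            self.run(line)
        return self

    def decide(self, proto: str, saddr: str, sport: int, daddr: str, dport: int) -> str:
        s, d = ipaddress.IPv4Address(saddr), ipaddress.IPv4Address(daddr)
        for r in self.rules:
            if r.proto != "all" and r.proto != proto:
                continue
            if _match(r, s, sport, d, dport) or (r.bidir and _match(r, d, dport, s, sport)):
                return r.action
        return self.policy
```

  Loading FIREWALL_SCRIPT and calling decide("tcp", "10.1.1.1", 40000,
  "196.1.2.11", 80) returns "accept", while the same client on port 23 falls
  through to the "deny" policy.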

  6.1.  Weaknesses of Filtering Firewalls

  The weakness of a filtering firewall lies in how it grants access
  from the Internet to the internal network. With a filtering firewall,
  any service you have opened to pass through the filter can be used
  across the firewall by anyone. With a proxy server, outside users
  must first log in to the firewall machine, and only then can they
  freely reach the internal machines they are permitted to reach.

  New network clients and network services are being developed all the
  time. Every time you want to use one of them, you need a new way to
  control it.

  7.  Installing the TIS Proxy Server

  7.1.  Getting the Software

  The TIS FWTK (FireWall ToolKit) is available from ftp://ftp.tis.com/.

  Don't make the mistake I did: when you ftp files from TIS, READ THE
  README first. The TIS fwtk is kept in a hidden directory on their
  server. To learn its name you must send e-mail to
  fwtk-request@tis.com with only the word SEND in the body of the
  message; no subject is needed. Their system then mails you back the
  name of the directory (valid for 12 hours) from which to download the
  source code.

  As I write this HOWTO, TIS has released version 2.0 (beta) of the
  FWTK. This version (the one used in the examples) compiles cleanly
  and works fine for me. The description below is based on it. When
  they release the final version I will update this HOWTO.

  To install the FWTK, create a fwtk-2.0 directory under /usr/src. Move
  the FWTK source (fwtk-2.0.tar.gz) into that directory and unpack it
  (tar zxf fwtk-2.0.tar.gz).

  The FWTK has no support for SSL web documents, but Jean-Christophe
  Touvet has written an add-on for it. It is available from
  ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z. Touvet does not
  support this code.

  Eric Wedel has written a version extended to work with Netscape
  secure news servers. It is available from
  ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z.

  In the example below I use Eric Wedel's version.

  To install it, simply create an ssl-gw directory under
  /usr/src/fwtk-2.0 and put the files in it.

  Before it would compile I had to make a few changes.

  The first change is to ssl-gw.c, which is missing a needed include
  file:

    #if defined(__linux)
    #include        <sys/ioctl.h>
    #endif

  ߂̏ĆAssl-gw  Makefile ƂłB͑ gateway
  fBNgɂ Makefile Rs[āAgateway  ssl-gw ɕύX
  邱Ƃł̂܂B

  7.2.  Compiling the TIS FWTK

  Version 2.0 of the FWTK compiles much more easily than the older
  versions, but a few things still need to be changed before the BETA
  compiles cleanly. Hopefully these fixes will be made before the final
  release.

  To make the fixes, move to the /usr/src/fwtk/fwtk directory and copy
  Makefile.config.linux over Makefile.config.

  DON'T run FIXMAKE. The instructions say to run it, but it destroys
  the Makefile in each directory.

  I fixed fixmake. The problem is in the sed script that adds a '.' and
  a ' ' to every include line of each Makefile. With the following
  change, fixmake works.

    FWTKSRCDIR=/usr/src/fwtk/fwtk

  Second, Makefile.config is set to use dbm. Linux systems use the gdbm
  database, so set it like this (this is the case on RedHat 3.0.3):

    DBMLIB=-lgdbm

  The last fix is in the x-gw. This BETA version has a bug in the
  socket.c code. To fix it, delete the following lines:

    #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
                         + sizeof(un_name->sun_len)+ 1
    #endif

  If you need ssl-gw, add the ssl-gw directory to the directory list in
  the Makefile:

    DIRS=   smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw

  Now run make.

  7.3.  Installing the TIS FWTK

  To install, run make install.

  The default installation directory is /usr/local/etc. You can change
  it to a more secure directory (I didn't). I changed the permissions on
  this directory with 'chmod 700'.

  All that is left now is to configure the firewall.

  7.4.  Configuring the TIS FWTK

  Now the fun really begins. We must teach the system to call the newly
  installed services and create the tables that control them.

  I am not going to re-write the TIS FWTK manual here. Below I show the
  settings that worked for me, explain the problems I ran into, and how
  I got around them.

  The TIS FWTK is controlled by the following three files.

  o  /etc/services
     Tells the system what ports the TIS FWTK uses.

  o  /etc/inetd.conf
     Tells inetd which program to start when someone connects to one of
     those ports.

  o  /usr/local/etc/netperm-table
     Tells the FWTK whom to allow and whom to deny.

  To get the FWTK working you should edit these files from the bottom
  up. Editing the services file without first setting netperm-table and
  inetd.conf correctly could make your system unusable.

  7.4.1.  The netperm-table File

  This file controls who may use the services of the TIS FWTK. When you
  set it up, think about the traffic using the firewall from both
  sides. Access from outside the private network should require
  authentication, while people on the inside should be able to pass
  through to the outside freely.

  To authenticate people from the outside, the firewall uses a program
  called authsrv. It keeps a database of user IDs and passwords. The
  authentication section of netperm-table tells where that database is
  kept and who may access it.

  I had some trouble closing down access to this service. Note that the
  permit-hosts line shown below uses '*', which lets everyone access
  it. The correct setting for this line is authsrv: permit-hosts
  localhost.

    #
    # Proxy configuration table
    #
    # Authentication server and client rules
    authsrv:      database /usr/local/etc/fw-authdb
    authsrv:      permit-hosts *
    authsrv:      badsleep 1200
    authsrv:      nobogus true
    # Client Applications using the Authentication server
    *:            authserver 127.0.0.1 114

  To initialize the database, su to root and run the ./authsrv command
  in the /usr/local/etc directory to create the administrative user
  record. Here is an example session.

  Read the FWTK documentation to learn how to add users and groups.
      #
      # authsrv
      authsrv# list
      authsrv# adduser admin "Auth DB admin"
      ok - user added initially disabled
      authsrv# ena admin
      enabled
      authsrv# proto admin pass
      changed
      authsrv# pass admin "plugh"
      Password changed.
      authsrv# superwiz admin
      set wizard
      authsrv# list
      Report for users in database
      user   group  longname           ok?    proto   last
      ------ ------ ------------------ -----  ------  -----
      admin         Auth DB admin      ena    passw   never
      authsrv# display admin
      Report for user admin(Auth DB admin)
      Authentication protocol: password
      Flags: WIZARD
      authsrv# ^D
      EOT
      #

  The telnet gateway (tn-gw) is the simplest, so let's start with it.

  In the example below, hosts on the private network may telnet out
  without authentication (permit-hosts 196.1.2.* -passok). Any other
  user of the proxy must enter a user ID and password (permit-hosts *
  -auth).

  I also let one host, 196.1.2.202, reach the firewall itself directly
  without authentication. The netacl-in.telnetd line does this. I will
  explain later how this line gets called.

  The telnet timeout should be kept short.

    # telnet gateway rules:
    tn-gw:                denial-msg      /usr/local/etc/tn-deny.txt
    tn-gw:                welcome-msg     /usr/local/etc/tn-welcome.txt
    tn-gw:                help-msg        /usr/local/etc/tn-help.txt
    tn-gw:                timeout 90
    tn-gw:                permit-hosts 196.1.2.* -passok -xok
    tn-gw:                permit-hosts * -auth
    # Only the Administrator can telnet directly to the Firewall via Port 24
    netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd

  The r-commands such as rlogin are configured the same way as telnet.

    # rlogin gateway rules:
    rlogin-gw:    denial-msg      /usr/local/etc/rlogin-deny.txt
    rlogin-gw:    welcome-msg     /usr/local/etc/rlogin-welcome.txt
    rlogin-gw:    help-msg        /usr/local/etc/rlogin-help.txt
    rlogin-gw:    timeout 90
    rlogin-gw:    permit-hosts 196.1.2.* -passok -xok
    rlogin-gw:    permit-hosts * -auth -xok
    # Only the Administrator can telnet directly to the Firewall via Port
    netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a

  Nobody should connect directly to the firewall with FTP either, so do
  not run an FTP server on the firewall.

  Again, in the example below the permit-hosts line lets hosts on the
  private network FTP to Internet hosts freely, while everyone else
  must authenticate. (-log { retr stor }) logs every file sent and
  received.

  The FTP timeout controls both how long it takes to drop a bad
  connection and how long a connection that is passing no data stays
  open.

    # ftp gateway rules:
    ftp-gw:               denial-msg      /usr/local/etc/ftp-deny.txt
    ftp-gw:               welcome-msg     /usr/local/etc/ftp-welcome.txt
    ftp-gw:               help-msg        /usr/local/etc/ftp-help.txt
    ftp-gw:               timeout 300
    ftp-gw:               permit-hosts 196.1.2.* -log { retr stor }
    ftp-gw:               permit-hosts * -authall -log { retr stor }

  Web, gopher and browser-based ftp are controlled by http-gw. The
  first two lines below set the directory in which ftp and web
  documents are stored while they pass through the firewall. I make
  these files owned by root and put them in a directory that only root
  can access.

  Web connections should be kept short. The timeout is how long a user
  waits on a bad connection.

    # www and gopher gateway rules:
    http-gw:      userid          root
    http-gw:      directory       /jail
    http-gw:      timeout 90
    http-gw:      default-httpd   www.afs.net
    http-gw:      hosts           196.1.2.* -log { read write ftp }
    http-gw:      deny-hosts      *

  ssl-gw passes everything through, so be careful with it. In the
  example below, every host on the private network may connect to ports
  443 through 563 on any outside host except 127.0.0.* and 192.1.1.*.
  Ports 443 through 563 are the ports SSL uses.

    # ssl gateway rules:
    ssl-gw:         timeout 300
    ssl-gw:         hosts           196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
    ssl-gw:         deny-hosts      *

  The next example uses plug-gw to connect to a news server. Here
  anyone on the private network may connect freely to this one machine,
  and only to its news port.

  The third line lets the news server's data come back through the
  firewall.

  Because a news reader expects to stay connected to the server while
  the user reads news, the timeout here is set long.

    # NetNews Pluged gateway
    plug-gw: timeout 3600
    plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
    plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp

  The finger gateway is simple. Users on the private network log in to
  firewall and can then use finger. Anyone else who tries to finger the
  firewall just gets finger.txt.

    # Enable finger service
    netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
    netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

  I have not set up the Mail and X-windows services, so there are no
  examples for them. If anyone has a working setup, please e-mail me.

  7.4.2.  The inetd.conf File

  Here is my /etc/inetd.conf. All unneeded services are commented out.
  I include the whole file to show what to turn off as well as how the
  firewall services are set up.

    #echo stream  tcp  nowait  root       internal
    #echo dgram   udp  wait    root       internal
    #discard      stream  tcp  nowait  root       internal
    #discard      dgram   udp  wait    root       internal
    #daytime      stream  tcp  nowait  root       internal
    #daytime      dgram   udp  wait    root       internal
    #chargen      stream  tcp  nowait  root       internal
    #chargen      dgram   udp  wait    root       internal
    # FTP firewall gateway
    ftp-gw      stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
    # Telnet firewall gateway
    telnet        stream  tcp  nowait      root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
    # local telnet services
    telnet-a    stream  tcp  nowait      root  /usr/local/etc/netacl in.telnetd
    # Gopher firewall gateway
    gopher        stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
    # WWW firewall gateway
    http  stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
    # SSL firewall gateway
    ssl-gw  stream  tcp     nowait  root /usr/local/etc/ssl-gw   ssl-gw
    # NetNews firewall proxy (using plug-gw)
    nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
    #nntp stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
    # SMTP (email)firewall gateway
    #smtp stream  tcp     nowait  root    /usr/local/etc/smap smap
    #
    # Shell, login, exec and talk are BSD protocols.
    #
    #shell        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
    #login        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
    #exec stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
    #talk dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
    #ntalk        dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
    #dtalk        stream  tcp     waut    nobody  /usr/sbin/tcpd  in.dtalkd
    #
    # Pop and imap mail services et al
    #
    #pop-2   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop2d
    #pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop3d
    #imap    stream  tcp  nowait  root  /usr/sbin/tcpd    imapd
    #
    # The Internet UUCP service.
    #
    #uucp    stream  tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
    #
    # Tftp service is provided primarily for booting.  Most sites
    # run this only on machines acting as "boot servers." Do not uncomment
    # this unless you *need* it.
    #
    #tftp dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
    #bootps       dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
    #
    # Finger, systat and netstat give out user information which may be
    # valuable to potential "system crackers."  Many sites choose to disable
    # some or all of these services to improve security.
    #
    # cfinger is for GNU finger, which is currently not in use in RHS Linux
    #
    finger        stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
    #cfinger      stream  tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
    #systat       stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
    #netstat      stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
    #
    # Time service is used for clock syncronization.
    #
    #time stream  tcp  nowait  root  /usr/sbin/tcpd  in.timed
    #time dgram   udp  wait    root  /usr/sbin/tcpd  in.timed
    #
    # Authentication
    #
    auth          stream  tcp  wait    root  /usr/sbin/tcpd  in.identd -w -t120
    authsrv       stream  tcp  nowait  root  /usr/local/etc/authsrv authsrv
    #
    # End of inetd.conf

  7.4.3.  The /etc/services File

  This is where it all starts. When a client connects to the firewall,
  it connects to a well known port (a port below 1024); telnet, for
  example, connects to port 23. The inetd daemon hears the connection
  and looks up in /etc/services which service belongs to that port. It
  then finds the program for that service name in /etc/inetd.conf and
  starts it.

  Not every service is in /etc/services, and some of the services we
  created can be given any port you like. For example, I assigned the
  administrator's telnet (telnet-a) to port 24, but it could just as
  well be 2323. With telnet-a on port 24, the administrator (you) uses
  port 24 rather than 23 to reach firewall, and if netperm-table is set
  up as shown earlier, that connection is only possible from inside the
  private network.

    telnet-a        24/tcp
    ftp-gw          21/tcp           # this named changed
    auth            113/tcp   ident    # User Verification
    ssl-gw          443/tcp

  8.  The SOCKS Proxy Server

  8.1.  Setting up the Proxy Server

  The SOCKS proxy server is available from
  ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-
  src.tgz. The same directory has a sample configuration file,
  "socks-conf". Unpack the files into a directory on your system and
  follow the instructions to make it. I had a couple of problems when
  compiling; make sure your Makefiles are correct.

  One important thing: the proxy server needs an entry in
  /etc/inetd.conf. Add the following line so that inetd starts the
  proxy server when requested.

    socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd

  8.2.  Configuring the Proxy Server

  The SOCKS program needs two separate configuration files. One
  describes the access that is allowed; the other routes requests to
  the appropriate proxy server. The access file must be on the server.
  The routing file is needed on every Un*x machine that uses SOCKS. DOS
  and Macintosh machines do their own routing.

  8.2.1.  The Access File

  With socks4.2 Beta the access file is called "sockd.conf". It needs
  at least two lines, a permit line and a deny line. Each line has
  three entries:

  o  the identifier (permit/deny)

  o  an IP address

  o  an address modifier

  The identifier is either permit or deny. You need both a permit and a
  deny line.

  The IP address is written in the usual four byte dotted notation,
  e.g. 192.168.2.0.

  The address modifier is also a four byte number in IP address
  notation, and it works like a netmask. Think of it as 32 bits, each 1
  or 0; wherever the mask has a 1, the corresponding bit of the address
  being checked must match the bit in the IP address field. For
  example,

      permit 192.168.2.23 255.255.255.255

  permits only the IP address 192.168.2.23. If you also want to permit
  an address such as 192.168.2.3, write

      permit 192.168.2.0 255.255.255.0

  instead. This permits every class C address from 192.168.2.0 through
  192.168.2.255.

  You must not write

      permit 192.168.2.0 0.0.0.0

  because that permits every address whatsoever and is meaningless.

  So first permit all the addresses you want, then deny everything
  else. To permit only 192.168.2.xxx, the lines are:

      permit 192.168.2.0 255.255.255.0
      deny 0.0.0.0 0.0.0.0

  Note the first "0.0.0.0" in the deny line. With a modifier of 0.0.0.0
  the IP address field does not matter; all zeros is just the easiest
  thing to type.

  More than one line of each kind is allowed.

  SOCKS can also permit or deny access for specific users inside the
  network. This is done with ident authentication. Not every system
  supports ident (Trumpet Winsock, for one, does not), so I won't go
  into it here; the documentation that comes with socks describes how
  to use ident in detail.

  8.2.2.  The Routing File

  The routing file, which tells where to route service requests, has
  the confusing name "socks.conf"; take care not to mix it up with the
  access file "sockd.conf".

  The routing file tells the SOCKS clients when to use socks. For
  example, on our network, 192.168.2.3 need not use socks to talk to
  firewall at 192.168.2.1, because the two are directly connected by
  Ethernet. Likewise, you need no socks to connect to yourself over the
  loopback address 127.0.0.1. The routing file has three kinds of
  entry:

  o  deny

  o  direct

  o  sockd

  The deny entry says when to reject a request. It has the same three
  fields as sockd.conf: identifier, address and modifier. Usually the
  decision of which requests to reject is made in sockd.conf (the one
  on the proxy server), so the modifier field here is set to 0.0.0.0.
  If you want to stop yourself from connecting anywhere, you can set
  that here.

  The direct entry lists the addresses for which socks is not used,
  i.e. all the addresses that can be reached without the proxy server.
  Again there are three fields: identifier, address and modifier. In
  our example it is:

      direct 192.168.2.0 255.255.255.0

  With this, every host on the private network is reached directly.

  The sockd entry tells which host has the socks server daemon on it.
  Its syntax is:

    sockd @=<serverlist> <IP address> <modifier>

  Note the @= entry. It holds the IP addresses of the proxy servers.
  Our example uses a single proxy server, but you can list several to
  spread the load and for redundancy in case one fails. The IP address
  and modifier fields work as in the other examples; they say which
  addresses are reached through which servers.

  8.3.  Working with a Proxy Server

  8.3.1.  Unix

  To make an application use the proxy server, it has to be
  "SOCKSified" first. You may need two telnet commands, one for direct
  connections and one for connections through the proxy server. The
  SOCKS package comes with a few pre-SOCKSified programs and with
  instructions on how to SOCKSify your own. If you use a SOCKSified
  command to reach a host that is directly reachable, SOCKS
  automatically runs the direct version of the command for you. Because
  of this, you can rename all the original commands and replace them
  with the SOCKSified versions: "finger" becomes "finger.orig",
  "telnet" becomes "telnet.orig", and so on. You tell SOCKS where these
  commands are in include/socks.h.

  Some programs handle routing and socks themselves. Netscape is one.
  In Netscape you can use the proxy server by entering the server's
  address (192.168.2.1 in our example) in the SOCKS field under
  Proxies. Each application handles proxies a little differently, so
  every one may need some fiddling.

  8.3.2.  MS Windows with Trumpet Winsock

  Trumpet Winsock has built-in proxy server support. In the "setup"
  menu, enter the IP address of the server and the addresses of the
  computers that can be reached directly. Trumpet then sends all
  outgoing packets to the server automatically.

  8.3.3.  The Proxy Server and UDP Packets

  The SOCKS package works only with TCP; UDP packets do not pass
  through it. This makes it considerably less useful. Programs such as
  talk and archie use UDP and so cannot be used through SOCKS. Tom
  Fitzgerald <fitz@wang.com> has written a proxy server for UDP packets
  called UDPrelay, but unfortunately, at the time of writing, it does
  not work on Linux.

  8.4.  Drawbacks of Proxy Servers

  A proxy server is, above all, a security device. Using it to get
  Internet access with only a limited number of IP addresses has a
  number of drawbacks. A proxy server gives the inside of the network
  fairly free access to the outside, but it keeps the inside completely
  unreachable from the outside. That means no talk or archie
  connections, and no mail delivered directly to inside computers.
  These may not seem like serious drawbacks, but think about it this
  way:

  o  You have left a report you were working on on your computer
     inside the firewall-protected network. You are at home and want to
     carry on with it, but you cannot reach that computer because it is
     behind the firewall. You cannot log in to firewall either: since
     everyone has proxy server access, nobody has set up an account for
     you on it.

  o  Your daughter goes off to college. You want to e-mail her. It is a
     private matter, so you would rather have the mail come straight to
     your own machine. But mail cannot be delivered directly to a
     machine behind the firewall. You trust your system administrator
     not to read your mail, but still, it is private.

  o  UDP packets not passing through is a big drawback of proxy
     servers. I hope it is fixed as soon as possible.

  FTP is another problem for proxy servers. When you do an ftp get or
  ls, the FTP server opens a socket back to the client machine and
  sends the information through it. A proxy server will not allow
  this, so FTP does not quite work.

  Connections through a proxy server are slow. The proxy server has
  considerable overhead, so almost any other means of access is faster.

  Basically, if you are permanently connected to the Internet (with
  real IP addresses) and are not overly worried about security, don't
  use a firewall or proxy server. If you are not permanently connected
  and are not overly worried about security, look at a serial IP
  emulator such as Term, Slirp or TIA. Term is available from
  ftp://sunsite.unc.edu, Slirp from
  ftp://blitzen.canberra.edu.au/pub/slirp, and TIA from
  marketplace.com. These packages run faster than a proxy server, allow
  more services, and let the Internet reach the inside network. Proxy
  servers are well suited to networks with many hosts that want to
  connect to the Internet, where you want the setup done once in one
  place with as little work as possible afterwards.

  9.  Advanced Configurations

  Before closing, let me go over one more configuration. What has been
  covered so far will probably suffice for most people, but a somewhat
  more complex configuration may answer the remaining questions. If
  there are points you still wonder about, or if you are interested in
  what more complex proxy and firewall setups can do, read on.

  9.1.  A Large Network with Emphasis on Security

  Say, for instance, you are the leader of a militia and want to
  network your site. You have 50 computers and a 5-bit subnet of 32 IP
  addresses. You tell your followers different things depending on
  their rank, so you need different levels of access within the network
  and have to protect parts of it from the rest.

  The levels are:

  1. External level. This is the level shown to everybody; it is where
     you rant and rave with every trick you know to recruit new
     volunteers.

  2. Troop level. The level for people who have gotten beyond the
     external level. Here they are taught about the wickedness of the
     government and how to make bombs.

  3. Mercenary level. Only the people at this level know the real
     plans: how the third world governments are going to take over the
     world, your plans involving Newt Gingrich, Oklahoma City and
     bad-tasting food, what is really hidden in the hangars at Area 51,
     and all the other secrets.

  9.1.1.  Network Setup

  The IP addresses are assigned as follows:

  o  192.168.2.255 is the broadcast address and cannot be used.

  o  23 of the 32 IP addresses go to the 23 machines that are reachable
     from the Internet.

     [Translator's note: 23 is a number of religious significance to
     some people.]

  o  One more IP address goes to a Linux machine on that network.

  o  Another IP address goes to a different Linux machine on that
     network.

  o  Two IP addresses go to the router.

  o  The remaining four IP addresses get the domain names paul, ringo,
     john and george, just to confuse things a bit.

  o  The two hidden networks both use the private address range
     192.168.2.xxx.

  Next, the two hidden networks are each set up in a different room.
  They are connected by infrared Ethernet, so they are completely
  invisible from the outside room. Luckily, infrared Ethernet works
  (one assumes) just like ordinary Ethernet, so it needs no special
  configuration.

  Each of these networks is connected to, and passes through, one of
  the Linux machines that were given an extra IP address.

  There is one file server shared by the two isolated networks. It
  serves both because the plans for world domination involve some of
  the higher-ranking troops. The file server has two Ethernet cards:
  192.168.2.17 on the "troop" network and 192.168.2.23 on the
  "mercenary" network. IP Forwarding is turned off on the file server.

  IP Forwarding is also turned off on the two Linux machines connected
  to the isolated networks. The router connected to the Internet will
  not forward packets for 192.168.2.xxx, since those are private
  addresses, unless it is explicitly told to, so the Internet cannot
  send packets into the two hidden networks. The reason for turning
  off IP Forwarding is so that packets cannot pass between the "troop"
  network and the "mercenary" network.

  The NFS server (the file server) can offer different files to each
  network. With a little trickery with symbolic links, files shared by
  both can easily be offered too. With one more Ethernet card, the
  file server could serve all three networks.

  9.1.2.  Proxy Server Setup

  Now, all three levels want to watch the Internet for their own
  devious purposes, so all three networks need Internet access. This
  calls for proxy servers. The "mercenary" and "troop" networks are
  behind the firewalls, so proxy servers are set up for them.

  The two networks are configured very similarly; both have the same IP
  addresses assigned. To make things more interesting, let's add a
  couple of conditions.

  1. The file server may not be used for Internet access. If the file
     server were connected to the Internet, it could be exposed to
     viruses and other nasty things.

  2. The "troop" network is not allowed to use the World Wide Web. They
     are in training, and the information-gathering power of the WWW
     might prove harmful.

  So the sockd.conf on the Linux machine that is the "troop" network's
  proxy server has this line:

      deny 192.168.2.17 255.255.255.255

  And on the "mercenary" network's proxy server:

      deny 192.168.2.23 255.255.255.255

  The "troop" network's proxy server also gets a line forbidding the
  WWW:

      deny 0.0.0.0 0.0.0.0 eq 80

  This says to deny access from any machine to port 80, the http port.
  All other services on other ports remain available; only Web access
  is blocked.

  Both proxy servers get this permit line:

      permit 192.168.2.0 255.255.255.0

  With this, every machine on the 192.168.2.xxx network may use the
  proxy server, except for what has already been denied (connections
  from the file server, and Web access from the "troop" network).

  The resulting sockd.conf on the "troop" network's proxy server is:

      deny 192.168.2.17 255.255.255.255
      deny 0.0.0.0 0.0.0.0 eq 80
      permit 192.168.2.0 255.255.255.0

  And sockd.conf on the "mercenary" network's proxy server is:

      deny 192.168.2.23 255.255.255.255
      permit 192.168.2.0 255.255.255.0
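  An added example, not from the HOWTO or the SOCKS package: a Python
  evaluator for the sockd.conf matching rules explained in section 8.2.1 (the
  modifier acting as a bit mask, the first matching line deciding, and why a
  0.0.0.0 modifier matches everything), run against the two rule sets above.
  The rule text inside is constructed from the page; "eq PORT" is the only port
  operator handled, and first-match evaluation is assumed from the ordering the
  page's examples rely on.

```python
"""Evaluator for the sockd.conf access-file semantics of sections 8.2.1 and 9.1.2.

Added example, not from the HOWTO or from the SOCKS package. It handles the
form the page uses: permit|deny ADDRESS MODIFIER [eq PORT]. Lines are tried
in order and the first match decides; a request that matches no line is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The two rule sets from section 9.1.2, constructed here for the demonstration.
TROOP_SOCKD_CONF = """
deny 192.168.2.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.2.0 255.255.255.0
"""
MERCENARY_SOCKD_CONF = """
deny 192.168.2.23 255.255.255.255
permit 192.168.2.0 255.255.255.0
"""


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    address: int                # IP address field as a 32-bit integer
    modifier: int               # address modifier (netmask-like) as a 32-bit integer
    port: Optional[int] = None  # destination port of an "eq PORT" clause


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_sockd_conf(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("permit", "deny") or len(fields) not in (3, 5):
            raise ValueError(f"malformed sockd.conf line: {raw!r}")
        if len(fields) == 5 and fields[3] != "eq":
            raise ValueError(f"unsupported port operator in: {raw!r}")
        rules.append(Rule(fields[0], _to_int(fields[1]), _to_int(fields[2]),
                          int(fields[4]) if len(fields) == 5 else None))
    return rules


def rule_matches(rule: Rule, client_ip: str, dest_port: int) -> bool:
    # Every bit set in the modifier must agree between the rule's address
    # and the client's address. A modifier of 0.0.0.0 sets no bits and so
    # matches every client, which is why "permit 192.168.2.0 0.0.0.0"
    # would open the proxy to everyone.
    if (_to_int(client_ip) & rule.modifier) != (rule.address & rule.modifier):
        return False
    return rule.port is None or dest_port == rule.port


def decide(rules: List[Rule], client_ip: str, dest_port: int) -> str:
    for rule in rules:
        if rule_matches(rule, client_ip, dest_port):
            return rule.action
    return "deny"
```

  With the troop rules, decide(rules, "192.168.2.17", 23) and
  decide(rules, "192.168.2.40", 80) both return "deny", while
  decide(rules, "192.168.2.40", 23) returns "permit".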

  That completes the configuration. The "troop" and "mercenary"
  networks are isolated to the appropriate degree. Everyone should be
  happy.

  Now, go take over the world!

