
                      Firewall and Proxy Server HOWTO
                                       
   Author: Mark Grennan, markg@netplus.net
   Translated by: tchao@worldnet.att.net

   v0.4, 8 November 1996
     _________________________________________________________________
   
   v0.4, 8 November 1996. This document describes the basics of firewall
   systems and gives some detail on setting up both a filtering firewall
   and a proxy firewall on a Linux based system. An HTML version of this
   document is available at
   http://okcforum.org/~markg/Firewall-HOWTO.html
     _________________________________________________________________
   
1. Introduction

     * 1.1 Feedback
     * 1.2 Disclaimer
     * 1.3 Copyright
     * 1.4 My Reasons for Writing This
     * 1.5 Work Still To Do
     * 1.6 Further Reading
       
2. Understanding Firewalls

     * 2.1 Drawbacks with Firewalls
     * 2.2 Types of Firewalls
       
3. Setting up the Firewall

     * 3.1 Hardware Requirements
       
4. Firewall Software

     * 4.1 Available Packages
     * 4.2 The TIS Firewall Toolkit vs SOCKS
       
5. Preparing the Linux System

     * 5.1 Compiling the Kernel
     * 5.2 Configuring Two Network Cards
     * 5.3 Configuring the Network Addresses
     * 5.4 Testing Your Network
     * 5.5 Securing the Firewall
       
6. IP Filtering Setup (IPFWADM)

7. Installing the TIS Proxy Server

     * 7.1 Getting the Software
     * 7.2 Compiling the TIS FWTK
     * 7.3 Installing the TIS FWTK
     * 7.4 Configuring the TIS FWTK
       
8. The SOCKS Proxy Server

     * 8.1 Setting up the Proxy Server
     * 8.2 Configuring the Proxy Server
     * 8.3 Working with a Proxy Server
     * 8.4 Drawbacks with Proxy Servers
       
9. Advanced Configurations

     * 9.1 A Large Network with Emphasis on Security
     _________________________________________________________________
   
1. Introduction

   This Firewall-HOWTO is based on the work of David Rudder,
   drig@execpc.com; much of his original content is retained, with my
   thanks. Firewalls have recently gained great fame as the ultimate in
   Internet security, and like most things that gain fame, the fame has
   brought misunderstanding with it. This HOWTO goes over the basics of
   what a firewall is, how to set one up, what proxy servers are, how to
   set up a proxy server, and what this technology can be used for
   outside the security realm.
   
1.1 Feedback

   Any feedback is very welcome. PLEASE REPORT ANY INACCURACIES IN THIS
   DOCUMENT! I am human and prone to making mistakes; if you find any,
   fixing them is in my own interest. I will try to answer all e-mail,
   but I am busy, so don't be offended if you get no reply. My e-mail
   address is markg@netplus.net.
   
   Comments on the translation itself should go to the translator
   (tchao@worldnet.att.net).
   
1.2 Disclaimer

   I AM NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN
   BASED ON THIS DOCUMENT. This document is only an introduction to how
   firewalls and proxy servers work. I am not, and do not pretend to be,
   a security expert, nor an expert on installing this kind of software.
   I am just someone who has read too much and likes computers more than
   most people. I am writing this to help people get acquainted with the
   subject, and I am not ready to stake my life on the accuracy of what
   is in here.
   
1.3 Copyright

   Unless otherwise stated, Linux HOWTO documents are copyrighted by
   their respective authors. Linux HOWTO documents may be reproduced and
   distributed in whole or in part, in any medium physical or electronic,
   as long as this copyright notice is retained on all copies. Commercial
   redistribution is allowed and encouraged; however, the author would
   like to be notified of any such distributions.
   
   All translations, derivative works, or aggregate works incorporating
   any Linux HOWTO documents must be covered under this copyright notice.
   That is, you may not produce a derivative work from a HOWTO and impose
   additional restrictions on its distribution. Exceptions to these rules
   may be granted under certain conditions; please contact the Linux
   HOWTO coordinator.
   
   In short, we wish to promote dissemination of this information through
   as many channels as possible. However, we do wish to retain copyright
   on the HOWTO documents, and would like to be notified of any plans to
   redistribute the HOWTOs.
   
   If you have any questions, please contact Mark Grennan at
   <markg@netplus.net>.
   
1.4 My Reasons for Writing This

   Although there have been many discussions about firewalls on the
   comp.os.linux newsgroups, I found it hard to find the information I
   needed to set up a firewall. The original version of this HOWTO
   provided some basic information. I thank David Rudder for writing the
   Firewall HOWTO. I hope this version gives enough information to let
   you set up a firewall in a few hours instead of a few days. I also
   believe it makes clear why Linux in particular is a good choice for
   the job.
   
1.5 Work Still To Do

     * Instructions for setting up the clients.
     * Finding a UDP proxy server for Linux.
       
1.6 Further Reading

     * NET-2 HOWTO
     * Ethernet HOWTO
     * Multiple Ethernet Mini HOWTO
     * Linux Networking
     * PPP HOWTO
     * TCP/IP Network Administrator's Guide, O'Reilly and Associates
     * TIS Firewall Toolkit documentation
       
   Trusted Information System (TIS) keeps a large collection of papers
   and other material on firewalls at its site: http://www.tis.com/
   
   There is also a project to make Linux more secure, Secure Linux. Its
   site collects material on running Linux securely and reliably, which
   this document does not cover; I recommend reading it if you are
   interested in that side of things.
   
2. Understanding Firewalls

   The word firewall comes from cars. In a car the firewall is the
   physical barrier between the engine and the passengers: it protects
   the passengers if the engine catches fire, while still giving the
   driver access to the engine's controls. In computing, a firewall is a
   machine that protects a private network from the public one (the
   whole Internet). The firewall computer, called simply "the firewall"
   from here on, can reach both the protected network and the Internet.
   The protected network cannot reach the Internet, and the Internet
   cannot reach the protected network. To reach the Internet from inside
   the protected network, one must telnet to the firewall and use the
   Internet from there. The simplest form of firewall is a dual homed
   system, that is, a system with two network connections. If you can
   trust both networks, you can simply set up a Linux system with IP
   forwarding/gatewaying turned OFF, give everyone an account on it, and
   have them telnet and FTP in and out from that system, which provides
   no other services at all. This is less than ideal, and should never
   be done on the only computer in a network: a firewall needs a
   properly configured network around it. Let me say it once more: if
   you do not need a firewall, do not build one; it will only cause you
   extra trouble.
   
2.1 Drawbacks with Firewalls

   Firewalls are a big pain. The firewall blocks all traffic between the
   private network and the Internet, so the Internet can only be used
   through the firewall. Without proxy servers, users have to log into
   the firewall to run any program that talks to the Internet, and no
   host on the private network gets any Internet service directly. Also,
   new protocols come out almost daily, and it takes a while before a
   proxy server exists for each new one.
   
2.2 Types of Firewalls

   There are two kinds of firewall.
   
    1. IP filtering firewalls - block all but selected network traffic.
    2. Proxy servers - make the network connections for you.
       
  IP Filtering Firewalls
  
   An IP filtering firewall works at the packet level. It is designed to
   control the flow of packets based on the source, destination, port
   and packet type information contained in each packet. This kind of
   firewall is very secure but lacks any useful logging: it can block
   people from reaching private systems, but it will not tell you who
   accessed your public systems or who reached the Internet from the
   inside. Filtering firewalls are absolute filters. Even if you want to
   give one outside user access to a private server, you cannot do so
   without giving everyone access to that server. Linux has included
   packet filtering software in the kernel since version 1.3.x.
   
  Proxy Servers
  
   Proxy servers allow indirect Internet access through the firewall.
   The best illustration is a person telneting to one system and then
   telneting from there to another; with a proxy server the second step
   is automatic. When you connect to the proxy server with your client
   software, the proxy starts its own (proxy) client and passes the data
   back to you. Because a proxy server duplicates all the
   communications, it can log everything it does. The great thing about
   proxy servers is that, configured correctly, they are completely
   secure: they will not let anyone through, because there is no direct
   IP route across them.
   
3. Setting up the Firewall

3.1 Hardware Requirements

   In our example the computer is a 486-DX66 with 16M of memory and a
   500M Linux partition. The system has two network cards: one is
   connected to our private LAN and the other to the network we call
   the de-militarized zone, the network the router sits on. Note that a
   dial-up connection would also work: one network card for the private
   LAN and a modem with PPP to the Internet, in which case the firewall
   gets its IP address from the ISP. For a small network you can put the
   router, the modem and the firewall together on one machine; for a
   home network, Linux on a good old 386 will do fine. If you use a
   modem it is better to have the modem and the firewall on the same
   system, which saves a machine and is faster as well.
   
4. Firewall Software

4.1 Available Packages

   If all you want is a filtering firewall, you need only Linux and the
   basic networking packages. One package that may not come with your
   Linux distribution is the IP Firewall Administration tool (IPFWADM),
   available from http://www.xos.nl/linux/ipfwadm/. If you want a proxy
   server, you need one of these packages:
    1. SOCKS
    2. TIS Firewall Toolkit (FWTK)
       
4.2 The TIS Firewall Toolkit vs SOCKS

   Trusted Information System (http://www.tis.com) has released a
   collection of programs designed to make firewalling easier. These
   programs do basically the same thing as the SOCKS package, but with a
   different design. Where SOCKS has one program that handles all
   Internet transactions, TIS provides one program for each utility that
   is to use the firewall. To contrast the two, take world wide web and
   telnet access as an example. With SOCKS you set up one configuration
   file and one daemon; through that file and daemon both telnet and WWW
   are enabled, along with every other service you have not explicitly
   disabled. With the TIS toolkit you set up one daemon and one
   configuration for WWW and another for telnet; after that, every other
   kind of Internet access is still prohibited unless you explicitly set
   it up. If there is no daemon for a particular service (talk, for
   example), there is a "plug-in" daemon, but it is neither as flexible
   nor as easy to set up as the dedicated tools. This may seem a minor
   difference, but it matters: SOCKS allows you to be sloppy. With a
   poorly set up SOCKS server, someone on the inside could get more
   Internet access than was originally intended, whereas with the TIS
   toolkit the people on the inside have only the access the
   administrator gives them. SOCKS is easier to set up and compile and
   is more flexible; TIS is more secure if you want to regulate the
   users inside the protected network. Both provide absolute protection
   from the outside. I will cover the installation and setup of both.
   
5. Preparing the Linux System

5.1 Compiling the Kernel

   Start with a clean installation of your Linux distribution. I am
   using RedHat 3.0.3 and the examples here are based on it. The less
   software you have loaded, the fewer holes, backdoors and bugs there
   will be to introduce security problems, so load only a minimal set of
   packages. Pick a stable kernel; my system runs the Linux 2.0.14
   kernel, so this document is based on its options. You will need to
   recompile the kernel with the appropriate options. If you have not
   recompiled a kernel before, read the Kernel HOWTO, the Ethernet HOWTO
   and the NET-2 HOWTO first. Here are the network related settings that
   I know work under 'make config':
    1. General setup
         1. Networking Support: ON
    2. Networking Options
         1. Network firewalls: ON
         2. TCP/IP Networking: ON
         3. IP forwarding/gatewaying: OFF (unless you want IP filtering)
         4. IP Firewalling: ON
         5. IP firewall packet logging: ON (not required, but a good idea)
         6. IP: masquerading: OFF (not covered by this document)
         7. IP: accounting: ON
         8. IP: tunneling: OFF
         9. IP: aliasing: OFF
        10. IP: PC/TCP compatibility mode: OFF
        11. IP: Reverse ARP: OFF
        12. Drop source routed frames: ON
    3. Network device support
         1. Network device support: ON
         2. Dummy net driver support: ON
         3. Ethernet (10 or 100Mbit): ON
         4. Select your network card
       
   Now recompile and reinstall the kernel and reboot. Your network cards
   should show up in the boot messages. If they don't, go over the
   HOWTOs listed above again until they do.
   
5.2 Configuring Two Network Cards

   With two network cards in the computer you will most likely need to
   add an append statement to /etc/lilo.conf describing the IRQ and I/O
   address of both cards. My lilo.conf append line looks like this:
    append="ether=12,0x300,eth0 ether=15,0x340,eth1"

5.3 Configuring the Network Addresses

   This is the interesting part, and you have a few decisions to make.
   Since we do not want the Internet to have access to any part of the
   private network, the private network does not need real addresses. A
   number of address ranges have been set aside for private networks;
   because everyone needs more addresses, and because these addresses
   cannot be routed across the Internet, they are a good choice. Of
   these ranges, 192.168.2.xxx is the one used in the examples here.
   
   Your proxy server must belong to both networks so that it can pass
   data between them.
   
            199.1.2.10   __________    192.168.2.1
     _  __  _        \ |         | /         _______________
   | \/  \/ |             \|        |/          |            |
   | Internet \-------------| Firewall |-------------------| Workstation  |
     \_/\_/\_/\_/          |_________|           |______________|

   With a filtering firewall you could instead use IP masquerading: the
   firewall then rewrites the packets so that they leave with its real
   IP address. Give the real address (here 199.1.2.10) to the card on
   the Internet side, and give the card on the inside 192.168.2.1; this
   is the gateway address for every machine on the private network. The
   other machines on the private network can use any address in the
   192.168.2.xxx range, from 192.168.2.2 to 192.168.2.254. On RedHat
   Linux I added an ifcfg-eth1 file in the /etc/sysconfig/network-scripts
   directory so that the second card and its routing are configured at
   boot time. Here is the ifcfg-eth1 file for our example:
    #!/bin/sh
    #>>>Device type: ethernet
    #>>>Variable declarations:
    DEVICE=eth1
    IPADDR=192.168.2.1
    NETMASK=255.255.255.0
    NETWORK=192.168.2.0
    BROADCAST=192.168.2.255
    GATEWAY=199.1.2.10
    ONBOOT=yes
    #>>>End variable declarations

   If you use a modem to dial in to your ISP, the ipup-ppp script
   handles the connection instead, and your IP address is assigned by
   the ISP when the link comes up.
   
5.4 Testing Your Network

   Start with the ifconfig and route commands. With two network cards
   your ifconfig output should look something like this:
  #ifconfig
  lo        Link encap:Local Loopback
            inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
            UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
            RX packets:1620 errors:0 dropped:0 overruns:0
            TX packets:1620 errors:0 dropped:0 overruns:0

  eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
            inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0
            TX packets:0 errors:0 dropped:0 overruns:0
            Interrupt:12 Base address:0x310

  eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
            inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0
            TX packets:0 errors:0 dropped:0 overruns:0
            Interrupt:15 Base address:0x350

   and your route table should look like this:
#route -n
Kernel routing table
Destination   Gateway   Genmask    Flags  MSS  Window  Use  Iface
199.1.2.0     *       255.255.255.0   U   1500   0      15 eth0
192.168.2.0   *       255.255.255.0   U   1500   0       0 eth1
127.0.0.0     *       255.0.0.0      U   3584   0       2 lo
default      199.1.2.10   *          UG  1500   0       72 eth0

   Note that 199.1.2.0 is the Internet side of this firewall and
   192.168.2.0 is the private side. Now try to ping the Internet from
   the firewall; I use nic.ddn.mil as my test point. It is still a good
   test, but not as reliable as it used to be, so if it does not answer
   try pinging a few other places that are not connected to your own
   LAN. If none of them answer, your PPP or network setup is wrong:
   reread the Net-2 HOWTO and try again. Next, ping a host on the
   protected network from the firewall, and then ping the firewall from
   a host on the protected network; every machine on the inside should
   be able to ping the firewall. If not, go over the Net-2 HOWTO once
   more. Now try to ping the Internet from a machine on the protected
   network (any 192.168.2.xxx address). This should NOT work, and that
   is the point: if it does, IP forwarding has not been turned off in
   the kernel, so go back and check your kernel configuration. With IP
   forwarding off, nothing passes through the firewall until you set up
   IP filtering. If you turned IP forwarding on and used real addresses
   on the inside instead of 192.168.2.*, the inside could ping the
   outside, but the outside could not answer until the router had a
   route for your inside addresses, which your ISP would have to set
   up. With 192.168.2.* addresses on the inside, no packet can be sent
   to the Internet at all unless you use IP masquerading. If these tests
   behave as described, your network configuration is complete.
   
5.5 Securing the Firewall

   A firewall is no good if it is left wide open to attack, so the
   services running on it must be reduced to the minimum. Start by
   turning off everything that is not needed. Look at /etc/inetd.conf:
   this file configures inetd, the so-called "super server", which
   controls a number of server daemons and starts them when they are
   requested. Turn off netstat, systat, tftp, bootp and finger. To turn
   a service off, put '#' as the first character of its line. When you
   are done, send a SIG-HUP to inetd with "kill -HUP <pid>", where <pid>
   is the process number of inetd; inetd then rereads inetd.conf and
   restarts its services. Test the result by telneting to port 15 (the
   netstat port) on the firewall: if you get any output, the service has
   not been turned off.
   
6. IP Filtering Setup (IPFWADM)

   Now turn IP forwarding on in the kernel. The system will then start
   forwarding every packet between its two interfaces, and if the
   routing table is set up the two networks can talk to each other in
   both directions, which means you no longer have a firewall at all.
   Because ipfwadm is driven by commands, I wrote the following script
   to set up the firewall's forwarding and accounting rules. It is run
   from /etc/rc.d at boot time, so the rules are in place as soon as the
   system comes up. The Linux kernel starts forwarding the moment IP
   forwarding is on, so the script first denies all forwarding and then
   flushes any previously loaded rules, so that everything that follows
   starts from a clean, closed state.
   
  #
  # setup IP packet Accounting and Forwarding
  #
  #   Forwarding
  #
  # By default DENY all services
  ipfwadm -F -p deny
  # Flush all commands
  ipfwadm -F -f
  ipfwadm -I -f
  ipfwadm -O -f

   Now we have the ultimate firewall: nothing can get through in either
   direction. Of course some services are needed, so here are some
   example rules that add them:
  # Forward email to your server (outside clients to the inside mail
  # server on port 25; -b also accepts the replies)
  ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25

  # Forward email connections to outside email servers (inside mail
  # server to port 25 anywhere)
  ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 1024:65535 -D 0.0.0.0/0 25

  # Forward Web connections to your Web Server
  /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80

  # Forward Web connections to outside Web Servers (inside clients to
  # port 80 anywhere; ipfwadm takes address/mask, not a '*' wildcard)
  /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 1024:65535 -D 0.0.0.0/0 80

  # Forward DNS traffic
  /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24

   To have the firewall count the traffic passing through it, add
   accounting rules:

  # Flush the current accounting rules
  /sbin/ipfwadm -A -f
  # Accounting: count packets in both directions between the inside
  # network and everywhere else
  /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
  /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
  /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
  /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24

   If all you needed was a filtering firewall, you can stop here. Happy
   computing!
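The following model of the forwarding chain built above is an added example, not code from the HOWTO or from ipfwadm: it re-implements ipfwadm's first-match evaluation with a default policy, including the -b (bidirectional) flag, so that the accept rules from this section can be checked against constructed packets before they go on a live firewall. The addresses 196.1.2.10, 196.1.2.11 and 196.1.2.0/24 are the HOWTO's; the 10.0.0.x "outside" hosts in the usage are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PortRange = Tuple[int, int]            # inclusive (lo, hi)


@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One 'ipfwadm -F -a accept' line."""
    proto: str                         # -P tcp | udp | all
    src_net: ipaddress.IPv4Network     # -S address/mask
    sports: PortRange                  # -S port or lo:hi
    dst_net: ipaddress.IPv4Network     # -D address/mask
    dports: PortRange
    bidirectional: bool = True         # -b: also match with src and dst swapped

    def _one_way(self, p: Packet) -> bool:
        return (self.proto in ("all", p.proto)
                and ipaddress.ip_address(p.src) in self.src_net
                and self.sports[0] <= p.sport <= self.sports[1]
                and ipaddress.ip_address(p.dst) in self.dst_net
                and self.dports[0] <= p.dport <= self.dports[1])

    def matches(self, p: Packet) -> bool:
        if self._one_way(p):
            return True
        if not self.bidirectional:
            return False
        # -b: the reply direction of the same connection is covered by the same rule
        return self._one_way(Packet(p.proto, p.dst, p.dport, p.src, p.sport))


ANY = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT: PortRange = (0, 65535)
HIGH: PortRange = (1024, 65535)        # the "1024:65535" client range used in the script


def host(addr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(addr + "/32")


def port(n: int) -> PortRange:
    return (n, n)


# The accept rules of this section, tried in order after "ipfwadm -F -p deny".
FORWARD_RULES: List[Rule] = [
    Rule("tcp", ANY, HIGH, host("196.1.2.10"), port(25)),                        # mail in
    Rule("tcp", host("196.1.2.10"), HIGH, ANY, port(25)),                        # mail out
    Rule("tcp", ANY, HIGH, host("196.1.2.11"), port(80)),                        # web in
    Rule("tcp", ipaddress.ip_network("196.1.2.0/24"), HIGH, ANY, port(80)),      # web out
    Rule("udp", ANY, port(53), ipaddress.ip_network("196.1.2.0/24"), ANY_PORT),  # dns
]


def forward_decision(p: Packet, rules: List[Rule] = FORWARD_RULES, policy: str = "deny") -> str:
    """First matching rule wins; with no match the chain's default policy (-p) applies."""
    for r in rules:
        if r.matches(p):
            return "accept"
    return policy


if __name__ == "__main__":
    # constructed sample: an inside client browsing out, and an outside host probing telnet
    print(forward_decision(Packet("tcp", "196.1.2.50", 3000, "10.0.0.1", 80)))   # accept
    print(forward_decision(Packet("tcp", "10.0.0.1", 4000, "196.1.2.50", 23)))   # deny
```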
   
7. Installing the TIS Proxy Server

7.1 Getting the Software

   The TIS FWTK is available from ftp://ftp.tis.com/. Don't make the
   mistake I did: when you fetch files from TIS, READ THE README files.
   The TIS fwtk is kept in a hidden directory on their server. To learn
   the name of that directory you must send e-mail to
   fwtk-request@tis.com containing only the word SEND in the body of the
   message; no Subject is needed. Their system mails the directory name
   back to you; it is valid for 12 hours, so download the source right
   away. At the time of writing the newest FWTK release is 2.0 beta.
   Apart from a few small problems it compiled without trouble, and it is
   the version used in this HOWTO; when the final release appears I will
   update the HOWTO. To install the FWTK, create a fwtk-2.0 directory
   under /usr/src, move the FWTK archive (fwtk-2.0.tar.gz) into it and
   unpack it there with "tar zxf fwtk-2.0.tar.gz". The FWTK does not
   proxy SSL web documents, but Jean-Christophe Touvet wrote an add-on
   for that, available from
   ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z. Eric Wedel wrote a
   modified version of it that also supports Netscape secure news
   servers, available from
   ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z. Our
   example uses Eric Wedel's version. To install it, simply create an
   ssl-gw directory under /usr/src/fwtk-2.0 and move its files there. I
   had to make a few changes to get it to compile along with the rest of
   the toolkit. First, ssl-gw.c is missing a necessary include:
  #if defined(__linux)
  #include        <sys/ioctl.h>
  #endif

   Second, it has no Makefile. Copy the Makefile from one of the other
   gateway directories and change the target name in it to ssl-gw.
   
7.2 Compiling the TIS FWTK

   Version 2.0 of the FWTK compiles much more easily than any earlier
   version, but I still had to fix a few things to get the BETA to
   compile under Linux; hopefully these fixes will be in the final
   release. Start by going to the /usr/src/fwtk/fwtk directory and
   copying Makefile.config.linux over Makefile.config. DON'T run FIXMAKE,
   whatever the instructions say: it breaks the Makefile in every
   directory. The fix for fixmake is to change the sed command it runs
   over each Makefile, which rewrites the include lines, to the
   following:
  # the two bracket expressions each contain a space and a tab
  sed 's/^include[        ]*\([^  ].*\)/include \1/' $name.proto > $name

   Next, edit Makefile.config. FWTKSRCDIR must point at the directory
   the source was unpacked into; with the layout used here it is:
  FWTKSRCDIR=/usr/src/fwtk/fwtk

   Some Linux systems use the gdbm database while Makefile.config uses
   dbm. RedHat 3.0.3, for example, uses gdbm, so change the line to:
  DBMLIB=-lgdbm

   To get x-gw to compile in the BETA version, delete the following
   lines from socket.c:
  #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
                       + sizeof(un_name->sun_len) + 1
  #endif

   If you added ssl-gw to your FWTK source directory, add it to the
   directory list in the Makefile as well:
  DIRS=   smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw

   With these changes made, type make.
   
7.3 Installing the TIS FWTK

   Run make install. The default installation directory is
   /usr/local/etc. You could change this to a more secure directory; I
   didn't, but I did change the directory's permissions with
   "chmod 700". All that is left now is to configure the firewall.
   
7.4 Configuring the TIS FWTK

   Now the fun really begins. You have to teach the system to call these
   new services and create the tables that control them. I am not going
   to rewrite the TIS FWTK manual here; I will show the settings I found
   to work and explain the problems I ran into. Three files make up the
   controls:
   
     * /etc/services
          + tells the system which port each service lives on
       
     * /etc/inetd.conf
          + tells inetd what to run when someone connects to one of
            those ports
       
     * /usr/local/etc/netperm-table
          + tells the FWTK services whom to permit and whom to deny
       
   To get the FWTK working you should edit these files from the bottom
   up: changing the services file before inetd.conf and netperm-table
   are correct could leave your system completely inaccessible.
   
  The netperm-table file
  
   This file controls who may use the services of the TIS FWTK. Think
   about the traffic through the firewall from both sides: people outside
   your network should identify themselves before they get access, while
   people on the inside may be allowed to pass straight through. To let
   people identify themselves, the firewall runs a program called
   authsrv which keeps a database of user IDs and passwords. The
   authentication section of netperm-table controls where that database
   is kept and who may use it. I had trouble closing off access to this
   service: the permit-hosts line shown below uses '*', which gives
   everyone access. The correct setting should be "authsrv: permit-hosts
   localhost" if you can get that to work.
  #
  # Proxy configuration table  ŷñ
  #
  # Authentication server and client rules
  authsrv:      database /usr/local/etc/fw-authdb
  authsrv:      permit-hosts *
  authsrv:      badsleep 1200
  authsrv:      nobogus true
  # Client Applications using the Authentication server
  *:            authserver 127.0.0.1 114

   To initialize the database, su to root and run ./authsrv in
   /var/local/etc to create the administrative user record. Here is a
   sample session. Read the FWTK documentation to learn how to add users
   and groups.
    #
    # authsrv
    authsrv# list
    authsrv# adduser admin "Auth DB admin"
    ok - user added initially disabled
    authsrv# ena admin
    enabled
    authsrv# proto admin pass
    changed
    authsrv# pass admin "plugh"
    Password changed.
    authsrv# superwiz admin
    set wizard
    authsrv# list
    Report for users in database
    user   group  longname           ok?    proto   last
    ------ ------ ------------------ -----  ------  -----
    admin         Auth DB admin      ena    passw   never
    authsrv# display admin
    Report for user admin (Auth DB admin)
    Authentication protocol: password
    Flags: WIZARD
    authsrv# ^D
    EOT
    #

   The telnet gateway (tn-gw) controls are straightforward and the first
   you should set up. In this example, hosts inside the private network
   pass straight through (permit-hosts 196.1.2.* -passok), but any other
   user must enter a user ID and password before using the proxy
   (permit-hosts * -auth). I also allow one system (196.1.2.202) to
   telnet to the firewall itself; the netacl-in.telnetd line does this.
   The telnet timeout should be kept short.
  # telnet gateway rules:
  tn-gw:                denial-msg      /usr/local/etc/tn-deny.txt
  tn-gw:                welcome-msg     /usr/local/etc/tn-welcome.txt
  tn-gw:                help-msg        /usr/local/etc/tn-help.txt
  tn-gw:                timeout 90
  tn-gw:                permit-hosts 196.1.2.* -passok -xok
  tn-gw:                permit-hosts * -auth
  # Only the Administrator can telnet directly to the Firewall via Port 24
  netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd

   The r-commands are set up the same way as telnet:
  # rlogin gateway rules:
  rlogin-gw:    denial-msg      /usr/local/etc/rlogin-deny.txt
  rlogin-gw:    welcome-msg     /usr/local/etc/rlogin-welcome.txt
  rlogin-gw:    help-msg        /usr/local/etc/rlogin-help.txt
  rlogin-gw:    timeout 90
  rlogin-gw:    permit-hosts 196.1.2.* -passok -xok
  rlogin-gw:    permit-hosts * -auth -xok
  # Only the Administrator can telnet directly to the Firewall via Port
  netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a

   Nobody should be logging into the firewall to transfer files, so do
   not run an FTP server on the firewall itself; the FTP proxy is what
   goes there. Again, the permit-hosts line lets anyone on the protected
   network out to the Internet, and everyone else must authenticate. I
   log every file sent and received (-log { retr stor }). The FTP timeout
   controls both how long it takes to drop a bad connection and how long
   an idle connection stays open.
  # ftp gateway rules:
  ftp-gw:               denial-msg      /usr/local/etc/ftp-deny.txt
  ftp-gw:               welcome-msg     /usr/local/etc/ftp-welcome.txt
  ftp-gw:               help-msg        /usr/local/etc/ftp-help.txt
  ftp-gw:               timeout 300
  ftp-gw:               permit-hosts 196.1.2.* -log { retr stor }
  ftp-gw:               permit-hosts * -authall -log { retr stor }

   Web, gopher and browser-based ftp are all handled by http-gw. The
   first two lines set up a directory in which ftp and WWW documents are
   stored while they pass through the firewall; these files are owned by
   root and the directory is accessible only by root. The WWW timeout
   should be short, since it controls how long a user waits on a bad
   connection.
  # www and gopher gateway rules:
  http-gw:      userid          root
  http-gw:      directory       /jail
  http-gw:      timeout 90
  http-gw:      default-httpd   www.afs.net
  http-gw:      hosts           196.1.2.* -log { read write ftp }
  http-gw:      deny-hosts      *

   ssl-gw is not really a gateway at all; it is a direct connection for
   anyone allowed to use it, so configure it with care. In this example
   anyone on the inside (196.1.2.*) may connect through it to any outside
   server except the addresses 127.0.0.* and 192.1.1.*, and only to
   ports 443 and 563, the well-known SSL ports.
  # ssl gateway rules:
  ssl-gw:   timeout 300
  ssl-gw:   hosts           196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
  ssl-gw:   deny-hosts      *

   Here is an example of the plug-gw used as a news proxy. Anyone on the
   inside may connect to one system, the news server, and only on its
   news port; the second line lets the news server send its data back
   to the private network. Because most news clients expect to stay
   connected while the user reads, the timeout should be long.

  # NetNews plugged gateway
  plug-gw:        timeout 3600
  plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
  plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp

   The finger gateway is simple. Anyone on the inside must log in first
   and can then run the finger program on the firewall; anyone else just
   gets a message.
  # Enable finger service --------趨finger
  netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
  netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

   I have not set up the mail and X Windows services for this HOWTO, so
   no examples are given. If anyone has a working example, please send
   me e-mail.
   
  The inetd.conf file
  
   Here is the complete /etc/inetd.conf. All unneeded services are
   commented out with '#'. The whole file is shown so that you can see
   what to turn off as well as how the new firewall services are set up.

  #echo stream  tcp  nowait  root               internal
  #echo dgram   udp  wait    root       internal
  #discard              stream  tcp  nowait  root       internal
  #discard              dgram   udp  wait    root       internal
  #daytime              stream  tcp  nowait  root       internal
  #daytime              dgram   udp  wait    root       internal
  #chargen              stream  tcp  nowait  root       internal
  #chargen              dgram   udp  wait    root       internal
  # FTP firewall gateway
  ftp-gw      stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
  # Telnet firewall gateway
  telnet        stream  tcp  nowait      root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
  # local telnet service (administrator's direct access, via netacl)
  telnet-a    stream  tcp  nowait      root  /usr/local/etc/netacl in.telnetd
  # Gopher firewall gateway
  gopher        stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
  # WWW firewall gateway
  http  stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
  # SSL firewall gateway
  ssl-gw  stream  tcp     nowait  root /usr/local/etc/ssl-gw   ssl-gw
  # NetNews firewall proxy (using plug-gw)
  nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
  #nntp stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
  # SMTP (email) firewall gateway
  #smtp stream  tcp     nowait  root    /usr/local/etc/smap smap
  #
  # Shell, login, exec and talk are BSD protocols
  #
  #shell        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
  #login        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
  #exec stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
  #talk dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
  #ntalk        dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
  #dtalk        stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
  #
  # Pop and imap mail services et al
  #
  #pop-2   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop2d
  #pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop3d
  #imap    stream  tcp  nowait  root  /usr/sbin/tcpd    imapd
  #
  # The Internet UUCP service
  #
  #uucp    stream  tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
  #
  # Tftp service is provided primarily for booting.  Most sites
  # run this only on machines acting as "boot servers." Do not uncomment
  # this unless you *need* it.
  #
  #tftp dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
  #bootps       dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
  #
  # Finger, systat and netstat give out user information which may be
  # valuable to potential "system crackers."  Many sites choose to disable
  # some or all of these services to improve security.
  #
  # cfinger is for GNU finger, which is currently not in use in RHS Linux
  #
  finger        stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
  #cfinger      stream  tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
  #systat       stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
  #netstat      stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
  #
  # Time service is used for clock synchronization.
  #
  #time stream  tcp  nowait  root  /usr/sbin/tcpd  in.timed
  #time dgram   udp  wait    root  /usr/sbin/tcpd  in.timed
  #
  # Authentication
  #
  auth          stream  tcp  wait    root  /usr/sbin/tcpd  in.identd -w -t120
  authsrv       stream  tcp  nowait  root  /usr/local/etc/authsrv authsrv
  #
  # End of inetd.conf

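The following audit script is an added example, not part of the HOWTO: it parses inetd.conf lines in the format shown above (service, socket type, protocol, wait/nowait, user, server program, arguments), returns the services that are still enabled, and flags the ones section 5.5 says to switch off, which is an easy way to check a file like the one above before restarting inetd. The sample file is a constructed excerpt in the same layout; the "unwrapped" check (a server that is neither an FWTK gateway under /usr/local/etc nor started through tcpd) is the editor's addition.

```python
from typing import Dict, List, NamedTuple


class InetdEntry(NamedTuple):
    service: str      # name looked up in /etc/services
    socktype: str     # stream | dgram
    proto: str        # tcp | udp
    wait: str         # wait | nowait[.max]
    user: str
    server: str       # program inetd runs ("internal" for built-ins)
    args: List[str]


# Section 5.5: switch these off before the firewall goes on the net.
SHOULD_BE_OFF = {"netstat", "systat", "tftp", "bootps", "finger"}

FWTK_DIR = "/usr/local/etc/"   # where make install put the FWTK gateways


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Return only the enabled entries: blank lines and '#' lines are skipped."""
    entries: List[InetdEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        entries.append(InetdEntry(f[0], f[1], f[2], f[3], f[4], f[5], f[6:]))
    return entries


def audit_inetd_conf(text: str) -> Dict[str, List[str]]:
    """Summarise what is enabled and what the HOWTO says should not be."""
    entries = parse_inetd_conf(text)
    return {
        "enabled": [e.service for e in entries],
        "should_be_off": [e.service for e in entries if e.service in SHOULD_BE_OFF],
        "unwrapped": [e.service for e in entries
                      if e.server != "internal"
                      and not e.server.endswith("/tcpd")
                      and not e.server.startswith(FWTK_DIR)],
    }


# Constructed excerpt in the layout of the listing above.
SAMPLE_INETD_CONF = """
#echo    stream  tcp  nowait  root  internal
ftp-gw   stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
telnet   stream  tcp  nowait      root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
#tftp    dgram   udp  wait    root  /usr/sbin/tcpd  in.tftpd
finger   stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
#netstat stream  tcp  nowait  guest /usr/sbin/tcpd  /bin/netstat -f inet
pop-3    stream  tcp  nowait  root  /usr/sbin/ipop3d ipop3d
authsrv  stream  tcp  nowait  root  /usr/local/etc/authsrv authsrv
"""

if __name__ == "__main__":
    for key, names in audit_inetd_conf(SAMPLE_INETD_CONF).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run against the listing above, the check flags finger, which that file leaves enabled although section 5.5 says to turn it off.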
  The /etc/services file
  
   This is where it all begins. When a client connects to the firewall,
   it connects to a well-known port, below 1024; telnet, for example,
   connects to port 23. inetd hears the connection and looks up the name
   of the service in /etc/services, then runs the program assigned to
   that name in /etc/inetd.conf. Some of the services we are creating
   are not normally listed in /etc/services, and you may put them on any
   port you like: I assigned the administrator's telnet (telnet-a) to
   port 24, but 2323 would do just as well. To connect directly to the
   firewall, the administrator (you) must telnet to port 24 rather than
   23, and if netperm-table is set up as shown above you can only do so
   from one system inside the protected network.
   

  telnet-a         24/tcp
  ftp-gw          21/tcp           # this name changed
  auth            113/tcp   ident    # User Verification
  ssl-gw           443/tcp

8. The SOCKS Proxy Server

8.1 Setting up the Proxy Server

   The SOCKS proxy server is available from
   ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-
   src.tgz. The same directory holds an example configuration file
   called "socks-conf". Uncompress and untar the files into a directory
   on your system and follow the instructions to make it. I had a couple
   of problems building it, so make sure your Makefiles are correct. One
   important thing: the proxy server must be added to /etc/inetd.conf
   with a line like this:
  socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd

   so that the server is started whenever a request arrives.
   
8.2 Configuring the Proxy Server

   SOCKS needs two separate configuration files: one that says who is
   allowed access, and one that routes requests to the appropriate proxy
   server. The access file lives on the server; the routing file must be
   on every UNIX machine. DOS and, I assume, Macintosh computers do
   their own routing.
   
  The Access File
  
   With socks4.2 beta the access file is called "sockd.conf". It should
   contain at least two lines, a permit line and a deny line. Each line
   has three fields:
     * the identifier (permit/deny)
     * the IP address
     * the address modifier
       
   The identifier is either permit or deny; you should have both a
   permit and a deny line. The IP address is a four byte address in the
   usual dotted notation, e.g. 192.168.2.0. The address modifier is also
   a four byte number in IP notation, and it works like a netmask: think
   of it as 32 bits, and wherever a bit is 1, the corresponding bit of
   the address being checked must equal the corresponding bit of the IP
   address field. For instance, the line
    permit 192.168.2.23  255.255.255.255

   permits only the address that matches every bit, in this case
   192.168.2.23 alone. The line
    permit 192.168.2.0  255.255.255.0

   permits every address from 192.168.2.0 to 192.168.2.255, the whole
   class C network. You should never write
    permit 192.168.2.0  0.0.0.0

   because it permits every address whatsoever. So first permit every
   address you want to allow, and then deny everything else. To allow
   everyone in the 192.168.2.xxx domain, the lines
   
    permit 192.168.2.0  255.255.255.0
    deny 0.0.0.0  0.0.0.0

   will do nicely. Note the first "0.0.0.0" in the deny line: with a
   modifier of 0.0.0.0 the IP address field does not matter, and all
   zeros is the usual choice because it is easy to type. More than one
   line of each kind is allowed. Individual users can also be granted or
   denied access, by means of ident authentication; not every system
   supports ident (Trumpet Winsock among them), so I will not go into
   that here. The documentation that comes with SOCKS covers it well.
   
   
  The Routing File
  
   The routing file in SOCKS is called "socks.conf", a name so close to
   that of the access file that the two are easy to confuse. The routing
   file tells the SOCKS clients when to use socks and when not to. In our
   network, for example, 192.168.2.3 does not need socks to talk to
   192.168.2.1, the firewall, because it has a direct Ethernet connection
   to it. 127.0.0.1, the loopback address, is defined automatically; you
   do not need SOCKS to talk to yourself.
   
   There are three kinds of entry:
     * deny
     * direct
     * sockd
       
   A deny entry tells SOCKS when to reject a request. It has the same
   three fields as in sockd.conf: identifier, IP address and modifier.
   Since access is also controlled by sockd.conf, the modifier is
   usually 0.0.0.0; if you want to keep yourself from calling some place
   at all, you can do it here.
   
   A direct entry lists the addresses that do not go through socks, that
   is, all the addresses reachable without the proxy server. Again
   there are three fields: identifier, address and modifier. Here we
   have
   
    direct 192.168.2.0 255.255.255.0

   The sockd entry tells the client which host runs the socks server
   daemon. Its syntax is
  sockd @=<serverlist> <IP address> <modifier>

   Note the @= entry: it lets you give the IP addresses of a list of
   proxy servers. In our example there is only one proxy server, but you
   can have several, both to spread the load and so that another server
   takes over if one fails.
   
   The IP address and modifier fields work just as in the other files.
   
  DNS from behind a Firewall
  
   Setting up Domain Name Service from behind a firewall is a simple
   matter: set up DNS on the firewall machine, then point every machine
   behind the firewall at that DNS.
  
8.3 Working with a Proxy Server

  Unix
  
   To make your applications work with the proxy server they must be
   "sockified". You need two different telnets, one for direct
   communication and one for communication through the proxy server.
   SOCKS comes with instructions on how to sockify a program, and with a
   few programs already sockified. If you use the sockified version to
   go somewhere direct, SOCKS automatically switches to the direct
   version for you, so we rename the original programs on the protected
   network and replace them with the sockified ones: "finger" becomes
   "finger.orig", "telnet" becomes "telnet.orig", and so on. You tell
   SOCKS about each of these through the include/socks.h file. Some
   programs handle the routing and sockifying themselves; Netscape is
   one of them. To use a proxy server from Netscape, just enter the
   server's address (192.168.2.1 in our case) in the SOCKS field under
   Proxies. Every application needs at least a little adjusting,
   regardless of how it handles the proxy server.
   
  MS Windows with Trumpet Winsock
  
   Trumpet Winsock has built-in proxy server support. In the "setup"
   menu, enter the IP address of the server and the addresses of all the
   computers that can be reached directly; Trumpet then handles all the
   outgoing packets.
   
  Getting the Proxy Server to Work with UDP Packets
  
   The SOCKS package works only with TCP packets, not UDP, which makes it
   somewhat less useful: many useful programs, such as talk and Archie,
   use UDP. There is a package designed as a proxy server for UDP
   packets, called UDPrelay, by Tom Fitzgerald <fitz@wang.com>.
   Unfortunately, at the time of writing it does not work on Linux.
   
8.4 Drawbacks with Proxy Servers

   The proxy server is, above all, a security device. Using it to widen
   Internet access with a limited number of IP addresses has many
   drawbacks. A proxy server gives the inside of the protected network
   more access to the outside, but keeps the inside completely
   unreachable from the outside: no servers, no talk or archie
   connections, and no mail delivered directly to the inside machines.
   These drawbacks may seem slight, but think of it this way:
   
     * You have left a report you are working on at your computer
       inside the firewall-protected network. You are at home and want
       to go over it. You can't: your computer is behind the firewall.
       You try to log into the firewall first, but since everyone has
       proxy access, nobody has set up an account for you there.
     * Your daughter goes to college. You want to e-mail her about some
       private matters and would rather have her mail delivered straight
       to your own machine. You trust your system administrator
       completely, but still, this is private mail.
     * You cannot use UDP, which is a drawback of proxy servers in
       general; UDP support would be a nice thing to have.
       
   FTP is another problem with a proxy server. When getting a file or
   doing an ls, the FTP server opens a socket back to the client machine
   and sends the data through it. A proxy server will not allow this, so
   FTP does not work well. And proxy servers are slow: because of the
   extra overhead, almost any other way of getting the same access is
   faster. In short, if you have the IP addresses and are not worried
   about security, do not use a firewall or proxy server; and if you do
   not have the IP addresses but are not worried about security either,
   look at an IP emulator such as Term, Slirp or TIA. Term is available
   from ftp://sunsite.unc.edu, Slirp from
   ftp://blitzen.canberra.edu.au/pub/slirp, and TIA from marketplace.com.
   Proxy servers are best for networks with many hosts that want to
   connect to the Internet on the fly: one setup, and little work after
   that.
   
9. Advanced Configurations

   There is one more configuration I would like to go over before
   wrapping up. The setup described so far will probably suffice for
   most people, but the following more advanced example should clear up
   some remaining questions. If you have questions beyond what has been
   covered, or are just interested in how versatile proxy servers and
   firewalls can be, read on.
   
9.1 A Large Network with Emphasis on Security

   Say you are the leader of a militia and want to network your site.
   You have 50 computers and a subnet of 32 IP addresses. Different
   members of the network need different levels of access, because you
   tell your followers different things, so parts of the network have to
   be protected from the rest. The levels are:
   
    1. The external level: the part shown to everybody. This is where
       new members are recruited.
    2. Troops: the people who have got past the external level. Here
       they are told some of the organisation's secrets.
    3. Mercenaries: where the real plans are made.
       
  Network Setup
  
   The IP addresses are arranged as follows:
   
     * One address, 192.168.2.255, is the broadcast address and cannot
       be used.
     * 23 of the 32 addresses go to 23 machines that will be accessible
       from the Internet.
     * One address goes to a Linux box on that network.
     * One more goes to a second Linux box on that network.
     * Two addresses go to the router.
     * The remaining four addresses are given names of their own, just
       to confuse things a little.
     * The protected networks both use addresses of the form
       192.168.2.xxx.
       
   Two separate networks are then built, each in a different room,
   joined by infrared Ethernet so that they are completely invisible
   from outside the room; infrared Ethernet works just like ordinary
   Ethernet. Each of these networks is connected to one of the Linux
   boxes that got an extra IP address. A file server connects the two
   protected networks, because the plans involve some of the higher
   ranking troops. The file server is 192.168.2.17 on the troop network
   and 192.168.2.23 on the mercenary network; it needs two addresses
   because it has two Ethernet cards. IP forwarding on the file server
   is turned off, and IP forwarding on both Linux boxes is turned off as
   well. The router will not forward packets addressed to 192.168.2.xxx
   unless explicitly told to, so the Internet cannot get in. IP
   forwarding is switched off so that packets from the troop network
   cannot reach the mercenary network, and vice versa. The NFS server
   can be set up to offer different files to the different networks,
   and a little trickery with symbolic links lets the common files be
   shared by all. With one more Ethernet card, the same file server
   could serve all three networks.
   
  Proxy Setup
  
   Since all three levels need Internet access, proxy servers are
   needed. The external network is connected directly to the Internet,
   so no proxy is needed there; the mercenary and troop networks sit
   behind the firewalls, so proxy servers must be set up for them. The
   two setups are very similar, and both networks use the same address
   range. To make things more interesting, I add two requirements:
    1. Nobody may use the file server for Internet access. It would
       expose the file server to viruses and other nasty things, and
       the file server is too important for that.
    2. The troops get no access to the world wide web. They are still
       in training, and that kind of information retrieval power could
       do harm.
       
   So the sockd.conf file on the troop network's Linux box gets this
   line:
    deny 192.168.2.17  255.255.255.255

   and the one on the mercenary network's Linux box gets:
    deny 192.168.2.23  255.255.255.255

   The troop network's Linux box also gets this line:
    deny 0.0.0.0  0.0.0.0 eq 80

   This denies every machine access to port 80, the http port, while
   still allowing all other services; only web access is blocked. Then
   both sockd.conf files get:
    permit 192.168.2.0  255.255.255.0

   which lets every computer on the 192.168.2.xxx network use the proxy
   server, except those already denied (the file server, and web access
   from the troop network).
   
   The troop network's sockd.conf therefore looks like this:
    deny 192.168.2.17  255.255.255.255
    deny 0.0.0.0  0.0.0.0 eq 80
    permit 192.168.2.0  255.255.255.0

   and the mercenary network's sockd.conf like this:
    deny 192.168.2.23  255.255.255.255
    permit 192.168.2.0  255.255.255.0
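The following evaluator is an added example, not code from the HOWTO or from the sockd sources: it implements the sockd.conf matching rule described in section 8.2 (a 1 bit in the modifier means that bit of the client address must equal the address field) together with the "eq <port>" clause used in the two files above, trying lines in order and letting the first match decide. Only the line forms shown in this HOWTO are parsed, and a request that matches no line is treated as refused, which is what the HOWTO's closing deny line guarantees anyway.

```python
from typing import List, Optional, Tuple

Line = Tuple[str, int, int, Optional[int]]   # (permit|deny, address, modifier, "eq" port or None)


def ip_to_int(dotted: str) -> int:
    parts = [int(x) for x in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def parse_sockd_conf(text: str) -> List[Line]:
    """Parse the line forms used in the HOWTO: 'permit|deny addr modifier [eq port]'."""
    rules: List[Line] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        f = line.split()
        if f[0] not in ("permit", "deny") or len(f) not in (3, 5):
            raise ValueError(f"unsupported sockd.conf line: {raw!r}")
        port = None
        if len(f) == 5:
            if f[3] != "eq":
                raise ValueError(f"only the 'eq <port>' clause is modelled: {raw!r}")
            port = int(f[4])
        rules.append((f[0], ip_to_int(f[1]), ip_to_int(f[2]), port))
    return rules


def address_matches(client: int, address: int, modifier: int) -> bool:
    """Only the bits set in the modifier are compared; a modifier of 0 matches everything."""
    return (client & modifier) == (address & modifier)


def sockd_decision(rules: List[Line], client_ip: str, dest_port: int) -> str:
    """The first matching line decides; a request matched by no line is refused."""
    client = ip_to_int(client_ip)
    for action, address, modifier, port in rules:
        if port is not None and port != dest_port:
            continue
        if address_matches(client, address, modifier):
            return action
    return "deny"


# The two access files from this section, copied here as constructed sample input.
TROOP_CONF = """
deny 192.168.2.17  255.255.255.255
deny 0.0.0.0  0.0.0.0 eq 80
permit 192.168.2.0  255.255.255.0
"""
MERCENARY_CONF = """
deny 192.168.2.23  255.255.255.255
permit 192.168.2.0  255.255.255.0
"""


def troop_decision(client_ip: str, dest_port: int) -> str:
    return sockd_decision(parse_sockd_conf(TROOP_CONF), client_ip, dest_port)


def mercenary_decision(client_ip: str, dest_port: int) -> str:
    return sockd_decision(parse_sockd_conf(MERCENARY_CONF), client_ip, dest_port)


if __name__ == "__main__":
    # a troop workstation: telnet allowed, web denied; the file server: always denied
    print(troop_decision("192.168.2.50", 23), troop_decision("192.168.2.50", 80))
    print(troop_decision("192.168.2.17", 23), mercenary_decision("192.168.2.23", 23))
```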

   This should configure everything correctly. Each network is isolated
   as required, with just the right amount of interaction between them.
   Everyone should be happy.
