Linux Firewall and Proxy Server HOWTO
Introduction
This article is based on the Firewall-HOWTO by David Rudder (email: Drig@execpc.com). I have revised it with his approval, and I thank him here for his work.
In recent years firewalls have become very popular in Internet security. Like anything popular, they are surrounded by a lot of misunderstanding. This HOWTO introduces the concepts behind firewalls and proxy servers, how to install them, and uses of firewall technology outside the security field.
1.1 Reader feedback
Feedback of any kind is welcome. Please feel free to point out anything in this article that is wrong! I am not infallible and will certainly have made mistakes, but I will be very happy to fix whatever you point out. I will try to reply to every e-mail, but please forgive me if I am slow to answer because I am busy.
My Email address is: Markg@Netplus.net
[Translator's note: there are bound to be many mistakes in the translation; they are the translator's fault. Please write to me at: Netium@writeme.com]
1.2 Disclaimer
I am not responsible for the consequences of any action taken on the basis of this article. The purpose of this document is to introduce how firewalls and proxy servers work. I am not, and do not claim to be, a security expert; I am just a computer enthusiast who, like most people, reads a lot. I wrote this document to help people become familiar with the subject, not to stake my life on it.
[Translator's statement: I will not be responsible for the consequences of any action based on this article. I am just one of a great many students, and before translating this article I had only the most rudimentary understanding of firewalls. I translated this document so that more people can understand and make effective use of Linux and firewalls, not to take on any extra responsibility.]
1.3 Copyright statement
Unless otherwise stated, the copyright of Linux HOWTO documents belongs to their respective authors. Linux HOWTO documents may be distributed in whole or in part through any medium, provided that this copyright statement is retained. Commercial distribution and copying are allowed and encouraged, but the author must be notified in advance.
All translations of, and documents derived from, Linux HOWTOs must carry this copyright statement. That is, you may not add any restrictions to any derived document. Exceptions may be made in some cases, but only with the approval of the Linux HOWTO coordinator.
In short, we hope to promote the spread of this information through as many channels as possible, and would like to hear about any plans to redistribute the Linux HOWTOs.
If you have any questions, please contact Mark Grennan.
[Translator's note: the translator is not a legal professional (not even a law-school dropout :), and the wording above has no legal force. Wherever it differs from the original, please refer to the original text!]
Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.
All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator. In short, we wish to promote dissemination of this information through as many channels as possible. However, we do wish to retain copyright on the HOWTO documents, and would like to be notified of any plans to redistribute the HOWTOs.
If you have any questions, please contact Mark Grennan at
]
1.4 Why I wrote this
Although there has been a great deal of discussion of firewalls in the comp.os.linux.* newsgroups in recent years, I still found it hard to find enough information to set up a firewall. David Rudder's Firewall-HOWTO was very helpful, but not complete. This article revises it so that it provides the information needed to set up a firewall in a short time.
1.5 Unfinished parts
* A description of how to set up the clients.
* Finding a proxy server for Linux that supports UDP (translator: now solved).
1.6 Further reading
The NET-2 HOWTO
The Ethernet HOWTO
The Multiple Ethernet Mini HOWTO
Networking with Linux
The PPP HOWTO
TCP/IP Network Administrator's Guide by O'Reilly and Associates
The documentation for the TIS Firewall Toolkit
The web site of Trusted Information Systems (TIS) has collected a large amount of information about firewalls:
http://www.tis.com/
I am working on a project called "Secure Linux", collecting at my site any information on building a secure Linux system. If you are interested, contact me by e-mail.
2. Understanding firewalls
The term firewall comes from the automotive industry, where it originally referred to the partition that isolates a car's engine from its passengers: it protects the passengers from the engine without hindering the driver's control of it.
In computing, a firewall is a device that protects an internal network from unauthorised intrusion from an external network (the Internet as a whole).
From here on we will call the "firewall computer" simply the "firewall": a computer that is connected to both the internal network and the Internet. The internal network is not allowed to reach the Internet directly, and vice versa.
An internal user who wants to reach the Internet must first log in to the firewall and go out from there.
The simplest form of firewall is a system linking two networks. If you can *completely trust all of your users*, you can simply install Linux (with the kernel compiled accordingly), give each user an account, and let them log in and telnet, FTP, read mail, or do whatever other Internet access you allow. In this configuration the only machine on your internal network with full Internet connectivity is the firewall; the rest of the internal network does not even need a default route. But it must be emphasised: this only works if you can *completely trust all of your users*. I do not recommend this solution.
2.1 Disadvantages of firewalls
A "filtering" firewall largely restricts access from the outside to the internal network, because only traffic that is not filtered out is accepted. With a proxy firewall, outside users can log in to the proxy server and then perform whatever kinds of access to the internal network they are permitted.
At the same time, as new kinds of network clients and servers keep appearing, you must keep finding new ways to control access.
2.2 Types of firewall
There are two types:
1. IP packet filtering firewall: only lets the specified network traffic through.
2. Proxy server: performs network access on your behalf.
2.2.1 IP packet filtering firewalls
An IP packet filtering firewall works at the level of the packets the network transmits. It controls traffic according to the source address, destination address, port number and packet type of each packet.
This type of firewall is quite secure, but lacks a means of keeping a record. It can effectively prevent unauthorised access by external users, but cannot tell you anything about who is accessing your internal network, or who on the internal network is accessing the Internet.
A filtering firewall is a filter in the purest sense. With a filtering firewall you cannot let only particular people reach your internal server; you have to give everybody (translator: coming from the same IP address) the same access rights.
Linux has supported packet filtering since kernel 1.3.x.
2.2.2 Proxy servers (firewalls)
A proxy server allows indirect access to the Internet through the firewall. A good picture of it is telnetting to one machine and then telnetting on from there to another. The difference is that with a proxy server, when your client connects to the firewall, the proxy server starts its own client and transfers the data on your behalf.
Because all communication passes through the proxy server, it can record everything that is done.
The great thing about this type of firewall is that it is absolutely secure: nobody can slip through, because this kind of firewall does no direct IP routing at all.
3. Installing a firewall
3.1 Hardware requirements
A 486/DX-66 with 16 MB of memory and a 500 MB Linux partition. Two network cards: one for our private local area network, and one for what we call the "demilitarized zone" (DMZ) LAN. The DMZ connects to the Internet through a router.
This is a very typical firewall computer configuration. You could also use one network card plus a modem for PPP dial-up access. The key is that the firewall must have two IP addresses.
There are already many small home LANs, usually with two or three machines. In that case you might consider putting all the modems on one Linux machine (perhaps an old 386) to connect to the Internet. That way, if you have two modems, you may be able to double the connection rate when you use it! :-)
4. Firewall software
4.1 Available packages
If you only need a packet filtering firewall, Linux plus the basic networking packages is enough.
One package that may not be included in your Linux distribution is the IP firewall administration tool, ipfwadm:
http://www.xos.nl/linux/ipfwadm/
If you want a proxy firewall, you will need one of the following:
1. SOCKS
2. The TIS Firewall Toolkit (FWTK)
4.2 The TIS Firewall Toolkit
Trusted Information Systems (http://www.tis.com) publishes a collection of firewall programs. Its functions are basically similar to those of SOCKS, but the design strategy is different. SOCKS is one program that performs all Internet transport functions; TIS provides a separate program for each function. To illustrate the difference, take WWW and telnet. With SOCKS you set up one configuration file and one daemon, and then WWW and telnet, and anything else you have not explicitly disabled, work through the firewall. With TIS you have to set up a configuration file and a daemon for WWW and another for telnet, and every other kind of Internet access is still refused until you set it up. If there is no specific daemon for a function (such as talk), you can use the "plug-in" daemon, but it is neither as flexible nor as simple as the dedicated tools.
SOCKS is easy to compile and set up and very flexible; but if you want to regulate what internal users do, TIS provides better security. Both can completely block unauthorised external access.
5. Preparing Linux
5.1 Compiling the kernel
Start with a "clean" installation of Linux (I used Red Hat 3.0.3; all the examples are based on that version). The fewer components are installed, the fewer holes and bugs there can be, so a minimal system is enough. Choose a stable kernel; I used Linux 2.0.14, and this document is based on it. The next step is to compile the kernel with the appropriate options. You may need to refer to the Kernel HOWTO, the Ethernet HOWTO and the NET-2 HOWTO for this. The following are the network-related options in 'make config':
1. In 'General setup'
   1. Networking support -> ON
2. In 'Networking options'
   1. Network firewalls -> ON
   2. TCP/IP networking -> ON
   3. IP forwarding/gatewaying -> OFF (unless you choose an IP filtering firewall)
   4. IP firewalling -> ON
   5. IP firewall packet logging -> ON (not required, but a good idea)
   6. IP masquerading -> OFF (I don't cover this topic)
   7. IP accounting -> ON
   8. IP tunneling -> OFF
   9. IP aliasing -> OFF
   10. PC/TCP compatibility mode -> OFF
   11. IP reverse ARP -> OFF
   12. Drop source routed frames -> ON
3. In 'Network device support'
   1. Network device support -> ON
   2. Dummy net driver support -> ON
   3. Ethernet (10 or 100Mbit) -> ON
   4. Select your network interface card.
Now rebuild the kernel. After compiling, install the kernel and reboot. Linux should display your network cards as it starts up; if not, you will have to study the other HOWTOs.
5.2 Configuring two network cards
If you have two network cards, you have to add an append statement to /etc/lilo.conf. This is my lilo append statement:
append="ether=12,0x300,eth0 ether=15,0x340,eth1"
5.3 Configuring the network addresses
This part is very interesting. You now face several choices. Obviously we do not intend to let the Internet make any kind of unauthorised access to the internal network, so there is no need to use real IP addresses. Some IP address ranges are specifically reserved for use on private networks. Because these reserved addresses are never routed on the Internet, they suit our needs exactly. Here we use the reserved range 192.168.2.xxx as the example.
Your proxy firewall will be a member of both the internal and external networks and will pass data between the two.
  199.1.2.10  __________  192.168.2.1  _______________
   _/\__/\_  |          |             |               |
  /        \ |          |             |               |
 / Internet \| Firewall |-------------| Workstation/s |
 \_  _  _  _/|          |             |               |
   \/ \/ \/  |__________|             |_______________|
Even if you use a filtering firewall you can still use these addresses, by using IP masquerading: the firewall then automatically translates the addresses into the "real" IP address that is routable on the Internet. The "real" address must be assigned to the network card connected to the Internet, and 192.168.2.1 to the internal one. This will be the proxy/gateway address used internally. Finally, assign the other internal machines addresses in the 192.168.2.xxx range (192.168.2.2 to 192.168.2.254).
I use Red Hat Linux. To have the network configured at boot time, I added an 'ifcfg-eth1' file to the /etc/sysconfig/network-scripts directory; it is read by the system during startup and configures the network interface and the routing table. My ifcfg-eth1 file:
#!/bin/sh
#>>>Device type: ethernet
#>>>Variable declarations:
DEVICE=eth1
IPADDR=192.168.2.1
NETMASK=255.255.255.0
NETWORK=192.168.2.0
BROADCAST=192.168.2.255
GATEWAY=199.1.2.10
ONBOOT=yes
#>>>End variable declarations
This script mechanism can also be used to make the modem connect to your ISP automatically; see the ifup-ppp script. If you connect to the external network (the Internet) with a modem, your external IP address is assigned by the ISP when the connection is made.
5.4 Testing
You must check your ifconfig and route output. For a system with two network cards, ifconfig should look like this:
# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:1620 errors:0 dropped:0 overruns:0
          TX packets:1620 errors:0 dropped:0 overruns:0
eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
          inet addr:199.1.2.10  Bcast:199.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
          TX packets:0 errors:0 dropped:0 overruns:0
          Interrupt:12 Base address:0x310
eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
          TX packets:0 errors:0 dropped:0 overruns:0
          Interrupt:15 Base address:0x350
Your routing table should look like this:
# route -n
Kernel routing table
Destination     Gateway         Genmask         Flags MSS   Window Use Iface
199.1.2.0       *               255.255.255.0   U     1500  0      15  eth0
192.168.2.0     *               255.255.255.0   U     1500  0       0  eth1
127.0.0.0       *               255.0.0.0       U     3584  0       2  lo
default         199.1.2.10      *               UG    1500  0      72  eth0
Note that 199.1.2.0 is the network on the outside of the firewall, and 192.168.2.0 is the internal network. Now try to ping the Internet from the firewall. My choice was nic.ddn.mil, which should be a good target; in fact it turned out to be less reliable than I imagined. If you get no response, try another host that is not on your own side of the connection; if that fails too, something is wrong with your PPP setup and you should look at the NET-2 HOWTO.
Next, ping the firewall's internal interface from the internal network; every internal machine should be able to ping it, and if not, see the NET-2 HOWTO :). Then, from the internal network, ping the external address of the firewall (careful: not 192.168.2.xxx). If that works, you have not turned off IP forwarding; if turning it off was your intention, refer to the sections of this article on filtering.
Now try to ping the Internet through the firewall, again using nic.ddn.mil [translator: at Zhejiang University you can ping alpha.zju.edu.cn :)]. With IP forwarding off this should not work; with it on, it should. With IP forwarding on, if your internal network uses "real" IP addresses and cannot ping the Internet but can ping the external address of the firewall, check whether the next-hop router is routing your internal network (your service provider may have to fix this). If you chose reserved addresses, they will not be routed; if you chose IP masquerading, this test still applies. You have now completed the basic setup.
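As an added example (not part of the HOWTO), the following Python models the route selection the kernel performs over the routing table shown above, which is why 199.1.2.0 is the outside and 192.168.2.0 the inside: each destination is matched against every route and the most specific match (longest prefix) wins, with the default route as the last resort. It also checks whether an address lies in the ranges reserved for private networks that section 5.3 describes. The table is a constructed copy of the route output above, and the destinations used in the demonstration are made up.

```python
import ipaddress

# Constructed copy of the routing table from the "route -n" output above:
# (destination, gateway or None for a directly connected network, genmask, interface)
ROUTE_TABLE = [
    ("199.1.2.0",   None,         "255.255.255.0", "eth0"),
    ("192.168.2.0", None,         "255.255.255.0", "eth1"),
    ("127.0.0.0",   None,         "255.0.0.0",     "lo"),
    ("0.0.0.0",     "199.1.2.10", "0.0.0.0",       "eth0"),   # the default route
]


def build_routes(table):
    """Turn the textual table into (network, gateway, interface) tuples."""
    return [(ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface)
            for dest, gw, mask, iface in table]


def lookup(routes, destination):
    """Longest-prefix match: return (interface, gateway) for a destination,
    or None when no route (not even a default) covers it."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[2], best[1])


def is_reserved_private(address):
    """True for addresses in the ranges reserved for private networks
    (such as 192.168.0.0/16), which are never routed on the Internet."""
    return ipaddress.ip_address(address).is_private


ROUTES = build_routes(ROUTE_TABLE)

if __name__ == "__main__":
    # Made-up destinations: an internal host, a host on the outside LAN,
    # a far-away Internet host, and the loopback address.
    for dest in ("192.168.2.7", "199.1.2.55", "198.51.100.9", "127.0.0.1"):
        iface, gw = lookup(ROUTES, dest)
        print(f"{dest:14} -> {iface:4} via {gw or 'directly connected'}")
    for addr in ("192.168.2.1", "199.1.2.10"):
        print(f"{addr:14} reserved for private use: {is_reserved_private(addr)}")
```

The lookup is the same decision the kernel makes for every packet the firewall forwards, which is why the routing table must be correct before any filtering or proxying is layered on top of it.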
5.5 Firewall security
Open but unnecessary services often give intruders a convenient way into the firewall. The "bad guys" may break in and modify the firewall to suit their own needs.
So first turn off all unused services.
The /etc/inetd.conf file controls the so-called "super server". It controls the daemons for a range of services, starting the corresponding service when a request arrives.
Be sure to turn off netstat, systat, tftp, bootp and finger. To turn off a service, comment out the corresponding line with a '#'. After making the changes, send a SIGHUP signal to the inetd process by typing the command "kill -HUP" followed by the process id of inetd.
Then telnet to port 15 of the firewall, which is the netstat port. If you still get netstat output, inetd has not correctly re-read the modified configuration.
6. Installing an IP filtering firewall (ipfwadm)
Before you start, you must turn on IP forwarding in the kernel. Boot your system so that it forwards the data you send it, set up your routing table, and make sure the internal and external networks can reach each other freely. What we are going to build next is a firewall that denies any access not explicitly permitted.
On my system I created a script file for the firewall's forwarding and accounting (traffic accounting) policies under /etc/rc.d, which the system runs automatically at startup.
By default, the Linux kernel's IP forwarding is completely open (translator: gateway mode).
So your firewall script should begin by denying all access:
#
# setup IP packet accounting and forwarding
#
# Forwarding
#
# By default deny all services
ipfwadm -F -p deny
# Flush all commands
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f
OK, now we have a super-strict firewall that refuses everything. Of course you still need some services; the following practical examples show how to allow them:
# Forward email to your server
ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25
# Forward email connections to outside email servers
ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535
# Forward Web connections to your Web server
/sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80
# Forward Web connections to outside Web servers
/sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 80 -D 0.0.0.0/0 1024:65535
# Forward DNS traffic
/sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
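To make the semantics of these rules concrete, here is an added example (my own model, not ipfwadm or kernel code) that parses ipfwadm -F lines of the kind shown above and applies them to sample packets, which is also what section 2.2.1 means by filtering on source, destination, port and packet type: the -p line sets the chain's default policy, -a appends a rule, rules are tried in order and the first match decides, and -b lets a rule match the reply direction as well. The embedded script is a constructed copy of the rules above, with 196.1.2.10 used throughout as the internal mail server, and the packets fed to it are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "accept" or "deny"
    proto: str                          # "tcp", "udp" or "all"
    src: ipaddress.IPv4Network
    sports: Optional[Tuple[int, int]]   # inclusive port range, None = any port
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]
    bidirectional: bool                 # the -b flag


def _ports(spec):
    """'25' -> (25, 25); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi or lo))


def _addr_and_ports(tok, flag):
    """Read the address (a host or net/prefix) and optional port spec after -S or -D."""
    i = tok.index(flag)
    spec = tok[i + 1] if "/" in tok[i + 1] else tok[i + 1] + "/32"
    net = ipaddress.ip_network(spec, strict=False)
    ports = None
    if i + 2 < len(tok) and not tok[i + 2].startswith("-"):
        ports = _ports(tok[i + 2])
    return net, ports


def parse_script(text):
    """Return (default policy, rules) for the forwarding chain (-F) of an ipfwadm script."""
    policy, rules = "accept", []          # the kernel forwards everything before the script runs
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        tok = tok[1:]                     # drop 'ipfwadm' or '/sbin/ipfwadm'
        if "-F" not in tok or "-f" in tok:
            continue                      # another chain, or a flush (-f) of this one
        if "-p" in tok:                   # -p sets the chain's default policy
            policy = tok[tok.index("-p") + 1].lower()
        elif "-a" in tok:                 # -a appends a rule; -P gives its protocol
            proto = tok[tok.index("-P") + 1].lower() if "-P" in tok else "all"
            src, sports = _addr_and_ports(tok, "-S")
            dst, dports = _addr_and_ports(tok, "-D")
            rules.append(Rule(tok[tok.index("-a") + 1].lower(), proto,
                              src, sports, dst, dports, "-b" in tok))
    return policy, rules


def _one_way(rule, p):
    return (rule.proto in ("all", p.proto)
            and ipaddress.ip_address(p.src) in rule.src
            and ipaddress.ip_address(p.dst) in rule.dst
            and (rule.sports is None or rule.sports[0] <= p.sport <= rule.sports[1])
            and (rule.dports is None or rule.dports[0] <= p.dport <= rule.dports[1]))


def decide(policy, rules, p):
    """First matching rule decides; a -b rule also matches the reply direction."""
    reply = Packet(p.proto, p.dst, p.dport, p.src, p.sport)
    for r in rules:
        if _one_way(r, p) or (r.bidirectional and _one_way(r, reply)):
            return r.action
    return policy


# Constructed copy of the section 6 rules, using 196.1.2.10 as the mail server throughout.
SCRIPT = """
# By default deny all services
ipfwadm -F -p deny
ipfwadm -F -f
# Forward email to your server
ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25
# Forward Web connections to your Web server
/sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80
# Forward DNS traffic
/sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
"""
FORWARD_POLICY, FORWARD_RULES = parse_script(SCRIPT)


def check(proto, src, sport, dst, dport):
    """What does the forwarding chain do with this (made-up) packet?"""
    return decide(FORWARD_POLICY, FORWARD_RULES, Packet(proto, src, sport, dst, dport))


if __name__ == "__main__":
    print(check("tcp", "10.9.8.7", 40000, "196.1.2.10", 25))   # mail in: accept
    print(check("tcp", "196.1.2.10", 25, "10.9.8.7", 40000))   # its reply, via -b: accept
    print(check("tcp", "10.9.8.7", 40000, "196.1.2.10", 23))   # telnet, not listed: deny
```

The port-range check matters as much as the address check: a connection to the mail server from a source port below 1024 is refused even though the addresses match, and a UDP datagram to port 80 is refused because the web rule names tcp.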
What you may be most interested in is traffic statistics. The following rules count packets so that you can account for, and if you wish bill for, traffic.
# Flush the current accounting rules
ipfwadm -A -f
# Accounting
/sbin/ipfwadm -A -f
/sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
/sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24
If you decide that this is all you need, you can stop here. :-)
7. Installing TIS
7.1 Getting TIS
It can be downloaded from ftp://ftp.tis.com/. Don't repeat the mistake I made: read the README file there first. The TIS FWTK is kept in a hidden directory. TIS requires you to send a request to fwtk-request@tis.com with just the word SEND in the body and no subject line; within 12 hours you will get an automatic reply containing the name of the hidden directory that holds the FWTK source code.
The TIS version I got was 2.0 (beta). It has no real problems (one small exception) and works very well; the description below is based on this version. When they release the official version I will update this document. Before installing FWTK, create a fwtk-2.0 directory under /usr/src and extract the FWTK archive (fwtk-2.0.tar.gz) into it (tar zxf fwtk-2.0.tar.gz).
FWTK itself does not support proxying SSL web traffic, but there is an add-on by Jean-Christophe Touvet, which you can download from:
ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.z
Touvet does not provide technical support.
I use a modified version that also supports Netscape Secure News Servers, by Eric Wedel. The site is:
ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.z.
Create an ssl-gw directory in /usr/src/fwtk-2.0. Before compiling, a few changes to the code are needed.
First, ssl-gw.c is missing an include file; add the following where the includes are:
#if defined(__linux)
#include
#endif
The other problem is that no Makefile is included; my solution was to copy one from another gateway directory and change the gateway name in it to ssl-gw.
7.2 Compiling TIS FWTK
FWTK version 2.0 is easier to compile than any earlier version, but I still found some places that need correcting in this beta; I hope they are fixed in the official version. First go to the /usr/src/fwtk/fwtk directory and copy Makefile.config.linux over Makefile.config. Note: do not run fixmake as the instructions say, or you will get a bad Makefile in every directory. My fix for fixmake is to have it add a '.' and a '/' to the include line of each Makefile. The corresponding sed script is:
sed 's/^include[ \t]*\([^ \t].*\)/include .\/\1/' $name.proto > $name
Then we have to edit Makefile.config. There are two things to change. The author compiled the code in his home directory, but we put it in /usr/src, so change the FWTKSRCDIR variable accordingly:
FWTKSRCDIR=/usr/src/fwtk/fwtk
Next, some Linux systems use the GDBM database, while the Makefile default is DBM, so this may need changing. On my Red Hat 3.0.3 system:
DBMLIB=-lgdbm
The last problem is in x-gw: socket.c in this beta has a bug. The fix is to remove the following lines:
#ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
    sizeof(un_name->sun_len) + 1
#endif
If you added ssl-gw to the FWTK source directory, add its directory to the Makefile:
DIRS= smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw
Now you can run make.
7.3 Installing TIS FWTK
Run make install.
The default installation directory is /usr/local/etc. You could change it to a more secure directory; I did not, but I set the permissions of this directory with 'chmod 700'.
All that remains is the configuration.
7.4 Configuring TIS FWTK
This is the really interesting part. We want the system to invoke these newly added services, and we must set up the corresponding access control information.
I don't want to repeat the contents of the TIS FWTK manual, only the problems I ran into and their solutions. Three files make up all of the controls:
* /etc/services tells the system where (on which port) each service lives
* /etc/inetd.conf tells inetd which program to start when a request for a service arrives
* /usr/local/etc/netperm-table decides what FWTK permits and denies
To get FWTK working, edit these files from top to bottom; ignoring any one of them may cause the system to fail.
netperm-table: this file controls access to the TIS FWTK services. Both sides of the firewall must be considered. External users must authenticate to gain access, while internal users can be allowed straight through.
The TIS firewall can authenticate users: the system maintains a database of user IDs and passwords through the authsrv program. The authorization section of netperm-table specifies the location of this database and who may access it.
I ran into some trouble getting the authentication service to work. Note that in the permit-hosts line I gave all hosts access. The correct setting should be:
authsrv: permit-hosts localhost
#
# Proxy configuration table
#
# Authentication server and client rules
authsrv: database /usr/local/etc/fw-authdb
authsrv: permit-hosts *
authsrv: badsleep 1200
authsrv: nobogus true
# Client applications using the authentication server
*: authserver 127.0.0.1 114
To initialise the database, first su to root, then run ./authsrv in /var/local/etc to create a user record, as follows. Information on creating users and groups can be found in the FWTK documentation.
# authsrv
authsrv# list
authsrv# adduser admin "Auth DB Admin"
ok - user added initially disabled
authsrv# ena admin
enabled
authsrv# proto admin pass
changed
authsrv# pass admin "plugh"
Password changed.
authsrv# superwiz admin
set wizard
authsrv# list
Report for users in database
user   group  longname            ok?   proto   last
------ ------ ------------------  ----- ------  -----
admin         Auth DB Admin       ena   passw   never
authsrv# display admin
Report for user admin (Auth DB Admin)
Authentication protocol: password
Flags: WIZARD
authsrv# ^D
EOT
#
The telnet gateway is the most straightforward, and it is the first one you should set up.
In my example, all internal users do not have to authenticate (permit-hosts 196.1.2.* -passok -xok), while all other users must pass user ID and password verification (permit-hosts * -auth). I also allow the user at 196.1.2.202 to log in to the firewall itself directly rather than through the proxy; the netacl-in.telnetd lines do this, and I will explain how they are invoked later.
The telnet timeout should be kept as short as possible.
# Telnet gateway rules:
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: timeout 90
tn-gw: permit-hosts 196.1.2.* -passok -xok
tn-gw: permit-hosts * -auth
# Only the administrator can telnet directly to the firewall via port 24
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
The rlogin configuration is similar to telnet's.
# rlogin gateway rules:
rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
rlogin-gw: timeout 90
rlogin-gw: permit-hosts 196.1.2.* -passok -xok
rlogin-gw: permit-hosts * -auth -xok
# Only the administrator can telnet directly to the firewall via port
netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a
Do not let anyone reach your firewall directly, not even by FTP. So avoid installing an FTP server on the firewall machine.
It is worth repeating that all internal users are allowed to reach the Internet, while all other users must authenticate. I also enable logging of file transfers (-log { retr stor }).
The FTP timeout specifies the longest time the firewall waits on a stalled FTP connection.
# FTP gateway rules:
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 300
ftp-gw: permit-hosts 196.1.2.* -log { retr stor }
ftp-gw: permit-hosts * -authall -log { retr stor }
Web, gopher and browser-based FTP are handled by http-gw. The first two lines set up a directory for caching web pages and FTP files that pass through the firewall; I made root the owner of these files and allowed only root access to the directory.
The web connection timeout should be kept small; it controls how long a user waits on a failed connection.
# WWW and gopher gateway rules:
http-gw: userid root
http-gw: directory /jail
http-gw: timeout 90
http-gw: default-httpd www.afs.net
http-gw: hosts 196.1.2.* -log { read write ftp }
http-gw: deny-hosts *
ssl-gw is purely a pass-through, so be careful with it. Here I allow internal users to reach any external address except 127.0.0.* and 192.1.1.*, and only on ports 443 to 563, which are the usual SSL ports.
# SSL gateway rules:
ssl-gw: timeout 300
ssl-gw: hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
ssl-gw: deny-hosts *
The following example shows how to use plug-gw to proxy a news server: only internal users are allowed to reach a single external server, on a single port. The second line lets the news server send data back into the internal network.
Almost all news clients keep the connection open while the user reads news, so a longer timeout is specified for the news server.
# NetNews plugged gateway
plug-gw: timeout 3600
plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp
finger-gw is relatively simple: internal users can connect to the firewall and run finger, while any other visitor just gets a message (finger.txt).
# Enable finger service
netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
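As an added example (my own code, not FWTK's), the following Python models how netperm-table rules like the telnet, FTP, WWW and finger rules above are evaluated: the first permit-hosts / hosts / deny-hosts line whose application name and host pattern match the client decides, a permitted client inherits the flags on that line (-auth, -passok, -exec and so on), and a client matched by no line gets nothing. The first-match and default-deny behaviour are my assumptions about FWTK, stated here so you can check them against the FWTK documentation; the table in the code is a constructed excerpt of the rules in this section.

```python
from fnmatch import fnmatchcase

# Constructed excerpt in the style of the netperm-table rules in this section.
NETPERM_TABLE = """\
# Authentication server and client rules
*: authserver 127.0.0.1 114
# Telnet gateway rules:
tn-gw: timeout 90
tn-gw: permit-hosts 196.1.2.* -passok -xok
tn-gw: permit-hosts * -auth
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
# FTP gateway rules:
ftp-gw: permit-hosts 196.1.2.* -log { retr stor }
ftp-gw: permit-hosts * -authall -log { retr stor }
# WWW and gopher gateway rules:
http-gw: hosts 196.1.2.* -log { read write ftp }
http-gw: deny-hosts *
"""


def parse_netperm(text):
    """Return [(application pattern, keyword, values)] in file order; the order
    matters because the first matching line decides."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        app, _, rest = line.partition(":")
        fields = rest.split()
        if fields:
            rules.append((app.strip(), fields[0].lower(), fields[1:]))
    return rules


def check_host(rules, app, host):
    """Return ("permit", flags) or ("deny", []) for a client host of an application.
    Assumption: the first matching permit-hosts/hosts/deny-hosts line wins, and a
    host matched by no line is denied."""
    for rule_app, keyword, values in rules:
        if not values or not fnmatchcase(app, rule_app):
            continue
        pattern = values[0]       # e.g. "196.1.2.*", "*", "196.1.2.202"
        if keyword in ("permit-hosts", "hosts") and fnmatchcase(host, pattern):
            return ("permit", values[1:])
        if keyword == "deny-hosts" and fnmatchcase(host, pattern):
            return ("deny", [])
    return ("deny", [])


def needs_auth(flags):
    """True when the matched line demands authentication (-auth or -authall)."""
    return "-auth" in flags or "-authall" in flags


def setting(rules, app, keyword):
    """Look up a per-application attribute such as timeout; first match wins."""
    for rule_app, kw, values in rules:
        if kw == keyword and fnmatchcase(app, rule_app):
            return " ".join(values)
    return None


NETPERM_RULES = parse_netperm(NETPERM_TABLE)

if __name__ == "__main__":
    # Made-up clients: an internal host, an outside host, and a non-administrator internal host.
    for app, host in (("tn-gw", "196.1.2.50"), ("tn-gw", "10.1.1.1"),
                      ("http-gw", "10.1.1.1"), ("netacl-in.telnetd", "196.1.2.203")):
        verdict, flags = check_host(NETPERM_RULES, app, host)
        print(f"{app:18} {host:14} {verdict:6} auth={needs_auth(flags)} {' '.join(flags)}")
```

Because the first match wins, the order of the lines is part of the policy: putting "permit-hosts * -auth" above "permit-hosts 196.1.2.* -passok" would force internal users to authenticate too, and a deny-hosts line placed last only catches what nothing above it permitted.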
I have not set up proxies for mail or X Windows, so I cannot provide examples; contributions by e-mail are welcome.
About inetd.conf
Here is an inetd.conf file with all unnecessary services commented out. I include the whole file to show how to turn services off and how to enable the new firewall services.
#echo     stream  tcp     nowait  root    internal
#echo     dgram   udp     wait    root    internal
#discard  stream  tcp     nowait  root    internal
#discard  dgram   udp     wait    root    internal
#daytime  stream  tcp     nowait  root    internal
#daytime  dgram   udp     wait    root    internal
#chargen  stream  tcp     nowait  root    internal
#chargen  dgram   udp     wait    root    internal
# FTP firewall gateway
ftp-gw    stream  tcp     nowait.400  root  /usr/local/etc/ftp-gw ftp-gw
# Telnet firewall gateway
telnet    stream  tcp     nowait  root    /usr/local/etc/tn-gw /usr/local/etc/tn-gw
# local telnet services
telnet-a  stream  tcp     nowait  root    /usr/local/etc/netacl in.telnetd
# Gopher firewall gateway
gopher    stream  tcp     nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
# WWW firewall gateway
http      stream  tcp     nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
# SSL firewall gateway
ssl-gw    stream  tcp     nowait  root    /usr/local/etc/ssl-gw ssl-gw
# NetNews firewall proxy (using plug-gw)
nntp      stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
#nntp     stream  tcp     nowait  root    /usr/sbin/tcpd in.nntpd
# SMTP (email) firewall gateway
#smtp     stream  tcp     nowait  root    /usr/local/etc/smap smap
#
# Shell, login, exec and talk are BSD protocols.
#
#shell    stream  tcp     nowait  root    /usr/sbin/tcpd in.rshd
#login    stream  tcp     nowait  root    /usr/sbin/tcpd in.rlogind
#exec     stream  tcp     nowait  root    /usr/sbin/tcpd in.rexecd
#talk     dgram   udp     wait    root    /usr/sbin/tcpd in.talkd
#ntalk    dgram   udp     wait    root    /usr/sbin/tcpd in.ntalkd
#dtalk    stream  tcp     wait    nobody  /usr/sbin/tcpd in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2    stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
#pop-3    stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
#imap     stream  tcp     nowait  root    /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
#uucp     stream  tcp     nowait  uucp    /usr/sbin/tcpd /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp     dgram   udp     wait    root    /usr/sbin/tcpd in.tftpd
#bootps   dgram   udp     wait    root    /usr/sbin/tcpd bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
# cfinger is for GNU finger, which is currently not in use in RHS Linux
#
finger    stream  tcp     nowait  root    /usr/sbin/tcpd in.fingerd
#cfinger  stream  tcp     nowait  root    /usr/sbin/tcpd in.cfingerd
#systat   stream  tcp     nowait  guest   /usr/sbin/tcpd /bin/ps -auwwx
#netstat  stream  tcp     nowait  guest   /usr/sbin/tcpd /bin/netstat -f inet
#
# Time service is used for clock synchronization.
#
#time     stream  tcp     nowait  root    /usr/sbin/tcpd in.timed
#time     dgram   udp     wait    root    /usr/sbin/tcpd in.timed
#
# Authentication
#
auth      stream  tcp     wait    root    /usr/sbin/tcpd in.identd -w -t120
authsrv   stream  tcp     nowait  root    /usr/local/etc/authsrv authsrv
#
# End of inetd.conf
About /etc/services
This is where the services actually get their ports. When a client connects to a well-known port (below 1024) on the firewall machine, for example port 23 for telnet, inetd looks up the name that /etc/services assigns to that port and then starts the program that inetd.conf lists for that service name. Every service name used in inetd.conf must therefore have a matching line in /etc/services, or inetd will not be able to bind it.
Some of the services we define are not normally listed in /etc/services, so you are free to choose their ports. For example, I put the administrator's telnet service (telnet-a) on port 24; you could just as well use 2323. As administrator you must then telnet to port 24 to reach the firewall, and if you have set up netperm-table as I did, the firewall can only be reached that way from the internal network. The lines I added to /etc/services are:
telnet-a 24/tcp
ftp-gw 21/tcp # this name changed
auth 113/tcp ident # user verification
ssl-gw 443/tcp
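A quick way to check that inetd.conf and /etc/services agree is to parse both and cross-reference them. The following script is an added example, not part of the original HOWTO; the two embedded files are constructed excerpts that follow the listings above, with one made-up service ("bogus") added to show what the audit catches. It resolves each active inetd entry to its port, and flags entries that have no /etc/services line, that run as root without going through tcpd or one of the toolkit proxies under /usr/local/etc, or that belong to the information-leaking services the inetd.conf comments warn about.

```python
"""Audit an inetd.conf against /etc/services (added example, not from the HOWTO)."""

# Constructed excerpt of /etc/services, following the HOWTO's entries.
SERVICES = """\
ftp-gw    21/tcp              # this name changed
telnet    23/tcp
telnet-a  24/tcp
finger    79/tcp
http      80/tcp
auth      113/tcp   ident     # user verification
nntp      119/tcp   readnews untp
ssl-gw    443/tcp
"""

# Constructed excerpt of the firewall's inetd.conf. "bogus" is a made-up
# service with no /etc/services entry, added to show what the audit catches.
INETD_CONF = """\
ftp-gw   stream tcp nowait.400 root /usr/local/etc/ftp-gw  ftp-gw
telnet   stream tcp nowait     root /usr/local/etc/tn-gw   /usr/local/etc/tn-gw
telnet-a stream tcp nowait     root /usr/local/etc/netacl  in.telnetd
#smtp    stream tcp nowait     root /usr/local/etc/smap    smap
nntp     stream tcp nowait     root /usr/local/etc/plug-gw plug-gw nntp
finger   stream tcp nowait     root /usr/sbin/tcpd         in.fingerd
bogus    stream tcp nowait     root /usr/sbin/in.bogusd    in.bogusd
"""

PROXY_DIR = "/usr/local/etc/"  # where the HOWTO installs the toolkit proxies
LEAKY = ("finger", "systat", "netstat")  # services the inetd.conf comments warn about


def parse_services(text):
    """Return {(name, proto): port}; aliases listed after the port map to it too."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port)
    return table


def parse_inetd(text):
    """Yield the active (uncommented) inetd.conf entries as dicts."""
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        yield {"service": fields[0], "socktype": fields[1], "proto": fields[2],
               "wait": fields[3], "user": fields[4], "server": fields[5],
               "args": fields[6:]}


def audit(inetd_text, services_text):
    """Resolve every active entry to its port and flag common mistakes."""
    ports = parse_services(services_text)
    report = {}
    for e in parse_inetd(inetd_text):
        problems = []
        port = ports.get((e["service"], e["proto"]))
        if port is None:
            # inetd cannot listen for a service it cannot find in /etc/services
            problems.append("no /etc/services entry")
        wrapped = e["server"].endswith("/tcpd")
        proxied = e["server"].startswith(PROXY_DIR)
        if e["user"] == "root" and not (wrapped or proxied):
            problems.append("runs as root without tcpd or a proxy")
        if e["service"] in LEAKY:
            problems.append("leaks user/host information")
        report[e["service"]] = {"port": port, "user": e["user"],
                                "wrapped": wrapped, "proxied": proxied,
                                "problems": problems}
    return report


if __name__ == "__main__":
    for name, info in audit(INETD_CONF, SERVICES).items():
        flag = "; ".join(info["problems"]) or "ok"
        print(f"{name:9s} port={str(info['port']):5s} user={info['user']:5s} {flag}")
```

Run against the real files (open("/etc/inetd.conf").read() and open("/etc/services").read()) the same audit() tells you at a glance which services a connection to the firewall can actually reach and which of them are exposed without a wrapper or proxy in front of them.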
8. SOCKS proxy server
8.1 Installation
(Translator's note: everything in this section is based on SOCKS 4.2 (SOCKS4). Since SOCKS5 has become the current standard, the translator will point out the differences between the two wherever possible.)
The SOCKS proxy server is available from ftp://sunsite.unc.edu/pub/linux/system/network/misc/socks-linux-src.tgz. There is also a sample configuration file, socks-conf, in the same directory. Unpack the archive and run make. I ran into a few problems; the key is to make sure the Makefile is correct.
Note that the proxy server has to be added to /etc/inetd.conf. You must add the line:
(Translator's note: SOCKS5 can also be started in other ways; see its documentation.)
socks stream tcp nowait nobody /usr/local/etc/sockd sockd
This makes inetd start the server when a request comes in.
8.2 Configuring the proxy server
The SOCKS program needs two separate configuration files. One says who is allowed access; the other handles routing between the clients and the proxy server. The access file lives on the server, while the routing file lives on every Un*x machine; DOS machines do their own routing, and presumably Macs do too.
Configuring the access file
In SOCKS 4.2 beta the access file is sockd.conf. It holds two kinds of line, for permitting and for denying access, and you should have both. Each line has three fields:
* the identifier (permit or deny)
* an IP address
* an address modifier
The identifier is either permit or deny, and each line carries exactly one of them.
The IP address is a four-byte address in the usual dotted notation, for example 192.168.2.0.
The address modifier is a 32-bit number that works like a subnet mask. Wherever a bit of the modifier is 1, the corresponding bit of the address being checked must equal the bit in the IP address field. For example: permit 192.168.2.0 255.255.255.0 matches every address from 192.168.2.0 to 192.168.2.255. The following line is dangerous: permit 192.168.2.0 0.0.0.0 because no bits are checked at all, so every address matches and everyone is allowed in!
So first permit the range you want, then deny everything else. The following two lines allow all access from 192.168.2.xxx and nothing else:
permit 192.168.2.0 255.255.255.0
deny 0.0.0.0 0.0.0.0
Note that in the second line the first 0.0.0.0 is irrelevant, because the modifier is 0.0.0.0 and therefore matches anything; it is written as all zeros simply for convenience.
You can have more than one line of each kind.
Access can also be permitted or denied per user. This is done through authentication, but not every system supports it, Trumpet Winsock included, so I will not go into it here; see the SOCKS documentation for details.
Configuring routing
The routing file is saddled with an unfortunate name: socks.conf. Unfortunate because it is so similar to the name of the access file that the two are easily confused.
The routing file tells the SOCKS clients when to use SOCKS and when not to. For example, on our network 192.168.2.3 does not need SOCKS to talk to the firewall, 192.168.2.1; it can talk to it directly over Ethernet. It also defines the loopback address, 127.0.0.1, since you do not need SOCKS to talk to yourself. There are three kinds of entry:
* deny
* direct
* sockd
deny tells SOCKS when to reject a request. It has the same three fields as sockd.conf: the identifier, an IP address and an address modifier.
Since rejection is normally handled by sockd.conf, the access file, the modifier here is usually just 0.0.0.0. If you want to prevent yourself from reaching some address at all, you can do it with this entry.
direct specifies the addresses that are not to go through the proxy: they are reached directly. It has the same three fields, identifier, IP address and modifier. In our example:
direct 192.168.2.0 255.255.255.0
sends everything on the internal network straight out without a proxy.
sockd tells the client which server to use. The format of this line is:
sockd @=<server list> <IP address> <modifier>
Note the "@=": it sets the list of IP addresses of the proxy servers. We use only one server here, but you can list several, to spread the load or for redundancy in case one fails.
The remaining two fields work just like in the other entries: they select which destination addresses are sent through this server.
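Both files use the same address-and-modifier test, so one small script can exercise the access rules above and the routing rules in this section. The script below is an added example, not part of the HOWTO or of the SOCKS distribution; the configuration texts are constructed to follow the examples in the text. It assumes the three-field form shown here (the real files allow extra destination and port fields) and that the first matching line wins, with no match treated as deny; the "first match wins" order is what the permit-then-deny example above relies on, and the no-match default is an assumption, not something the text states. lint() reports the mistake the text warns about, a permit with modifier 0.0.0.0, and any rule that can never be reached because an earlier line already matches everything.

```python
"""SOCKS 4.2 sockd.conf / socks.conf rule checks (added example, not from the HOWTO)."""

# Constructed configuration texts following the HOWTO's examples.
SOCKD_CONF = """\
permit 192.168.2.0 255.255.255.0   # the internal network
deny   0.0.0.0     0.0.0.0         # everyone else
"""
BAD_SOCKD_CONF = """\
permit 192.168.2.0 0.0.0.0         # the dangerous line: no bits are checked
deny   0.0.0.0     0.0.0.0         # never reached
"""
SOCKS_CONF = """\
direct 127.0.0.1   255.255.255.255   # talk to yourself without SOCKS
direct 192.168.2.0 255.255.255.0     # internal network, straight over Ethernet
sockd  @=192.168.2.1 0.0.0.0 0.0.0.0 # everything else via the firewall
"""


def ip_to_int(dotted):
    """Dotted quad -> 32-bit integer; rejects malformed addresses."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n


def matches(addr, pattern, modifier):
    """True if addr agrees with pattern on every bit set in modifier.
    A modifier of 0.0.0.0 checks no bits, so it matches every address."""
    m = ip_to_int(modifier)
    return (ip_to_int(addr) & m) == (ip_to_int(pattern) & m)


def parse_rules(text):
    """Parse the three-field form used in the HOWTO:
         permit|deny|direct <address> <modifier>
         sockd @=<server list> <address> <modifier>
    and return a list of (keyword, servers, address, modifier)."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        keyword, servers = f[0].lower(), ()
        if keyword == "sockd":
            if len(f) < 4 or not f[1].startswith("@="):
                raise ValueError(f"bad sockd line: {raw!r}")
            servers = tuple(f[1][2:].split(","))
            f = [keyword] + f[2:]
        if keyword not in ("permit", "deny", "direct", "sockd") or len(f) < 3:
            raise ValueError(f"bad rule: {raw!r}")
        rules.append((keyword, servers, f[1], f[2]))
    return rules


def sockd_decision(rules, client_addr):
    """Access check: first matching line wins; no match is treated as deny
    (assumed here, the conservative choice)."""
    for keyword, _, addr, mod in rules:
        if matches(client_addr, addr, mod):
            return keyword
    return "deny"


def socks_route(rules, dst_addr):
    """Routing check: returns (keyword, servers) from the first matching line;
    no match is treated as deny (assumption, the client library's default is
    not stated in the HOWTO)."""
    for keyword, servers, addr, mod in rules:
        if matches(dst_addr, addr, mod):
            return keyword, servers
    return "deny", ()


def lint(rules):
    """Flag a permit that matches everything, and rules shadowed by an earlier catch-all."""
    warnings, catch_all_at = [], None
    for i, (keyword, _, addr, mod) in enumerate(rules, 1):
        if catch_all_at is not None:
            warnings.append(f"line {i}: unreachable, line {catch_all_at} already matches everything")
            continue
        if ip_to_int(mod) == 0:
            if keyword == "permit":
                warnings.append(f"line {i}: 'permit {addr} {mod}' allows every address")
            catch_all_at = i
    return warnings


if __name__ == "__main__":
    for name, text in (("sockd.conf", SOCKD_CONF), ("bad sockd.conf", BAD_SOCKD_CONF)):
        rules = parse_rules(text)
        print(name, "10.0.0.1 ->", sockd_decision(rules, "10.0.0.1"), lint(rules))
    print("socks.conf 198.51.100.5 ->", socks_route(parse_rules(SOCKS_CONF), "198.51.100.5"))
```

The useful habit here is running lint() over the real sockd.conf before restarting the server: the dangerous permit line looks perfectly plausible in a file and only the mask arithmetic reveals that it opens the proxy to the whole Internet.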
Setting up a name server behind the firewall is comparatively easy: run DNS on the proxy server machine and have every machine inside the wall use it as its DNS server.
8.3 Using the proxy server
8.3.1 Unix
To make an application work with the firewall it first has to be "sockified". You will end up with two telnets: one for direct connections and one that goes through the firewall. SOCKS comes with instructions on how to sockify a program, as well as a few programs that are already sockified. If you use a sockified program to reach an address that is directly reachable, SOCKS automatically switches you to a direct connection.
Because of this, we can replace all the applications inside the wall with their sockified versions. The original "finger" becomes "finger.orig", "telnet" becomes "telnet.orig", and so on. You have to tell SOCKS about each of these renamed programs in include/socks.h.
Some applications can handle routing and sockifying on their own, Netscape for example: you simply enter the address of the proxy server (192.168.2.1 in our case) in the appropriate field.
8.3.2 MS Windows with Trumpet Winsock
Trumpet Winsock has built-in proxy support. In the "Setup" menu, enter the IP address of the server together with the addresses of the machines that can be reached directly, and Trumpet will take care of the rest.
8.3.3 About UDP packets
SOCKS (translator's note: SOCKS4) can only proxy TCP; it does not support UDP (translator's note: SOCKS5 fully supports UDP). This means SOCKS cannot handle programs such as talk,