1. Introduction

The original Firewall-HOWTO is the work of David Rudder <drig@execpc.com>. He let me update the content of his original, and I am deeply grateful for that.

Firewalls have recently become a hot topic in Internet security. Like many other popular topics, they are also widely misunderstood. This HOWTO discusses what a firewall is, how to install one, what a proxy server is, how to set one up, and how these techniques are used in security beyond the firewall itself.

1.1. Feedback

If there is any mistake in this article, please let me know. Nobody is perfect, and I am certainly not; I am willing to correct any mistake. I will try to reply, but I am quite busy, so please bear with me if you receive no reply. Send corrections to <markg@netplus.net>. If you find a mistake in the translation, please notify the translator at <tchao@worldnet.att.net>.

1.2. Disclaimer

I am NOT RESPONSIBLE for any damage caused by following this article. It only introduces the role of firewalls and proxy servers. I am not an expert in computer security; I am just a person who likes to read and loves computers. I hope this article helps you become familiar with the subject, but I cannot guarantee that its content is entirely correct.

1.3. Copyright

Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.

All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator.

In short, we wish to promote dissemination of this information through as many channels as possible. However, we do wish to retain copyright on the HOWTO documents, and would like to be notified of any plans to redistribute the HOWTOs. If you have any questions, please contact Mark Grennan at <markg@netplus.net>.
At my Secure Linux URL I have collected the information, files and programs that I use to make Linux secure and reliable. If you need this information, please contact me.

2. What is a firewall

"Firewall" is originally the name of a part of a car. In a car, the firewall separates the passengers from the engine: if the engine catches fire, the passengers are protected, yet the driver keeps control of the engine.

In computing, a firewall is a device that keeps a private network from being affected by the public part, the Internet. In the rest of this document the firewall computer is simply called the "firewall". It is connected both to the protected network and to the Internet, but the protected network cannot reach the Internet and the Internet cannot reach the protected network. To reach the Internet from inside the protected network, you have to telnet to the firewall and then connect to the Internet from there.

The simplest firewall is a dual-homed system (one with two network connections). If you can trust all your users, you only need to install Linux (with IP forwarding/gatewaying set to OFF) and give each user an account. They can then log in to this system and use telnet, FTP, electronic mail and any other service you provide. With this setup the only computer that can reach the outside world is the firewall; the other computers on the network do not even need a default route.

To repeat: for this kind of firewall to work, you must trust all your users! I would not recommend it.

2.1. Drawbacks of firewalls

The problem with a firewall is that it limits access to your network from the Internet; only the services that pass the firewall's filtering can be used. With a proxy server, users can log in to the firewall and then reach any system inside the private network. In addition, new clients and servers appear almost every day, so you have to find a new way through the firewall each time one of these new services is needed.

2.2. Types of firewalls

There are two kinds of firewall:

1. IP filtering firewalls, which block all traffic except a few selected services.
2. Proxy servers, which make the network connections on your behalf.

2.2.1. IP filtering firewalls

An IP filtering firewall works at the packet level. It controls the flow of packets based on the source address, destination address, port number and protocol type contained in each packet. This type of firewall is very secure, but it lacks useful logging: it keeps people out of the private network, but it does not tell you who entered your public systems, or who went from the inside onto the Internet. Filtering firewalls are absolute filters. Even if you want to give a few outside people access to a private server, you cannot do so without giving everyone access. Linux has included packet filtering software in the kernel since version 1.3.x.

2.2.2. Proxy servers

A proxy server allows indirect access to the Internet through the firewall. The best illustration is telnetting to the firewall and then telnetting again from the firewall to the outside; with a proxy server, this is done automatically. When you connect to the proxy server with client software, the proxy starts its own client (the proxy) and passes the data back to you. Because all communication passes through the proxy, everything can be logged. As long as it is configured correctly, a proxy server is absolutely safe, and this is the most desirable property: it keeps everyone out, because there is no direct IP path.

3. Setting up a firewall

3.1. Hardware requirements

In my case, the computer used is a 486-DX66 with 16 MB of memory and a 500 MB Linux partition. Two network cards are installed: one is connected to the private network and the other to a network I call the "demilitarized zone" (the public network), on which there is a router connected to the Internet.
This configuration is very common; even a single network card plus a modem connected to the Internet through PPP will do. The key point is that the firewall must have two IP addresses.

Many people have small networks of two or three computers. Try putting all the modems on the Linux computer (an old 386 will do) and use load balancing to connect them to the Internet. With such a setup, when there is data to transfer, both modems work at the same time and double the speed.

4. Firewall software

4.1. Available packages

For a filtering firewall, Linux plus its basic networking software is enough. One program that may not be in the Linux distribution you use is the IP Firewall Administration tool (ipfwadm), available from http://www.xos.nl/linux/ipfwadm/.

For a proxy server you need one of the following packages:

1. SOCKS
2. The TIS Firewall Toolkit (FWTK)

Differences between the TIS Firewall Toolkit and SOCKS

Trusted Information Systems (http://www.tis.com) offers a collection of programs designed to simplify the work of firewalling. These programs do basically the same thing as SOCKS, but with a different design strategy. SOCKS uses one program to do all Internet-related work, while TIS provides one program for each utility you want to use through the firewall.

To illustrate the difference, take the World Wide Web and telnet. With SOCKS, you set up one configuration file and one daemon, and both telnet and WWW start working, as does every other service you have not disabled. With TIS, WWW and telnet each need their own configuration and daemon, and after that the other Internet services are still unavailable unless they are set up too. If a service (such as talk) has no daemon of its own, there is a "plug-in" daemon, but it is not as flexible as the other tools and not as easy to set up.

This seems a small thing, but it makes a big difference. SOCKS can be set up casually: if the SOCKS server is not configured perfectly, a service can get through from the inside that you did not intend. With TIS, only the services you explicitly set up can be used from the network. SOCKS is easier to set up and compile, and more flexible; TIS gives you more control over your users. Both, however, provide absolute protection: the outside world cannot get in. I will explain the installation and setup of both.

5. Setting up the Linux system

5.1. Compiling the kernel

Start with a fresh, minimal installation from your Linux distribution (I use RedHat 3.0.3, and everything that follows is based on that release). The less software installed on the system, the fewer problems and the fewer holes; since problems in installed software can compromise the system's security, install only what you need.

Use a stable kernel. My system uses the Linux 2.0.14 kernel, so this document is based on that kernel. Recompile the kernel with the appropriate options. If you have not read the Kernel-HOWTO, the Ethernet-HOWTO and the NET-2-HOWTO, now is a good time to do so. The following 'make config' settings relate to networking.
1. Under General setup
   1. Set Networking support to ON
2. Under Networking options
   1. Set Network firewalls to ON
   2. Set TCP/IP networking to ON
   3. Set IP forwarding/gatewaying to OFF (unless you want to use IP filtering)
   4. Set IP firewalling to ON
   5. Set IP firewall packet logging to ON (not required, but a good idea)
   6. Set IP: masquerading to OFF (not covered by this article)
   7. Set IP: accounting to ON
   8. Set IP: tunneling to OFF
   9. Set IP: aliasing to OFF
   10. Set IP: PC/TCP compatibility mode to OFF
   11. Set IP: Reverse ARP to OFF
   12. Set Drop source routed frames to ON
3. Under Network device support
   1. Set Network device support to ON
   2. Set Dummy net driver support to ON
   3. Set Ethernet (10 or 100Mbit) to ON
   4. Select your network card

Now recompile and reinstall the kernel and reboot. The network cards should appear in the boot messages. If a card is not detected, check the other HOWTOs until it is.

5.2. Configuring two network cards

With two network cards you will very likely need to add a line to /etc/lilo.conf giving the IRQ and address of each card. On my machine the line added to lilo.conf is:

    append="ether=12,0x300,eth0 ether=15,0x340,eth1"

5.3. Configuring the network addresses

This is the interesting part, and you have some decisions to make. Since the Internet is not meant to reach any part of your own network, you do not need to use real addresses. Some address ranges have been set aside for private networks; they are never routed on the Internet, so they cannot collide with real addresses. Among these, 192.168.2.xxx is a reserved block, so that is what is used here. Since the proxy server sits on both networks at once, it can pass data to both sides.
[Figure: the firewall sits between the Internet side (address 199.1.2.10) and the protected network (address 192.168.2.1), on which the workstations live.]

For a filtering firewall you can use these addresses too, but then you need IP masquerading: the firewall forwards the packets and puts its real IP address on them toward the Internet. On the outside network card set the real IP address; on the inside Ethernet card set 192.168.2.1. This is the IP address of the proxy/gateway computer.
All other computers in the protected network can use the addresses from 192.168.2.2 to 192.168.2.254. In RedHat Linux, you add an ifcfg-eth1 file to the /etc/sysconfig/network-scripts directory; the network and the routing table are set up from this file at boot. The parameters in ifcfg-eth1 can be set as follows (the address 192.168.255.0 shown in the source for IPADDR is a typo; the inside card's address is 192.168.2.1, as stated above):

    #!/bin/sh
    #>>>Device type: ethernet
    #>>>Variable declarations:
    DEVICE=eth1
    IPADDR=192.168.2.1
    NETMASK=255.255.255.0
    NETWORK=192.168.2.0
    BROADCAST=192.168.2.255
    GATEWAY=199.1.2.10
    ONBOOT=yes
    #>>>End variable declarations

If you connect to your ISP with a modem, look at the ifup-ppp file as well. With a dialup connection, the ISP assigns the IP address of the outside end when the connection is made.

5.4. Testing the network

Start by testing with ifconfig and route.
With two network cards in the machine, the result should look like this:

    # ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
              UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
              RX packets:1620 errors:0 dropped:0 overruns:0
              TX packets:1620 errors:0 dropped:0 overruns:0

    eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
              inet addr:199.1.2.10  Bcast:199.1.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:12 Base address:0x310

    eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:15 Base address:0x350

The routing table should look like this:

    # route -n
    Kernel routing table
    Destination     Gateway         Genmask         Flags MSS    Window Use Iface
    199.1.2.0       *               255.255.255.0   U     1500   0       15 eth0
    192.168.2.0     *               255.255.255.0   U     1500   0        0 eth1
    127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
    default         199.1.2.10      *               UG    1500   0       72 eth0

Note: 199.1.2.0 is the Internet side of the firewall and 192.168.2.0 is the private side.

First, try to ping the Internet from the firewall. I use nic.ddn.mil as the test point; it is not a bad one, but it is not as reliable as I would like. If you cannot reach it, try pinging a few addresses that are not on your own network. If that still fails, your PPP setup is wrong. Read the NET-2-HOWTO again and try again.

Next, ping a computer on the protected network from the firewall. Every computer on the protected network should be able to ping every other computer on it. If not, read the NET-2-HOWTO again and try again.

Then, from a computer on the protected network, ping an address beyond the firewall (that is, any address not in 192.168.2.xxx). If that works, IP forwarding has not been turned off. Think about whether that is what you intended; if you keep IP forwarding on, do not skip the IP filtering section below.

Now try to ping the Internet from behind the firewall, using the same address as before (for example nic.ddn.mil). If IP forwarding has been turned off, this should not work; if it is still on, it should.

If IP forwarding is on and your own network uses real IP addresses (not 192.168.2.*), and you can ping the firewall but not the Internet, check whether the router on the last hop routes your network's addresses back to you (you may have to ask your ISP). If the protected network uses 192.168.2.*, no packets can be routed back to it at all; without IP masquerading this cannot succeed.

At this point the basic setup is complete.

5.5. Securing the firewall

If services you do not use can go in and out of the firewall freely, the firewall is useless: a cracker can modify the firewall for their own use. So first turn off all unused services. Start with the /etc/inetd.conf file. This file controls the so-called "super server", which manages the daemons of many services and starts them when needed. Remove netstat, systat, tftp, bootp and finger completely. To disable a service, put a # at the beginning of its line. After editing, type "kill -HUP
6. IP filtering setup (ipfwadm)

First turn on the kernel's IP forwarding; the system should then begin to forward every packet. The routing table should be set up so that any destination can be reached: from the network to the Internet and from the Internet to the network. But the role of the firewall is to keep everyone from entering or leaving the network, so two scripts are installed on the system, one for the firewall's forwarding rules and one for accounting. Both scripts are run from /etc/rc.d, so they take effect when the system boots.

The Linux kernel forwards everything once IP forwarding is on. Therefore the firewall script must first deny everything, and clear any ipfw rules left over from the last run. The following commands do this:

    #
    # setup IP packet accounting and forwarding
    #
    # by default deny all services
    ipfwadm -F -p deny
    # flush all commands
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f

Good, now you have an absolutely safe firewall. Everything is blocked; nothing can get through the firewall in either direction. Of course, some services are still needed, so here are some examples. (In the source the protocol flag was written "-p" and the mail-server address appears once as 192.1.2.10; ipfwadm takes the protocol with "-P", and the server on this network is 196.1.2.10, so both are corrected here.)

    # Forward email to your server
    ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25
    # Forward email connections to outside email servers
    ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535
    # Forward Web connections to your Web server
    /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80
    # Forward Web connections to outside Web servers
    /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 80 -D 0.0.0.0/0 1024:65535
    # Forward DNS traffic
    /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24

If you want to know what is going through the firewall, the following rules count all packets.
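Before the accounting rules, a check of the forwarding rules above. This is an added example, not from the HOWTO: a Python model of the first-match evaluation the kernel applies to the -F chain with a deny default policy, with the rules above written as data, so you can ask what the chain does to a given packet before loading it. The addresses are the HOWTO's; the sample packets are constructed.

```python
"""Model of the ipfwadm forwarding (-F) chain from section 6.

Added example, not part of the original HOWTO. Assumptions: the default
policy is deny (ipfwadm -F -p deny), rules are tried in the order they
were added and the first match wins, and -b adds the mirrored rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]          # inclusive low..high, as in 1024:65535


@dataclass(frozen=True)
class Rule:
    proto: str                       # 'tcp' or 'udp'
    src: str                         # source network, CIDR form
    sport: Optional[PortRange]       # None means any port
    dst: str                         # destination network, CIDR form
    dport: Optional[PortRange]
    action: str = "accept"

    def matches(self, proto: str, saddr: str, sport: int,
                daddr: str, dport: int) -> bool:
        def in_range(r: Optional[PortRange], p: int) -> bool:
            return r is None or r[0] <= p <= r[1]
        return (proto == self.proto
                and ip_address(saddr) in ip_network(self.src)
                and ip_address(daddr) in ip_network(self.dst)
                and in_range(self.sport, sport)
                and in_range(self.dport, dport))

    def mirror(self) -> "Rule":
        """The extra rule ipfwadm installs when -b (bidirectional) is given."""
        return Rule(self.proto, self.dst, self.dport,
                    self.src, self.sport, self.action)


def forwarding_chain() -> List[Rule]:
    """The five rules from section 6, each followed by its -b mirror."""
    eph = (1024, 65535)
    base = [
        # Forward email to your server
        Rule("tcp", "0.0.0.0/0", eph, "196.1.2.10/32", (25, 25)),
        # Forward email connections to outside email servers
        Rule("tcp", "196.1.2.10/32", (25, 25), "0.0.0.0/0", eph),
        # Forward Web connections to your Web server
        Rule("tcp", "0.0.0.0/0", eph, "196.1.2.11/32", (80, 80)),
        # Forward Web connections to outside Web servers (as written above)
        Rule("tcp", "196.1.2.0/24", (80, 80), "0.0.0.0/0", eph),
        # Forward DNS traffic
        Rule("udp", "0.0.0.0/0", (53, 53), "196.1.2.0/24", None),
    ]
    chain: List[Rule] = []
    for r in base:                   # every rule above was added with -b
        chain.append(r)
        chain.append(r.mirror())
    return chain


def verdict(proto: str, saddr: str, sport: int, daddr: str, dport: int,
            chain: Optional[List[Rule]] = None) -> str:
    """First matching rule wins; no match falls through to the deny policy."""
    for rule in chain if chain is not None else forwarding_chain():
        if rule.matches(proto, saddr, sport, daddr, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    print(verdict("tcp", "10.9.8.7", 40000, "196.1.2.10", 25))   # accept: SMTP in
    print(verdict("tcp", "196.1.2.10", 25, "10.9.8.7", 40000))   # accept: its mirror
    print(verdict("tcp", "10.9.8.7", 40000, "196.1.2.10", 23))   # deny: no telnet rule
    print(verdict("tcp", "196.1.2.50", 40000, "10.9.8.7", 80))   # deny: see note below
    print(verdict("tcp", "10.9.8.7", 40000, "196.1.2.12", 80))   # accept: see note below
```

Run against the rules exactly as written, the model shows that the outside-Web rule does not do what its comment says: because its source port is 80, an inside client browsing out (source port in 1024:65535, destination port 80) matches nothing and is denied, while the -b mirror of that rule admits any outside host to port 80 of every machine in 196.1.2.0/24. Swapping that rule's source and destination specifications gives the intended behaviour; re-run the model after the change to confirm it.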
    # Flush the current accounting rules
    ipfwadm -A -f
    # Accounting
    /sbin/ipfwadm -A -f
    /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
    /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24

If all you want is a filtering firewall, you are done here, and with very little effort!

7. Installing the TIS proxy server

7.1. Getting the software

The TIS FWTK software is available from ftp://ftp.tis.com/. Remember: after fetching the software from TIS, read the README first. TIS FWTK is kept in a hidden directory on the server. To get its name, send mail to fwtk-request@tis.com with the word SEND in the body of the message; the Subject line can be left empty. The reply tells you the name of the directory holding the software, and it is valid for only 12 hours, so download it quickly.

At the time of writing, the latest version of FWTK is 2.0 (beta). Apart from a few small details, this version compiles without problems and runs normally, and it is the version used in these examples. If the final release changes things, a future version of this HOWTO will be revised accordingly.

7.2. Compiling TIS FWTK

To install FWTK, first create a fwtk-2.0 directory under /usr/src and unpack FWTK (fwtk-2.0.tar.gz) into it (tar zxf fwtk-2.0.tar.gz).

FWTK does not handle SSL web traffic. Jean-Christophe Touvet wrote an add-on for this, available from ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.z. Eric Wedel wrote a revision of it that includes a news server using Netscape; it is available from ftta.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.z. The example below uses Eric Wedel's version. To install it, create an ssl-gw directory inside /usr/src/fwtk-2.0 and put the files there. To compile this gateway you have to make a few changes.
First edit ssl-gw.c, which is missing some needed include files. The block to add begins:

    #if defined(__linux)
    #include
    sed 's/^include[ ]*\([^ ].*\)/include \1/' $name.proto > $name

Next edit the Makefile.config file; two changes are needed there. The source directory in Makefile.config must be changed to where you unpacked the source under /usr/src, so FWTKSRCDIR is changed accordingly:

    FWTKSRCDIR=/usr/src/fwtk/fwtk

Some Linux systems use the gdbm database, while Makefile.config assumes dbm. RedHat 3.0.3 is one of the systems that need the change:

    DBMLIB=-lgdbm

Finally, x-gw must be changed. The following lines in socket.c of the beta version must be deleted:

    #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
        + sizeof(un_name->sun_len) + 1
    #endif

To add ssl-gw to the FWTK source tree, add ssl-gw to the directory list in the Makefile:

    DIRS= smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw

After these modifications, run make.

7.3. Installing TIS FWTK

Run make install. The default installation directory is /usr/local/etc. You can change it to a more secure directory, and you can also tighten its permissions with chmod 700. Now set up the firewall.

7.4. Configuring TIS FWTK

Good! Now it gets interesting. We configure the system to invoke these new services and build the table that controls them. The description below is not a rewrite of the TIS FWTK manual; its purpose is to show a working configuration and the problems you may run into.

Three files make up these controls:

  * /etc/services tells the system which port each service uses
  * /etc/inetd.conf tells inetd which program to start when a service is requested
  * /usr/local/etc/netperm-table tells FWTK who is permitted and who is refused

For FWTK to do its job you must edit all three. Editing the service entries, or setting inetd.conf or netperm-table incorrectly, may leave the system unable to work at all.

7.4.1.
The netperm-table file

This file controls who may use the TIS FWTK services. First think about the needs on both sides of the firewall. Users outside the network should identify themselves before entering it, while users inside the network can pass straight through. For identification the firewall uses a program called authsrv, which keeps a database of user IDs and passwords. The authentication section of netperm-table controls where this database is kept and who may use it. I had trouble getting this service to work; I ended up putting "*" in permit-hosts, so that everyone can reach it. The correct setting for this line should be "authsrv: permit-hosts localhost", but that does not seem to work.
    #
    # Proxy configuration table
    #
    # Authentication server and client rules
    authsrv:         database /usr/local/etc/fw-authdb
    authsrv:         permit-hosts *
    authsrv:         badsleep 1200
    authsrv:         nobogus true
    # Client Applications using the Authentication Server
    *:               authserver 127.0.0.1 114

To initialize the database, run ./authsrv as root in /usr/local/etc and create the administrator's record. The actual session is shown below. Read the FWTK documentation to learn how to add users and groups.

    #
    # ./authsrv
    authsrv# list
    authsrv# adduser admin "Auth DB admin"
    ok - user added initially disabled
    authsrv# ena admin
    enabled
    authsrv# proto admin pass
    changed
    authsrv# pass admin "plugh"
    Password changed.
    authsrv# superwiz admin
    set wizard
    authsrv# list
    Report for users in database
    user   group  longname            ok?  proto   last
    ------ ------ ------------------  ---- ------  -----
    admin         Auth DB admin       ena  passw   never
    authsrv# display admin
    Report for user admin (Auth DB admin)
    Authentication protocol: password
    Flags: WIZARD
    authsrv# ^D
    EOT
    #

The telnet gateway (tn-gw) is straightforward, so set it up first. In my example, users on the protected network may pass without identifying themselves (permit-hosts 196.1.2.* -passok), while everyone else must give a user ID and password to use the proxy (permit-hosts * -auth). In addition, one system (196.1.2.202) may telnet directly to the firewall; this is set by the netacl-in.telnetd line. The telnet timeout should be short.
    # Telnet gateway rules:
    tn-gw:           denial-msg      /usr/local/etc/tn-deny.txt
    tn-gw:           welcome-msg     /usr/local/etc/tn-welcome.txt
    tn-gw:           help-msg        /usr/local/etc/tn-help.txt
    tn-gw:           timeout 90
    tn-gw:           permit-hosts 196.1.2.* -passok -xok
    tn-gw:           permit-hosts * -auth
    # Only the Administrator can telnet directly to the firewall via port 24
    netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd

The r-commands are set up like telnet.

    # rlogin gateway rules:
    rlogin-gw:       denial-msg      /usr/local/etc/rlogin-deny.txt
    rlogin-gw:       welcome-msg     /usr/local/etc/rlogin-welcome.txt
    rlogin-gw:       help-msg        /usr/local/etc/rlogin-help.txt
    rlogin-gw:       timeout 90
    rlogin-gw:       permit-hosts 196.1.2.* -passok -xok
    rlogin-gw:       permit-hosts * -auth -xok
    # Only the Administrator can rlogin directly to the firewall
    netacl-rlogind:  permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a

Nobody should be able to get into the firewall directly, and that includes FTP, so do not put an FTP server on the firewall. Here too the permit-hosts lines let anyone on the protected network reach the Internet, while everyone else must identify themselves. Every file sent or received is logged (-log { retr stor }). The FTP timeout controls how long the gateway waits for a transfer to start, and how long an idle connection is kept before it is dropped.

    # FTP gateway rules:
    ftp-gw:          denial-msg      /usr/local/etc/ftp-deny.txt
    ftp-gw:          welcome-msg     /usr/local/etc/ftp-welcome.txt
    ftp-gw:          help-msg        /usr/local/etc/ftp-help.txt
    ftp-gw:          timeout 300
    ftp-gw:          permit-hosts 196.1.2.* -log { retr stor }
    ftp-gw:          permit-hosts * -authall -log { retr stor }

WWW, gopher, and the FTP done by browsers are controlled by http-gw. The first two lines set up a directory for storing FTP and WWW files fetched through the firewall.
In this example all of these files are lumped together, so they are placed in a directory that only root can enter. The WWW timeout should be short; it controls how long the gateway waits while the user's connection is idle.

    # WWW and gopher gateway rules:
    http-gw:         userid          root
    http-gw:         directory       /jail
    http-gw:         timeout         90
    http-gw:         default-httpd   www.host
    http-gw:         hosts           196.1.2.* -log { read write ftp }
    http-gw:         deny-hosts      *

ssl-gw is really a gateway that lets anything through, so be careful with it. In this example, any host on the protected network may connect to any server outside the network except 127.0.0.* and 192.1.1.*, and only ports 443 to 563 may be used. Ports 443 to 563 are generally known as the SSL ports.

    # SSL gateway rules:
    ssl-gw:          timeout 300
    ssl-gw:          hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
    ssl-gw:          deny-hosts *

The following example shows how to connect to a news server with plug-gw. In this example, users on the protected network may connect to only one system, their news server; the second line lets the news server send its articles into the protected network. The timeout for news should be long, because most users read news online.

    # NetNews plugged gateway
    plug-gw:         timeout 3600
    plug-gw:         port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
    plug-gw:         port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp

The finger gateway is simple. Users on the protected network can run finger on the firewall, as long as they log in first. Anyone else only receives a message.

    # Enable finger service
    netacl-fingerd:  permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
    netacl-fingerd:  permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

This HOWTO has no setup for mail or X Windows. If anyone has an example of these, please send me email.

7.4.2. The inetd.conf file

Below is my complete /etc/inetd.conf. All unwanted services are commented out with the # symbol. The full listing shows which services are disabled and how the new firewall services are configured.
    #echo   stream  tcp     nowait  root    internal
    #echo   dgram   udp     wait    root    internal
    #discard        stream  tcp     nowait  root    internal
    #discard        dgram   udp     wait    root    internal
    #daytime        stream  tcp     nowait  root    internal
    #daytime        dgram   udp     wait    root    internal
    #chargen        stream  tcp     nowait  root    internal
    #chargen        dgram   udp     wait    root    internal
    # FTP firewall gateway
    ftp-gw  stream  tcp     nowait.400      root    /usr/local/etc/ftp-gw   ftp-gw
    # Telnet firewall gateway
    telnet  stream  tcp     nowait  root    /usr/local/etc/tn-gw    /usr/local/etc/tn-gw
    # local telnet service (the administrator's telnet)
    telnet-a        stream  tcp     nowait  root    /usr/local/etc/netacl   in.telnetd
    # Gopher firewall gateway
    gopher  stream  tcp     nowait.400      root    /usr/local/etc/http-gw  /usr/local/etc/http-gw
    # WWW firewall gateway
    http    stream  tcp     nowait.400      root    /usr/local/etc/http-gw  /usr/local/etc/http-gw
    # SSL firewall gateway
    ssl-gw  stream  tcp     nowait  root    /usr/local/etc/ssl-gw   ssl-gw
    # NetNews firewall proxy (using plug-gw)
    nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw  plug-gw nntp
    #nntp   stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
    # SMTP (email) firewall gateway
    #smtp   stream  tcp     nowait  root    /usr/local/etc/smap     smap
    #
    # Shell, login, exec and talk are BSD protocols.
    #
    #shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
    #login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
    #exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
    #talk   dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
    #ntalk  dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
    #dtalk  stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
    #
    # Pop and imap mail services et al
    #
    #pop-2  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
    #pop-3  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
    #imap   stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
    #
    # The Internet UUCP service.
    #
    #uucp   stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico   -l
    #
    # Tftp service is provided primarily for booting.  Most sites
    # run this only on machines acting as "boot servers." Do not uncomment
    # this unless you *need* it.
    #
    #tftp   dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
    #bootps dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
    #
    # Finger, systat and netstat give out user information which may be
    # valuable to potential "system crackers."  Many sites choose to disable
    # some or all of these services to improve security.
    #
    # cfinger is for GNU finger, which is currently not in use in RHS Linux
    #
    #finger stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
    #cfinger stream tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
    #systat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
    #netstat        stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat    -f inet
    #
    # Time service is used for clock syncronization.
    #
    #time   stream  tcp     nowait  root    /usr/sbin/tcpd  in.timed
    #time   dgram   udp     wait    root    /usr/sbin/tcpd  in.timed
    #
    # Authentication
    #
    auth    stream  tcp     wait    root    /usr/sbin/tcpd  in.identd -w -t120
    authsrv stream  tcp     nowait  root    /usr/local/etc/authsrv  authsrv
    #
    # End of inetd.conf

7.4.3. The /etc/services file

When a connection reaches the firewall, it arrives on a well-known port (below 1024); for example, telnet connects to port 23. The inetd daemon hears the connection and looks up the name of the service for that port in /etc/services, then starts the program listed under that name in /etc/inetd.conf. Some of the services used here are not in /etc/services; you can assign them any port you like. For example, the administrator's telnet port (telnet-a) can be set to 24, or to 2323, or whatever you prefer. If the administrator (I mean you) wants to telnet directly to the firewall, the connection must go to port 24 instead of 23. With netperm-table set as in the example above, this is only possible from one host on the protected network.

    telnet-a        24/tcp
    ftp-gw          21/tcp          # this name changed
    auth            113/tcp   ident # User Verification
    ssl-gw          443/tcp
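Looking back at the netperm-table rules in section 7.4.1, here is an added example (not FWTK code) that evaluates the permit-hosts, hosts and deny-hosts lines for one gateway against a client address. It assumes that rules are tried in order with the first match winning, that "*" in a pattern matches any run of characters, and that a client matching no rule is refused; the table it reads is constructed from the rules above.

```python
"""Evaluate TIS FWTK netperm-table host rules (added example, not FWTK code).

Assumed semantics, a simplification of the real netperm-table parser:
the host rules of a gateway are tried in the order they appear, the first
pattern that matches the client wins, '*' matches any characters, and a
client matching nothing is refused.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed excerpt in the format used in section 7.4.1 (not a real site's table).
NETPERM_TABLE = """\
tn-gw:             timeout 90
tn-gw:             permit-hosts 196.1.2.* -passok -xok
tn-gw:             permit-hosts * -auth
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
http-gw:           hosts 196.1.2.* -log { read write ftp }
http-gw:           deny-hosts *
"""

HOST_KEYWORDS = ("permit-hosts", "hosts", "deny-hosts")


def host_rules(table: str, gateway: str) -> List[Tuple[str, str, List[str]]]:
    """Return (keyword, host pattern, options) for each host rule of `gateway`."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, _, body = line.partition(":")      # "tn-gw:  permit-hosts ..."
        if owner.strip() != gateway:
            continue
        words = body.split()
        if len(words) >= 2 and words[0] in HOST_KEYWORDS:
            rules.append((words[0], words[1], words[2:]))
    return rules


def decide(table: str, gateway: str, client: str) -> Dict[str, object]:
    """First matching host rule wins; no match means the client is refused."""
    for keyword, pattern, opts in host_rules(table, gateway):
        if not fnmatchcase(client, pattern):
            continue
        if keyword == "deny-hosts":
            return {"permit": False, "rule": f"{keyword} {pattern}"}
        return {
            "permit": True,
            "rule": f"{keyword} {pattern}",
            # -auth / -authall send the client to authsrv first; -passok does not
            "auth_required": "-auth" in opts or "-authall" in opts,
            # netacl rules name the real daemon to run for a permitted client
            "exec": opts[opts.index("-exec") + 1] if "-exec" in opts else None,
        }
    return {"permit": False, "rule": None}


if __name__ == "__main__":
    for gw, host in (("tn-gw", "196.1.2.5"), ("tn-gw", "10.0.0.5"),
                     ("http-gw", "10.0.0.5"), ("netacl-in.telnetd", "196.1.2.5")):
        print(gw, host, decide(NETPERM_TABLE, gw, host))
```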
8. The SOCKS proxy server

8.1. Installing the proxy server

The SOCKS proxy server can be obtained from ftp://sunsite.unc.edu/pub/linux/system/neetwork/misc/socks-linux-src.tgz. The archive also contains a sample configuration file called "socks-conf". Unpack the archive and follow the instructions it contains. It is not entirely straightforward, however: first make sure the Makefile is set up correctly. The proxy server must be registered in /etc/inetd.conf, so add the following line:

socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd

The server is then started whenever it is needed.

8.2. Configuring the proxy server

SOCKS needs two configuration files. One sets the access permissions; the other sets the routes used to find the appropriate proxy server. The permission file belongs on the server, and the route file belongs on every UNIX machine. DOS and Macintosh machines work out their own routing.

8.2.1. The permission file

In SOCKS 4.2 (Beta) the permission file is called "sockd.conf", and it should contain only two lines: a permit line and a deny line. Each line has three fields:

* an identifier (permit/deny)
* an IP address
* an address modifier

The identifier is either permit or deny. There should be one permit line and one deny line. The IP address is written in the standard four-byte form, e.g. 192.168.2.0. The address modifier is likewise a standard four-byte IP address, used as a netmask. Think of it as a 32-bit number: wherever a bit is 1, the corresponding bit of the address being checked must match the corresponding bit of the rule's IP address. For example, the line

permit 192.168.2.23 255.255.255.255

requires every bit to match, so only the address 192.168.2.23 is permitted. The line

permit 192.168.2.0 255.255.255.0

permits every address from 192.168.2.0 to 192.168.2.255, that is, the whole class C.
You should not have a line such as

permit 192.168.2.0 0.0.0.0

because it permits every address whatsoever. So first permit each address you want to allow, and then deny everything else. To allow every user in the range 192.168.2.xxx, write:

permit 192.168.2.0 255.255.255.0
deny 0.0.0.0 0.0.0.0

Note the first "0.0.0.0" in the deny line: because the modifier is 0.0.0.0, the IP address has no effect, and 0 is used simply because it is easy to type. Individual users can also be permitted or denied; this is done with ident checking. Since not all systems support ident, Trumpet Winsock among them, it is not covered here. The documentation supplied with SOCKS is sufficient.

8.2.2. The route file

The route file in SOCKS is called "socks.conf", which is easily confused with the permission file. The route file tells the SOCKS clients when to use SOCKS and when not to. For example, on this network 192.168.2.3 does not need SOCKS to talk to the firewall 192.168.2.1, because the two are directly connected by Ethernet. The loopback address 127.0.0.1 is set up automatically, so you do not need SOCKS to talk to yourself. There are three kinds of entry:

* deny
* direct
* sockd

A deny line tells SOCKS to refuse a request.
Its fields are the same as in sockd.conf: the identifier, the IP address and the address modifier. Since the permission file sockd.conf normally takes care of this already, the modifier here is usually 0.0.0.0. If you want to prevent yourself from connecting anywhere, you can do it here. Under direct, list the addresses that do not go through SOCKS; all of these can be reached directly without passing through the proxy server. Again there are three fields: identifier, address and modifier. For example:

direct 192.168.2.0 255.255.255.0

The sockd line tells the user's computer which host runs the SOCKS server daemon. It looks like this:

sockd @=
For example, "finger" becomes "finger.orig" and "telnet" becomes "telnet.orig". SOCKS must be told about this through the include/socks.h file. Some programs handle the routing and sockifying themselves; Netscape is one of them. To use a proxy server with Netscape, simply enter the server's address (here 192.168.2.1) in the SOCKs field under Proxies. Of course, each application differs slightly in how it handles a proxy server.

8.3.2. Microsoft Windows and Trumpet Winsock

Trumpet Winsock has built-in proxy server support. In the "setup" menu, enter the IP address of the server and the addresses of all computers that are directly reachable. Trumpet then handles all outgoing packets.

8.3.3. Getting the proxy server to work with UDP packets

The SOCKS package handles only TCP packets, not UDP. This limits its usefulness, because many useful programs, such as talk and Archie, use UDP. There is a package called UDPrelay, designed by Tom Fitzgerald
9. Advanced configurations

Before closing this article, one more example configuration is worth giving. The earlier examples suit most uses; the one below is set up to illustrate some further problems. If the earlier examples did not answer your question, or you want to know about other capabilities of proxy servers and firewalls, read the example that follows.

9.1. A large network with security in mind

Suppose the leader of a militia wants to set up a network with 50 computers and a subnet of 32 IP addresses. Because the followers hold different ranks, the leader wants to give different levels of Internet access, so that one part of the network cannot communicate with another. The levels are:

1. The periphery. This is the level everyone reaches; it is where new members are recruited.
2. The troops. People at this level have got past the periphery. Here they learn about the conspiracies and how to make weapons.
3. The Foreign Legion. This is where the real plans are laid.

9.1.1. Network configuration

The IP numbers are assigned as follows:

* One address is 192.168.2.255, the broadcast address, which cannot be used.
* 23 of the 32 IP addresses are assigned to 23 machines that may go on the Internet.
* One IP address is used for a Linux machine on that network.
* One IP address is used for another Linux machine on that network.
* Two IP addresses are used for the router.
* The remaining four addresses are given decoy names, so that outsiders do not reach the real users.
* The protected networks use the address 192.168.2.xxx, and two separate networks are set up. The two networks are connected by infrared Ethernet, so the outside world cannot see them. Infrared Ethernet behaves the same as ordinary Ethernet. Each of the two networks is connected through one of the Linux machines, which has an IP address on the outer network.
There is also a file server connected to both protected networks, because the well-trained troops are needed for the plan to conquer the world. On the troop network the file server's IP address is 192.168.2.17, and on the Foreign Legion network it is 192.168.2.23; the addresses differ because they belong to different Ethernet cards. IP forwarding on the file server is turned off. IP forwarding on both Linux machines is disabled as well. The router will not forward packets to 192.168.2.xxx unless explicitly told to, so the Internet cannot get in. IP forwarding is turned off so that packets from the troop network cannot reach the Foreign Legion network, and packets from the Foreign Legion network cannot reach the troops. The NFS server can be configured to export different files to different networks. This is quite easy, and it puts the documents where they are needed. With this configuration plus one more Ethernet card, a single file server can serve all three networks.

9.1.2. Proxy server configuration

All three groups need to use the Internet. The external network is connected directly to the Internet, so nothing needs to be done on the proxy server for it. The Foreign Legion network and the troop network sit behind the firewall, so some proxy server settings are needed. The configurations of the two networks are very similar; they still use the IP addresses assigned to them. A few parameters are set here, however:

1. No one may use the file server to access the Internet, otherwise it could be infected by a virus or other nasty things. This problem is serious enough that the file server must not be allowed through.
2. The troops are not allowed on the web.
They are still in training, and giving them the ability to retrieve information could be harmful to them. Therefore the sockd.conf on the troop network's Linux machine should contain the line:

deny 192.168.2.17 255.255.255.255

and the Foreign Legion machine's configuration should contain:

deny 192.168.2.23 255.255.255.255

In addition, the troop network's Linux machine gets:

deny 0.0.0.0 0.0.0.0 eq 80

This line means that no machine may use port 80, which is the http port.
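As an added example, not part of the HOWTO or the SOCKS package, the following script evaluates sockd.conf-style lines with the netmask semantics of 8.2.1 and the troop-network rules of 9.1.2, and flags the "permit ... 0.0.0.0" mistake the text warns about. It models only the syntax shown on the page; first-match ordering and refusing unmatched requests are assumptions, and the sample configuration is constructed.

```python
# Added example, not from the HOWTO: evaluate sockd.conf-style permit/deny
# lines (8.2.1, 9.1.2).  Only the syntax shown on the page is modelled:
# <permit|deny> <ip> <mask> [eq|neq|lt|gt|le|ge <port>].  Lines are checked
# in order, first match decides, no match refuses (both assumptions).
import ipaddress

OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
       "lt": lambda a, b: a < b, "gt": lambda a, b: a > b,
       "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b}

def parse_rules(text):
    """Parse config text into (action, ip_int, mask_int, op, port) tuples."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if len(f) not in (3, 5) or f[0].lower() not in ("permit", "deny"):
            raise ValueError(f"malformed line: {raw!r}")
        op, port = (f[3].lower(), int(f[4])) if len(f) == 5 else (None, None)
        if op is not None and op not in OPS:
            raise ValueError(f"unknown operator in: {raw!r}")
        rules.append((f[0].lower(), int(ipaddress.IPv4Address(f[1])),
                      int(ipaddress.IPv4Address(f[2])), op, port))
    return rules

def decide(rules, src_ip, dst_port=None):
    """Return "permit" or "deny" for a request from src_ip to dst_port."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, ip, mask, op, port in rules:
        # A 1 bit in the mask means that bit of src must equal the rule's ip;
        # a mask of 0.0.0.0 therefore matches every address, whatever ip says.
        if (src & mask) != (ip & mask):
            continue
        if op is not None and (dst_port is None or not OPS[op](dst_port, port)):
            continue
        return action
    return "deny"  # assumption: an unmatched request is refused

def permits_everything(rules):
    """Flag the mistake the text warns about: a permit whose mask is 0.0.0.0."""
    return any(a == "permit" and mask == 0 for a, _, mask, _, _ in rules)

# Constructed sample: the troop-network firewall of 9.1.2, with the denies
# placed before the general permit so that they are reached first.
TROOP_SOCKD_CONF = """
deny    192.168.2.17  255.255.255.255         # file server may not go out
deny    0.0.0.0       0.0.0.0          eq 80  # nobody may reach http
permit  192.168.2.0   255.255.255.0           # the rest of the class C
deny    0.0.0.0       0.0.0.0                 # everything else
"""
```

Running decide() over the sample shows that the order matters: if the general permit came first, the two deny lines would never be reached.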