  Greek Firewalling and Proxy Server HOWTO
  Mark Grennan, markg@netplus.net
  v0.4, 8 November 1996

  This document is designed to teach the basics of firewall systems and
  to give some details on setting up firewall, proxy and filtering
  systems on Linux-based PCs. An HTML version (in English) of this
  document is available at http://okcforum.org/~markg/Firewall-HOWTO.html
  ______________________________________________________________________

  Table of Contents

  1. Introduction

     1.1 Feedback
     1.2 Disclaimer
     1.3 Copyright
     1.4 My Reasons for Writing This
     1.5 TODO
     1.6 Further Reading

  2. Understanding Firewalls

     2.1 Drawbacks with Firewalls
     2.2 Types of Firewalls
        2.2.1 IP Filtering Firewalls
        2.2.2 Proxy Servers

  3. Setting up a Firewall

     3.1 Hardware Requirements

  4. Firewall Software

     4.1 Available Packages
     4.2 The TIS Firewall Toolkit vs SOCKS

  5. Preparing the Linux System

     5.1 Compiling the Kernel
     5.2 Configuring Two Network Cards
     5.3 Configuring the Network Addresses
     5.4 Testing Your Network
     5.5 Securing the Firewall

  6. IP Filtering Setup (IPFWADM)

  7. Installing the TIS Proxy Server

     7.1 Getting the Software
     7.2 Compiling the TIS FWTK
     7.3 Installing the TIS FWTK
     7.4 Configuring the TIS FWTK
        7.4.1 The netperm-table File
        7.4.2 The inetd.conf File
        7.4.3 The /etc/services File

  8. The SOCKS Proxy Server

     8.1 Setting up the Proxy Server
     8.2 Configuring the Proxy Server
        8.2.1 The Access File
        8.2.2 The Routing File
        8.2.3 DNS Behind the Firewall. Setting up Domain Name Service behind a firewall is admittedly an easy matter. You simply need to set up DNS on the firewall machine. Then configure every machine behind the firewall to use this DNS.
     8.3 Working with a Proxy Server
        8.3.1 Unix
        8.3.2 MS Windows with Trumpet Winsock
        8.3.3 Getting the Proxy Server to Work with UDP Packets
     8.4 Drawbacks with Proxy Servers

  9. Advanced Configurations

     9.1 A Large Network with Emphasis on Security
        9.1.1 The Network Setup
        9.1.2 The Proxy Setup



  ______________________________________________________________________

  1.  Introduction

  The original version of the Firewall-HOWTO was written by David Rudder,
  drig@execpc.com, and I would like to thank him for allowing me to
  update his work.

  Firewalls have recently gained great fame as the ultimate security
  measure on the Internet. As with most things that gain fame,
  misunderstandings come with it. This HOWTO will cover the basics of
  what a firewall is, how to set one up, what proxy servers are, how to
  set up a proxy server, and the applications of this technology outside
  the security realm.


  1.1.  Feedback

  Any feedback is welcome. PLEASE REPORT ANY INACCURACIES IN THIS
  DOCUMENT!!! I am human and prone to making mistakes. If you find any,
  correcting them is my ultimate goal. I will try to answer all e-mail,
  but I am busy, so don't be offended if I don't reply.

  My e-mail address is markg@netplus.net


  1.2.  Disclaimer

  I AM NOT RESPONSIBLE FOR ANY DAMAGE INCURRED DUE TO ACTIONS TAKEN BASED
  ON THIS DOCUMENT. This document is intended as an introduction to how
  firewalls and proxy servers work. I am not, nor do I pretend to be, a
  security expert. I am just a simple guy who has read a lot and loves
  computers more than most people do. Please note, I am writing this
  guide to make this subject known to the world, and I am not prepared to
  stake my life on what is in here.


  1.3.  Copyright

  Unless otherwise stated, Linux HOWTO documents are copyrighted by their
  respective authors. Linux HOWTO documents may be reproduced and
  distributed in whole or in part, in any medium physical or electronic,
  as long as this copyright notice is retained on all copies. Commercial
  redistribution is allowed and encouraged; however, the author would
  like to be notified of any such distributions.

  All translations, derivative works, or aggregate works incorporating
  any Linux HOWTO documents must be covered under this copyright notice.
  That is, you may not produce a derivative work from a HOWTO and impose
  additional restrictions on its distribution. Exceptions to these rules
  may be granted under certain conditions; please contact the Linux HOWTO
  coordinator.

  If you have any questions, please contact Mark Grennan
  <markg@netplus.net>.





  1.4.  My Reasons for Writing This

  Even though there have been many discussions over the past year on
  comp.os.linux.* about firewalling, I found it hard to find the
  information I needed to set up a firewall. The original version of
  this HOWTO helped, but was incomplete. I hope this enhanced version of
  David Rudder's Firewall HOWTO will give everyone the information they
  need to build a working firewall in hours rather than weeks.

  I also feel that I want to give something back to the Linux community.


  1.5.  TODO

  ·  Provide some instruction on how to set up a client

  ·  Find a nice UDP proxy server that works on Linux.


  1.6.  Further Reading

  ·  The NET-2 HOWTO

  ·  The Ethernet HOWTO

  ·  The Multiple Ethernet Mini HOWTO

  ·  Networking with Linux

  ·  The PPP HOWTO

  ·  TCP/IP Network Administrator's Guide by O'Reilly and Associates

  ·  The documentation for the TIS Firewall Toolkit

  On the Trusted Information Systems (TIS) web site, http://www.tis.com/,
  you will find a large collection of documents on firewalls and related
  material.

  I am also working on a security project which I call Secure Linux. On
  the Secure Linux web site I am collecting all the information,
  documentation and programs needed to build a secure Linux system. Send
  me e-mail if you want information.


  2.  Understanding Firewalls

  A firewall is something used as part of a car. In cars, firewalls are
  the physical objects that separate the engine from the passengers.
  They protect the passengers in case the engine catches fire, while
  still giving the driver access to the engine's controls. A firewall in
  computing is a device (a computer) that protects a private network from
  the public part (the Internet as a whole).

  The firewall computer, from here on called the "firewall", can "touch"
  both the protected network and the Internet. The protected network
  cannot reach the Internet, and the Internet cannot reach the protected
  network.

  For someone on the protected network who wants to communicate with the
  Internet, they must telnet to the firewall and use the Internet from
  there.

  The simplest form of a firewall is a dual-homed system (a system with
  two network connections). IF YOU CAN TRUST ALL YOUR USERS, you can
  simply set up a Linux box (compile the kernel with IP Forwarding
  disabled) and give everyone accounts on it. They will be able to log in
  to the system, telnet, FTP, read e-mail and use whatever else you have
  provided. With this setup, the only computer on your private network
  that knows anything about the outside world is the firewall. The other
  systems on your protected network do not even need a default route set.

  This needs a clarification. For the above firewall to work you MUST
  TRUST ALL YOUR USERS! I do not recommend this.


  2.1.  Drawbacks with Firewalls

  The problem with filtering firewalls is that they inhibit access to
  your network from the Internet. Only services on systems that have
  passed the filter can be given access. With proxy servers, users can
  log in to the firewall and then access any system within your private
  network to which they have access.

  Also, new types of network clients and servers appear almost every day.
  When this happens you have to find new ways to allow controlled access
  before these services can be used.


  2.2.  Types of Firewalls

  There are two types of firewalls

  1. IP Filtering Firewalls - they block everything except selected
     network traffic.

  2. Proxy Servers - they make the network connection for you.


  2.2.1.  IP Filtering Firewalls

  An IP filtering firewall works at the packet level. It is designed to
  control the flow of packets based on the source (destination) port and
  the information contained in each packet.

  This type of firewall is very secure but lacks any kind of useful event
  logging. It can block the world from accessing your private network,
  but it will not tell you who accessed your public system or who
  accessed the Internet from inside.

  Filtering firewalls are absolute filters. Even if you want to give
  outside access to your private servers, you cannot do it without giving
  everyone access to those servers.

  Linux has included packet filtering in the kernel since version 1.3.x


  2.2.2.  Proxy Servers

  Proxy servers allow indirect access to the Internet through the
  firewall. The best example of how this works is a person telnetting to
  a system and then telnetting from there to somewhere else. Only with
  proxy servers the process is automatic. When you connect to a proxy
  server with your client software, the proxy server starts its own
  client (proxy) software and passes your data through.

  Because proxy servers duplicate all communications, they can log
  everything they do.

  The nice thing about proxy servers is that they are completely secure
  when configured correctly. They will not let anyone through them. There
  are no direct IP routes.


  3.  Setting up a Firewall

  3.1.  Hardware Requirements

  For our example, the computer is a 486-DX66 with 16MB of RAM and a
  500MB Linux partition. This system has two network cards, one connected
  to your private local area network (LAN) and the other to the network
  we call the De-Militarized Zone (DMZ). The DMZ has a router with a
  connection to the Internet.

  This is a nice local setup for businesses. You can also use one network
  card and a modem with PPP to the Internet. The point is that the
  firewall must have two IP network numbers.

  I know that many people have small LANs at home with two or three
  computers on them. Something you should consider is putting all your
  modems in one Linux box (perhaps an old 386) and connecting them all to
  the Internet with load balancing. With this setup, when a single person
  is pulling data they will be able to use both modems, doubling the
  connection speed :-)




  4.  Firewall Software

  4.1.  Available Packages

  If all you want is a filtering firewall, you need only Linux and the
  basic networking package. One package that may not be included in your
  distribution is the IP Firewalling Administration Tool.

  IPFWADM is available at http://www.xos.nl/linux/ipfwadm/

  If you want to set up a proxy server you will need one of the following
  packages.

  1. SOCKS

  2. TIS Firewall Toolkit (FWTK)



  4.2.  The TIS Firewall Toolkit vs SOCKS

  Trusted Information Systems (http://www.tis.com) has released a
  collection of programs designed to facilitate firewalling. These
  programs do the same things as the SOCKS package, but with a different
  design strategy. Where SOCKS has one program that covers all Internet
  transactions, TIS provides one program for each service the firewall is
  to offer.

  To contrast the two, let us take the example of World Wide Web and
  telnet access. With SOCKS you get one configuration file and one
  daemon. Through that file and daemon you have both WWW and telnet
  enabled, as well as any other services you have not disabled.

  With the TIS toolkit, you set up one daemon for WWW and one for telnet,
  and a configuration file for each. After you have done this, the other
  Internet services are still disabled until you set them up. If you have
  not set up a daemon for a particular service, there is a "plug-in"
  daemon, but it is neither as flexible nor as easy to set up as the
  other tools.

  This may not seem so serious, but it makes a big difference. SOCKS lets
  you be sloppy. With a poorly set up SOCKS server, someone from inside
  can gain more access than you intended them to have. With the TIS
  toolkit, the people inside have access only to what the system
  administrator wants them to have.

  SOCKS is easier to set up, easier to compile and allows greater
  flexibility. The TIS toolkit is more secure if you want to regulate the
  users inside your private network. Both provide absolute protection
  from the outside.

  I will cover the installation and setup of both.


  5.  Preparing the Linux System

  5.1.  Compiling the Kernel

  Start with a clean installation of your Linux distribution. (I used RH
  3.0.3 and the examples are based on this distribution.) The less
  software you have loaded, the fewer holes, back doors and/or bugs there
  will be to cause security problems on your system, so load only the
  minimal set of applications (minimum installation).

  Get a stable kernel. I used the Linux 2.0.14 kernel for my system, so
  this document is based on my own build.

  You will need to recompile the Linux kernel with the appropriate
  options. Look at the Kernel-HOWTO, Ethernet-HOWTO and NET-2 HOWTO for
  this, if you have not done it before.

  Below are the settings I know work with make config.


  1. Under General setup

     a. Turn Networking Support ON

  2. Under Networking Options

     a. Turn Network firewalls ON

     b. Turn TCP/IP Networking ON

     c. Turn IP forwarding/gatewaying OFF (UNLESS you wish to use IP
        filtering)

     d. Turn IP Firewalling ON

     e. Turn IP firewall packet logging ON (this is not required but it
        is a good idea)

     f. Turn IP: masquerading OFF (I am not covering this subject here.)

     g. Turn IP: accounting ON

     h. Turn IP: tunneling OFF

     i. Turn IP: aliasing OFF

     j. Turn IP: PC/TCP compatibility mode OFF

     k. Turn IP: Reverse ARP OFF

     l. Turn Drop source routed frames ON

  3. Under Network device support

     a. Turn Network device support ON

     b. Turn Dummy net driver support ON

     c. Turn Ethernet (10 or 100Mbit) ON

     d. Select your network card

  Now you can recompile and reinstall the kernel and reboot. The network
  card(s) should show up during boot. If not, go back to the other HOWTOs
  until they work.


  5.2.  Configuring Two Network Cards

  If you have two network cards in your computer, you will probably need
  to add an append statement to your /etc/lilo.conf file to describe the
  IRQ and I/O address of both cards. The statement in my lilo.conf looks
  like this:

      append="ether=12,0x300,eth0 ether=15,0x340,eth1"




  5.3.  Configuring the Network Addresses

  This is a really interesting part. Now you have some decisions to make.
  Since we do not want the Internet to have access to any part of our
  private network, we do not need to use real addresses. There is a
  number of Internet addresses set aside for private networks. Since
  everyone needs more addresses and since these addresses cannot cross
  the Internet, they are a good choice.

  These, 192.168.2.xxx, are set aside and we will use them in our
  example.

  Your firewall will be a member of both networks and so it will be able
  to pass data to and from your private network.





              199.1.2.10   __________    192.168.2.1
        _  __  _        \ |          | /           _______________
       | \/  \/ |        \| Firewall |/           |               |
      / Internet \--------|  System  |------------| Workstation/s |
      \_/\_/\_/\_/        |__________|            |_______________|



  If you want to use a filtering firewall you can still use these
  numbers. You will however need to use IP masquerading to make this
  happen. With this process the firewall will forward packets and
  translate them to "REAL" addresses for their trip across the Internet.

  You should assign the real IP address to the network card on the
  (outside) Internet side. And assign 192.168.2.1 to the Ethernet card on
  the inside. This will be the IP address of the proxy/gateway. You can
  assign all the other computers on the protected network numbers from
  the 192.168.2.xxx range (192.168.2.2 through 192.168.2.254)

  Since I use RH Linux (Hey guys, will you give me a copy for the plugs?
  ;-), to configure the network at boot time I added an ifcfg-eth1 file
  to the /etc/sysconfig/network-scripts directory. This file is read
  during boot to set up the network and the routing tables.

  Below is what my ifcfg-eth1 looks like.


      #!/bin/sh
      #>>>Device type: ethernet
      #>>>Variable declarations:
      DEVICE=eth1
      IPADDR=192.168.2.1
      NETMASK=255.255.255.0
      NETWORK=192.168.2.0
      BROADCAST=192.168.2.255
      GATEWAY=199.1.2.10
      ONBOOT=yes
      #>>>End variable declarations



  You can use these scripts to connect automatically via modem to your
  Internet provider. Look at the ipup-ppp script.

  If you intend to use a modem for your connection to the Internet, the
  external IP address will be assigned to you by the ISP when you
  connect.




  5.4.  Testing Your Network

  Start by checking ifconfig and route. If you have two network cards,
  ifconfig should look something like this:


    #ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
              UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
              RX packets:1620 errors:0 dropped:0 overruns:0
              TX packets:1620 errors:0 dropped:0 overruns:0

    eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
              inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:12 Base address:0x310

    eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:15 Base address:0x350



  and the route table something like this:


    #route -n
    Kernel routing table
    Destination     Gateway         Genmask         Flags MSS    Window Use Iface
    199.1.2.0       *               255.255.255.0   U     1500   0       15 eth0
    192.168.2.0     *               255.255.255.0   U     1500   0        0 eth1
    127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
    default         199.1.2.10      *               UG    1500   0       72 eth0



  Note: 199.1.2.0 is the Internet side of this firewall and 192.168.2.0
  the private side.

  Now try to ping the Internet from the firewall. I used to use
  nic.ddn.mil as my test point. It is a good test point, but it has
  proven to be less reliable than I had hoped. If it does not work at
  first, try pinging a few other sites that are not connected to your
  LAN. If it still does not work, then PPP is not set up correctly.
  Reread the NET-2 HOWTO and try again.

  Next, try pinging a host inside the protected network from the
  firewall. All the computers should be able to ping each other. If not,
  go back to the NET-2 HOWTO and work on your network some more.

  Then, try pinging the external address of the firewall from inside the
  protected network. (Note: the address of the firewall's external side
  is not any 192.168.2.xxx IP number.) If you can, then you have not
  turned IP Forwarding off. Make sure this is what you want. If you leave
  it on you can skip straight to the chapter "IP Filtering Setup
  (chapter 6)" of this document.

  Now, try pinging the Internet from behind the firewall using the same
  addresses that worked before (e.g. nic.ddn.mil). Again, if you have IP
  Forwarding turned off, this is not going to work. If you have it turned
  on, it will work.

  If you have IP Forwarding turned on, you should be using "REAL" (not
  192.168.2.xxx) IP addresses for your private network. If you cannot
  ping the Internet but you can ping the Internet side of the firewall,
  check whether the next router up the line (toward the Internet) is
  routing packets to your private network address. (Your ISP does this
  for you.)

  If you have set the protected network to 192.168.2.xxx, then no packets
  can be routed to it at all. If you have gone ahead and already have IP
  masquerading turned on, this test will work.

  You now have your basic system ready.


  5.5.  Securing the Firewall

  A firewall is no good if it is left wide open to attack through unused
  services. A "bad guy" could gain access to the firewall and modify it
  to suit his needs.

  Start by turning off all unneeded services. Look at the file
  /etc/inetd.conf. This file controls what is called the "super server".
  It controls a group of server daemons and starts them when they are
  requested.

  Definitely turn off netstat, systat, tftp, bootp, and finger. To turn
  off a service, put a # as the first character of the line for each
  service you do not want. When you have done this, send a SIGHUP to the
  process by typing "kill -HUP <pid>", where <pid> is the process number
  of inetd. This makes inetd reread its configuration file (inetd.conf)
  and restart.
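  An added example, not part of the HOWTO, that does the inetd.conf
  hardening above programmatically: it comments out the services the text
  names and lists what is still enabled afterwards, so the result can be
  audited before inetd is sent its SIGHUP. SAMPLE_INETD_CONF is a
  constructed file; disable_services() and enabled_services() are names
  of my own.

```python
"""Audit and harden an inetd.conf: comment out unwanted services and
report which services remain enabled.  Added example, not from the HOWTO."""

# Services the HOWTO says to turn off on the firewall.  bootp is
# registered in /etc/services as "bootps", so both spellings are listed.
UNWANTED = {"netstat", "systat", "tftp", "bootp", "bootps", "finger"}

# Constructed sample inetd.conf.  Field order on each entry:
#   service socket-type proto wait/nowait user server-program args
SAMPLE_INETD_CONF = """\
# inetd.conf  (constructed sample)
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
systat  stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
netstat stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
tftp    dgram   udp  wait    root   /usr/sbin/tcpd  in.tftpd
bootps  dgram   udp  wait    root   /usr/sbin/tcpd  bootpd
"""


def _service_name(line):
    """Service name of an active entry, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split()[0]


def enabled_services(conf_text):
    """Return the service names of all uncommented entries, in file order."""
    names = []
    for line in conf_text.splitlines():
        name = _service_name(line)
        if name is not None:
            names.append(name)
    return names


def disable_services(conf_text, unwanted):
    """Return a copy of conf_text with each unwanted service commented out
    by putting '#' in the first column, exactly as the HOWTO instructs."""
    out = []
    for line in conf_text.splitlines():
        if _service_name(line) in unwanted:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hardened = disable_services(SAMPLE_INETD_CONF, UNWANTED)
    print("still enabled:", enabled_services(hardened))
```

  After writing the hardened text back to /etc/inetd.conf, the "kill -HUP
  <pid>" step from the text is still required for inetd to pick it up.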



  6.  IP Filtering Setup (IPFWADM)

  To begin, you should have IP Forwarding turned on in your kernel and
  the system should be up and forwarding everything you send it. The
  routing tables should be in place and you should have access
  everywhere, from inside out and from outside in.

  But we are building a firewall, so we need to start plugging up what
  everyone has access to.

  On my system I created a few scripts to set the firewall's forwarding
  policy and accounting policy. I call these scripts from the /etc/rc.d
  scripts, so my system is configured from boot time.

  By default the IP Forwarding system in the Linux kernel forwards
  everything. Because of this, the firewall script should start by
  denying access to everything and flushing any ipfw rules left in place
  from the last time it ran. The following script does this:


    #
    # setup IP packet Accounting and Forwarding
    #
    #   Forwarding
    #
    # By default DENY all services
    ipfwadm -F -p deny
    # Flush all commands
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f



  Now we have the ultimate firewall. Nothing can get through. No doubt
  you have some services you need to forward (enable), so here are a few
  examples you will find useful.


  ·  Forward e-mail to the server

     ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25


  ·  Forward e-mail connections to the outside e-mail server

     ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535


  ·  Forward Web connections to the Web server

     /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80


  ·  Forward Web connections for the outside Web server

     /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.* 80 -D 0.0.0.0/0 1024:65535


  ·  Forward DNS transactions

     /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
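  To check what a rule set like the one above actually permits before it
  is loaded on the firewall, here is an added example (not from the
  HOWTO) in Python: a small evaluator for ipfwadm -F rules that
  understands only the options used on this page (-p, -f, -a, -b, -P,
  -S, -D) and reports, for a given packet, whether the chain would
  forward it. FIREWALL_SCRIPT is constructed from the page's deny-by-
  default pattern and three of its accept rules; parse_rules() and
  decide() are names of my own.

```python
"""Offline evaluator for ipfwadm forwarding (-F) rules.  Added example,
not part of the HOWTO.  First matching rule wins; with no match the chain
policy applies; -b makes a rule match with source and destination swapped."""
import ipaddress
import shlex

# Constructed rule script using the HOWTO's pattern and addresses.
FIREWALL_SCRIPT = """
ipfwadm -F -p deny
ipfwadm -F -f
# e-mail to the internal server
ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25
# web connections to the web server
/sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80
# DNS transactions
/sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
"""


def _ports(token):
    """'25' -> (25, 25); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = token.partition(":")
    return int(lo), int(hi or lo)


def parse_rules(script):
    """Return (policy, rules) from the -F lines of an ipfwadm script."""
    policy = "accept"          # kernel default: forward everything
    rules = []
    for line in script.splitlines():
        argv = shlex.split(line, comments=True)
        if len(argv) < 2 or not argv[0].endswith("ipfwadm") or argv[1] != "-F":
            continue
        rule = {"action": None, "bidir": False, "proto": "all",
                "src": ipaddress.ip_network("0.0.0.0/0"), "sport": None,
                "dst": ipaddress.ip_network("0.0.0.0/0"), "dport": None}
        opts, i = argv[2:], 0
        while i < len(opts):
            opt = opts[i]
            if opt == "-f":                 # flush the chain
                rules = []
                i += 1
            elif opt == "-p":               # chain policy
                policy = opts[i + 1]
                i += 2
            elif opt == "-a":               # append rule with this action
                rule["action"] = opts[i + 1]
                i += 2
            elif opt == "-b":               # bidirectional match
                rule["bidir"] = True
                i += 1
            elif opt == "-P":               # protocol
                rule["proto"] = opts[i + 1]
                i += 2
            elif opt in ("-S", "-D"):       # address[/mask] [port or lo:hi]
                side = "src" if opt == "-S" else "dst"
                rule[side] = ipaddress.ip_network(opts[i + 1], strict=False)
                i += 2
                if i < len(opts) and not opts[i].startswith("-"):
                    rule[side[0] + "port"] = _ports(opts[i])
                    i += 1
            else:
                raise ValueError("unsupported ipfwadm option: " + opt)
        if rule["action"]:
            rules.append(rule)
    return policy, rules


def _matches(rule, proto, src, sport, dst, dport):
    if rule["proto"] not in ("all", proto):
        return False
    if ipaddress.ip_address(src) not in rule["src"]:
        return False
    if ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    for rng, port in ((rule["sport"], sport), (rule["dport"], dport)):
        if rng is not None and not rng[0] <= port <= rng[1]:
            return False
    return True


def decide(script, proto, src, sport, dst, dport):
    """'accept' or 'deny' for one packet passing through the -F chain."""
    policy, rules = parse_rules(script)
    for rule in rules:
        if _matches(rule, proto, src, sport, dst, dport) or (
                rule["bidir"] and _matches(rule, proto, dst, dport, src, sport)):
            return rule["action"]
    return policy


if __name__ == "__main__":
    for pkt in (("tcp", "10.0.0.5", 40000, "192.1.2.10", 25),
                ("tcp", "10.0.0.5", 40000, "192.1.2.10", 23)):
        print(pkt, "->", decide(FIREWALL_SCRIPT, *pkt))
```

  Note that the first rule only admits connections whose source port is
  unprivileged, so a probe sent from port 25 to port 25 is still dropped,
  while the server's replies are admitted through the -b flag.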

  You may also be interested in accounting for the transactions that pass
  through the firewall. This script will count every packet. You can add
  a line or two to count only packets going to a single system.








    # Flush the existing accounting rules
    ipfwadm -A -f
    # Accounting
    /sbin/ipfwadm -A -f
    /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
    /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24



  If all you wanted was a filtering firewall you can stop here. Enjoy
  it :-)


  7.  Installing the TIS Proxy Server



  7.1.  Getting the Software

  The TIS fwtk is available at ftp://ftp.tis.com/.

  Do not make the mistake I made. When you download files from TIS, READ
  THE READMEs. The TIS fwtk is locked in a hidden directory on their
  server. TIS asks that you send an e-mail to fwtk-request@tis.com with
  only the word SEND in the body of the message to learn the name of this
  hidden directory. No subject is needed in the message. Their system
  will then send you the name of this hidden directory (good for 12
  hours) so you can download the source.

  As I write this (HOWTO), TIS is releasing version 2.0 (beta) of the
  FWTK. This version seems to compile well (with a few exceptions) and
  everything works. This is the version I will cover here. When they
  release the final code I will update the HOWTO.

  To install the FWTK, create the directory fwtk-2.0 in /usr/src. Move
  your copy of the FWTK (fwtk-2.0.tar.gz) from your directory into this
  directory (/usr/src/fwtk-2.0) and untar it. (tar zxf fwtk-2.0.tar.gz)

  The FWTK does not proxy (support) SSL web documents, but there is an
  add-on for it written by Jean-Christophe Touvet. It is available at
  ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z. Touvet does not
  support this code.

  I use a modified version that includes access to Netscape secure news
  servers, written by Eric Wedel. It is available at
  ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z.

  In our example I will use Eric Wedel's version.

  To install it, simply create the ssl-gw directory in /usr/src/fwtk-2.0
  and put the files in there.

  When I installed this gateway it required a few changes before it would
  compile with the rest of the toolkit.

  The first change was in the ssl-gw.c file. I found that it did not
  include a needed include file.



    #if defined(__linux)
    #include        <sys/ioctl.h>
    #endif



  Second, it did not come with a Makefile. I copied one from the other
  gateway directories and replaced the gateway name with ssl-gw.


  7.2.  Compiling the TIS FWTK

  Version 2.0 of the FWTK compiles much more easily than any older
  version. I still find a few things that need to be changed before the
  BETA version compiles cleanly. I hope these changes will be made in the
  final release.

  To fix them, start by changing to the /usr/src/fwtk/fwtk directory and
  copying Makefile.config.linux over Makefile.config

  DO NOT RUN FIXMAKE. The instructions say to run it. If you do, it will
  break the Makefiles in every directory.

  I have no fix for fixmake. The problem is that its sed script adds a
  '.' and '' to every include line in the Makefiles.

    sed 's/^include[        ]*\([^  ].*\)/include \1/' $name .proto > $name



  Next we need to edit the Makefile.config file. There are two changes
  you need to make.

  The author set the source directory to his own home directory. We will
  compile our code in /usr/src, so we must change the FWTKSRCDIR variable
  to reflect this.


    FWTKSRCDIR=/usr/src/fwtk/fwtk



  Second, some Linux systems use the gdbm database. Makefile.config uses
  dbm. You will need to change this. For RH 3.0.3 I had


    DBMLIB=-lgdbm



  The last fix is in x-gw. The bug in the BETA version is in the socket.c
  code. To fix it, delete the following lines of code


    #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
                         + sizeof(un_name->sun_len) + 1
    #endif




  If you added ssl-gw to your FWTK source directory, you will need to add
  it to the directory list in the Makefile.


    DIRS=   smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw



  Twra ekteleste to make.



  7.3.  Installing the TIS FWTK

  Run make install.

  The default installation directory is /usr/local/etc. You could change
  this (I did not) to a more secure directory. I chose to change the
  access to this directory with chmod 700.

  All that is left now is the final configuration of the firewall.


  7.4.  Configuring the TIS FWTK

  Now the real fun begins. We must teach :-) the system to call these
  new services and create the tables that control them.

  I am not going to try to rewrite the TIS FWTK manual here. I will show
  you the settings I found that work, and explain the problems I ran
  into and how I got around them.

  There are three files that configure these controls:



  ·  /etc/services
     Tells the system which service ports are open

  ·  /etc/inetd.conf
     Tells inetd which program to call when someone knocks on a service
     port

  ·  /usr/local/etc/netperm-table
     Tells the FWTK services whom to permit and whom to deny their
     services

  To get the FWTK working, you should edit these files from the last one
  upwards. Editing the services file without inetd.conf or the
  netperm-table set up correctly could make your system inaccessible.


  7.4.1.  The netperm-table file

  This file controls who may access the services of the TIS FWTK. You
  should think about the traffic that uses the firewall from both sides.
  People outside your network should identify themselves before they
  gain access, but people inside your network may be allowed to simply
  pass through.

  So that people can identify themselves, the firewall uses a program
  called authsrv to keep a database of user IDs and passwords. The
  authentication section of the netperm-table controls where the
  database is kept and who may access it.

  I had some trouble closing off access to this service. Note that the
  permit-hosts line I show uses a '*' to give everyone access. The
  correct setting for this line is 'authsrv: permit-hosts localhost', if
  you can get that working.


    #
    # Proxy configuration table
    #
    # Authentication server and client rules
    authsrv:      database /usr/local/etc/fw-authdb
    authsrv:      permit-hosts *
    authsrv:      badsleep 1200
    authsrv:      nobogus true
    # Client Applications using the Authentication server
    *:            authserver 127.0.0.1 114



  To set up the database, become root and run ./authsrv in the
  /var/local/etc directory to create the record of the user who acts as
  administrator. Here is a simple example.

  Read the FWTK documentation to learn how to add users and groups.


      #
      # authsrv
      authsrv# list
      authsrv# adduser admin "Auth DB admin"
      ok - user added initially disabled
      authsrv# ena admin
      enabled
      authsrv# proto admin pass
      changed
      authsrv# pass admin "plugh"
      Password changed.
      authsrv# superwiz admin
      set wizard
      authsrv# list
      Report for users in database
      user   group  longname           ok?    proto   last
      ------ ------ ------------------ -----  ------  -----
      admin         Auth DB admin      ena    passw   never
      authsrv# display admin
      Report for user admin (Auth DB admin)
      Authentication protocol: password
      Flags: WIZARD
      authsrv# ^D
      EOT
      #



  The telnet gateway control (tn-gw) is straightforward and the first
  one you should set up. In my example, I permit hosts inside the
  private network to pass through without authenticating themselves
  (permit-hosts 196.1.2.* -passok). But every other user must enter a
  user ID and password to use the proxy (permit-hosts * -auth).

  I also permit one other system (196.1.2.202) to access the firewall
  itself without actually passing through the firewall. The two
  netacl-in.telnetd lines do this. I will explain how these lines are
  called later.

  The telnet timeout should be kept short.


    # telnet gateway rules:
    tn-gw:                denial-msg      /usr/local/etc/tn-deny.txt
    tn-gw:                welcome-msg     /usr/local/etc/tn-welcome.txt
    tn-gw:                help-msg        /usr/local/etc/tn-help.txt
    tn-gw:                timeout 90
    tn-gw:                permit-hosts 196.1.2.* -passok -xok
    tn-gw:                permit-hosts * -auth
    # Only the Administrator can telnet directly to the Firewall via Port 24
    netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd



  The r-commands work the same way as telnet.


    # rlogin gateway rules:
    rlogin-gw:    denial-msg      /usr/local/etc/rlogin-deny.txt
    rlogin-gw:    welcome-msg     /usr/local/etc/rlogin-welcome.txt
    rlogin-gw:    help-msg        /usr/local/etc/rlogin-help.txt
    rlogin-gw:    timeout 90
    rlogin-gw:    permit-hosts 196.1.2.* -passok -xok
    rlogin-gw:    permit-hosts * -auth -xok
    # Only the Administrator can telnet directly to the Firewall via Port
    netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a



  You should not give anyone direct access to the firewall, and that
  includes FTP, so we do not put an FTP server on the firewall.

  Again, the permit-hosts lines allow everyone inside the protected
  network free access to the Internet, and everyone else must
  authenticate themselves. I included logging of every file sent and
  received, for my own checking. (-log { retr stor })

  The ftp timeout controls how long it takes to drop a bad connection,
  as well as how long a connection that is left open without activity
  is kept.


    # ftp gateway rules:
    ftp-gw:               denial-msg      /usr/local/etc/ftp-deny.txt
    ftp-gw:               welcome-msg     /usr/local/etc/ftp-welcome.txt
    ftp-gw:               help-msg        /usr/local/etc/ftp-help.txt
    ftp-gw:               timeout 300
    ftp-gw:               permit-hosts 196.1.2.* -log { retr stor }
    ftp-gw:               permit-hosts * -authall -log { retr stor }



  Web, gopher and browser-based ftp are handled by http-gw. The first
  two lines create a directory for storing the ftp and web documents as
  they pass through the firewall. I made these files owned by root and
  put them in a directory accessible only by root.

  The Web connection timeout should be kept short. It controls how long
  the user will wait on a bad connection.


    # www and gopher gateway rules:
    http-gw:      userid          root
    http-gw:      directory       /jail
    http-gw:      timeout 90
    http-gw:      default-httpd   www.afs.net
    http-gw:      hosts           196.1.2.* -log { read write ftp }
    http-gw:      deny-hosts      *



  The ssl-gw is really just a pass-through gateway for anything. Be
  careful with it. In this example I permit anyone inside the protected
  network to connect to any server outside the network except the
  addresses 127.0.0.xxx and 192.1.1.xxx, and only on ports 443 through
  563. Ports 443 through 563 are the known SSL ports.


    # ssl gateway rules:
    ssl-gw:         timeout 300
    ssl-gw:         hosts           196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
    ssl-gw:         deny-hosts      *



  Here is an example of how to use plug-gw to permit connections to news
  servers. In this example I permit anyone inside the protected network
  to connect to one system only, and only to its news port.

  The second line permits the news server to pass its data back to the
  protected network.

  Because most clients expect to stay connected while the user reads the
  news, the timeout for news servers should be long.



    # NetNews Pluged gateway
    plug-gw:        timeout 3600
    plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
    plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp



  The finger gateway is simple. Everyone inside the protected network
  must log in first, and then we permit them to use the finger program
  on the firewall. Everyone else just gets a message.


    # Enable finger service
    netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
    netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt


  I have not set up the Mail and X-windows services, so I am not
  including examples. If anyone has worked out an example, please send
  me email.
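  To see which netperm-table line fires for a connecting host and what it
  demands of that host (-auth, -passok, -exec), here is a small evaluator
  for the permit-hosts, hosts and deny-hosts lines quoted above. It is an
  added example, not FWTK code: host patterns are limited to dotted IPv4
  addresses with '*' per octet (the only form this document uses), lines
  are tried in file order with the first match winning, and a host that
  matches no line is treated as denied.

```python
"""Evaluate FWTK netperm-table host rules for one gateway application.

Added example, not part of the FWTK. Assumptions: patterns are dotted
IPv4 with '*' per octet (or a bare '*'), lines are tried in file order
and the first matching host line wins, and an unmatched host is denied.
"""

# Constructed excerpt of the netperm-table shown in the text.
NETPERM_TABLE = """\
# Authentication server and client rules
authsrv:      database /usr/local/etc/fw-authdb
authsrv:      permit-hosts *
# telnet gateway rules:
tn-gw:                timeout 90
tn-gw:                permit-hosts 196.1.2.* -passok -xok
tn-gw:                permit-hosts * -auth
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
# www and gopher gateway rules:
http-gw:      hosts           196.1.2.* -log { read write ftp }
http-gw:      deny-hosts      *
"""

# Keyword -> does a matching line permit (True) or deny (False) the host.
HOST_KEYWORDS = {"permit-hosts": True, "hosts": True, "deny-hosts": False}


def parse_netperm(text):
    """Return {application: [(permit, pattern, options), ...]} in file order.

    Non-host attributes (timeout, database, denial-msg, ...) are skipped
    because they take no part in the access decision.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        app, _, rest = line.partition(":")
        fields = rest.split()
        if not fields or fields[0] not in HOST_KEYWORDS:
            continue
        permit = HOST_KEYWORDS[fields[0]]
        rules.setdefault(app.strip(), []).append((permit, fields[1], fields[2:]))
    return rules


def host_matches(pattern, address):
    """Octet-wise wildcard match: '196.1.2.*' matches 196.1.2.0 - 196.1.2.255."""
    if pattern == "*":
        return True
    pat, addr = pattern.split("."), address.split(".")
    if len(pat) != len(addr):
        return False
    return all(p == "*" or p == a for p, a in zip(pat, addr))


def decide(rules, app, client_address):
    """Describe the first host line of `app` that matches the client.

    Returns a dict with: permitted (bool), pattern (the line that fired,
    or None), auth_required (True when the line carries -auth or -authall)
    and exec_program (the program named after -exec on netacl lines).
    """
    for permit, pattern, options in rules.get(app, []):
        if not host_matches(pattern, client_address):
            continue
        exec_program = None
        if "-exec" in options:
            idx = options.index("-exec")
            exec_program = options[idx + 1] if idx + 1 < len(options) else None
        return {
            "permitted": permit,
            "pattern": pattern,
            "auth_required": permit and ("-auth" in options or "-authall" in options),
            "exec_program": exec_program,
        }
    # No line for this application mentions the host: it is refused.
    return {"permitted": False, "pattern": None,
            "auth_required": False, "exec_program": None}


if __name__ == "__main__":
    table = parse_netperm(NETPERM_TABLE)
    for app, host in [("tn-gw", "196.1.2.50"), ("tn-gw", "10.9.8.7"),
                      ("netacl-in.telnetd", "196.1.2.202"),
                      ("netacl-in.telnetd", "196.1.2.50"),
                      ("http-gw", "10.9.8.7"), ("authsrv", "10.9.8.7")]:
        print(app, host, decide(table, app, host))
```

  Running it also shows concretely why the text is uneasy about the
  'authsrv: permit-hosts *' line: any address at all is permitted to
  reach the authentication server.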


  7.4.2.  The inetd.conf file

  Here is a complete /etc/inetd.conf file. All the unused services have
  been commented out. I have included the whole file to show what to
  turn off, as well as how to set up the new firewall services.


    #echo stream  tcp  nowait  root       internal
    #echo dgram   udp  wait    root       internal
    #discard      stream  tcp  nowait  root       internal
    #discard      dgram   udp  wait    root       internal
    #daytime      stream  tcp  nowait  root       internal
    #daytime      dgram   udp  wait    root       internal
    #chargen      stream  tcp  nowait  root       internal
    #chargen      dgram   udp  wait    root       internal
    # FTP firewall gateway
    ftp-gw      stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
    # Telnet firewall gateway
    telnet        stream  tcp  nowait      root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
    # local telnet services
    telnet-a    stream  tcp  nowait      root  /usr/local/etc/netacl in.telnetd
    # Gopher firewall gateway
    gopher        stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
    # WWW firewall gateway
    http  stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
    # SSL firewall gateway
    ssl-gw  stream  tcp     nowait  root /usr/local/etc/ssl-gw   ssl-gw
    # NetNews firewall proxy (using plug-gw)
    nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
    #nntp stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
    # SMTP (email) firewall gateway
    #smtp stream  tcp     nowait  root    /usr/local/etc/smap smap
    #
    # Shell, login, exec and talk are BSD protocols.
    #
    #shell        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
    #login        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
    #exec stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
    #talk dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
    #ntalk        dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
    #dtalk        stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
    #
    # Pop and imap mail services et al
    #
    #pop-2   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop2d
    #pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop3d
    #imap    stream  tcp  nowait  root  /usr/sbin/tcpd    imapd
    #
    # The Internet UUCP service.
    #
    #uucp    stream  tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
    #
    # Tftp service is provided primarily for booting.  Most sites
    # run this only on machines acting as "boot servers." Do not uncomment
    # this unless you *need* it.
    #
    #tftp dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
    #bootps       dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
    #
    # Finger, systat and netstat give out user information which may be
    # valuable to potential "system crackers."  Many sites choose to disable
    # some or all of these services to improve security.
    #
    # cfinger is for GNU finger, which is currently not in use in RHS Linux
    #
    finger        stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
    #cfinger      stream  tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
    #systat       stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
    #netstat      stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
    #
    # Time service is used for clock syncronization.
    #
    #time stream  tcp  nowait  root  /usr/sbin/tcpd  in.timed
    #time dgram   udp  wait    root  /usr/sbin/tcpd  in.timed
    #
    # Authentication
    #
    auth          stream  tcp  wait    root  /usr/sbin/tcpd  in.identd -w -t120
    authsrv       stream  tcp  nowait  root  /usr/local/etc/authsrv authsrv
    #
    # End of inetd.conf




  7.4.3.  The /etc/services file

  This is where it all starts. When a client connects to the firewall,
  it connects on a well-known port (below 1024); for example, telnet
  connects on port 23. The inetd daemon hears this connection and looks
  up the name of this service in the /etc/services file. It then calls
  the program assigned to that name in the /etc/inetd.conf file.

  Some of the services we create are not normally in the /etc/services
  file. You can assign some of them to whatever port you want; for
  example, I have assigned the administrator's telnet port (telnet-a) to
  port 24. You could assign it to port 2323 if you wish. For the
  administrator (YOU) to connect directly to the firewall, you will need
  to telnet to port 24, not 23, and if you set up the netperm-table
  file as I did, you will be able to do this only from inside the
  protected network.




    telnet-a        24/tcp
    ftp-gw          21/tcp           # this named changed
    auth            113/tcp   ident    # User Verification
    ssl-gw          443/tcp





  8.  The SOCKS Proxy Server

  8.1.  Setting up the Proxy Server

  The SOCKS proxy server is available from
  ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-src.tgz.
  There is also an example configuration file there called
  "socks-conf". Uncompress the files into a directory on your system and
  follow the instructions on how to make it. I had a couple of problems
  when I made it. Make sure that your Makefiles are correct.

  One important thing to note is that the proxy server needs to be added
  to the /etc/inetd.conf file. You must add the line:


    socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd



  to tell the server to run when requested.

  8.2.  Configuring the Proxy Server.

  The SOCKS program needs two separate configuration files: one to state
  the access that is allowed, and one to route the requests to the
  appropriate proxy server. The access file must reside on the server.
  The routing file should be on every Un*x machine. The DOS and,
  presumably, Macintosh computers will do their own routing.


  8.2.1.  The Access File

  With socks4.2 Beta, the access file is called "sockd.conf". It should
  contain 2 lines, a permit line and a deny line. Each line has three
  fields:


  ·  The identifier (permit/deny)

  ·  The IP address

  ·  The address modifier

  The identifier is either permit or deny. You should have both a permit
  line and a deny line.

  The IP address holds a four-byte address in the usual IP dotted
  notation, e.g. 192.168.2.0.

  The address modifier is also a four-byte IP address. It works like a
  netmask. Picture this number as 32 bits (1s or 0s). If a bit is 1, the
  corresponding bit of the address being checked must equal the
  corresponding bit in the IP address field. For example, if the line
  is:


      permit 192.168.2.23 255.255.255.255



  this will permit only IP addresses that match every bit of
  192.168.2.23, i.e. only 192.168.2.23. The line:


      permit 192.168.2.0 255.255.255.0



  will permit every number in the group 192.168.2.0 through
  192.168.2.255, the whole class C domain. You should not have the line:


      permit 192.168.2.0 0.0.0.0



  because this permits every address whatsoever.

  So, first permit all the addresses you want to permit, and then deny
  the rest. To let everyone in the 192.168.2.xxx range through, the
  lines:




      permit 192.168.2.0 255.255.255.0
      deny 0.0.0.0 0.0.0.0



  will work nicely. Note that the first "0.0.0.0" is on the deny line.
  With a modifier of 0.0.0.0, the IP address field does not matter. All
  0s is the norm because it is easy to type.

  More than one entry of each kind is allowed.

  Specific users can also be granted or denied access. This is done via
  ident authentication. Not all systems support ident, including Trumpet
  Winsock, so I will not go into it here. The documentation that comes
  with socks is quite adequate on this subject.


  8.2.2.  The Routing File.

  The routing file in SOCKS is poorly named "socks.conf". I say "poorly
  named" because it is so close to the name of the access file that it
  is easy to confuse the two.

  The routing file is there to tell the SOCKS clients when to use socks
  and when not to. For example, in our network, 192.168.2.3 does not
  need to use socks to talk to 192.168.2.1, the firewall. It has a
  direct connection via Ethernet. It defines 127.0.0.1, the loopback,
  automatically. Of course you do not need SOCKS to talk to yourself.
  There are three entries:



  ·  deny

  ·  direct

  ·  sockd

  The deny entry tells SOCKS when to reject a request. This entry has
  the same three fields as sockd.conf: identifier, address and modifier.
  Generally, since this is also handled by sockd.conf, the access file,
  the modifier field is set to 0.0.0.0. If you want to prevent yourself
  from calling anywhere, you can do it here.

  The direct entry tells which addresses not to use socks for. These are
  all the addresses that can be reached without the proxy server. Again
  we have three fields: identifier, address and modifier. Our example
  would have


      direct 192.168.2.0 255.255.255.0



  Thus everyone on the protected network goes direct.

  The sockd entry tells the computer which host has the socks server
  daemon on it. The syntax is:


    sockd @=<serverlist> <IP address> <modifier>



  Note the @= entry. This allows you to set the IP addresses of a list
  of proxy servers. In our example, we use only one proxy server. But
  you can have several, to allow a greater load and for redundancy in
  case of failure.

  The IP address and modifier fields work just like in the other
  examples. You specify which addresses go where through these.


  8.2.3.  DNS behind the firewall

  Setting up the Domain Name Service behind a firewall is admittedly an
  easy matter. You need merely to set up the DNS on the machine that is
  the firewall. Then, set each machine behind the firewall to use this
  DNS.

  8.3.  Working with a Proxy Server.

  8.3.1.  Unix

  To have your applications work with the proxy server, they need to be
  "sockified". You will need two different telnets, one for direct
  communication and one for communication via the proxy server. SOCKS
  comes with instructions on how to SOCKify a program, as well as a few
  pre-SOCKified programs. If you use a SOCKified version to go somewhere
  direct, SOCKS will automatically switch over to the direct version for
  you. Because of this, we want to rename all the programs on our
  private network and replace them with the SOCKified programs; for
  example, "finger" becomes "finger.orig", "telnet" becomes
  "telnet.orig", and so on. You must tell SOCKS about these via the
  include/socks.h file.

  Certain programs handle the routing and sockify themselves. Netscape
  is one of these. You can use a proxy server under Netscape by entering
  the server's address (192.168.2.1 in our case) in the SOCKs field
  under Proxies. Every application will need a little feeding,
  regardless of how it handles a proxy server.


  8.3.2.  MS Windows with Trumpet Winsock

  Trumpet Winsock comes with built-in proxy server capabilities. In the
  "setup" menu, enter the IP address of the server, and the addresses of
  all the computers that are reachable directly. Trumpet will then
  handle all outgoing packets.


  8.3.3.  Getting the Proxy Server to work with UDP Packets

  The SOCKS package works only with TCP packets, not UDP. This makes it
  less useful. Many useful programs, such as talk and Archie, use UDP.
  There is a package designed to be used as a proxy server for UDP
  packets, called UDPrelay, by Tom Fitzgerald <fitz@wang.com>.
  Unfortunately, at the time this HOWTO is being written, it is not
  compatible with Linux.

  8.4.  Drawbacks with Proxy Servers

  The proxy server is, above all, a security device. Using it to
  increase Internet access with a limited number of IP addresses will
  bring many drawbacks. A proxy server will allow greater access from
  inside the protected network to the outside, but will keep the inside
  completely inaccessible from the outside. This means no servers, no
  talk or archie connections, and no direct mail to the inside
  computers. These drawbacks might seem slight, but think of it this
  way:


  ·  You have left a report you are working on on your computer inside a
     firewall-protected network. You are at home, and decide that you
     would like to go over it. You cannot. You cannot reach your
     computer because it is behind the firewall. You try to log into the
     firewall first, but since everyone has proxy server access, nobody
     has set up an account on it for you.

  ·  Your daughter goes to college. You want to send her email. You have
     some private things to discuss, and you would surely rather have
     your mail delivered directly to your machine. You trust the system
     administrator completely, but still, this is private mail.

  ·  The inability to use UDP packets is a big drawback of proxy
     servers. I imagine UDP capabilities are coming soon.

  FTP creates another problem with a proxy server. When you download or
  do an ls, the FTP server opens a socket on the client machine and
  sends the information through it. A proxy server will not allow this,
  so FTP in particular will not work.

  And proxy servers are slow. Because of the greater overhead, almost
  any other means of getting this access will be faster.

  Basically, if you have the IP addresses and you are not worried about
  security, do not use a firewall and/or proxy servers. If you do not
  have the IP addresses, and you are also not worried about security,
  you might also want to look into using an IP emulator, like Term,
  Slirp or TIA. Term is available from ftp://sunsite.unc.edu, Slirp is
  available from ftp://blitzen.canberra.edu.au/pub/slirp, and TIA is
  available from marketplace.com. These packages will run faster, allow
  better connections, and provide a greater level of access to the
  inside network from the Internet. Proxy servers are good for those
  networks which have many hosts that will want to connect to the
  Internet "on the fly", with one setup and little work after that.


  9.  Advanced Configurations

  There is one configuration I would like to go over before closing this
  document. The one I have just outlined will probably suffice for most
  people. However, I think the next outline will show a more advanced
  configuration that may clear up some questions. If you have questions
  beyond what I have just covered, or are simply interested in the
  versatility of proxy servers and firewalls, read on.

  9.1.  A large network with emphasis on security

  Say, for instance, that you are the leader of a militia group and you
  wish to network your site. You have 50 computers and a subnet of 32 IP
  numbers (5 bits). You need different levels of access within your
  network because you tell your followers different things. Therefore,
  you will need to protect certain parts of the network from the rest.

  The levels are:


  1. The external level. This is the level you show to everyone. This is
     where you rant and rave to get new recruits.

  2. Troop. This is the level of people who have passed beyond the
     external level. This is where you teach them about the evil
     government and how to make bombs.

  3. Mercenary. This is where the real plans are kept. Stored at this
     level is all the information on how the third-world government is
     going to take over the world, your plans involving Newt Gingrich,
     Oklahoma City, low-interest products, and what is really stored in
     the hangars of Area 51.


  9.1.1.  The network setup

  The IP numbers are distributed as follows:



  ·  1 number is 192.168.2.255, which is the broadcast address and is
     not used

  ·  23 of the 32 IP addresses are assigned to the 23 machines that will
     be accessible from the Internet.

  ·  1 extra IP goes to a linux box on that network

  ·  1 extra goes to a different linux box on that network.

  ·  2 IP numbers go to the router

  ·  4 are left over, but are given the local names paul, ringo, john
     and george, just to confuse things a bit.

  ·  The protected networks both have addresses 192.168.2.xxx

  Then, two separate networks were created, each in a different room.
  These are routed via infrared Ethernet, so they are completely
  invisible to the outer rooms. Luckily, infrared ethernet works just
  like normal ethernet.

  Each of these networks is connected to one of the linux boxes with an
  extra IP address.

  There is a file server connecting the two protected networks. This is
  because the plans for taking over the world involve some of the
  higher-ranking troops. The file server holds the address 192.168.2.17
  for the Troop network and 192.168.2.23 for the Mercenary network. It
  has different IP addresses because it has different Ethernet cards. IP
  forwarding on it is turned off.

  IP forwarding on both linux boxes is also turned off. The router will
  not forward packets destined for 192.168.2.xxx unless explicitly told
  to do so, so the Internet will not be able to get in. The reason for
  turning off IP forwarding here is so that packets from the Troop
  network will not be able to reach the Mercenary network, and vice
  versa.

  The NFS server can also be set up to offer different files to
  different networks. This is done by hand, and with a little trickery
  with symbolic links it can be arranged so that the common files are
  shared with everyone. Using this setup and one more ethernet card, we
  can offer this one file server to all three networks.


  9.1.2.  The proxy setup

  Now, since all three levels want to be able to consult the network for
  their own dark purposes, all three need Internet access. The external
  level needs no proxy server, but the Mercenary and Troop networks are
  behind firewalls, so it is necessary to set up proxy servers there.

  Both networks will be set up similarly. They both have the same IP
  addresses assigned to them. I will throw in a couple of parameters,
  just to make things more interesting.


  1. Nobody may use the file server to access the Internet. That would
     expose the file server to viruses and other nasty things, and it is
     rather important, so it is off limits.

  2. We will not allow the Troops access to the World Wide Web. They are
     in training, and this kind of information-retrieval power could
     prove destructive.

  So, the sockd.conf file on the Troop linux box will have this line:


      deny 192.168.2.17 255.255.255.255



  and on the Mercenary machine:


      deny 192.168.2.23 255.255.255.255


  And the Troop linux box will have the following line:


      deny 0.0.0.0 0.0.0.0 eq 80



  This says to deny access to all machines trying to access a port equal
  to 80, the http port. This still permits all other services; it only
  forbids Web access.

  Then, both files will have:


      permit 192.168.2.0 255.255.255.0



  to permit all the computers on the 192.168.2.xxx network to use this
  proxy server, except for those that have already been denied (i.e. the
  file server, and Web access from the Troop network).


  The Troop sockd.conf file will look something like this:


      deny 192.168.2.17 255.255.255.255
      deny 0.0.0.0 0.0.0.0 eq 80
      permit 192.168.2.0 255.255.255.0



  and the Mercenary one like this:


      deny 192.168.2.23 255.255.255.255
      permit 192.168.2.0 255.255.255.0



  That should have everything set up correctly. Each network is isolated
  accordingly, with the proper amount of interaction. Everyone should be
  happy.
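  To check that the two sockd.conf files above really isolate what the
  text says they isolate, here is a first-match evaluator for sockd.conf
  access lines that implements the modifier semantics explained in
  section 8.2.1 (a 1 bit in the modifier means that bit of the client
  address must equal the rule address). It is an added example, not code
  from the HOWTO or from the SOCKS package; it supports only the line
  forms shown in this document, i.e. "permit/deny address modifier" with
  an optional trailing "eq port", and it assumes that a request matching
  no line is denied.

```python
"""First-match evaluator for SOCKS sockd.conf access lines, following the
modifier semantics the text describes: a 1 bit in the modifier means the
corresponding bit of the client address must equal the bit in the rule
address, and a 0 bit means "don't care".

Added example, not code from the HOWTO or the SOCKS package. Assumptions:
only the trailing "eq <port>" form shown in the text is supported, and a
request that matches no line is denied.
"""
import ipaddress

# Constructed copies of the two sockd.conf files from the text.
TROOP_SOCKD_CONF = """\
deny 192.168.2.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.2.0 255.255.255.0
"""

MERCENARY_SOCKD_CONF = """\
deny 192.168.2.23 255.255.255.255
permit 192.168.2.0 255.255.255.0
"""


def _ip_int(text):
    """Dotted IPv4 text -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_sockd_conf(text):
    """Return [(action, address_int, modifier_int, port_or_None), ...]."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: identifier must be permit or deny")
        if len(fields) == 3:
            port = None
        elif len(fields) == 5 and fields[3] == "eq":
            port = int(fields[4])
        else:
            raise ValueError(f"line {lineno}: unsupported form {line!r}")
        rules.append((fields[0], _ip_int(fields[1]), _ip_int(fields[2]), port))
    return rules


def address_matches(client_int, rule_addr_int, modifier_int):
    """Every bit set in the modifier must agree between client and rule."""
    return (client_int & modifier_int) == (rule_addr_int & modifier_int)


def check_access(rules, client_ip, dest_port):
    """Return (action, index of the line that fired, or None).

    The first line whose address and (when present) port condition both
    match decides; a request that matches no line falls through to deny.
    """
    client = _ip_int(client_ip)
    for index, (action, addr, modifier, port) in enumerate(rules):
        if not address_matches(client, addr, modifier):
            continue
        if port is not None and dest_port != port:
            continue
        return action, index
    return "deny", None


if __name__ == "__main__":
    troop = parse_sockd_conf(TROOP_SOCKD_CONF)
    for client, port in [("192.168.2.17", 23), ("192.168.2.40", 80),
                         ("192.168.2.40", 23), ("10.0.0.5", 23)]:
        print("troop", client, port, check_access(troop, client, port))
    # The line the text warns against: a modifier of 0.0.0.0 matches anything.
    print(address_matches(_ip_int("10.0.0.5"), _ip_int("192.168.2.0"), 0))
```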

  Now, conquer the world!



  Translator's Note

  For any error in the translation I ask your forgiveness, since
  although I did my best, in some places I was unable to produce an
  exact translation. In some places there are English words that were
  impossible to translate even with the help of dictionaries. I hope you
  will show the same understanding for the spelling mistakes :->
  I ask anyone who has spotted mistakes or inaccuracies to note them and
  send them either to the maintainer of the Greek HOWTOs, Voula Sanida
  voulariba@hellug.gr, or to me personally. For any additional
  information about firewalls that might help in setting them up,
  contact the maintainer.


  Panagiotis Tsakiris mazestix@ath.forthnet.gr 26 June 1999