● ipfilter-howto(1-3)(转寄) - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: georgehill (清风浮云人生), 信区: Linux
标  题: ipfilter-howto(1-3)(转寄)
发信站: BBS 荔园晨风站 (Thu Nov  2 23:07:13 2000), 站内信件

【以下文字转载自 georgehill 的信箱】
【原文由 georgehill.bbs@smth.org 所发表】
发信人: snofe ([听潮阁主人]), 信区: FreeBSD
标  题: ipfilter-howto(1-3)(转寄)
发信站: BBS 水木清华站 (Tue Oct 31 13:41:51 2000)

              IP Filter Based Firewalls HOWTO

              Brendan Conoboy <synk@swcp.com>
            Erik Fichtner <emf@obfuscation.org>

                Thu Sep 28 00:23:22 EDT 2000

     Abstract:  This document is intended to introduce a new
     user to the IP Filter firewalling package and,  at  the
     same  time,  teach  the user some basic fundamentals of
     good firewall design.

1.  Introduction

     IP Filter is a great little firewall package.  It  does
just   about   everything  other  free  firewalls  (ipfwadm,
ipchains, ipfw) do, but it's also  portable  and  does  neat
stuff  the  others don't.  This document is intended to make
some cohesive sense of the  sparse  documentation  presently
available  for ipfilter.  Some prior familiarity with packet
filtering will be useful, however too much  familiarity  may
make this document a waste of your time.  For greater under-
standing of firewalls, the authors reccomend reading  Build-
ing Internet Firewalls, Chapman & Zwicky, O'Reilly and Asso-
ciates; and TCP/IP Illustrated, Volume 1, Stevens,  Addison-
Wesley.

1.1.  Disclaimer

     The  authors  of  this document are not responsible for
any damages incurred due to actions taken based on this doc-
ument. This document is meant as an introduction to building
a  firewall  based  on  IP-Filter.   If  you  do  not   feel

                             -2-

comfortable  taking responsibility for your own actions, you
should stop reading this document and hire a qualified secu-
rity professional to install your firewall for you.

1.2.  Copyright

     Unless  otherwise  stated,  HOWTO  documents  are copy-
righted by their respective authors. HOWTO documents may  be
reproduced  and  distributed  in  whole  or  in part, in any
medium physical or electronic, as  long  as  this  copyright
notice  is retained on all copies. Commercial redistribution
is allowed and encouraged; however, the authors  would  like
to be notified of any such distributions.

     All  translations, derivative works, or aggregate works
incorporating any HOWTO documents must be covered under this
copyright notice.  That is, you may not produce a derivative
work from a HOWTO and impose additional restrictions on  its
distribution. Exceptions to these rules may be granted under
certain conditions; please contact the HOWTO coordinator.

     In short, we wish  to  promote  dissemination  of  this
information  through  as many channels as possible. However,
we do wish to retain copyright on the HOWTO  documents,  and
would  like  to be notified of any plans to redistribute the
HOWTOs.

1.3.  Where to obtain the important pieces

     The     official     IPF      homepage      is      at:
<http://coombs.anu.edu.au/~avalon/ip-filter.html>

     The  most  up-to-date  version  of this document can be
found at: <http://www.obfuscation.org/ipf/>

2.  Basic Firewalling

     This section is designed to familiarize you with ipfil-
ter's  syntax, and firewall theory in general.  The features
discussed here are features you'll find in any good firewall
package.   This  section  will give you a good foundation to
make reading and understanding  the  advanced  section  very
easy.   It must be emphasized that this section alone is not
enough to build a good firewall, and that the advanced  sec-
tion  really  is  required  reading for anybody who wants to
build an effective security system.

                             -3-

2.1.  Config File Dynamics, Order and Precedence

     IPF (IP Filter) has a config file (as opposed  to  say,
running  some  command  again  and again for each new rule).
The config file drips with Unix:  There's one rule per line,
the  "#" mark denotes a comment, and you can have a rule and
a comment  on  the  same  line.   Extraneous  whitespace  is
allowed, and is encouraged to keep the rules readable.

2.2.  Basic Rule Processing

     The  rules  are  processed from top to bottom, each one
appended after another.  This quite simply means that if the
entirety of your config file is:

    block in all
    pass  in all

The computer sees it as:

    block in all
    pass  in all

Which is to say that when a packet comes in, the first thing
IPF applies is:

    block in all

Should IPF deem it necessary to move on to the next rule, it
would then apply the second rule:

    pass  in all

     At  this  point,  you might want to ask yourself "would
IPF move on to the second rule?"  If  you're  familiar  with
ipfwadm  or  ipfw,  you  probably  won't  ask yourself this.
Shortly after, you will become bewildered at the  weird  way
packets  are  always  getting  denied  or  passed  when they
shouldn't.  Many packet filters stop  comparing  packets  to
rulesets  the moment the first match is made; IPF is not one
of them.

     Unlike the other packet filters, IPF keeps  a  flag  on
whether  or  not  it's going to pass the packet.  Unless you
interrupt the flow, IPF will go through the entire  ruleset,
making  its  decision  on whether or not to pass or drop the
packet based on the last matching rule.  The scene: IP  Fil-
ter's  on  duty.   It's  been  been scheduled a slice of CPU
time.  It has a checkpoint clipboard that reads:

    block in all
    pass  in all

--

※ 来源:·BBS 水木清华站 smth.org·[FROM: 202.199.66.62]
--
※ 转载:·BBS 荔园晨风站 bbs.szu.edu.cn·[FROM: 192.168.1.115]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店