荔园在线 (Liyuan Online)
From: Chair (银发), Board: Linux
Subject: Re: ipfilter-howto(1-3) (forwarded)
Posted from: BBS 荔园晨风站 (Fri Nov 3 15:15:52 2000), on-site mail
This is absolutely good stuff and deserves serious study; none of the write-ups you can find are the best-written ones. It can do FIREWALL, NAT, ip redir and simple load balancing, and it is very powerful. The drawback is that ipmon does a reverse lookup on the destination host, and when the lookup fails it just writes some random IP in. It comes with its own set of tools, which are also very useful. It is very good for getting a clear picture of how TCP/IP works. Drawbacks: it is tedious, and somewhat different from other FIREWALLs.
On my machine I only opened up proxy and ssh2, and that already took 140-odd rules. That is before adding NAT and ip redir.
【 Quoting the post by georgehill (清风浮云 人生): 】
: 【 The following text is forwarded from georgehill's mailbox 】
: 【 Originally posted by georgehill.bbs@smth.org 】
: From: snofe ([听潮阁主人]), Board: FreeBSD
: Subject: ipfilter-howto(1-3)
: Posted from: BBS 水木清华站 (Tue Oct 31 13:41:51 2000)
:
: IP Filter Based Firewalls HOWTO
:
: Brendan Conoboy <synk@swcp.com>
: Erik Fichtner <emf@obfuscation.org>
:
:
: Thu Sep 28 00:23:22 EDT 2000
:
: Abstract: This document is intended to introduce a new
: user to the IP Filter firewalling package and, at the
: same time, teach the user some basic fundamentals of
: good firewall design.
:
: 1. Introduction
:
: IP Filter is a great little firewall package. It does
: just about everything other free firewalls (ipfwadm,
: ipchains, ipfw) do, but it's also portable and does neat
: stuff the others don't. This document is intended to make
: some cohesive sense of the sparse documentation presently
: available for ipfilter. Some prior familiarity with packet
: filtering will be useful, however too much familiarity may
: make this document a waste of your time. For greater
: understanding of firewalls, the authors recommend reading
: Building Internet Firewalls, Chapman & Zwicky, O'Reilly and
: Associates; and TCP/IP Illustrated, Volume 1, Stevens,
: Addison-Wesley.
:
: 1.1. Disclaimer
:
: The authors of this document are not responsible for
: any damages incurred due to actions taken based on this
: document. This document is meant as an introduction to
: building a firewall based on IP-Filter. If you do not feel
: comfortable taking responsibility for your own actions, you
: should stop reading this document and hire a qualified
: security professional to install your firewall for you.
:
:
: 1.2. Copyright
:
: Unless otherwise stated, HOWTO documents are
: copyrighted by their respective authors. HOWTO documents may
: be reproduced and distributed in whole or in part, in any
: medium physical or electronic, as long as this copyright
: notice is retained on all copies. Commercial redistribution
: is allowed and encouraged; however, the authors would like
: to be notified of any such distributions.
:
: All translations, derivative works, or aggregate works
: incorporating any HOWTO documents must be covered under this
: copyright notice. That is, you may not produce a derivative
: work from a HOWTO and impose additional restrictions on its
: distribution. Exceptions to these rules may be granted under
: certain conditions; please contact the HOWTO coordinator.
:
: In short, we wish to promote dissemination of this
: information through as many channels as possible. However,
: we do wish to retain copyright on the HOWTO documents, and
: would like to be notified of any plans to redistribute the
: HOWTOs.
:
:
: 1.3. Where to obtain the important pieces
:
: The official IPF homepage is at:
: <http://coombs.anu.edu.au/~avalon/ip-filter.html>
:
: The most up-to-date version of this document can be
: found at: <http://www.obfuscation.org/ipf/>
:
: 2. Basic Firewalling
:
: This section is designed to familiarize you with
: ipfilter's syntax, and firewall theory in general. The
: features discussed here are features you'll find in any good
: firewall package. This section will give you a good
: foundation to make reading and understanding the advanced
: section very easy. It must be emphasized that this section
: alone is not enough to build a good firewall, and that the
: advanced section really is required reading for anybody who
: wants to build an effective security system.
:
: 2.1. Config File Dynamics, Order and Precedence
:
: IPF (IP Filter) has a config file (as opposed to say,
: running some command again and again for each new rule).
: The config file drips with Unix: There's one rule per line,
: the "#" mark denotes a comment, and you can have a rule and
: a comment on the same line. Extraneous whitespace is
: allowed, and is encouraged to keep the rules readable.
:
:
: 2.2. Basic Rule Processing
:
: The rules are processed from top to bottom, each one
: appended after another. This quite simply means that if the
: entirety of your config file is:
:
: block in all
: pass in all
:
: The computer sees it as:
:
: block in all
: pass in all
:
: Which is to say that when a packet comes in, the first thing
: IPF applies is:
:
: block in all
:
: Should IPF deem it necessary to move on to the next rule, it
: would then apply the second rule:
:
: pass in all
:
: At this point, you might want to ask yourself "would
: IPF move on to the second rule?" If you're familiar with
: ipfwadm or ipfw, you probably won't ask yourself this.
: Shortly after, you will become bewildered at the weird way
: packets are always getting denied or passed when they
: shouldn't. Many packet filters stop comparing packets to
: rulesets the moment the first match is made; IPF is not one
: of them.
:
: Unlike the other packet filters, IPF keeps a flag on
: whether or not it's going to pass the packet. Unless you
: interrupt the flow, IPF will go through the entire ruleset,
: making its decision on whether or not to pass or drop the
: packet based on the last matching rule. The scene: IP
: Filter's on duty. It's been scheduled a slice of CPU
: time. It has a checkpoint clipboard that reads:
:
: block in all
: pass in all
:
--
☆ Source: BBS 荔园晨风站 bbs.szu.edu.cn. [FROM: bbs@202.104.119.102]
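As an added illustration (not part of the original post or of the quoted HOWTO), the Python model below reproduces the rule-processing behaviour described in section 2.2: IPF walks the whole ruleset and the last matching rule decides, whereas ipfw-style filters stop at the first match. It also models IPF's real `quick` keyword, which the HOWTO excerpt only alludes to as "interrupting the flow"; the rule syntax accepted here is a deliberately tiny subset, and the assumption that a packet matching no rule at all is passed is mine, not stated in this excerpt.

```python
"""Toy model of IP Filter rule evaluation (last match wins, 'quick' stops
evaluation), contrasted with first-match filters such as ipfw/ipchains."""
import ipaddress
import re

# Accepts only: (block|pass) (in|out) [quick] (all | from SRC to DST)
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)(?P<quick>\s+quick)?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))$"
)

def _net(tok):
    # 'any' (or the 'all' form, where src/dst are absent) matches everything
    return None if tok in (None, "any") else ipaddress.ip_network(tok, strict=False)

def parse_rules(text):
    """One rule per line; '#' starts a comment; extra whitespace is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax in this toy parser: {line!r}")
        rules.append({"action": m["action"], "dir": m["dir"],
                      "quick": bool(m["quick"]),
                      "src": _net(m["src"]), "dst": _net(m["dst"])})
    return rules

def _matches(rule, direction, src, dst):
    return (rule["dir"] == direction
            and (rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"]))

def verdict(rules, direction, src, dst, first_match=False):
    """Return 'block' or 'pass'.  first_match=False is IPF semantics: keep
    walking and let the LAST matching rule win unless it is 'quick'.
    first_match=True models ipfw-style filters that stop at the first hit.
    Assumption: with no matching rule at all the packet is passed."""
    result = "pass"
    for rule in rules:
        if _matches(rule, direction, src, dst):
            result = rule["action"]
            if first_match or rule["quick"]:
                break
    return result

# Constructed sample ruleset using documentation address ranges.
RULESET = """\
block in all                              # read first...
pass in all                               # ...but this later match overrides it
block in quick from 192.0.2.0/24 to any   # 'quick': stop evaluation right here
pass in from any to 198.51.100.1
"""
```

With the HOWTO's own two-line config (`block in all` then `pass in all`), `verdict()` returns "pass" under IPF semantics and "block" under first-match semantics, which is exactly the surprise section 2.2 warns ipfw users about.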