<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=big5">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>Firewall and Proxy Server HOWTO: Introduction</TITLE>
 <LINK HREF="Firewall-HOWTO-2.html" REL=next>

 <LINK HREF="Firewall-HOWTO.html#toc1" REL=contents>
</HEAD>
<BODY>
<A HREF="Firewall-HOWTO-2.html">Next</A>
Previous
<A HREF="Firewall-HOWTO.html#toc1">Contents</A>
<HR>
<H2><A NAME="s1">1. Introduction</A></H2>

<P>The original Firewall-HOWTO was written by David Rudder <B>drig@execpc.com</B>, and I would like to thank him for allowing me to extend his original work.
Recently, firewalls have become a hot topic in Internet security. But, like many other hot topics, this has also led to a lot of misunderstanding. This HOWTO discusses what a firewall is, how to install one, what a proxy server is, how to configure a proxy server, and the applications of these technologies outside the security realm.
<P>
<H2><A NAME="ss1.1">1.1 Feedback</A>
</H2>

<P><B>If you find any errors in this document, please let me know</B>. Nobody is perfect, and any errors I will gladly correct. I will try to answer all mail, but I am quite busy, so please forgive me if you do not receive a reply. <EM>My address is <B>markg@netplus.net</B></EM>
<P>If you find any errors in the translation, please notify the translator, 趙平望 (tchao@worldnet.att.net).
<P>
<H2><A NAME="ss1.2">1.2 Disclaimer</A>
</H2>

<P><B>I AM NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS DOCUMENT</B>. This document is only an introduction to how firewalls and proxy servers work. Be aware that I am not a computer security expert, nor do I pretend to be one. I am just someone who likes to read and likes computers more than most people. I hope this document helps you become familiar with the subject, but I cannot guarantee that its contents are free of errors.
<P>
<H2><A NAME="ss1.3">1.3 Copyright (translator's note: the copyright notice is not translated)</A>
</H2>

<P>
<P>Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.
<P>All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator.
<P>In short, we wish to promote dissemination of this information through as many channels as possible. However, we do wish to retain copyright on the HOWTO documents, and would like to be notified of any plans to redistribute the HOWTOs. 
<P>If you have any questions, please contact Mark Grennan at &lt;markg@netplus.net&gt;.
<P>
<H2><A NAME="ss1.4">1.4 My Reasons for Writing This</A>
</H2>

<P>Even though there was a lot of discussion about firewalls on comp.os.linux last year, I found it hard to find the information needed to set one up. The original version of this HOWTO provided some help, but it was still too thin. I have extended David Rudder's Firewall HOWTO in the hope that it provides enough information to let you set up a working firewall in a matter of hours instead of weeks.
I also feel that I should give a little back to the Linux community.
<P>
<H2><A NAME="ss1.5">1.5 TODO</A>
</H2>

<P>
<UL>
<LI>Describe how to set up clients</LI>
<LI>Find a UDP proxy server that works with Linux</LI>
</UL>
<P>
<H2><A NAME="ss1.6">1.6 Further Reading</A>
</H2>

<P>
<UL>
<LI>NET-2 HOWTO</LI>
<LI>Ethernet HOWTO</LI>
<LI>Multiple Ethernet Mini HOWTO</LI>
<LI>Networking with Linux</LI>
<LI> PPP HOWTO</LI>
<LI>TCP/IP Network Administrator's Guide, published by O'Reilly and Associates</LI>
<LI>The documentation for the TIS Firewall Toolkit</LI>
</UL>
<P>The Trusted Information System (TIS) web site has a large collection of papers and related material about firewalls: <B>http://www.tis.com/</B>
<P>I am also working on a project called <EM>Secure Linux</EM>. At the <EM>Secure Linux</EM> site I am collecting all the material, documents and programs that make Linux secure and reliable. If you need information of this kind, please write to me.
<P>
<HR>
<A HREF="Firewall-HOWTO-2.html">Next</A>
Previous
<A HREF="Firewall-HOWTO.html#toc1">Contents</A>
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=big5">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>Firewall and Proxy Server HOWTO: What is a Firewall</TITLE>
 <LINK HREF="Firewall-HOWTO-3.html" REL=next>
 <LINK HREF="Firewall-HOWTO-1.html" REL=previous>
 <LINK HREF="Firewall-HOWTO.html#toc2" REL=contents>
</HEAD>
<BODY>
<A HREF="Firewall-HOWTO-3.html">Next</A>
<A HREF="Firewall-HOWTO-1.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc2">Contents</A>
<HR>
<H2><A NAME="s2">2. What is a Firewall</A></H2>

<P>A firewall is the name of a part of a car. In a car, the firewall separates the passengers from the engine, so that if the engine catches fire, the firewall protects the passengers while still letting the driver control the engine.
In computing, a firewall is a device that protects a private network from the public part (the Internet as a whole).
From here on the firewall computer is called "the firewall". It is connected to both the protected network and the Internet. But the protected network cannot reach the Internet, and the Internet cannot reach the protected network.
For someone inside the protected network to reach the Internet, they must telnet to the firewall and use the Internet from there.
The simplest firewall is a dual homed system (a system with two network connections). If you can trust all of your users, you can simply set up a Linux machine (with IP forwarding/gatewaying turned OFF when configuring the kernel) and give everyone an account on it. They can then log in to this system and use telnet and FTP, read mail, and use any other service you provide. With this setup, the only computer on the network that can talk to the outside world is the firewall. The other computers on the network do not even need a default route.
This needs restating: for the above firewall to work, <B>you must trust all your users!</B> I do not dare recommend it.
<P>
<H2><A NAME="ss2.1">2.1 Drawbacks of Firewalls</A>
</H2>

<P>The problem with a filtering firewall is that it keeps the Internet out of your network. Only services that pass the filtering firewall can be used. With a proxy server, users can log in to the firewall and then reach any system inside the private network.
Also, new types of clients and servers come on the market almost daily. So a new way of getting into the network has to be found before these services can be used.
<P>
<H2><A NAME="ss2.2">2.2 Types of Firewalls</A>
</H2>

<P>There are two types of firewalls.
<P>
<OL>
<LI>IP filtering firewalls - block all network traffic except for selected services.</LI>
<LI>Proxy servers - make the network connections for you.</LI>
</OL>
<P>
<H3>IP Filtering Firewalls</H3>

<P>An IP filtering firewall works at the packet level. It controls the flow of packets based on the source, destination, port and packet type information contained in each packet.
This type of firewall is very secure, but it lacks useful logging. It blocks outsiders from getting into the private network, but it does not tell you who accessed your public systems or who accessed the Internet from the inside.
A filtering firewall is an absolute filter. Even if you want to let a few outsiders into your private server, you cannot do so without letting everyone in.
Linux has included packet filtering software in the kernel since version 1.3.x.
<P>
<H3>Proxy Servers</H3>

<P>A proxy server allows indirect access to the Internet through the firewall. The best example is telneting to a system and then telneting from there to another system. With a proxy server, this process is fully automatic: when the client software connects to the proxy server, the proxy server starts its own client (the proxy) and passes the data back.
Because the proxy server duplicates all communication, it can log everything that goes on.
The great thing about a proxy server is that, when configured correctly, it is absolutely secure. It lets nobody in, because there is no direct IP route.
<P>
<HR>
<A HREF="Firewall-HOWTO-3.html">Next</A>
<A HREF="Firewall-HOWTO-1.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc2">Contents</A>
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=big5">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>Firewall and Proxy Server HOWTO: Setting up the Firewall</TITLE>
 <LINK HREF="Firewall-HOWTO-4.html" REL=next>
 <LINK HREF="Firewall-HOWTO-2.html" REL=previous>
 <LINK HREF="Firewall-HOWTO.html#toc3" REL=contents>
</HEAD>
<BODY>
<A HREF="Firewall-HOWTO-4.html">Next</A>
<A HREF="Firewall-HOWTO-2.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc3">Contents</A>
<HR>
<H2><A NAME="s3">3. Setting up the Firewall</A></H2>

<H2><A NAME="ss3.1">3.1 Hardware Requirements</A>
</H2>

<P>For our example, the computer is a 486-DX66 with 16M of memory and a 500M Linux partition. The system has two network cards: one connected to the private network and the other connected to a network called the "demilitarized zone" (translator's note: a public network). On the demilitarized zone network there is a router connected to the Internet.
This configuration is very common. You could also use one network card plus a modem connected to the Internet through PPP, but the key point is that the firewall must have two IP addresses.
Many people have a small network at home with two or three computers connected together. You might try putting all the modems on the Linux machine (an old 386) and then connecting the modems to the Internet using load balancing. With this setup, both modems work at the same time when data is transferred, doubling the throughput.
<P>
<HR>
<A HREF="Firewall-HOWTO-4.html">Next</A>
<A HREF="Firewall-HOWTO-2.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc3">Contents</A>
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=big5">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>Firewall and Proxy Server HOWTO: Firewall Software</TITLE>
 <LINK HREF="Firewall-HOWTO-5.html" REL=next>
 <LINK HREF="Firewall-HOWTO-3.html" REL=previous>
 <LINK HREF="Firewall-HOWTO.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="Firewall-HOWTO-5.html">Next</A>
<A HREF="Firewall-HOWTO-3.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4. Firewall Software</A></H2>

<H2><A NAME="ss4.1">4.1 Available Packages</A>
</H2>

<P>If all you want is a filtering firewall, Linux and the basic networking software are enough. One package that may not be in your Linux distribution is the IP Firewall Administration tool
(IPFWADM), available from <B>http://www.xos.nl/linux/ipfwadm/</B>.
If you want to set up a proxy server, you need one of the following packages.
<OL>
<LI>SOCKS</LI>
<LI>TIS Firewall Toolkit (FWTK)</LI>
</OL>
<P>
<H2><A NAME="ss4.2">4.2 Differences between the TIS Firewall Toolkit and SOCKS</A>
</H2>

<P>Trusted Information System (<B>http://www.tis.com</B>) provides a collection of programs designed to simplify setting up a firewall.
These programs do basically the same thing as the SOCKS package, but with a different design strategy. SOCKS uses one program to handle all Internet transactions, whereas TIS provides one program for each utility that wants to use the firewall.
To illustrate the difference, take the world wide web and Telnet as examples. With SOCKS, once you set up one configuration file and one daemon, both telnet and WWW work, and so does every other service you have not disabled.
With TIS, you set up a separate configuration file and daemon for each of WWW and telnet. After this, other Internet services still cannot be used unless they are explicitly configured as well. If a service (talk, for example) has no daemon of its own, a "plug-in" daemon is available, but it is neither as flexible nor as easy to set up as the other tools.
This seems a small thing, but it makes a big difference. SOCKS lets you be sloppy: with a poorly set up SOCKS server, someone inside the network can use Internet services that were never meant to be provided. With TIS, people inside the network can only use the services the system administrator allows.
SOCKS is easier to configure, easier to compile, and more flexible. If you need to control the users inside the protected network, TIS is more secure. Both provide absolute protection from the outside.
I will describe the installation and configuration of both.
<P>
<HR>
<A HREF="Firewall-HOWTO-5.html">Next</A>
<A HREF="Firewall-HOWTO-3.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc4">Contents</A>
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=big5">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>Firewall and Proxy Server HOWTO: Preparing the Linux System</TITLE>
 <LINK HREF="Firewall-HOWTO-6.html" REL=next>
 <LINK HREF="Firewall-HOWTO-4.html" REL=previous>
 <LINK HREF="Firewall-HOWTO.html#toc5" REL=contents>
</HEAD>
<BODY>
<A HREF="Firewall-HOWTO-6.html">Next</A>
<A HREF="Firewall-HOWTO-4.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc5">Contents</A>
<HR>
<H2><A NAME="s5">5. Preparing the Linux System</A></H2>

<H2><A NAME="ss5.1">5.1 Compiling the Kernel</A>
</H2>

<P>Start by reinstalling Linux from your distribution (I use RedHat 3.0.3, and the examples that follow are based on it). The less software installed on the system, the fewer bugs and holes there are, and since bugs and holes create security problems, install only the minimal set of software you need.
Pick a stable kernel. My system uses the Linux 2.0.14 kernel, so this document is based on that kernel's settings.
Recompile the kernel with the appropriate options. If you have not yet read the Kernel HOWTO, the Ethernet HOWTO and the NET-2 HOWTO, this is a good time to do so.
These are the network-related settings in 'make config':
<OL>
<LI>Under General setup
<OL>
<LI>Turn Networking Support ON</LI>
</OL>
</LI>
<LI>Under Networking Options
<OL>
<LI>Turn Network firewalls ON</LI>
<LI>Turn TCP/IP Networking ON</LI>
<LI>Turn IP forwarding/gatewaying OFF (unless you want to use IP filtering)</LI>
<LI>Turn IP Firewalling ON</LI>
<LI>Turn IP firewall packet logging ON (not necessary, but a good idea)</LI>
<LI>Turn IP: masquerading OFF (not covered in this document)</LI>
<LI>Turn IP: accounting ON</LI>
<LI>Turn IP: tunneling OFF</LI>
<LI>Turn IP: aliasing OFF</LI>
<LI>Turn IP: PC/TCP compatibility mode OFF</LI>
<LI>Turn IP: Reverse ARP OFF</LI>
<LI>Turn Drop source routed frames ON</LI>
</OL>
</LI>
<LI>Under Network device support
<OL>
<LI>Turn Network device support ON</LI>
<LI>Turn Dummy net driver support ON</LI>
<LI>Turn Ethernet (10 or 100Mbit) ON</LI>
<LI>Select your network card</LI>
</OL>
</LI>
</OL>

Now recompile, reinstall the kernel and reboot. The network cards should appear in the boot messages. If a card is not detected, consult the other HOWTOs until it is set up correctly.
<P>
<H2><A NAME="ss5.2">5.2 Configuring Two Network Cards</A>
</H2>

<P>If the computer has two network cards, you will most likely need to add a line to /etc/lilo.conf describing the IRQ and address of both cards. On my machine the line added to lilo.conf is:
<PRE>
    append=&quot;ether=12,0x300,eth0 ether=15,0x340,eth1&quot;
</PRE>
<P>
<H2><A NAME="ss5.3">5.3 Configuring the Network Addresses</A>
</H2>

<P>
<P>This part is more interesting, and some decisions have to be made. Since we do not intend to let the Internet into any part of our own network, the network does not need real addresses. Some address ranges on the Internet have been set aside for networks to use freely: a private network always needs addresses, and these addresses can never reach the Internet, so there is no conflict. They are therefore a good choice.
Of these, 192.168.2.xxx is a reserved range, and it is used in the examples here.
<P>Since the proxy server is on both networks, it can pass data between the two sides.
<P>
<PRE>
            199.1.2.10   __________    192.168.2.1
     _  __  _        \ |         | /         _______________
   | \/  \/ |             \|        |/          |            |
     Internet  \-------------| Firewall |-------------------| Workstation  |
     \_/\_/\_/\_/          |_________|           |______________|
</PRE>

If you are going to set up a filtering firewall, you can still use these addresses, but you must use IP masquerading. With that set up, the firewall forwards the packets and sends them on to the Internet with a real IP address attached.
The network card on the Internet (outside) side must be given a real IP address, and the inside Ethernet card is set to 192.168.2.1. This is the proxy/gateway IP address of this computer. All the other computers in the protected network can use any of the 192.168.2.xxx addresses (192.168.2.2 through 192.168.2.254).
On RedHat Linux, an ifcfg-eth1 file has to be added in the /etc/sysconfig/network-scripts directory so that the network and routing table are set up from this file at boot time.
The parameters in ifcfg-eth1 can be set as follows:
<PRE>
    #!/bin/sh
    #>>>Device type: ethernet
    #>>>Variable declarations:
    DEVICE=eth1
    IPADDR=192.168.2.1
    NETMASK=255.255.255.0
    NETWORK=192.168.2.0
    BROADCAST=192.168.2.255
    GATEWAY=199.1.2.10
    ONBOOT=yes
    #>>>End variable declarations
</PRE>

You can also use these scripts to connect a modem to your ISP automatically. Have a look at the ipup-ppp file.
If a modem is used to connect to the Internet, the ISP assigns the outside IP address at connection time.
<P>
<H2><A NAME="ss5.4">5.4 Testing the Network</A>
</H2>

<P>Start by checking ifconfig and route. If the machine has two network cards, the settings should look like this:
<PRE>
  #ifconfig
  lo        Link encap:Local Loopback
            inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
            UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
            RX packets:1620 errors:0 dropped:0 overruns:0
            TX packets:1620 errors:0 dropped:0 overruns:0

  eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
            inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0
            TX packets:0 errors:0 dropped:0 overruns:0
            Interrupt:12 Base address:0x310

  eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
            inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0
            TX packets:0 errors:0 dropped:0 overruns:0
            Interrupt:15 Base address:0x350
</PRE>

The route table should look like this:
<PRE>
#route -n
Kernel routing table
Destination   Gateway   Genmask    Flags  MSS  Window  Use  Iface
199.1.2.0     *       255.255.255.0   U   1500   0      15 eth0
192.168.2.0   *       255.255.255.0   U   1500   0       0 eth1
127.0.0.0     *       255.0.0.0      U   3584   0       2 lo
default      199.1.2.10   *          UG  1500   0       72 eth0
</PRE>
<P><B>Note:</B> 199.1.2.0 is on the Internet side of the firewall, 192.168.2.0 on the private side.
First try pinging the Internet from the firewall. You might use nic.ddn.mil as the test point; it is a good site, just not as reliable as I expected. If you cannot get through, try pinging a few addresses that are not on your own network. If that still fails, your PPP setup must be wrong. Reread the Net-2 HOWTO and try again.
Then try pinging the computers in the protected network from the firewall. Every computer in the network should be able to ping any other computer in the network. If not, reread the Net-2 HOWTO and try again.
Next, try pinging an address beyond the firewall from inside the protected network (note: any address not in 192.168.2.xxx). If this works, IP forwarding has not been turned off. Think about whether this is what you intended. If you keep IP forwarding on, do not skip the section below on setting up IP filtering.
Now try pinging the Internet from behind the firewall, using the same address that worked before (for example nic.ddn.mil). If IP forwarding is turned off, this should not get through; if it is turned on, it should.
Suppose IP forwarding is kept on and the private network uses real IP addresses (not 192.168.2.*). If, with this setup, you cannot ping the Internet but can ping the Internet side of the firewall, check whether the next router up is delivering packets to the addresses of your network (this check may have to be done by your ISP).
If the protected network uses 192.168.2.* addresses, no packets can get through at all. If instead IP masquerading is in use, this test should succeed.
At this point the basic setup is complete.
<P>
<H2><A NAME="ss5.5">5.5 Securing the Firewall</A>
</H2>

<P>A firewall is useless if unused services on it can be used to pass in and out freely. A "hacker" could get into the firewall and modify it for their own needs.
Start by turning off all unneeded services. First check /etc/inetd.conf. This file controls the so-called "super server": it controls many server daemons and starts them when they are needed.
Turn off netstat, systat, tftp, bootp and finger completely. To turn a service off, put # as the first character of its line. When done, type <B>"kill -HUP &lt;pid&gt;"</B> to send a SIG-HUP, where &lt;pid&gt; is the process number of inetd. inetd will reread its configuration file (inetd.conf) and restart.
Test this by telneting to port 15 on the firewall, the netstat port. If netstat responds with network information, the system has not restarted inetd as requested.
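<P>As an added example (not part of the HOWTO), the check described above can be done against the file itself: the Python below parses an inetd.conf, lists the services inetd would still start, flags the ones this section says to turn off, and produces the commented-out version. The inetd.conf text in it is constructed for the example, not taken from any real system.

```python
# Added example, not part of the HOWTO: audit an inetd.conf for services that
# are still enabled and produce the commented-out version this section
# describes. The inetd.conf text below is constructed for the example.
MUST_DISABLE = {"netstat", "systat", "tftp", "bootp", "finger"}

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf (not a real system's file)
ftp      stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
finger   stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
#netstat stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
systat   stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
tftp     dgram   udp  wait    root   /usr/sbin/tcpd  in.tftpd
"""


def enabled_services(conf_text):
    """Names of the services inetd would start: every line that is not blank,
    not a '#' comment, and has the six mandatory fields."""
    names = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:   # service socket proto wait user program [args]
            continue
        names.append(fields[0])
    return names


def audit(conf_text, must_disable=MUST_DISABLE):
    """Enabled services that this section says to turn off, sorted."""
    return sorted(set(enabled_services(conf_text)) & must_disable)


def disable(conf_text, names):
    """Return the file with a '#' put in front of each line for the given
    services, exactly as the section instructs. inetd still needs the
    SIGHUP afterwards before the change takes effect."""
    out = []
    for raw in conf_text.splitlines():
        fields = raw.split()
        if fields and not raw.lstrip().startswith("#") and fields[0] in names:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("still enabled but should be off:", audit(SAMPLE_INETD_CONF))
    fixed = disable(SAMPLE_INETD_CONF, audit(SAMPLE_INETD_CONF))
    print("after fix:", audit(fixed))
```

Running the audit again after the HUP, or probing the port as the section suggests, is what confirms the change actually took effect; editing the file alone changes nothing until inetd rereads it.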
<P>
<HR>
<A HREF="Firewall-HOWTO-6.html">Next</A>
<A HREF="Firewall-HOWTO-4.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc5">Contents</A>
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=big5">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>Firewall and Proxy Server HOWTO: IP filtering setup (IPFWADM)</TITLE>
 <LINK HREF="Firewall-HOWTO-7.html" REL=next>
 <LINK HREF="Firewall-HOWTO-5.html" REL=previous>
 <LINK HREF="Firewall-HOWTO.html#toc6" REL=contents>
</HEAD>
<BODY>
<A HREF="Firewall-HOWTO-7.html">Next</A>
<A HREF="Firewall-HOWTO-5.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc6">Contents</A>
<HR>
<H2><A NAME="s6">6. IP filtering setup (IPFWADM)</A></H2>

<P>To start, IP forwarding must be turned on in the kernel, and the system should be forwarding everything. The routing table should be set up, so it should be possible to get everywhere: from inside to the outside and from outside to the inside.
But the purpose of a firewall is to keep people from going in and out of the network as they please.
On the example system, two scripts are set up to define the forwarding and accounting policy of the firewall. The system runs these two scripts from /etc/rc.d, so the firewall is configured at boot time.
The IP forwarding code in the Linux kernel forwards everything by default. Therefore, the firewall script should start by denying all access to the system and flushing any ipfw rules left over from the last time it was run. The following script does this.
<P>
<PRE>
  #
  # setup IP packet Accounting and Forwarding
  #
  #   Forwarding
  #
  # By default DENY all services
  ipfwadm -F -p deny
  # Flush all commands
  ipfwadm -F -f
  ipfwadm -I -f
  ipfwadm -O -f
</PRE>

Now we have an absolutely safe firewall. Everything is shut out; nothing can get one step past the firewall. Of course, some services are still needed, and the examples below can serve as a reference.
<PRE>
  # Forward email to your mail server (196.1.2.10, the same host as in the
  # outbound rule below; the original listing had a 192.1.2.10 typo here)
  ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25

  # Forward email connections to outside email servers
  ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535

  # Forward Web connections to your Web Server
  /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80

  # Forward Web connections to outside Web Server
  # (ipfwadm takes address/mask, not a "*" wildcard, so 196.1.2.* is written 196.1.2.0/24)
  /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 80 -D 0.0.0.0/0 1024:65535

  # Forward DNS traffic
  /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
</PRE>

If you want to know how traffic passes through the firewall, the following commands count every packet.
<PRE>
  # Accounting: flush the current accounting rules, then count every
  # packet in each direction between the protected network and the outside
  /sbin/ipfwadm -A -f
  /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
  /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
  /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
  /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24
</PRE>
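<P>An added example, not part of the HOWTO: a small Python model of the forwarding policy above (default deny, then the accept rules, with the address/mask, inclusive port-range and -b semantics of the ipfwadm lines), so the rule set can be exercised offline with constructed packets before it is loaded on a firewall. The accounting counters imitate the -A in/out rules for 196.1.2.0/24; how the real kernel orders accounting against the forwarding verdict is simplified here. ipfwadm itself is not run, and every packet in it is constructed.

```python
# Added example, not from the HOWTO: a model of the forwarding policy of this
# section (default deny, then the accept rules) for checking offline against
# constructed packets. ipfwadm itself is not run. Rule semantics modelled:
# address/mask, inclusive port ranges, and -b meaning the rule also matches
# the reverse direction. Accounting counts every packet offered to the
# firewall (a simplification of the -A in/out rules for 196.1.2.0/24).
import ipaddress
from dataclasses import dataclass

ANY_NET = "0.0.0.0/0"
ANY_PORT = (0, 65535)          # no port given on the ipfwadm line
HIGH_PORTS = (1024, 65535)     # the 1024:65535 client-side range
PRIVATE_NET = ipaddress.ip_network("196.1.2.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One 'ipfwadm -F -a accept' line."""
    proto: str
    src_net: str
    src_ports: tuple
    dst_net: str
    dst_ports: tuple
    bidirectional: bool = False   # the -b flag

    def _one_way(self, p, snet, sports, dnet, dports):
        return (p.proto == self.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(snet)
                and sports[0] <= p.sport <= sports[1]
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(dnet)
                and dports[0] <= p.dport <= dports[1])

    def matches(self, p):
        if self._one_way(p, self.src_net, self.src_ports, self.dst_net, self.dst_ports):
            return True
        return self.bidirectional and self._one_way(
            p, self.dst_net, self.dst_ports, self.src_net, self.src_ports)


class ForwardingPolicy:
    """'ipfwadm -F -p deny' as the default; accept rules are tried in order."""

    def __init__(self):
        self.rules = []
        self.accounting = {"in": 0, "out": 0}

    def accept(self, rule):
        self.rules.append(rule)

    def decide(self, p):
        src_in = ipaddress.ip_address(p.src) in PRIVATE_NET
        dst_in = ipaddress.ip_address(p.dst) in PRIVATE_NET
        if src_in and not dst_in:
            self.accounting["out"] += 1
        elif dst_in and not src_in:
            self.accounting["in"] += 1
        return "accept" if any(r.matches(p) for r in self.rules) else "deny"


def build_policy():
    """The accept rules of this section, in the order they appear."""
    pol = ForwardingPolicy()
    pol.accept(Rule("tcp", ANY_NET, HIGH_PORTS, "196.1.2.10/32", (25, 25), True))   # mail in
    pol.accept(Rule("tcp", "196.1.2.10/32", (25, 25), ANY_NET, HIGH_PORTS, True))   # mail out
    pol.accept(Rule("tcp", ANY_NET, HIGH_PORTS, "196.1.2.11/32", (80, 80), True))   # web in
    pol.accept(Rule("tcp", "196.1.2.0/24", (80, 80), ANY_NET, HIGH_PORTS, True))    # web out, as written
    pol.accept(Rule("udp", ANY_NET, (53, 53), "196.1.2.0/24", ANY_PORT, True))      # DNS
    return pol


if __name__ == "__main__":
    pol = build_policy()
    for pkt in (Packet("tcp", "10.9.8.7", 40000, "196.1.2.10", 25),    # SMTP to the mail server
                Packet("tcp", "10.9.8.7", 40000, "196.1.2.10", 23),    # telnet to the mail server
                Packet("tcp", "196.1.2.20", 40000, "10.9.8.7", 80)):   # inside client browsing out
        print(pkt, "->", pol.decide(pkt))
    print("accounting:", pol.accounting)
```

One thing the model makes visible: the "Forward Web connections to outside Web Server" rule, as written, matches source port 80 on the inside, so an inside client connecting from a high port to an outside web server on port 80 is denied; the rule admits replies from inside web servers rather than outbound browsing. Walking a rule set packet by packet like this is the cheapest way to catch such mismatches before they are found in production.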
<P>If you only want a filtering firewall, you are done here!
<P>
<P>
<HR>
<A HREF="Firewall-HOWTO-7.html">Next</A>
<A HREF="Firewall-HOWTO-5.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc6">Contents</A>
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=big5">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>Firewall and Proxy Server HOWTO: Installing the TIS Proxy Server</TITLE>
 <LINK HREF="Firewall-HOWTO-8.html" REL=next>
 <LINK HREF="Firewall-HOWTO-6.html" REL=previous>
 <LINK HREF="Firewall-HOWTO.html#toc7" REL=contents>
</HEAD>
<BODY>
<A HREF="Firewall-HOWTO-8.html">Next</A>
<A HREF="Firewall-HOWTO-6.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc7">Contents</A>
<HR>
<H2><A NAME="s7">7. Installing the TIS Proxy Server</A></H2>

<P>
<H2><A NAME="ss7.1">7.1 Getting the Software</A>
</H2>

<P>The TIS FWTK software is available from <B>ftp://ftp.tis.com/</B>.
Remember: after downloading from TIS, first read the README. The TIS fwtk is kept in a hidden directory on their server. To learn the name of the hidden directory, you must <B>send email to fwtk-request@tis.com</B> with the word <B>SEND</B> in the body of the message. No subject is needed. The reply tells you the name of the directory where the software is kept; it is valid for 12 hours, so download quickly.
At the time of writing, the latest version of FWTK is 2.0 (beta). Apart from a few small points, this version compiles without problems and runs normally, so it is used as the example here. When the final version comes out, a later HOWTO will be updated.
To install the FWTK, first create the fwtk-2.0 directory under /usr/src. Put the FWTK (fwtk-2.0.tar.gz) in this directory and unpack it there (tar zxf fwtk-2.0.tar.gz).
The FWTK does not proxy SSL web documents, but Jean-Christophe Touvet has written an addition for this, available from <B>ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z</B>.
Eric Wedel has written a modified version that includes access to Netscape's news servers. It is available from <B>ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z</B>
The example below uses Eric Wedel's version.
To install it, simply create an ssl-gw directory in the /usr/src/fwtk-2.0 directory and put the files in it.
When installing this gateway, a few changes have to be made before it will compile.
First change the ssl-gw.c file, which is missing a needed include file.
<PRE>
  #if defined(__linux)
  #include        &lt;sys/ioctl.h>
  #endif
</PRE>

Second, there is no Makefile. Copy one from another gateway directory and change the gateway name in it to ssl-gw.
<P>
<H2><A NAME="ss7.2">7.2 Compiling the TIS FWTK</A>
</H2>

<P>Version 2.0 of the FWTK compiles more easily than any earlier version. Still, a few changes to the BETA are needed before compiling. Hopefully these changes will be included in the final version.
To make them, first go to the /usr/src/fwtk/fwtk directory and copy the Makefile.config.linux file over the Makefile.config file.
<B>Do not run FIXMAKE</B>. The instructions recommend running it, but it breaks the makefile in every directory.
The fix for fixmake is to add a '.' and a '\' to the include line of the sed command in each Makefile. With the change below it runs fine.
<PRE>
  # the corrected include line (note "$name.proto", not "$name .proto")
  sed 's/^include[        ]*\([^  ].*\)/include \1/' $name.proto > $name
</PRE>

Next, Makefile.config needs to be edited, and two changes are needed first.
The source directory in Makefile.config should be changed to /usr/src, where the compilation is done, so FWTKSRCDIR must be changed accordingly.
<PRE>
  FWTKSRCDIR=/usr/src/fwtk/fwtk
</PRE>

Some Linux systems use the gdbm database, while Makefile.config uses dbm. On RedHat 3.0.3, for example, this has to be changed accordingly.
<PRE>
  DBMLIB=-lgdbm
</PRE>

Finally, x-gw has to be changed. The following lines in socket.c of the BETA must be deleted.
<PRE>
  #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
                       + sizeof(un_name->sun_len) + 1
  #endif
</PRE>

If ssl-gw has been added to the FWTK source directory, it must also be added to the directory list in the Makefile.
<PRE>
  DIRS=   smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw
</PRE>

After making the above changes, run <B>make</B>.
<P>
<H2><A NAME="ss7.3">7.3 Installing the TIS FWTK</A>
</H2>

<P>Run <B>make install</B>.
The default installation directory is /usr/local/etc. You can install into a more secure directory instead, but you can also leave it unchanged and set its permissions to chmod 700.
Now configure the firewall.
<P>
<H2><A NAME="ss7.4">7.4 Configuring the TIS FWTK</A>
</H2>

<P>Now the fun begins! The system has to be configured to call these new services, and control tables have to be created to manage them.
The following is not meant to rewrite the TIS FWTK manual; it only shows a working configuration, the problems that may arise and how to solve them.
Three files make up these controls.
<P>
<UL>
<LI>/etc/services
<UL>
<LI>Tells the system which port each service is on</LI>
</UL>
</LI>
</UL>

<UL>
<LI>/etc/inetd.conf
<UL>
<LI>Tells inetd which program to start when there is activity on a service port</LI>
</UL>
</LI>
</UL>

<UL>
<LI>/usr/local/etc/netperm-table
<UL>
<LI>Tells the FWTK which users to allow and which to refuse</LI>
</UL>
</LI>
</UL>

For the FWTK to work, these files should be edited thoroughly, working from the bottom of the list up. Editing the services file without inetd.conf or netperm-table set up correctly can make the system completely unusable.
<P>
<H3>The netperm-table File</H3>

<P>This file controls who may use the services of the TIS FWTK. First think about the needs on both sides of the firewall. Users outside the network should identify themselves before getting in, but users inside the network can pass straight through.
For identification, the firewall uses a program called <B>authsrv</B>, which keeps the user IDs and passwords. The authentication section of netperm-table controls where this database is kept and who may use it.
It is not easy to keep people away from this service: the permit-hosts line uses "*", so that everyone can use it. The correct setting for this line should be "<CODE>authsrv: permit-hosts localhost</CODE>", but it does not seem to work.
<PRE>
  #
  # Proxy configuration table
  #
  # Authentication server and client rules
  authsrv:      database /usr/local/etc/fw-authdb
  authsrv:      permit-hosts *
  authsrv:      badsleep 1200
  authsrv:      nobogus true
  # Client Applications using the Authentication server
  *:            authserver 127.0.0.1 114
</PRE>

To initialize the database, run <B>./authsrv</B> as root in /var/local/etc and create the administrator's record. The session goes like this.
Read the FWTK documentation to learn how to add users and groups.
<PRE>
    #
    # authsrv
    authsrv# list
    authsrv# adduser admin &quot;Auth DB admin&quot;
    ok - user added initially disabled
    authsrv# ena admin
    enabled
    authsrv# proto admin pass
    changed
    authsrv# pass admin &quot;plugh&quot;
    Password changed.
    authsrv# superwiz admin
    set wizard
    authsrv# list
    Report for users in database
    user   group  longname           ok?    proto   last 
    ------ ------ ------------------ -----  ------  -----
    admin         Auth DB admin      ena    passw   never
    authsrv# display admin
    Report for user admin (Auth DB admin)
    Authentication protocol: password
    Flags: WIZARD
    authsrv# ^D
    EOT
    #
</PRE>

The controls for the Telnet gateway (tn-gw) are straightforward and should be set up first.
For example, users inside the protected network are allowed to pass through without identifying themselves (permit-hosts 196.1.2.* -passok), but all other users must supply a user ID and password before they can use the proxy (permit-hosts * -auth).
In addition, one system (196.1.2.202) may also use the firewall directly. This only requires setting the netacl-in.telnetd entry.
The Telnet timeout should be short.
<PRE>
  # telnet gateway rules:
  tn-gw:                denial-msg      /usr/local/etc/tn-deny.txt
  tn-gw:                welcome-msg     /usr/local/etc/tn-welcome.txt
  tn-gw:                help-msg        /usr/local/etc/tn-help.txt
  tn-gw:                timeout 90
  tn-gw:                permit-hosts 196.1.2.* -passok -xok
  tn-gw:                permit-hosts * -auth
  # Only the Administrator can telnet directly to the Firewall via Port 24
  netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
</PRE>
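<P>An added example, not from the HOWTO or the FWTK sources: a simplified Python model of how the permit-hosts and deny-hosts lines in netperm-table select a client, used here to check the authsrv and tn-gw rules above. It assumes that the first line for a service whose host pattern matches decides, that "*" is a wildcard and "localhost" stands for 127.0.0.1, and it carries the other keywords (timeout, -exec and so on) along without interpreting them; the tables in it are constructed from the lines in this section.

```python
# Added example, not from the HOWTO or the FWTK sources: a simplified model of
# how netperm-table permit-hosts/deny-hosts lines select a client, so a table
# can be checked offline. Assumptions: the first line for a service whose host
# pattern matches decides; "*" is a wildcard and "localhost" stands for
# 127.0.0.1; other keywords are carried as options but not interpreted.
# Both tables below are constructed from the lines in this section.
import fnmatch

TABLE_AS_ON_PAGE = """\
# authentication server and client rules
authsrv:            database /usr/local/etc/fw-authdb
authsrv:            permit-hosts *
*:                  authserver 127.0.0.1 114
# telnet gateway rules:
tn-gw:              timeout 90
tn-gw:              permit-hosts 196.1.2.* -passok -xok
tn-gw:              permit-hosts * -auth
netacl-in.telnetd:  permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
"""

# The same table with the authsrv line the section says is the correct one
# (only the first "permit-hosts *" line, the authsrv one, is replaced).
TABLE_AUTHSRV_LOCALHOST = TABLE_AS_ON_PAGE.replace(
    "permit-hosts *\n", "permit-hosts localhost\n", 1)


def parse_netperm(text):
    """Return (service, verb, host_pattern, options) for each permit/deny line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        service, body = line.split(":", 1)
        fields = body.split()
        if len(fields) < 2 or fields[0] not in ("permit-hosts", "deny-hosts"):
            continue
        rules.append((service.strip(), fields[0], fields[1], tuple(fields[2:])))
    return rules


def host_matches(pattern, host):
    if pattern == "localhost":
        return host in ("localhost", "127.0.0.1")
    return fnmatch.fnmatchcase(host, pattern)


def check_access(rules, service, host):
    """('permit', needs_auth) or ('deny', None); no matching line means deny."""
    for svc, verb, pattern, opts in rules:
        if svc == service and host_matches(pattern, host):
            if verb == "deny-hosts":
                return ("deny", None)
            return ("permit", "-auth" in opts or "-authall" in opts)
    return ("deny", None)


if __name__ == "__main__":
    for name, table in (("as on page", TABLE_AS_ON_PAGE),
                        ("authsrv localhost", TABLE_AUTHSRV_LOCALHOST)):
        rules = parse_netperm(table)
        print(name, "tn-gw from inside:", check_access(rules, "tn-gw", "196.1.2.50"))
        print(name, "tn-gw from outside:", check_access(rules, "tn-gw", "10.9.8.7"))
        print(name, "authsrv from outside:", check_access(rules, "authsrv", "10.9.8.7"))
```

Running check_access against both tables makes the authsrv point noted above concrete: with permit-hosts * any host may talk to the authentication server, while the localhost variant refuses everyone but 127.0.0.1. The real FWTK does its own pattern matching, so treat this as a way to reason about a table, not as a substitute for testing the installed gateway.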

The r-commands are set up the same way as telnet.
<PRE>
  # rlogin gateway rules:
  rlogin-gw:    denial-msg      /usr/local/etc/rlogin-deny.txt
  rlogin-gw:    welcome-msg     /usr/local/etc/rlogin-welcome.txt
  rlogin-gw:    help-msg        /usr/local/etc/rlogin-help.txt
  rlogin-gw:    timeout 90
  rlogin-gw:    permit-hosts 196.1.2.* -passok -xok
  rlogin-gw:    permit-hosts * -auth -xok
  # Only the Administrator can telnet directly to the Firewall via Port
  netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a
</PRE>

Nobody should be allowed to enter the firewall directly, and that includes FTP, so do not put an FTP server on the firewall.
Again, the permit-hosts line lets anyone inside the protected network reach the Internet freely, while everyone else must identify themselves. Logging of every file sent and received is added below (-log { retr stor }).
The FTP timeout controls how long it takes to give up a bad connection, and how long a connection stays open with no activity before it is dropped.
<PRE>
  # ftp gateway rules:
  ftp-gw:               denial-msg      /usr/local/etc/ftp-deny.txt
  ftp-gw:               welcome-msg     /usr/local/etc/ftp-welcome.txt
  ftp-gw:               help-msg        /usr/local/etc/ftp-help.txt
  ftp-gw:               timeout 300
  ftp-gw:               permit-hosts 196.1.2.* -log { retr stor }
  ftp-gw:               permit-hosts * -authall -log { retr stor }
</PRE>

FTP through WWW, gopher and browsers is controlled by http-gw. The first two lines create a directory for storing the ftp and WWW documents that pass through the firewall. In this example these files are owned by root, so they are placed in a directory that only root can enter.
The WWW connection timeout should be short. It controls how long users wait on a bad connection.
<PRE>
  # www and gopher gateway rules:
  http-gw:      userid          root
  http-gw:      directory       /jail
  http-gw:      timeout 90
  http-gw:      default-httpd   www.afs.net
  http-gw:      hosts           196.1.2.* -log { read write ftp }
  http-gw:      deny-hosts      * 
</PRE>

ssl-gw is really a gateway that anyone can pass through, so configure it with care. In this example, any user in the protected network can connect to any server outside the network, except 127.0.0.* and 192.1.1.*, and only on ports 443 through 563. Ports 443 through 563 are generally known as the SSL ports.
<PRE>
  # ssl gateway rules:
  ssl-gw:   timeout 300
  ssl-gw:   hosts           196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
  ssl-gw:   deny-hosts      *
</PRE>

The example below shows how to use plug-gw to connect to a news server. In this example, users inside the protected network are only allowed to connect to one system, and only to its news port.
The second line lets the news server send its data back to the protected network.
The timeout for the news server should be set long, because most users stay connected while reading news.
<PRE>
 
  # NetNews Pluged gateway
  plug-gw:        timeout 3600
  plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
  plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp
</PRE>
<P>Setting up the finger gateway is very simple. Users inside the protected network can use the finger program on the firewall once they have logged in. Anyone else just receives a message.
<PRE>
  # Enable finger service
  netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
  netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
</PRE>

The Mail and X-windows services are not set up in this HOWTO. If anyone has a working example, please email it to me.
<P>
<H3>The inetd.conf Configuration File</H3>

<P>Below is the complete /etc/inetd.conf file. All unneeded services are commented out with #. The complete file shows which services have been disabled, as well as how the new firewall services are set up.
<PRE>
 
  #echo    stream  tcp  nowait  root  internal
  #echo    dgram   udp  wait    root  internal
  #discard stream  tcp  nowait  root  internal
  #discard dgram   udp  wait    root  internal
  #daytime stream  tcp  nowait  root  internal
  #daytime dgram   udp  wait    root  internal
  #chargen stream  tcp  nowait  root  internal
  #chargen dgram   udp  wait    root  internal
  # FTP firewall gateway
  ftp-gw   stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
  # Telnet firewall gateway
  telnet   stream  tcp  nowait      root  /usr/local/etc/tn-gw   /usr/local/etc/tn-gw
  # local telnet services (administrator's port, see /etc/services below)
  telnet-a stream  tcp  nowait      root  /usr/local/etc/netacl  in.telnetd
  # Gopher firewall gateway
  gopher   stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
  # WWW firewall gateway
  http     stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
  # SSL firewall gateway
  ssl-gw   stream  tcp  nowait      root  /usr/local/etc/ssl-gw  ssl-gw
  # NetNews firewall proxy (using plug-gw)
  nntp     stream  tcp  nowait      root  /usr/local/etc/plug-gw plug-gw nntp
  #nntp    stream  tcp  nowait      root  /usr/sbin/tcpd         in.nntpd
  # SMTP (email) firewall gateway
  #smtp    stream  tcp  nowait      root  /usr/local/etc/smap    smap
  #
  # Shell, login, exec and talk are BSD protocols
  #
  #shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
  #login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
  #exec    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
  #talk    dgram   udp  wait    root    /usr/sbin/tcpd  in.talkd
  #ntalk   dgram   udp  wait    root    /usr/sbin/tcpd  in.ntalkd
  #dtalk   stream  tcp  wait    nobody  /usr/sbin/tcpd  in.dtalkd
  #
  # Pop and imap mail services et al
  #
  #pop-2   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop2d
  #pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
  #imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
  #
  # The Internet UUCP service
  #
  #uucp    stream  tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
  #
  # Tftp service is provided primarily for booting.  Most sites
  # run this only on machines acting as "boot servers." Do not uncomment
  # this unless you *need* it.
  #
  #tftp    dgram   udp  wait    root  /usr/sbin/tcpd  in.tftpd
  #bootps  dgram   udp  wait    root  /usr/sbin/tcpd  bootpd
  #
  # Finger, systat and netstat give out user information which may be
  # valuable to potential "system crackers."  Many sites choose to disable
  # some or all of these services to improve security.
  #
  # cfinger is for GNU finger, which is currently not in use in RHS Linux
  #
  finger   stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
  #cfinger stream  tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
  #systat  stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
  #netstat stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
  #
  # Time service is used for clock synchronization.
  #
  #time    stream  tcp  nowait  root  /usr/sbin/tcpd  in.timed
  #time    dgram   udp  wait    root  /usr/sbin/tcpd  in.timed
  #
  # Authentication
  #
  auth     stream  tcp  wait    root  /usr/sbin/tcpd  in.identd -w -t120
  authsrv  stream  tcp  nowait  root  /usr/local/etc/authsrv authsrv
  #
  # End of inetd.conf
</PRE>
<P>
<H3>The /etc/services File</H3>

<P>
<P>When a client connects to the firewall it connects on a well-known port (below 1024). For example, telnet connects on port 23. The inetd daemon accepts the connection and looks up the name of that service in the /etc/services file. It then starts the program assigned to that name in the /etc/inetd.conf file.
Some of the services being created here are not normally in the /etc/services file. These can be assigned to any port you like. For example, the administrator's telnet port (telnet-a) can be assigned to port 24, or to port 2323 if you prefer. For the administrator (that is, you) to connect directly to the firewall you then need to telnet to port 24 rather than 23, and if the netperm-table is set up as in the example above, this is only possible from one system inside the protected network.
<P>
<PRE>
 
  telnet-a         24/tcp
  ftp-gw          21/tcp           # this name changed
  auth            113/tcp   ident    # User Verification
  ssl-gw           443/tcp
</PRE>
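<P>The lookup chain just described (port, then the name in /etc/services, then the program in /etc/inetd.conf) is easy to get wrong once names such as telnet-a or ssl-gw are added. The following Python script is an added example, not anything from the HOWTO: it reads both files and reports each active inetd entry with its port, the user it runs as and whether the server is started through tcpd or an FWTK gateway, flagging names that have no /etc/services entry (inetd cannot bind those) and the information-leaking services the inetd.conf comments warn about. The two inputs are constructed excerpts of the listings above, and the assumption that anything under /usr/local/etc/ is an FWTK program is the script's own.</P>

```python
"""Audit an inetd.conf against /etc/services.

Added example, not from the HOWTO.  For every active (uncommented) inetd entry
it reports the port inetd will bind, the user the server runs as and whether
the server is started through tcpd or an FWTK gateway, and flags service names
that have no /etc/services entry (inetd cannot start those) and the
information-leaking services the inetd.conf comments warn about.
"""

# Constructed excerpts of the two listings above.
INETD_CONF = """\
#echo    stream  tcp  nowait      root  internal
ftp-gw   stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
telnet   stream  tcp  nowait      root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
telnet-a stream  tcp  nowait      root  /usr/local/etc/netacl in.telnetd
http     stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
ssl-gw   stream  tcp  nowait      root  /usr/local/etc/ssl-gw  ssl-gw
nntp     stream  tcp  nowait      root  /usr/local/etc/plug-gw plug-gw nntp
finger   stream  tcp  nowait      root  /usr/sbin/tcpd  in.fingerd
#systat  stream  tcp  nowait      guest /usr/sbin/tcpd  /bin/ps -auwwx
auth     stream  tcp  wait        root  /usr/sbin/tcpd  in.identd -w -t120
authsrv  stream  tcp  nowait      root  /usr/local/etc/authsrv authsrv
"""

SERVICES = """\
telnet    23/tcp
telnet-a  24/tcp
ftp-gw    21/tcp              # this name changed
finger    79/tcp
http      80/tcp    www
auth      113/tcp   ident     # User Verification
nntp      119/tcp   readnews untp
ssl-gw    443/tcp
"""

# Assumption: tcpd, or anything under the FWTK install prefix, counts as a wrapper.
WRAPPERS = ("/usr/sbin/tcpd", "/usr/local/etc/")
INFO_LEAK = {"finger", "cfinger", "systat", "netstat"}


def parse_services(text):
    """Map (name, proto) -> port, including aliases listed after the port."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port)
    return table


def parse_inetd(text):
    """Return the active entries as dicts; commented lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].startswith("#"):
            continue
        entries.append({"name": f[0], "proto": f[2], "user": f[4],
                        "server": f[5], "args": f[6:]})
    return entries


def audit(inetd_text, services_text):
    """Join the two files and attach a list of findings to each active entry."""
    ports = parse_services(services_text)
    report = []
    for e in parse_inetd(inetd_text):
        port = ports.get((e["name"], e["proto"]))
        findings = []
        if port is None:
            findings.append("no /etc/services entry: inetd cannot bind this service")
        if not e["server"].startswith(WRAPPERS):
            findings.append("started directly, not through tcpd or an FWTK gateway")
        if e["name"] in INFO_LEAK:
            findings.append("gives out user/system information to the network")
        report.append({**e, "port": port, "findings": findings})
    return report


def format_report(report):
    lines = []
    for r in report:
        port = "????" if r["port"] is None else str(r["port"])
        lines.append(f"{r['name']:<9} {port:>5}/{r['proto']} as {r['user']:<5} via {r['server']}")
        lines.extend(f"    ! {f}" for f in r["findings"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(INETD_CONF, SERVICES)))
```

<P>With these inputs the report flags authsrv, which the services fragment above does not list, and the still-active finger service; it also makes visible that finger is started through tcpd here rather than through netacl, so the netacl-fingerd rules in the netperm-table are not what governs it.</P>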
<P>
<P>
<HR>
<A HREF="Firewall-HOWTO-8.html">Next</A>
<A HREF="Firewall-HOWTO-6.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc7">Contents</A>
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=big5">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>Firewall and Proxy Server HOWTO: The SOCKS Proxy Server</TITLE>
 <LINK HREF="Firewall-HOWTO-9.html" REL=next>
 <LINK HREF="Firewall-HOWTO-7.html" REL=previous>
 <LINK HREF="Firewall-HOWTO.html#toc8" REL=contents>
</HEAD>
<BODY>
<A HREF="Firewall-HOWTO-9.html">Next</A>
<A HREF="Firewall-HOWTO-7.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc8">Contents</A>
<HR>
<H2><A NAME="s8">8. The SOCKS Proxy Server</A></H2>

<H2><A NAME="ss8.1">8.1 Setting up the Proxy Server</A>
</H2>

<P>The SOCKS proxy server is available from
<B>ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-src.tgz</B>. The same directory also holds an example configuration file called &quot;socks-conf&quot; that you can use as a reference. Uncompress and untar the file, then follow its instructions on how to build it. Building is not entirely straightforward; make sure the Makefiles are correct first.
The proxy server must also be added to /etc/inetd.conf, so add the following line:
<PRE>
  socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd
</PRE>

This tells inetd to run the server when it is requested.
<P>
<H2><A NAME="ss8.2">8.2 Configuring the Proxy Server</A>
</H2>

<P>SOCKS needs two separate configuration files. One controls what access is allowed; the other routes requests to the appropriate proxy server. The access file belongs on the server; the routing file belongs on every UNIX machine. DOS and Macintosh machines do their own routing.
<P>
<H3>The Access File</H3>

<P>In socks4.2 (beta), the access file is called &quot;sockd.conf&quot;. It should contain two lines, a permit line and a deny line. Each line has three fields:
<UL>
<LI>The identifier (permit/deny)</LI>
<LI>The IP address</LI>
<LI>The address modifier</LI>
</UL>

The identifier is either permit or deny. You should have both a permit line and a deny line.
The IP address is a four-byte address in the usual dotted notation, e.g. 192.168.2.0.
The address modifier is also a four-byte IP address and works like a netmask. Think of it as a 32-bit number: wherever a bit is 1, the corresponding bit of the address being checked must match the corresponding bit of the IP address field. For example, the line:
<PRE>
    permit 192.168.2.23  255.255.255.255
</PRE>
<P>permits only the address that matches every bit of the IP address, i.e. 192.168.2.23. The line:
<PRE>
    permit 192.168.2.0  255.255.255.0
</PRE>

permits every address from 192.168.2.0 to 192.168.2.255, the whole C-class network. You should never have a line like:
<PRE>
    permit 192.168.2.0  0.0.0.0
</PRE>

because it permits every address, whatever it is.
So first permit every address that should be allowed, then deny everything else. To allow everyone in the 192.168.2.xxx range, use:
<PRE>
    permit 192.168.2.0  255.255.255.0
    deny 0.0.0.0  0.0.0.0
</PRE>
<P>Note the first &quot;0.0.0.0&quot; in the deny line. With a modifier of 0.0.0.0 the IP address field does not matter at all; all zeros is used as the IP address simply because it is easy to type.
Specific users can also be granted or denied access. This is done via ident authentication. Not all systems support ident, Trumpet Winsock among them, so it is not covered further here. The documentation that comes with socks is adequate on this subject.
<H3>The Routing File</H3>

<P>The routing file in SOCKS is called &quot;socks.conf&quot;, a name easily confused with that of the access file.
The routing file tells SOCKS clients when to use socks and when not to. For instance, in the example network 192.168.2.3 does not need socks to talk to the firewall, 192.168.2.1: it has a direct Ethernet connection to it. The loopback address 127.0.0.1 is defined automatically, since there is no need to use socks to talk to yourself. There are three kinds of entry:
<P>
<UL>
<LI>deny</LI>
<LI>direct</LI>
<LI>sockd</LI>
</UL>

The deny entry tells socks when to reject a request. It takes the same three fields as sockd.conf: identifier, IP address and address modifier. Since access is generally handled by sockd.conf, the access file, the modifier field here is usually 0.0.0.0. If you want to prevent yourself from connecting anywhere, you can do it here.
<P>The direct entry lists the addresses for which socks is not used. These are all the addresses that can be reached directly, without the proxy server. Again there are three fields: identifier, address and modifier. For example:
<PRE>
    direct 192.168.2.0 255.255.255.0
</PRE>
<P>The sockd entry tells the computer which host runs the socks server daemon. Its syntax is:
<P>
<PRE>
  sockd @=&lt;serverlist&gt; &lt;IP address&gt; &lt;modifier&gt;
</PRE>
<P>Note the @= field. It lets you list the IP addresses of a series of proxy servers. The example here uses only one proxy server, but you can list several, both to spread the load and to have another server take over when one fails.
<P>The IP address and modifier fields are set in the same way as in the other examples.
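<P>To see how a client resolves a destination against socks.conf, here is an added Python example (not part of the SOCKS package). It treats the loopback address as direct without a line, as described above, tries the remaining lines in order with the first match deciding, and refuses anything no line covers; those last two behaviours, and the comma-separated form of the @= server list, are assumptions to verify against your socks.conf documentation. The routing file is constructed for the example network, with a second proxy added to show the server list.</P>

```python
"""Resolve destinations against a SOCKS 4.2 socks.conf routing file.

Added example, not part of the SOCKS package.  Loopback is treated as direct
without a line (the HOWTO says the client defines 127.0.0.1 itself).
Assumptions to verify against socks.conf(5): the remaining lines are tried in
order and the first match wins, the '@=' server list is comma separated, and a
destination no line covers is refused rather than sent out.
"""
from ipaddress import IPv4Address

# Constructed routing file for the example network: clients on 192.168.2.0/24,
# the firewall at 192.168.2.1 and a second proxy at 192.168.2.2 for redundancy.
SOCKS_CONF = """
deny   10.66.0.0   255.255.0.0                    # never talk to this range
direct 192.168.2.0 255.255.255.0                  # own LAN, reachable without socks
sockd  @=192.168.2.1,192.168.2.2 0.0.0.0 0.0.0.0  # everything else via the proxies
"""


def masked_match(addr, net, mask):
    """True when addr and net agree on every bit that is set in mask."""
    a, n, m = (int(IPv4Address(x)) for x in (addr, net, mask))
    return a & m == n & m


def parse_socks_conf(text):
    """Return [(kind, servers, address, modifier), ...] in file order."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        kind, rest = f[0], f[1:]
        servers = []
        if kind == "sockd" and rest and rest[0].startswith("@="):
            servers = rest[0][2:].split(",")   # explicit proxy list
            rest = rest[1:]
        if kind not in ("deny", "direct", "sockd") or len(rest) < 2:
            raise ValueError(f"bad socks.conf line: {line!r}")
        rules.append((kind, servers, rest[0], rest[1]))
    return rules


def route(rules, dst):
    """Return ('direct', []), ('deny', []) or ('sockd', [proxy, ...]) for dst."""
    if masked_match(dst, "127.0.0.0", "255.0.0.0"):
        return "direct", []
    for kind, servers, net, mask in rules:
        if masked_match(dst, net, mask):
            return kind, servers
    return "deny", []


if __name__ == "__main__":
    rules = parse_socks_conf(SOCKS_CONF)
    for host in ("192.168.2.3", "127.0.0.1", "10.66.4.4", "204.1.2.3"):
        print(f"{host:<12} -> {route(rules, host)}")
```

<P>Because lines are matched in order, a direct line for your own network must come before the catch-all sockd line, or every local connection would be sent through the proxy.</P>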
<P>
<H3>DNS from behind a Firewall</H3>

<P>Setting up Domain Name Service from behind a firewall is a simple matter. Set up DNS on the firewall machine itself, then configure every machine behind the firewall to use that DNS.

<H2><A NAME="ss8.3">8.3 Working With a Proxy Server</A>
</H2>

<H3>Unix</H3>

<P>To have applications use the proxy server they need to be &quot;sockified&quot;. You need two different telnets: one for direct communication and one that communicates through the proxy server. The SOCKS package includes instructions on how to sockify a program as well as a few pre-sockified programs. If you use a sockified program to go somewhere direct, SOCKS switches you to the direct version automatically. Because of this, all the programs on the protected network should be renamed and replaced with the sockified ones: &quot;finger&quot; becomes &quot;finger.orig&quot;, &quot;telnet&quot; becomes &quot;telnet.orig&quot;, and so on. SOCKS must be told about each of these via the include/socks.h file.
Some programs handle routing and sockifying themselves; Netscape is one of them. To use the proxy server under Netscape, enter the server's address (192.168.2.1 here) in the SOCKS field under Proxies. Regardless of how an application handles a proxy server, each one will need at least a little adjustment.
<P>
<H3>MS Windows with Trumpet Winsock</H3>

<P>Trumpet Winsock has built-in proxy server support. In the &quot;setup&quot; menu, enter the IP address of the server along with the addresses of all the computers that can be reached directly. Trumpet then handles all outgoing packets.
<P>
<H3>Getting the Proxy Server to Work with UDP Packets</H3>

<P>The SOCKS package handles only TCP packets, not UDP. This makes it somewhat less useful, since many useful programs, such as talk and Archie, use UDP. There is a package called UDPrelay, written by Tom Fitzgerald &lt;fitz@wang.com&gt;, designed as a proxy server for UDP packets. At the time of writing, however, it does not work on Linux.
<H2><A NAME="ss8.4">8.4 Drawbacks with Proxy Servers</A>
</H2>

<P>Above all, the proxy server is a <CODE>security device</CODE>. Using it to give many users Internet access when you have only a limited number of IP addresses has many drawbacks. A proxy server lets users inside the protected network reach the outside, but keeps the outside completely unable to reach the inside. That means no talk or archie connections to the inside machines, and no direct mail delivery to them. These drawbacks may seem slight, but consider:
<UL>
<LI>You have left an unfinished report on your computer inside the firewall-protected network. At home you decide you would like to go over it. You cannot: the computer is behind the firewall and cannot be reached. You could log in to the <CODE>firewall</CODE> first, but because everyone has access through the proxy server, no one has set up an individual account for you on it.
<P>
</LI>
<LI>Your daughter has gone to college. You want to email her, and you have private things to discuss, so you would rather have your mail delivered directly to your own machine. You trust your systems administrator completely, but this is personal mail, not company business.
<P>
</LI>
<LI>The inability to use UDP is a big drawback of proxy servers. I imagine UDP support will be coming shortly.</LI>
</UL>
<P>FTP presents another problem with a proxy server. When fetching a file or doing an <CODE>ls</CODE>, the FTP server opens a socket back to the client machine and sends the data through it. A proxy server will not allow this incoming connection, so FTP cannot be used this way. (This is active-mode FTP; in passive mode the client opens the data connection itself, which avoids the callback.)
Proxy servers are also slow. Because of the extra overhead, almost any other means of getting this access will be faster.
Basically, if you have the IP addresses and are not worried about security, do not use a firewall and/or proxy servers. If you do not have the IP addresses but are also not worried about security, consider an IP emulator such as Term, Slirp or TIA. Term is available from <CODE><B>ftp://sunsite.unc.edu</B></CODE>, Slirp from <CODE><B>ftp://blitzen.canberra.edu.au/pub/slirp</B></CODE>, and TIA from marketplace.com. The ideal network for a proxy server is one with many hosts that need to connect to the Internet, where the setup is done once and little work is needed after that.
<P>
<HR>
<A HREF="Firewall-HOWTO-9.html">Next</A>
<A HREF="Firewall-HOWTO-7.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc8">Contents</A>
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=big5">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>Firewall and Proxy Server HOWTO: Advanced Configurations</TITLE>
 <LINK HREF="Firewall-HOWTO-8.html" REL=previous>
 <LINK HREF="Firewall-HOWTO.html#toc9" REL=contents>
</HEAD>
<BODY>
Next
<A HREF="Firewall-HOWTO-8.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc9">Contents</A>
<HR>
<H2><A NAME="s9">9. Advanced Configurations</A></H2>

<P>Before wrapping up, here is one more configuration to illustrate the method. The examples above will suffice for most situations; the following advanced configuration is meant to clear up some remaining questions. If the examples above do not answer your question, or you want to understand more of what proxy servers and firewalls can do, read on.
<P>
<H2><A NAME="ss9.1">9.1 A Large Network with Emphasis on Security</A>
</H2>

<P>Say the leader of a militia group wants to network the site: 50 computers and a subnet of 32 IP addresses. Because the followers are of different ranks, the leader wants different levels of access within the network, so one part of the network must be kept from communicating with another.
The levels are:
<P>
<OL>
<LI>The external level. This is the level everyone can reach; it is where new members are recruited.</LI>
<LI><B>Troop</B> The people at this level have gotten beyond the external level. Here they learn some of the plans and how to make weapons.</LI>
<LI><B>Mercenary</B> This is where the <EM>real</EM> plans are made.</LI>
</OL>
<P>
<H3>Network Setup</H3>

<P>The IP numbers are arranged as follows:
<P>
<P>
<UL>
<LI>One address, 192.168.2.255, is the broadcast address and cannot be used.</LI>
<LI>23 of the 32 IP addresses are allocated to 23 machines that are reachable from the Internet.</LI>
<LI>One IP address goes to a Linux box on that network.</LI>
<LI>One IP address goes to another Linux box on that network.</LI>
<LI>Two IP addresses go to the router.</LI>
<LI>The remaining four addresses are given arbitrary names, just to make the real users harder to pin down.</LI>
<LI>The protected networks both use the addresses 192.168.2.xxx.</LI>
</UL>

Two separate networks are thus built. They are connected via infrared Ethernet so that they remain completely invisible to the outside; infrared Ethernet works just like normal Ethernet.
Each of these networks is connected to one of the Linux boxes that has an IP address.
A file server is connected to both protected networks, because the plans for taking over the world involve some of the better-trained troops. The file server has the address 192.168.2.17 on the troop network and 192.168.2.23 on the mercenary network. It needs two IP addresses because it has two Ethernet cards. IP forwarding on it is turned off.
IP forwarding on both Linux boxes is also turned off. The router will not forward packets destined for 192.168.2.xxx unless explicitly told to, so there is no way in from the Internet. IP forwarding is turned off so that packets from the troop network cannot reach the mercenary network, and vice versa. Note that a dual-homed host with forwarding off still has a foot in both networks: anything that compromises the file server itself can reach both of them, which is one reason the proxy setup below keeps it off the Internet.
The NFS server can be configured to export different files to the different networks. This is quite handy, and a little trickery with symbolic links lets common files be shared by everyone. With this setup and one more Ethernet card, a single file server can serve all three networks.
<H3>Proxy Setup</H3>

<P>Since all three groups want to keep an eye on what is happening on the net, all three need net access. The external network is directly connected to the Internet, so no proxy server changes are needed there. The mercenary and troop networks are behind the firewall, so proxy servers must be set up for them.
The two networks are set up very similarly; both keep the IP addresses assigned to them. A couple of extra parameters are added here to make things more interesting:
<OL>
<LI>No one may use the file server for Internet access. That would expose the file server to viruses and other nasty things, and it is too important for that, so it is off limits.</LI>
<LI>The troop network is not allowed to reach the World Wide Web. The troops are in training, and this kind of information retrieval power might prove damaging to them.</LI>
</OL>

So the sockd.conf file on the troop network's Linux box should have this line:
<PRE>
    deny 192.168.2.17  255.255.255.255
</PRE>

and on the mercenary machine:
<PRE>
    deny 192.168.2.23  255.255.255.255
</PRE>

In addition, the troop network's Linux box has this line:
<PRE>
    deny 0.0.0.0  0.0.0.0 eq 80
</PRE>
<P>This line denies every machine access to port 80, the http port. Those machines can still use all other services; only Web access is denied.
Then both sockd.conf files get:
<PRE>
    permit 192.168.2.0  255.255.255.0
</PRE>

so that all computers on the 192.168.2.xxx network may use this proxy server, except for what has already been denied (that is, the file server, and Web access from the troop network). The order matters: sockd uses the first line that matches, so the deny lines must come before the permit line or they would never be reached.
<P>The troop network's sockd.conf file then looks like this:
<PRE>
    deny 192.168.2.17  255.255.255.255
    deny 0.0.0.0  0.0.0.0 eq 80
    permit 192.168.2.0  255.255.255.0
</PRE>

The mercenary network's sockd.conf file looks like this:
<PRE>
    deny 192.168.2.23  255.255.255.255
    permit 192.168.2.0  255.255.255.0
</PRE>
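<P>The following Python script is an added example (not from the SOCKS package or from this HOWTO) that evaluates sockd.conf access files as described in section 8.2 and as used above for the troop and mercenary networks. It tries lines in order with the first match deciding, denies anything no line matches, accepts the optional destination address and mask that the sockd.conf grammar allows before the port operator, and understands eq/ne/lt/gt/le/ge; these are assumptions based on socks4.2 behaviour and should be checked against the documentation. The three files are constructed: the two from above, plus the mistaken 0.0.0.0 modifier that section 8.2 warns about.</P>

```python
"""Evaluate SOCKS 4.2 sockd.conf access files.

Added example, not from the SOCKS package or this HOWTO.  A line is
'permit|deny src_addr src_mask [dst_addr dst_mask] [op dst_port]'; the HOWTO's
lines omit the destination pair, so it is optional here.  Assumptions to check
against sockd.conf(5): lines are tried in order and the first match decides, a
request matching no line is denied, and op is one of eq ne lt gt le ge.
"""
import operator
from ipaddress import IPv4Address

OPS = {"eq": operator.eq, "ne": operator.ne, "neq": operator.ne, "lt": operator.lt,
       "gt": operator.gt, "le": operator.le, "ge": operator.ge}

# Constructed copies of the section 9 files.
TROOP_CONF = """
deny 192.168.2.17  255.255.255.255
deny 0.0.0.0  0.0.0.0 eq 80
permit 192.168.2.0  255.255.255.0
"""
MERCENARY_CONF = """
deny 192.168.2.23  255.255.255.255
permit 192.168.2.0  255.255.255.0
"""
# The mistake section 8.2 warns about: a 0.0.0.0 modifier matches every source.
BAD_CONF = """
permit 192.168.2.0  0.0.0.0
deny 0.0.0.0  0.0.0.0
"""


def masked_match(addr, net, mask):
    """True when addr and net agree on every bit set in mask (the 'modifier')."""
    a, n, m = (int(IPv4Address(x)) for x in (addr, net, mask))
    return a & m == n & m


def parse_sockd_conf(text):
    """Return [(permit, src, smask, dst, dmask, op, port), ...] in file order."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] not in ("permit", "deny") or len(f) < 3:
            raise ValueError(f"bad sockd.conf line: {line!r}")
        src, smask, rest = f[1], f[2], f[3:]
        dst = dmask = None
        if len(rest) >= 2 and rest[0] not in OPS:      # optional destination pair
            dst, dmask, rest = rest[0], rest[1], rest[2:]
        op = port = None
        if len(rest) == 2:                              # optional port test
            op, port = OPS[rest[0]], int(rest[1])
        elif rest:
            raise ValueError(f"bad sockd.conf line: {line!r}")
        rules.append((f[0] == "permit", src, smask, dst, dmask, op, port))
    return rules


def sockd_decide(rules, src_ip, dst_ip, dst_port):
    """First matching line decides; no match means deny."""
    for permit, src, smask, dst, dmask, op, port in rules:
        if not masked_match(src_ip, src, smask):
            continue
        if dst is not None and not masked_match(dst_ip, dst, dmask):
            continue
        if op is not None and not op(dst_port, port):
            continue
        return permit
    return False


if __name__ == "__main__":
    troop = parse_sockd_conf(TROOP_CONF)
    merc = parse_sockd_conf(MERCENARY_CONF)
    bad = parse_sockd_conf(BAD_CONF)
    print("troop: file server to smtp ", sockd_decide(troop, "192.168.2.17", "204.1.2.3", 25))
    print("troop: workstation to web  ", sockd_decide(troop, "192.168.2.5", "204.1.2.3", 80))
    print("troop: workstation to smtp ", sockd_decide(troop, "192.168.2.5", "204.1.2.3", 25))
    print("merc:  workstation to web  ", sockd_decide(merc, "192.168.2.5", "204.1.2.3", 80))
    print("bad:   outsider to web     ", sockd_decide(bad, "10.0.0.1", "204.1.2.3", 80))
```

<P>Running it shows the file server refused on the troop box, Web access refused there but allowed on the mercenary box, an address outside 192.168.2.xxx refused by both, and the 0.0.0.0 modifier letting an outsider through the permit line before the deny line is ever consulted.</P>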
<P>This configuration should work correctly. Each network operates independently, with the appropriate amount of interaction between them. Everyone should be happy.
Now go take over the world!
<P>
<HR>
Next
<A HREF="Firewall-HOWTO-8.html">Previous</A>
<A HREF="Firewall-HOWTO.html#toc9">Contents</A>
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=big5">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>Firewall and Proxy Server HOWTO</TITLE>
 <LINK HREF="Firewall-HOWTO-1.html" REL=next>


</HEAD>
<BODY>
<A HREF="Firewall-HOWTO-1.html">Next</A>
Previous
Contents
<HR>
<H1>Firewall and Proxy Server HOWTO</H1>

<H2>Author: Mark Grennan, <CODE>markg@netplus.net</CODE><BR>
Translator: Chao Ping-wang <CODE>tchao@worldnet.att.net</CODE></H2>v0.4, 8 November 1996
<P><HR>
<EM>v0.4, 8 November 1996. This document describes the basic concepts of firewall systems and gives detailed steps for setting up a filtering firewall and proxy server on a Linux-based PC. The HTML version of this document is available at <EM>http://okcforum.org/~markg/Firewall-HOWTO.html</EM></EM>
<HR>
<P>
<H2><A NAME="toc1">1.</A> <A HREF="Firewall-HOWTO-1.html">Introduction</A></H2>

<UL>
<LI><A HREF="Firewall-HOWTO-1.html#ss1.1">1.1 Feedback</A>
<LI><A HREF="Firewall-HOWTO-1.html#ss1.2">1.2 Disclaimer</A>
<LI><A HREF="Firewall-HOWTO-1.html#ss1.3">1.3 Copyright (translator's note: the copyright notice is not translated)</A>
<LI><A HREF="Firewall-HOWTO-1.html#ss1.4">1.4 My Reasons for Writing This</A>
<LI><A HREF="Firewall-HOWTO-1.html#ss1.5">1.5 Work Still To Be Done</A>
<LI><A HREF="Firewall-HOWTO-1.html#ss1.6">1.6 Further Reading</A>
</UL>
<P>
<H2><A NAME="toc2">2.</A> <A HREF="Firewall-HOWTO-2.html">What a Firewall Is</A></H2>

<UL>
<LI><A HREF="Firewall-HOWTO-2.html#ss2.1">2.1 Drawbacks with Firewalls</A>
<LI><A HREF="Firewall-HOWTO-2.html#ss2.2">2.2 Types of Firewalls</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="Firewall-HOWTO-3.html">Setting up the Firewall</A></H2>

<UL>
<LI><A HREF="Firewall-HOWTO-3.html#ss3.1">3.1 Hardware Requirements</A>
</UL>
<P>
<H2><A NAME="toc4">4.</A> <A HREF="Firewall-HOWTO-4.html">Firewalling Software</A></H2>

<UL>
<LI><A HREF="Firewall-HOWTO-4.html#ss4.1">4.1 Available Packages</A>
<LI><A HREF="Firewall-HOWTO-4.html#ss4.2">4.2 The Differences Between the TIS Firewall Toolkit and SOCKS</A>
</UL>
<P>
<H2><A NAME="toc5">5.</A> <A HREF="Firewall-HOWTO-5.html">Setting up the Linux System</A></H2>

<UL>
<LI><A HREF="Firewall-HOWTO-5.html#ss5.1">5.1 Compiling the Kernel</A>
<LI><A HREF="Firewall-HOWTO-5.html#ss5.2">5.2 Configuring Two Network Cards</A>
<LI><A HREF="Firewall-HOWTO-5.html#ss5.3">5.3 Configuring the Network Addresses</A>
<LI><A HREF="Firewall-HOWTO-5.html#ss5.4">5.4 Testing the Network</A>
<LI><A HREF="Firewall-HOWTO-5.html#ss5.5">5.5 Securing the Firewall</A>
</UL>
<P>
<H2><A NAME="toc6">6.</A> <A HREF="Firewall-HOWTO-6.html">IP Filtering Setup (IPFWADM)</A></H2>

<P>
<H2><A NAME="toc7">7.</A> <A HREF="Firewall-HOWTO-7.html">Installing the TIS Proxy Server</A></H2>

<UL>
<LI><A HREF="Firewall-HOWTO-7.html#ss7.1">7.1 Getting the Software</A>
<LI><A HREF="Firewall-HOWTO-7.html#ss7.2">7.2 Compiling the TIS FWTK</A>
<LI><A HREF="Firewall-HOWTO-7.html#ss7.3">7.3 Installing the TIS FWTK</A>
<LI><A HREF="Firewall-HOWTO-7.html#ss7.4">7.4 Configuring the TIS FWTK</A>
</UL>
<P>
<H2><A NAME="toc8">8.</A> <A HREF="Firewall-HOWTO-8.html">The SOCKS Proxy Server</A></H2>

<UL>
<LI><A HREF="Firewall-HOWTO-8.html#ss8.1">8.1 Setting up the Proxy Server</A>
<LI><A HREF="Firewall-HOWTO-8.html#ss8.2">8.2 Configuring the Proxy Server</A>
<LI><A HREF="Firewall-HOWTO-8.html#ss8.3">8.3 Working With a Proxy Server</A>
<LI><A HREF="Firewall-HOWTO-8.html#ss8.4">8.4 Drawbacks with Proxy Servers</A>
</UL>
<P>
<H2><A NAME="toc9">9.</A> <A HREF="Firewall-HOWTO-9.html">Advanced Configurations</A></H2>

<UL>
<LI><A HREF="Firewall-HOWTO-9.html#ss9.1">9.1 A Large Network with Emphasis on Security</A>
</UL>
<HR>
<A HREF="Firewall-HOWTO-1.html">Next</A>
Previous
Contents
</BODY>
</HTML>