From: georgehill (清风浮云 人生), Board: Linux
Subject: ipfilter-howto(1-3) (forwarded)
Site: BBS 荔园晨风站 (Thu Nov 2 23:07:13 2000), local mail
[ The following text is forwarded from georgehill's mailbox ]
[ Originally posted by georgehill.bbs@smth.org ]
From: snofe ([听潮阁主人]), Board: FreeBSD
Subject: ipfilter-howto(1-3) (forwarded)
Site: BBS 水木清华站 (Tue Oct 31 13:41:51 2000)
IP Filter Based Firewalls HOWTO
Brendan Conoboy <synk@swcp.com>
Erik Fichtner <emf@obfuscation.org>
Thu Sep 28 00:23:22 EDT 2000
Abstract: This document is intended to introduce a new
user to the IP Filter firewalling package and, at the
same time, teach the user some basic fundamentals of
good firewall design.
1. Introduction
IP Filter is a great little firewall package. It does
just about everything other free firewalls (ipfwadm,
ipchains, ipfw) do, but it's also portable and does neat
stuff the others don't. This document is intended to make
some cohesive sense of the sparse documentation presently
available for ipfilter. Some prior familiarity with packet
filtering will be useful, however too much familiarity may
make this document a waste of your time. For greater
understanding of firewalls, the authors recommend reading
Building Internet Firewalls, Chapman & Zwicky, O'Reilly and
Associates; and TCP/IP Illustrated, Volume 1, Stevens,
Addison-Wesley.
1.1. Disclaimer
The authors of this document are not responsible for
any damages incurred due to actions taken based on this
document. This document is meant as an introduction to
building a firewall based on IP-Filter. If you do not feel
comfortable taking responsibility for your own actions, you
should stop reading this document and hire a qualified
security professional to install your firewall for you.
1.2. Copyright
Unless otherwise stated, HOWTO documents are copyrighted
by their respective authors. HOWTO documents may be
reproduced and distributed in whole or in part, in any
medium physical or electronic, as long as this copyright
notice is retained on all copies. Commercial redistribution
is allowed and encouraged; however, the authors would like
to be notified of any such distributions.
All translations, derivative works, or aggregate works
incorporating any HOWTO documents must be covered under this
copyright notice. That is, you may not produce a derivative
work from a HOWTO and impose additional restrictions on its
distribution. Exceptions to these rules may be granted under
certain conditions; please contact the HOWTO coordinator.
In short, we wish to promote dissemination of this
information through as many channels as possible. However,
we do wish to retain copyright on the HOWTO documents, and
would like to be notified of any plans to redistribute the
HOWTOs.
1.3. Where to obtain the important pieces
The official IPF homepage is at:
<http://coombs.anu.edu.au/~avalon/ip-filter.html>
The most up-to-date version of this document can be
found at: <http://www.obfuscation.org/ipf/>
2. Basic Firewalling
This section is designed to familiarize you with
ipfilter's syntax, and firewall theory in general. The features
discussed here are features you'll find in any good firewall
package. This section will give you a good foundation to
make reading and understanding the advanced section very
easy. It must be emphasized that this section alone is not
enough to build a good firewall, and that the advanced
section really is required reading for anybody who wants to
build an effective security system.
2.1. Config File Dynamics, Order and Precedence
IPF (IP Filter) has a config file (as opposed to say,
running some command again and again for each new rule).
The config file drips with Unix: There's one rule per line,
the "#" mark denotes a comment, and you can have a rule and
a comment on the same line. Extraneous whitespace is
allowed, and is encouraged to keep the rules readable.
2.2. Basic Rule Processing
The rules are processed from top to bottom, each one
appended after another. This quite simply means that if the
entirety of your config file is:
block in all
pass in all
The computer sees it as:
block in all
pass in all
Which is to say that when a packet comes in, the first thing
IPF applies is:
block in all
Should IPF deem it necessary to move on to the next rule, it
would then apply the second rule:
pass in all
At this point, you might want to ask yourself "would
IPF move on to the second rule?" If you're familiar with
ipfwadm or ipfw, you probably won't ask yourself this.
Shortly after, you will become bewildered at the weird way
packets are always getting denied or passed when they
shouldn't. Many packet filters stop comparing packets to
rulesets the moment the first match is made; IPF is not one
of them.
Unlike the other packet filters, IPF keeps a flag on
whether or not it's going to pass the packet. Unless you
interrupt the flow, IPF will go through the entire ruleset,
making its decision on whether or not to pass or drop the
packet based on the last matching rule. The scene: IP
Filter's on duty. It's been scheduled a slice of CPU
time. It has a checkpoint clipboard that reads:
block in all
pass in all
--
※ Source: BBS 水木清华站 smth.org [FROM: 202.199.66.62]
--
※ Reposted: BBS 荔园晨风站 bbs.szu.edu.cn [FROM: 192.168.1.115]
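The evaluation order explained in section 2.2, together with the config-file conventions of section 2.1, as an added example in Python that is not part of the HOWTO or of the IP Filter package. It parses a constructed two-rule config exactly like the one in the text and shows why IPF's last-match-wins walk gives the opposite verdict from the first-match-wins behaviour of ipfwadm/ipfw/ipchains. The parser, the rulesets, the addresses (RFC 5737 documentation ranges) and the default verdict of "pass" for a packet that matches no rule are all assumptions made for the example; `quick` is ipf's own keyword for the "interrupt the flow" case the text alludes to.

```python
"""Added example: a small simulator of IP Filter rule evaluation.

Parses a constructed ruleset in the subset of ipf syntax used on this
page (one rule per line, '#' comments, extra whitespace allowed) and
compares IPF's last-match-wins evaluation with the first-match-wins
behaviour of filters such as ipfw or ipchains.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(token):
    """'any' or a dotted address / CIDR block -> ip_network."""
    if token == "any":
        return ANY
    return ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    """Parse one line of the form
         action direction [quick] (all | from <addr> to <addr>)
    where action is pass|block and direction is in|out.
    Returns None for blank lines and comment-only lines."""
    line = line.split("#", 1)[0].strip()      # drop a trailing comment
    if not line:
        return None
    tokens = line.split()                      # extra whitespace is fine
    if len(tokens) < 3:
        raise ValueError(f"incomplete rule: {line!r}")
    action, direction, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    quick = rest[:1] == ["quick"]              # ipf's 'quick' keyword
    if quick:
        rest = rest[1:]
    if rest == ["all"]:
        src = dst = ANY
    elif len(rest) == 4 and rest[0] == "from" and rest[2] == "to":
        src, dst = _net(rest[1]), _net(rest[3])
    else:
        raise ValueError(f"unsupported address spec: {line!r}")
    return {"action": action, "direction": direction, "quick": quick,
            "src": src, "dst": dst, "text": line}


def load_rules(text):
    """Parse a whole config file, keeping rule order."""
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def matches(rule, direction, src, dst):
    return (rule["direction"] == direction
            and ipaddress.ip_address(src) in rule["src"]
            and ipaddress.ip_address(dst) in rule["dst"])


def decide_ipf(rules, direction, src, dst, default="pass"):
    """IPF semantics: walk the entire ruleset and keep the verdict of the
    LAST matching rule; a matching 'quick' rule ends the walk early.
    The verdict for a packet matching nothing is assumed to be 'pass'
    here (the real compiled-in default is configurable)."""
    verdict = default
    for rule in rules:
        if matches(rule, direction, src, dst):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


def decide_first_match(rules, direction, src, dst, default="pass"):
    """First-match semantics, for comparison with ipfw/ipchains."""
    for rule in rules:
        if matches(rule, direction, src, dst):
            return rule["action"]
    return default


# Constructed rulesets; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges used as placeholders.
PAGE_RULESET = """
    block in all      # the two-line config from the text
    pass  in all
"""

QUICK_RULESET = """
    block in quick from 192.0.2.0/24 to any   # stop the walk for this source
    pass  in all
"""

if __name__ == "__main__":
    rules = load_rules(PAGE_RULESET)
    print("ipf        :", decide_ipf(rules, "in", "198.51.100.7", "192.0.2.1"))
    print("first-match:", decide_first_match(rules, "in", "198.51.100.7", "192.0.2.1"))
    qrules = load_rules(QUICK_RULESET)
    print("ipf quick  :", decide_ipf(qrules, "in", "192.0.2.5", "198.51.100.1"))
```

Run stand-alone, the first line reports "pass" (IPF: the later `pass in all` is the last match) while the second reports "block" (a first-match filter stops at `block in all`), which is the bewilderment the text warns about. The `quick` ruleset shows the one way to make IPF stop early: a packet from 192.0.2.0/24 is blocked at the first rule and the trailing `pass in all` is never consulted.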