00000012.htm (from the archive "A good introductory Linux document")
#
# Authentication server and client rules
authsrv: database /usr/local/etc/fw-authdb
authsrv: permit-hosts *
authsrv: badsleep 1200
authsrv: nobogus true
# Client Applications using the Authentication server
*: authserver 127.0.0.1 114

To initialize the database, first su to root, then run ./authsrv in /var/local/etc to create the user records, as shown below:

Information on creating users and groups can be found in the FWTK documentation.

#
# authsrv
authsrv# list
authsrv# adduser admin "Auth DB admin"
ok - user added initially disabled
authsrv# ena admin
enabled
authsrv# proto admin pass
changed
authsrv# pass admin "plugh"
Password changed.
authsrv# superwiz admin
set wizard
authsrv# list
Report for users in database
user   group  longname            ok?   proto  last
------ ------ ------------------ ----- ------ -----
admin         Auth DB admin       ena   passw  never
authsrv# display admin
Report for user admin (Auth DB admin)
Authentication protocol: password
Flags: WIZARD
authsrv# ^D
EOT
#
The telnet gateway is the most straightforward, and it is the first one you need to set up.

In my example, all internal users need no authentication (permit-hosts 196.1.2.* -passok -xok), while all other users must be authenticated with an ID and password (permit-hosts * -auth). I also specifically allow the user at 196.1.2.202 to access the proxy server directly without going through the firewall; the two netacl-in.telnetd lines show this, and I will explain the invocation process next.

The telnet timeout should be set as small as possible.

# telnet gateway rules:
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: timeout 90
tn-gw: permit-hosts 196.1.2.* -passok -xok
tn-gw: permit-hosts * -auth
# Only the Administrator can telnet directly to the Firewall via Port 24
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd

The rlogin rules are similar to those for telnet.
# rlogin gateway rules:
rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
rlogin-gw: timeout 90
rlogin-gw: permit-hosts 196.1.2.* -passok -xok
rlogin-gw: permit-hosts * -auth -xok
# Only the Administrator can telnet directly to the Firewall via Port
netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a

Do not allow anyone to access your firewall directly, not even by FTP. So avoid installing an FTP server on the firewall machine.

It is worth repeating that all internal users are allowed free access to the Internet here, while everyone else must authenticate. I have also enabled logging of file retrievals and stores:

(-log { retr stor })

The ftp timeout specifies the longest time the firewall will wait on a dead FTP connection.

# ftp gateway rules:
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 300
ftp-gw: permit-hosts 196.1.2.* -log { retr stor }
ftp-gw: permit-hosts * -authall -log { retr stor }

Web, gopher and browser-based FTP are handled by http-gw. The first two lines set up a directory for caching the web pages and ftp files that pass through the firewall; I make root the owner of these files and keep them in a directory that only root can access.
The web connection timeout should be kept small; it controls how long a user waits on a dead connection.

# www and gopher gateway rules:
http-gw: userid root
http-gw: directory /jail
http-gw: timeout 90
http-gw: default-httpd www.afs.net
http-gw: hosts 196.1.2.* -log { read write ftp }
http-gw: deny-hosts *

ssl-gw is purely a pass-through, so set it up carefully. Here I allow internal users to reach every external address except 127.0.0.* and 192.1.1.*, and only on ports 443 through 563, the common SSL ports.

# ssl gateway rules:
ssl-gw: timeout 300
ssl-gw: hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
ssl-gw: deny-hosts *

The following example shows how to proxy a news server with plug-gw, allowing internal users to reach only one external server, and only on one port.

The second line allows the news server to send data into the internal network.

Almost all news clients hold the connection open while the user reads news, so the news server is given a long timeout here.

# NetNews Plugged gateway
plug-gw: timeout 3600
plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp

finger-gw is fairly simple: any internal user must first log in to the firewall and then run finger, while other callers get a message (finger.txt).
# Enable finger service
netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

I have not proxied the Mail or X Window services, so I cannot offer examples for them; contributions by mail are welcome.

About inetd.conf

Below is an example inetd.conf file with all unnecessary services commented out. I have included the whole file anyway, to show how services are turned off and how new services are enabled for the firewall.

#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
# FTP firewall gateway
ftp-gw stream tcp nowait.400 root /usr/local/etc/ftp-gw ftp-gw
# Telnet firewall gateway
telnet stream tcp nowait root /usr/local/etc/tn-gw /usr/local/etc/tn-gw
# local telnet services
telnet-a stream tcp nowait root /usr/local/etc/netacl in.telnetd
# Gopher firewall gateway
gopher stream tcp nowait.400 root /usr/local/etc/http-gw /usr/local/etc/http-gw
# WWW firewall gateway
http stream tcp nowait.400 root /usr/local/etc/http-gw /usr/local/etc/http-gw
# SSL firewall gateway
ssl-gw stream tcp nowait root /usr/local/etc/ssl-gw ssl-gw
# NetNews firewall proxy (using plug-gw)
nntp stream tcp nowait root /usr/local/etc/plug-gw plug-gw nntp
#nntp stream tcp nowait root /usr/sbin/tcpd in.nntpd
# SMTP (email) firewall gateway
#smtp stream tcp nowait root /usr/local/etc/smap smap
#
# Shell, login, exec and talk are BSD protocols.
#
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
#talk dgram udp wait root /usr/sbin/tcpd in.talkd
#ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
#dtalk stream tcp wait nobody /usr/sbin/tcpd in.dtalkd
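As an added example (not part of the HOWTO and not FWTK code), a small Python model of how the netperm-table access rules above are evaluated: the rules for one proxy are scanned top to bottom and the first whose source pattern matches wins, `*` is a wildcard, and a `-dest { }` list is scanned the same way, with `!` entries excluding a destination and host:lo:hi entries limiting the port range. The sample table is constructed from the tn-gw and ssl-gw stanzas above; the assumption that a destination matched by no -dest entry is refused is mine, not documented FWTK behaviour.

```python
import fnmatch
# Constructed sample: the tn-gw and ssl-gw stanzas from the table above.
SAMPLE_TABLE = """
tn-gw: permit-hosts 196.1.2.* -passok -xok
tn-gw: permit-hosts * -auth
ssl-gw: timeout 300
ssl-gw: hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
ssl-gw: deny-hosts *
"""

ACL_VERBS = ('permit-hosts', 'hosts', 'deny-hosts')

def parse_table(text):
    """Return access rules as dicts; timeout, denial-msg etc. are settings, not ACL."""
    rules = []
    for line in text.splitlines():
        proxy, _, rest = line.split('#', 1)[0].partition(':')
        tokens = rest.split()
        if len(tokens) < 2 or tokens[0] not in ACL_VERBS:
            continue
        opts, dest = tokens[2:], []
        if '-dest' in opts:                    # split off the { ... } block
            i, j = opts.index('-dest'), opts.index('}')
            dest, opts = opts[i + 2:j], opts[:i] + opts[j + 1:]
        rules.append({'proxy': proxy.strip(), 'verb': tokens[0],
                      'pattern': tokens[1], 'flags': opts, 'dest': dest})
    return rules

def dest_allowed(dest_list, host, port):
    """Scan a -dest list in order: '!' excludes, host:lo:hi limits the port range.
    Modelling assumption: a destination matched by no entry is refused."""
    for entry in dest_list:
        hostpat, *ports = entry.lstrip('!').split(':')
        if not fnmatch.fnmatchcase(host, hostpat):
            continue
        if len(ports) == 2 and not int(ports[0]) <= port <= int(ports[1]):
            continue
        return not entry.startswith('!')
    return False

def decide(rules, proxy, src, dst=None, port=None):
    """First matching rule for `proxy` wins: ('permit', flags) or ('deny', [])."""
    for r in rules:
        if r['proxy'] != proxy or not fnmatch.fnmatchcase(src, r['pattern']):
            continue
        if r['verb'] == 'deny-hosts':
            return ('deny', [])
        if r['dest'] and not dest_allowed(r['dest'], dst, port):
            return ('deny', [])
        return ('permit', r['flags'])
    return ('deny', [])            # no rule matched the source: refused by default
```

decide() hands back the flags of the matching rule, so a caller can see whether a connection would be waved through with -passok or forced through authsrv with -auth.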
