00000005.htm

一份很好的linux入门资料

<HTML>

<HEAD>
  <TITLE>BBS水木清华站∶精华区</TITLE>
</HEAD>

<BODY>

<CENTER><H1>BBS水木清华站∶精华区</H1></CENTER>

发信人:&nbsp;zixia&nbsp;(Do&nbsp;you&nbsp;zixia&nbsp;tonight),&nbsp;信区:&nbsp;Linux&nbsp;<BR>
标&nbsp;&nbsp;题:&nbsp;3.&nbsp;So&nbsp;What's&nbsp;A&nbsp;Packet&nbsp;Filter?&nbsp;<BR>
发信站:&nbsp;BBS&nbsp;水木清华站&nbsp;(Wed&nbsp;Oct&nbsp;11&nbsp;01:17:06&nbsp;2000)&nbsp;WWW-POST&nbsp;<BR>
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Linux&nbsp;2.4&nbsp;Packet&nbsp;Filtering&nbsp;HOWTO:&nbsp;So&nbsp;What's&nbsp;A&nbsp;Packet&nbsp;Filter?&nbsp;(p1&nbsp;of&nbsp;&nbsp;<BR>
3)
&nbsp;<BR>

&nbsp;<BR>

&nbsp;<BR>

&nbsp;<BR>

&nbsp;<BR>
3.&nbsp;So&nbsp;What's&nbsp;A&nbsp;Packet&nbsp;Filter?
&nbsp;<BR>

&nbsp;<BR>
&nbsp;&nbsp;&nbsp;A&nbsp;packet&nbsp;filter&nbsp;is&nbsp;a&nbsp;piece&nbsp;of&nbsp;software&nbsp;which&nbsp;looks&nbsp;at&nbsp;the&nbsp;header&nbsp;of
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;packets&nbsp;as&nbsp;they&nbsp;pass&nbsp;through,&nbsp;and&nbsp;decides&nbsp;the&nbsp;fate&nbsp;of&nbsp;the&nbsp;entire&nbsp;packet.
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;It&nbsp;might&nbsp;decide&nbsp;to&nbsp;DROP&nbsp;the&nbsp;packet&nbsp;(i.e.,&nbsp;discard&nbsp;the&nbsp;packet&nbsp;as&nbsp;if&nbsp;it&nbsp;had
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;never&nbsp;received&nbsp;it),&nbsp;ACCEPT&nbsp;the&nbsp;packet&nbsp;(i.e.,&nbsp;let&nbsp;the&nbsp;packet&nbsp;go&nbsp;through),
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;or&nbsp;something&nbsp;more&nbsp;complicated.
&nbsp;<BR>

&nbsp;<BR>
LinUnder&nbsp;Linux,&nbsp;packet&nbsp;filtering&nbsp;is&nbsp;built&nbsp;into&nbsp;the&nbsp;kernel&nbsp;(as&nbsp;a&nbsp;kernelhere&nbsp;a&nbsp;&nbsp;<BR>
Ma
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;module,&nbsp;or&nbsp;built&nbsp;right&nbsp;in),&nbsp;and&nbsp;there&nbsp;are&nbsp;a&nbsp;few&nbsp;trickier&nbsp;things&nbsp;we&nbsp;can&nbsp;do
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;with&nbsp;packets,&nbsp;but&nbsp;the&nbsp;general&nbsp;principle&nbsp;of&nbsp;looking&nbsp;at&nbsp;the&nbsp;headers&nbsp;and
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;deciding&nbsp;the&nbsp;fate&nbsp;of&nbsp;the&nbsp;packet&nbsp;is&nbsp;still&nbsp;there.-------------------------
&nbsp;<BR>

&nbsp;<BR>
3.1&nbsp;Why&nbsp;Would&nbsp;I&nbsp;Want&nbsp;to&nbsp;Packet&nbsp;Filter?there&nbsp;a&nbsp;Mailing&nbsp;List?
&nbsp;<BR>

&nbsp;<BR>
&nbsp;&nbsp;&nbsp;Control.&nbsp;Security.&nbsp;Watchfulness.
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;Thanks&nbsp;to&nbsp;Filewatcher.
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;Control:ks&nbsp;to&nbsp;The&nbsp;Samba&nbsp;Team&nbsp;and&nbsp;SGI.
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;Thanks&nbsp;to&nbsp;Jim&nbsp;Pick.
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;when&nbsp;you&nbsp;are&nbsp;using&nbsp;a&nbsp;Linux&nbsp;box&nbsp;to&nbsp;connect&nbsp;your&nbsp;internal&nbsp;network&nbsp;&nbsp;<BR>
to
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;For&nbsp;the&nbsp;another&nbsp;network&nbsp;(say,&nbsp;the&nbsp;Internet)&nbsp;you&nbsp;have&nbsp;an&nbsp;opportunity&nbsp;to
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;allow&nbsp;certain&nbsp;types&nbsp;of&nbsp;traffic,&nbsp;and&nbsp;disallow&nbsp;others.&nbsp;For&nbsp;example,
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;------the&nbsp;header&nbsp;of&nbsp;a&nbsp;packet&nbsp;contains&nbsp;the&nbsp;destination&nbsp;address&nbsp;of&nbsp;the--
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;packet,&nbsp;so&nbsp;you&nbsp;can&nbsp;prevent&nbsp;packets&nbsp;going&nbsp;to&nbsp;a&nbsp;certain&nbsp;part&nbsp;of&nbsp;the
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;Next&nbsp;Preoutside&nbsp;network.&nbsp;As&nbsp;another&nbsp;example,&nbsp;I&nbsp;use&nbsp;Netscape&nbsp;to&nbsp;access&nbsp;the
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Dilbert&nbsp;archives.&nbsp;There&nbsp;are&nbsp;advertisements&nbsp;from&nbsp;doubleclick.net&nbsp;&nbsp;<BR>
on
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;the&nbsp;page,&nbsp;and&nbsp;Netscape&nbsp;wastes&nbsp;my&nbsp;time&nbsp;by&nbsp;cheerfully&nbsp;downloading
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;them.&nbsp;Telling&nbsp;the&nbsp;packet&nbsp;filter&nbsp;not&nbsp;to&nbsp;allow&nbsp;any&nbsp;packets&nbsp;to&nbsp;or
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;from&nbsp;the&nbsp;addresses&nbsp;owned&nbsp;by&nbsp;doubleclick.net&nbsp;solves&nbsp;that&nbsp;problem
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(there&nbsp;are&nbsp;better&nbsp;ways&nbsp;of&nbsp;doing&nbsp;this&nbsp;though:&nbsp;see&nbsp;Junkbuster).
&nbsp;<BR>

&nbsp;<BR>
&nbsp;&nbsp;&nbsp;Security:
&nbsp;<BR>

&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;when&nbsp;your&nbsp;Linux&nbsp;box&nbsp;is&nbsp;the&nbsp;only&nbsp;thing&nbsp;between&nbsp;the&nbsp;chaos&nbsp;of&nbsp;the
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Internet&nbsp;and&nbsp;your&nbsp;nice,&nbsp;orderly&nbsp;network,&nbsp;it's&nbsp;nice&nbsp;to&nbsp;know&nbsp;you&nbsp;&nbsp;<BR>
can
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;restrict&nbsp;what&nbsp;comes&nbsp;tromping&nbsp;in&nbsp;your&nbsp;door.&nbsp;For&nbsp;example,&nbsp;you&nbsp;might
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;allow&nbsp;anything&nbsp;to&nbsp;go&nbsp;out&nbsp;from&nbsp;your&nbsp;network,&nbsp;but&nbsp;you&nbsp;might&nbsp;be
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;worried&nbsp;about&nbsp;the&nbsp;well-known&nbsp;`Ping&nbsp;of&nbsp;Death'&nbsp;coming&nbsp;in&nbsp;&nbsp;<BR>
from
&nbsp;<BR>
LinUnder&nbsp;Limalicious&nbsp;outsiders.&nbsp;As&nbsp;another&nbsp;example,&nbsp;you&nbsp;might&nbsp;not&nbsp;wanthere&nbsp;a&nbsp;&nbsp;<BR>
Ma
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;mo&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;outsiders&nbsp;telnetting&nbsp;to&nbsp;your&nbsp;Linux&nbsp;box,&nbsp;even&nbsp;though&nbsp;all&nbsp;your&nbsp;&nbsp;&nbsp;&nbsp;o
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;with&nbsp;pacaccounts&nbsp;have&nbsp;passwords.&nbsp;Maybe&nbsp;you&nbsp;want&nbsp;(like&nbsp;most&nbsp;people)&nbsp;to&nbsp;be
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;an&nbsp;observer&nbsp;on&nbsp;the&nbsp;Internet,&nbsp;and&nbsp;not&nbsp;a&nbsp;server&nbsp;(willing&nbsp;or-------
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;otherwise).&nbsp;Simply&nbsp;don't&nbsp;let&nbsp;anyone&nbsp;connect&nbsp;in,&nbsp;by&nbsp;having&nbsp;the
&nbsp;<BR>
3.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;packet&nbsp;filter&nbsp;reject&nbsp;incoming&nbsp;packets&nbsp;used&nbsp;to&nbsp;set&nbsp;up&nbsp;connections.
&nbsp;<BR>

&nbsp;<BR>
&nbsp;&nbsp;&nbsp;Watchfulness:
&nbsp;<BR>

&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sometimes&nbsp;a&nbsp;badly&nbsp;configured&nbsp;machine&nbsp;on&nbsp;the&nbsp;local&nbsp;network&nbsp;will
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;decide&nbsp;to&nbsp;spew&nbsp;packets&nbsp;to&nbsp;the&nbsp;outside&nbsp;world.&nbsp;It's&nbsp;nice&nbsp;to&nbsp;tell&nbsp;&nbsp;<BR>
the
&nbsp;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;packet&nbsp;filter&nbsp;to&nbsp;let&nbsp;you&nbsp;know&nbsp;if&nbsp;anything&nbsp;abnormal&nbsp;occurs;&nbsp;&nbsp;<BR>
maybeto
&nbsp;<BR>