firewall proxy howto.htm

Linux初学者最好的老师就是howto了。相当于函数man。

<br>FWTKSRCDIR=/usr/src/fwtk/fwtk
<br>其次,有些linux系统使用gdbm数据库.而Makefile.config中缺省的是dbm也许你的需要修
<br>改.我的/linux版本是 redhat 3.0.3.
<br>DBMLIB=-lgdbm
<br>最后一处在x-gw中,这个BETA版的socket.c有BUG,解决方法是去掉下面的一段代码:
<p>#ifdef SCM_RIGHTS /* 4.3BSD Reno and later */
<br>+ sizeof(un_name->sun_len) + 1
<br>#endif
<p>如果你在FWTK源目录中加入了ssl-gw,还要把它的目录加到 Makefile里:
<br>　
<br>DIRS=smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw
ssl-gw
<p>现在,可以运行make了.
<p>　
<p>7.3 安装TIS FWTK
<br>&nbsp;
<p>运行 make install
<p>缺省的安装目录为/usr/local/etc.你可以把它改到一个更安全的目录,我没改,而是把这
<br>个目录的权限设为'chmod 700'.
<p>剩下的就只有配置工作了.
<p>　
<br>7.4 配置 TIS FWTK
<br>这才是真正引人入胜的部分.我们要让系统能够调用这些新加入的服务,并建立相应的控制
<br>信息.
<p>我不想重复TIS FWTK手册的内容.只说明一些我所遇到的问题及其解决方法.
<p>有三个文件组成了所有的控制.
<br>* /etc/services&nbsp; 告诉系统服务所在的端口
<br>* /etc/inetd.conf&nbsp; 决定inetd在某端口收到服务请求时调用哪个程序
<br>*/usr/local/etc/netperm-table&nbsp; 决定FWTK对服务请求的许可/拒绝为使
FWTK 发挥作用,
<br>你最好从头编辑这些文件.忽略其中任何一个都可能导致系统失效.
<p>　
<p>netperm-table
<br>该文件用来控制对TIS FWTK服务的访问授权.要同时考虑防火墙两边的情况.外部的用户必
<br>须经过验证后才能获得访问权,内部用户则可以允许直接通过.
<br>&nbsp;
<p>TIS 防火墙可以进行身份验证,系统通过一个authsrv的程序管理一个用户ID和密码的数据
<br>库。netperm-table的授权部分指定了数据库的位置及访问权限.
<br>&nbsp;
<p>我在禁止对该服务读取时遇到了一些麻烦.注意我给出的是在permit-host行中
'*'表示给
<br>所有用户访问权.而正确的设置应该是
<p>'' authsrv: premit-hosts localhost.
<p>#
<p># Proxy configuration table
<p>#
<p># Authentication server and client rules
<p>authsrv: database /usr/local/etc/fw-authdb
<p>authsrv: permit-hosts *
<p>authsrv: badsleep 1200
<p>authsrv: nobogus true
<p># Client Applications using the Authentication server
<p>*: authserver 127.0.0.1 114
<br>&nbsp;
<p>初始化数据库时,要先su到root,在/var/local/etc下运行./authsrv创建用户的记录,
<p>如下所示:
<br>&nbsp;
<p>可以在FWTK的文档中找到创建用户及组的信息.
<br>#
<p># authsrv
<p>authsrv# list
<p>authsrv# adduser admin “Auth DB admin”
<p>ok - user added initially disabled
<p>authsrv# ena admin
<p>enabled
<p>authsrv# proto admin pass
<p>changed
<p>authsrv# pass admin “plugh”
<p>Password changed.
<p>authsrv# superwiz admin
<p>set wizard
<p>authsrv# list
<p>Report for users in database
<p>user group longname ok? proto last
<p>------ ------ ------------------ ----- ------ -----
<p>admin Auth DB admin ena passw never
<p>authsrv# display admin
<p>Report for user admin (Auth DB admin)
<p>Authentication protocol: password
<p>Flags: WIZARD
<p>authsrv# ^D
<p>EOT
<p>#
<br>&nbsp;
<br>&nbsp;
<p>telnet网关是最直截了当的并且是你第一个需要设置的.
<p>在我的例子中,所有内部的用户无须认证(permit-hosts 196.1.2.* -passok-xok),而其余
<br>用户必须经过ID和密码的验证.(permit-hosts *-auth)我还特别允许 196.1.2.202的用户
<br>不经过防火墙直接访问代理服务器.有关inetacl-in.telnetd的两行表现了这一点,接下去
<br>我就会解释调用的过程.
<p>Telnet的timeout应尽量设小.
<p># telnet gateway rules:
<p>tn-gw: denial-msg /usr/local/etc/tn-deny.txt
<p>tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
<p>tn-gw: help-msg /usr/local/etc/tn-help.txt
<p>tn-gw: timeout 90
<p>tn-gw: permit-hosts 196.1.2.* -passok -xok
<p>tn-gw: permit-hosts * -auth
<p># Only the Administrator can telnet directly to the Firewall via Port
24
<p>netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
<br>&nbsp;
<p>rlogin的命令与telnet相仿.
<p># rlogin gateway rules:
<p>rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
<p>rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
<p>rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
<p>rlogin-gw: timeout 90
<p>rlogin-gw: permit-hosts 196.1.2.* -passok -xok
<p>rlogin-gw: permit-hosts * -auth -xok
<p># Only the Administrator can telnet directly to the Firewall via Port
<p>netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind
-a
<p>不要允许任何人直接访问你的防火墙，即使FTP访问也不行.因此要避免在防火墙机器上安
<br>装FTP服务.
<br>&nbsp;
<p>值得重申的是,这里允许所有内部用户自由访问Internet,而其他用户则必须通过验证.
我
<br>还启用了文件收发的记录.
<br>&nbsp;
<p>(-log { retr stor })
<p>　
<br>ftp timeout指定防火墙对一个失效FTP连接的最长等待时间.
<br>&nbsp;
<p># ftp gateway rules:
<p>ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
<p>ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
<p>ftp-gw: help-msg /usr/local/etc/ftp-help.txt
<p>ftp-gw: timeout 300
<p>ftp-gw: permit-hosts 196.1.2.* -log { retr stor }
<p>ftp-gw: permit-hosts * -authall -log { retr stor }
<br>&nbsp;
<p>Web,gopher, 和基于浏览器的FTP由http-gw来完成. 前两行建立目录来缓存通过防火墙的
<br>web页面和ftp文件,我把这些文件的所有者设为root,并保存在只有root才能访问的目录中.
<br>&nbsp;
<p>Web connection应保持在一个较小的值,它控制用户等待一个失效连接的时间.
<br>&nbsp;
<p># www and gopher gateway rules:
<p>http-gw: userid root
<p>http-gw: directory /jail
<p>http-gw: timeout 90
<p>http-gw: default-httpd www.afs.net
<p>http-gw: hosts 196.1.2.* -log { read write ftp }
<p>http-gw: deny-hosts *
<br>&nbsp;
<p>ssl-gw只有一个传递作用, 要小心设置. 在这里, 我允许内部用户访问除 127.0.0.*
和
<br>192.1.1.*以外的所有外部地址.且只能访问443到563端口,这些是通用的SSL端口.
<br>&nbsp;
<p># ssl gateway rules:
<p>ssl-gw: timeout 300
<p>ssl-gw: hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
<p>ssl-gw: deny-hosts *
<br>&nbsp;
<p>下例说明怎样使用plug-gw代理news server,只允许内部用户访问一个外部server,且只能
<br>访问一个端口。
<br>　
<br>第二行设置允许news server将数据送入内部网.
<br>&nbsp;
<p>几乎所有的news client在用户阅读news时保持连接状态,因此这里给news server规定了
<br>一个较长的等待时间(time out).
<br>&nbsp;
<p># NetNews Pluged gateway
<p>plug-gw: timeout 3600
<p>plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
<p>plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp
<br>&nbsp;
<p>finger-gw比较简单,任何内部用户只能先登录到防火墙,再运行finger,其他访问者将得到
<p>一个信息(finger.txt).
<p># Enable finger service
<p>netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
<p>netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
<br>&nbsp;
<p>我没有作过Mail和X-windows服务的代理,无法提供相应的例子,欢迎来信补充.
<br>&nbsp;
<p>关于inetd.conf
<br>&nbsp;
<p>下面是一例inetd.conf文件,所有不必要的服务都被注释掉了. 但我还是包括了整个文件,
<br>以阐明怎样关闭服务及为防火墙开启新服务.
<p>#echo stream tcp nowait root internal
<p>#echo dgram udp wait root internal
<p>#discard stream tcp nowait root internal
<p>#discard dgram udp wait root internal
<p>#daytime stream tcp nowait root internal
<p>#daytime dgram udp wait root internal
<p>#chargen stream tcp nowait root internal
<p>#chargen dgram udp wait root internal
<p># FTP firewall gateway
<p>ftp-gw stream tcp nowait.400 root /usr/local/etc/ftp-gw ftp-gw
<p># Telnet firewall gateway
<p>telnet stream tcp nowait root /usr/local/etc/tn-gw /usr/local/etc/tn-gw
<p># local telnet services
<p>telnet-a stream tcp nowait root /usr/local/etc/netacl in.telnetd
<p># Gopher firewall gateway
<p>gopher stream tcp nowait.400 root /usr/local/etc/http-gw /usr/local/etc/http-gw
<p># WWW firewall gateway
<p>http stream tcp nowait.400 root /usr/local/etc/http-gw /usr/local/etc/http-gw
<p># SSL firewall gateway
<p>ssl-gw stream tcp nowait root /usr/local/etc/ssl-gw ssl-gw
<p># NetNews firewall proxy (using plug-gw)
<p>nntp stream tcp nowait root /usr/local/etc/plug-gw plug-gw nntp
<p>#nntp stream tcp nowait root /usr/sbin/tcpd in.nntpd
<p># SMTP (email) firewall gateway
<p>#smtp stream tcp nowait root /usr/local/etc/smap smap
<p>#
<p># Shell, login, exec and talk are BSD protocols.
<p>#
<p>#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
<p>#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
<p>#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
<p>#talk dgram udp wait root /usr/sbin/tcpd in.talkd
<p>#ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
<p>#dtalk stream tcp waut nobody /usr/sbin/tcpd in.dtalkd
<p>#
<p># Pop and imap mail services et al
<p>#
<p>#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
<p>#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
<p>#imap stream tcp nowait root /usr/sbin/tcpd imapd
<p>#
<p># The Internet UUCP service.
<p>#
<p>#uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l
<p>#
<p># Tftp service is provided primarily for booting. Most sites
<p># run this only on machines acting as “boot servers.” Do not uncomment
<p># this unless you *need* it.