index.docbook

linux系统下的一个防火墙guarddog

<listitem><para>
Go to the <guilabel>Protocol</guilabel> tab.
</para></listitem>
<listitem><para>
First make sure that <guilabel>Internet</guilabel> is selected in the 
<guilabel>Defined Network Zones:</guilabel> list. (It's at the top left
corner in the window.) The list should have two entries,
<guilabel>Internet</guilabel> and <guilabel>Local</guilabel>.
</para></listitem>
<listitem><para>
Open the <guilabel>Network</guilabel> part of the list view control in the
center of the window.
It should expand to show more options and check boxes with entries like
<guilabel>ICMP Redirect</guilabel> and <guilabel>DNS - Domain Name Server
</guilabel> for example.
</para></listitem>
<listitem><para>
To the right of the protocol list is a black box in the
<guilabel>Local</guilabel> column. The box is a check box. Click on it until it shows
a check mark (tick). The box has three states, unchecked, checked and crossed.
Just repetitively click on it to cycle through the states.
</para></listitem>
</itemizedlist>

<para>
Done. That is all you need to do to grant your machine permission to access
DNS servers on the Internet. Your screen should look like the picture below.
</para>
<para>
<screenshot>
<screeninfo>Reading the protocol tab</screeninfo>
	<mediaobject>
	  <imageobject>
	    <imagedata fileref="guarddog2_protocol.png" format="PNG"/>
	  </imageobject>
	  <textobject>
	    <phrase>Reading the protocol tab</phrase>
	  </textobject>
	</mediaobject>
</screenshot>
</para>
<para>
This illustration also summarises how to read all of the information presented
on the <guilabel>Protocol</guilabel> tab. There is a lot of information
packed into this one tab, but it is vital that you understand what it means
so that you can avoid misconfiguration.
</para>
</sect2>

<sect2>
<title>Protocol Organisation</title>

<para>
Once we have DNS permitted we can move on to permitting other common protocols
that we might want to use.
</para>

<para>
&kappname; supports many different network protocols. They are organised into
categories to make it easier to find what you want. The different categories are:
</para>

<itemizedlist>
<listitem><para>
<guilabel>Chat</guilabel> - Protocols used by chat programs like IRC and ICQ.
</para></listitem>
<listitem><para>
<guilabel>Data Serve</guilabel> - Protocols used by databases and other data sources like time
servers for example.
</para></listitem>
<listitem><para>
<guilabel>File Transfer</guilabel> - Protocols used to transfers files. HTTP
for the Web and FTP are very good examples.
</para></listitem>
<listitem><para>
<guilabel>Game</guilabel> - Protocols used by games for online multiplayer gaming.
</para></listitem>
<listitem><para>
<guilabel>Interactive Session</guilabel> - Protocols used for working on or
performing actions on a remote system. SSH Secure Shell, telnet and also RPC
protocols are here.
</para></listitem>
<listitem><para>
<guilabel>Mail</guilabel> - Protocols associated with delivering and moving
email. SMTP and POP3 are under here.
</para></listitem>
<listitem><para>
<guilabel>Media</guilabel> - Protocols used for delivering multimedia
across the internet.
</para></listitem>
<listitem><para>
<guilabel>Miscellaneous</guilabel> - Other protocols that really didn't fit
under the other categories.
</para></listitem>
<listitem><para>
<guilabel>Network</guilabel> - Protocols related to the operation of the
network itself.
</para></listitem>
<listitem><para>
<guilabel>User Defined</guilabel> - Protocols defined by the user on the
<guilabel>Advanced</guilabel> tab appear here.
</para></listitem>
</itemizedlist>

<para>
Naturally there is some overlap and some protocols could easily be
placed under a different category than the end they are currently in.
</para>

<tip><para>
Click on the name of a protocol to quickly get information about it. A
description of the protocol will appear in the area in the lower left corner
 of the window.
</para></tip>

</sect2>

<sect2>
<title>Permitting Common Protocols</title>

<para>
Here is a quick list of the most common protocols that you will probably
want to permit.
</para>

<itemizedlist>
<listitem><para>
HTTP - Used on the World Wide Web to move web pages around. If you want to
browse the web you will need this. It's in the <guilabel>File Transfer</guilabel>
category.
</para></listitem>
<listitem><para>
FTP - File Transfer Protocol. Used for uploading and downloading files. Also
commonly used on the web too. If you have seen something like "ftp://" in the
location bar on your web browser, then you have used FTP. FTP is in the
<guilabel>File Transfer</guilabel> category.
</para></listitem>
<listitem><para>
SMTP - Simple Mail Transport Protocol. Used for sending email around the
internet. It's in the <guilabel>Mail</guilabel> category.
</para></listitem>
<listitem><para>
POP3 - Post Office Protocol version 3. Commonly used for picking up and
downloading email from a mailbox located at an ISP. It's in the
<guilabel>Mail</guilabel> category.
</para></listitem>
</itemizedlist>

<warning><para>
Resist any temptation to permit all protocols. The more protocols you permit
the weaker your firewall will be. The idea is to only permit the protocols
you really need, and no more. Don't permit something just in case you might
need it in the future. If you need to permit another protocol in the future
then you can just come back to &kappname; and turn it on.
</para></warning>
</sect2>

<sect2>
<title>Applying your new Firewall</title>
<para>
Changes made in &kappname; don't take effect immediately. To activate your
changes you need to press the <guibutton>Apply</guibutton> button or the
<guibutton>OK</guibutton> button. The <guibutton>Ok</guibutton> button will
also quit the &kappname; once the firewall is in place. &kappname; will then
set up the networking subsystem on your machine with your new firewall
rules. Once you click on the <guibutton>Ok</guibutton> or
<guibutton>Apply</guibutton> button a warning message 
appears to warn you that changing the system's firewall may disrupt existing
network connections. Generally it is not a good idea to be doing anything
important on your network, like an FTP download for example, when you
<guibutton>Apply</guibutton> the firewall. After you click on the warning's
<guibutton>OK</guibutton> button another popup window will appear, showing
the firewall setup progress. If any errors occurred while setting up the 
firewall, they will be shown in the popup. Click on the
<guibutton>OK</guibutton> button to exit the popup window.
</para>

<para>
Done! Your new firewall should now be in place and working. From now on
whenever your system starts it will automatically be set up to use your
firewall. &kappname; does not have to be constantly running to protect
your computer. As your firewalling needs evolve you can just run &kappname;
again and modify the configuration.
</para>

<tip><para>
To see if your firewall is doing its job you can put it too a bit of a test.
Go over to <ulink url="http://grc.com/">Gibson Research Corporation</ulink> and
head towards the "Shields Up!" area and ask it to "Test My Shields!" or "Probe
My Ports!". It will then scan your machine and give you a report on what it
found. Hopefully it should give you a very positive report.
</para>
</tip>
</sect2>
</sect1>

<sect1 id="tutorial-zones">
<title>Tutorial: Using Zones</title>
<para>
In this tutorial we will build on what we have learnt in the first tutorial
and introduce the concept of <guilabel>Zones</guilabel>.
<guilabel>Zones</guilabel> allow you to precisely control which protocols
are permitted between different groups of computers.
</para>

<sect2>
<title>Introducing Zones</title>
<para>
In &kappname; a zone is just a bunch of IP addresses.
You may recall that IP addresses are like telephone numbers for machines
on the internet.  A zone more or less specifies a group of computers.
Once a zone has been created we can use the <guilabel>Protocol</guilabel>
tab to specify which protocols computers in the zone may use.
</para>

<para>
For example. If we know that the people at evil.com are evil and can not be
trusted, then we can restrict thier access to our computer by using zones.
First we create a zone called "Bad Guys" and place evil.com in it. Next we
go to the <guilabel>Protocol</guilabel> tab and make sure that no
protocols are selected between the "Bad Guys" zone and the "Local" zone. (The
<guilabel>Local</guilabel> zone represents the local machine). This
way we can limit, or even completely block evil.com's access to our computer.
</para>

<para>
<screenshot>
<screeninfo>Placing the Bad Guys in a zone and firewalling them out</screeninfo>
	<mediaobject>
	  <imageobject>
	    <imagedata fileref="guarddog2_zonedia.png" format="PNG"/>
	  </imageobject>
	  <textobject>
	    <phrase>Placing the Bad Guys in a zone and firewalling them out.</phrase>
	  </textobject>
	</mediaobject>
</screenshot>
</para>

</sect2>

<sect2>
<title>Editing Zones</title>
<para>
Zones are specified and edited on the <guilabel>Zone</guilabel> tab.
To the left of the <guilabel>Zone</guilabel> tab is the list of
defined zones.
&kappname; has two builtin zones that you can't change. They are
<guilabel>Local</guilabel> and <guilabel>Internet</guilabel>.
<guilabel>Local</guilabel> is a zone simply containing the local machine;
the machine that &kappname; is running on. <guilabel>Internet</guilabel>
corresponds to any IP address that's not in another zone. Put simply, if a
IP address is not in another zone it is assumed to be in the
<guilabel>Internet</guilabel> zone.
</para>
<para>
The information about the currently selected zone are displayed to the right
of the zone list. Each zone has a name which is used on the
<guilabel>Protocol</guilabel> tab and therefore should be kept fairly short.
A more descriptive comment can also be given to a zone.
</para>
<para>
The list of IP addresses in a zone are shown in the
<guilabel>Zone Addresses</guilabel> list.
</para>

<para>
Zones that the currently selected zone may communicate with, are listed in the
<guilabel>Connection</guilabel> list located on the right side of the window.
</para>

<para>
<screenshot>
<screeninfo>The Zone tab.</screeninfo>
	<mediaobject>
	  <imageobject>
	    <imagedata fileref="guarddog2_zones.png" format="PNG"/>
	  </imageobject>
	  <textobject>
	    <phrase>The Zone tab.</phrase>
	  </textobject>
	</mediaobject>
</screenshot>
</para>

<warning><para>
An IP address should only be in one zone at a time.
</para></warning>
</sect2>

<sect2>
<title>Creating a Demilitarised Zone</title>
<para>
Let's put zones to work.
</para>
<para>
A good use of zones is to harden our firewall by setting up a "Demilitarised
Zone" (DMZ). In network security a DMZ is a group of computers 
located between the internet and an organisation's internal computer
network. Computers in the DMZ are exposed to the internet and usually
performing tasks like serving web pages to public or handling email.
Since these machines are exposed to the internet and constant attack from
outside, thier access to the internal network is restricted. The idea is that
if an attacker gains control of a machine in the DMZ, they won't
automatically gain higher access to the organisation's internal computer
network.
</para>

<para>
Even if you are not managing an internal network or a group of web or email
servers, you probably do make use of a group of computers that could
be considered to be in a DMZ. For this tutorial we will set up a DMZ
containing the mail server you use for sending and receiving email.
</para>

<para>
Go to the <guilabel>Zone</guilabel> tab and click on the <guibutton>New Zone</guibutton>
button to create a new zone. The new zone will appear in the zone list
and will be called <guilabel>new zone</guilabel>. Go up to the
<guilabel>Name</guilabel> text box and change <guilabel>new zone</guilabel> to
say "DMZ". The name should be fairly short, but you may put a longer, more
descriptive comment in the <guilabel>Comment</guilabel> text box.
</para>

<para>
On the right side of the window is the <guilabel>Connection</guilabel> list.
It is just a group of check boxes that let you specify which other zones the
currently selected zone is connected to. Put a tick in <guilabel>Local</guilabel>
check box to indicate that the <guilabel>DMZ</guilabel> zone is connected to the
<guilabel>Local</guilabel> zone.  The combination of <guilabel>DMZ</guilabel> and
<guilabel>Local</guilabel> zone will only be available on the
<guilabel>Protocol</guilabel> tab when this check box is ticked. &kappname;
will block all communication between zones that are not connected to each
other.
</para>

<para>
Now move over to the <guilabel>Protocol</guilabel> tab and make sure that