index.docbook

linux系统下的一个防火墙guarddog

<guilabel>Protocols Served from Zone:</guilabel> is set to
<guilabel>DMZ</guilabel>. In the protocol list below there is a
column called <guilabel>Local</guilabel>.  Open up the
<guilabel>Mail</guilabel> group of protocols and tick
<guilabel>POP2</guilabel>, <guilabel>POP3</guilabel>, and
<guilabel>SMTP</guilabel>. POP3 is used to fetch mail from a
mail box on a mail server. While SMTP is used for sending outgoing mail. By
turning these on for <guilabel>Local</guilabel> we are saying that we want 
the local machine to be allowed to use these mail protocols with the machines
in the <guilabel>DMZ</guilabel> zone.
</para>

<para>
If the machines in your DMZ are also web servers you may also want to turn on
HTTP, FTP and some other common protocols.
</para>

<para>
Once you have finished configuring &kappname;, apply your changes with the
<guibutton>Apply</guibutton> button and test your email program to see if you
can still send and receive email.
</para>

</sect2>

</sect1>

<sect1 id="tutorial-router">
<title>Tutorial: Router Configuration</title>
<para>
So far we have only used &kappname; to protect a single workstation (i.e. the
computer &kappname; is running on), but as many people know a computer
running Linux can also act as a fantastic router for connecting multiple
networks. In this tutorial we will go through how &kappname; can be used on
a gateway machine to protect a LAN from the internet.
</para>

<important><para>&kappname; only supports router configurations on machines
running Linux kernel series 2.4 with <command>iptables</command>.
</para></important>

<sect2>
<title>Anatomy of a typical LAN connected to the Internet</title>

<para>
<screenshot>
<screeninfo>A typical router or gateway configuration with &kappname; running on the router machine.</screeninfo>
	<mediaobject>
	  <imageobject>
	    <imagedata fileref="guarddog2_routerdia.png" format="PNG"/>
	  </imageobject>
	  <textobject>
	    <phrase>A typical router configuration with &kappname; running on the router machine.</phrase>
	  </textobject>
	</mediaobject>
</screenshot>
</para>

<para>
The diagram above shows the network configuration of a typical LAN connected
to the Internet via a Linux based system acting as a router.
The LAN that we wish to protect is on the left side of the diagram. The
internet is shown on the right side. All communication between the LAN
and internet passes through the gateway machine which is marked by the dog.
&kappname; runs on the gateway machine. The most important aspect of this
setup from a security point of view is that all of the network traffic
between the LAN and the internet passes through one machine: the gateway.
This provides us with an obvious "choke point" that we can place the
firewall on to filter the network traffic.
</para>

<para>
The diagram also shows the zones that we will setup in &kappname;.
</para>
</sect2>

<sect2>
<title>"Repeat after me: &kappname; is a firewall"</title>
<para>
There seems to be a bit of confusion surrounding the function of a firewall
versus the task of packet routing. Firewalls act as network traffic
<emphasis>filters</emphasis>. Filtering and blocking unwanted and dangerous
network traffic. They are security devices. Features such as routing and
IP masquerade are not primarily security devices. They are advanced networking
features.
</para>

<note>
<para>
This misconception arose because in the past on Linux, before kernel series 2.4,
the networking sub-system was such that it wasn't possible to separate
advanced routing functionality from normal firewall functionality. This lead
to firewall programs that also included direct support for advanced routing
features such as IP masquerade and port forwarding for example.
</para>
</note>

<para>
&kappname; is a firewall and is not used for configuring networking
features such as IP masquerade and routing. These networking features must
be configured using a different program.
</para>

<tip>
<para>
<ulink url="http://www.simonzone.com/software/guidedog/">Guidedog</ulink>
is a user friendly utility for configuring advanced networking features
and is designed to work along side &kappname;.
</para>
</tip>
</sect2>

<sect2>
<title>Configure Routing and Network Settings</title>

<para>
Before we continue, you should go and configure the routing setup for your machine
and confirm that it is routing/masquerading network traffic as expected.
To make the task of debugging your gateway configuration easier, you can
disable &kappname; by checking the <guilabel>Disable firewall</guilabel>
checkbox on the <guilabel>Advanced</guilabel> tab and then applying the
changes. This will allow you to test your routing setup separately without
&kappname; blocking any test traffic.
</para>

<warning>
<para>
I strongly recommend that you do not test your network setup while connected
to a hostile network like the Internet. Attach a machine to the network
card that you plan to connect to the internet and give it an IP address so
that it can act as a pretend Internet.
</para>
</warning>

</sect2>

<sect2>
<title>Teaching &kappname; to Allow Traffic to/from your LAN</title>
<para>
If you configured and tested your routing and network settings with
&kappname; disabled, enable firewalling in &kappname; again and apply.
If all is going well then you will find that your LAN is once
again totally cut off from the internet. &kappname; has a fail-safe, "what is
not explicitly permitted, is denied" design.  What this means in this
situation is that since &kappname; hasn't been told to allow traffic from your
LAN out to the internet, or visa versa, it will assume that the traffic should
be blocked. This is intended to make it easy to get a secure configuration
(even if it is too secure) and difficult to have an insecure configuration.
</para>

<para>
The way we specify to &kappname; that computers on the LAN are allowed to
access computers on the Internet is by using zones. We simply create a zone
to hold the addresses of all of the computers on our LAN and then specify that
this zone is connected to the Internet, and probably to the
<guilabel>Local</guilabel> zone also, and then go to the
<guilabel>Protocols</guilabel> tab and tick on whatever
protocols should be allowed between the LAN and the Internet.
</para>

</sect2>

<sect2>
<title>Step by Step</title>
<para>
Go to the <guilabel>Zone</guilabel> tab and create a new zone and call
it "LAN". In the <guilabel>Zone Addresses</guilabel> list enter the IP
addresses of the computers on your LAN.
The address list understands several notations for addresses and can also
accept whole network blocks. If you are running an IP masqueraded network
using the 192.168.1.0/255.255.255.0 private address space, you can enter
the whole block into a single address line using 192.168.1.0/255.255.255.0
format or the shorter 192.168.1.0/24 format.
</para>

<para>
Next, go to the <guilabel>Connection</guilabel> list and tick
<guilabel>Internet</guilabel> and <guilabel>Local</guilabel> to specify that
your LAN zone should be connected to the <guilabel>Internet</guilabel> and
<guilabel>Local</guilabel> zones.
</para>

<para>
Now, go to the <guilabel>Protocol</guilabel> tab and make sure that
<guilabel>Protocols Served from Zone:</guilabel> is set to
<guilabel>Internet</guilabel>.  In the list of protocols below you should see
a column of check boxes for the <guilabel>Local</guilabel> zone and another column
for the <guilabel>LAN</guilabel> zone.
Just like when we were turning on protocols for the local zone in the first
tutorial, we can do the same for the LAN zone. Tick the list of protocols that
machines in the LAN zone should be able to use with the Internet.
</para>

<para>
When you are ready, apply the changes and see if your machines on your LAN
can access the internet. That's all there is to it.
</para>
</sect2>
</sect1>

<sect1 id="specific-protocols">
<title>Important Notes</title>
<para>
Here are some important notes concerning the use of some protocols. 
</para>

<sect2>
<title>Windows Networking (NETBIOS)</title>
<para>
If your computer is connected to a LAN that you want to use NETBIOS on, there
is a little extra you need to do to get things working smoothly. Basically,
create a zone for your LAN, which you probably have done anyway, and make
sure that the broadcast address of the LAN is is also in the list of zone
addresses.
</para>

<para>
If you don't know what the broadcast address for your LAN is, the simplest way
is to go to shell and run the command <userinput>/sbin/ifconfig</userinput>.
You will see something similar to this:
<screen>
eth0      Link encap:Ethernet  HWaddr 00:50:FC:2A:AB:7A
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:240 (240.0 b)
          Interrupt:10 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:992 errors:0 dropped:0 overruns:0 frame:0
          TX packets:992 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:76568 (74.7 Kb)  TX bytes:76568 (74.7 Kb)
</screen>
This is a list of the network interfaces that your computer has. Your list
will probably be different of course. The names of the network interfaces are
listed on the left side. You need to go to one that corresponds to you LAN.
It will typically be called <computeroutput>ethX</computeroutput>. It's also
possible that you will have multiple <computeroutput>ethX</computeroutput>
entries, especially if you also have cable internet access or ADSL. Once you
have found the entry look for <computeroutput>Bcast:</computeroutput>.
This is the broadcast address for the network connected to that network
interface. Put this broadcast address in your LAN zone's list of IP addresses.
</para>

</sect2>

<sect2>
<title>Nmap and Nessus Scanning</title>
<para>
It is not possible to do effective scanning with nmap or nessus through, or
from out of, a machine running &kappname;.  The reason is that firewalls are
designed to block the kind of unusual and "hostile looking" network traffic
that these kinds of programs produce. A firewall can't distinguish between
friendly scan traffic produced by you, and unwanted scan traffic produced by
intruders, so it blocks both types.
</para>
</sect2>

<sect2>
<title>Telstra BigPond Cable</title>
<para>
People in Australia using Telstra's BigPond cable for internet access
need to make sure that Telstra's <computeroutput>dce-server</computeroutput>
machine is permitted to serve <guilabel>BigPond Cable Login</guilabel> to
your local machine. This is needed for logging on to BigPond and also to
allow the 'heartbeat' that BigPond uses to check that your machine is still
online.
</para>

<para>
One thing you could do is create special zone for the important BigPond
servers that also serve mail etc and then make sure that
<computeroutput>dce-server</computeroutput> is entered in there, and then
permit <guilabel>BigPond Cable Login</guilabel> protocol and whatever mail
and web protocols you want, to be served from there.
</para>
</sect2>

<sect2>
<title>X Window System</title>
<para>
In X Window System the notion of client and server is a bit backwards. The
server is considered to be the machine running the X server program and
displaying the screen and accepting user input. While the client is
considered to be the remote program whose user interface is being displayed
on the X server.
</para>

<para>
What this means is that you need to make sure that X is permitted to be served
from the zone containing the machine showing the X display (the X server), to
the zone containing the machines that actually run your programs (the
clients).
</para>

</sect2>

<sect2>
<title>DHCP (Dynamic Host Configuration Protocol)</title>
<para>
Go to <xref linkend='dhcp' /> for information about using DHCP with &kappname;.
</para>
</sect2>

<sect2>
<title>Squid, Web proxies and ICP</title>
<para>
If you are using a web cache/proxy like Squid and also want to peer and
interact with other web caches, you may have to enable the ICP (Internet
Cache Protocol, under the network section of the <guilabel>Protocol</guilabel>
tab. Just enabling the Squid protocol will not enable ICP.
</para>
</sect2>

</sect1>

<!--
<sect1 id="guarddog-features">
<title>More Guarddog features</title>

<para>It slices! It dices! and it comes with a free toaster!</para>
<para>
The Squiggle Tool <guiicon><inlinemediaobject>
	  <imageobject>
	    <imagedata fileref="squiggle.png" format="PNG">
	  </imageobject>
	  <imageobject>
	    <imagedata fileref="squiggle.eps" format="EPS">
	  </imageobject>
	  <textobject>
	    <phrase>Squiggle</phrase>
	  </textobject>
</inlinemediaobject></guiicon> is used to draw squiggly lines all over