index.docbook

linux系统下的一个防火墙guarddog

the &kappname; main window. It's not a bug, it's a feature!
</para>

</sect1>
-->
</chapter>
<!--
***************************************************************************
* Program Reference *******************************************************
***************************************************************************
-->
<chapter id="commands">
<title>Program Reference</title>

<sect1 id="guarddog-zonetab">
<title>The Zone Tab</title>
<para>
&kappname; is built around the concept of zones containing IP
addresses, and then managing which network protocols are permited
between the different zones. This tab is where zones and thier contents
are managed.
</para>

<para>
The list of currently defined zones is on the left side of the tab under
<guilabel>Defined Network Zones:</guilabel>. The properties of the currently
selected zone are shown in the <guilabel>Zone Properties</guilabel> area.
The <guibutton>New Zone</guibutton> and <guibutton>Delete Zone</guibutton>
buttons in the bottom left corner of the tab create new zones or delete the
currently selected zone.
</para>

<para>
There are two zones which are built-in and can not be modifed or
deleted. They are called the <guilabel>Internet</guilabel> and
<guilabel>Local</guilabel> zones. The <guilabel>Local</guilabel> zone
automatically contains the IP addresses of the network interfaces for the
machine that the firewall runs on. Note that the list of addresses in this
zone are not actually shown in the window. The <guilabel>Internet</guilabel> zone
automatically contains the IP addresses of anything that is not in another
zone. It acts as the default zone holding addresses that are not in
any other zone.
</para>

<para>
Each zone has a name that can be edited in the <guilabel>Name:</guilabel>
text edit box. It is recommended that this be kept relatively brief. A longer
comment can be entered for each zone in the <guilabel>Comment:</guilabel>
text edit box.
</para>

<sect2>
<title>Addresses</title>
<para>
Each zone consists of a number of IP addresses. The <guilabel>Zone Addresses</guilabel>
list holds the list of IP addresses for the currently selected zone. 
Addresses can be added to the list by using the <guibutton>New Address</guibutton>
button. The currently selected address can be deleted using the <guibutton>Delete Address</guibutton>
button. The text field next to <guilabel>Address:</guilabel>, allows you
to edit the currently selected address.
</para>

<para>
Addresses and ranges of addresses can be specified in several ways:
</para>

<itemizedlist>
<listitem>
  <para>Numeric IP address (dotted quad). Whole networks can be specified by
  using a mask. Masks can be network masks (e.g. 255.255.255.0) or a plain number
  (e.g. 24). Some examples are: 123.34.56.78, 192.168.1.1/24 and
  192.168.1.1/255.255.255.0 (the last two mean all the addresses
  from 192.168.1.1 to 192.168.1.255)</para>
</listitem>
<listitem>
  <para>Domain name. Only Fully Qualified Domain Names (FQDN) are allowed,
  something like .simonzone.com will not work. A complete name is required,
  like www.simonzone.com, for example.</para>
</listitem>
</itemizedlist>
</sect2>

<sect2>
<title>Connection</title>
<para>The <guilabel>Connection</guilabel> list allows you to specify which
other zones the currently selected zone is connected to.  When a zone is
connected to another zone, that particular combination will appear on the
<guilabel>Protocol</guilabel> tab. If a combination is not selected here
then it won't appear on the <guilabel>Protocol</guilabel> tab, and no
communication will be permitted between the two zones.
</para>
</sect2>

<!--
<sect2>
<title>The File Menu</title>
<para>
<variablelist>
<varlistentry>
<term><menuchoice>
<shortcut>
<keycombo><keycap>Ctrl</keycap><keycap>n</keycap></keycombo>
</shortcut>
<guimenu>File</guimenu>
<guimenuitem>New</guimenuitem>
</menuchoice></term>
<listitem><para><action>Creates a new document</action></para></listitem>
</varlistentry>
<varlistentry>
<term><menuchoice>
<shortcut>
<keycombo><keycap>Ctrl</keycap><keycap>s</keycap></keycombo>
</shortcut>
<guimenu>File</guimenu>
<guimenuitem>Save</guimenuitem>
</menuchoice></term>
<listitem><para><action>Saves the document</action></para></listitem>
</varlistentry>
<varlistentry>
<term><menuchoice>
<shortcut>
<keycombo><keycap>Ctrl</keycap><keycap>q</keycap></keycombo>
</shortcut>
<guimenu>File</guimenu>
<guimenuitem>Quit</guimenuitem>
</menuchoice></term>
<listitem><para><action>Quits</action> &kappname;</para></listitem>
</varlistentry>
</variablelist>
</para>

</sect2>
-->

</sect1>

<sect1 id="guarddog-protocoltab">
<title>The Protocol Tab</title>
<para>
The <guilabel>Protocol</guilabel> tab is used to specify which protocols are
permitted between which combinations of zones.
</para>

<para>
To the left of the tab is the <guilabel>Defined Network Zones:</guilabel>
list holding every zone currently defined. The <guilabel>Zone Properties</guilabel>
area shows which protocols or services the currently selected zone is
permitted to serve and to whom. We will refer to the currently selected zone
as the serving zone.
</para>

<para>
The expandable list of protocols is organised into ten categories:
</para>

<itemizedlist>
<listitem><para>
Chat - Protocols used by chat programs like IRC and ICQ.
</para></listitem>
<listitem><para>
Data Serve - Protocols used by databases and other data sources like time
servers.
</para></listitem>
<listitem><para>
File Transfer - Protocols used to tranfers files like HTTP for the Web and FTP.
</para></listitem>
<listitem><para>
Game - Protocols used by games for online multiplayer gaming.
</para></listitem>
<listitem><para>
Interactive Session - Protocols used for working on or performing actions on
remote systems. SSH Secure Shell, telnet and RPC protocols are here.
</para></listitem>
<listitem><para>
Mail - Protocols associated with delivering and moving email. SMTP and POP3
are here.
</para></listitem>
<listitem><para>
Media - Protocols used for delivering multimedia across the internet in real
time.
</para></listitem>
<listitem><para>
Miscellaneous - Other protocols that really didn't fit under the other
categories.
</para></listitem>
<listitem><para>
Network - Protocols related to the direct operation of the network inself.
</para></listitem>
<listitem><para>
User Defined - Protocols defined by the user on the "Advanced" tab show up
here.
</para></listitem>
</itemizedlist>

<para>
To the right of each protocol entry in the list is one or more columns
of check boxes. Each zone that the serving zone is connected to has a
column on check boxes. The name of the zone is at the top of the column.
The zones/columns which appear here are determined by the <guilabel>Connection</guilabel>
list on the <guilabel>Zone</guilabel> tab for the currently selected zone.
</para>

<para>
The check boxes have the following meanings:
</para>

<itemizedlist>
<listitem><para>Clear - The protocol is not permitted. Clients in this zone
may not start a connection to the serving zone using this protocol. For
example, if "Web Servers" is the currently selected serving zone, and the
HTTP (Web) protocol box is clear for the "Bad Guys" zone, then machines in
the "Bad Guys" zone will not be allowed to access a web server running on a
machine in the "Web Servers" zone. Any attempt will be completely ignored.
Any incoming packets will be dropped.
</para></listitem>

<listitem><para>Checked/Ticked - The protocol is permitted. Clients in this
zone may start a connection to the serving zone using this protocol. For
example, if "Web Servers" is the currently selected serving zone, and the
HTTP (Web) protocol box is ticked for the "Bad Guys" zone, then machines in
the "Bad Guys" zone will be allowed to access a web server running on a
machine in the "Web Servers" zone.</para></listitem>

<listitem><para>Crossed - The protocol is not permitted and packets will be
rejected instead of just dropped. When a packet is rejected an ICMP packet
is sent back to the source to inform it that the packet was rejected by the
firewall. For example, if "Web Servers" is the currently selected serving
zone, and the HTTP (Web) protocol box is crossed for the "Bad Guys" zone, then
machines in the "Bad Guys" zone will not be allowed to access a web server
running on a machine in the "Web Servers" zone. But unlike when the check box
is clear, any connection attempts will be rejected instead of 
ignored.</para></listitem>
</itemizedlist>

<para>This information is summerised at the bottom of the tab in a concise
key or legend showing each of the different check box states and meanings.
</para>

<tip>
<para>
Rejecting a protocol is considered a more "friendly" way of blocking it's use,
because the sender is immediately informed about what has happened. When a
packet is quietly blocked by the firewall, the sender will not know and will
have to wait and "time out" before realising that communication has failed.
</para>

<para>
Generally there is little reason to reject protocols instead of just having
them dropped.  If someone is trying to use a protocol that you didn't allow,
then for safety's sake we should assume that they are hostile and therefore
should not be helped. In this situation, dropping packets is better because
it uses less network capacity and has the effect of making most port scanning
software that an intruder may be using, run very slowly.
</para>

<para>
The only situation that you are likely to run into where rejecting a protocol
is desirable, is with the "ident" protocol (located under the Network category).
</para>

</tip>

<sect2>
<title>Protocol Information</title>
<para>
Information about a protocol is displayed on the botton left side of the tab.
You can get information about any of the protocols in the list by clicking on
it's title.
</para>

<para>
The following information about each protocol is available:
</para>

<itemizedlist>
<listitem><para>Name - The name of the protocol. It's full name and also any
acronym it may be known by.</para></listitem>

<listitem><para>Description - A short description of what the protocol is
used for.</para></listitem>

<listitem><para>Security Risk - An estimate of the security risk that use of
the protocol has. The risk ranges from low, medium, high or unknown.
</para></listitem>

<listitem><para>Network Usage - This is a description of how the protocol
uses the network. It describes which connections, IP protocols and port
ranges etc that the protocol uses to operate. This field is only shown if the
<guilabel>Show Advanced Protocol Help</guilabel> checkbox on the
<guilabel>Advanced</guilabel> tab is checked.
</para></listitem>

</itemizedlist>

</sect2>

</sect1>

<sect1 id="guarddog-loggingtab">
<title>The Logging Tab</title>
<para>The <guilabel>Logging</guilabel> tab holds many options for controlling
what events are logged and how they are logged.</para>

<para>The <guilabel>Log blocked packets</guilabel> checkbox controls whether
packets that are blocked by &kappname; are logged in the system log. A packet
that is not part of a permitted protocol is by blocked by default. When this
checkbox is ticked, blocked packets are logged.</para>

<para>The <guilabel>Log rejected packets</guilabel> checkbox controls whether
packets that are rejected by &kappname; are logged in the system log. 
Protocols are marked to be rejected on the <guilabel>Protocol</guilabel>
tab by putting a cross in their checkbox.  When this checkbox is
ticked, any rejected packets are logged.</para>

<para>The <guilabel>Log aborted TCP connections (half open scans)</guilabel>
check box controls whether TCP connections that are forcefully terminated using
a RST packet are logged.  A port scanning technique know as "half-open"
scanning uses RST packets to quickly abort an half open TCP connection in
order to avoid detection.  This can be done using <command>nmap</command>'s
<option>-sS</option> option.  By
turning this option on you can detect and log when this happens. Unfortunately
many web servers like to quickly terminate connections by using a RST packet.
This can produce quite a lot of unwanted noise in your system logs. Therefore
you may want to turn this option off. Also, this option only has effect when
the firewall is used on a Linux kernel 2.4 machine in combination with 
<command>iptables</command>.</para>

<tip>
<para>Packet logs are received by the <command>syslog</command>. Consult
the <command>syslog</command> manual page for more information.</para>
</tip>

<sect2>
<title>Rate Limiting</title>
<para>This group of options allows you to specify how &kappname; should limit
the rate at which messages are placed in the system log. Rate Limited logging
is intended to stop someone from performing a Denial of Service attack against
your machine by flooding it with packets and trying to fill your system log