index.docbook

linux系统下的一个防火墙guarddog

files and disk space.</para>

<para>The <guilabel>Rate limit logging</guilabel> checkbox controls whether
packet logging should be rate limited or not. It is recommended that this be
left on.</para>

<para>The <guilabel>Rate</guilabel> widget allows you to specify the maximum
average rate that packet log entries may be added to the system log. The rate
may be specified in terms of the number of entries per second, minute, hour or
day.</para>

<para>The <guilabel>Rate</guilabel> widget allows you to specify the
<emphasis>average</emphasis> maximum logging rate. Packets to be logged often
come in bursts of many packets in very quick succession. The
<guilabel>Burst</guilabel> widget allows you to specify how many packets
in a burst may be logged. Once the burst limit has been reached, the
average logging rate is enforced.</para>

<tip><para>For more information on exactly how this works, consult the
<command>iptables</command> documentation and the Linux kernel source
<filename>/net/ipv4/netfilter/ipt_limit.c</filename> file.
</para></tip>

<para>The <guilabel>Warn when limiting</guilabel> check box controls whether
&kappname; should put warning messages in the system log when it has been
forced to apply rate limiting to the packet log messages. When rate limiting
is applied to packet log messages, only a limited number of messages appear
in the log, while the rest are omitted.  When you come to view the system log,
it useful to know if packet log messages have been omitted due to rate limiting.
</para>

<para>The <guilabel>Warning rate</guilabel> widget allows you to specify how
often warning messages should be placed in the system log when rate limiting
is being used.
</para>

<tip><para>The warning messages in the system log have the word
<literal>LIMITED</literal> at the start of the line.</para></tip>

</sect2>

<sect2>
<title>Logging Options</title>

<para>The <guilabel>Log IP Options</guilabel> checkbox controls whether the
options field in the IP header of a packet should be included in a packet log
message.</para>

<para>The <guilabel>Log TCP Options</guilabel> checkbox controls whether the
options field in the TCP header of a packet should be included in a packet
log message.</para>

<para>The <guilabel>Log TCP sequence numbers</guilabel> checkbox controls
whether the TCP sequence number for a packet should be included in a packet
log message.</para>

<para>The <guilabel>Logging Priority</guilabel> selector specifies the logging
priority used when sending log messages to the system log. See the
documentation for <filename>syslog.conf</filename> for more information.
</para>

</sect2>
</sect1>

<sect1 id="guarddog-advancedtab">
<title>The Advanced Tab</title>
<para>The <guilabel>Advanced</guilabel> tab holds many miscellaneous advanced
options. Here you can also set up your own simple protocols for opening a
small hole through your firewall to support an <emphasis>ad hoc</emphasis>
protocol. For example, accessing a remote administration web interface that
is served from a non-standard port number.</para>

<para>When the <guilabel>Show advanced protocol help</guilabel> check box is
ticked, extra information is given in the help text for protocols on the
<guilabel>protocol</guilabel> tab.  The extra information includes the what
kinds of network connections the protocols uses.</para>

<para>The <guilabel>Allow TCP timestamps</guilabel> check box lets you turn
TCP timestamps on or off. Leaving TCP timestamps turned on makes it possible
for outsiders to calculate how long your machine has been running since it
was last booted. <command>nmap</command> <option>-O</option> can do this.
Generally, unless you are connected to a high speed network connection chances
are you have no good reason to have TCP timestamps turned on.</para>

<para>The <guilabel>Restore to factory defaults</guilabel> clears the
firewall configuration and resets it back to how it was the first time
&kappname; was run.</para>

<sect2>
<title>Local Dynamic Port Range</title>
<para>The two input fields next to <guilabel>Local Dynamic Port Range</guilabel>
allow you to specify the range of port numbers used by the operating system
for the source port of new out-going connections. When a connection is made to
a port on an external machine, the source port of the connection is usually
not specified by the application. It is left up to the operating system to choose
a suitable free source port number. The local dynamic port range is just a range
of port numbers that the operating system will use when looking for an
available source port.</para>

<para>Generally, there is little reason to change this. It might only become
important on machines that need to have an unusually high number of
connections active at the same time.</para>
</sect2>

<sect2 id='dhcp'>
<title>DHCP (Dynamic Host Configuration Protocol)</title>

<para>If you are using DHCP to configure a network interface, then you will
need to specify the name of the interface(s) in the <guilabel>Enable DHCP on
interfaces:</guilabel> widget.</para>
 
<para>If you are running a DHCP server on a network interface, then you will
need to specify the name of the interface(s) in the <guilabel>Enable DHCP server
on interfaces:</guilabel> widget.</para>
 
<para>When entering multiple interface names, separate them using a comma ",".</para>

</sect2>

<sect2>
<title>Import/Export</title>
<para><guilabel>Import</guilabel> and <guilabel>Export</guilabel> allow you
to save the current configuration to a file, and read it back into &kappname;
again. When you click on either of these buttons, a file dialog appears and
you can choose the file to import from, or export to.</para>

<para>The <guilabel>Description</guilabel> text box allows you enter a short
note about the current firewall configuration.</para>

<tip><para><guilabel>Export</guilabel> doesn't just export the current
firewall configuration, it actually outputs an entire firewall script.
The firewall script can then be moved onto another machine and manually
installed and run.</para></tip>

</sect2>

<sect2>
<title>User Defined Protocols</title>

<para>In addition to all the protocols that &kappname; supports, it is also
possible to specify your own custom protocols.</para>

<para>In the middle of the <guilabel>User Defined Protocols</guilabel>
group is the current list of user defined protocols. Use the <guilabel>New
Protocol</guilabel> button to create a new blank protocol. The <guilabel>Delete
Protocol</guilabel> button naturally deletes the currently selected user
defined protocol.</para>

<para>After creating a new protocol you can give it a name using the
<guilabel>Name</guilabel> text field. The <guilabel>Type</guilabel> widget lets
you specify what IP protocol your user defined protocol uses. You have the
choice between TCP and UDP.  In the <guilabel>Port</guilabel> widget you
specify the TCP or UDP port on the server or remote machine that the
protocol must connect to.  For UDP protocols use the
<guilabel>bidirectional</guilabel> check box to specify if the protocol is
bidirectional and requires packets to travel in both directions. Once a
user defined protocol has been specified here, it becomes available on the
<guilabel>Protocol</guilabel> tab under the <guilabel>User Defined</guilabel>
category. There it can be turned on or off just like any other
built-in protocol.</para>

<tip><para>This feature is intended for simple protocols where a server is
just serving from a single TCP or UDP port. If you feel that you need to
specify a more complex protocol, consider contacting the author so that
direct support for it can be added in a future &kappname; release.</para></tip>

</sect2>
</sect1>

</chapter>

<!--
<chapter id="developers">
<title>Developer's Guide to Guarddog</title>

<para>
Programming &guarddog; plugins is a joy to behold. Just read through the next
66 pages of API's to learn how!
</para>

<refentry id="re-1007-unmanagechildren-1">
<refmeta>
<refentrytitle>XtUnmanageChildren</refentrytitle>
<refmiscinfo>Xt - Geometry Management</refmiscinfo>
</refmeta>
<refnamediv>
<refname>XtUnmanageChildren
</refname>
<refpurpose>remove a list of children from a parent widget's managed list.
</refpurpose>
<indexterm id="ix-1007-unmanagechildren-1"><primary>widgets</primary><secondary>removing</secondary></indexterm>
<indexterm id="ix-1007-unmanagechildren-2"><primary>XtUnmanageChildren</primary></indexterm>
</refnamediv>
<refsynopsisdiv>
<refsynopsisdivinfo>
<date>4 March 1996</date>
</refsynopsisdivinfo>
<synopsis>
void XtUnmanageChildren(<replaceable parameter>children</replaceable>, <replaceable parameter>num_children</replaceable>)
    WidgetList <replaceable parameter>children</replaceable>;
    Cardinal <replaceable parameter>num_children</replaceable>;
</synopsis>

<refsect2 id="r2-1007-unmanagechildren-1">
<title>Inputs</title>
<variablelist>
<varlistentry>
<term><replaceable parameter>children</replaceable>
</term>
<listitem>
<para>Specifies an array of child widgets. Each child must be of
class RectObj or any subclass thereof.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable parameter>num_children</replaceable>
</term>
<listitem>
<para>Specifies the number of elements in <replaceable parameter>children</replaceable>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2></refsynopsisdiv>

<refsect1 id="r1-1007-unmanagechildren-1">
<title>Description
</title>
<para><function>XtUnmanageChildren()</function> unmaps the specified widgets
and removes them from their parent's geometry management.
The widgets will disappear from the screen, and (depending
on its parent) may no longer have screen space allocated for
them.
</para>
<para>Each of the widgets in the <replaceable parameter>children</replaceable> array must have
the same parent.
</para>
<para>See the &ldquo;Algorithm&rdquo; section below for full details of the
widget unmanagement procedure.
</para>
</refsect1>

<refsect1 id="r1-1007-unmanagechildren-2">
<title>Usage</title>
<para>Unmanaging widgets is the usual method for temporarily
making them invisible.  They can be re-managed with
<function>XtManageChildren()</function>.
</para>
<para>You can unmap a widget, but leave it under geometry
management by calling <function>XtUnmapWidget()</function>.  You can
destroy a widget's window without destroying the widget by
calling <function>XtUnrealizeWidget()</function>.  You can destroy a
widget completely with <function>XtDestroyWidget()</function>.
</para>
<para>If you are only going to unmanage a single widget, it is
more convenient to call <function>XtUnmanageChild()</function>.  It is
often more convenient to call <function>XtUnmanageChild()</function>
several times than it is to declare and initialize an array
of widgets to pass to <function>XtUnmanageChildren()</function>.  Calling
<function>XtUnmanageChildren()</function> is more efficient, however,
because it only calls the parent's <function>change_managed()</function>
method once.
</para>
</refsect1>

<refsect1 id="r1-1007-unmanagechildren-3">
<title>Algorithm
</title>
<para><function>XtUnmanageChildren()</function> performs the following:
</para>
<variablelist>
<varlistentry>
<term>-
</term>
<listitem>
<para>Ignores the child if it already is unmanaged or is being
destroyed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-
</term>
<listitem>
<para>Otherwise, if the child is realized, it makes it nonvisible
by unmapping it.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
</para>
</refsect1>

<refsect1 id="r1-1007-unmanagechildren-4">
<title>Structures</title>
<para>The <type>WidgetList</type> type is simply an array of widgets:
</para>
<screen id="sc-1007-unmanagechildren-1">typedef Widget *WidgetList;
</screen>
</refsect1>
</refentry>

</chapter>
-->

<chapter id="faq">
<title>Questions and Answers</title>

&reporting.bugs;
&updating.documentation;

<qandaset id="faqlist">
<qandaentry>
<question>
<para>Does &kappname; need to be running for it to protect my computer?</para>
</question>
<answer>
<para>&kappname; provides a user friendly way of configuring your computer's
built-in firewalling capabilities. &kappname; itself doesn't need to be
running continously to protect your computer.</para>
</answer>
</qandaentry>

<qandaentry>
<question>
<para>How can I see which ports a given protocol uses? or How can I see which ports
a given protocol opens up?</para>
</question>
<answer>
<para>Go to the <guilabel>Advanced</guilabel> tab and tick the checkbox at
<guilabel>Show advanced protocol help</guilabel>. Now when you
go back to the <guilabel>Protocol</guilabel> tab and click on the na