   Firewalling and Proxy Server HOWTO
  Mark Grennan, markg@netplus.net
  v0.4, 8 November 1996

            firewall
   firewall,  (proxy)   (filtering),  PC
   Linux.  HTML  ()
    http://okcforum.org/~markg/Firewall-HOWTO.html
  ______________________________________________________________________

  Table of Contents

  1. 

     1.1 
     1.2 
     1.3 
     1.4     
     1.5 TODO
     1.6  

  2.   Firewall

     2.1    firewalls
     2.2   Firewalls
        2.2.1 IP Firewalls 
        2.2.2  

  3.   Firewall

     3.1   (Hardware)

  4.   Firewalls.

     4.1  
     4.2  TIS Firewall Toolkit  SOCKS

  5.    Linux

     5.1   
     5.2    
     5.3     
     5.4    .
     5.5   Firewall.

  6. IP   (IPFWADM)

  7.     TIS

     7.1   
     7.2   TIS FWTK
     7.3   TIS FWTK
     7.4   TIS FWTK
        7.4.1   netperm-table
        7.4.2   inetd.conf
        7.4.3   /etc/services

  8.  SOCKS  

     8.1    
     8.2    .
        8.2.1   
        8.2.2   .
        8.2.3 DNS (Domain Name Service)
     8.3    .
        8.3.1 Uni
        8.3.2 MS Windows  Trumpet Winsock
        8.3.3        UDP 
     8.4     

  9.  

     9.1       
        9.1.1    
        9.1.2    



  ______________________________________________________________________

  1.

      Firewall-HOWTO    David Rudder,
  drig@execpc.com.
    .

   firewalls        
    Internet.       
    .   HOWTO      
    firewall,    ,   
   (proxy servers),     
  ,         
   .


  1.1.

     .
       !!!
    .         
   .          e-mail, 
   , '      .

  email markg@netplus.net


  1.2.

  .
         firewalls   
   .  ,    , 
   .         
    /     . , 
           ,  
          ,  .


  1.3.


      ,  Linux HOWTO  
     .  Linux HOWTO
     ,    
         ,   
         . 
       '  , 
         .

    ,      
   Linux HOWTO ,       
   .  ,     
      HOWTO   
    .       
       ,  
         Linux HOWTO.

     ,     Mark
  Grennan <markg@netplus.net>.





  1.4.


            
  comp.os.linux.*   firewalling      
         firewall.  
     HOWTO,    .   
     David Rudder's Firewall HOWTO   
          
   firewall      .

            Linux.


  1.5.  TODO


             (client)

        UDP     
     Linux.


  1.6.


     NET-2 HOWTO

     Ethernet HOWTO

     Multiple Ethernet Mini HOWTO

    Networking with Linux

     PPP HOWTO

    TCP/IP Network Administrator's Guide by O'Reilly and Associates

     Documentation   TIS Firewall Toolkit

     Trusted Information System's
  (TIS) http://www.tis.com/
    firewalls   .

        , ,
  Secure Linux.  Secure Linux
  ,       
      Linux.   e-mail  
  .


  2.    Firewall


   firewall       
  .    firewalls     
       .   
            
   ,     .  firewall 
      (/)    
      . ( Internet  .)

   firewall ,       "firewall",
    "" ,     
  Internet.        
  Internet,   Internet     
  .

          Internet   
   ,     telnet  firewall,
      Internet  .

      firewall      (
      ).     
           Linux ( 
    IP Forwarding )    
    .        
  (login), telnet, FTP,   e-mail,    ,
   .    ,     
               
  firewall.       , 
         (default route).

     .      firewall
        !    .


  2.1.     firewalls

      firewalls    
        Internet.    
          .  
         (login) 
  firewall,         
  ,   .

  ,      (network clients) 
      .      
           
       .


  2.2.    Firewalls

     firewalls


  1. IP Firewalls  (filtering firewalls) -  
          .

  2.   (Proxy Servers) -   
        .


  2.2.1.  IP Firewalls

   IP firewall     . 
            
  ()        .

    firewall       
    .       
           
         Internet  .

   Firewalls    .    
     '       
            
  .

   Linux        
   1.3.

  2.2.2.

         
  Internet   firewall.     ,
     telnet       telnet  
    .       
    .     
         (client software) 
        () 
      .

         
     , .

         ,  
  ,   .      
     .    IP .


  3.    Firewall

  3.1.    (Hardware)


     ,     486-DX66  16MB RAM
   500MB  Linux.       , 
         (LAN)     
       (DMZ De-Militarize Zone).
   .. (DMZ)       Internet.

         .  
        modem    Internet.
      firewall      .

          (LANs)   
     / .         
   modem     Linux (    386)  
     Internet   .   
           
     modems    
  :-)




  4.    Firewalls.

  4.1.

        firewall   
    Linux      .    
          IP Firewalling
  Administration Tool.

  To (IPFWADM)   http://www.xos.nl/linux/ipfwadm/

           
     .


  1. SOCKS

  2. TIS Firewall Toolkit (FWTK)



  4.2.   TIS Firewall Toolkit  SOCKS

   Trusted Information System (http://www.tis.com)   
          firewalling
  (firewalling).         SOCKS ,
      .    SOCKS
         Internet,  TIS
            
  firewall.

      ,      World Wide
  Web    telnet.   SOCKS
    .        , 
   WWW  telnet ,     
    .

    TIS ,      WWW  telnet,
        ,  .   
   ,    ()  Internet  
      .     
      ,   "plug-in" 
  ,          ,
     .

        ,    . 
  SOCKS    .
  SOCKS,
       .   TIS , 
             
     .

   SOCKS    ,
  (compile)    .  TIS   
            
   .       ' .

           .


  5.     Linux

  5.1.

        Linux  .
  (  RH 3.0.3       
   ).      ,   
  ,    () bugs     
      ,     
     (minimum installation).

     .   2.0.14   Linux
     .        
   .

          Linux  
   . '    Kernel-HOWTO, Ethernet-HOWTO
   NET-2 HOWTO,     .

            make
  config.


  1.    General setup

     a.  Networking Support ON

  2.     Networking Options

     a.  Network firewalls ON

     b.  TCP/IP Networking ON

     c.  IP forwarding/gatewaying OFF (UNLESS you wish to use IP
        filtering)

     d.  IP Firewalling ON

     e.  IP firewall packet logging ON (this is not required but it
        is a good idea)

     f.  IP: masquerading OFF (I am not covering this subject
        here.)

     g.  IP: accounting ON

     h.  IP: tunneling OFF

     i.  IP: aliasing OFF

     j.  IP: PC/TCP compatibility mode OFF

     k.  IP: Reverse ARP OFF

     l.  Drop source routed frames ON

  3.    Network device support

     a.  Network device support ON

     b.  Dummy net driver support ON

     c.  Ethernet (10 or 100Mbit) ON

     d.      (network card)

           
   (reboot).   (-)     
    .  ,    HOWTO  
   


  5.2.

         ,   
        /etc/lilo.conf   
   IRQ      .     
  lilo.conf   :

      append="ether=12,0x300,eth0 ether=15,0x340,eth1"




  5.3.

       .    
    .     Internet   
        ,   
    .   
   Internet        .
          
          Internet, 
   .

  , 192.168.2.,       
     .

   firewall ,           
           .





              199.1.2.10   __________    192.168.2.1
        _  __  _        \ |          | /           _______________
       | \/  \/ |        \| Firewall |/           |               |
      / Internet \--------|  System  |------------| Workstation/s |
      \_/\_/\_/\_/        |__________|            |_______________|



      firewalls   
       .    
   IP masquerading    .
    firewall         "REAL
  ()"       Internet.

            
    ()   Internet.    192.168.2.1 
  Ethernet   .     IP  
  /.         / 
         192.168.2. 
  (192.168.2.2  192.168.2.254)

    RH Linux (! ,     
   plugs? ;-)         
    ifcfg-eth1    /etc/sysconfig/network-
  scripts.          
        .

       ifcfg-eth1 .


      #!/bin/sh
      #>>>Device type: ethernet
      #>>>Variable declarations:
      DEVICE=eth1
      IPADDR=192.168.2.1
      NETMASK=255.255.255.0
      NETWORK=192.168.2.0
      BROADCAST=192.168.2.255
      GATEWAY=199.1.2.10
      ONBOOT=yes
      #>>>End variable declarations



       scripts    
   modem    Internet.   ipup-ppp script.

      modem      
  Internet,           ISP
        .




  5.4.     .

     ifconfig  route.    
    ifconfig    :


    #ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
              UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
              RX packets:1620 errors:0 dropped:0 overruns:0
              TX packets:1620 errors:0 dropped:0 overruns:0

    eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
              inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:12 Base address:0x310

    eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:15 Base address:0x350



     route  :


    #route -n
    Kernel routing table
    Destination     Gateway         Genmask         Flags MSS    Window Use Iface
    199.1.2.0       *               255.255.255.0   U     1500   0       15 eth0
    192.168.2.0     *               255.255.255.0   U     1500   0        0 eth1
    127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
    default         199.1.2.10      *               UG    1500   0       72 eth0



  : 199.1.2.0   Internet    firewall
  192.168.2.0   .

      ping  Internet   firewall. 
     nic.ddn.mil   .  
   ,        '
    .      ,   
  ping            
   (LAN).     ,     
   .   -2 HOWTO   .

  ,    ping  host   
     firewall.       ping
   .  ,   NET-2 HOWTO   
       .

  ,    ping    
  firewall      . (: 
       firewall   
  192.168.2.  ).  ,   
    IP Forwarding.      .

  "IP (6)"  .

  ,    ping  Internet    firewall
        . (
  nic.ddn.mil). ,     IP Forwarding, 
     .       
  .

     IP Forwarding    "
  (REAL)" (  192.168.2.) IP     
  .      ping  Internet   
  Internet   firewall      
   (  Internet)     
    . ( ISP     )

         192.168.2., 
           .  
       IP masquerading ,
    .

        .


  5.5.    Firewall.

   firewall          
     .  "  (bad guy)"
       firewall    
      .

       .  
   /etc/inetd.conf.         "
   (super server)".      
       .

     netstat, systat, tftp, bootp, 
  finger.     ,  #  
          .  
   ,   SIG-HUP    "kill -HUP
  <pid>",  <pid>      inetd.
    inetd       (inetd.conf)
    (restart).
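The procedure in this section (comment the risky services out of /etc/inetd.conf, then send inetd a SIGHUP so it re-reads the file) is small enough to script. The following is an added example written for this page, not code from the HOWTO; the inetd.conf text it works on is constructed, and the pidfile path /var/run/inetd.pid is an assumption about where inetd records its process id.

```python
"""Disable the services section 5.5 names on a firewall host by commenting
them out of an inetd.conf, then reload inetd with SIGHUP.

Added example, not part of the original HOWTO.  SAMPLE_INETD_CONF is a
constructed file; on a real host the file is /etc/inetd.conf."""
import os
import signal

# Services the HOWTO says to switch off: netstat, systat, tftp, bootp, finger
# (bootps is the name the inetd.conf in section 7.4.2 uses for bootp).
RISKY_SERVICES = {"netstat", "systat", "tftp", "bootp", "bootps", "finger"}

# Constructed sample; the column layout mirrors the inetd.conf in section 7.4.2.
SAMPLE_INETD_CONF = """\
# Constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp  wait    root  /usr/sbin/tcpd  in.tftpd
finger  stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
#cfinger stream tcp  nowait  root  /usr/sbin/tcpd  in.cfingerd
systat  stream  tcp  nowait  guest /usr/sbin/tcpd  /bin/ps -auwwx
"""


def active_services(conf_text):
    """Return the service name (first field) of every line inetd would act on."""
    names = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        names.append(stripped.split()[0])
    return names


def disable_services(conf_text, services=RISKY_SERVICES):
    """Comment out every active line whose service field is in `services`.
    Returns (new_text, disabled_names).  Lines that are already commented
    and services not in the set are left exactly as they are."""
    out, disabled = [], []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            name = stripped.split()[0]
            if name in services:
                out.append("#" + line)
                disabled.append(name)
                continue
        out.append(line)
    return "\n".join(out) + "\n", disabled


def reload_inetd(pidfile="/var/run/inetd.pid"):
    """The HOWTO's 'kill -HUP <pid>': send SIGHUP so inetd re-reads its
    configuration.  Returns the pid signalled, or None if there is no
    pidfile (pidfile location is an assumption)."""
    if not os.path.exists(pidfile):
        return None
    with open(pidfile) as fh:
        pid = int(fh.read().strip())
    os.kill(pid, signal.SIGHUP)
    return pid


if __name__ == "__main__":
    new_conf, gone = disable_services(SAMPLE_INETD_CONF)
    print("disabled:", gone)
    print(new_conf)
```

On a live system you would read /etc/inetd.conf, write the result back, and then call reload_inetd(); the sample above only shows which lines change.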



  6.  IP   (IPFWADM)

   ,      IP Forwarding  
              ,
   .    (routing tables)   
            ,  
      .

      firewall,     
      ,  .

       scripts     firewall
      .    scripts  
  /etc/rc.d scripts         
   .

     IP Forwarding     Linux  
  .  '   script  firewall       
          ipfw 
         .   
      script :


    #
    # setup IP packet Accounting and Forwarding
    #
    #   Forwarding
    #
    # By default DENY all services
    ipfwadm -F -p deny
    # Flush all commands
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f



      firewall.      
  .         
   ()      
    .


    #  email
    ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25

    #   email    email
    ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535

    #   Web  Web
    /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80

    #   Web    Web
    /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 80 -D 0.0.0.0/0 1024:65535

    #  DNS
    /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24

           
    firewall.   script    .
             
      .
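To see what the forwarding policy above actually admits, the following added example (written for this page; it is not the HOWTO's script and not ipfwadm) parses the page's own `ipfwadm -F` commands and evaluates constructed packets against them: default deny, first match wins, and `-b` makes a rule match the reverse direction too. The mail-server address is written as 196.1.2.10 throughout, matching the page's outbound rule, and the `196.1.2.*` wildcard is written as 196.1.2.0/24.

```python
"""Evaluate the ipfwadm -F (forwarding) rules of section 6 against sample
packets: default policy deny, first matching rule wins, -b also matches
the reversed direction.

Added example, not part of the HOWTO or of ipfwadm.  The rule strings are
the page's commands (line-wraps joined); the packets are constructed."""
import ipaddress
import shlex

FORWARD_RULES = [
    "ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25",
    "ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535",
    "/sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80",
    "/sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 80 -D 0.0.0.0/0 1024:65535",
    "/sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24",
]


def _parse_port_range(token):
    """'25' -> (25, 25); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = token.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(cmd):
    """Turn one 'ipfwadm -F -a <policy> ...' command into a dict.  Only the
    flags the page uses are modelled: -a, -b, -P, -S, -D (address followed
    by an optional port or port range)."""
    argv = shlex.split(cmd)
    rule = {"policy": None, "bidir": False, "proto": "all",
            "src": ipaddress.ip_network("0.0.0.0/0"), "sports": None,
            "dst": ipaddress.ip_network("0.0.0.0/0"), "dports": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "-a":
            rule["policy"] = argv[i + 1]
            i += 2
        elif tok == "-b":
            rule["bidir"] = True
            i += 1
        elif tok == "-P":
            rule["proto"] = argv[i + 1]
            i += 2
        elif tok in ("-S", "-D"):
            side = "src" if tok == "-S" else "dst"
            rule[side] = ipaddress.ip_network(argv[i + 1], strict=False)
            i += 2
            if i < len(argv) and not argv[i].startswith("-"):
                rule[side[0] + "ports"] = _parse_port_range(argv[i])
                i += 1
        else:
            i += 1  # -F and anything else not modelled here
    return rule


def _one_way(rule, proto, saddr, sport, daddr, dport):
    """Does the packet match the rule as written (source -> destination)?"""
    if rule["proto"] not in ("all", proto):
        return False
    if ipaddress.ip_address(saddr) not in rule["src"]:
        return False
    if ipaddress.ip_address(daddr) not in rule["dst"]:
        return False
    for ports, port in ((rule["sports"], sport), (rule["dports"], dport)):
        if ports and not ports[0] <= port <= ports[1]:
            return False
    return True


def forward_decision(rules, proto, saddr, sport, daddr, dport, default="deny"):
    """First matching rule decides; -b rules also match the reversed packet.
    `default` is the chain policy (ipfwadm -F -p deny on the page)."""
    for cmd in rules:
        r = parse_rule(cmd)
        if _one_way(r, proto, saddr, sport, daddr, dport) or (
                r["bidir"] and _one_way(r, proto, daddr, dport, saddr, sport)):
            return r["policy"]
    return default


if __name__ == "__main__":
    # constructed packets: (proto, src, sport, dst, dport)
    for pkt in [("tcp", "10.9.8.7", 40000, "196.1.2.10", 25),
                ("tcp", "10.9.8.7", 40000, "196.1.2.10", 23),
                ("udp", "196.1.2.40", 1234, "10.9.8.7", 53)]:
        print(pkt, "->", forward_decision(FORWARD_RULES, *pkt))
```

The telnet packet to port 23 falls through every rule and is dropped by the deny policy, which is the point of starting the script with `ipfwadm -F -p deny`; the inside host's DNS query is admitted only because the UDP/53 rule is bidirectional.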








    #     
    ipfwadm -A -f
    # 
    /sbin/ipfwadm -A -f
    /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
    /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24



        firewall   
   .   :-)


  7.      TIS



  7.1.

   TIS fwtk    ftp://ftp.tis.com/.

        .      TIS
    README.  TIS fwtk      
     . TIS     email
  fwtk-request@tis.com     SEND
         .   
  (subject)  .         
     (  12 )     
  .

       ( HOWTO)  TIS    2.0
  (beta)  FWTK.        (
   )    .      
   .         HOWTO.

      FWTK,    fwtk-2.0 
  /usr/src.      FWTK fwtk-2.0.tar.gz)  
        (/usr/src/fwtk-2.0)  
  . (tar zxf fwtk-2.0.tar.gz)

   FWTK   () SSL web    
   (add on) '     Jean-Christophe Touvet.
     ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z.   Touvet

         
  Netscape       Eric Wedel.
    ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z.

          Eric Wedel.

     ,    ssl-gw  
  /usr/src/fwtk-2.0      .

          
       .

       ssl-gw.c .    
     (included) .




    #if defined(__linux)
    #include        <sys/ioctl.h>
    #endif



      Makefile.      
            ssl-gw.


  7.2.    TIS FWTK

    2.0  FWTK      
   .       
     BETA     . 
         .

     ,    /usr/src/fwtk/fwtk
      Makefile.config.linux   
  Makefile.config

  [1m   FIXMAKE[22m.      .  
      Makefiles   

        fixmake.     sed script
    '.'  ''      
  Makefiles.


    sed 's/^include[        ]*\([^  ].*\)/include \1/' $name .proto > $name



        Makefile.config. 
       .

            . 
       /usr/src     
   FWTKSRCDIR    .


    FWTKSRCDIR=/usr/src/fwtk/fwtk



  ,     Linux   
   gdbm.  Makefile.conf  dbm.   
   .    RH 3.0.3


    DBMLIB=-lgdbm



       x-gw.  bug     
   socket.c .        
  


    #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
                         + sizeof(un_name->sun_len) + 1
    #endif




     ssl-gw  FWTK   .  
         Makefile.


    DIRS=   smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw



     make.



  7.3.    TIS FWTK

   make install.

         /usr/local/etc. 
     ( )     .  
         chmod 700.

            firewall


  7.4.    TIS FWTK

      .    :-)  
             
    .

           TIS FWTK,
  .          
          .

         



    /etc/services

           


    /etc/inetd.conf

      inetd        
     


    /usr/local/etc/netperm-table

      FWTK         
        .

      FWTK ,      
        .    
     inetd.conf   netperm-table
        .


  7.4.1.    netperm-table

            
    TIS FWTK.       
    firewall     .    
    ,        
  ,            
    .

          ,  firewall
       authsrv
    user ID   .     
  netperm-table         
      .

           .
      permit-hosts    '*'
       .       
   '' authsrv: permit-hosts localhost
   


    #
    # Proxy configuration table
    #
    # Authentication server and client rules
    authsrv:      database /usr/local/etc/fw-authdb
    authsrv:      permit-hosts *
    authsrv:      badsleep 1200
    authsrv:      nobogus true
    # Client Applications using the Authentication server
    *:            authserver 127.0.0.1 114



       ,  root,   ./authsrv
    /var/local/etc       
      .     .

      FWTK      
    .


      #
      # authsrv
      authsrv# list
      authsrv# adduser admin "Auth DB admin"
      ok - user added initially disabled
      authsrv# ena admin
      enabled
      authsrv# proto admin pass
      changed
      authsrv# pass admin "plugh"
      Password changed.
      authsrv# superwiz admin
      set wizard
      authsrv# list
      Report for users in database
      user   group  longname           ok?    proto   last
      ------ ------ ------------------ -----  ------  -----
      admin         Auth DB admin      ena    passw   never
      authsrv# display admin
      Report for user admin (Auth DB admin)
      Authentication protocol: password
      Flags: WIZARD
      authsrv# ^D
      EOT
      #



     telnet  (tn-gw)    
       .
    ,   host     
            .
  (permit-hosts 196.1.2.* -passok) ,
    user ID        
  . (permit-hosts * -auth)

        (196.1.2.202)    
  firewall       firewall  . 
    netacl-in.telnetd   .
    .

   Telnet time out    .


    # telnet gateway rules:
    tn-gw:                denial-msg      /usr/local/etc/tn-deny.txt
    tn-gw:                welcome-msg     /usr/local/etc/tn-welcome.txt
    tn-gw:                help-msg        /usr/local/etc/tn-help.txt
    tn-gw:                timeout 90
    tn-gw:                permit-hosts 196.1.2.* -passok -xok
    tn-gw:                permit-hosts * -auth
    # Only the Administrator can telnet directly to the Firewall via Port 24
    netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd



   r-commands        telnet.


    # rlogin gateway rules:
    rlogin-gw:    denial-msg      /usr/local/etc/rlogin-deny.txt
    rlogin-gw:    welcome-msg     /usr/local/etc/rlogin-welcome.txt
    rlogin-gw:    help-msg        /usr/local/etc/rlogin-help.txt
    rlogin-gw:    timeout 90
    rlogin-gw:    permit-hosts 196.1.2.* -passok -xok
    rlogin-gw:    permit-hosts * -auth -xok
    # Only the Administrator can telnet directly to the Firewall via Port
    netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a



           firewall  
    FTP     FTP,   
  firewall.

  ,   permit-hosts    
      Internet
     .     
           .
  (-log { retr stor })

   ftp timeout          
             
  .


    # ftp gateway rules:
    ftp-gw:               denial-msg      /usr/local/etc/ftp-deny.txt
    ftp-gw:               welcome-msg     /usr/local/etc/ftp-welcome.txt
    ftp-gw:               help-msg        /usr/local/etc/ftp-help.txt
    ftp-gw:               timeout 300
    ftp-gw:               permit-hosts 196.1.2.* -log { retr stor }
    ftp-gw:               permit-hosts * -authall -log { retr stor }



  Web, gopher   browser  ftp    
  http-gw.         
    ftp  web       
  firewall.        root   
         root.

    Web    .     
      .


    # www and gopher gateway rules:
    http-gw:      userid          root
    http-gw:      directory       /jail
    http-gw:      timeout 90
    http-gw:      default-httpd   www.afs.net
    http-gw:      hosts           196.1.2.* -log { read write ftp }
    http-gw:      deny-hosts      *



   ssl-gw       . 
   .          
           
      127.0.0.  192.1.1.   
   443  563.   443  563   SSL .


    # ssl gateway rules:
    ssl-gw:         timeout 300
    ssl-gw:         hosts           196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
    ssl-gw:         deny-hosts      *



           plug-gw  
      .    
            
         .

             
     .

          
     ,  timeout     
   .



    # NetNews Plugged gateway
    plug-gw:        timeout 3600
    plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
    plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp



    finger  .      
     login       
   finger   firewall.      
  .


    # Enable finger service
    netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
    netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt


      Mail  X-windows    
  .      , 
    email.


  7.4.2.    inetd.conf

       /etc/inetd.conf.   
      .     
       ,       
     firewall.

    #echo stream  tcp  nowait  root       internal
    #echo dgram   udp  wait    root       internal
    #discard      stream  tcp  nowait  root       internal
    #discard      dgram   udp  wait    root       internal
    #daytime      stream  tcp  nowait  root       internal
    #daytime      dgram   udp  wait    root       internal
    #chargen      stream  tcp  nowait  root       internal
    #chargen      dgram   udp  wait    root       internal
    # FTP firewall gateway
    ftp-gw      stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
    # Telnet firewall gateway
    telnet        stream  tcp  nowait      root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
    # local telnet services
    telnet-a    stream  tcp  nowait      root  /usr/local/etc/netacl in.telnetd
    # Gopher firewall gateway
    gopher        stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
    # WWW firewall gateway
    http  stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
    # SSL firewall gateway
    ssl-gw  stream  tcp     nowait  root /usr/local/etc/ssl-gw   ssl-gw
    # NetNews firewall proxy (using plug-gw)
    nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
    #nntp stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
    # SMTP (email) firewall gateway
    #smtp stream  tcp     nowait  root    /usr/local/etc/smap smap
    #
    # Shell, login, exec and talk are BSD protocols.
    #
    #shell        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
    #login        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
    #exec stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
    #talk dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
    #ntalk        dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
    #dtalk        stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
    #
    # Pop and imap mail services et al
    #
    #pop-2   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop2d
    #pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop3d
    #imap    stream  tcp  nowait  root  /usr/sbin/tcpd    imapd
    #
    # The Internet UUCP service.
    #
    #uucp    stream  tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
    #
    # Tftp service is provided primarily for booting.  Most sites
    # run this only on machines acting as "boot servers." Do not uncomment
    # this unless you *need* it.
    #
    #tftp dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
    #bootps       dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
    #
    # Finger, systat and netstat give out user information which may be
    # valuable to potential "system crackers."  Many sites choose to disable
    # some or all of these services to improve security.
    #
    # cfinger is for GNU finger, which is currently not in use in RHS Linux
    #
    finger        stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
    #cfinger      stream  tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
    #systat       stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
    #netstat      stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
    #
    # Time service is used for clock synchronization.
    #
    #time stream  tcp  nowait  root  /usr/sbin/tcpd  in.timed
    #time dgram   udp  wait    root  /usr/sbin/tcpd  in.timed
    #
    # Authentication
    #
    auth          stream  tcp  wait    root  /usr/sbin/tcpd  in.identd -w -t120
    authsrv       stream  tcp  nowait  root  /usr/local/etc/authsrv authsrv
    #
    # End of inetd.conf




  7.4.3.    /etc/services

      .      firewall
       . (  1024). .. 
  telnet    23.  inetd     
           /etc/services. 
             
  /etc/inetd.conf.

          
  /etc/services.
  .  ..    telnet    (telnet-a)
    24.        2323  .
     (),      firewall 
     telnet   24   23   
   netperm-table,   ,      
         .




    telnet-a        24/tcp
    ftp-gw          21/tcp           # this name changed
    auth            113/tcp   ident    # User Verification
    ssl-gw          443/tcp





  8.   SOCKS

  8.1.

   SOCKS
  ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-src.tgz.
           (config
  file)   "socks-conf".     
     ,       
    .       .
     Makefile    .

           
        /etc/inetd.conf.
       :


    socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd



           .  to tell the
  server to run when requested.

  8.2.     .

    SOCKS     .  
     ,       
     .     
    .     
     Un*x .  DOS , , Macintosh
  /     .


  8.2.1.

    socks4.2 Beta,     "sockd.conf".  
     2 ,      . 
      :


       (Identifier) (permit/deny)

     IP 

      

        .    
       .

        byte     
  . .. 192.168.2.0.

          
   byte.      (netmask). 
       32 bit (1  0).   bit  1, 
   bit          
    bit      . ..   
  :


      permit 192.168.2.23 255.255.255.255



              bit
   192.168.2.23, ..  192.168.2.3.  :


      permit 192.168.2.0 255.255.255.0



           192.168.2.0 
  192.168.2.255,   C  .      :


      permit 192.168.2.0 0.0.0.0



        , .

  ,          
   ,     .   
       192.168.2.,  :




      permit 192.168.2.0 255.255.255.0
      deny 0.0.0.0 0.0.0.0



    .     "0.0.0.0"   
  .      0.0.0.0,    
   .   0      
  .

         .

          
   .      
  .        ,
    Trumpet Winsock,      
  .      socks    ' 
   .


  8.2.2.    .

         SOCKS "socks.conf".
   " "        
        .

           SOCKS  
     socks   . ..   , 
  192.168.2.3       socks  
     192.168.2.1,  firewall.    
   Ethernet.    127.0.0.1,   
  (loopback), .      SOCKS  
      .    :



    deny

    direct

    sockd

    (deny)   SOCKS     .  
          sockd.conf,  
  (identifier),    (modifier). , 
       sockd.conf,   , 
        0.0.0.0.   
          ,   
   .

   direct         
  socks.          
     .    ,
  ,   .     


      direct 192.168.2.0 255.255.255.0



          .

   sockd    /  host   socks 
    .    :


    sockd @=<serverlist> <IP address> <modifier>



    @= .       
       .   ,
      . ,  
           
    .

            
  .        
  .  The IP address and modifier fields work just like in the other
  examples.  You specify which addresses go where through these.


  8.2.3.   DNS (Domain Name Service)

     firewall    .
     DNS       firewall.
     firewall     DNS.  DNS    firewall.

  8.3.     .

  8.3.1.  Uni

            
  ,    "sockified".   
   telnet,        
     .  SOCKS
      SOCKify  ,     pre-
  SOCKified .    SOCKified   
    ,  SOCKS
  .   ,      
           SOCKified
  . .  "Finger"  "finger.orig",  "telnet"
   "telnet.orig", ..      SOCKS   
    include/socks.h .

          sockify
    .  Netscape    .  
        Netscape
       (192.168.2.1   )
     SOCKS    Proxies.
   ,        
  .


  8.3.2.  MS Windows  Trumpet Winsock

   Trumpet Winsock     
  .    " (setup)",   
     ,       / 
    .  Trumpet     
   .


  8.3.3.         UDP

    SOCKS     TCP,   UDP.  
    .   ,   talk  
  Archie,  UDP.      
        UDP 
   UDPrelay,   Tom Fitzgerald <fitz@wang.com>. ,
        HOWTO,      Linux.

  8.4.

     ,  ' ,   .
          Internet 
        . 
         
        ,    
     ' .    ,
  talk  archie ,     
  .       , 
      :


              
         firewall.   , 
           .  . 
              
      firewall.    log  firewall ,  
            , 
              .

         .     email.
          ,  
             
     .      , 
     ,    mail.

        UDP    
         .  
       UDP   .

   FTP        .
      ls,   FTP    
         .  
       ,   FTP  
   .

  ,     .   
   - (overhead),       
        .

  ,     ,      
  ,   firewall / 
  .      ,    
      ,       
      ,   Term, Slirp  TIA.  Term
      ftp://sunsite.unc.edu,  Slirp
    ftp://blitzen.canberra.edu.au/pub/slirp,   TIA
     marketplace.com.      ,
    ,     
          Internet.  
            host
        Internet "on the fly",  
      .


  9.

             
  .         
  . ,       
          .
          ,  
          
  firewalls,   .

  9.1.

  ,  ,     
         .  50 /  
    32    5  (bits). 
           
     . ,   
         .

    :


  1.   .       .
              
     .

  2.
        .       
      evail       .

  3.
              
           ,  
        Newt Gingrich, Oklahoma City, lown
              
      51.


  9.1.1.

        :



    1   192.168.2.2555,      
      

    23   32      23 
          Internet.

    1       linux    

    1       linux   
     .

    2     

    4   ,       paul,
     ringo, john,  george,       .

          192.168.2.

  ,    ,    
  .      Ethernet  
      . ,   ethernet
      ethernet.

             linux 
     .

      (file server)    
   .       
      .   
     192.168.2.17      
  192.168.2.23    .    
       Ethernet.   Forwarding
      .

    Forwarding      linux  . 
         192.168.2. 
         ,   Internet 
       .      IP
  Forwarding           
          ,  
  .

    NFS       
      .   ,
          (symbolic links) 
            .
         ethernet  
             .


  9.1.2.

  ,           
         ,   
       Internet,     
      .   
       firewalls,    
     .

        .    
        .   
  ,        .


  1.         
       Internet.       
        ,     , 
        .

  2.        World Wide Web.
        ,      ,
      ,    .

  ,   sockd.conf   linux     
   :


      deny 192.168.2.17 255.255.255.255



      :


      deny 192.168.2.23 255.255.255.255


  ,   linux       :


      deny 0.0.0.0 0.0.0.0 eq 80



             
       (equal)  80,  http . 
       ,   Web
  .
  ,     :


      permit 192.168.2.0 255.255.255.0



           192.168.2.
          
       . (.     
  Web      .)


    sockd.conf      :


      deny 192.168.2.17 255.255.255.255
      deny 0.0.0.0 0.0.0.0 eq 80
      permit 192.168.2.0 255.255.255.0



      :


      deny 192.168.2.23 255.255.255.255
      permit 192.168.2.0 255.255.255.0



         .   
   ,     . 
     .
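The sockd.conf rules given for the linux machine above follow the matching scheme section 8.2.1 describes: each line is permit or deny, an address, and a mask whose 1-bits must agree exactly, with an optional port comparison such as `eq 80`, and the first matching line decides. The following added example (written for this page, not code from the HOWTO or from the SOCKS distribution) implements that evaluation and runs the page's own three-line sockd.conf against constructed connection attempts; treating a request that matches no line as denied is the documented sockd behaviour, taken here as an assumption.

```python
"""Evaluate SOCKS 4.2 sockd.conf rules of the form
    permit|deny <src-addr> <src-mask> [eq|neq|lt|gt|le|ge <dest-port>]
as sections 8.2.1 and 9.1.2 describe: first match wins, and a mask bit of 1
means that bit of the client address must equal the rule address.

Added example, not part of the HOWTO or of SOCKS.  SOCKD_CONF is the
page's sockd.conf for the linux machine; the client requests are constructed."""
import socket
import struct

SOCKD_CONF = """\
deny 192.168.2.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.2.0 255.255.255.0
"""

# port comparison operators sockd.conf accepts after the address pair
PORT_OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
            "lt": lambda a, b: a < b, "gt": lambda a, b: a > b,
            "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b}


def ip_to_int(dotted):
    """'192.168.2.23' -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def addr_matches(addr, rule_addr, mask):
    """Every bit set in the mask must agree between addr and rule_addr, so a
    mask of 0.0.0.0 matches any address and 255.255.255.255 exactly one."""
    m = ip_to_int(mask)
    return (ip_to_int(addr) & m) == (ip_to_int(rule_addr) & m)


def parse_sockd_conf(text):
    """Parse the rule lines; '#' starts a comment, blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("permit", "deny"):
            raise ValueError("bad sockd.conf line: %r" % raw)
        rule = {"action": fields[0], "addr": fields[1], "mask": fields[2],
                "op": None, "port": None}
        rest = fields[3:]
        if len(rest) >= 2 and rest[0] in PORT_OPS:
            rule["op"], rule["port"] = rest[0], int(rest[1])
        rules.append(rule)
    return rules


def sockd_decision(rules, client_addr, dest_port):
    """'permit' or 'deny' for client_addr asking sockd to reach dest_port.
    The first line whose address and (if present) port test both match
    decides; no match means deny (assumed, as in sockd's documentation)."""
    for r in rules:
        if not addr_matches(client_addr, r["addr"], r["mask"]):
            continue
        if r["op"] and not PORT_OPS[r["op"]](dest_port, r["port"]):
            continue
        return r["action"]
    return "deny"


if __name__ == "__main__":
    rules = parse_sockd_conf(SOCKD_CONF)
    # constructed requests: (client address, destination port)
    for client, port in [("192.168.2.17", 23), ("192.168.2.3", 80),
                         ("192.168.2.3", 23), ("10.0.0.5", 23)]:
        print(client, port, "->", sockd_decision(rules, client, port))
```

Order matters exactly as the text says: moving the `permit 192.168.2.0 255.255.255.0` line to the top would make it match 192.168.2.17 first, and the deny for that host would never be reached.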

  ,   !



    

            
             
     .      
            . 
             :->
           
           HOWTO, 
   voulariba@hellug.gr,    .  
      firewalls     
   ,    .


    mazestix@ath.forthnet.gr 26  1999
