
                          Firewall and Proxy Server HOWTO
                                       
Author: Mark Grennan, markg@netplus.net
Translator: tchao@worldnet.att.net

   v0.4, 8 November 1996
     _________________________________________________________________
   
   This document describes the basics of firewall systems and gives some
   detail on setting up both a filtering and a proxy firewall on a
   Linux-based PC. An HTML version of this document is available at
   http://okcforum.org/~markg/Firewall-HOWTO.html
     _________________________________________________________________
   
1. Introduction

     * 1.1 Feedback
     * 1.2 Disclaimer
     * 1.3 Copyright (translator's note: the copyright notice is left in the original English)
     * 1.4 My Reasons for Writing This
     * 1.5 TODO
     * 1.6 Further Readings
       
2. Understanding Firewalls

     * 2.1 Drawbacks with Firewalls
     * 2.2 Types of Firewalls
       
3. Setting up the Firewall

     * 3.1 Hardware requirements
       
4. Firewall Software

     * 4.1 Available packages
     * 4.2 The TIS Firewall Toolkit vs SOCKS
       
5. Preparing the Linux system

     * 5.1 Compiling the Kernel
     * 5.2 Configuring two network cards
     * 5.3 Configuring the Network Addresses
     * 5.4 Testing your network
     * 5.5 Securing the Firewall
       
6. IP filtering setup (IPFWADM)

7. Installing the TIS Proxy server

     * 7.1 Getting the software
     * 7.2 Compiling the TIS FWTK
     * 7.3 Installing the TIS FWTK
     * 7.4 Configuring the TIS FWTK
       
8. The SOCKS Proxy Server

     * 8.1 Setting up the Proxy Server
     * 8.2 Configuring the Proxy Server
     * 8.3 Working With a Proxy Server
     * 8.4 Drawbacks with Proxy Servers
       
9. Advanced Configurations

     * 9.1 A large network with emphasis on security
     _________________________________________________________________
   
1. Introduction

   ̪쪺og - HOWTOODavid Rudderdrig@execpc.com@~CL
   bLZWWqeA惡ڲ`P¡C ̪o@}l, ]Firewall^
   FںwDDC\hLD@ˡAo]Pɳy
   F\hH復~ѡCogHOWTO N|QOHpwˡHץN
   zA]Proxy Server^Hp]wNzAHHγoǧ޳NbwH
   ~ΡC
   
1.1 Feedback

   pGo{og峹~, аȥqڡCHDt, ELL! 
   ~ڳ֤_󥿡CӫHڳ|]k^, ڬ۷, pGSڪ^HA
   ٽХ][C^Ha}markg@netplus.net
   
   pGo{~ĶBAХߧYqĶ̡G
   ]tchao@worldnet.att.net)C
   
1.2 Disclaimer

   ڤ̷ӥҰ欰yl`td(I AM NOT RESPONSIBLE
   FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS DOCUMENT) 
   Cog峹uШMNzA@ΡCnDAڤOqwDM
   aA]qӨS˦o譱MaCڥuOӳwŪѡAӥBRqӹLRH
   åCڧƱog峹UAxoӥDD, OeL~C
   
1.3 Copyright (translator's note: the copyright notice is left in the original English)

   Unless otherwise stated, Linux HOWTO documents are copyrighted by
   their respective authors. Linux HOWTO documents may be reproduced and
   distributed in whole or in part, in any medium physical or electronic,
   as long as this copyright notice is retained on all copies. Commercial
   redistribution is allowed and encouraged; however, the author would
   like to be notified of any such distributions.
   
   All translations, derivative works, or aggregate works incorporating
   any Linux HOWTO documents must be covered under this copyright notice.
   That is, you may not produce a derivative work from a HOWTO and impose
   additional restrictions on its distribution. Exceptions to these rules
   may be granted under certain conditions; please contact the Linux
   HOWTO coordinator.
   
   In short, we wish to promote dissemination of this information through
   as many channels as possible. However, we do wish to retain copyright
   on the HOWTO documents, and would like to be notified of any plans to
   redistribute the HOWTOs.
   
   If you have any questions, please contact Mark Grennan at
   <markg@netplus.net>.
   
1.4 My Reasons for Writing This

   ޥh~bcomp.os.linuxW\h_DQסAڵo{]
   wһݪơCogHOWTOѤF@UAeC
   ڮھDavid RuddersgFirewall HOWTO@FWqAƱog峹ѤF
   ơAϧAbXpɤN]w@ӥiHB@AӤAݭnXP
   [C ڤ]{ӲɺOA^RnLinuxB͡C
   
1.5 TODO

     * An example of how to set up a client
     * Find and test a UDP proxy server for Linux
       
1.6 Further Readings

     * NET-2 HOWTO
     * Ethernet HOWTO
     * Multiple Ethernet Mini HOWTO
     * Networking with Linux
     * PPP HOWTO
     * TCP/IP Network Administrator's Guide, published by O'Reilly and Associates
     * TIS Firewall Toolkit
       
   bTrusted Information System (TIS) }WF\h𪺤M
   ơChttp://www.tis.com/
   
   ~Aڤ]bqƤ@٬Linuxw]Secure Linux^ءCbSecure
   Linux}WAڦFҦLinuxwiaơBM{CpGAݭn
   o譱ơAШӫHC
   
2. Understanding Firewalls

   OT@ӳ󪺦W١CbTAQΨ⭼ȩMj}AH
   KT@ۤA𤣦O@ȦwAӦPٯq~򱱨
   C bqAO@ظ˸mAiϭӧO@]Ӻں
   ^vTC A夤Nq٬𡨡APɳsO@
   MںݡCO@LkںAں]Lk
   O@C pGnqO@ںAN
   otelnet쨾AMqpWںC ²檺Odual
   homedtΡ]㦳ӺptΡ^CpGA۫HҦAΤAAun
   ˳]@xLinux]]wɱN IP forwarding/gatewaying ] OFF^ACH]
   @bCLHno@tΡAϥtelnetBFTPA\ŪqlMϥΩҦ
   AѪLAȡCھڳo]mAo@ߤ@P~ptqK
   OoӨCboӺLqƦܤݭn@Ϊ|C ݭnA
   JnϤWzo@ΡAN۫HҦΤTLAڥio\
   ĳC
   
2.1 Drawbacks with Firewalls

   Τ_LoΪ𪺰DOoبںiJACuq
   LLo~Υ\CbNzApUAΤin쨾A
   MiJptΡC ~AثeXGCѳsȤMA
   WC]AonskiJ~եγoǥ\C
   
2.2 Types of Firewalls

   𦳨ءC
   
     1. IP Filtering Firewalls - these block all but selected network traffic.
     2. Proxy Servers - these make the network connections for you.
       
  IP Filtering Firewalls
  
   IPLobƾڥ]@hu@C̾ڰ_IBIB𸹩MC@ƾڥ]ҧt
   ƾڥ]Hƾڥ]yʡC oبD`wAOʤ֦Ϊn
   OCקOHiJӧOA]iDAHiJA@tΡAΦ
   HqiJںC LoOʪLotΡCYϧAn~ɪ@
   ǤHiJApAAA]LkC@ӤHiJAC Linuxq1.3.x}
   lNb֤]tFƾڥ]LonC
   
  Proxy Servers
  
   NzA\qL𶡱iJںC̦nҤlOtelnettΡAM
   qӳBAtelnett@ӨtΡCbNzAtΤAou@N۰
   CQΫȤݳnsNzAANzAҰʥȤݳn]Nz^
   AMǦ^ƾڡC Ѥ_NzAƩҦqTA]OҦi檺u@
   C untmTANzANwAo̥̥iBCץHi
   JA]SIPqC
   
3. Setting up the Firewall

3.1 Hardware requirements

   bdҤAҥΪqtmO@486-DX66A16MsM500M LinuxΡCt
   ΤٸˤFidA@ispAt@i@Ӻ٬Dxưϡ
   ]ĶGκ^AӦboӫDxưϪWA@ӱں
   Ѿ]router^C oذtm`AƦ٥iΤ@idM@xƾھ
   qLPPPںA䤧BOWIPXC ֤Ha
   pABTxqb@_CոէҦƾھb]Linux
   qW]ª386^AMQέtŪ覡ƾھںCQ
   γoظ˸mApGnǿƾڡAⳡƾھPɤu@Ai[ǿ骺tסC
   
4. Firewall Software

4.1 Available packages

   pGun]m@ӹLoAunLinuxM򥻺nNFC@Mn
   iणbAϥΪLinuxA٬ IP Firewall AdministrationuC
   (IPFWADM) iq http://www.xos.nl/linux/ipfwadm/oC pGn]mNz
   AANݭn@ӳoخM˳nC
    1. SOCKS
    2. TIS Firewall Toolkit (FWTK)
       
4.2 The TIS Firewall Toolkit vs SOCKS

   Trusted Information System (http://www.tis.com)ѤF@tCnAΥH²
   Ʀw˨𪺤u@C oǳn򥻤WPSOCKSnۦPA]pP
   CSOCKSQΤ@MnҦPInternetu@ATISC@ӧƱϥ
   utilityѤ@ӳnC F̤PANHworld wide
   webMTelnetҧaTbSOCKSA]w@ӳ]m]configuration^ɩM@
   daemonAtelnetMWWW}lu@APɨLS\]B@
   C bTISAWWWMtelneto]wU۪configurationɩMdaemonCg
   ]wALinternet\ऴLkBΡADoǥ\]@X]wC
   pGY@\]Ҧptalk^SdaemonAM"plug-in" daemoniΡA
   Lu㨺FAӥB]]wC oGOpơABjtOC]
   mSOCKSɤiHHNCpGSOCKSA]mӧAqiH
   έäⴣѪinternet\CpϥTISAquեΨtκ޲z
   ̳Ww\C SOCKS_]wB_sAåBFʸCpnިO
   @ϥΪ̡AhTISwʸCL̳ѤFO@A~ɵL
   kiJC ڷ|̪w˩M]wkC
   
5. Preparing the Linux system

5.1 Compiling the Kernel

   QLinuxswLinuxtΡ]ڥRedHat 3.0.3AҧHo@
   ǡ^CtΤw˪nV֡AfM|}]V֡A]oǤfM|}
   tΪw|ͰDAҥHunw˰Ϊֶ̤qnYiC Τ@í
   w֡CڪtΥΤFLinux 2.0.14֡C ]AoHoؤֳ]m
   ¦C ھھAﶵ]options^ss褺֡C pGHeSŪ
   LKernel HOWTOB Ethernet HOWTOMNET-2 HOWTOAɤQγoӾ|Ū@
   ŪoHOWTOC HUObmake configP]wC
     1. Under General setup
          1. Set Networking Support ON
     2. Under Networking Options
          1. Set Network firewalls ON
          2. Set TCP/IP Networking ON
          3. Set IP forwarding/gatewaying OFF (unless you want IP filtering)
          4. Set IP Firewalling ON
          5. Set IP firewall packet logging ON (not required, but a good idea)
          6. Set IP: masquerading OFF (not covered in this document)
          7. Set IP: accounting ON
          8. Set IP: tunneling OFF
          9. Set IP: aliasing OFF
         10. Set IP: PC/TCP compatibility mode OFF
         11. Set IP: Reverse ARP OFF
         12. Set Drop source routed frames ON
     3. Under Network device support
          1. Set Network device support ON
          2. Set Dummy net driver support ON
          3. Set Ethernet (10 or 100Mbit) ON
          4. Select your network card
       
   {bssAswˤ֡AsҰʡCdbҰʪܤܡCpG
   SdAd\LHOWTOA]אּC
   
5.2 Configuring two network cards

   qpidAiݭnb/etc/lilo.confɤW[@Ai
   dIRQMa}CbڪAlilo.confɼW[@pUJ
    append="ether=12,0x300,eth0 ether=15,0x340,eth1"

5.3 Configuring the Network Addresses

   oAӥBonǨMwCѤ_ںiJ۳]
   󳡤A]ݭnιڪ}CbںdF@Ǧa}i
   HNϥΡA]۳]`oݭna}AӥBoǦa}]LkiJںA
   C]γoǦa}C boǦa}A192.168.2.xxxOQdΪa
   }A]NγoǦa}ӧ@C
   
   Ѥ_NzAPɨBӺA]~ǰe䪺ƾڡC
   
             199.1.2.10   __________    192.168.2.1
      _  __  _        \ |         | /         _______________
    | \/  \/ |             \|        |/          |            |
    / Internet \-------------| Firewall |-------------------| Workstation/s |
      \_/\_/\_/\_/          |_________|           |______________|

   pn]mLoA¥iγoǺ}ALoϥIP masqueradingCgLo
   س]wAN|eƾڥ]Aå[ڪIPa}eںC bd
   ںݡ]~ݡ^o]wuIPa}AbHӺdݳ]
   192.168.2.1CoOoxqNz/IPa}CO@ҦL
   qi192.168.2.xxx@ӧ@a}]q192.168.2.2
   192.168.2.254^C bRedHat Linux Aob
   /etc/sysconfig/network-scriptsؿUW[@ifcfg-eth1ɡAHKbҰʮ
   AqLoɳ]wMroutingC ifcfg-eth1Ѽƥi]wpUJ
    #!/bin/sh
    #>>>Device type: ethernet
    #>>>Variable declarations:
    DEVICE=eth1
    IPADDR=192.168.2.1
    NETMASK=255.255.255.0
    NETWORK=192.168.2.0
    BROADCAST=192.168.2.255
    GATEWAY=199.1.2.10
    ONBOOT=yes
    #>>>End variable declarations

   iեγoǰѼƨϼƾھPISP۰ʳsCݬ ipup-pppɡC pμƾھP
   ںsAISP|bsɫw~ݪIPa}C
   
5.4 Testing your network

   qifconfigMroute}lCpWidAU]mpUpJ
  #ifconfig
  lo        Link encap:Local Loopback
            inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
            UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
            RX packets:1620 errors:0 dropped:0 overruns:0
            TX packets:1620 errors:0 dropped:0 overruns:0

  eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
            inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0
            TX packets:0 errors:0 dropped:0 overruns:0
            Interrupt:12 Base address:0x310

  eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
            inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0
            TX packets:0 errors:0 dropped:0 overruns:0
            Interrupt:15 Base address:0x350

   route ݰ_ӦpUJ
#route -n
Kernel routing table
Destination   Gateway   Genmask    Flags  MSS  Window  Use  Iface
199.1.2.0     *       255.255.255.0   U   1500   0      15 eth0
192.168.2.0   *       255.255.255.0   U   1500   0       0 eth1
127.0.0.0     *       255.0.0.0      U   3584   0       2 lo
default      199.1.2.10   *          UG  1500   0       72 eth0

   `J 199.1.2.0b𪺺ںݡA192.168.2.0b۳]@ݡC 
   ձqping ںCnic.ddn.mil@ICoӸI٤A
   uOpڹwiaCpGSpWAոpingXӤOAWa}CpG
   pWAhPPP]w@wCAŪ@Net-2 HOWTOAMAաC MA
   qpingO@qCҦqping
   L@xqCpGAAŪŪNet-2 HOWTOAAդ@C ۸qO@
   pingH~a}C]`NJݤ_192.168.2.xxxa}^pGiH
   AIP Forwarding\SCQ@QoO_ŦXcQCpGO
   dIP Forwarding\ANOLU]wIP filteringC {bոձq
   ping ںCQΥHeճqP@a}]ҦpAnic.ddn.mil^Cp
   G IP Forwarding\wgANqCLpGo\SAN
   ӱqC ]OdFIP Forwarding\AӦb۳]ϥιڪIPa
   }]O192.168.2.*^Aboس]wUApGLkping ںAping
   ں䪺ANoˬdW@hrouter_ƾڥ]ǰe۳]
   a}WC]ioISP@oˬd^ pGO@a}w192.168.2.*Ah
   ƾڥ]ǰeCpGS@oǳ]wAӨϥΤFIP masqueradingAo
   Ӧ\C ܦAU]w򥻧C
   
5.5 Securing the Firewall

   pGqLWSϥΪ\HNiXAhoب]NS
   \γBC "b" 쨾𤺧@XnקAѨҥΡC Ҧ
   Ϊ\Cˬd /etc/inetd.confɡCoɱҿת"WŦA"C
   F\hAdaemonAMbݭnɱҰʳodaemonC netstatB
   systatB tftpB bootpMfinger\C\઺kO#@\檺歺
   rC]wAJ"kill -HUP <pid>"ASIG-HUP A䤤<pid>
   Oinetd{ǽsCinetd|AŪtmɡ]inetd.conf^AñqsҰʨt
   C Qtelnet ը𪺰𸹡]port^15AoOnetstat𸹡Cpnetstat
   ^pAtΨèSnDTaqsҰʡC
   
6. IP filtering setup (IPFWADM)

   ]w֪IP Forwarding\At}leC@HC|
   ]routing table^w]wA]ӥiHqaIAqiHp~
   Aq~]iiC O𪺧@άOHiHHKiXC
   bܽdtΤ]wFMO]script^A慨forwardingMaccounting
   @FWwCtΦbB/etc/rc.dɨγoMOA]btαҰʮɴNt
   @F]mC Linux֦۳]e@HIP ForwardingtΡC]A
   OT@iJtΪvQAMWBdUipfwWhC
   UOFoتC
   
  #
  # setup IP packet Accounting and Forwarding
  #
  #   Forwarding
  #
  # By default DENY all services
  ipfwadm -F -p deny
  # Flush all commands
  ipfwadm -F -f
  ipfwadm -I -f
  ipfwadm -O -f

   nFA{bFOIC@Q̾צb~ALkV@B
   CMAǥ\٬OݭnAU@ǨҤli@ѦҡC
  # Forward email to your server
  ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25

  # Forward email connections to outside email servers
  ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535

  # Forward Web connections to your Web Server
  /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80

  # Forward Web connections to outside Web Server
  /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.* 80 -D 0.0.0.0/0 1024:65535

  # Forward DNS traffic
  /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
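To check what the forwarding chain above actually lets through before it goes live, here is an added example (not the HOWTO's own code) that parses those ipfwadm -F commands into a first-match model: default policy, -f flush, -a accept/deny with -P, -S/-D endpoints with port lists, and -b for the reverse direction. The first-match and -b semantics are this model's assumptions about ipfwadm; the embedded ruleset copies section 6 with the Web rule's source written as 196.1.2.0/24 so the parser accepts it, and keeps 192.1.2.10 in the inbound mail rule exactly as given.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed copy of the section 6 rules; the Web rule's source 196.1.2.* is written as 196.1.2.0/24.
FORWARD_RULES = """
ipfwadm -F -p deny
ipfwadm -F -f
ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25
ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535
/sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80
/sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 80 -D 0.0.0.0/0 1024:65535
/sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
"""

def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def parse_endpoint(tokens: List[str]) -> Tuple[int, int, List[Tuple[int, int]]]:
    """'addr[/bits] [port|low:high ...]' -> (network, mask, port ranges); no ports = any port."""
    addr, _, bits = tokens[0].partition("/")
    nbits = int(bits) if bits else 32
    mask = (0xFFFFFFFF << (32 - nbits)) & 0xFFFFFFFF if nbits else 0
    ranges = []
    for tok in tokens[1:]:
        lo, _, hi = tok.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ip_to_int(addr) & mask, mask, ranges

def endpoint_matches(ip: int, port: int, ep: Tuple[int, int, List[Tuple[int, int]]]) -> bool:
    net, mask, ranges = ep
    return (ip & mask) == net and (not ranges or any(lo <= port <= hi for lo, hi in ranges))

class ForwardChain:
    def __init__(self) -> None:
        self.policy = "deny"
        self.rules: List[Dict] = []

    def load(self, text: str) -> None:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            argv = shlex.split(line)[1:]        # drop "ipfwadm" / "/sbin/ipfwadm"
            if not argv or argv[0] != "-F":
                raise ValueError(f"only the -F chain is modelled: {raw!r}")
            opts, i = {}, 1
            while i < len(argv):                # group each option with its arguments
                j = i + 1
                while j < len(argv) and not argv[j].startswith("-"):
                    j += 1
                opts[argv[i]] = argv[i + 1:j]
                i = j
            if "-p" in opts:                    # the policy survives a later -f flush
                self.policy = opts["-p"][0]
            if "-f" in opts:
                self.rules.clear()
            if "-a" in opts:
                self.rules.append({
                    "action": opts["-a"][0],
                    "proto": opts.get("-P", ["all"])[0],
                    "bidir": "-b" in opts,      # -b: also match with S and D swapped
                    "src": parse_endpoint(opts.get("-S", ["0.0.0.0/0"])),
                    "dst": parse_endpoint(opts.get("-D", ["0.0.0.0/0"])),
                })

    def decide(self, proto: str, sip: str, sport: int, dip: str, dport: int) -> str:
        """Action of the first matching rule, else the chain policy."""
        s, d = ip_to_int(sip), ip_to_int(dip)
        for r in self.rules:
            if r["proto"] not in ("all", proto):
                continue
            fwd = endpoint_matches(s, sport, r["src"]) and endpoint_matches(d, dport, r["dst"])
            rev = r["bidir"] and endpoint_matches(d, dport, r["src"]) \
                and endpoint_matches(s, sport, r["dst"])
            if fwd or rev:
                return r["action"]
        return self.policy

def section6_chain() -> ForwardChain:
    chain = ForwardChain()
    chain.load(FORWARD_RULES)
    return chain
```

Running inbound SMTP to 196.1.2.10 through the model shows it is accepted via the -b of the outbound-mail rule, not via the 192.1.2.10 rule, while a telnet connection to an inside host falls through to the deny policy.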

   pGQDqL𪺫HөpAUCO|έpҦƾڥ]C

  # Flush the current accounting rules
  ipfwadm -A -f
  # Accounting
  /sbin/ipfwadm -A -f
  /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
  /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
  /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
  /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24

   pGuq]LoAo̴Nj\iFT
   
7. Installing the TIS Proxy server

7.1 Getting the software

   TIS FWTKniqUC}oJftp://ftp.tis.com/. dUOJqTISUn
   A\ŪREADMECTIS fwtksbA@åؿAݭnoql
   lfwtk-request@tis.com æbH夺JSEND~oêؿWr
   CSubject椺J󤺮eCb^Ъqll󤺷|isn󪺥ؿ
   WrAĮɶ12pɡAo֤UC bsgɡAFWTK̷s2.0
   ]beta^CFXӤpa褧~AoӪbsɨSDABɤ]`A
   BNHo@ҡCp̫wɡANbH᪺HOWTOWqC wFWTK
   ɡAb /usr/srcUإfwtk-2.0ؿCNFWTK]fwtk-2.0.tar.gz^bo
   ӥؿ]tar zxf fwtk-2.0.tar.gz^C FWTKõLNzSSL
   AJean-Christophe TouvetgF@Ǫ[ơAi
   qftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.ZoC Eric Wedelg
   F׭qA䤤]Aϥκ]Netscape^sDACoMniqUC
   }oJftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z
   HUHEric WedelҡC nwˡAunb/usr/src/fwtk-2.0ؿإ
   @ ssl-gwؿAɩb䤤YiC bw˳oӺɡAon@ǧʤ~
   isC ssl-gw.cɡA䤤|FnincludeɡC
  #if defined(__linux)
  #include        <sys/ioctl.h>
  #endif

   䦸A]SMakefileɡCqLؿ@ӡAMNWr
   ssl-gwC
   
7.2 Compiling the TIS FWTK

   2.0FWTKH@Ӫ_sCLbsHeٻݭnBETA
   @@ǧʡCƱoǧʷ|[̫wC קkpUJi
   J/usr/src/fwtk/fwtkؿAMakefile.config.linuxɡAHɴ
   NMakefile.configɡC nBFIXMAKECMbĳoӵ{ǡC
   B|}aC@ӥؿmakefileC קfixmakekObC@
   MakefilesedOinclude椤K[.M"CUҧAKiBLê
   C
  sed 's/^include[        ]*\([^  ].*\)/include \1/' $name.proto > $name

   MݭnsMakefile.configɡAo@ⶵקC Makefile.configɤ
   sourceؿאּis誺/usr/srcA]FWTKSRCDIR@ܡC
  FWTKSRCDIR=/usr/src/fwtk/fwtk

   LinuxtΨϥgdbmƾڮwCMakefile.configϥdbmCҦpARedHat
   3.0.3NϥdbmA]ݭn@XʡC
  DBMLIB=-lgdbm

   ̫ݭnx-gwCBETAsocket.cUCƦ楲ݧRC
  #ifdef SCM_RIGHTS  /* 4.3BSD Reno and later */
                       + sizeof(un_name->sun_len) + 1
  #endif

   pbFWTKؿK[ssl-gwAhbMakefileؿ椤]n[Wssl-gwC
  DIRS=   smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw

   WzקABmakeC
   
7.3 Installing the TIS FWTK

   Bmake installC q{w˥ؿO/usr/local/etcCiH[wia
   ؿiwˡA]iHA]iNSvאּchmod 700C {b}l]w
   C
   
7.4 Configuring the TIS FWTK

   nTUNFT]wtέnեγoǷs\Aëإߺި޲zo
   ǥ\C HUäOFngTIS FWTKϥΤUAتuOF
   ܥi檺]wBiJ쪺DMѨMkC TӤɲզocontrolsC
   
     * /etc/services
          + tells the system which ports to listen on
       
     * /etc/inetd.conf
          + tells inetd which program to start when there is activity on a port
       
     * /usr/local/etc/netperm-table
          + tells FWTK which users and hosts to allow or deny
       
   nFWTKo@ΡAsoɮסCsoǥ\ɦӤT]w
   inetd.confnetperm-tableAiϨtΧLk@ΡC
   
  The netperm-table
  
   oɱHiHϥTIS FWTK\CӷQ쨾䪺ݨDC
   ~ΤbiJeAΤhiqL
   C bɡAϥΤ@Ӻ٬authsrv{A䤤sΤ᪺IDMK
   XCnetperm-tableauthenticationo@ƾڮwsBM֥i
   C nHγo@\äeAbpremit-hostso@椤ϥΡ*AHP
   CHγo@\Co@檺T]wӬOauthsrv: premit-hosts
   localhostAG_@ΡC
  #
  # Proxy configuration table
  #
  # Authentication server and client rules
  authsrv:      database /usr/local/etc/fw-authdb
  authsrv:      permit-hosts *
  authsrv:      badsleep 1200
  authsrv:      nobogus true
  # Client Applications using the Authentication server
  *:            authserver 127.0.0.1 114

   nҰʼƾڮwAHrootb/var/local/etcB./authsrvA]ߺ޲z̪ϥΰO
   Cھާ@pUJ \ŪFWTKɤFѦpK[ΤMΤաC
    #
    # authsrv
    authsrv# list
    authsrv# adduser admin "Auth DB admin"
    ok - user added initially disabled
    authsrv# ena admin
    enabled
    authsrv# proto admin pass
    changed
    authsrv# pass admin "plugh"
    Password changed.
    authsrv# superwiz admin
    set wizard
    authsrv# list
    Report for users in database
    user   group  longname           ok?    proto   last
    ------ ------ ------------------ -----  ------  -----
    admin         Auth DB admin      ena    passw   never
    authsrv# display admin
    Report for user admin (Auth DB admin)
    Authentication protocol: password
    Flags: WIZARD
    authsrv# ^D
    EOT
    #

   Telnet]tn-gw^FA]wC ҦpA\bO@
   ΤᤣqL(permit-hosts 196.1.2.* -passok)CLΤᥲ
   ݴѥΤIDMKX~iϥΥNzA(permit-hosts * -auth)C ~A@
   Өt(196.1.2.202)]iϥΨCoun]winetacl-in.telnetd
   eYiC TelnettimeoutɶӵuȡC
  # telnet gateway rules:
  tn-gw:                denial-msg      /usr/local/etc/tn-deny.txt
  tn-gw:                welcome-msg     /usr/local/etc/tn-welcome.txt
  tn-gw:                help-msg        /usr/local/etc/tn-help.txt
  tn-gw:                timeout 90
  tn-gw:                permit-hosts 196.1.2.* -passok -xok
  tn-gw:                permit-hosts * -auth
  # Only the Administrator can telnet directly to the Firewall via Port 24
  netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd

   r-commandpPtelnetP@覡]wC
  # rlogin gateway rules:
  rlogin-gw:    denial-msg      /usr/local/etc/rlogin-deny.txt
  rlogin-gw:    welcome-msg     /usr/local/etc/rlogin-welcome.txt
  rlogin-gw:    help-msg        /usr/local/etc/rlogin-help.txt
  rlogin-gw:    timeout 90
  rlogin-gw:    permit-hosts 196.1.2.* -passok -xok
  rlogin-gw:    permit-hosts * -auth -xok
  # Only the Administrator can telnet directly to the Firewall via Port
  netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a

   HoiJA䤤]AFTPA]AnFTPAb
   WC A̡Apermit-hosts椹\O@HۥѶiJںAL
   HhݪCUWeM쪺CɪO]-log { retr stor
   }^C FTPtimeout}bh֮ɶᰱձAHΦbh֮ɶSʧ@
   AձC
  # ftp gateway rules:
  ftp-gw:               denial-msg      /usr/local/etc/ftp-deny.txt
  ftp-gw:               welcome-msg     /usr/local/etc/ftp-welcome.txt
  ftp-gw:               help-msg        /usr/local/etc/ftp-help.txt
  ftp-gw:               timeout 300
  ftp-gw:               permit-hosts 196.1.2.* -log { retr stor }
  ftp-gw:               permit-hosts * -authall -log { retr stor }

   qLWWWBgopherMsi檺ftphttp-gwC̤Wإߤ@ӥؿ
   AΤ_xsgѨftpMWWWCbҤAoǤrootҦA]
   burootiJؿC WWWsӵuȡCϥΪ̦bs
   qɪݮɶC
  # www and gopher gateway rules:
  http-gw:      userid          root
  http-gw:      directory       /jail
  http-gw:      timeout 90
  http-gw:      default-httpd   www.afs.net
  http-gw:      hosts           196.1.2.* -log { read write ftp }
  http-gw:      deny-hosts      *

   ssl-gwڤWO@ӥHiqLC߳]wCbҤAO
   @ΤA127.0.0.* M192.1.1.* ~Ais~A
   Aåuϥ443563 𸹡C443563𸹤@٬SSL𸹡C
  # ssl gateway rules:
  ssl-gw:   timeout 300
  ssl-gw:   hosts           196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
  ssl-gw:   deny-hosts      *

   UҤlpQplug-gwssDACbҤAO@
   u\s@ӨtΡAYs쥦sDC ĤGϷsDAN
   eO@C sDAtimeoutɶ]wӤA]hƥΤj
   p\ŪsDC

  # NetNews Plugged gateway
  plug-gw:        timeout 3600
  plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
  plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp

   Finger]wܬ²CO@ΤunnANiϥΨ
   Wfinger{CLHNu@qmessageC
  # Enable finger service
  netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
  netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

   boHOWTOAS]wMailMX-windows\CpHo譱ҡA
   oemailڡC
   
  The inetd.conf
  
   UW/etc/inetd.confɡCҦݭn\ೣ#Ÿ`PCbo
   ɤܨFإ\AHܦp]ws\C

  #echo stream  tcp  nowait  root               internal
  #echo dgram   udp  wait    root       internal
  #discard              stream  tcp  nowait  root       internal
  #discard              dgram   udp  wait    root       internal
  #daytime              stream  tcp  nowait  root       internal
  #daytime              dgram   udp  wait    root       internal
  #chargen              stream  tcp  nowait  root       internal
  #chargen              dgram   udp  wait    root       internal
  # FTP firewall gateway
  ftp-gw      stream  tcp  nowait.400  root  /usr/local/etc/ftp-gw  ftp-gw
  # Telnet firewall gateway
  telnet        stream  tcp  nowait      root  /usr/local/etc/tn-gw /usr/local/etc/tn-gw
  # local telnet services
  telnet-a    stream  tcp  nowait      root  /usr/local/etc/netacl in.telnetd
  # Gopher firewall gateway
  gopher        stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
  # WWW firewall gateway
  http  stream  tcp  nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
  # SSL firewall gateway
  ssl-gw  stream  tcp     nowait  root /usr/local/etc/ssl-gw   ssl-gw
  # NetNews firewall proxy (using plug-gw)
  nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
  #nntp stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
  # SMTP (email) firewall gateway
  #smtp stream  tcp     nowait  root    /usr/local/etc/smap smap
  #
  # Shell, login, exec and talk are BSD protocols
  #
  #shell        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
  #login        stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
  #exec stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
  #talk dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
  #ntalk        dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
  #dtalk        stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
  #
  # Pop and imap mail services et al
  #
  #pop-2   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop2d
  #pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd    ipop3d
  #imap    stream  tcp  nowait  root  /usr/sbin/tcpd    imapd
  #
  # The Internet UUCP service
  #
  #uucp    stream  tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
  #
  # Tftp service is provided primarily for booting.  Most sites
  # run this only on machines acting as "boot servers." Do not uncomment
  # this unless you *need* it.
  #
  #tftp dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
  #bootps       dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
  #
  # Finger, systat and netstat give out user information which may be
  # valuable to potential "system crackers."  Many sites choose to disable
  # some or all of these services to improve security.
  #
  # cfinger is for GNU finger, which is currently not in use in RHS Linux
  #
  finger        stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
  #cfinger      stream  tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
  #systat       stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
  #netstat      stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
  #
  # Time service is used for clock synchronization.
  #
  #time stream  tcp  nowait  root  /usr/sbin/tcpd  in.timed
  #time dgram   udp  wait    root  /usr/sbin/tcpd  in.timed
  #
  # Authentication
  #
  auth          stream  tcp  wait    root  /usr/sbin/tcpd  in.identd -w -t120
  authsrv       stream  tcp  nowait  root  /usr/local/etc/authsrv authsrv
  #
  # End of inetd.conf

  /etc/services
  
   Τs쨾ɡA|@Ӥw]p_1024^CҦpAtelnet
   23Cinetd deamonsʧ@Ad/etc/servicesWoǥ\઺WrCM
   A|Ұ/etc/inetd.confɤoӦWrҫw{C ɨϥΪ\
   b/etc/servicesɤCoǥ\iwQwCҦpA޲z
   telnet]telnet-a^i]w24A]i]w2323AxťLKCpG
   z]AH^ns쨾Ahtelnet24ӫD23CpӤU
   ҳ]wnetperm-tableAhuqO@@Өtγ]wC
   

  telnet-a         24/tcp
  ftp-gw          21/tcp           # this name changed
  auth            113/tcp   ident    # User Verification
  ssl-gw           443/tcp

8. The SOCKS Proxy Server

8.1 Setting up the Proxy Server

   SOCKSNzAiq
   ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-
   src.tgzoCɤ]@Ӻ٬"socks-conf"]mɥi@ѦҡCiɸ
   AMھڨ䤤ϥθɡCϥήɨä²ATwMakefile
   TL~C b /etc/inetd.confӼWKNzAC]AӼW[HU@
   C
  socks  stream  tcp  nowait  nobody  /usr/local/etc/sockd  sockd

   o˦A~|bݭnɹBC
   
8.2 Configuring the Proxy Server

   SOCKSݭnӳ]mɶi]wC@ӳ]mɳ]wiJΪvAt@ӳ]m
   ]w|AHKANzACvbAWA|bC@
   xUNIXWCDOSMMacintosh|Twۦ檺|C
   
  The Access File
  
   bsocks4.2]beta^Avɺ٬"sockd.conf"AӥuA@椹\
   ]permit^A@ڵ]deny^CC泣T]wG
     * the identification field (permit/deny)
     * an IP address
     * an address modifier
       
   ѧOХܥΤ_permitdenyCӦWpermitMWdenyC IPa}
   μзǪ4byte覡ܡApI.E. 192.168.2.0.C קa}]OзǪ4줸
   IPa}AΨӧ@netmaskCNoӦa}Q32줸ƦrCpGO1Ahֹ諸
   a}mŦXIPa}줸CҦpA檺a}J
    permit 192.168.2.23  255.255.255.255

   hu\C@줸۲Ūa}AY192.168.2.23CpGa}J
    permit 192.168.2.0  255.255.255.0

   h|\192.168.2.0192.168.2.255C@Ӧa}AYCŪa}C
   oUCoئa}X{J
    permit 192.168.2.0  0.0.0.0

   o|\C@a}ϥΡAרa}C ]A\C@Ӥ\a}A
   MڵEa}Cp\192.168.2.xxxS򤤪C@ΤAiΤUC覡
   J
    permit 192.168.2.0  255.255.255.0
    deny 0.0.0.0  0.0.0.0

   `Ndeny椤Ĥ@"0.0.0.0"CѤ_a}H0.0.0.0קA]IP󳣨S
   vTC0@IPa}A]K_rC SOΤiHΩڵϥΪv
   CoiqLidendӹ{CѤ_OҦtγidenA䤤]
   ATrumpet WinsockAҥHBwƦh[CHPsocksѪHϥ
   C
   
  The Routing File
  
   SOCKS|ɺ٬"socks.conf"APvɲVcC |SOCKSΤ᪾
   DɥsocksAɤΡCҦpAbܽd192.168.2.3äݭn
   socksP192.168.2.1ܡCqLEthernetA̤sC
   S127.0.0.1۰ʳ]loopbackC]]ݭnsocksPۤvܡCT
   JJ
   
     * deny
     * direct
     * sockd
       
   DenyiDsocksɩڵ@ШDCbKJePsockd.confeۦPA
   a}ХܦBIPa}Mקa}C@ӨAvsockd.conf]PA
   קa}h0.0.0.0CpGsaAbi@XקC
   
   bdirectUCJϥsocka}CҦoǦa}ipWALg
   LNzACbo̤STӦmnJidentifierBaddressMmodifierC
   pJ
    direct 192.168.2.0 255.255.255.0

   SockdiDq@ӥΤ᪺qWsocks server daemonCӦ椺epUJ
   
  sockd @=<serverlist> <IP address> <modifier>

   `N@= JeCQγoؤkiHJ@tCNzAIPa}Cbo
   uΤ@ӥNzAa}ҡCiHCWhӦAa}AHK[jeq
   A÷AFɡALAC
   
   ]wIPa}Mmodifier쪺kMLҤlۦPC
   
  DNS from behind a Firewall
  
   Setting up Domain Name Service from behind a firewall is a relatively
   simple task. You need only set up DNS on the firewall machine, then
   configure each machine behind the firewall to use that DNS.
8.3 Working With a Proxy Server

  Unix
  
   nε{ǧQΥNzAAoε{ǻݭn"sockified"Cbo̻ݭn
   telnetA@Ӷi檽qTA@ӳqLNzAiqTCSOCKSn󤤦
   sock@ӵ{kA]XӤwgsockn{CpGnϥsockn
   {ASOCKSn|]wC]AӱNO@Ҧ{WAM
   AΤwgsockn{CҦpA"Finger"ܬ"finger.orig"A"telnet"
   "telnet.orig"C qLinclude/socks.hɧiDSOCKSoس]wC ǵ{
   ۦBzroutingMsockifyingDCNetscapeNϨ䤤@CҦp
   bNetscapeUnΥΥNzAAunbProxiesUSOCK椺JAa}Y
   i]b192.168.2.1^CMACε{o@ǤpܰʡAרBzN
   zAkC
   
  MS Windows with Trumpet Winsock
  
   Trumpet Winsock۱aNzA\Cb"setup"椤JAIP
   a}MҦipqa}CMATrumpetN|BzҦ~eƾڥ]C
   
  Getting the Proxy Server to work with UDP Packets
  
   SOCKSnuBzTCPƾڥ]AӤBz UDPCohִ֤FγBA]A\
   hΪ{AҦptalkMArchieAQUDPC@MnA٬UDPrelayA
   Tom Fitzgerald]p<fitz@wang.com>ADn@UDPƾڥ]NzAϥ
   CLbsgɡAoMn󤣯Τ_Linux.
   
8.4 Drawbacks with Proxy Servers

   kڵANzAO@Ӧw˸mCbIPa}pUAΥϳ\h
   ΤiJں\hICNzAiϫO@Τp~
   AϺ~Τ᧹LkPΤptCoܵLkP
   qitalkarchiepA]LkoeqllCoǯIݨӨäYA
   OpGJ
     * A@SidbO@𤺪qWC^aAASQ
       ݬݳoiCOSkC]qbALkpCpG
       login AѤ_C@ӤHiiJNzAA]AboӦA
       WèSӧObC
     * AkhFjǡCAQgʹqll󵹦oCAQͨǨpơA]̦nq
       ll󪽱ۤvqWCAMHoLAtκ޲zAo˩P
       ȵLAOӤHHC
     * ϥUDPONzA@ӤjʳCڷQ[N|UDP\C
       
   FTPONzAt@ӰDCboΨϥlsɡAFTPAbȤW}
   @socketAóqLǰeHCNzA\iou@A]FTPLk
   ϥΡC ~ANzABwCCѤ_ݭnB~귽hAXGLF
   o@ΪAn񥦧֡C @ӨApGIPa}pAӤSSO
   U{wDANnϥΨM]Ρ^NzACpGSIPa}p
   A]U{wDANϥIPAHTermASlirpTIACTermi
   qftp://sunsite.unc.eduoASlirpi
   qftp://blitzen.canberra.edu.au/pub/slirpoATIAiqmarketplace.com
   oCϥΥNzAzQO\hΤݭnpAun@]w
   NAӦhLu@C
   
9. Advanced Configurations

   bɡAA|@ӨҤlAӻ]mkCeҤlAXhƨ
   αpCUAH@Ӱų]mҡAHK໡@ǰDCpGeҤl
   ѵADAΪٷQFѥNzAM𪺨LSʡAЪ`NU
   ҤlC
   
9.1 A large network with emphasis on security

   ]@ӥέn]mA䤤@50xqM@32IPa}ź
   CѤ_HqŧOPAέQbW]mPŧOϥvC]A
   @Pt@qC UدŧOJ
   
    1. ~CoOHHiFhCoOl޷shC
    2. Ho@hHwgWL~CoӼhHiHD@ǭpѩM
       syZkC
    3. ~yxγoOupBC
       
  The Network Setup
  
   IPX]wkpUJ
   
     * @Ӧa}192.168.2.255AoObroadcasta}AiϥΡC
     * 32 IPa}23Ӧa}t23xAoǾiPںpC
     * @IPa}Τ_WlinuxC
     * @IPa}Τ_Wt@linuxC
     * IP #'sΤ_router
     * ѤU|Ӧa}HKw|ӦWrAϤHNwuΤC
     * O@a}192.168.2.xxx
       
   o˴NإߤFӤPCoӺqL~uEthernetpA~ɧ
   ݤ쥦̪sbC~uEthernet@ΩM@Ethernet@άۦPC o
   U۳s즳IPa}BlinuxqC Pɦ@ӤɦAso
   O@A]A@ɪpݭn@ǰVm}CɦA
   IPa}192.168.2.17M~yxκIPa}192.168.2.23CPIP
   a}]O]PEthernetdtGCWIP Forwarding\
   ΡC xLinuxWIP Forwarding\]ΡCDTWwA_
   hrouter|ee192.168.2.xxxƾڥ]A]LѶiJCIP
   Forwarding\઺]OoXƾڥ]F~yxκA~yx
   κƾڥ]]FC iH]wNFSA]mAϨ⤣P
   ɰePCoؤkᬰnΡAbsymblic linksWf}iϤ
   ja@ɡCQγoس]mM[@iethernetdiϤ@xɦAΤ_ҦT
   C
   
  The Proxy Setup
  
   Ѥ_THݭnFѺWpA]L̳ݭnWC~s
   ںA]bNzAWݭn@XʡC~yxκM
   b𤧫A]ݭnbNzAW@X@ǳ]mC Ӻ]mD`
   C̤¨ϥΤt̪IPa}CLbo̱o]w@ǰѼơC
    1. HoϥΤɦAWA_hɦAi|DfrΨL
       aFoJICoذDܬYA]oϥΤɦAC
    2. HWCL̥bVmApGL֦̾o˯T
       OiL̦`C
       
   ]AblinuxWsockd.confɤUC@J
    deny 192.168.2.17  255.255.255.255

   åBb~yxξ]wOJ
    deny 192.168.2.23  255.255.255.255

   PɡAlinux]wJ
    deny 0.0.0.0  0.0.0.0 eq 80

   o檺NqOϥΰ80AJhttpCLoǾMiΩҦ
   L\AuOWC Mbxsockd.confɤK[J
    permit 192.168.2.0  255.255.255.0

   ϩҦb192.168.2.xxxWqϥγoxNzAAϥΪq
   ~]JqiJɦAMں^C
   
   sockd.confɪepUJ
    deny 192.168.2.17  255.255.255.255
    deny 0.0.0.0  0.0.0.0 eq 80
    permit 192.168.2.0  255.255.255.0

   ~yxκsockd.confɪepUJ
    deny 192.168.2.23  255.255.255.255
    permit 192.168.2.0  255.255.255.0
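As an added example (not from the HOWTO), the following Python code evaluates sockd.conf access lines such as those in section 8.2 and in the two files just above, with the semantics the text describes: a 1 bit in the modifier means that bit of the client address must match, the first matching line decides, and an `eq <port>` clause (as in the `eq 80` line) restricts the match to a destination port. Denying a request that no line matches, and the `neq` operator, are this example's assumptions; the embedded file is a constructed copy of the Linux box's sockd.conf given above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the sockd.conf given above for the main Linux box in 9.1.
LINUX_SOCKD_CONF = """
deny 192.168.2.17  255.255.255.255
deny 0.0.0.0  0.0.0.0 eq 80
permit 192.168.2.0  255.255.255.0
"""

def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

@dataclass
class AccessRule:
    action: str               # "permit" or "deny"
    addr: int
    mask: int                 # a 1 bit means that bit of the client address must match
    port_op: Optional[str]    # "eq" or "neq" on the destination port, or None
    port: Optional[int]

    def matches(self, client: int, dst_port: int) -> bool:
        if (client & self.mask) != (self.addr & self.mask):
            return False
        if self.port_op is None:
            return True
        if self.port_op == "eq":
            return dst_port == self.port
        if self.port_op == "neq":                 # assumption: neq works like eq, negated
            return dst_port != self.port
        raise ValueError(f"unsupported port operator {self.port_op!r}")

def parse_sockd_conf(text: str) -> List[AccessRule]:
    """Parse 'permit|deny addr mask [eq|neq port]' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] not in ("permit", "deny") or len(fields) not in (3, 5):
            raise ValueError(f"sockd.conf line {lineno}: cannot parse {raw!r}")
        op, port = (fields[3], int(fields[4])) if len(fields) == 5 else (None, None)
        rules.append(AccessRule(fields[0], ip_to_int(fields[1]), ip_to_int(fields[2]), op, port))
    return rules

def decide(rules: List[AccessRule], client_ip: str, dst_port: int) -> str:
    """The first matching line decides; a request no line matches is denied (assumption)."""
    client = ip_to_int(client_ip)
    for rule in rules:
        if rule.matches(client, dst_port):
            return rule.action
    return "deny"
```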

   o˪tmӨSDCC@ӺW@~AæAۤtCH
   HӤߺN~C {bNiA@ɤFT
