|
|
[ Pobierz całość w formacie PDF ]
have different Ethernet cards. IP Forwarding on it is turned off.
IP Forwarding on both Linux boxes is also turned off. The router will not forward packets destined for
192.168.1.xxx unless explicitly told to do so, so the internet will not be able to get in. The reason for turning
off IP Forwarding here is so that packets from the Troop's network will not be able to reach the Mercenary
network, and vica versa.
The NFS server can also be set to offer different files to the different networks. This can come in handy, and
a little trickery with symbolic links can make it so that the common files can be shared with all. Using this
setup and another ethernet card can offer this one file server for all three networks.
The Proxy Setup
Now, since all three levels want to be able to monitor the network for their own devious purposes, all three
need to have net access. The external network is connected directly into the internet, so we don't have to mess
with proxy servers here. The Mercenary and Troop networks are behind firewalls, so it is necessary to set up
proxy servers here.
Both networks will be setup very similarly. They both have the same IP addresses assigned to them. I will
throw in a couple of parameters, just to make things more interesting though.
1. No one can use the file server for internet access. This exposes the file server to viruses and other
nasty things, and it is rather important, so its off limits.
The Network Setup 31
� Firewall and Proxy Server HOWTO
2. We will not allow troop access to the World Wide Web. They are in training, and this kind of
information retrieval power might prove to be damaging.
So, the sockd.conf file on the Troop's Linux box will have this line:
deny 192.168.1.17 255.255.255.255
and on the Mercenary machine:
deny 192.168.1.23 255.255.255.255
And, the Troop's Linux box will have this line
deny 0.0.0.0 0.0.0.0 eq 80
This says to deny access to all machines trying to access the port equal (eq) to 80, the http port. This will still
allow all other services, just deny Web access.
Then, both files will have:
permit 192.168.1.0 255.255.255.0
to allow all the computers on the 192.168.1.xxx network to use this proxy server except for those that have
already been denied (ie. The file server and Web access from the Troop network).
The Troop's sockd.conf file will look like:
deny 192.168.1.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.1.0 255.255.255.0
and the Mercenary file will look like:
deny 192.168.1.23 255.255.255.255
permit 192.168.1.0 255.255.255.0
This should configure everything correctly. Each network is isolated accordingly, with the proper amount of
interaction. Everyone should be happy.
The Network Setup 32
� Firewall and Proxy Server HOWTO
13.Making Management Easy
13.1 Firewall tools
There are several software packages that will make managing your firewall easier.
Be carefull, don't use these tools unless you can do without them. These scripts make it just as easy to make a
misstake as they do to help you get it wright.
Both graphical and web based interfaces are being developed to work with the Linux filtering rules. Some
companies have even create commercial firewalls based on Linux by putting it in their own box with their
own management code. (nice)
I'm not realy a GUI guy. However, I have been using firewalls with GUI interfaces for some time. I've found
they help by providing a nice report of all the rules in one easy glance.
gfcc (GTK+ Firewall Control Center) is a GTK+ application which can control Linux firewall policies and
rules, based on ipchains package. Go to http://icarus.autostock.co.kr and get your copy. This is a realy good
tool.
I have included RC scripts in appendex A. These scripts work with and without gfcc.
There a lots of scripts avaible to setup a firewall. One very complete script is avaible at
http://www.jasmine.org.uk/~simon/bookshelf/papers/instant-firewall/instant-firewall.html. Another will
done script is at http://www.pointman.org/.
Kfirewall is a GUI frontend for ipchains or ipfwadm (depending on your kernel version).
http://megaman.ypsilonia.net/kfirewall/
FCT is an HTML based tool for the configuration of a firewall. It features automatic script-generation for
IP-filtering commands (ipfwadm) on a firewall for multiple interfaces and any internet services.
http://www.fen.baynet.de/~ft114/FCT/firewall.htm
13.2 General tools
WebMin is a general system admin package. It will not help you manage the firewall rules but it will help
you with turning on and off damons and processes. This program is VERY good, I'm hoping the J. Cameron
will include a IPCHAINS module. http://www.webmin.com/
If you are an ISP, you will want to know about IPFA (IP Firewall Acounting)
http://www.soaring-bird.com/ipfa/. It can do Per-Month/Per-day/per-min/ logs and has a Web based GUI
administation.
httptunnel. httptunnel creates a bidirectional virtual data path tunnelled in HTTP requests. The HTTP requests
13.Making Management Easy 33
� Firewall and Proxy Server HOWTO
can be sent via an HTTP proxy if so desired. Or, on their system they install a Virtual Private Network (vpn).
See: http://sunsite.auc.dk/vpnd/ Or, Maybe this user simply puts a modem on their NT system and turns on
routing. Finally, on the workstation, on the private LAN, change the default gateway to point to the new route
to the Internet. Now, from this workstation, you can go anywhere. The only thing the firewall admin might
see is one connect with nowill see is a really long DNS lookup. Now, take over the world!
15.APPENDEX A - Example Scripts
15.1 RC Script useing GFCC
#!/bin/bash
#
# Firewall Script - Version 0.9.1
#
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
# Set for testing
# set -x
#
# NOTES:
#
# This script is written for RedHat 6.1 or better.
#
# Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
# 1. place this file in /etc/rc.d/init.d (you'll have to be root..)
# call it something like "firewall" :-)
# make it root owned --> "chown root.root (filename)"
# make it executable --> "chmod 755 (filename)"
#
# 2. use GFCC to create your firewall rules and export them to a file
# named /etc/gfcc/rules/firewall.rule.sh.
#
[ Pobierz całość w formacie PDF ]
zanotowane.pldoc.pisz.plpdf.pisz.plblacksoulman.xlx.pl |
|
|
|
|
