FWTKSRCDIR=/usr/src/fwtk/fwtk

Second, some Linux systems use the gdbm database, while the default in Makefile.config is dbm, so you may need to change it. My Linux version is Red Hat 3.0.3.

DBMLIB=-lgdbm

The last change is in x-gw: socket.c in this BETA version has a bug, and the fix is to remove the following piece of code:

#ifdef SCM_RIGHTS /* 4.3BSD Reno and later */
+ sizeof(un_name->sun_len) + 1
#endif

If you added ssl-gw to the FWTK source directory, you also need to add its directory to the Makefile:

DIRS=smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw

Now you can run make.

7.3 Installing TIS FWTK

Run make install

The default installation directory is /usr/local/etc. You could move it to a more secure directory; I did not, and instead set the permissions of this directory with 'chmod 700'.

All that remains is the configuration.

7.4 Configuring TIS FWTK

This is the really interesting part. We have to make the system able to invoke these newly added services, and set up the corresponding control information.

I do not want to repeat the contents of the TIS FWTK manual; I will only describe some of the problems I ran into and how I solved them.

Three files make up all of the control:

* /etc/services tells the system which port a service lives on
* /etc/inetd.conf decides which program inetd invokes when it receives a request on a service port
* /usr/local/etc/netperm-table decides whether FWTK permits or denies a service request

For FWTK to take effect, you had best edit all of these files from the beginning. Leaving out any one of them can make the system unusable.

netperm-table

This file controls who is authorised to access the TIS FWTK services. You have to consider both sides of the firewall at the same time: external users must be authenticated before they get access, while internal users can be allowed straight through.

The TIS firewall can perform authentication; the system manages a database of user IDs and passwords through a program called authsrv. The authentication section of netperm-table specifies the location of that database and who may access it.

I ran into some trouble when trying to close off access to this service. Note that the permit-hosts line I show uses '*', which gives all users access; the correct setting should be

authsrv: permit-hosts localhost
#
# Proxy configuration table
#
# Authentication server and client rules
authsrv: database /usr/local/etc/fw-authdb
authsrv: permit-hosts *
authsrv: badsleep 1200
authsrv: nobogus true
# Client Applications using the Authentication server
*: authserver 127.0.0.1 114

To initialise the database, first su to root, then run ./authsrv in /var/local/etc to create the user records, as shown below.

Information on creating users and groups can be found in the FWTK documentation.
#
# authsrv
authsrv# list
authsrv# adduser admin "Auth DB admin"
ok - user added initially disabled
authsrv# ena admin
enabled
authsrv# proto admin pass
changed
authsrv# pass admin "plugh"
Password changed.
authsrv# superwiz admin
set wizard
authsrv# list
Report for users in database
user   group  longname           ok?   proto  last
------ ------ ------------------ ----- ------ -----
admin         Auth DB admin      ena   passw  never
authsrv# display admin
Report for user admin (Auth DB admin)
Authentication protocol: password
Flags: WIZARD
authsrv# ^D
EOT
#

The telnet gateway is the most straightforward one, and the first you will need to set up.

In my example, all internal users need no authentication (permit-hosts 196.1.2.* -passok -xok), while all other users must be verified by user ID and password (permit-hosts * -auth). I also specifically allow the user at 196.1.2.202 to reach the proxy server directly without going through the firewall; the two lines concerning netacl-in.telnetd express this, and I will explain the invocation process shortly.

The telnet timeout should be kept as short as possible.
# telnet gateway rules:
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: timeout 90
tn-gw: permit-hosts 196.1.2.* -passok -xok
tn-gw: permit-hosts * -auth
# Only the Administrator can telnet directly to the Firewall via Port 24
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd

The rlogin commands are much the same as for telnet.
# rlogin gateway rules:
rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
rlogin-gw: timeout 90
rlogin-gw: permit-hosts 196.1.2.* -passok -xok
rlogin-gw: permit-hosts * -auth -xok
# Only the Administrator can telnet directly to the Firewall via Port
netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a

Do not allow anyone to access your firewall directly, not even by FTP. So avoid installing an FTP server on the firewall machine.

It is worth repeating that here all internal users are allowed free access to the Internet, while other users must be authenticated. I have also enabled logging of file transfers:

(-log { retr stor })

The ftp timeout specifies the longest time the firewall waits on a dead FTP connection.

# ftp gateway rules:
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 300
ftp-gw: permit-hosts 196.1.2.* -log { retr stor }
ftp-gw: permit-hosts * -authall -log { retr stor }

The Web, gopher, and browser-based FTP are handled by http-gw. The first two lines set up a directory for caching web pages and ftp files that pass through the firewall; I set the owner of these files to root and keep them in a directory that only root can access.

The Web connection timeout should be kept fairly small; it controls how long users wait on a dead connection.

# www and gopher gateway rules:
http-gw: userid root
http-gw: directory /jail
http-gw: timeout 90
http-gw: default-httpd www.afs.net
http-gw: hosts 196.1.2.* -log { read write ftp }
http-gw: deny-hosts *

ssl-gw is purely a pass-through, so set it up carefully. Here I allow internal users to access all external addresses except 127.0.0.* and 192.1.1.*, and only on ports 443 through 563, which are the commonly used SSL ports.

# ssl gateway rules:
ssl-gw: timeout 300
ssl-gw: hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
ssl-gw: deny-hosts *
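The permit-hosts, -auth and -dest rules of the telnet, ftp and ssl gateways above, and the authsrv permit-hosts caveat earlier in this section, all rest on the same first-match pattern logic. The following Python script is an added example, not part of the HOWTO or of FWTK itself: it models that logic in simplified form (IP-address wildcards only, no hostnames or user groups; FWTK's real matching has more options and may differ in details), so that you can check which clients a rule set admits, which of them must authenticate, and which destinations an ssl-gw client may reach, before the table goes onto the firewall. The rule text embedded in it is a constructed excerpt of the rules on this page, and audit_open_rules flags exactly the case the text warns about: a permit for '*' with no authentication.

```python
"""Simplified evaluator for netperm-table rules (added example, not FWTK code).

Assumed semantics, taken from the text: rules are scanned in order and the
first permit-hosts / hosts / deny-hosts line whose pattern matches the client
wins; -auth or -authall means the client must authenticate; a -dest list is
scanned in order, '!pattern' denies and 'pattern[:low:high]' permits.
"""
from fnmatch import fnmatchcase

# Constructed excerpt of the rules shown in this section.
NETPERM_TABLE = """\
authsrv: permit-hosts *
tn-gw: timeout 90
tn-gw: permit-hosts 196.1.2.* -passok -xok
tn-gw: permit-hosts * -auth
ftp-gw: permit-hosts 196.1.2.* -log { retr stor }
ftp-gw: permit-hosts * -authall -log { retr stor }
ssl-gw: hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
ssl-gw: deny-hosts *
"""

ACCESS_VERBS = ("permit-hosts", "hosts", "deny-hosts")  # 'hosts' treated as permit


def parse_netperm(text):
    """Return {service: [(verb, pattern, options), ...]} in file order."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, body = line.split(":", 1)
        verb, *rest = body.split()
        if verb not in ACCESS_VERBS:
            continue  # timeout, denial-msg and friends do not grant access
        rules.setdefault(service.strip(), []).append((verb, rest[0], rest[1:]))
    return rules


def brace_list(options, flag):
    """Return the '{ a b c }' list following flag (e.g. '-dest'), or []."""
    if flag not in options:
        return []
    i = options.index(flag) + 1
    if i >= len(options):
        return []
    if options[i] != "{":
        return [options[i]]
    return options[i + 1:options.index("}", i)]


def check_client(rules, service, client_ip):
    """First matching rule decides. Returns (allowed, needs_auth)."""
    for verb, pattern, options in rules.get(service, []):
        if fnmatchcase(client_ip, pattern):
            if verb == "deny-hosts":
                return (False, False)
            return (True, "-auth" in options or "-authall" in options)
    return (False, False)  # nothing matched: deny by default


def check_destination(rules, service, client_ip, dest_host, dest_port):
    """Apply the -dest list of the rule that admitted client_ip."""
    for verb, pattern, options in rules.get(service, []):
        if not fnmatchcase(client_ip, pattern):
            continue
        if verb == "deny-hosts":
            return False
        dest_list = brace_list(options, "-dest")
        if not dest_list:
            return True  # rule carries no destination restriction
        for entry in dest_list:
            negate = entry.startswith("!")
            host_pat, _, port_range = entry.lstrip("!").partition(":")
            if not fnmatchcase(dest_host, host_pat):
                continue
            if port_range:
                lo, _, hi = port_range.partition(":")
                if not int(lo) <= dest_port <= int(hi or lo):
                    continue
            return not negate
        return False  # destination matched no entry in the list
    return False


def audit_open_rules(rules):
    """Services permitting '*' with no authentication (the authsrv mistake)."""
    return sorted({
        service for service, entries in rules.items()
        for verb, pattern, options in entries
        if verb != "deny-hosts" and pattern == "*"
        and "-auth" not in options and "-authall" not in options
    })


if __name__ == "__main__":
    table = parse_netperm(NETPERM_TABLE)
    print("outside client on tn-gw:", check_client(table, "tn-gw", "10.0.0.1"))
    print("ssl to port 80:", check_destination(table, "ssl-gw", "196.1.2.9", "203.0.113.5", 80))
    print("open rules:", audit_open_rules(table))
```

The script reports authsrv as the one open rule, which is the line the text says should read permit-hosts localhost; tn-gw and ftp-gw both permit '*' but only with -auth / -authall, so they are not flagged.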

The following example shows how to use plug-gw to proxy a news server, allowing internal users to reach only one external server, and only on one port.

The second line allows the news server to send data into the internal network.

Almost all news clients keep their connection open while the user reads news, so a longer timeout is specified for the news server here.

# NetNews Plugged gateway
plug-gw: timeout 3600
plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp

finger-gw is fairly simple: internal users can only log in to the firewall first and then run finger, while any other visitor gets a message (finger.txt).
# Enable finger service
netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

I have not proxied the Mail or X-windows services, so I cannot provide corresponding examples; additions by e-mail are welcome.

About inetd.conf

Below is an example inetd.conf file in which all unnecessary services have been commented out. I have included the whole file anyway, to illustrate how services are turned off and how new ones are turned on for the firewall.
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
# FTP firewall gateway
ftp-gw stream tcp nowait.400 root /usr/local/etc/ftp-gw ftp-gw
# Telnet firewall gateway
telnet stream tcp nowait root /usr/local/etc/tn-gw /usr/local/etc/tn-gw
# local telnet services
telnet-a stream tcp nowait root /usr/local/etc/netacl in.telnetd
# Gopher firewall gateway
gopher stream tcp nowait.400 root /usr/local/etc/http-gw /usr/local/etc/http-gw
# WWW firewall gateway
http stream tcp nowait.400 root /usr/local/etc/http-gw /usr/local/etc/http-gw
# SSL firewall gateway
ssl-gw stream tcp nowait root /usr/local/etc/ssl-gw ssl-gw
# NetNews firewall proxy (using plug-gw)
nntp stream tcp nowait root /usr/local/etc/plug-gw plug-gw nntp
#nntp stream tcp nowait root /usr/sbin/tcpd in.nntpd
# SMTP (email) firewall gateway
#smtp stream tcp nowait root /usr/local/etc/smap smap
#
# Shell, login, exec and talk are BSD protocols.
#
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
#talk dgram udp wait root /usr/sbin/tcpd in.talkd
#ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
#dtalk stream tcp wait nobody /usr/sbin/tcpd in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
#uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
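As an added example (not from the HOWTO), the following Python script reads an inetd.conf in the format shown above and reports which services are actually enabled, which enabled entries are served by a program outside the FWTK directory (assumed to be /usr/local/etc, the default install directory mentioned in 7.3) rather than by a proxy or netacl, and which nowait entries carry no .N per-minute connection limit of the kind the file uses (nowait.400) for ftp and http. The excerpt embedded in it is constructed from lines on this page, with the pop-3 line deliberately left enabled so that the check has something to flag.

```python
"""Audit an inetd.conf in the style shown in this section (added example)."""

FWTK_DIR = "/usr/local/etc"  # assumed install directory, as in section 7.3

# Constructed excerpt of the inetd.conf above; pop-3 is enabled on purpose.
INETD_CONF = """\
#echo stream tcp nowait root internal
# FTP firewall gateway
ftp-gw stream tcp nowait.400 root /usr/local/etc/ftp-gw ftp-gw
# Telnet firewall gateway
telnet stream tcp nowait root /usr/local/etc/tn-gw /usr/local/etc/tn-gw
telnet-a stream tcp nowait root /usr/local/etc/netacl in.telnetd
nntp stream tcp nowait root /usr/local/etc/plug-gw plug-gw nntp
#nntp stream tcp nowait root /usr/sbin/tcpd in.nntpd
#smtp stream tcp nowait root /usr/local/etc/smap smap
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
"""


def parse_inetd(text):
    """Return one dict per enabled (uncommented) entry, in file order.

    Fields: service socket proto wait[.max_per_minute] user program [args...]
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd would reject it too
        wait_field, _, rate = fields[3].partition(".")
        entries.append({
            "service": fields[0],
            "socket": fields[1],
            "proto": fields[2],
            "wait": wait_field,
            "max_per_minute": int(rate) if rate else None,
            "user": fields[4],
            "program": fields[5],
            "args": fields[6:],
        })
    return entries


def enabled_services(entries):
    """Names of all services inetd would actually listen for."""
    return [e["service"] for e in entries]


def not_proxied(entries, fwtk_dir=FWTK_DIR):
    """Enabled services whose server is not an FWTK binary (proxy or netacl)."""
    return [e["service"] for e in entries
            if not e["program"].startswith(fwtk_dir + "/")]


def unlimited_rate(entries):
    """nowait entries with no per-minute limit (the file uses nowait.400)."""
    return [e["service"] for e in entries
            if e["wait"] == "nowait" and e["max_per_minute"] is None]


if __name__ == "__main__":
    found = parse_inetd(INETD_CONF)
    print("enabled:", enabled_services(found))
    print("not served by FWTK:", not_proxied(found))
    print("no rate limit:", unlimited_rate(found))
```

Run against a real file with parse_inetd(open("/etc/inetd.conf").read()); anything listed by not_proxied is a direct service on the firewall host, which is what the text says to avoid.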