Since the promotion of the National Information Superhighway (NII), successive tanet, seednet and hinet have been painstakingly built, and the internet has become the hot topic of the magazine, and "add Into the Internet, the use of internet"also become a way to build corporate image. Amid a flurry of internet turmoil, people are beginning to worry about the so-called "cyber security" problem. Because of the openness of the Internet, it has benefited all members, but also because of his openness, the issue of "cyber security" should be considered. This time we're going to talk about the topic that started with this-"Firewall" (firewall) is a product of this "cyber security" consideration.
We can set up a machine with firewall function between the internal network and the outside network connection, and use it to filter the data transmitted between the two networks. , and then restrict the network functions that can be used by different users through the setting of related software. The data to be transmitted from the external network to the internal network must be transferred by setting up the firewall machine, and the data of the internal network can be transmitted correctly through this firewall. The destination of the external network road. As a firewall machine, it became a transfer station between the Internet. So when the "alien visitor" arrives, his footsteps only reach Firewall, so in the worst case, the "firewall machine is destroyed!! , but the internal network can escape a robbery and "live" down, based on the sacrifice of the ego to complete the principle of my own, such a price seems to be worthwhile.
While such procedures may seem cumbersome, they can, in some cases, prevent the intrusion of external Internet intruders to secure the intranet. On the other hand, it can restrict the internal network communication to the external network and do another layer of network data flow control. Of course, for this security issue, we have to sacrifice a lot of "convenience", "speed" on the enjoyment, but there will always be a way to make up for, these will be we are involved in the Capacity.
The erection pattern of firewall is not unique, it depends entirely on the function of the operating system and the firewall software. The graph above is one of the simplest firewall architectures. After saying some Firewall words, we have to do a combination of "Linux" with our protagonist and start to really jump into our focus on how to use Linux to build a firewall" 。
Add firewall functionality to Linux core
Since the Linux 1.2.x kernel compilation setup, add the Config_firewall option, because of the function of several system call functions, so if you want to set Linux as With firewall machines, then it is necessary to first determine, the use of the Linux kernel has firewall features into the!!
The surest way, of course, is to recompile the Linux Kernel and set the Config_ip_firewall to Yes. It is also important to note that "when setting up a basic Linux firewall, you must remove the ip_forwarding function of the Linux machine," and we use the following Diagram to explain it slightly. So when you are working on kernel recompilation to perform "make Config", specifically consider adding the following selection items.
1.Network Support (config_net) [y]
2.TCP/IP Networking (config_inet) [y]
3.IP forwarding/gatewaying (Config_ip_forward) [n]
4.IP firewalling (Config_ip_firewall) [y]
5.IP Accounting (CONFIG_IP_ACCT) [y]
6.SLIP or PPP driver (if the foreign connection is using a dial or a line)
EX:PPP (point-to-point) support (CONFIG_PPP) [y]
7. Personal network card driver (used to connect to the internal area network)
ex:ne2000/ne1000 Support (config_ne2000) [y]
Then, perform the compile work of "make dep;make Clean;make zimage", etc. (For detailed kernel recompilation, please refer to the details of the previous CD monthly Fine description)
(Note: In the development of the Linux 1.3.x will be added to another firewall function, called Ip_masquerade, he is the current from the external software to transfer information to the way by Kerne L internal directly to deal with, sounds pretty good news, but are still in the development of testing phase, I would like to advise you, if you want to be safe, do not use, with stable operation after the happy use of the
After creating a new kernel, move the resulting zimage or vmlinuz to the root directory (or other startup directory), and if you use LILO, be sure to perform "lilo" again, update Start the data, and then restart Linux.
After entering the new Linux, in order to ensure that in case, please observe the contents of/PROC/NET/SNMP, the implementation of the following way:
Please refer to the description and content value of 1.2. If the first value of 2. is 0, the function of ip_forwarding is not included in kernel. So, please execute this command to check if the function of IP forwarding has been turned off!!
Set up network addresses
After determining that Linux has a firewall function, the next thing to do is to set the address of the network, first to deal with the external part, since this Linux needs to external connection, so what the reason There should be an authorized named address, and it is unique. To the Internet, this network address is the only one in the world, there can be no second, otherwise there will be a fight situation, so do not need to be too nerve-racking!! However, because the external address must be unique, so when setting the address of the internal network (IP addresses), we have to consider the point of the week, otherwise if there is internal machine and external network bit At the same time, the firewall machine will probably not know how to transfer the data to the correct location.
Here are some of the IP address areas that are specifically reserved for use by the internal network:
If it is necessary to set the internal network address that does not exist on the Internet to this extent, it will not affect the Firewall machine error in forwarding data.
Test the network Line
The second step is to test the connection of the network, please note, because Linux is a Firewall Machine, so the machine on the intranet cannot be connected directly with the outside of the machine. The same network of outside machines cannot connect directly to the internal network machine, but they should all be able to connect to the firewall.
So next we have to test whether the connection between the Linux Firewall machine and the outside network is normal, and then test whether the machine on the intranet and this Linux Can maintain a normal wiring situation.
Do not just try to be the internal network machine directly to the outside of a machine to connect, which is theoretical and practical impossible, because of the Firewall , and any machine on the intranet (in addition to this firewall) is not a member of the outside network (that is, there is no exclusive IP address of the network addresses).
Setting limits on Network functionality
The purpose of building firewall is to consider safety. Although there is a layer of firewall block, can be a bit of protection, but if on this firewall, open all the functions of the network, it is not equal to a full public , it seems not quite right. Therefore, since it is necessary to achieve the objective of safety control, it is necessary to restrict the network programs provided on the Firewall machine.
How to limit the network functionality provided on the Firewall machine. You only have to change the "/etc/inet.conf" file as root. Add the annotation symbol to the network function that you are not prepared to use directly on the firewall. In general, save the file transmission, terminal simulation function, and the system information related to the program to shut down (Systat, BOOTP, Fingerd ...). Prevent others from using these programs to obtain information about the status of the machine.
Set proxy Server
Because in such a Firewall environment, all the data related to the external network must be connected through this Firewall (and possibly more than one). In this way, if you want to telnet to the outside network, then you have to Telnet to Firewall Machine, and then telnet to the outside, that is, "everything has to have a prosthetic hand", that Think about it, if someone inside wants to play www that's no solution. "Proxy Server" is an answer to this question, and next time we'll go on to explain how to set up SOCKS 4.2 on Linux Firewall machine, the proxy S Erver.
How to perform Linux, trumpet, and Netscape on an intranet machine to connect to the firewall via this good Linux network!!!。 In this way, regardless of security, we can use this method, so that several machines, while using an Internet IP address, connect to the International network to play!!!
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
