[Main text]
Southwest Jiaotong University undergraduate graduation project (English translation), page 16

A building with brick firewalls is divided by those walls into several independent sections. The first firewall was a non-routing UNIX host connected to two different networks. With that setup, the only computer on your private LAN that has access to the outside world is the firewall server. For example, you could run the Netscape web browser under X Windows on the firewall and display the output on your local workstation. Because of this I do not recommend this type of firewall.

Firewalls are used for two purposes. From my years of experience I now say: don't believe what they say. My fix for this type of abuse is to publish the firewall logs on a Web page where everyone can see them and keep each other honest. People should be working, not playing at work. At least in my state (Oklahoma), employers have the right to monitor telephone and Internet activity as long as they tell their employees beforehand that they are doing so.

Types of Firewalls
There are two types of firewalls.
1. Filtering Firewalls - that block selected network packets.
2. Proxy Servers (sometimes called firewalls) - that make network connections for you.

Packet Filtering Firewalls
Packet filtering is the type of firewall built into the Linux kernel. A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As packets arrive they are filtered by their type, source address, destination address, and port information contained in each packet. Many network routers have the ability to perform some firewall services. Filtering firewalls can be thought of as a type of router. Because of this you need a deep understanding of IP packet structure to work with one. Filtering firewalls are more transparent to the user; the only identity is the IP address assigned to the user's workstation. Because very little data is analyzed and logged, filtering firewalls take less CPU

Proxy Servers
Application proxy - does the work for you. Some application proxies cache the requested data. As you telnet to the outside world, the client first sends your request to the proxy; the proxy then connects to the server you requested (the outside world) and passes the data back to you. They can even filter out "inappropriate" words from the sites you visit or scan for viruses. And they can log where each user connected to. ISPs sometimes do this as well, to build lists of what their users are interested in and resell them to merchants.

SOCKS Proxy
A SOCKS server is a lot like an old switch board.

Dial-up Architecture
You might be using a dialup service like an ISDN line. If you own the router, you can install some hard filter rules in the router. It is easy to let your work get out of hand. Keep control of every connection. It only takes a user with a modem to compromise your LAN.

Redundant Internet Configuration
If you are going to run a service like Yahoo or Slashdot you can use redundant routers and firewalls. Using redundant routers and firewalls with High Availability techniques you can create a 100% uptime service.

4. Setting up the Linux Filtering Firewall
Don't try to cover too much ground now. Make it simple and clear.

Hardware requirements
Filtering firewalls don't ... Linux can do it. If the proxy server you need will handle a lot of network traffic, you should use the best-performing system you can provide.

Selecting a kernel
I'm using RedHat. The built-in Linux firewall has changed several times. If you are using an old Linux kernel (... or older) get a new copy. These older kernels used ipfwadm from ... and are no longer supported. If you are using ... or newer you will be using ipchains as developed by ... If you are using the newer kernel there is a new firewall utility with more features. I will write about this soon.

Selecting a proxy server
If you want to set up a proxy server you will need one of these packages.
1. Squid
2. The TIS Firewall Toolkit (FWTK)
3. SOCKS
Squid is a great package and works with Linux. Keep visiting their web sites for more information.

Compiling the kernel
You will need to recompile the Linux kernel with the appropriate options. If you haven't recompiled your kernel before, you should read the Kernel HOWTO, the Ethernet HOWTO, and the NET-2 HOWTO. Select a stable kernel. It is best if you compile the kernel on the PC that will be used as the firewall. I use "make menuconfig" to edit my kernel settings.
    make modules

Configuring the network addresses
    DEVICE=eth1
    IPADDR=
    NETMASK=
    NETWORK=
    BROADCAST=
    GATEWAY=
    ONBOOT=yes
If you are going to use a dialup connection you will need to look at the ifcfg-ppp0 and the chat-ppp0 files. These control your PPP connection. This ifcfg file might look like ... If you don't want the Internet to have access to your private network, you don't ...

Testing your network
... shouldn't work. If it does, you have masquerading or IP Forwarding turned on, or you already have some packet filtering set. Turn them off and try again. You need to know the filtering is in place. For kernels newer than ... you can issue the command ...

Securing the Firewall
A firewall isn't any good if the system it is built on is left wide open to attacks. A bad guy could gain access to the firewall through a non-firewall service and modify it for their own needs. You need to turn off any unneeded services. My installation starts with the server configuration, and then I turn off a lot of unneeded services in /etc/. Look in your /etc/ file. This file configures inetd, also known as the super server. It controls a bunch of the server daemons and starts them as they are requested by a packet arriving at a well known port. You should turn off echo, discard, daytime, chargen, ftp, gopher, shell, login, exec, talk, ntalk, pop-2, pop-3, netstat, systat, tftp, bootp, finger, cfinger, time, swat and linuxconfig if you have one. To turn a service off, put a # as the first character of the service line. When you're done, send a SIGHUP to the process by typing kill -HUP pid, where pid is the process number of inetd. This will make inetd re-read its configuration file and restart without taking your system down. Test this by telneting to port 15 (netstat) on the firewall. If you get any output you have not turned these services off.
    telnet localhost 19

You can also create the file /etc/nologin. Put a few lines of text in it like (BUZZ OFF). When this file exists, login will not allow users to log on. They will see the contents of this file and their logins will be refused. Only root can log on. You can also edit the file /etc/securetty. If the user is root, then the login must be occurring on a tty listed in /etc/securetty. Failures will be logged with the syslog facility. With both of these controls in place the only way to log on to the firewall will be as root from the console. NEVER EVER TELNET to a system and log IN AS ROOT. If you need remote root access use SSH (Secure Shell). You might even turn off telnet. If you are really paranoid you need to be using LIDS (Linux Intrusion Detection System). It is an intrusion detection system patch for the Linux kernel.
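The inetd clean-up described under "Securing the Firewall" above, as an added example that is not part of the HOWTO or of this translation: a small POSIX sh script that audits an inetd.conf-style file for the services the text says to turn off and writes a hardened copy in which those lines are commented out with a leading #. The sample configuration it runs on is constructed for the example; the file paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not from the HOWTO or this translation: audit an inetd.conf-style
# file for the services the text says to turn off, and write a hardened copy with
# those lines commented out (a '#' as the first character, as the text describes).
# The sample file below is constructed; file paths are whatever the caller passes.
set -eu

# Services the text lists as unneeded on a firewall (netstat is the port 15 service).
UNNEEDED="echo discard daytime chargen ftp gopher shell login exec talk ntalk pop-2 pop-3 netstat systat tftp bootp finger cfinger time swat linuxconf"

# Print the names of listed services that are still enabled in file $1,
# i.e. whose line is not commented out.  One name per line, in file order.
enabled_unneeded() {
    awk -v list="$UNNEEDED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        ($1 in want) { print $1 }
    ' "$1"
}

# Write $1 to $2 with every listed service line commented out; everything
# else (including services the text leaves to you, such as telnet) is kept.
harden_copy() {
    awk -v list="$UNNEEDED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        ($1 in want) { print "#" $0; next }
        { print }
    ' "$1" > "$2"
}

# Constructed sample in inetd.conf format: service socket proto flags user server [args].
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample for the example, not a real /etc file
echo     stream  tcp  nowait  root    internal
#discard stream  tcp  nowait  root    internal
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
netstat  stream  tcp  nowait  root    /usr/sbin/tcpd  /bin/netstat -f inet
EOF
}

# Stand-alone run on the sample: report, harden, report again.
demo() {
    d=$(mktemp -d)
    write_sample "$d/inetd.conf"
    echo "still enabled before hardening:"
    enabled_unneeded "$d/inetd.conf"
    harden_copy "$d/inetd.conf" "$d/inetd.conf.hardened"
    echo "still enabled after hardening (should print nothing):"
    enabled_unneeded "$d/inetd.conf.hardened"
    rm -r "$d"
}
demo
```

Against a real system you would run enabled_unneeded on the inetd configuration file, review the hardened copy before putting it in place, and then send inetd the SIGHUP the text describes; the telnet test to a disabled port remains the final check that the change actually took effect.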