2774b Linux Firewall Design and Implementation, Graduation Project English Translation, Summary:

Southwest Jiaotong University undergraduate graduation project (English translation), page 7

do this on a computer other than the firewall. If you do install a C compiler and utilities on your firewall, remove them after you have completed configuring your kernel.

Compiling the Kernel

Start with a clean minimal installation of your Linux distribution. The less software you have loaded, the fewer holes, backdoors and/or bugs there will be to introduce security problems in your server. Pick a stable kernel. I am using kernel kernel for my system, so this documentation is based on its settings. You will need to recompile the Linux kernel with the appropriate options. If you haven't recompiled your kernel before you should read the Kernel HOWTO, the Ethernet HOWTO, and the NET-2 HOWTO. Here are the network related settings I know work. I have marked some with a ?. If you will be using this feature, turn it on as well. I use make menuconfig to edit my kernel settings.

<*> Packet socket
[ ] Kernel/User netlink socket
[*] Network firewalls
[ ] Socket Filtering
<*> Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[*] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[?] IP: always defragment (required for masquerading)
[?] IP: transparent proxy support
[?] IP: masquerading
--- Protocol-specific masquerading support will be built as modules.
[?] IP: ICMP masquerading
--- Protocol-specific masquerading support will be built as modules.
[ ] IP: masquerading special modules support
[*] IP: optimize as router not host
< > IP: tunneling
< > IP: GRE tunnels over IP
[?] IP: aliasing support
[*] IP: TCP syncookie support (not enabled per default)
--- (it is safe to leave these untouched)
< > IP: Reverse ARP
[*] IP: Allow large windows (not recommended if <16Mb of memory)
< > The IPv6 protocol (EXPERIMENTAL)
---
< > The IPX protocol
< > Appletalk DDP
< > CCITT Packet Layer (EXPERIMENTAL)
< > LAPB Data Link Driver (EXPERIMENTAL)
[ ] Bridging (EXPERIMENTAL)
[ ] LLC (EXPERIMENTAL)
< > Acorn Econet/AUN protocols (EXPERIMENTAL)
< > WAN router
[ ] Fast switching (read help!)
[ ] Forwarding between high speed interfaces
[ ] CPU is too slow to handle full bandwidth
    QoS and/or fair queueing --->

After making all the settings you need, you should recompile, reinstall the kernel and reboot. I use the command:

make dep; make clean; make bzlilo; make modules; make modules_install; init 6

to accomplish all of this in one step.

Configuring two network cards

If you have two network cards in your computer, you may need to add an append statement to your /etc/ file to describe the IRQ and address of both cards. My lilo append statement looks like this:

append=ether=12,0x300,eth0 ether=15,0x340,eth1

Configuring the Network Addresses

Now we arrive at the fun part of our setup. I'm not going to go deep into how to set up a LAN. Read the Networking-HOWTO to solve your problems here. Your goal is to provide two network connections to your filtering firewall system: one on the Internet (unsecured side) and one on the LAN (secure side). Anyway, you have a few decisions to make.

1. Will you use real IP numbers or make some up for your LAN?
2. Will your ISP assign the number or will you be using static IP numbers?

Since you don't want the Internet to have access to your private network, you don't need to use real addresses. You could just make up addresses for your private LAN. But this is not recommended. If data gets routed out of your LAN, it might end up at another system's port. There are a number of Internet address ranges set aside for private networks. Of these, , is set aside and we will use it in our examples. You will need to use IP masquerading to make this happen. With this process the firewall will forward packets and translate them into a REAL IP address to travel on the Internet. Using these non-routable IP addresses makes your network more secure. Internet routers will not pass packets with these addresses. You may want to read the IP Masquerading HOWTO at this point. You must have a real IP address to assign to your Internet network card.
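The dependency the kernel option list above calls out ("IP: always defragment" is required when masquerading is on) and the options it marks [*] can be checked mechanically against a .config before you recompile. This is an added example, not part of the HOWTO; it assumes the CONFIG_* symbol names of the 2.2 kernel series and runs on a constructed .config fragment.

```python
# Added example (not from the HOWTO): check a 2.2-era kernel .config for the
# options the list above marks [*], and for the dependency it notes:
# "IP: always defragment" is required when masquerading is enabled.
# CONFIG_* symbols are assumed from the 2.2 kernel's net/ipv4/Config.in.
REQUIRED = {
    "CONFIG_FIREWALL": "Network firewalls",
    "CONFIG_INET": "TCP/IP networking",
    "CONFIG_IP_ADVANCED_ROUTER": "IP: advanced router",
    "CONFIG_IP_FIREWALL": "IP: firewalling",
    "CONFIG_IP_ROUTER": "IP: optimize as router not host",
    "CONFIG_SYN_COOKIES": "IP: TCP syncookie support",
}

# Constructed .config fragment: masquerading on, defragment left off.
SAMPLE_CONFIG = """\
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_MASQUERADE=y
# CONFIG_IP_ALWAYS_DEFRAG is not set
CONFIG_IP_ROUTER=y
CONFIG_SYN_COOKIES=y
"""


def parse_config(text):
    """Map CONFIG_ symbols to their value; '# X is not set' maps to None."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and line.endswith(" is not set"):
            cfg[line[2:-len(" is not set")]] = None
        elif line.startswith("CONFIG_") and "=" in line:
            sym, val = line.split("=", 1)
            cfg[sym] = val
    return cfg


def check_firewall_config(text):
    """Return a list of problems; an empty list means the config is usable."""
    cfg = parse_config(text)
    problems = [f"{label} ({sym}) is not built in"
                for sym, label in REQUIRED.items() if cfg.get(sym) != "y"]
    # The HOWTO's note: masquerading requires "IP: always defragment".
    if cfg.get("CONFIG_IP_MASQUERADE") == "y" and cfg.get("CONFIG_IP_ALWAYS_DEFRAG") != "y":
        problems.append("IP: masquerading needs IP: always defragment (CONFIG_IP_ALWAYS_DEFRAG)")
    return problems
```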
This address can be permanently assigned to you (a static IP address) or it can be assigned at network connect time by the PPP process. You assign your inside IP numbers, like to the LAN card. This will be your gateway IP address. You can assign all the other machines in the protected network (LAN) a number in the range ( through ).

I use RedHat Linux. To configure the network at boot time I added an ifcfg-eth1 file in the /etc/sysconfig/network-scripts directory. You may also find an ifcfg-ppp0 or ifcfg-tr0 in this directory. These 'ifcfg-' files are used by RedHat to configure and enable your network devices at boot time. They are named after the connection type. Here is the ifcfg-eth1 (second ether card) for our example:

DEVICE=eth1
IPADDR=
NETMASK=
NETWORK=
BROADCAST=
GATEWAY=
ONBOOT=yes

If you are going to use a dialup connection you will need to look at the ifcfg-ppp0 and the chat-ppp0 file. These control your PPP connection. This ifcfg file might look like:

DEVICE=ppp0
ONBOOT=yes
USERCTL=no
MODEMPORT=/dev/modem
LINESPEED=115200
PERSIST=yes
DEFABORT=yes
DEBUG=yes
INITSTRING=ATZ
DEFROUTE=yes
HARDFLOWCTL=yes
ESCAPECHARS=no
PPPOPTIONS=
PAPNAME=LoginID
REMIP=
NETMASK=
IPADDR=
MRU=
MTU=
DISCONNECTTIMEOUT=
RETRYTIMEOUT=5
BOOTPROTO=none

Testing your network

Start by using the ifconfig and route commands. If you have two network cards ifconfig should look something like:

ifconfig
lo    Link encap:Local Loopback
      inet addr: Mask:
      UP LOOPBACK RUNNING MTU:3924 Metric:1
      RX packets:1620 errors:0 dropped:0 overruns:0
      TX packets:1620 errors:0 dropped:0 overruns:0
      colli
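A small checker for the LAN-side ifcfg-eth1 file in the key=value format shown above, added here as an example and not part of the HOWTO. It assumes constructed sample addresses in a private range and, as the text describes, that the LAN card's own address is the gateway; it verifies the address is private (RFC 1918) and that NETWORK, BROADCAST and GATEWAY are consistent with IPADDR/NETMASK.

```python
import ipaddress

# Constructed ifcfg-eth1 (LAN side) in the RedHat key=value format shown
# above; the addresses are sample values, not the HOWTO's own.
SAMPLE_IFCFG_ETH1 = """\
DEVICE=eth1
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
GATEWAY=192.168.1.1
ONBOOT=yes
"""


def parse_ifcfg(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip()
    return cfg


def check_lan_ifcfg(text):
    """Return problems in a LAN-side ifcfg file (empty list == OK): the
    address must be private (RFC 1918) so it is never routed onto the
    Internet, and NETWORK/BROADCAST/GATEWAY must match IPADDR/NETMASK."""
    cfg = parse_ifcfg(text)
    try:
        iface = ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
    except (KeyError, ValueError) as exc:
        return [f"bad or missing IPADDR/NETMASK: {exc}"]
    net = iface.network
    problems = []
    if not iface.ip.is_private:
        problems.append(f"{iface.ip} is not a private address")
    if cfg.get("NETWORK") != str(net.network_address):
        problems.append(f"NETWORK should be {net.network_address}")
    if cfg.get("BROADCAST") != str(net.broadcast_address):
        problems.append(f"BROADCAST should be {net.broadcast_address}")
    gateway = cfg.get("GATEWAY")
    if gateway and ipaddress.ip_address(gateway) not in net:
        problems.append(f"GATEWAY {gateway} is not on {net}")
    return problems
```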