注册
个人空间
YT 回复于:2003-01-08 17:46:29
哦? MM~?~!
YT 回复于:2003-01-08 17:47:07
1.下载后解包、安装
# gunzip –cd ip_fil3.4.28.tar.gz | tar xvf -
# cd ip_fil3.4.28
# make solaris注意不能使用GNU make来编译
# cd SunOS5
#make package
ipf软件会被安装在/opt/ipf目录下,并同时在/etc/opt/ipf目录形成一个空文件ipf.conf
2.网络结构:
DMZ:10.0.0.0/8
PRIVATE:172.16.0.0/24
INTERNAT:由isp提供
3.Ipfilter可以分为两个模块:网络地址转换(network address translator)简称NAT,和数据包过滤器(packet filter)。第一个是用于伪装(隐藏单个外部IP地址后面的内部IP地址)和重定向主机和端口之间的数据包。包过滤器会检查被NAT修改过的数据包是否可以允许通过防火墙后的网络。
NAT与应用程序代理工作在TCP/IP的不同层次上,前者的好处是对应用程序基本透明,后者的好处是能够进行基于内容的过滤,但是需要应用程序支持代理并进行正确的设置,并且系统开销比较大,对服务器的配置要求比较高。
4. vi ipf.conf
#
# The following routes should be configured, if not already:
#
# route add 10.0.0.1 localhost 0
# route add 172.16.0.1 localhost 0
#
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass out on sppp0 all head 150
block out from 127.0.0.0/8 to any group 150
block out from any to 127.0.0.0/8 group 150
block out from any to 218.108.173.134/32 group 150
pass in on sppp0 all head 100
block in from 127.0.0.0/8 to any group 100
block in from 218.108.173.134/32 to any group 100
block in from 10.0.0.1/0xff000000 to any group 100
block in from 172.16.0.1/0xffff0000 to any group 100
pass out on elxl0 all head 350
block out from 127.0.0.0/8 to any group 350
block out from any to 127.0.0.0/8 group 350
block out from any to 10.0.0.1/32 group 350
pass in on elxl0 all head 300
block in from 127.0.0.0/8 to any group 300
block in from 10.0.0.1/32 to any group 300
block in from 218.108.173.134/0xffffff00 to any group 300
block in from 172.16.0.1/0xffff0000 to any group 300
pass out on elxl1 all head 450
block out from 127.0.0.0/8 to any group 450
| 论坛热门帖子: | [lch203] 写得蛮好的linux学习笔记(10-21) [黑马制造] 学习java的30个目标(10-19) [笑傲股林] 做测试半年了,有点迷茫,应该再学些什么提高自己的测试水平和测试能力呢?(10-19) [udp8589] 大家用google的来吱一声? 用百度的~~也来报道下?(10-18) [沂偌掳兆] 本人总结的一些认为C++比较经典的书籍,希望对大家有用(10-18) |
| TAG标签: | 一点 文章 内容 提供 技术 相关 请教 #59 fi then if |
