Greek Firewalling and Proxy Server HOWTO
Mark Grennan, markg@netplus.net
v0.4, 8 November 1996

This document is designed to teach the basics of firewall systems and to give some details on setting up a firewall, a proxy and filtering on Linux-based PCs. An HTML version (in English) of this document is available at http://okcforum.org/~markg/Firewall-HOWTO.html

______________________________________________________________________

Table of Contents

1. Introduction
   1.1 Feedback
   1.2 Disclaimer
   1.3 Copyright
   1.4 My reasons for writing this
   1.5 TODO
   1.6 Further reading
2. Understanding Firewalls
   2.1 Drawbacks of firewalls
   2.2 Types of firewalls
      2.2.1 IP filtering firewalls
      2.2.2 Proxy servers
3. Setting up a Firewall
   3.1 Hardware requirements
4. Firewall Software
   4.1 Available packages
   4.2 The TIS Firewall Toolkit vs. SOCKS
5. Preparing the Linux System
   5.1 Compiling the kernel
   5.2 Configuring two network cards
   5.3 Configuring the network addresses
   5.4 Testing your network
   5.5 Securing the firewall
6. IP Filtering Setup (IPFWADM)
7. Installing the TIS Proxy Server
   7.1 Getting the software
   7.2 Compiling the TIS FWTK
   7.3 Installing the TIS FWTK
   7.4 Configuring the TIS FWTK
      7.4.1 The netperm-table file
      7.4.2 The inetd.conf file
      7.4.3 The /etc/services file
8. The SOCKS Proxy Server
   8.1 Setting up the proxy server
   8.2 Configuring the proxy server
      8.2.1 The access file
      8.2.2 The routing file
      8.2.3 DNS from behind the firewall

      Setting up the Domain Name Service from behind a firewall is admittedly an easy matter. You simply need to set up the DNS on the firewall machine. Then set every machine behind the firewall to use this DNS.

   8.3 Working with a proxy server
      8.3.1 Unix
      8.3.2 MS Windows with Trumpet Winsock
      8.3.3 Getting the proxy server to work with UDP packets
   8.4 Drawbacks of proxy servers
9. Advanced Configurations
   9.1 A large network with emphasis on security
      9.1.1 The network setup
      9.1.2 The proxy setup

______________________________________________________________________

1. Introduction

The original version of the Firewall-HOWTO was written by David Rudder, drig@execpc.com, and I want to thank him for letting me update his work.

Firewalls have recently gained great fame as the ultimate in Internet security. As with most things that gain fame, misunderstandings come along with it. This HOWTO will cover the basics of what a firewall is, how to set one up, what proxy servers are, how to set up a proxy server, and the applications of this technology outside the realm of security.

1.1. Feedback

Any feedback is welcome. PLEASE REPORT ANY INACCURACIES IN THIS DOCUMENT!!! I am human and prone to making mistakes. If you find any, correcting them is my foremost goal. I will try to answer all e-mail, but I am busy, so don't be offended if I don't reply. My e-mail address is markg@netplus.net

1.2. Disclaimer

I AM NOT RESPONSIBLE FOR ANY DAMAGE THAT OCCURS AS A RESULT OF ACTIONS TAKEN BASED ON THIS DOCUMENT. This document is intended as an introduction to how firewalls and proxy servers work. I am not, nor do I claim to be, a security expert. I am just a simple guy who has read a lot and loves computers more than most people do. Please understand that I am writing this guide to make this subject known, and I am not ready to stake my life on what is here.

1.3. Copyright

Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and redistributed in whole or in part, in any physical or electronic medium, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.

All translations, derivative works or aggregate works incorporating any Linux HOWTO document must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator. If you have any questions, please contact Mark Grennan.

1.4. My reasons for writing this

Even though there have been many discussions on comp.os.linux.* over the past year about firewalling, I found it hard to find the information I needed to set up a firewall. The original version of this HOWTO helped, but it was incomplete. I hope this enhanced version of David Rudder's Firewall HOWTO will give everyone the information they need to build a working firewall in hours rather than weeks. I also feel that I want to give something back to the Linux community.

1.5. TODO

· Give some instruction on how to set up a client
· Find a nice UDP proxy server that works on Linux.

1.6. Further reading

· The NET-2 HOWTO
· The Ethernet HOWTO
· The Multiple Ethernet Mini HOWTO
· Networking with Linux
· The PPP HOWTO
· TCP/IP Network Administrator's Guide by O'Reilly and Associates
· The documentation for the TIS Firewall Toolkit

On the Trusted Information Systems (TIS) web site, http://www.tis.com/, you will find a large collection of documents on firewalls and related material.

I am also working on a security project that I call Secure Linux. On the Secure Linux web site I am gathering all the information, documentation and programs needed to build a secure Linux system. Send me e-mail if you want information.

2. Understanding Firewalls

A firewall is something that is used as a part of a car. In cars, firewalls are the physical objects that separate the engine from the passengers. They protect the passengers in case the engine catches fire, while still giving the driver access to the engine's controls.

A firewall in computing is a device (a computer) that protects a private network from the public part (the Internet as a whole). The firewall computer, from now on called "the firewall", can touch both the protected network and the Internet. The protected network cannot reach the Internet, and the Internet cannot reach the protected network. For someone inside the protected network to reach the Internet, they must telnet to the firewall and use the Internet from there.

The simplest form of a firewall is a dual-homed system (a system with two network connections). IF YOU CAN TRUST ALL YOUR USERS you can simply set up a Linux system (compile the kernel with IP Forwarding turned off) and give everyone accounts on it.
They will be able to log in to the system, telnet, FTP, read e-mail, and use whatever else you have provided. With this setup, the only computer on your private network that knows anything about the outside world is the firewall. The other systems on your protected network do not even need a default route.

This needs a clarification. For the firewall above to work you MUST TRUST ALL YOUR USERS! I do not recommend this.

2.1. Drawbacks of firewalls

The problem with filtering firewalls is that they inhibit access to your network from the Internet. Only services on systems that have passed the filtering can be accessed. With proxy servers, users can log in to the firewall and from there access any system inside your private network to which they have access.

Also, new types of network clients and servers come out almost every day. When that happens, you will have to find new ways to allow controlled access before those services can be used.

2.2. Types of firewalls

There are two types of firewalls:

1. IP filtering firewalls - block everything except selected network traffic.
2. Proxy servers - these make the network connection for you.

2.2.1. IP filtering firewalls

An IP filtering firewall works at the packet level. It is designed to control the flow of packets based on the source (or destination) port and the information contained in each packet. This kind of firewall is very secure, but it lacks any kind of useful event logging. It can block the world from accessing your private network, but it will not report who accessed your public systems or who accessed the Internet from inside.

Filtering firewalls are absolute filters.
Even if you want to give outside access to your private servers, you cannot do it without giving everyone access to those servers.

Linux has included packet filtering in the kernel since version 1.3.x.

2.2.2. Proxy servers

Proxy servers allow indirect access to the Internet through the firewall. The best illustration of how this works is a person telnetting to a system and then telnetting from there to somewhere else. With proxy servers, however, the operation is automatic. When you connect to a proxy server with your client software, the proxy server starts its own client (proxy) software and passes your data along.

Because proxy servers duplicate all communications, they can log everything they do.

The nice thing about proxy servers is that they are completely secure, when configured correctly. They will not let anyone get through them. There are no direct IP routes.

3. Setting up a Firewall

3.1. Hardware requirements

For our example, the computer is a 486-DX66 with 16 MB of RAM and a 500 MB Linux partition. This system has two network cards, one connected to your local private network (LAN) and the other to the network we call the De-Militarized Zone (DMZ). The DMZ has a router with a connection to the Internet.

This is a nice setup for a business. You could instead use one network card and a modem with PPP to the Internet. The point is that the firewall has two IP network numbers.

I know that many people have small LANs at home with two or three machines. Something to think about is putting all your modems in one Linux box (perhaps an old 386) and connecting them all to the Internet with load balancing.
With this setup, when a single person is pulling data they can use both modems, doubling the connection speed :-)

4. Firewall Software

4.1. Available packages

If all you want is a filtering firewall, you need only Linux and the basic networking package. One package that might not be included in your distribution is the IP Firewalling Administration Tool (IPFWADM), available at http://www.xos.nl/linux/ipfwadm/

If you want to set up a proxy server you will need one of the following packages:

1. SOCKS
2. TIS Firewall Toolkit (FWTK)

4.2. The TIS Firewall Toolkit vs. SOCKS

Trusted Information Systems (http://www.tis.com) has released a collection of programs designed to facilitate firewalling. These programs do the same things as the SOCKS package, but with a different design strategy. Where SOCKS has one program that covers all Internet transactions, TIS provides one program for each thing that wants to use the firewall.

To contrast the two, let us take the example of World Wide Web and telnet access. With SOCKS you get one configuration file and one daemon. Through that file and daemon, you have both WWW and telnet enabled, as well as any other services you have not disabled.

With the TIS toolkit, you set up one daemon each for WWW and telnet, and a configuration file for each as well. After you have done that, the other Internet services are still disabled until you set them up. If you have not set up a daemon for a particular service, there is a "plug-in" daemon, but it is neither as flexible nor as easy to set up as the other tools.

This may not seem very important, but it makes a big difference. SOCKS lets you be sloppy.
With a poorly set up SOCKS server, someone on the inside can gain more access than you originally intended. With the TIS toolkit, people on the inside have access only where the system administrator wants them to have it.

SOCKS is easier to set up, easier to compile and allows greater flexibility. The TIS toolkit is more secure if you want to regulate the users inside your private network. Both provide absolute protection from the outside. I will cover the installation and setup of both.

5. Preparing the Linux System

5.1. Compiling the kernel

Start with a clean installation of your Linux distribution. (I used RH 3.0.3 and the examples are based on that distribution.) The less software you have loaded, the fewer holes, back doors and/or bugs there will be to introduce security problems into your system, so load only a minimal set of applications (minimum installation).

Get a stable kernel. I used Linux kernel 2.0.14 for my system, so this document is based on my setup.

You will need to recompile the Linux kernel with the appropriate options. For that, look at the Kernel-HOWTO, the Ethernet-HOWTO and the NET-2 HOWTO if you have not done this before.

Below are the settings that I know work with make config.

1. Under General setup
   a. Turn Networking Support ON
2. Under Networking Options
   a. Turn Network firewalls ON
   b. Turn TCP/IP Networking ON
   c. Turn IP forwarding/gatewaying OFF (UNLESS you wish to use IP filtering)
   d. Turn IP Firewalling ON
   e. Turn IP firewall packet logging ON (this is not required, but it is a good idea)
   f. Turn IP: masquerading OFF (I am not covering this subject here.)
   g. Turn IP: accounting ON
   h. Turn IP: tunneling OFF
   i. Turn IP: aliasing OFF
   j. Turn IP: PC/TCP compatibility mode OFF
   k. Turn IP: Reverse ARP OFF
   l. Turn Drop source routed frames ON
3. Under Network device support
   a. Turn Network device support ON
   b. Turn Dummy net driver support ON
   c. Turn Ethernet (10 or 100Mbit) ON
   d. Select your network card

Now you can recompile and reinstall the kernel and reboot. The network card(s) should show up during boot. If not, go back to the other HOWTOs until they work.

5.2. Configuring two network cards

If you have two network cards in your computer, you will probably need to add an append statement to your /etc/lilo.conf file describing the IRQs and addresses of both cards. The append statement in my lilo.conf looks like this:

   append="ether=12,0x300,eth0 ether=15,0x340,eth1"

5.3. Configuring the network addresses

This is really the interesting part. Now you have some decisions to make. Since we do not want the Internet to have access to any part of our private network, we do not need to use real addresses. There is a range of Internet addresses that has been set aside for private networks. Because everyone needs more addresses, and because these addresses cannot cross onto the Internet, they are a good choice.

These, 192.168.2.xxx, are set aside and we will use them in our example. Your firewall will be a member of both networks and so will be able to pass data to and from your private network.

          199.1.2.10    __________    192.168.2.1
      _  __  _       \  |          |  /      _______________
     | \/  \/ |       \ | Firewall | /      |               |
    / Internet \--------|  System  |--------| Workstation/s |
    \_/\_/\_/\_/        |__________|        |_______________|

If you intend to use a filtering firewall, you can even keep the numbers above. You will, however, need to use IP masquerading for that to work.
With that in place the firewall will forward packets and translate them to "REAL" addresses for their travel on the Internet.

You will have to assign the real IP address to the network card on the Internet (outside) side, and assign 192.168.2.1 to the Ethernet card on the inside. That will be your proxy/gateway IP address. You can assign all the other machines inside the protected network numbers from the 192.168.2.xxx range (192.168.2.2 through 192.168.2.254).

Since I use RH Linux (Hey guys, are you going to send me a copy for the plugs? ;-), to configure the network at boot time I added an ifcfg-eth1 file to the /etc/sysconfig/network-scripts directory. This file is read during boot to set up the network and the routing tables. Here is what my ifcfg-eth1 looks like:

   #!/bin/sh
   #>>>Device type: ethernet
   #>>>Variable declarations:
   DEVICE=eth1
   IPADDR=192.168.2.1
   NETMASK=255.255.255.0
   NETWORK=192.168.2.0
   BROADCAST=192.168.2.255
   GATEWAY=199.1.2.10
   ONBOOT=yes
   #>>>End variable declarations

You can use these scripts to connect automatically to your Internet provider over a modem. Look at the ipup-ppp script.

If you intend to use a modem for your Internet connection, your external IP address will be assigned to you by the ISP at connection time.

5.4. Testing your network

Start by checking ifconfig and route.
If you have two network cards, ifconfig should look something like this:

   #ifconfig
   lo        Link encap:Local Loopback
             inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
             UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
             RX packets:1620 errors:0 dropped:0 overruns:0
             TX packets:1620 errors:0 dropped:0 overruns:0

   eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
             inet addr:199.1.2.10  Bcast:199.1.2.255  Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:0 errors:0 dropped:0 overruns:0
             TX packets:0 errors:0 dropped:0 overruns:0
             Interrupt:12 Base address:0x310

   eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
             inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:0 errors:0 dropped:0 overruns:0
             TX packets:0 errors:0 dropped:0 overruns:0
             Interrupt:15 Base address:0x350

and the routing table something like this:

   #route -n
   Kernel routing table
   Destination     Gateway         Genmask         Flags MSS    Window Use Iface
   199.1.2.0       *               255.255.255.0   U     1500   0       15 eth0
   192.168.2.0     *               255.255.255.0   U     1500   0        0 eth1
   127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
   default         199.1.2.10      *               UG    1500   0       72 eth0

Note: 199.1.2.0 is the Internet side of this firewall and 192.168.2.0 is the private side.

Now try to ping the Internet from the firewall. I used to use nic.ddn.mil as my test point. It is still a good test point, but it has proven to be less reliable than I had hoped. If it does not work the first time, try pinging a few other places that are not connected to your LAN. If it still does not work, then PPP is not set up correctly. Re-read the NET-2 HOWTO and try again.

Next, try pinging a host inside the protected network from the firewall. All the computers should be able to ping each other. If not, go back to the NET-2 HOWTO and work on your network some more.
Then, try pinging the outside address of the firewall from inside the protected network. (Note: the address of the outside side of the firewall is not any 192.168.2.xxx IP number.) If you can, then you have not turned IP Forwarding off. Make sure that is what you want. If you leave it on, you can go straight to the "IP Filtering Setup (chapter 6)" section of this document.

Now, try pinging the Internet from behind the firewall, using the same addresses that worked before (e.g. nic.ddn.mil). Again, if you have IP Forwarding turned off, this is not going to work. If you have it turned on, it should work. If you have IP Forwarding selected, you should be using "REAL" IP addresses (not 192.168.2.xxx) for your private network.

If you cannot ping the Internet but you can ping the Internet side of the firewall, check whether the next router down the line (towards the Internet) routes packets to your private network's address. (The ISP does this for you.) If you have set the protected network to 192.168.2.xxx, then no packets can be routed to it at all. If you have gone ahead and already turned IP masquerading on, this test should work.

Now you have your basic system ready.

5.5. Securing the firewall

A firewall is no good if it is left wide open to attacks through unused services. A "bad guy" can gain access to the firewall and modify it to suit his needs. Start by turning off all unneeded services. Look at the /etc/inetd.conf file. This file controls what is called the "super server". It controls a bunch of server daemons and starts them when they are requested.

Definitely turn off netstat, systat, tftp, bootp, and finger.
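To check the result of this pruning, here is an added Python example; it is not part of the original HOWTO and not a Red Hat or inetd tool. It comments out the services listed above in a constructed inetd.conf, exactly as the HOWTO describes (a '#' in the first column), and reports which services inetd would still start. The sample file, its paths and the extra "bootps" name (the name the bootp daemon usually carries in inetd.conf) are assumptions of the example.

```python
"""Added example (not from the HOWTO): prune inetd services and show what is left."""
from typing import Iterable, List, Set

# Services chapter 5.5 says to turn off on the firewall host.  "bootps" is the
# name the bootp daemon usually has in inetd.conf, so it is included as well.
UNNEEDED_SERVICES = {"netstat", "systat", "tftp", "bootp", "bootps", "finger"}

# Constructed sample of an inetd.conf; the paths and fields are illustrative only.
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
systat  stream  tcp  nowait  guest /usr/sbin/tcpd  /bin/ps -auwwx
netstat stream  tcp  nowait  guest /usr/sbin/tcpd  /bin/netstat -f inet
tftp    dgram   udp  wait    root  /usr/sbin/tcpd  in.tftpd
bootps  dgram   udp  wait    root  /usr/sbin/tcpd  bootpd
"""


def is_active(line: str) -> bool:
    """An inetd.conf line is active when it is neither blank nor commented out."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith("#")


def enabled_services(inetd_conf: str) -> Set[str]:
    """Service names inetd would still start: the first field of every active line."""
    return {line.split()[0] for line in inetd_conf.splitlines() if is_active(line)}


def disable_services(inetd_conf: str,
                     unneeded: Iterable[str] = UNNEEDED_SERVICES) -> str:
    """Return the file text with every active line of an unneeded service commented out.

    Lines that are already comments are left alone, so running this twice changes nothing.
    """
    unneeded = set(unneeded)
    out: List[str] = []
    for line in inetd_conf.splitlines():
        if is_active(line) and line.split()[0] in unneeded:
            out.append("#" + line)      # the HOWTO's convention: '#' in column one
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hardened = disable_services(SAMPLE_INETD_CONF)
    print(hardened)
    print("still enabled:", sorted(enabled_services(hardened)))
    # After writing the real file back, the HOWTO's next step is kill -HUP on inetd.
```

After writing the edited file back to /etc/inetd.conf, the remaining step is the one the HOWTO gives: send inetd a HUP so it re-reads the file. Reviewing the set that enabled_services() returns afterwards is the quick check that nothing unexpected is still listening.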
To turn off a service, put # as the first character of the line of each service you do not want. When you have done that, send a SIG-HUP to the process by typing "kill -HUP <pid>", where <pid> is the process id of inetd. This makes inetd re-read its configuration file (inetd.conf) and restart.

6. IP Filtering Setup (IPFWADM)

To start with, you should have IP Forwarding turned on in your kernel, and your system should be up and forwarding everything that is sent to it. Your routing tables should be in place and you should have access everywhere, from inside to outside and from outside to inside.

But we are building a firewall, so we need to start plugging up what everyone has access to.

On my system I created a couple of scripts to set the forwarding policy and the accounting policy on the firewall. I call these scripts from the /etc/rc.d scripts, so my system is configured from boot time.

By default the IP Forwarding system in the Linux kernel forwards everything. For that reason the firewall script should start by denying access to everything and flushing any ipfw rules left in place from the last time it ran. The following script does this:

   #
   # setup IP packet Accounting and Forwarding
   #
   # Forwarding
   #
   # By default DENY all services
   ipfwadm -F -p deny
   # Flush all commands
   ipfwadm -F -f
   ipfwadm -I -f
   ipfwadm -O -f

Now we have the ultimate firewall. Nothing can get through. No doubt you have some services that you need to forward (enable), so here are some examples that you should find useful.
   · # Forward email to your server
     ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25

   · # Forward email connections to outside email servers
     ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535

   · # Forward Web connections to your Web server
     /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80

   · # Forward Web connections to outside Web servers
     /sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.* 80 -D 0.0.0.0/0 1024:65535

   · # Forward DNS traffic
     /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24

You may also be interested in accounting for (counting) the traffic that passes through the firewall. This script will count every packet. You could add a line or two to count only the packets going to a single system.

   # Flush the current accounting rules
   ipfwadm -A -f
   # Accounting
   /sbin/ipfwadm -A -f
   /sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
   /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
   /sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
   /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24

If all you wanted was a filtering firewall, you can stop here. Enjoy :-)

7. Installing the TIS Proxy Server

7.1. Getting the software

The TIS FWTK is available at ftp://ftp.tis.com/. Don't make the mistake I made. When you download files from TIS, READ THE READMEs. The TIS FWTK is locked in a hidden directory on their server. TIS asks you to send an e-mail to fwtk-request@tis.com with only the word SEND in the body of the message in order to learn the name of this hidden directory. No subject is needed in the message. Their system will then mail you the name of the hidden directory (good for 12 hours) so that you can download the source.

As of this writing, TIS is releasing version 2.0 (beta) of the FWTK.
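To see how the default-deny policy and the first-match accept rules of this chapter behave together, here is an added Python model. It is not ipfwadm and not part of the original HOWTO: it replays the subset of "ipfwadm -F" syntax used above (-p policy, -f flush, and -a accept with -b, -P, -S net [ports] and -D net [ports], including the "196.1.2.*" glob form) and then evaluates constructed packets against the resulting chain. The 196.1.2.x server addresses follow the examples above; the outside addresses 10.0.0.x are constructed.

```python
"""Added example (not ipfwadm itself): a model of the ipfwadm -F forwarding chain."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")

def parse_net(spec: str) -> ipaddress.IPv4Network:
    """CIDR ('196.1.2.0/24'), a bare host ('196.1.2.10') or the HOWTO's '196.1.2.*' glob."""
    if "*" in spec:
        octets = spec.split(".")
        base = ".".join("0" if o == "*" else o for o in octets)
        spec = f"{base}/{32 - 8 * octets.count('*')}"
    return ipaddress.IPv4Network(spec, strict=False)

@dataclass
class Endpoint:
    net: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]] = None   # None means any port

    def matches(self, addr: str, port: int) -> bool:
        if ipaddress.IPv4Address(addr) not in self.net:
            return False
        return self.ports is None or self.ports[0] <= port <= self.ports[1]

@dataclass
class Rule:
    action: str
    proto: str           # 'tcp', 'udp' or 'all'
    src: Endpoint
    dst: Endpoint
    bidirectional: bool  # -b: the rule also covers the reply direction

    def matches(self, proto, saddr, sport, daddr, dport) -> bool:
        if self.proto not in ("all", proto):
            return False
        if self.src.matches(saddr, sport) and self.dst.matches(daddr, dport):
            return True
        return self.bidirectional and self.src.matches(daddr, dport) and self.dst.matches(saddr, sport)

def parse_rule(toks: List[str]) -> Rule:
    """Tokens after 'ipfwadm -F -a': action, then -b / -P proto / -S net [ports] / -D net [ports]."""
    action, proto, bidir = toks[0], "all", False
    src, dst = Endpoint(ANY_NET), Endpoint(ANY_NET)
    i = 1
    while i < len(toks):
        opt = toks[i]
        if opt == "-b":
            bidir, i = True, i + 1
        elif opt == "-P":
            proto, i = toks[i + 1], i + 2
        elif opt in ("-S", "-D"):
            ep, i = Endpoint(parse_net(toks[i + 1])), i + 2
            if i < len(toks) and not toks[i].startswith("-"):   # optional port or lo:hi range
                lo, _, hi = toks[i].partition(":")
                ep.ports, i = (int(lo), int(hi or lo)), i + 1
            if opt == "-S":
                src = ep
            else:
                dst = ep
        else:
            raise ValueError(f"unsupported option {opt}")
    return Rule(action, proto, src, dst, bidir)

def build_chain(script: str):
    """Replay 'ipfwadm -F' lines in order: -p sets the policy, -f flushes, -a appends a rule."""
    policy, rules = "accept", []   # the kernel forwards everything until told otherwise
    for line in script.splitlines():
        toks = shlex.split(line.split("#", 1)[0])
        if not toks:
            continue
        if toks[0].endswith("ipfwadm"):
            toks = toks[1:]
        if toks[0] != "-F" or toks[1] not in ("-p", "-f", "-a"):
            raise ValueError(f"not modelled here: {line.strip()}")
        if toks[1] == "-p":
            policy = toks[2]
        elif toks[1] == "-f":
            rules = []
        else:
            rules.append(parse_rule(toks[2:]))
    return policy, rules

def decide(chain, proto, saddr, sport, daddr, dport) -> str:
    """The first matching rule decides; with no match the chain policy applies."""
    policy, rules = chain
    for rule in rules:
        if rule.matches(proto, saddr, sport, daddr, dport):
            return rule.action
    return policy

# Constructed rule set in the shape of this chapter's script: 196.1.2.x are the
# example servers used above, anything else is an outside address.
EXAMPLE_SCRIPT = """
ipfwadm -F -p deny       # By default DENY all services
ipfwadm -F -f            # Flush all commands
ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25    # mail server
/sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80  # web server
/sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24       # DNS answers
"""
```

Calling decide(build_chain(EXAMPLE_SCRIPT), "tcp", "10.0.0.5", 40000, "196.1.2.10", 25) answers "accept", and the reply packet in the other direction is accepted by the same rule because of -b. A telnet attempt to port 23 of the mail server falls through to the "deny" policy, and so does a web request whose source port is 80 rather than one in 1024:65535, which shows why the port ranges on both ends of each rule matter.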
This version seems to compile well (with a few exceptions) and everything works. This is the version I will cover here. When they release the final code I will update the HOWTO.

To install the FWTK, create the directory fwtk-2.0 in /usr/src. Move your copy of the FWTK (fwtk-2.0.tar.gz) from your directory into this directory (/usr/src/fwtk-2.0) and unpack it (tar zxf fwtk-2.0.tar.gz).

The FWTK does not proxy (support) SSL web documents, but there is an add-on for it written by Jean-Christophe Touvet. It is available at ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z. Touvet does not support this code.

I use a modified version that includes access to Netscape secure news servers, written by Eric Wedel. It is available at ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z.

In our example I will use Eric Wedel's version. To install it, simply create the ssl-gw directory in /usr/src/fwtk-2.0 and put the files in there.

When I installed this gateway it required a few changes before it would compile with the rest of the toolkit.

The first change was in the ssl-gw.c file. I found that it did not include a needed include file.

   #if defined(__linux)
   #include
   #endif

Second, it does not come with a Makefile. I copied one from the other gateway directories and replaced the gateway name with ssl-gw.

7.2. Compiling the TIS FWTK

Version 2.0 of the FWTK compiles much more easily than any previous version. I still found a few things that needed to be changed before the BETA version would compile cleanly. I hope these changes will be made in the final release.

To fix them, start by changing to the /usr/src/fwtk/fwtk directory and copy Makefile.config.linux over Makefile.config.

DO NOT RUN FIXMAKE. The instructions say to run it.
If you do, it will break the Makefiles in every directory. I have no fix for fixmake. The problem is the sed script: it adds a '.' and '' to every line that includes the Makefiles.

   sed 's/^include[ ]*\([^ ].*\)/include \1/' $name.proto > $name

Next we need to edit the Makefile.config file. There are two changes you need to make.

The author set the source directory to his own home directory. We will compile our code in /usr/src, so we must change the FWTKSRCDIR variable to reflect that.

   FWTKSRCDIR=/usr/src/fwtk/fwtk

Second, some Linux systems use the gdbm database. Makefile.config uses dbm. You will need to change this. For RH 3.0.3 I had:

   DBMLIB=-lgdbm

The last fix is in x-gw. The bug in the BETA version is in the socket.c code. To fix it, delete the following lines of code:

   #ifdef SCM_RIGHTS /* 4.3BSD Reno and later */
       + sizeof(un_name->sun_len) + 1
   #endif

If you have added ssl-gw to your FWTK source directory, you will need to add it to the list of directories in the Makefile.

   DIRS= smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw

Now run make.

7.3. Installing the TIS FWTK

Run make install. The default installation directory is /usr/local/etc. You could change this (I did not) to a more secure directory. I chose to restrict access to this directory with chmod 700. All that is left now is the final configuration of the firewall.

7.4. Configuring the TIS FWTK

Now the real fun starts. We have to teach :-) the system to call these new services and build the tables to control them.

I am not going to try to rewrite the TIS FWTK manual here. I will show you the settings I found that work, and explain the problems I ran into and how I got around them.
There are three files that configure these controls:

· /etc/services - tells the system which service ports are open
· /etc/inetd.conf - tells inetd which program to call when someone knocks on a service port
· /usr/local/etc/netperm-table - tells the FWTK services whom to allow and whom to deny their services

To get the FWTK working, you should edit these files from the last one upward. Editing the services file without inetd.conf or netperm-table set up correctly could make your system inaccessible.

7.4.1. The netperm-table file

This file controls who can have access to the services of the TIS FWTK. You should think about the traffic using the firewall from both sides. People outside your network should identify themselves before gaining access, but people inside your network may be allowed to simply pass through.

So that people can identify themselves, the firewall uses a program called authsrv to keep a database of user IDs and passwords. The authentication section of the netperm-table controls where the database is kept and who can access it.

I had some trouble closing off access to this service. Note that the permit-hosts line I show uses a '*' to give everyone access.
The correct setting for this line is 'authsrv: permit-hosts localhost' if you can get that working.

   #
   # Proxy configuration table
   #
   # Authentication server and client rules
   authsrv:      database /usr/local/etc/fw-authdb
   authsrv:      permit-hosts *
   authsrv:      badsleep 1200
   authsrv:      nobogus true
   # Client Applications using the Authentication server
   *:            authserver 127.0.0.1 114

To initialize the database, become root and run ./authsrv in the /var/local/etc directory to create the administrative user record. Here is a simple example. Read the FWTK documentation to learn how to add users and groups.

   #
   # authsrv
   authsrv# list
   authsrv# adduser admin "Auth DB admin"
   ok - user added initially disabled
   authsrv# ena admin
   enabled
   authsrv# proto admin pass
   changed
   authsrv# pass admin "plugh"
   Password changed.
   authsrv# superwiz admin
   set wizard
   authsrv# list
   Report for users in database
   user   group  longname            ok?    proto   last
   ------ ------ ------------------  -----  ------  -----
   admin         Auth DB admin       ena    passw   never
   authsrv# display admin
   Report for user admin (Auth DB admin)
   Authentication protocol: password
   Flags: WIZARD
   authsrv# ^D
   EOT
   #

The telnet gateway (tn-gw) control is straightforward and the first one you should set up. In my example, I permit hosts inside the private network to pass through without authenticating themselves (permit-hosts 196.1.2.* -passok). But every other user must enter a user ID and password to use the proxy (permit-hosts * -auth).

I also allow one other system (196.1.2.202) to have direct access to the firewall without actually passing through the firewall. The two netacl-in.telnetd lines do that. I will explain how these lines are called later.

The telnet timeout should be kept short.
     # telnet gateway rules:
     tn-gw:            denial-msg   /usr/local/etc/tn-deny.txt
     tn-gw:            welcome-msg  /usr/local/etc/tn-welcome.txt
     tn-gw:            help-msg     /usr/local/etc/tn-help.txt
     tn-gw:            timeout 90
     tn-gw:            permit-hosts 196.1.2.* -passok -xok
     tn-gw:            permit-hosts * -auth
     # Only the Administrator can telnet directly to the Firewall via Port 24
     netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd

The r-commands work the same way as telnet.

     # rlogin gateway rules:
     rlogin-gw:        denial-msg   /usr/local/etc/rlogin-deny.txt
     rlogin-gw:        welcome-msg  /usr/local/etc/rlogin-welcome.txt
     rlogin-gw:        help-msg     /usr/local/etc/rlogin-help.txt
     rlogin-gw:        timeout 90
     rlogin-gw:        permit-hosts 196.1.2.* -passok -xok
     rlogin-gw:        permit-hosts * -auth -xok
     # Only the Administrator can rlogin directly to the Firewall
     netacl-rlogind:   permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a

You should not let anyone access the firewall directly, and that includes FTP, so do not put an FTP server on your firewall. Again, the permit-hosts lines give anyone inside the protected network free access to the Internet, and everyone else must authenticate. I included logging of every file sent and received for my own auditing (-log { retr stor }). The ftp timeout controls how long it takes to drop a bad connection, as well as how long a connection stays open without activity.

     # ftp gateway rules:
     ftp-gw:           denial-msg   /usr/local/etc/ftp-deny.txt
     ftp-gw:           welcome-msg  /usr/local/etc/ftp-welcome.txt
     ftp-gw:           help-msg     /usr/local/etc/ftp-help.txt
     ftp-gw:           timeout 300
     ftp-gw:           permit-hosts 196.1.2.* -log { retr stor }
     ftp-gw:           permit-hosts * -authall -log { retr stor }

Web, gopher and browser-based ftp are handled by the http-gw. The first two lines create a directory to store ftp and web documents as they pass through the firewall.
I make these files owned by root and put them in a directory accessible only by root. The Web timeout should be kept short; it controls how long the user waits on a bad connection.

     # www and gopher gateway rules:
     http-gw:          userid       root
     http-gw:          directory    /jail
     http-gw:          timeout      90
     http-gw:          default-httpd www.afs.net
     http-gw:          hosts        196.1.2.* -log { read write ftp }
     http-gw:          deny-hosts   *

The ssl-gw is really just a pass-anything gateway; whatever is carried on those ports is relayed unexamined. Be careful with it. In this example I allow anyone inside the protected network to connect to any server outside the network except the addresses 127.0.0.* and 192.1.1.*, and then only on ports 443 through 563. Ports 443 through 563 are the known SSL ports.

     # ssl gateway rules:
     ssl-gw:           timeout 300
     ssl-gw:           hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
     ssl-gw:           deny-hosts *

Here is an example of how to use the plug-gw to allow connections to a news server. In this example I allow anyone inside the protected network to connect to one system only, and only to its news port. The second line allows the news server to pass its data back to the protected network. Because most clients expect to stay connected while the user reads news, the timeout for a news server should be long.

     # NetNews Pluged gateway
     plug-gw:          timeout 3600
     plug-gw:          port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
     plug-gw:          port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp

The finger gateway is simple. Anyone inside the protected network is allowed to run the finger program on the firewall; everyone else just gets a message.
     # Enable finger service
     netacl-fingerd:   permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
     netacl-fingerd:   permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

I have not set up the Mail and X Window services, so I am not including examples. If anyone has a working example, please send me email.

7.4.2. The inetd.conf file

Here is a complete /etc/inetd.conf file. All unneeded services have been commented out. I have included the complete file to show what to turn off, as well as how to set up the new firewall services. Note that the finger line below still calls in.fingerd through tcpd; for the netacl-fingerd rules above to take effect, that line must invoke /usr/local/etc/netacl fingerd, the way the telnet-a line invokes netacl in.telnetd.

     #echo    stream  tcp     nowait  root    internal
     #echo    dgram   udp     wait    root    internal
     #discard stream  tcp     nowait  root    internal
     #discard dgram   udp     wait    root    internal
     #daytime stream  tcp     nowait  root    internal
     #daytime dgram   udp     wait    root    internal
     #chargen stream  tcp     nowait  root    internal
     #chargen dgram   udp     wait    root    internal
     # FTP firewall gateway
     ftp-gw   stream  tcp     nowait.400  root  /usr/local/etc/ftp-gw ftp-gw
     # Telnet firewall gateway
     telnet   stream  tcp     nowait  root    /usr/local/etc/tn-gw /usr/local/etc/tn-gw
     # local telnet services
     telnet-a stream  tcp     nowait  root    /usr/local/etc/netacl in.telnetd
     # Gopher firewall gateway
     gopher   stream  tcp     nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
     # WWW firewall gateway
     http     stream  tcp     nowait.400  root  /usr/local/etc/http-gw /usr/local/etc/http-gw
     # SSL firewall gateway
     ssl-gw   stream  tcp     nowait  root    /usr/local/etc/ssl-gw ssl-gw
     # NetNews firewall proxy (using plug-gw)
     nntp     stream  tcp     nowait  root    /usr/local/etc/plug-gw plug-gw nntp
     #nntp    stream  tcp     nowait  root    /usr/sbin/tcpd in.nntpd
     # SMTP (email) firewall gateway
     #smtp    stream  tcp     nowait  root    /usr/local/etc/smap smap
     #
     # Shell, login, exec and talk are BSD protocols.
     #
     #shell   stream  tcp     nowait  root    /usr/sbin/tcpd in.rshd
     #login   stream  tcp     nowait  root    /usr/sbin/tcpd in.rlogind
     #exec    stream  tcp     nowait  root    /usr/sbin/tcpd in.rexecd
     #talk    dgram   udp     wait    root    /usr/sbin/tcpd in.talkd
     #ntalk   dgram   udp     wait    root    /usr/sbin/tcpd in.ntalkd
     #dtalk   stream  tcp     wait    nobody  /usr/sbin/tcpd in.dtalkd
     #
     # Pop and imap mail services et al
     #
     #pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
     #pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
     #imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
     #
     # The Internet UUCP service.
     #
     #uucp    stream  tcp     nowait  uucp    /usr/sbin/tcpd /usr/lib/uucp/uucico -l
     #
     # Tftp service is provided primarily for booting.  Most sites
     # run this only on machines acting as "boot servers." Do not uncomment
     # this unless you *need* it.
     #
     #tftp    dgram   udp     wait    root    /usr/sbin/tcpd in.tftpd
     #bootps  dgram   udp     wait    root    /usr/sbin/tcpd bootpd
     #
     # Finger, systat and netstat give out user information which may be
     # valuable to potential "system crackers."  Many sites choose to disable
     # some or all of these services to improve security.
     #
     # cfinger is for GNU finger, which is currently not in use in RHS Linux
     #
     finger   stream  tcp     nowait  root    /usr/sbin/tcpd in.fingerd
     #cfinger stream  tcp     nowait  root    /usr/sbin/tcpd in.cfingerd
     #systat  stream  tcp     nowait  guest   /usr/sbin/tcpd /bin/ps -auwwx
     #netstat stream  tcp     nowait  guest   /usr/sbin/tcpd /bin/netstat -f inet
     #
     # Time service is used for clock syncronization.
     #
     #time    stream  tcp     nowait  root    /usr/sbin/tcpd in.timed
     #time    dgram   udp     wait    root    /usr/sbin/tcpd in.timed
     #
     # Authentication
     #
     auth     stream  tcp     wait    root    /usr/sbin/tcpd in.identd -w -t120
     authsrv  stream  tcp     nowait  root    /usr/local/etc/authsrv authsrv
     #
     # End of inetd.conf

7.4.3. The /etc/services file

This is where it all starts. When a client connects to the firewall it connects on a known port (below 1024); for example, telnet connects on port 23.
inetd takes the service name on each line of /etc/inetd.conf, looks up its port number in /etc/services, listens on that port, and when a connection arrives runs the program named on that inetd.conf line. Some of the services we are creating are not normally in /etc/services. You can assign some of them to whatever port you want. For example, I have assigned the administrator's telnet port (telnet-a) to port 24. You could assign it to port 2323 if you wished. For the administrator (YOU) to connect directly to the firewall you will need to telnet to port 24, not 23, and if you set up your netperm-table as I did, you will only be able to do this from one system inside your protected network.

     telnet-a        24/tcp
     ftp-gw          21/tcp                  # this name changed
     auth            113/tcp         ident   # User Verification
     ssl-gw          443/tcp

8. The SOCKS Proxy Server

8.1. Setting up the Proxy Server

The SOCKS proxy server is available from ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-src.tgz. There is also an example configuration file in that directory called "socks-conf". Uncompress and untar the files into a directory on your system, and follow the instructions on how to build it. I had a couple of problems when I built it. Make sure your Makefiles are correct. One important thing to note is that the proxy server needs to be added to /etc/inetd.conf. You must add the line:

     socks   stream  tcp     nowait  nobody  /usr/local/etc/sockd sockd

to tell the server to run when requested.

8.2. Configuring the Proxy Server

The SOCKS program needs two separate configuration files: one to define the allowed access, and one to route the requests to the appropriate proxy server. The access file should be housed on the server.
The routing file should be housed on every Un*x machine. DOS and, presumably, Macintosh computers will do their own routing.

8.2.1. The Access File

With socks4.2 Beta, the access file is called "sockd.conf". It should contain 2 lines, a permit and a deny line. Each line has three fields:

 · the identifier (permit/deny)
 · the IP address
 · the address modifier

The identifier is either permit or deny. You should have both a permit and a deny line. The IP address holds a four-byte address in the usual IP dotted notation, e.g. 192.168.2.0. The address modifier is also a four-byte number in IP notation. It works like a netmask: think of it as 32 bits (1s or 0s). Where a bit is 1, the corresponding bit of the address being checked must equal the corresponding bit of the IP address field. For example, if the line is:

     permit 192.168.2.23 255.255.255.255

it permits only the IP address that matches every bit of 192.168.2.23, i.e. only 192.168.2.23. The line:

     permit 192.168.2.0 255.255.255.0

permits every address in the range 192.168.2.0 through 192.168.2.255, the whole class C block. You should not have the line:

     permit 192.168.2.0 0.0.0.0

because it permits every address, regardless. So, first permit all the addresses you want to allow, and then deny everything else. To let everyone in the 192.168.2.xxx range through, the lines:

     permit 192.168.2.0 255.255.255.0
     deny   0.0.0.0     0.0.0.0

will work nicely. Notice the first "0.0.0.0" in the deny line: with a modifier of 0.0.0.0, the IP address field does not matter. All zeros is the convention because it is easy to type. More than one entry of each kind is allowed. Specific users can also be granted or denied access.
This is done through ident-based user verification. Not all systems support ident, Trumpet Winsock among them, so I will not go into it here. The documentation that comes with socks is quite adequate on this subject.

8.2.2. The Routing File

The routing file in SOCKS is poorly named "socks.conf". I say "poorly named" because it is so close to the name of the access file that it is easy to confuse the two. The routing file is there to tell the SOCKS clients when to use socks and when not to. For instance, on our network, 192.168.2.3 does not need socks to talk to 192.168.2.1, the firewall; it has a direct connection over Ethernet. It defines 127.0.0.1, the loopback, automatically; of course you do not need SOCKS to talk to yourself. There are three kinds of entry:

 · deny
 · direct
 · sockd

Deny tells SOCKS when to reject a request. This entry has the same three fields as sockd.conf: identifier, address and modifier. Generally, since this is also handled by sockd.conf, the access file, the modifier field is set to 0.0.0.0. If you want to preclude yourself from calling anywhere, you can do it here. The direct entry tells which addresses not to use socks for. These are all the addresses that can be reached without the proxy server. Again there are three fields: identifier, address and modifier. Our example would have

     direct 192.168.2.0 255.255.255.0

so that anything on our protected network is reached directly. The sockd entry tells the computer which host has the socks server daemon on it. The syntax is:

     sockd @=<server list> <IP address> <modifier>

Note the @= entry. It lets you give the IP addresses of a list of proxy servers.
In our example we use only one proxy server, but you can have several to carry a greater load and for redundancy in case of failure. The IP address and modifier fields work just like in the other examples; through them you specify which addresses go where.

8.2.3. DNS from behind a firewall

Setting up Domain Name Service from behind a firewall is an admittedly simple task. You need merely set up the DNS on the firewall machine. Then set each machine behind the firewall to use this DNS.

8.3. Working with a Proxy Server

8.3.1. Unix

To have your applications work with the proxy server, they need to be "sockified". You will need two different telnets, one for direct communication and one for communication via the proxy server. SOCKS comes with instructions on how to SOCKify a program, as well as a couple of pre-SOCKified programs. If you use the SOCKified version to go somewhere directly, SOCKS automatically switches to the direct version for you. Because of this, we want to rename all the programs on our private network and replace them with the SOCKified programs: "finger" becomes "finger.orig", "telnet" becomes "telnet.orig", and so on. You must tell SOCKS about each of these via the include/socks.h file. Certain programs handle routing and sockify themselves. Netscape is one of these. You can use a proxy server under Netscape by entering the server's address (192.168.2.1 in our case) in the SOCKS field under Proxies.
Each application will need at least a little work, regardless of how it handles a proxy server.

8.3.2. MS Windows with Trumpet Winsock

Trumpet Winsock comes with built-in proxy server capabilities. In the "setup" menu, enter the IP address of the server and the addresses of all the computers that are reachable directly. Trumpet will then handle all outgoing packets.

8.3.3. Getting the Proxy Server to work with UDP Packets

The SOCKS package works only with TCP packets, not UDP. This makes it quite a bit less useful. Many useful programs, such as talk and Archie, use UDP. There is a package designed to be used as a proxy server for UDP packets, called UDPrelay, by Tom Fitzgerald. Unfortunately, at the time this HOWTO is being written, it is not compatible with Linux.

8.4. Drawbacks with Proxy Servers

The proxy server is, above all, a security device. Using it to increase Internet access with limited IP addresses will have many drawbacks. A proxy server allows greater access from inside the protected network to the outside, but keeps the inside completely inaccessible from the outside. This means no servers, no talk or archie connections, and no direct mail to the inside computers. These drawbacks might seem slight, but think of it this way:

 · You have left a report you are working on on your computer inside a firewall-protected network. You are at home, and decide you would like to go over it. You cannot. You cannot reach your computer because it is behind the firewall. You try to log into the firewall first, but since everyone has proxy server access, no one has set up an account on it for you.
 · Your daughter goes to college. You want to email her. You have some private things to discuss, and would rather have your mail sent directly to your machine. You trust your system administrator completely, but still, this is private mail.
 · The inability to use UDP packets is a big drawback of proxy servers. I imagine UDP capabilities will be coming shortly.

FTP causes another problem with a proxy server. When getting a file or doing an ls, the FTP server opens a socket to the client machine and sends the information through it. A proxy server will not allow this, so FTP in particular does not work. (This is FTP's active data-connection mode; a client that uses passive mode opens the data connection itself, which a proxy can relay.) And proxy servers are slow. Because of the greater overhead, almost any other means of getting this access will be faster. Basically, if you have the IP addresses and you are not worried about security, do not use a firewall and/or proxy servers. If you do not have the IP addresses, but are also not worried about security, you might also want to look into an IP emulator such as Term, Slirp or TIA. Term is available from ftp://sunsite.unc.edu, Slirp from ftp://blitzen.canberra.edu.au/pub/slirp, and TIA from marketplace.com. These packages run faster, allow better connections, and provide a greater level of access to the inside network from the Internet. Proxy servers are good for those networks that have a lot of hosts wanting to connect to the Internet on the fly, with one setup and little work after that.

9. Advanced Configurations

There is one configuration I would like to go over before wrapping up this document. The one I have just outlined will probably suffice for most people.
However, I think the next outline shows a more advanced configuration and clears up some questions. If you have questions beyond what I have just covered, or are simply interested in the versatility of proxy servers and firewalls, read on.

9.1. A large network with emphasis on security

Say, for instance, you are the leader of a militia and you wish to network your site. You have 50 computers and a subnet of 32 IP numbers (5 bits). You need different levels of access within your network because you tell your followers different things. Therefore, you will need to protect certain parts of the network from the rest. The levels are:

 1. The external level. This is the level that gets shown to everybody. This is where you rant and rave to recruit new volunteers.
 2. Troop. This is the level of people who have gotten past the external level. Here is where you teach them about the evil government and how to make bombs.
 3. Mercenary. Here is where the real plans are kept. In this level is stored all the information on how the third-world government is going to take over the world, your plans involving Newt Gingrich, Oklahoma City, low-interest products, and what is really stored in those hangars at Area 51.

9.1.1. The Network Setup

The IP numbers are allocated as follows:

 · 1 number is 192.168.2.255, which is the broadcast address and is not usable.
 · 23 of the 32 IP addresses are allocated to the 23 machines that will be accessible from the Internet.
 · 1 extra IP goes to a Linux box on that network.
 · 1 extra goes to a different Linux box on that network.
 · 2 IP numbers go to the router.
 · 4 are left over, but are given the local names paul, ringo, john and george, just to confuse things a bit.
 · The protected networks both have addresses 192.168.2.xxx.

Then two separate networks are built, each in a different room. They are routed over infrared Ethernet, so they are completely invisible to the outer rooms. Luckily, infrared Ethernet works just like normal Ethernet. Each of these networks is connected to one of the Linux boxes that has an extra IP address. There is a file server connecting the two protected networks. This is because the plans for taking over the world involve some of the higher-ranking troops. The file server holds the address 192.168.2.17 on the Troop network and 192.168.2.23 on the Mercenary network. It has different IP addresses because it has different Ethernet cards. IP forwarding on it is turned off. IP forwarding on both Linux boxes is also turned off. The router will not forward packets destined for 192.168.2.xxx unless explicitly told to do so, so the Internet will not be able to get in. The reason for turning off IP forwarding here is so that packets from the Troop network cannot reach the Mercenary network, and vice versa. The NFS server can also be set up to offer different files to the different networks. This is done by hand, and a little trickery with symbolic links can make it so that the common files are shared with all. Using this setup and one more Ethernet card, this one file server can serve all three networks.

9.1.2. The Proxy Setup

Now, since all three levels want to be able to consult the network for their own devious purposes, all three need Internet access. The external level is reachable from the Internet directly, so we do not need proxy servers for it.
The Mercenary and Troop networks are behind firewalls, so it is necessary to set up proxy servers there. Both networks will be set up very similarly. They both have the same IP addresses assigned to them. I will throw in a couple of parameters, just to make things more interesting.

 1. No one can use the file server for Internet access. That would expose the file server to viruses and other nasty things, and it is rather important, so it is off limits.
 2. We will not allow the troops access to the World Wide Web. They are in training, and this kind of information-retrieval power might prove damaging.

So, the sockd.conf file on the Troop Linux box will have this line:

     deny 192.168.2.17 255.255.255.255

and on the Mercenary machine:

     deny 192.168.2.23 255.255.255.255

And the Troop Linux box will have this line:

     deny 0.0.0.0 0.0.0.0 eq 80

This says to deny access to all machines trying to reach a port equal (eq) to 80, the http port. It still allows all other services; it just denies Web access. Note that it matches only the port number: a Web server listening on some port other than 80 is not blocked by it. Then both files will have:

     permit 192.168.2.0 255.255.255.0

to allow all the computers on the 192.168.2.xxx network to use this proxy server except those that have already been denied (i.e. the file server, and Web access from the Troop network). Because the first matching line decides, the deny lines must come before the permit line. The Troop sockd.conf file will look like:

     deny   192.168.2.17 255.255.255.255
     deny   0.0.0.0      0.0.0.0 eq 80
     permit 192.168.2.0  255.255.255.0

and the Mercenary file like:

     deny   192.168.2.23 255.255.255.255
     permit 192.168.2.0  255.255.255.0

This should have everything configured correctly. Each network is isolated accordingly, with the proper amount of interaction. Everyone should be happy. Now, take over the world!
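The access-file semantics described in 8.2.1 (the modifier acting as a netmask, permit lines before a final deny) and the two sockd.conf files just shown for the Troop and Mercenary proxies can be checked with a small model. The following Python is an added example, not part of the HOWTO or of the SOCKS distribution: it parses lines of the form shown, evaluates a client address and destination port against them, and audits a file for the mistakes the text warns about (a permit with modifier 0.0.0.0, a missing deny line). The first-match and default-deny behaviour, and the limited grammar it accepts (only the `eq` operator on the destination port), are assumptions of the model rather than a transcription of the sockd parser; the rule sets embedded in it are copied from the text above.

```python
"""
Model of the SOCKS 4.2 sockd.conf access rules described in 8.2.1 and 9.1.2:

    permit|deny <address> <modifier> [eq <port>]

A client matches a line when (client AND modifier) == (address AND modifier),
i.e. the modifier acts as a netmask, and, when "eq <port>" is present, only
when the requested destination port is that port.  Assumptions not stated by
the HOWTO: lines are tested top to bottom, the first matching line decides,
and a request that matches no line is denied.  Simplified model, not sockd.
"""
from ipaddress import IPv4Address


def parse_rules(text):
    """Parse sockd.conf text into (action, address, modifier, port) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("permit", "deny") or len(parts) not in (3, 5):
            raise ValueError(f"unrecognised sockd.conf line: {raw!r}")
        action = parts[0]
        address = int(IPv4Address(parts[1]))
        modifier = int(IPv4Address(parts[2]))
        port = None
        if len(parts) == 5:
            if parts[3] != "eq":
                raise ValueError(f"only the 'eq' operator is modelled: {raw!r}")
            port = int(parts[4])
        rules.append((action, address, modifier, port))
    return rules


def line_matches(rule, client_ip, dst_port):
    """True when the client falls inside the masked address and the port fits."""
    action, address, modifier, port = rule
    if (int(IPv4Address(client_ip)) & modifier) != (address & modifier):
        return False
    return port is None or port == dst_port


def decide(rules, client_ip, dst_port):
    """Return 'permit' or 'deny' for client_ip asking for dst_port."""
    for rule in rules:
        if line_matches(rule, client_ip, dst_port):
            return rule[0]
    return "deny"  # assumption: no matching line means the request is refused


def audit(rules):
    """Flag the mistakes the HOWTO warns about and lines that can never fire."""
    findings = []
    if not any(r[0] == "deny" for r in rules):
        findings.append("no deny line: end the file with 'deny 0.0.0.0 0.0.0.0'")
    for n, (action, address, modifier, port) in enumerate(rules, 1):
        if action == "permit" and modifier == 0 and port is None:
            findings.append(f"line {n}: permit with modifier 0.0.0.0 admits every address")
        if address & modifier != address:
            findings.append(f"line {n}: address has host bits the modifier ignores")
        if modifier == 0 and port is None and n < len(rules):
            findings.append(f"line {n}: catch-all line; the lines after it never match")
            break
    return findings


# Rule sets copied from the HOWTO text (8.2.1 and 9.1.2).
BASIC = """
permit 192.168.2.0 255.255.255.0
deny   0.0.0.0     0.0.0.0
"""

TROOP = """
deny   192.168.2.17 255.255.255.255    # the file server may not use the proxy
deny   0.0.0.0      0.0.0.0 eq 80      # no Web access for the troops
permit 192.168.2.0  255.255.255.0
"""

MERCENARY = """
deny   192.168.2.23 255.255.255.255    # the file server may not use the proxy
permit 192.168.2.0  255.255.255.0
"""

if __name__ == "__main__":
    for name, conf in (("troop", TROOP), ("mercenary", MERCENARY)):
        rules = parse_rules(conf)
        for client, port in (("192.168.2.40", 80), ("192.168.2.40", 23), ("192.168.2.17", 23)):
            print(f"{name:9} {client}:{port} -> {decide(rules, client, port)}")
        for finding in audit(rules):
            print(f"{name:9} WARNING {finding}")
    # The line the text says you must not have:
    print(audit(parse_rules("permit 192.168.2.0 0.0.0.0")))
```

Run it as a script to see each proxy's decisions; swapping the order of the Troop lines (permit first) makes `decide` return "permit" for port 80, which is the ordering mistake the first-match assumption exposes.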
Translator's Note

For any mistakes in the translation I ask your forgiveness, since, although I did my best, in some places I was unable to translate accurately. In some places there are English words that were impossible to translate even with the help of dictionaries. I hope you will show understanding, as also for the spelling errors :-> Please, anyone who has spotted errors or inaccuracies, note them down and send them either to the maintainer of the Greek HOWTOs, Boula Sanida voulariba@hellug.gr, or to me personally. For any additional information about firewalls that might help in setting them up, contact the maintainer.

Panagiotis Tsakiris mazestix@ath.forthnet.gr
26 June 1999