[Lugge] Re: R: Re: R: Log di Linux

  • From: Roberto A.F. <robang@xxxxxxxxx>
  • To: lugge@xxxxxxxxxxxxx
  • Date: Wed, 22 Oct 2003 00:14:35 +0200

On Tue, 21 Oct 2003 23:10:13 +0200
suma <francesco.somaglia@xxxxxxxxxxxxx> wrote:

> Anyway, on behalf of all those who didn't understand a thing, I
> protest! Yuffa. :))

Jokes aside, I want to point you to a networking text that is also
available in book form.

From this link (in English), the explanation of some key terms, of
which I post the interesting portions:
  http://www.oreilly.com/catalog/linag2/book/ch09.html

As for NAT and MASQUERADING, instead, there is an entire chapter,
which I won't post:
  http://www.oreilly.com/catalog/linag2/book/ch11.html


 Spoofing
    This type of attack causes a host or application to mimic the
actions of another. Typically the attacker pretends to be an innocent
host by following IP addresses in network packets. For example, a
well-documented exploit of the BSD rlogin service can use this method to
mimic a TCP connection from another host by guessing TCP sequence
numbers.
    To protect against this type of attack, verify the authenticity of
datagrams and commands. Prevent datagram routing with invalid source
addresses. Introduce unpredictability into connection control
mechanisms, such as TCP sequence numbers and the allocation of dynamic
port addresses.

 What Is a Firewall?
    A firewall is a secure and trusted machine that sits between a
private network and a public network.[1] The firewall machine is
configured with a set of rules that determine which network traffic will
be allowed to pass and which will be blocked or refused. In some large
organizations, you may even find a firewall located inside their
corporate network to segregate sensitive areas of the organization from
other employees. Many cases of computer crime occur from within an
organization, not just from outside.

 What Is IP Filtering?
    IP filtering is simply a mechanism that decides which types of IP
datagrams will be processed normally and which will be discarded. By
discarded we mean that the datagram is deleted and completely ignored,
as if it had never been received. You can apply many different sorts of
criteria to determine which datagrams you wish to filter; some examples
of these are:

    * Protocol type: TCP, UDP, ICMP, etc.

    * Socket number (for TCP/UDP)

    * Datagram type: SYN/ACK, data, ICMP Echo Request, etc.

    * Datagram source address: where it came from

    * Datagram destination address: where it is going to

    It is important to understand at this point that IP filtering is a
network layer facility. This means it doesn't understand anything about
the application using the network connections, only about the
connections themselves. For example, you may deny users access to your
internal network on the default telnet port, but if you rely on IP
filtering alone, you can't stop them from using the telnet program with
a port that you do allow to pass through your firewall. You can prevent
this sort of problem by using proxy servers for each service that you
allow across your firewall. The proxy servers understand the application
they were designed to proxy and can therefore prevent abuses, such as
using the telnet program to get past a firewall by using the World Wide
Web port. If your firewall supports a World Wide Web proxy, their telnet
connection will always be answered by the proxy and will allow only HTTP
requests to pass. A large number of proxy-server programs exist. Some
are free software and many others are commercial products. The
Firewall-HOWTO discusses one popular set of these, but they are beyond
the scope of this book.

    The IP filtering ruleset is made up of many combinations of the
criteria listed previously. For example, let's imagine that you wanted
to allow World Wide Web users within the Virtual Brewery network to have
no access to the Internet except to use other sites' web servers. You
would configure your firewall to allow forwarding of:

    * datagrams with a source address on Virtual Brewery network, a
destination address of anywhere, and with a destination port of 80 (WWW)

    * datagrams with a destination address of Virtual Brewery network
and a source port of 80 (WWW) from a source address of anywhere

    Note that we've used two rules here. We have to allow our data to go
out, but also the corresponding reply data to come back in. In practice,
as we'll see shortly, Linux simplifies this and allows us to specify
this in one command.

 
TCP Extensions: used with -m tcp -p tcp

--sport [!] [port[:port]]

    Specifies the port that the datagram source must be using to match
this rule. Ports may be specified as a range by specifying the upper and
lower limits of the range using the colon as a delimiter. For example,
20:25 describes all of the ports numbered 20 up to and including 25.
Again, the ! character may be used to negate the values.

--dport [!] [port[:port]]

    Specifies the port that the datagram destination must be using to
match this rule. The argument is coded identically to the --sport
option.

--tcp-flags [!] mask comp

    Specifies that this rule should match when the TCP flags in the
datagram match those specified by mask and comp. mask is a
comma-separated list of flags that should be examined when making the
test. comp is a comma-separated list of flags that must be set for the
rule to match. Valid flags are: SYN, ACK, FIN, RST, URG, PSH, ALL or
NONE. This is an advanced option: refer to a good description of the TCP
protocol, such as RFC-793, for a description of the meaning and
implication of each of these flags. The ! character negates the rule.

[!] --syn

    Specifies the rule to match only datagrams with the SYN bit set and
the ACK and FIN bits cleared. Datagrams with these options are used to
open TCP connections, and this option can therefore be used to manage
connection requests. This option is shorthand for:

--tcp-flags SYN,RST,ACK SYN

    When you use the negation operator, the rule will match all
datagrams that do not have both the SYN and ACK bits set.

UDP Extensions: used with -m udp -p udp

--sport [!] [port[:port]]

    Specifies the port that the datagram source must be using to match
this rule. Ports may be specified as a range by specifying the upper and
lower limits of the range using the colon as a delimiter. For example,
20:25 describes all of the ports numbered 20 up to and including 25.
Again, the ! character may be used to negate the values.

--dport [!] [port[:port]]

    Specifies the port that the datagram destination must be using to
match this rule. The argument is coded identically to the --sport
option.

ICMP Extensions: used with -m icmp -p icmp

--icmp-type [!] typename

    Specifies the ICMP message type that this rule will match. The type
may be specified by number or name. Some valid names are: echo-request,
echo-reply, source-quench, time-exceeded, destination-unreachable,
network-unreachable, host-unreachable, protocol-unreachable, and
port-unreachable.

MAC Extensions: used with -m mac

--mac-source [!] address

    Specifies the host's Ethernet address that transmitted the datagram
that this rule will match. This only makes sense in a rule in the input
or forward chains because we will be transmitting any datagram that
passes the output chain.



 TOS Bit Manipulation

    The Type Of Service (TOS) bits are a set of four-bit flags in the IP
header. When any one of these bit flags is set, routers may handle the
datagram differently than datagrams with no TOS bits set. Each of the
four bits has a different purpose and only one of the TOS bits may be
set at any time, so combinations are not allowed. The bit flags are
called Type of Service bits because they enable the application
transmitting the data to tell the network the type of network service it
requires.



-- 
   ,__    ,_     ,___   .-------=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
   ||_)   ||\    ||_   /        Oh Capitano, Oh mio Capitano       |
   || \   ||¯\   ||¯     linuxgrp: http://www.lugge.net            |
   ¯¯  ¯° ¯¯  ¯° ¯¯  °   homepage: http://digilander.iol.it/robang |
\  Roberto A. Foglietta  reg num : #219348 by the Linux Counter    |
 `---------------------=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
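An added worked example, not part of the original post or of the book it quotes: a small Python model of the IP-filtering match criteria described above (protocol, source and destination address, --sport/--dport with ranges and "!" negation, and --tcp-flags with mask/comp semantics, where --syn is the shorthand --tcp-flags SYN,RST,ACK SYN). It runs the two-rule Virtual Brewery forwarding chain over constructed datagrams; the network range 172.16.1.0/24 and all addresses are assumptions chosen for the example. It also makes visible the limitation the text mentions: the filter sees only ports, so a telnet client aimed at port 80 is indistinguishable from a browser, and the "reply" rule admits any inbound datagram whose source port is 80.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Flag names accepted by --tcp-flags, as listed in the quoted text (ALL/NONE handled below).
TCP_FLAGS: FrozenSet[str] = frozenset({"SYN", "ACK", "FIN", "RST", "URG", "PSH"})
# What the --syn shorthand expands to, per the quoted text.
SYN_SHORTHAND: Tuple[str, str] = ("SYN,RST,ACK", "SYN")
# Constructed range standing in for the Virtual Brewery network (assumption, not from the book).
BREWERY_NET = "172.16.1.0/24"


@dataclass(frozen=True)
class Datagram:
    """Only the header fields a network-layer filter can see; no application data."""
    proto: str                              # "tcp", "udp" or "icmp"
    src: str                                # source IP address
    dst: str                                # destination IP address
    sport: int = 0                          # source port (TCP/UDP)
    dport: int = 0                          # destination port (TCP/UDP)
    flags: FrozenSet[str] = frozenset()     # TCP flags that are set


def parse_flags(spec: str) -> FrozenSet[str]:
    """Parse a comma-separated --tcp-flags list; ALL and NONE are special names."""
    spec = spec.upper()
    if spec == "ALL":
        return TCP_FLAGS
    if spec == "NONE":
        return frozenset()
    flags = frozenset(f for f in spec.split(",") if f)
    unknown = flags - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags


def port_matches(spec: Optional[str], port: int) -> bool:
    """--sport/--dport: 'N' or 'N:M' (inclusive range); a leading '!' negates."""
    if spec is None:                        # option absent: any port matches
        return True
    negate = spec.startswith("!")
    lo, _, hi = spec.lstrip("! ").partition(":")
    low, high = int(lo), int(hi or lo)
    return (low <= port <= high) != negate


def tcp_flags_match(flags: FrozenSet[str], mask: str, comp: str, negate: bool = False) -> bool:
    """--tcp-flags mask comp: among the flags named in mask, exactly those in comp are set."""
    hit = (flags & parse_flags(mask)) == parse_flags(comp)
    return hit != negate


@dataclass(frozen=True)
class Rule:
    target: str                                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None                   # -p
    src: Optional[str] = None                     # -s, CIDR notation
    dst: Optional[str] = None                     # -d, CIDR notation
    sport: Optional[str] = None                   # --sport spec
    dport: Optional[str] = None                   # --dport spec
    tcp_flags: Optional[Tuple[str, str]] = None   # --tcp-flags (mask, comp); --syn is SYN_SHORTHAND
    negate_flags: bool = False                    # the '!' in '! --tcp-flags' / '! --syn'

    def matches(self, d: Datagram) -> bool:
        if self.proto is not None and self.proto != d.proto:
            return False
        if self.src is not None and ipaddress.ip_address(d.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(d.dst) not in ipaddress.ip_network(self.dst):
            return False
        if not (port_matches(self.sport, d.sport) and port_matches(self.dport, d.dport)):
            return False
        if self.tcp_flags is not None:
            if d.proto != "tcp":
                return False
            mask, comp = self.tcp_flags
            if not tcp_flags_match(d.flags, mask, comp, negate=self.negate_flags):
                return False
        return True


def run_chain(rules: List[Rule], d: Datagram, policy: str = "DROP") -> str:
    """The first rule that matches decides the verdict; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(d):
            return rule.target
    return policy


def brewery_forward_chain() -> List[Rule]:
    """The two forwarding rules from the quoted text: web requests out, web replies back in."""
    return [
        Rule("ACCEPT", proto="tcp", src=BREWERY_NET, dport="80"),
        Rule("ACCEPT", proto="tcp", dst=BREWERY_NET, sport="80"),
    ]


if __name__ == "__main__":
    chain = brewery_forward_chain()
    # Constructed traffic: a browser request, the server's reply, and a telnet attempt to port 23.
    samples = {
        "web_out":    Datagram("tcp", "172.16.1.5", "203.0.113.10", 40000, 80, frozenset({"SYN"})),
        "web_back":   Datagram("tcp", "203.0.113.10", "172.16.1.5", 80, 40000, frozenset({"SYN", "ACK"})),
        "telnet_out": Datagram("tcp", "172.16.1.5", "203.0.113.10", 40001, 23, frozenset({"SYN"})),
    }
    for name, d in samples.items():
        print(f"{name:10s} -> {run_chain(chain, d)}")
```

The second rule is what stateless filtering forces on you: it cannot tell a genuine reply from any other datagram that carries source port 80, which is why the later chapters' connection-tracking (the "one command" the text alludes to) is the better way to let replies back in.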