Restricting TCP/IP for Unix users?
Petr Snajdr
snajdr at pvt.net
Thu Dec 19 15:48:27 CET 1996
Good day,
just the compile-time options that have at least something to do with this:

IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE) [N/y/?] ?
This gives you information about what your firewall did with
packets it received. The information is handled by the klogd demon
which is responsible for kernel messages ("man klogd").

IP: accounting (CONFIG_IP_ACCT) [Y/n/?] ?
This keeps track of your IP network traffic and produces some
statistics. Usually, you only want to say Y here if your box will be
a router or a firewall for some local network, in which case you
naturally should have said Y to IP forwarding/gatewaying resp. IP
firewalling. The data is accessible with "cat /proc/net/ip_acct", so
you want to say Y to the /proc filesystem below, if you say Y
here. To specify what exactly should be recorded, you need the tool
ipfwadm (available from ftp.xos.nl if you don't have a copy already).

Network firewalls (CONFIG_FIREWALL) [Y/n/?] ?
A firewall is a computer which protects a local network from the
rest of the World: all traffic to and from computers on the local
net is inspected by the firewall first. If you want to configure
your Linux box as a firewall for a local network, say Y here. If
your local network is TCP/IP based, you will have to say Y to "IP:
firewalling", below. You also need to say Y here and enable "IP
firewalling" below in order to be able to use IP masquerading
(i.e. local computers can chat with an outside host, but that
outside host is made to think that it is talking to the firewall
box. Makes the local network completely invisible and avoids the
need to allocate valid IP host addresses for the machines on the
local net) or to use the ip packet accounting to see what is using
all your network bandwidth. Chances are that you should use this on
any machine being run as a router and not on a host. If unsure, say
N.

IP: forwarding/gatewaying (CONFIG_IP_FORWARD) [Y/n/?] ?
People who want to use their Linux box as the router for a local
network (i.e. the computer responsible for distributing Internet
traffic to and from the machines in the local network and the
subnetworks) should say Y here (thereby enlarging their kernel by
about 5 kB). Note that in this case, you possibly have two ethernet
devices in your computer: one for the "outside world" and one for
your local net. The kernel is not able to recognize both at boot
time without help; for details read the
Multiple-Ethernet-mini-HOWTO, available via ftp (user: anonymous) in
sunsite.unc.edu:/pub/Linux/docs/HOWTO/mini. If your box is
connected to two networks, it may still make sense to say N here,
namely if you want to turn your box into a firewall protecting a
local network from the internet. The Firewall-HOWTO tells you how to
do this. If your setup is more complex, say you are connected to
three networks and you want to act as a firewall between two of them
and route traffic for the others, you need to say Y here and enable
IP firewalling below. If you intend to use IP masquerading (i.e. IP
traffic from one of the local computers and destined for an outside
host is changed by your box so that it appears to come from you),
you'll have to say Y here and also to IP firewalling and IP
masquerading below. You should also say Y here if you want to
configure your box as a SLIP (the protocol for sending internet
traffic over telephone lines) or PPP (a better SLIP) server for
other people to dial into and your box is connected to a local
network at the same time. You would then most likely use proxy-ARP
(Address Resolution Protocol), explained in the Proxy-Arp mini howto
on sunsite in /pub/Linux/docs/HOWTO/mini. You also need to say Y
here if you want to run mrouted in order to do multicast routing as
used on the MBONE (a high bandwidth network on top of the internet
which carries audio and video broadcasts) for example. In this case,
say Y to "IP: multicasting" and "IP: multicast routing" as well. If
unsure, say N.

IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] ?
If you want to configure your Linux box as a firewall for a local
TCP/IP based network, say Y here. This will enlarge your kernel by
about 2kB. You may need to read the FIREWALL-HOWTO, available via
ftp (user: anonymous) in
sunsite.unc.edu:/pub/Linux/docs/HOWTO. Also, you will need the
ipfwadm tool (available via ftp (user: anonymous) from ftp.xos.nl)
to allow selective blocking of internet traffic based
on type, origin and destination. You need to enable IP firewalling
in order to be able to use IP masquerading (i.e. local computers can
chat with an outside host, but that outside host is made to think
that it is talking to the firewall box. Makes the local network
completely invisible and avoids the need to allocate valid IP host
addresses for the machines on the local net) or to use the IP packet
accounting to see what is using all your network bandwidth.
This option is also needed when you want to enable the transparent
proxying support (makes the computers on the local network think
they're talking to a remote computer, while in reality the traffic
is redirected by your Linux firewall to a local proxy server).
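
An added example, not part of the original post: a POSIX shell check that reads a kernel .config fragment and reports violations of the option dependencies the help text above states (IP firewalling needs Network firewalls, accounting data needs /proc, masquerading needs forwarding plus firewalling). The .config sample is constructed, and CONFIG_IP_MASQUERADE is assumed to be the symbol behind the "IP masquerading" prompt, which the post does not name.

```shell
#!/bin/sh
# Constructed sample .config fragment (not from the post). It deliberately
# sets CONFIG_IP_FIREWALL without CONFIG_FIREWALL and CONFIG_IP_ACCT
# without CONFIG_PROC_FS so that two of the checks below fire.
SAMPLE_CONFIG='CONFIG_FIREWALL=n
CONFIG_IP_FORWARD=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
CONFIG_IP_ACCT=y
CONFIG_PROC_FS=n'

# opt_enabled NAME CONFIG_TEXT: succeeds only if a line "NAME=y" is present
# (a "# NAME is not set" line or "NAME=n" both count as disabled).
opt_enabled() {
    printf '%s\n' "$2" | grep -q "^$1=y\$"
}

# check_config CONFIG_TEXT: prints one line per dependency the kernel help
# text states but this config violates; prints nothing when consistent.
check_config() {
    cfg="$1"
    if opt_enabled CONFIG_IP_FIREWALL "$cfg" && ! opt_enabled CONFIG_FIREWALL "$cfg"; then
        echo "CONFIG_IP_FIREWALL needs CONFIG_FIREWALL (Network firewalls)"
    fi
    if opt_enabled CONFIG_IP_FIREWALL_VERBOSE "$cfg" && ! opt_enabled CONFIG_IP_FIREWALL "$cfg"; then
        echo "CONFIG_IP_FIREWALL_VERBOSE logs firewall decisions: needs CONFIG_IP_FIREWALL"
    fi
    if opt_enabled CONFIG_IP_ACCT "$cfg" && ! opt_enabled CONFIG_PROC_FS "$cfg"; then
        echo "CONFIG_IP_ACCT is read via /proc/net/ip_acct: needs CONFIG_PROC_FS"
    fi
    # CONFIG_IP_MASQUERADE is an assumed symbol name for "IP masquerading".
    if opt_enabled CONFIG_IP_MASQUERADE "$cfg" &&
       { ! opt_enabled CONFIG_IP_FORWARD "$cfg" || ! opt_enabled CONFIG_IP_FIREWALL "$cfg"; }; then
        echo "CONFIG_IP_MASQUERADE needs CONFIG_IP_FORWARD and CONFIG_IP_FIREWALL"
    fi
}

# count_problems CONFIG_TEXT: number of violations (awk so the exit status
# is always 0, which keeps the helper safe under "set -e").
count_problems() {
    check_config "$1" | awk 'END { print NR }'
}

# Usage: report on the constructed sample (expect two findings).
check_config "$SAMPLE_CONFIG"
```

To check a real kernel, pass the file contents instead: `check_config "$(cat /usr/src/linux/.config)"`.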
--
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Regards
Petr Snajdr
A)bort, R)etry, H)it it with a big hammer?
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/