|
|
马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?注册
×
IPCop is a Linux-based open source firewall system that can secure anything from a single home computer to an enterprise-level network. It goes beyond the simple security guard analogy and provides services like routing, logging of entry attempts, reporting of traffic patterns, and regulation of inbound and outbound traffic.
IPCOP是基于Linux的开放原代码的防火墙系统,他能够保障连接在网络上的电脑的安全。它较之其他单一安全防护系统不同,它同时能够提供路由服务,试图攻击服务器非法数据日志,图形化的数据流量表,标准化的进出数据规则。
A firewall acts like a virtual security guard for your network. Data coming in over the Internet is checked at the gate (firewall), and if it's OK, the firewall passes it through to its destination (a machine on your network). If it's something bad, it's dropped on the spot, without any information going back to the sender. Every computer attached to the Internet should go through a firewall.
防火墙类似于一个虚拟的网络安全守卫。来自因特网的数据首先经过防火墙的检查,如果数据是安全的,那么防火墙将允许它到达目的地(你网络上的一台机器上)。如果这些数据是有害的,那么将被防火墙丢弃,并且不向来源地回馈任何作息。所有连接在因特网上的电脑都应经过防火墙。
I've been happy using IPCop 1.3.0 for about a year. Version 1.4.0 has lots of new features that make using a firewall even easier than before, such as:
我有幸自一年前开始使用 IPCOP 1.3.0。现在1.4.0版本增加了许多新的特性,使防火墙(IPCOP)的使用变得更加简便,例如:
iptable network filters
基于iptable的网络过滤
Support for four separate network cards:
支持最多四个单独的网卡
Green -- internal trusted network
绿色 —— 内部网络
Blue -- wireless semi-trusted network (can be used as a
second Green)
蓝色 —— 无线网络(可以被用做第二个绿色接口)
Orange -- DMZ for Internet-accessed servers
橙色 —— 非军事区网络接入服务器
Red -- the Internet connection
红色 —— 因特网连接
DHCP client support on Red to receive an IP address from ISP DHCP server for Green and Blue.
红色接口上的 DHCP 客户端接收来自于ISP端的DHCP服务器分配的IP地址,供绿色和蓝色接口使用。
NTP server and client for setting IPCop clock and supplying a common clock for internal Green and Blue networks
NTP 服务端和客户端为IPCOP提供时间校准,同时通过绿色和蓝色接口提供内网时钟支持。
Intrusion detection for all four networks
为四个网络接口提供入侵侦测
Virtual private network (VPN) support
支持虚拟网VPN
Proxy support for both Web surfing and Domain Name Services
支持WEB代理和DNS服务代理
Performance graphics for CPU, memory, and disk utilization and network throughput
图形化的CPU、内存、硬盘使用及网络传输性能显示
The main enhancements over 1.3.0 include a new Web interface, more graphs, and support of wireless networks. Having a separate Wi-Fi leg makes sense, because while it isn't open to the Internet, a wireless network is open to anybody within range of your access point. Under 1.3.0 you'd have to wire your access point into your trusted (Green) or DMZ (Orange) network. Now you can put your access point on a separate network leg and have an easier time tracking users and activity.
1.3.0新增了一个全新的,更图形化的WEB界面,对无线网络提供了支持。新增了一个独立的Wi-Fi(这东东啥意思俺不知道,水平不限哇-_-||)检测脚,因为不同于因特网只向特定的用户全面开放,一个无线网络是面向所有接收范围内的用户开放的。在1.3.0以前,你必须通过有线方式让你的用户接入绿色接口或者非军事区接口(橙色接口)。现在你可以新增一个独立的无线网络接口,同时能方便的接入用户和监控他们。
Installation
安装
To get started, download the ISO file and burn it on a CD. It won't take very long, since it's only about 40MB in size.Grab any old desktop machine with at least five open PCI or ISA slots. I started out with a 200MHz Pentium box with 64MB of memory and a combination of 4 PCI and 3 ISA slots. I stuffed in three Intel PCI 10/100 network interface cards (NIC), a Digital/Tulip PCI 10/100 NIC, and an old 2MB ISA video card. You could use ISA-based NICs too, but you'll limit traffic on your networks to 10Mbps speeds. My box also had a CD reader and a 3GB IDE disk.
开始前,你首先需要下载一个ISO文件,刻录到一张CD光盘上,不过这不会占用太长时间,因为这个ISO文件只有40Mb。废弃或者旧的桌面电脑(译者注:所谓台式电脑是也。估计笔记本也应该可以,就看大家有没有米了)。这台机器需要有至少5个空闲的PCI加ISA插口(译者注,晕了,他家电脑接口特别多呀)。我用的电脑是一台Pentium 200,安装有64M内存,4个PCI插口,3个ISA接口(译者注,果然有够多!)。我安装了三块Intel的10/100Mb自适应网卡,一块Digital/Tulip(估计是国外的小品牌网卡,反正俺没听说过)10/100Mb自适应网卡,以及一块2MB显存的ISA显卡(译者注,这东西现在国内也很少见了)。当然你也可以使用ISA接口的网卡,但是这样你最高只能得到10Mb的传输速率。我的电脑上同时还有一部CD-ROM和3GB的IDE硬盘。
For the installation, I hooked up a keyboard, mouse, and monitor. After installation, those components are no longer needed, as you can make changes via a Web browser or SSH into the firewall over the trusted (Green) network. You could even remove the video card and CD reader when you're done.
为了安装方便,我又找来了一块键盘,一个鼠标和一个显示器。当然,安装完成后,这些东西基本就没有什么用处了。因为你可以通过WEB或者SSH对防火墙进行管理。当然,如果你愿意,取下显卡和CD-ROM也是可以的。
Loading IPCop couldn't be easier, because the developers have automated just about everything. Simply pop in the CD, boot up the machine, and follow the on-screen directions. The installation will re-partition and take over the entire disk,
so make sure you want to do that before you continue.
启动IPCOP安装比较简单,因为开发者已经自动化了所有的一切,你只需打开CD-ROM,重新启动机器,跟随屏幕提示做就可以了。安装会重新格式化你的硬盘,所以在此安装开始前请注意保存有用的数据。
The setup program will walk you through setting up your host name, network configuration, passwords, and other settings. I set the firewall to use all four NICs and assigned IP addresses according to the following table:
安装程序会引导你对主机名,网络设置,密码及其他项目进行设置。我对四个网卡的设置如下:
TrustedGreen192.168.2.1
内网绿口:192.168.2.1
DMZ-WebOrange192.168.3.1
非军事区WEB橙色接口:192.168.3.1
WirelessBlue192.168.4.1
无线网蓝色接口:192.168.4.1
InternetRedISP-DHCP
因特网红色接口:这个由ISP的DHCP服务器指定。
If you get a static IP address from your Internet provider, use that address for your Red interface and select Static instead of DHCP. Once you've gone through all the screens, you'll be able to reboot and use any Web browser connected to the trusted (Green) network to manage the firewall.
如果你使用的是静态IP地址,在设置红色接口的时候选择Static,并且把这个地址指定到红色接口上。当全部设置完成之后,你可以重新启动机器并且通过绿色接口登录到防火墙的WEB管理页面啦!
Sorting out the networks
网卡的排序
With four network cards, how do you tell which is which? Log in as root on the IPCop console and type ifconfig. You'll see the normal output for the loopback (lo) and the four network cards device names from eth0 through eth3. A quick and dirty way to identify the cards is to plug your active cable or DSL modem Ethernet cable into the topmost NIC and rerun the ifconfig command. Look down the ifconfig listing and see which device changes the RX packet line. Run ifconfig a couple of times, just to make sure. Mark the card using a marker on the back of the PC with its corresponding device name (eth0, eth1, etc.). Mark the rest of the NICs following the same procedure.
机器里面有四张网卡,我们怎么知道哪个是哪个呢?我们可以用ROOT用户登录IPCOP控制台,然后键入ifconfig命令。就能够看到从eth0至eht3各网卡的接口名称及流量信息。最迅速的办法就是把你的Cable或者Adsl猫的ETH接口分别插入最高处的网卡(译者注:可能说的是最接近CPU位置的网卡吧)并且两次输入ifconfig命令。看看屏幕列出的数据,看看哪个设置的RX信息。如此重复三次,你就可以确定哪个卡是哪个了(译者注:果然是个好办法,别说你需要用四次ifconfig哈)。在网卡上端贴上相应的标签,以便今后使用(译注:这个好象不用说大家也会做吧)。
When you're done, unhook the modem cable right away. I logged a couple of access attempts within the first couple of minutes of firewall operation. You don't want someone hacking into your firewall box because you forgot to unhook the Internet cable from the trusted Green or Blue network leg. Next, while still logged into the firewall console as root, perform the following:
当你完成以上步骤后,取下你的猫。在我设置防火墙的时候,截取了至少1打攻击防火墙的记录。你也不希望在你完成防火墙的设置前,因为你的猫通过绿色或者蓝色接口连接在因特网上,而受到攻击吧(译者注:也太夸张了吧-_-||)。然后,使用root登录防火墙,完成以下操作:
#> cd /usr/local/sbin
#> ./setup
上面这二条命令就没有必要翻译成中文了吧。
Use the Tab and arrow keys to travel down the menu to select Networking. Move down and select Drivers and Card Assignments. Look at the list and you can figure out that Green will probably correspond to eth0. In my case Blue was eth1, Orange eth2, and Red eth3. Go back up the menu structure to get back to your root prompt.
使用Tab和方向键移动菜单,选择网络,向下选择驱动和网卡指定。观察列表,你可以确认绿色已经绑定在eht0上了。在我的机器里面,eht1是蓝色接口,eht2是橙色,eth3是红色。返回菜单,再返回root提示符。
Now you can hook up your cables and rerun ifconfig to make sure the appropriate data is moving across each NIC. Power down the firewall (with shutdown -h now), remove the monitor, keyboard, and mouse, then power up the machine again. You may have to power down the cable modem to get a new IP address if you're using a dynamic IP address from your ISP.
现在你可以接上你的猫,并且通过键入ifconfig命令来确认所有的数据都流向正确的网卡。关闭防火墙(使用shutdown –h now),移走显示器,键盘,鼠标。重新启动防火墙。你可能需要重新启动你的猫,以便获得一个新的IP地址,如果你使用动态IP地址的话。
Web-based management
基于WEB页面的管理
After the firewall reboots, take a look at the Web-based management interface. Use a browser connected to the Green network and go to http://192.168.2.1:81/, or use the Green IP address that you assigned and add the :81/ port. You'll see a splash screen and login prompt. Enter "admin" and the admin password that you set during installation.
Now you can click through a tabbed interface to see the settings and information you need. Here's a description of some of the more useful tabs.
Status
The Status tab lets you keep track of what's going on inside your IPCop system. Some of the more useful menu items include system and network graphs and network status. The system graphs are useful for monitoring CPU and memory usage, to make sure that your firewall can handle the data flow. If you've recruited an old 300MHz Pentium II machine for your firewall, you can check usage as you add users. Six months from now,
when you've tripled your user base, the system graph can tell you if you're maxed out and need a more powerful machine.Likewise with the traffic graph. You can watch the amount of traffic flowing over each network leg. Naturally, you'd assume
that the largest amount of traffic would flow over the trusted (Green) network. A large increase on your wireless (Blue) network might mean that unauthorized users has found your access point.Another screen you'll find useful is network status. Here you'll see network interface information (much like the output of ifconfig), Red network DHCP information, LAN-side DHCP clients, and routing table data.
Logs
You'll want to regularly look at the Firewall and IDS screens to find out who is trying to break in and what kinds of threats are coming in over the Internet. If you click on the Summary menu item you'll see a nice compilation of all the IP addresses that have tried to access your firewall's ports, what network the probes came from, and how many times it's happened in the last 24 hours (default). To track intrusion attempts on all four networks, click the enable boxes under the Services -> Intrusion Detection and click Save.
Wrapping up
I was impressed with IPCop 1.4.0. It was easy to install, easy to configure, and provides more status information than 1.3.0. The IPCop team built a new Web GUI that's intuitive and functional. It also added welcome support for the fourth (wireless) network. I like having a semi-accessible network leg with logging capabilities.
An IPCop firewall can be an important network protection device for your medium-sized business or educational organization.
Rob Reilly is a technology consultant who specializes in helping clients communicate effectively. Many of his published articles are geared to the use of Linux, portable computing, and presentation technology, especially as it relates to communication in business. Send him a note or visit his Web site at http://home.earthlink.net/~robreilly. |
|
|Archiver|手机版|小黑屋|软路由
( 渝ICP备15001194号-1|
渝公网安备 50011602500124号 )
IP卡
狗仔卡
发表于 2006-9-3 16:52:18
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡
