Practical Guide to Building a Firewall

이상호 (Lee Sang-ho) : shlee@apdns.com / runs the LPI, Inc (http://www.lpi.org) Korean-language site (http://lpi.apit.edu)

 

 

    This document covers the information needed to build a firewall with the TIS Firewall Toolkit and the layout of its setup files.

 

1. TIS-FWTK

    The toolkit consists of the netacl module, which performs IP-address-based access control for each service, and one proxy per service; each proxy can optionally require authentication.
    Each service module consults the netperm-table file, which defines the security policy for the services offered, to decide whether to serve a request, and logs every connection it permits or denies.

    A. NETACL

    netacl is the network access-control program that decides how much access a client gets to the various TCP-based services the server runs. For example, if you want to let an authorized user telnet into the firewall system itself, netacl with a suitable rule makes that possible. The same applies to the ftp and rlogin services.

    B. TELNET-GW

    The telnet proxy tn-gw provides the only path to the telnet service on the desired server; it is used in the many network environments where the system administrator does not allow telnet access through the firewall host into the internal network. Unlike netacl, the telnet proxy does not provide direct access to the firewall itself. In other words, telnet that goes through netacl is allowed onto the firewall host, whereas telnet that goes through the proxy only gets a logged, access-controlled path onward.

    The administrator of a firewall system often faces the dilemma of needing both an access path for remote administration of the firewall host and the proxy telnet. This is solved by editing /etc/services and /etc/inetd.conf so that the real telnetd listens on a port other than telnet's standard TCP port while the proxy listens on the standard telnet port. In that case access control such as netacl is still required on the administrative port.

    C. FTP-GW

    The FTP proxy ftp-gw allows FTP traffic through the firewall host to the private or the public network; as with the telnet proxy, the proxy starts when an FTP connection arrives at the firewall on the standard FTP port.

    Having the system that serves as the firewall host offer an FTP service of its own is not a good idea. The best approach is to run a separate FTP server, but if FTP is needed for remote administration of the system, you can do as with telnet: edit /etc/services and /etc/inetd.conf so that the real ftpd listens on a port other than FTP's standard TCP port while the proxy listens on the standard FTP port. Here too, access control such as netacl is required.

    D. SMTP-GW

    Correct delivery of mail through the firewall host requires two proxies, called smap and smapd. smap plays the client role, implementing only a minimal subset of SMTP: it accepts messages from the network and writes them to disk, leaving smapd to forward the stored messages later. Because smap is designed to run chrooted as a non-privileged process, it provides a higher level of security than an ordinary privileged mailer.

    The smapd daemon periodically scans the spool area where smap stored the mail and delivers the collected messages to their recipients. The delivery itself is done by the MTA (Mail Transfer Agent) sendmail, and a message is deleted once it has been handed over. If a message cannot be delivered, smapd sets it aside in the spool area so that delivery can be retried later.

    E. PLUG-GW

    For TCP-based services that should be transparent to the user (NNTP, POP), the toolkit provides plug-gw, a plug-board style proxy.

    F. Authentication server

    Authentication is optional and can be enabled in each proxy. Of the supported authentication methods, "Bellcore's S/KEY" is the most widely used.

    G. Other tools

    The reporting facility of the current TIS Firewall Toolkit can be considered fairly complete, but since it is text-based, analysing the resulting reports may be somewhat laborious.
    RLOGIN-GW, the authentication server and the other tools are outside the scope of this document.

     

2. Bastion host

    In general, a bastion host is the firewall host that matters most for the security of the network. Usually the Linux (Unix) system placed between two packet-filtering routers is called the bastion host. The outer router permits only traffic between the Internet and the bastion; the inner router permits only traffic between the internal network and the bastion.

    2.1 Building a Linux bastion host

    A. Raise the security level of the machine itself.

    Fix all known system bugs to bring the system into a lean, clean state, and make use of the system log records.

    B. Stop every service that is not needed.

    Keep only the services the Linux machine needs to operate and stop the rest. The services that generally should be disabled when building a bastion host are NFS, RPC, boot services, the BSD 'r' commands, routed, fingerd, uucpd, rwhod and lpd; it is safest not to offer any of these on the bastion host.

    C. Remove all unnecessary user accounts.

    Unless strictly needed, every user account on the bastion host should be deleted: a bastion host with no user accounts can provide a higher level of security.

    D. Remove non-essential files and commands.

    setuid/setgid programs in particular are a prime target for attackers and must be removed. The programs to consider removing can be located as follows (the setuid bit is 04000 and the setgid bit 02000; the two tests are grouped so that -ls applies to both):
    [nic@fw nic]# find / -type f \( -perm -04000 -o -perm -02000 \) -ls

    E. Disable IP forwarding and source routing.

    Some of the features the kernel provides carry a security risk, and the following should be removed first: IP forwarding OFF, IP masquerading OFF, and the NFS- and RPC-related features.
    If the bastion host is built as a dual-homed host, IP forwarding must be disabled.

    [nic@fw nic]# cat /proc/sys/net/ipv4/ip_forward
    0

    [nic@fw nic]# grep "FORWARD_IPV4" /etc/sysconfig/network
    FORWARD_IPV4 = no

    F. Use security auditing tools to remove vulnerabilities.

    2.2 Compiling FWTK

    Create the Makefile.config file, set the compile-related variables, and compile.

    [nic@fw nic]# cd /usr/local/src/fwtk
    [nic@fw nic]# cp Makefile.config.linux Makefile.config

    [nic@fw nic]# vi Makefile.config
    # compiler installed on the system
    CC=cc
    # directory for the installed executables
    DEST=/usr/local/etc
    # FWTK source directory
    FWTKSRCDIR=/usr/local/src/fwtk
    # database library
    DBMLIB=-lgdbm
    # proxy service directories to build (tn-gw is used later in this guide, so it is included)
    DIRS= smap smapd netacl tn-gw plug-gw ftp-gw

     

    2.3 Edit the service-related files

    Most FWTK components are started by the inetd daemon, and inetd in turn reads the inetd.conf file.
    For inetd to run the firewall components when a network service is requested from outside, "inetd.conf" must therefore be edited. Offering a network service also requires the port number assigned to each service and the protocol each service uses.

    2.4 Define the access-control rules

    netperm-table defines the access-control rules that decide which networks and hosts a service is offered to. By default the file lives in "/usr/local/etc/"; in each rule the part left of the ":" (colon) names the service and the part to the right describes the permitted networks and related settings.

    2.5 Testing the firewall

    The firewall's functions can be checked from a host on the same Ethernet segment, using the access-control rules defined earlier. The other network services can be tested in the same way.

     

3. Building an application-layer firewall in practice

    R1 : outer router
    R2 : inner router
    B1 : bastion host (WWW / FTP server)
    B2 : bastion host (SMTP / 2nd nameserver)
    S1 : BBS
    S2 : mail hub, 1st nameserver, POP3
    S3 : NAT (ipchains)
    S4 : file server
    DB : RDBMS
    C1... : client PCs

    Packet-filtering rules are applied on R1 and R2, and the proxy servers on the bastion hosts enforce the access-control rules. The corresponding configuration files are given at the end of this document.

    3.1 Network access control

    By convention a rule is named by combining netacl- with the name of the service; for the service in.ftpd the rule is named netacl-in.ftpd.

    netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/s/in.telnetd
    netacl-in.telnetd: permit-hosts 210.217.111.* -exec /usr/sbin/in.telnetd
    netacl-in.telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
    netacl-in.ftpd:   permit-hosts 210.217.111.* -exec /usr/sbin/in.ftpd
    netacl-in.ftpd:   permit-hosts unknown -exec /bin/cat /usr/local/etc/noftp.txt
    netacl-in.ftpd:   permit-hosts * -chroot /home/ftp -exec /usr/sbin/in.ftpd
    netacl-in.fingerd: permit-hosts 210.217.111.* -exec /usr/sbin/in.fingerd
    netacl-in.fingerd: permit-hosts unknown -exec /bin/cat /usr/local/etc/nofinger.txt

    In this example netacl is configured so that the services are permitted only to hosts on a particular subnet, a connection from a system without a valid DNS name (the keyword unknown) is answered by printing a fixed file, and FTP requests from every other network are served by a separate FTP server chrooted to a specific directory, so the services that server offers can be restricted.

    3.2 Running the telnet proxy

    The tn-gw program is started by the inetd daemon; edit /etc/inetd.conf as follows.

    telnet stream tcp nowait root /usr/local/etc/tn-gw tn-gw

    Once inetd picks this up, the proxy relays the telnet service between the client and the real telnet server, applying per-network/host access control and logging while it does so.

    For tn-gw, set the access rules in netperm-table as follows.

    tn-gw : userid bin
    tn-gw : directory /home
    tn-gw : prompt "KRWEB@telnet-gw>"
    tn-gw : denial-msg     /usr/local/etc/tn-deny.txt
    tn-gw : welcome-msg    /usr/local/etc/tn-welcome.txt
    tn-gw : help-msg       /usr/local/etc/tn-help.txt
    tn-gw : denydest-msg   /usr/local/etc/tn-denydest.txt
    tn-gw : timeout        3600
    tn-gw : deny-hosts     unknown
    tn-gw : permit-hosts   210.217.111.*  210.217.112.*
    tn-gw : permit-hosts   210.217.112.*  -dest bbs.krweb.co.kr  -dest !*  -passok  -xok

    Access rules

    A connection is refused if the client's domain name cannot be found in DNS.
    Only access from the 210.217.111.0 and 210.217.112.0 networks is permitted.
    Of the connections requested from the 210.217.112.0 network, only those to bbs.krweb.co.kr are permitted; all other connection requests are refused.
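The rule selection that netacl (3.1) and tn-gw (3.2) apply to netperm-table, written out as an added Python example (not code from this guide or from FWTK): the rules for a service are tried in order and the first permit-hosts or deny-hosts line whose host pattern matches the client decides, unknown matches a client with no reverse-DNS name, and -dest patterns are tried in order with !pattern refusing. First-match ordering is an assumption of this example; under it the two tn-gw permit-hosts lines above need the bbs-only line first, because a 210.217.112.* client otherwise matches the unrestricted line and the -dest restriction is never reached.

```python
import fnmatch

# Constructed sample of the netacl and tn-gw rules shown in this guide.
# The FWTK keyword 'unknown' stands for a client with no reverse-DNS name.
NETPERM_TABLE = """
netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.telnetd
netacl-in.telnetd: permit-hosts 210.217.111.* -exec /usr/sbin/in.telnetd
netacl-in.telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
netacl-in.ftpd:   permit-hosts 210.217.111.* -exec /usr/sbin/in.ftpd
netacl-in.ftpd:   permit-hosts unknown -exec /bin/cat /usr/local/etc/noftp.txt
netacl-in.ftpd:   permit-hosts * -chroot /home/ftp -exec /usr/sbin/in.ftpd
tn-gw: timeout 3600
tn-gw: deny-hosts unknown
tn-gw: permit-hosts 210.217.111.* 210.217.112.*
tn-gw: permit-hosts 210.217.112.* -dest bbs.krweb.co.kr -dest !* -passok -xok
"""

# The same tn-gw rules with the restricted (more specific) line placed first.
TN_GW_SPECIFIC_FIRST = """
tn-gw: deny-hosts unknown
tn-gw: permit-hosts 210.217.112.* -dest bbs.krweb.co.kr -dest !* -passok -xok
tn-gw: permit-hosts 210.217.111.* 210.217.112.*
"""


def parse_rules(text):
    """Parse permit-hosts/deny-hosts lines; other attributes are not access rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service, _, rest = line.partition(":")
        tokens = rest.split()
        if not tokens or tokens[0] not in ("permit-hosts", "deny-hosts"):
            continue
        rule = {"service": service.strip(), "action": tokens[0], "hosts": [],
                "dests": [], "flags": [], "chroot": None, "exec": None}
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-dest":            # destination pattern; a leading '!' refuses
                rule["dests"].append(tokens[i + 1])
                i += 2
            elif tok == "-chroot":        # directory the service is confined to
                rule["chroot"] = tokens[i + 1]
                i += 2
            elif tok == "-exec":          # everything after -exec is the command line
                rule["exec"] = tokens[i + 1:]
                break
            elif tok.startswith("-"):     # -auth, -passok, -xok, ...
                rule["flags"].append(tok)
                i += 1
            else:                         # a host pattern
                rule["hosts"].append(tok)
                i += 1
        rules.append(rule)
    return rules


def host_matches(pattern, ip, name):
    """'unknown' matches only clients without a reverse name; numeric patterns
    are matched against the address, all others against the name."""
    if pattern == "unknown":
        return name is None
    if pattern == "*":
        return True
    if pattern[0].isdigit():
        return fnmatch.fnmatchcase(ip, pattern)
    return name is not None and fnmatch.fnmatchcase(name, pattern)


def dest_allowed(dest_patterns, dest):
    """The first matching -dest pattern decides; '!pat' refuses; no match refuses."""
    for pat in dest_patterns:
        if fnmatch.fnmatchcase(dest, pat.lstrip("!")):
            return not pat.startswith("!")
    return False


def evaluate(rules, service, ip, name=None, dest=None):
    """Return ('permit'|'deny', matching rule or None) using first-match order."""
    for rule in rules:
        if rule["service"] != service:
            continue
        if not any(host_matches(p, ip, name) for p in rule["hosts"]):
            continue
        if rule["action"] == "deny-hosts":
            return "deny", rule
        if dest is not None and rule["dests"] and not dest_allowed(rule["dests"], dest):
            return "deny", rule
        return "permit", rule
    return "deny", None               # no rule for this client: the service refuses


if __name__ == "__main__":
    # With the guide's order a 210.217.112.* client is permitted to any destination;
    # with the specific line first the same client is limited to bbs.krweb.co.kr.
    client = ("210.217.112.7", "pc7.example.net")        # constructed client
    print(evaluate(parse_rules(NETPERM_TABLE), "tn-gw", *client, dest="nownuri.net")[0])
    print(evaluate(parse_rules(TN_GW_SPECIFIC_FIRST), "tn-gw", *client, dest="nownuri.net")[0])
```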

    Connecting through the telnet proxy

    Access from an authorized network

    [nic@ns nic]$ telnet fw.krweb.co.kr
    Trying 210.217.111.10
    Connected to fw.krweb.co.kr.
    Escape character is '^]'.

    ******************** < 환 영 > ************************
    KRWEB의 방화벽 Telnet Proxy에 접속되신 것을 환영합니다.
    명령어 도움말은 ? 입니다
    *******************************************************

    KRWEB@telnet-gw>connect nownuri.net
    Not permitted to connect to nownuri.net
    KRWEB@telnet-gw>connect linux.krweb.co.kr
    Trying 210.217.111.5
    Connected to linux.krweb.co.kr.
    Escape character is '^]'.
    login:_

    In this example the rules forbid access to every host except *.krweb.co.kr, so the telnet connection to nownuri.net is refused and only the connection to linux.krweb.co.kr is allowed.

    Access from an unauthorized network

    [nic@xxx nic]$ telnet fw.krweb.co.kr
    Connecting to fw.krweb.co.kr ...
    **************** < 주   의 > *****************************
    당신은 인가(인증)되지 않은 네트웍에서 접속을 하였습니다.
    본 텔넷 서비스를 허가하지 않습니다.
    *********************************************************
    Connection closed by foreign host

    In this example, when the client comes from an unauthorized network, the access-denial message file is printed and the connection is closed.

    3.3 Running the FTP proxy

    Edit /etc/inetd.conf as follows to get the desired proxy behaviour.

    ftp stream tcp nowait root /usr/local/etc/ftp-gw ftp-gw

    Like tn-gw, ftp-gw decides whether to accept a connection according to the access rules set in netperm-table.

    For ftp-gw, set the access rules in netperm-table as follows.

    ftp-gw:  denial-msg    /usr/local/etc/ftp-deny.txt
    ftp-gw:  welcome-msg   /usr/local/etc/ftp-welcome.txt
    ftp-gw:  help-msg      /usr/local/etc/ftp-help.txt
    ftp-gw:  denydest-msg  /usr/local/etc/ftp-baddest.txt
    ftp-gw:  timeout       3600
    ftp-gw:  deny-hosts    unknown
    ftp-gw:  permit-hosts  210.217.111.* 210.217.112.*  -log { retr stor }
    ftp-gw:  permit-hosts  * -authall -log { retr stor }

    Access rules

    With these rules in effect, a connection is refused if the client's domain name cannot be found in DNS, and access from the 210.217.111 and 210.217.112 networks is permitted. Where the authentication option is present, the client must pass authentication before it can connect.
    Every file transfer is recorded in the log.

    Connecting through the FTP proxy

    Without the authentication option (from an authorized network)

    [nic@ns nic]$ ftp fw
    Connected to fw.krweb.co.kr
    220-
    220-
    220- 방화벽 FTP Proxy 에 접속되신 것을 환영합니다.
    220- 사용자id@호스트명 (예, test@someplace.net)
    Name (firewall:test): test@someplace.net
    331-(----GATEWAY CONNECTED TO someplace.net----)
    331-(220 hen FTP server (UNIX(r) System V Release 4.0) ready.)
    331 Password required for knwook.
    Password:
    230 User knwook logged in.
    ftp>

    Without the authentication option (from an unauthorized network)

    [nic@xxx nic]$ ftp fw
    Connected to fw.krweb.co.kr.
    500-
    500-**************<주의>****************
    500-FTP 서비스를 사용할 수 없습니다.
    500-고객지원센터  e-mail:helpme@krweb.co.kr
    500
    ftp>

    With the authentication option

    [nic@ns nic]$ ftp fw
    Connected to fw.krweb.co.kr.
    220-
    220-
    220-방화벽 FTP Proxy 에 접속되신 것을 환영합니다.
    220-사용자 인증이 끝나면, 아래와 같이 입력하여 주십시오.
    220-use 사용자id@호스트명 (예, use test@someplace.net)
    Name (firewall:nic): nic
    331 Enter authentication password for nic
    Password:
    230 User authenticated to proxy
    ftp> use test@someplace.net
    331-(----GATEWAY CONNECTED TO someplace.net----)
    331-(220 hen FTP server (UNIX(r) System V Release 4.0) ready.)
    331 Password required for test.
    Password:
    230 User test logged in.
    ftp>

    Once the FTP proxy's user-authentication step has completed, the FTP connection to the desired site is attempted in the form "use user@site".

    3.4 Running the sendmail proxy

    (1) Installing the SMTP client

    The smap client runs each time a connection request arrives at the firewall host's smtp port.
    As for the other proxies, add the following to /etc/inetd.conf.

    smtp  stream  tcp  nowait  root  /usr/local/etc/smap  smap

    After editing inetd.conf, restart the inetd daemon to activate smap.
    Then check the smtp port by hand.

    [nic@ns nic]$ telnet fw 25
    Trying 210.217.111.5...
    Connected to fw.krweb.co.kr.
    Escape character is '^]'.
    220 firewall SMTP/smap Ready.
    quit
    221 Closing connection
    Connection closed by foreign host.
    $

    Configuring the SMTP client
    The smap client operates according to its own rules in netperm-table, the ones beginning with smap.

    smap:   userid      smtp
    smap:   directory   /var/spool/smap
    smap:   timeout     3600
    smap:   maxbytes    10000
    smap:   maxrecip    20

     

    (2) Installing the smapd application

    Unlike smap, which inetd starts on each connection request, smapd is started automatically at boot by creating the script /etc/rc3.d/S88smapd. In this case the existing sendmail must no longer run in daemon mode.

    # /etc/rc.d/init.d/sendmail stop
    or
    # ntsysv  →  deselect sendmail

    Then, with a text editor, create the new Sxx (xx is a number) smapd script file.

    # vi S88smapd
    echo "Starting Firewall Mail Processor ..."
    /usr/local/etc/smapd

    Because sendmail no longer runs in daemon mode, messages that could not be delivered and have accumulated in the queue must be delivered by a sendmail that is invoked periodically. Add the following line to crontab for this purpose.

    0,30 * * * * /usr/lib/sendmail -q > /dev/null 2>&1

    With this line in place, messages that smapd could not deliver on the first attempt are still reliably delivered later.

    Configuring the smapd application
    The smapd application periodically reads the mail queue and delivers the messages to the remote systems.

    smapd:  executable  /usr/local/etc/smapd
    smapd:  sendmail    /usr/lib/sendmail
    smapd:  userid      smtp
    smapd:  directory   /var/spool/smap
    smapd:  baddir      /var/spool/smap/bad
    smapd:  wakeup      900

     

    DNS configuration for smapd
    For mail passing through the firewall system to be delivered correctly, MX records must be published in the local DNS zone so that it is clear where SMTP mail is to be sent. This is done by adding MX (mail exchanger) records, or by registering with the network's domain or the local DNS provider.

    The following output was obtained by running the nslookup command; it shows the mail exchangers registered as follows.

    [nic@ns nic]# nslookup
    Default Server:  ns.krweb.co.kr
    Address:  210.217.111.1

    > set q=mx
    > krweb.co.kr
    Server:  ns.krweb.co.kr
    Address:  210.217.111.1

    krweb.co.kr      preference = 10, mail exchanger = mail.krweb.co.kr
    krweb.co.kr      preference = 1, mail exchanger = fw.krweb.co.kr
    krweb.co.kr      nameserver = ns2.krweb.co.kr
    krweb.co.kr      nameserver = ns.krweb.co.kr
    mail.krweb.co.kr  internet address = 210.217.111.3
    fw.krweb.co.kr    internet address = 210.217.111.5
    ns2.krweb.co.kr  internet address = 210.217.111.2
    ns.krweb.co.kr    internet address = 210.217.111.1
    >

    Consider mail for the domain krweb.co.kr sent from some host: that host first looks up where the krweb.co.kr domain itself is located. The rule that decides which host is contacted first is very simple.
    In the example above, the firewall host fw.krweb.co.kr has preference 1 for the given address and is therefore contacted first.
    The recommended configuration is to give the system used as the firewall host the lowest preference value, so that no other system is contacted directly from outside. If the system with the lowest preference cannot handle the request, the next system is contacted: in the case above that is mail.krweb.co.kr. Once mail has been delivered to mail.krweb.co.kr, the sendmail daemon on mail.krweb.co.kr is responsible for passing it on to fw.krweb.co.kr, the system with the lowest preference. The behaviour of sendmail is controlled by the sendmail.cf file on the remote machine.

    3.5 Running the POP proxy

    For the firewall to accept connections for the POP service, /etc/inetd.conf must be edited so that inetd runs plug-gw whenever a connection request arrives on the POP port.

    pop  stream  tcp  nowait  root  /usr/local/etc/plug-gw  plug-gw 110

    To receive the POP service through the firewall, a plug-gw configuration must be added to netperm-table; since the POP port is defined as 110 in /etc/services, the following setting implements it.

    plug-gw : port 110 210.217.112.* -plug-to 210.217.111.110

    This line states that any connection received on port 110 (POP) from the 210.217.112 network is connected through to 210.217.111.110. Then set the POP server in the MUA (Mail User Agent) program to the firewall system.

    3.6 Running the HTTP proxy

    This document does not use the TIS-FWTK HTTP-GW; a dedicated web proxy server is used instead.
    The dedicated web proxy program is squid.

    Restricting access to sites
    Site access restrictions are defined with ACLs (Access Control Lists); an ACL can be thought of as a list of variables that define the rules for connecting to sites.

    The HTTP proxy configuration file is /usr/local/squid/etc/squid.conf.
    The ACL definitions are found in the lower-middle part of this file.
    After defining an ACL, you must enable it with an http_access statement.
     

    (example /usr/local/squid/etc/squid.conf)
    # the cache-related settings are omitted
    #----------------------------------
    #
    # Access settings (ACL = access control restrictions)
    # This is where the sites to be blocked are defined, so that
    # objectionable sites cannot be visited.
    #
    # Usage
    #
    # acl aclname acltype string1 ...
    # acl aclname acltype "file" ...
    #
    # 1) Used to stop the clients in ip-address from using http.
    #    '0.0.0.0/0.0.0.0' matches everyone.
    # acl aclname src      ip-address/netmask ... (clients IP address)
    # acl aclname src      addr1-addr2/netmask ... (range of addresses)
    #
    # 2) Used to stop connections to the sites in ip-address.
    # acl aclname dst      ip-address/netmask ... (URL host's IP address)
    #
    # 3) Used to refuse http connections from clients in the domain foo.com.
    # acl aclname srcdomain   foo.com ... (taken from reverse DNS lookup)
    #
    # 4) Used to block connections to sites in the domain foo.com.
    # acl aclname dstdomain   foo.com ... (taken from the URL)
    #
    # 5) Used to refuse client http connections between h1:m1 and h2:m2.
    #    day-abbrevs can also restrict the days of the week.
    # acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
    #       day-abbrevs:
    #               S - Sunday
    #               M - Monday
    #               T - Tuesday
    #               W - Wednesday
    #               H - Thursday
    #               F - Friday
    #               A - Saturday
    #       h1:m1 must be less than h2:m2
    #
    # 6) Used to refuse URLs beginning with http://www (the leading ^ is required;
    #    without ^ the pattern is not anchored to the start of the URL).
    # acl aclname url_regex  ^http://www    # regex matching on whole URL
    #
    # 7) Used to stop gif files from being transferred.
    # acl aclname urlpath_regex  \.gif$ ... # regex matching on URL path only
    #
    # 8) Used to refuse connections to particular ports.
    # acl aclname port     80 70 21 ...
    #
    # 9) Used to refuse use of HTTP and FTP.
    # acl aclname proto    HTTP FTP ...
    #
    # 10) Used to refuse requests that use the following HTTP methods.
    # acl aclname method   GET POST ...
    #
    # ---------------------------------
    # Examples
    # To block URLs that begin with sex:
    # --> acl denysex url_regex ^http://sex
    # To block URLs that contain adult.com:
    # --> acl denyadult url_regex adult.com
    #
    #----------------------------------
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl all src 0.0.0.0/0.0.0.0

    acl SSL_ports port 443 563
    acl Dangerous_ports port 7 9 19
    acl CONNECT method CONNECT

    # The administrator defines new ACLs here.
    acl sexsite01 url_regex ^http://come.to/ladyx

    acl sexsite02 url_regex ^http://sexygirl.com

    acl sexsite03 url_regex ^http://www.korean-babes.com

    #####################################
    #
    # The ACLs defined above are put into effect here.
    # (allow permits, deny refuses)
    #
    # An ACL defined above does nothing until it is referenced here!!
    #
    # Access to the HTTP port:
    #     http_access allow|deny [!]aclname ...
    #
    # Access to the ICP port:
    #     icp_access  allow|deny [!]aclname ...
    #
    # Example: to enable the ACL named denysex defined above:
    # ---> http_access deny denysex
    #
    ###################################

    # Only allow access to the cache manager functions from the local host.
    http_access deny manager !localhost
    http_access deny CONNECT !SSL_ports
    http_access deny Dangerous_ports

    # Allow/deny decisions for the ACLs defined above (the names must match the acl lines exactly).
    http_access deny sexsite01
    http_access deny sexsite02
    http_access deny sexsite03
    ###################################

    # Allow everything else
    http_access allow  all

    # Reply to all ICP queries we receive
    icp_access  allow  all

     

4. Building the security policy

    When a network administrator sets up a router-based firewall, the first thing to be decided is the range and kinds of Internet services to be offered.
    The following range of services can be defined.

    For external users
     · web and file-transfer services are offered
     · from authorized networks, telnet and e-mail to internal servers may be used
     · all other Internet services are restricted
     

    Policy   Restriction   S_PORT   D_PORT   S_IP     D_IP
    -------  -----------   ------   ------   ------   --------------
    BBS      allow         > 1023   23       branch   210.217.111.6
    FTP      allow         > 1023   21       Any      210.217.111.5
    WEB      allow         > 1023   80       Any      210.217.111.4
    SMTP     restrict      > 1023   25       branch   210.217.111.3
    POP      allow         > 1023   110      branch   210.217.111.3
    DNS      allow         > 1023   53       branch   210.217.111.1
    other    restrict      > 1023   > 1023   Any      210.217.111/24

     

    For internal users
    · access to objectionable sites is restricted
      (this is only possible when the network address of the site is known)
    · all other Internet services may be used
     

    Policy        Restriction   S_PORT   D_PORT   S_IP             D_IP
    ------------  -----------   ------   ------   ---------------  --------------
    adult sites   restrict      > 1023   80       210.217.111/24   adult sites
    DB            allow         > 1023   3306     210.217.111/24   210.217.111.88
    other         allow         > 1023   > 1023   210.217.111/24   Any

     

    Information needed to build the router ACLs

    Every IP packet carried over TCP/IP contains the source IP address, destination IP address, source port and destination port, and the router filters particular packets by combining these fields.

    Configuring the access-list on a Cisco router

    Basic ACL definition for internal users' packets
    RT(config)# access-list 101 permit tcp any any established
    RT(config)# access-list 101 permit tcp any any gt 1023
    RT(config)# access-list 101 permit udp any any gt 1023
    RT(config)# access-list 101 permit tcp 210.217.111.0 0.0.0.255 host 210.217.111.88 eq 3306
    RT(config)# access-list 101 permit udp 210.217.111.0 0.0.0.255 host 210.217.111.88 eq 3306

    Security-policy ACL definition for external users
    RT(config)# access-list 101 permit tcp any host 210.217.111.4 eq 80
    RT(config)# access-list 101 permit tcp any host 210.217.111.5 eq 20
    RT(config)# access-list 101 permit tcp any host 210.217.111.5 eq 21

    Security-policy ACL definition for the branch office
    RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.6 eq 23
    RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.3 eq 25
    RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.1 eq 53
    RT(config)# access-list 101 permit udp 210.217.112.0 0.0.0.255 host 210.217.111.1 eq 53
    RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.1 eq 110
    RT(config)# access-list 101 permit udp 210.217.112.0 0.0.0.255 host 210.217.111.1 eq 110

    Security-policy ACL definition for adult sites
    RT(config)# access-list 101 deny tcp 203.255.112.0 0.0.0.255 host 206.251.29.11 eq www
    Security-policy ACL definition for all other packets not permitted above
    RT(config)# access-list 101 deny ip any any

    General rules for Internet service filtering on the firewall

    This section looks at Internet service filtering in the most common firewall architecture, the screened subnet.

     

Service configuration

    Telnet
    Outgoing telnet is provided through packet filtering.
    Incoming telnet from outside is provided through the proxy (restricted to the bbs).

    ftp
    Outgoing file transfer is provided through packet filtering.
    Incoming ftp from outside is provided through the proxy (restricted to anonymous ftp).
    Only authenticated users may use the proxy.

    Smtp
    DNS MX records are provided so that incoming mail comes in directly via the bastion host.
    Internal computers are configured to send outgoing mail via the bastion host.
    The bastion host is configured to pass incoming mail to the internal mail server and to send mail on to its destination.

    http
    Outgoing web access is provided through packet filtering.
    Objectionable web sites are blocked through the proxy.
    The public web server is placed on the perimeter network.

    Dns
    The secondary nameserver runs on the bastion host on the perimeter, and the primary nameserver runs on the internal network.

    Packet-filtering rules

    For the filtering rules we assume on our hypothetical router, the following is provided.
    - Incoming and outgoing packets are distinguished.
    - Source and destination address, port and packet type can be distinguished.
    - For TCP packets, whether or not the ACK bit is set is filtered on.
    - Rules are applied in order.
     

    [nic@fw nic]# cat /usr/local/etc/netperm-table
    # Netacl rules:
    netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.telnetd
    netacl-in.telnetd: permit-hosts 210.217.111.* -exec /usr/sbin/in.telnetd
    netacl-in.telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
    netacl-in.ftpd:   permit-hosts 210.217.111.* -exec /usr/sbin/in.ftpd
    netacl-in.ftpd:   permit-hosts unknown -exec /bin/cat /usr/local/etc/noftp.txt
    netacl-in.ftpd:   permit-hosts * -chroot /home/ftp -exec /usr/sbin/in.ftpd
    #
    # Telnet gateway rules:
    tn-gw:    userid          bin
    tn-gw:    directory       /home/telnet
    tn-gw:    denial-msg      /usr/local/etc/tn-deny.txt
    tn-gw:    welcome-msg     /usr/local/etc/tn-welcome.txt
    tn-gw:    timeout         3600
    tn-gw:    prompt          "KRWEB>"
    tn-gw:    permit-hosts    210.217.111.* -auth -passok
    tn-gw:    permit-hosts    210.217.111.* 210.217.112.* -auth
    #
    # FTP gateway rules:
    ftp-gw:   userid          bin
    ftp-gw:   directory       /home/ftp
    ftp-gw:   denial-msg      /usr/local/etc/ftp-deny.txt
    ftp-gw:   welcome-msg     /usr/local/etc/ftp-welcome.txt
    ftp-gw:   timeout         3600
    ftp-gw:   permit-hosts    210.217.111.* -authall -dest !202.30.113.2
    ftp-gw:   permit-hosts    210.217.115.* -auth -log { stor }

    #
    # SMAP/SMAPD rules:
    smap, smapd:   userid       smtp
    smap, smapd:   directory    /var/spool/smap
    smap:          timeout      3600
    smapd:         executable   /usr/local/etc/smapd
    smapd:         sendmail     /usr/lib/sendmail
    #
    # Auth server rules:
    authsrv:       permit-hosts    127.0.0.1
    #
    # Auth client rules:
    *:             authserver      127.0.0.1       7777
    #
    # END.

     

    [nic@fw nic]# cat /etc/inetd.conf
    #
    ftp          stream  tcp  nowait  root  /usr/local/etc/ftp-gw    ftp-gw
    ftp-adm      stream  tcp  nowait  root  /usr/local/etc/netacl    in.ftpd
    telnet       stream  tcp  nowait  root  /usr/local/etc/tn-gw     tn-gw
    telnet-adm   stream  tcp  nowait  root  /usr/local/etc/netacl    in.telnetd
    smtp         stream  tcp  nowait  root  /usr/local/etc/smap      smap
    pop          stream  tcp  nowait  root  /usr/local/etc/plug-gw   plug-gw pop
    finger       stream  tcp  nowait  root  /usr/local/etc/netacl    in.fingerd
    authsrv      stream  tcp  nowait  root  /usr/local/etc/authsrv   authsrv
    time         stream  tcp  nowait  root  /usr/sbin/tcpd           in.timed
    time         dgram   udp  wait    root  /usr/sbin/tcpd           in.timed

      

    [nic@fw nic]# cat /etc/services
    ftp             21/tcp
    ftp-adm         2021/tcp
    telnet          23/tcp
    telnet-adm      2023/tcp
    smtp            25/tcp
    pop             110/tcp
    ...

     

    Packet filtering on the inner router

    Rule     Source     Destination   S port   D port   ACK set   Policy
    -------  ---------  -----------   ------   ------   -------   ------
    TELNET   internal   external      >1023    23       Any       permit
             external   internal      23       >1023    Yes       permit
    FTP-1    internal   external      >1023    21       Any       permit
             external   internal      21       >1023    Yes       permit
             internal   external      >1023    >1023    Any       permit
             external   internal      >1023    >1023    Yes       permit
    FTP-2    internal   bastion       >1023    21       Any       permit
             bastion    internal      21       >1023    Yes       permit
             bastion    internal      >1023    >1023    Any       permit
             internal   bastion       >1023    >1023    Yes       permit
    SMTP-1   internal   bastion       >1023    25       Any       permit
             bastion    internal      25       1023     Yes       permit
    SMTP-2   bastion    mail hub      >1023    25       Any       permit
             mail hub   bastion       25       >1023    Yes       permit
    HTTP     internal   bastion       >1023    80       Any       permit
             bastion    internal      80       >1023    Yes       permit
    DNS-1    internal   bastion       53       53       (UDP)     permit
    DNS-2    bastion    internal      53       53       (UDP)     permit
    DNS-3    internal   bastion       >1023    53       Any       permit
             bastion    internal      53       >1023    Yes       permit
    DNS-4    bastion    internal      >1023    53       Any       permit
             internal   bastion       53       >1023    Yes       permit
    DEFAULT  ANY        ANY           ANY      ANY      ANY       deny
             ANY        ANY           ANY      ANY      ANY       deny
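The inner-router table above applied to sample packets, as an added Python example that is not part of the original guide: it walks the rules in order and shows that the ACK-set column is what stops an outsider from opening a connection to an internal high port while replies to internal clients still pass. Constructed assumptions: 10.10.0.0/16 stands for the internal network, 210.217.111.5 (fw, from the guide) for the bastion, everything else is external, and the table's bare "1023" in the SMTP-1 reply row is read as >1023.

```python
from ipaddress import ip_address, ip_network

# Address plan assumed for this example (constructed, apart from the firewall
# address 210.217.111.5 taken from the guide).
INTERNAL_NET = ip_network("10.10.0.0/16")
BASTION_HOSTS = {ip_address("210.217.111.5")}


def zone(addr):
    """Map an address to the zone names used in the table."""
    a = ip_address(addr)
    if a in BASTION_HOSTS:
        return "bastion"
    if a in INTERNAL_NET:
        return "internal"
    return "external"


# Inner-router rules in table order (mail-hub and DNS-4 rows left out for brevity).
# Port spec: an int, ">1023" or "any". ACK "yes": the ACK bit must be set,
# i.e. the packet belongs to a connection that was opened from the other side.
RULES = [
    # name      proto  src         dst         sport    dport    ack    action
    ("TELNET",  "tcp", "internal", "external", ">1023", 23,      "any", "permit"),
    ("TELNET",  "tcp", "external", "internal", 23,      ">1023", "yes", "permit"),
    ("FTP-1",   "tcp", "internal", "external", ">1023", 21,      "any", "permit"),
    ("FTP-1",   "tcp", "external", "internal", 21,      ">1023", "yes", "permit"),
    ("FTP-1",   "tcp", "internal", "external", ">1023", ">1023", "any", "permit"),
    ("FTP-1",   "tcp", "external", "internal", ">1023", ">1023", "yes", "permit"),
    ("SMTP-1",  "tcp", "internal", "bastion",  ">1023", 25,      "any", "permit"),
    ("SMTP-1",  "tcp", "bastion",  "internal", 25,      ">1023", "yes", "permit"),
    ("HTTP",    "tcp", "internal", "bastion",  ">1023", 80,      "any", "permit"),
    ("HTTP",    "tcp", "bastion",  "internal", 80,      ">1023", "yes", "permit"),
    ("DNS-1",   "udp", "internal", "bastion",  53,      53,      "any", "permit"),
    ("DNS-2",   "udp", "bastion",  "internal", 53,      53,      "any", "permit"),
    ("DNS-3",   "tcp", "internal", "bastion",  ">1023", 53,      "any", "permit"),
    ("DNS-3",   "tcp", "bastion",  "internal", 53,      ">1023", "yes", "permit"),
    ("DEFAULT", "any", "any",      "any",      "any",   "any",   "any", "deny"),
]


def port_matches(spec, port):
    if spec == "any":
        return True
    if spec == ">1023":
        return port > 1023
    return port == spec


def filter_packet(proto, src, sport, dst, dport, ack=False):
    """Apply the rules in order; return (action, rule name) of the first match."""
    for name, rproto, rsrc, rdst, rsport, rdport, rack, action in RULES:
        if rproto != "any" and rproto != proto:
            continue
        if rsrc != "any" and rsrc != zone(src):
            continue
        if rdst != "any" and rdst != zone(dst):
            continue
        if not (port_matches(rsport, sport) and port_matches(rdport, dport)):
            continue
        if rack == "yes" and not ack:     # reply-only rule: a bare SYN does not match
            continue
        return action, name
    return "deny", "implicit"


if __name__ == "__main__":
    # Constructed packets: outgoing telnet, an outsider's SYN to an internal high
    # port (dropped), and the matching reply with ACK set (passes as FTP-1 data).
    print(filter_packet("tcp", "10.10.1.7", 40000, "203.0.113.8", 23))
    print(filter_packet("tcp", "203.0.113.8", 40000, "10.10.1.7", 5000))
    print(filter_packet("tcp", "203.0.113.8", 40000, "10.10.1.7", 5000, ack=True))
```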

     

    Packet filtering on the outer router

    Rule     Source     Destination   S port   D port   ACK set   Policy
    -------  ---------  -----------   ------   ------   -------   ------
    TELNET   internal   external      >1023    23       Any       permit
             external   internal      23       >1023    Yes       permit
    FTP-1    internal   external      >1023    21       Any       permit
             external   internal      21       >1023    Yes       permit
             internal   external      >1023    >1023    Any       permit
             external   internal      >1023    >1023    Yes       permit
    FTP-2    Any        bastion       >1023    21       Any       permit
             bastion    Any           21       >1023    Yes       permit
             bastion    Any           >1023    >1023    Any       permit
             Any        bastion       >1023    >1023    Yes       permit
    SMTP-1   Any        bastion       >1023    25       Any       permit
             bastion    Any           25       1023     Yes       permit
    SMTP-2   bastion    Any           >1023    25       Any       permit
             Any        bastion       25       >1023    Yes       permit
    HTTP-1   bastion    Any           >1023    Any      Any       permit
             Any        bastion       Any      >1023    Yes       permit
    HTTP-2   Any        bastion       >1023    80       Any       permit
             bastion    Any           80       >1023    Yes       permit
    DNS-1    bastion    Any           53       53       (UDP)     permit
    DNS-2    Any        bastion       53       53       (UDP)     permit
    DNS-3    Any        bastion       Any      53       (UDP)     permit
             bastion    Any           53       Any      (UDP)     permit
    DNS-4    bastion    Any           >1023    53       Any       permit
             Any        bastion       53       >1023    Yes       permit
    DNS-5    Any        bastion       >1023    53       Any       permit
             bastion    Any           53       >1023    Yes       permit
             bastion    internal      100      1023     Yes       permit
    DEFAULT  ANY        ANY           ANY      ANY      ANY       deny
             ANY        ANY           ANY      ANY      ANY       deny

     

Conclusion

    The screened-subnet architecture is probably the most common firewall architecture, and one that can be set up single-handedly.
    If firewall-related programs such as TCP_WRAPPERS and IPCHAINS are also included in this architecture, an even better security policy can be built.
    Everyone knows that a firewall is the front line of security, but the effort of the system administrator is just as important a part of it.



