1. TIS-FWTK
The toolkit consists of a netacl module, which performs IP-address-based access control for each service, and one proxy per service; each proxy can be given an authentication function. Each of these service modules consults the netperm-table file, which defines the security policy for the service, to decide whether to provide the service, and it leaves a log record of every denied and permitted connection.
a. NETACL
netacl is a network access control program that decides how far access to the various TCP-based services on the server is permitted. For example, to allow telnet access to the firewall system for certain authorized users, netacl can enable it with an appropriate rule. The same applies to the ftp and rlogin services.
b. TELNET-GW
The telnet proxy tn-gw provides the only path for telnet service to a desired server; it is used in the many network environments where the system administrator does not allow telnet access into the internal network through the firewall host. Unlike netacl, the telnet proxy does not give access to the firewall itself: telnet that passes through netacl is allowed to log in to the firewall host, whereas telnet through the proxy gets only a relayed path that is subject to access control and logging.
The firewall administrator often faces the dilemma of having to provide both an access path for remote administration of the firewall host and the telnet proxy. This is solved by editing /etc/services and /etc/inetd.conf so that the real telnetd listens on a port other than telnet's standard TCP port, while the proxy is bound to the standard telnet port. In that case access control such as netacl is also required on the alternate port for security.
c. FTP-GW
The FTP proxy ftp-gw allows FTP traffic through the firewall host to a private network or to the public network; as with the telnet proxy, the proxy starts when an FTP connection to the standard FTP port on the firewall is detected.
Letting the system that serves as the firewall host provide FTP service itself is not a good idea. The best approach is to run a separate FTP server, but if FTP service is needed for remote administration of the system, then, as with telnet, /etc/services and /etc/inetd.conf can be edited so that the real ftpd listens on a port other than the standard FTP port and the proxy is bound to the standard FTP port. Here too, access control such as netacl is required.
d. SMTP-GW
Correct transfer of mail through the firewall host requires two proxies, called smap and smapd. smap implements only a minimal subset of SMTP: it accepts messages from the network and stores them on disk so that smapd can forward the stored messages later. Because smap, the component that talks to the network, is designed to run chrooted as a non-privileged process, it provides a higher level of security than an ordinary privileged mailer.
The smapd daemon periodically scans the storage area in which smap stores mail and delivers the collected messages to their recipients. Delivery is performed by the MTA (Mail Transfer Agent) sendmail, and messages that have been delivered are deleted. If a message cannot be delivered, smapd sets it aside in the storage area so that it can be retried later.
e. PLUG-GW
For TCP-based services that should be transparent to the user (NNTP, POP), the toolkit provides plug-gw, a generic plug-board style proxy.
f. Authentication server
Authentication is an optional function that each proxy can use. Of the supported authentication methods, Bellcore's S/KEY is widely used.
g. Other tools
The reporting function of the current TIS Firewall Toolkit can be considered reasonably complete, but because reporting is text-based, analysis of the resulting reports may be somewhat difficult. This document does not cover RLOGIN-GW, the authentication server or the other tools.
2. Bastion host
In general, a bastion host is the firewall host that is most critical to network security. In most cases it is the Linux (Unix) system placed between two packet-filtering routers. The external router permits only traffic between the Internet and the bastion; the internal router permits only traffic between the internal network and the bastion.
2.1 Building a Linux bastion host
a. Raise the security level of the machine itself.
Apply fixes for all known system bugs so that the system is in a lean, intact state, and make use of the system logs.
b. Stop every service that is not needed.
Leave only the services the Linux machine absolutely needs to operate and stop the rest. The services normally disabled when building a bastion host are NFS, RPC, boot services, the BSD 'r' commands, routed, fingerd, uucpd, rwhod and lpd; it is safest not to provide these on the bastion host.
c. Delete all unnecessary user accounts.
Unless strictly required, every user account on the bastion host should be removed; a bastion host with no user accounts can offer a higher level of security.
d. Remove unimportant files and commands.
setuid/setgid programs in particular are a primary target for attackers, so every one the bastion does not genuinely need must be removed. The programs to review can be listed as follows (the parentheses are needed so that -ls applies to both branches, and the setuid bit is 04000, not 040000):
[nic@fw nic]# find / -type f \( -perm -04000 -o -perm -02000 \) -ls
e. Disable IP forwarding and source routing.
Some of the features the kernel offers carry security risk and should be removed first: IP forwarding off, IP masquerading off, and the NFS/RPC related features. If the bastion host is built as a dual-homed host, IP forwarding must be disabled, otherwise packets can cross between its two interfaces without passing through the proxies. Check it as follows (0 means forwarding is off):
[nic@fw nic]# cat /proc/sys/net/ipv4/ip_forward
0
[nic@fw nic]# grep "FORWARD_IPV4" /etc/sysconfig/network
FORWARD_IPV4=no
f. Use security auditing tools to find and remove security weaknesses.
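The checks in steps d and e can be scripted. The following is an added example, not code from the original page or from the FWTK: it reads the two kernel settings and walks the filesystem for setuid/setgid files. The `root` argument is there so the checks can be run against a constructed directory tree; the expected values are the page's (forwarding off) plus source-route acceptance off, which step e also calls for.

```python
# Added example (not from the original page or the FWTK): audit the bastion
# hardening steps above -- forwarding/source-routing sys ctls and setuid/setgid
# files.  `root` lets the checks run against a constructed tree; on a real
# host use the default "/".
import os
import stat

# Expected kernel settings for a dual-homed bastion (the /proc paths are the
# standard Linux ones): forwarding off, and source-routed packets refused.
EXPECTED_SYSCTLS = {
    "/proc/sys/net/ipv4/ip_forward": "0",
    "/proc/sys/net/ipv4/conf/all/accept_source_route": "0",
}


def read_sysctl(path, root="/"):
    """Return the stripped contents of a /proc sysctl file, or None if unreadable."""
    full = os.path.join(root, path.lstrip("/"))
    try:
        with open(full) as fh:
            return fh.read().strip()
    except OSError:
        return None


def check_sysctls(root="/", expected=EXPECTED_SYSCTLS):
    """Map each expected sysctl path to (actual value, matches expectation)."""
    result = {}
    for path, want in expected.items():
        got = read_sysctl(path, root)
        result[path] = (got, got == want)
    return result


def find_setid_files(root="/"):
    """Sorted paths of regular files with the setuid or setgid bit set.

    Same selection as: find ROOT -type f \\( -perm -4000 -o -perm -2000 \\)
    os.walk does not follow symlinks, so each file is reported once.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:          # vanished or unreadable entry: skip it
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(full)
    return sorted(found)


def audit(root="/"):
    """Print a report and return True only when every sysctl check passes."""
    ok = True
    for path, (got, good) in check_sysctls(root).items():
        ok = ok and good
        print(("OK   " if good else "BAD  ") + f"{path} = {got}")
    setid = find_setid_files(root)
    print(f"{len(setid)} setuid/setgid file(s); remove those the bastion does not need:")
    for path in setid:
        print("     " + path)
    return ok


if __name__ == "__main__":
    raise SystemExit(0 if audit() else 1)
```

Run as root on the bastion it exits non-zero when forwarding or source-route acceptance is still on; the setuid list is printed for review rather than acted on, since a few programs (passwd, su) normally have to keep the bit.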
2.2 Compiling FWTK
Create Makefile.config, set the compile-related variables, then build and install.
[nic@fw nic]# cd /usr/local/src/fwtk
[nic@fw nic]# cp Makefile.config.linux Makefile.config
[nic@fw nic]# vi Makefile.config
# compiler installed on the system
CC=cc
# directory in which the executables are installed
DEST=/usr/local/etc
# FWTK source directory
FWTKSRCDIR=/usr/local/src/fwtk
# database library
DBMLIB=-lgdbm
# proxy/service directories to build (tn-gw and authsrv are also used later in this document)
DIRS= smap smapd netacl plug-gw ftp-gw tn-gw authsrv
2.3 Edit the service-related files
Most FWTK components are started by the inetd daemon, and inetd reads inetd.conf. For inetd to start the firewall components when a network service is requested from outside, "inetd.conf" must therefore be edited. Each service also needs a port number and protocol entry in /etc/services.
2.4 Define the access control rules
netperm-table holds the access control rules that decide which networks/hosts a service is provided to. By default the file lives in "/usr/local/etc/"; the part to the left of the ":" (colon) names the service, and the part to the right lists the permitted networks and related settings. Rules for a service are scanned in order and the first matching rule is used.
2.5 Testing the firewall
The firewall's functions can be checked from a host on the same Ethernet segment, using the access control rules defined above. The other network services can be tested the same way.
3. Building an application-layer firewall in practice
R1: external router   R2: internal router   B1: bastion host (WWW / FTP server)   B2: bastion host (SMTP / 2nd nameserver)   S1: BBS   S2: mail hub, 1st nameserver, POP3   S3: NAT (ipchains)   S4: file server   DB: RDBMS   C1...: client PCs
Packet filtering rules are configured on R1 and R2, and the related proxy servers are built on the bastion hosts with access control rules applied. The complete configuration files are given at the end of this article.
3.1 Network access control
Rule names are normally formed by combining netacl- with the name of the service; for the service in.ftpd the rule is named netacl-in.ftpd.
netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.telnetd
netacl-in.telnetd: permit-hosts 210.217.111.* -exec /usr/sbin/in.telnetd
netacl-in.telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
netacl-in.ftpd: permit-hosts 210.217.111.* -exec /usr/sbin/in.ftpd
netacl-in.ftpd: permit-hosts unknown -exec /bin/cat /usr/local/etc/noftp.txt
netacl-in.ftpd: permit-hosts * -chroot /home/ftp -exec /usr/sbin/in.ftpd
netacl-in.fingerd: permit-hosts 210.217.111.* -exec /usr/sbin/in.fingerd
netacl-in.fingerd: permit-hosts unknown -exec /bin/cat /usr/local/etc/nofinger.txt
In this example netacl is configured so that the real service is permitted only to hosts on a particular subnet; connections from systems without a valid DNS name (the keyword unknown) are answered by printing a fixed file; and FTP requests from every other network are served by a separate FTP server confined to a specific directory (-chroot), so the service offered there can be restricted. Because the first matching rule wins, the specific entries must precede the catch-all "*" lines.
3.2 Running the telnet proxy
The tn-gw program is started by the inetd daemon; edit /etc/inetd.conf as follows.
telnet stream tcp nowait root /usr/local/etc/tn-gw tn-gw
Once inetd has been reloaded, tn-gw relays the telnet service between the client and the real telnet server, applying network/host access control and logging while it does so.
Set the access rules for tn-gw in netperm-table as follows.
tn-gw: userid bin
tn-gw: directory /home
tn-gw: prompt "KRWEB@telnet-gw>"
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: denydest-msg /usr/local/etc/tn-denydest.txt
tn-gw: timeout 3600
tn-gw: deny-hosts unknown
# Rules are matched in order and the first match wins, so the restricted
# 210.217.112.* rule must come before the unrestricted one.
tn-gw: permit-hosts 210.217.112.* -dest bbs.krweb.co.kr -dest !* -passok -xok
tn-gw: permit-hosts 210.217.111.*
Access rules: a connection is refused when the client's domain name cannot be found in DNS. Only access from the 210.217.111.0 and 210.217.112.0 networks is allowed. Of the connections requested from the 210.217.112.0 network, only those to bbs.krweb.co.kr are allowed and every other request is refused. Because the first matching permit-hosts line wins, the restricted 210.217.112.* rule has to come before the unrestricted one; in the other order every 210.217.112.* client would be allowed to connect anywhere.
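The ordering point above is easy to verify mechanically. The following is an added example, not code from the original page or from the FWTK: a minimal evaluator for netperm-table permit-hosts/deny-hosts lines, modelling only the syntax this page uses ("*" wildcards in host patterns, "unknown" for clients with no reverse DNS name, and "-dest pattern" / "-dest !pattern" scanned in order). The two rule sets inside it are constructed: the page's tn-gw rules in the order first shown, and the same rules with the restricted line moved first.

```python
# Added example (not code from the original page or the FWTK): a minimal
# evaluator for netperm-table permit-hosts / deny-hosts lines, to show the
# property the tn-gw rules above depend on -- the first matching line wins,
# so a broad permit placed before a narrower one silently disables it.
import fnmatch
import shlex

# Constructed inputs: the page's tn-gw rules in the order first shown, and
# the same rules with the restricted 210.217.112.* line moved first.
ORIGINAL_ORDER = """
tn-gw: deny-hosts unknown
tn-gw: permit-hosts 210.217.111.* 210.217.112.*
tn-gw: permit-hosts 210.217.112.* -dest bbs.krweb.co.kr -dest !* -passok -xok
"""
FIXED_ORDER = """
tn-gw: deny-hosts unknown
tn-gw: permit-hosts 210.217.112.* -dest bbs.krweb.co.kr -dest !* -passok -xok
tn-gw: permit-hosts 210.217.111.*
"""


def parse_rules(text, app):
    """Return [(action, host_patterns, dest_patterns)] for one application."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        apps, rest = line.split(":", 1)
        if app not in [a.strip() for a in apps.split(",")]:
            continue
        words = shlex.split(rest)
        if not words or words[0] not in ("permit-hosts", "deny-hosts"):
            continue          # userid, timeout, prompt ... are not access rules
        action = "permit" if words[0] == "permit-hosts" else "deny"
        hosts, dests, i = [], [], 1
        while i < len(words) and not words[i].startswith("-"):
            hosts.append(words[i])
            i += 1
        while i < len(words):
            if words[i] == "-dest" and i + 1 < len(words):
                dests.append(words[i + 1])
                i += 2
            else:
                i += 1        # -passok, -xok, -auth ... do not affect matching
        rules.append((action, hosts, dests))
    return rules


def host_matches(pattern, addr, name):
    """'unknown' matches a client with no reverse name; else glob on address or name."""
    if pattern == "unknown":
        return name is None
    if fnmatch.fnmatchcase(addr, pattern):
        return True
    return name is not None and fnmatch.fnmatchcase(name, pattern)


def decide(rules, addr, name, dest=None):
    """First matching host rule decides; no match means deny.

    For a permit rule the -dest list is scanned in order too: the first
    pattern that matches the destination permits it, or denies it when the
    pattern is negated with "!".  That is why the page closes the list with
    "-dest !*": a destination matching no -dest pattern is otherwise allowed.
    """
    for action, hosts, dests in rules:
        if not any(host_matches(h, addr, name) for h in hosts):
            continue
        if action == "deny" or dest is None:
            return action
        for pattern in dests:
            negated = pattern.startswith("!")
            if fnmatch.fnmatchcase(dest, pattern.lstrip("!")):
                return "deny" if negated else "permit"
        return "permit"
    return "deny"


if __name__ == "__main__":
    for label, text in (("original order", ORIGINAL_ORDER), ("fixed order", FIXED_ORDER)):
        rules = parse_rules(text, "tn-gw")
        verdict = decide(rules, "210.217.112.7", "pc7.branch.example", "nownuri.net")
        print(f"{label}: 210.217.112.7 -> nownuri.net: {verdict}")
```

With the original order a 210.217.112.* client is permitted to reach nownuri.net, because the unrestricted line answers first; with the restricted line moved up the same request is denied and only bbs.krweb.co.kr is reachable.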
Connecting through the telnet proxy
Access from an authorized network:
[nic@ns nic]$ telnet fw.krweb.co.kr
Trying 210.217.111.10
Connected to fw.krweb.co.kr.
Escape character is '^]'.
******************** < Welcome > ************************
Welcome to the KRWEB firewall telnet proxy. Type ? for command help.
*******************************************************
KRWEB@telnet-gw>connect nownuri.net
Not permitted to connect to nownuri.net
KRWEB@telnet-gw>connect linux.krweb.co.kr
Trying 210.217.111.5
Connected to linux.krweb.co.kr.
Escape character is '^]'.
login:_
In this example the rules in effect forbid access to every host except *.krweb.co.kr, so telnet to nownuri.net is refused while the connection to linux.krweb.co.kr is allowed.
Access from an unauthorized network:
[nic@xxx nic]$ telnet fw.krweb.co.kr
Connecting to fw.krweb.co.kr ...
**************** < Warning > *****************************
You are connecting from a network that is not authorized. This telnet service is not permitted.
*********************************************************
Connection closed by foreign host
Here a client on an unauthorized network is shown the access-denial message file and the connection is closed.
3.3 Running the FTP proxy
Edit /etc/inetd.conf as follows to enable the proxy.
ftp stream tcp nowait root /usr/local/etc/ftp-gw ftp-gw
As with tn-gw, ftp-gw decides whether to accept a connection according to the access rules in netperm-table. Set the rules for ftp-gw as follows.
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: denydest-msg /usr/local/etc/ftp-baddest.txt
ftp-gw: timeout 3600
ftp-gw: deny-hosts unknown
ftp-gw: permit-hosts 210.217.111.* 210.217.112.* -log { retr stor }
ftp-gw: permit-hosts * -authall -log { retr stor }
Access rules: with these rules a connection is refused when the client's domain name cannot be found in DNS; access from the 210.217.111 and 210.217.112 networks is allowed without proxy authentication; clients from anywhere else must pass the proxy's authentication (-authall) before they can use it; and every file transfer (retr, stor) is logged.
Access through the ftp proxy
Without the authentication option (connection from an authorized network)
[nic@ns nic]$ ftp fw
Connected to fw.krweb.co.kr
220-
220-
220- Welcome to the firewall FTP proxy.
220- Log in as userid@hostname (e.g. test@someplace.net)
Name (firewall:test): test@someplace.net
331-(----GATEWAY CONNECTED TO someplace.net----)
331-(220 hen FTP server (UNIX(r) System V Release 4.0) ready.)
331 Password required for test.
Password:
230 User test logged in.
ftp>
Without the authentication option (access from an unauthorized network)
[nic@xxx nic]$ ftp fw
Connected to fw.krweb.co.kr.
500-
500-**************<Warning>****************
500-FTP service is not available.
500-Customer support e-mail: helpme@krweb.co.kr
500
ftp>
With the authentication option
[nic@ns nic]$ ftp fw
Connected to fw.krweb.co.kr.
220-
220-
220-Welcome to the firewall FTP proxy.
220-After user authentication, enter the following:
220-user userid@hostname (e.g. user test@someplace.net)
Name (firewall:nic): nic
331 Enter authentication password for nic
Password:
230 User authenticated to proxy
ftp> user test@someplace.net
331-(----GATEWAY CONNECTED TO someplace.net----)
331-(220 hen FTP server (UNIX(r) System V Release 4.0) ready.)
331 Password required for test.
Password:
230 User test logged in.
ftp>
Once the FTP proxy's own user authentication has completed, the FTP connection to the desired site is requested in the form "user user@site".
3.4 Running the sendmail proxy
(1) Installing the SMTP client (smap)
smap runs each time a connection request arrives at the firewall host's smtp port. As with the other proxies, configure /etc/inetd.conf as follows.
smtp stream tcp nowait root /usr/local/etc/smap smap
After editing inetd.conf, restart the inetd daemon to activate smap, then check the smtp port by hand.
[nic@ns nic]$ telnet fw 25
Trying 210.217.111.5...
Connected to fw.krweb.co.kr.
Escape character is '^]'.
220 firewall SMTP/smap Ready.
quit
221 Closing connection
Connection closed by foreign host.
$
Configuring smap: smap behaves according to the rules in netperm-table that begin with smap.
smap: userid smtp
smap: directory /var/spool/smap
smap: timeout 3600
# maxbytes is the largest message accepted, in bytes; 10000 (about 10 KB) is small for real traffic and will refuse most attachments
smap: maxbytes 10000
smap: maxrecip 20
(2) Installing the smapd application
Unlike smap, which is started by inetd on each connection request, smapd is started automatically at boot through a script file /etc/rc3.d/S88smapd. In this case the existing sendmail must be taken out of daemon mode.
# /etc/rc.d/init.d/sendmail stop      or      # ntsysv -> remove sendmail
Then create a new Sxx smapd script (xx is a number) with an editor.
# vi S88smapd
echo "Starting Firewall Mail Processor ..."
/usr/local/etc/smapd
Because sendmail no longer runs in daemon mode, messages that could not be delivered and have accumulated in the queue must be delivered by a periodically invoked sendmail. Add the following line to the crontab (no space after the comma):
0,30 * * * * /usr/lib/sendmail -q > /dev/null 2>&1
With this line, messages that smapd could not deliver successfully are still delivered reliably later.
Configuring smapd: smapd periodically reads the mail queue and delivers the messages to the remote systems.
smapd: executable /usr/local/etc/smapd
smapd: sendmail /usr/lib/sendmail
smapd: userid smtp
smapd: directory /var/spool/smap
smapd: baddir /var/spool/smap/bad
smapd: wakeup 900
DNS configuration for smapd: for mail passing through the firewall system to be delivered successfully and correctly, MX records must be published in the local DNS zone so that it is clear where SMTP mail for the domain is to be sent. This is done by adding MX (mail exchanger) records and registering them with the network domain or the local DNS provider.
The following output was obtained with the nslookup command; it shows the mail exchangers registered as follows.
[nic@ns nic]# nslookup
Default Server: ns.krweb.co.kr
Address: 210.217.111.1
> set q=mx
> krweb.co.kr
Server: ns.krweb.co.kr
Address: 210.217.111.1
krweb.co.kr preference = 10, mail exchanger = mail.krweb.co.kr
krweb.co.kr preference = 1, mail exchanger = fw.krweb.co.kr
krweb.co.kr nameserver = ns2.krweb.co.kr
krweb.co.kr nameserver = ns.krweb.co.kr
mail.krweb.co.kr internet address = 210.217.111.3
fw.krweb.co.kr internet address = 210.217.111.5
ns2.krweb.co.kr internet address = 210.217.111.2
ns.krweb.co.kr internet address = 210.217.111.1
>
Consider mail sent from some host to the domain krweb.co.kr: the sending host first looks up the mail exchangers for krweb.co.kr. The rule that decides which host is contacted first is simple: the lowest preference value wins. In the example above the firewall host fw.krweb.co.kr has preference 1 and is therefore contacted first. The recommended setup is to give the firewall host the lowest preference value, so that no other system is contacted directly from outside. If the lowest-preference system cannot handle the service, the next one is contacted, here mail.krweb.co.kr. When mail is delivered to mail.krweb.co.kr, the sendmail daemon on mail.krweb.co.kr is responsible for forwarding it to fw.krweb.co.kr, the lowest-preference system; sendmail's behaviour is governed by the sendmail.cf file on that machine. Note that a secondary MX which is reachable from the Internet on port 25 lets any sender bypass the smap relay entirely, so the packet filters must block direct SMTP from outside to mail.krweb.co.kr (the security policy in section 4 limits SMTP to 210.217.111.3 to the branch network for this reason).
3.5 Running the POP proxy
For the firewall to accept connections for the POP service, /etc/inetd.conf must be edited so that inetd runs plug-gw whenever a connection request arrives on the POP port.
pop stream tcp nowait root /usr/local/etc/plug-gw plug-gw 110
To provide POP service through the firewall, a plug-gw configuration must be added to netperm-table. Since the POP port is defined as 110 in /etc/services, the following setting does it.
plug-gw: port 110 210.217.112.* -plug-to 210.217.111.110
This line says that any connection received on port 110 (POP) from the 210.217.112 network is plugged through to 210.217.111.110. Then configure the POP server in the MUA (Mail User Agent) as the firewall system. plug-gw only copies bytes in both directions: it adds no authentication of its own, and POP passwords cross the connection in clear text exactly as they would without the proxy, so the source-network restriction on this line is the only control.
3.6 Running the HTTP proxy
This document does not use the HTTP-GW of TIS-FWTK; instead a dedicated web proxy server, squid, is used.
Site access restrictions: site access restrictions are defined with ACLs (Access Control Lists); think of an ACL as a named list of values that describe a site access rule.
The HTTP proxy configuration file is /usr/local/squid/etc/squid.conf. The ACL definitions are in the lower middle of this file. After defining an ACL it must be put into effect with an http_access statement, otherwise it does nothing.
(Example /usr/local/squid/etc/squid.conf)
# cache-related settings omitted
#----------------------------------
#
# Access settings (ACL = access control list)
# This is where the sites to be blocked are configured so that
# undesirable sites cannot be reached.
#
# Usage
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# 1) match the clients at the given ip-address(es); '0.0.0.0/0.0.0.0' matches everyone.
# acl aclname src ip-address/netmask ... (client IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
#
# 2) match the sites at the given ip-address(es).
# acl aclname dst ip-address/netmask ... (URL host's IP address)
#
# 3) match clients whose domain is foo.com.
# acl aclname srcdomain foo.com ... (taken from reverse DNS lookup)
#
# 4) match sites in the domain foo.com.
# acl aclname dstdomain foo.com ... (taken from the URL)
#
# 5) match requests made between h1:m1 and h2:m2; day-abbrevs can also limit the days.
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2
#
# 6) match URLs beginning with http://www (the leading ^ is required;
#    without ^ the pattern matches anywhere in the URL, not only at the start)
# acl aclname url_regex ^http://www # regex matching on whole URL
#
# 7) match gif files so that they are not transferred.
# acl aclname urlpath_regex \.gif$ ... # regex matching on URL path only
#
# 8) match connections to specific ports.
# acl aclname port 80 70 21 ...
#
# 9) match use of HTTP and FTP.
# acl aclname proto HTTP FTP ...
#
# 10) match requests that use the listed HTTP methods.
# acl aclname method GET POST ...
#
# ---------------------------------
# Examples)
# to block URLs that start with http://sex
# --> acl denysex url_regex ^http://sex
# to block URLs that contain adult.com anywhere
# --> acl denyadult url_regex adult.com
#
#----------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT
# internal networks that may use this proxy (the addresses used throughout this document)
acl localnet src 210.217.111.0/255.255.255.0 210.217.112.0/255.255.255.0
# ACLs defined by the administrator; the names must match the http_access lines below exactly
acl sexsite01 url_regex ^http://come.to/ladyx
acl sexsite02 url_regex ^http://sexygirl.com
acl sexsite03 url_regex ^http://www.korean-babes.com
#########################################################################
#
# The ACLs defined above are put into effect here.
# (allow permits, deny refuses)
#
# An ACL defined above does nothing until it is referenced here!!
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# Access to the ICP port:
# icp_access allow|deny [!]aclname ...
#
# Example) to enable the denysex ACL defined above:
# ---> http_access deny denysex
#
###################################
# Only allow access to the cache manager functions from the local host.
http_access deny manager !localhost
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_ports
# Decide allow/deny for the ACLs defined above.  http_access lines are evaluated
# in order and the first line whose ACLs all match decides, so the denies must
# precede the final allow.
http_access deny sexsite01
http_access deny sexsite02
http_access deny sexsite03
###################################
# Allow the internal networks and refuse everyone else; "http_access allow all"
# here would make the bastion an open proxy for any host that can reach its port.
http_access allow localnet
http_access deny all
# Reply to all ICP queries we receive
icp_access allow all
4. Creating the security policy
When a network administrator builds a firewall using routers, the first thing to establish is the range and the kinds of Internet services to be provided. The following scope and services can be defined.

For external users:
- web and file transfer services are provided;
- authorized networks (the branch office) may use telnet and e-mail services on internal servers;
- all other Internet services are restricted.

Policy   Action     S_PORT   D_PORT   S_IP     D_IP
BBS      allow      >1023    23       branch   210.217.111.6
FTP      allow      >1023    21       Any      210.217.111.5
WEB      allow      >1023    80       Any      210.217.111.4
SMTP     restrict   >1023    25       branch   210.217.111.3
POP      allow      >1023    110      branch   210.217.111.3
DNS      allow      >1023    53       branch   210.217.111.1
other    restrict   >1023    >1023    Any      210.217.111/24

("branch" is the branch-office network 210.217.112.0/24 used in the router access lists below; "restrict" means the service is allowed only from the listed source, or refused outright when the source is Any.)

For internal users:
- access to undesirable sites is restricted (only possible when the network address of the site is known);
- all other Internet services may be used.

Policy        Action     S_PORT   D_PORT   S_IP             D_IP
adult sites   restrict   >1023    80       210.217.111/24   adult site
DB            allow      >1023    3306     210.217.111/24   210.217.111.88
other         allow      >1023    >1023    210.217.111/24   Any
Information needed to build the router ACL
Every IP packet carries the source IP address, destination IP address, source port and destination port, and the router filters particular packets by combining these fields.

Configuring access-lists on a Cisco router

Basic ACL definitions for internal users' packets
RT(config)# access-list 101 permit tcp any any established
RT(config)# access-list 101 permit tcp any any gt 1023
RT(config)# access-list 101 permit udp any any gt 1023
RT(config)# access-list 101 permit tcp 210.217.111.0 0.0.0.255 host 210.217.111.88 eq 3306
Security policy ACL definitions for external users
RT(config)# access-list 101 permit tcp any host 210.217.111.4 eq 80
RT(config)# access-list 101 permit tcp any host 210.217.111.5 eq 20
RT(config)# access-list 101 permit tcp any host 210.217.111.5 eq 21
Security policy ACL definitions for the branch office
RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.6 eq 23
RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.3 eq 25
RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.1 eq 53
RT(config)# access-list 101 permit udp 210.217.112.0 0.0.0.255 host 210.217.111.1 eq 53
RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.3 eq 110
Security policy ACL definition for adult sites
RT(config)# access-list 101 deny tcp 203.255.112.0 0.0.0.255 host 206.251.29.11 eq www
Security policy ACL definition for all other, unpermitted packets
RT(config)# access-list 101 deny ip any any

Notes on this list: MySQL (3306) and POP3 (110) use TCP only, so udp permits for those ports add nothing and are omitted; the POP rule targets 210.217.111.3, the POP3 server in the policy above, not the nameserver. The line "permit tcp any any gt 1023" is matched before every more specific line below it, so with this list any source, not only 210.217.111.0/24, reaches 210.217.111.88 on 3306, and any port above 1023 on any host behind the router is reachable; that line is only acceptable on an interface where every packet it sees originates inside the network. The adult-site deny uses the source network 203.255.112.0/24, which differs from the 210.217.111.0/24 internal network used elsewhere in this document; adjust it to the actual internal range.
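The notes above can be checked against the list itself. The following is an added example, not from the original page: an evaluator for the extended access-list syntax used here, modelling only what these lines use (any, host, address plus wildcard mask, eq/gt/lt with numeric or named ports, and established, which matches TCP segments carrying ACK or RST). Lines are tried in order, the first match decides, and anything unmatched falls to the implicit deny. The access list embedded in it is a constructed copy of list 101 as corrected above, and the packets are constructed.

```python
# Added example (not from the original page): an evaluator for the extended
# access-list lines above, to check what list 101 really permits before it is
# bound to an interface.  First match decides; an unmatched packet hits the
# implicit deny at the end of every access list.
import ipaddress

NAMED_PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23,
               "smtp": 25, "domain": 53, "pop3": 110}

# Constructed copy of the page's list 101 (with the POP host corrected to .3).
ACL_101 = """
RT(config)# access-list 101 permit tcp any any established
RT(config)# access-list 101 permit tcp any any gt 1023
RT(config)# access-list 101 permit udp any any gt 1023
RT(config)# access-list 101 permit tcp 210.217.111.0 0.0.0.255 host 210.217.111.88 eq 3306
RT(config)# access-list 101 permit udp 210.217.111.0 0.0.0.255 host 210.217.111.88 eq 3306
RT(config)# access-list 101 permit tcp any host 210.217.111.4 eq 80
RT(config)# access-list 101 permit tcp any host 210.217.111.5 eq 20
RT(config)# access-list 101 permit tcp any host 210.217.111.5 eq 21
RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.6 eq 23
RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.3 eq 25
RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.1 eq 53
RT(config)# access-list 101 permit udp 210.217.112.0 0.0.0.255 host 210.217.111.1 eq 53
RT(config)# access-list 101 permit tcp 210.217.112.0 0.0.0.255 host 210.217.111.3 eq 110
RT(config)# access-list 101 permit udp 210.217.112.0 0.0.0.255 host 210.217.111.3 eq 110
RT(config)# access-list 101 deny tcp 203.255.112.0 0.0.0.255 host 206.251.29.11 eq www
RT(config)# access-list 101 deny ip any any
"""


def _port(tok):
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok]


def _take_addr(words, i):
    """Parse one address spec at words[i]; return (masked base, care mask, next index)."""
    if words[i] == "any":
        return 0, 0, i + 1
    if words[i] == "host":
        return int(ipaddress.IPv4Address(words[i + 1])), 0xFFFFFFFF, i + 2
    base = int(ipaddress.IPv4Address(words[i]))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(words[i + 1]))  # wildcard bit 1 = don't care
    return base & care, care, i + 2


def _take_port(words, i):
    """Parse an optional 'eq|gt|lt PORT' at words[i]."""
    if i < len(words) and words[i] in ("eq", "gt", "lt"):
        return (words[i], _port(words[i + 1])), i + 2
    return None, i


def parse_acl(text):
    """Return the access-list entries as dicts, in configuration order."""
    rules = []
    for raw in text.splitlines():
        if "access-list" not in raw:
            continue
        w = raw[raw.index("access-list"):].split()   # drop the RT(config)# prompt
        src, src_care, i = _take_addr(w, 4)          # w[2] action, w[3] protocol
        sport, i = _take_port(w, i)
        dst, dst_care, i = _take_addr(w, i)
        dport, i = _take_port(w, i)
        rules.append({"action": w[2], "proto": w[3],
                      "src": (src, src_care), "sport": sport,
                      "dst": (dst, dst_care), "dport": dport,
                      "established": "established" in w[i:]})
    return rules


def _addr_ok(spec, addr):
    base, care = spec
    return (int(ipaddress.IPv4Address(addr)) & care) == base


def _port_ok(spec, port):
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def evaluate(rules, proto, src, sport, dst, dport, ack=False):
    """Return (action, 1-based line number) of the first matching entry."""
    for n, r in enumerate(rules, 1):
        if r["proto"] not in ("ip", proto):
            continue
        if r["established"] and not (proto == "tcp" and ack):
            continue              # 'established' needs a TCP segment with ACK/RST
        if (_addr_ok(r["src"], src) and _port_ok(r["sport"], sport)
                and _addr_ok(r["dst"], dst) and _port_ok(r["dport"], dport)):
            return r["action"], n
    return "deny", None           # implicit deny


if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    # An outside host opening a connection to the internal database port:
    print(evaluate(rules, "tcp", "198.51.100.9", 40000, "210.217.111.88", 3306))
    # Branch-office telnet to the BBS host:
    print(evaluate(rules, "tcp", "210.217.112.5", 4000, "210.217.111.6", 23))
```

The first call answers ('permit', 2): the outside host reaches 3306 through the "gt 1023" line before line 4, which restricts 3306 to 210.217.111.0/24, is ever consulted. The same line admits a new connection to any port above 1023 on any host, which is why lines 1 to 3 belong only on an interface whose packets all originate inside.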
General rules for filtering Internet services at the firewall
This section looks at Internet service filtering in the most common firewall architecture, the screened subnet.

Service configuration
Telnet: outgoing telnet is provided through packet filtering. Incoming telnet from outside is provided through the proxy (limited to the bbs).
ftp: outgoing file transfer is provided through packet filtering. Incoming ftp from outside is provided through the proxy (limited to anonymous ftp); only authenticated users may use the proxy.
Smtp: the DNS MX records direct incoming mail through the bastion host. Internal machines are configured to send outgoing mail through the bastion host, and the bastion host is configured to pass incoming mail to the internal mail server and outgoing mail to its destination.
http: outgoing web access is provided through packet filtering, and undesirable web sites are excluded through the proxy. The public web server is placed on the perimeter network.
Dns: the bastion host on the perimeter runs the secondary nameserver, and the primary nameserver runs on the internal network.

Packet filtering rules
The filtering rules assumed for the hypothetical router provide the following:
- incoming and outgoing packets are distinguished;
- source and destination addresses and ports, and the packet type, can be distinguished;
- for TCP packets, whether or not the ACK bit is set is filtered (a segment with ACK set belongs to a connection that already exists, so admitting only ACK-set segments in one direction lets replies through without admitting new connections from that side);
- rules are applied in order.
[nic@fw nic]# cat /usr/local/etc/netperm-table
# Netacl rules:
netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.telnetd
netacl-in.telnetd: permit-hosts 210.217.111.* -exec /usr/sbin/in.telnetd
netacl-in.telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
netacl-in.ftpd: permit-hosts 210.217.111.* -exec /usr/sbin/in.ftpd
netacl-in.ftpd: permit-hosts unknown -exec /bin/cat /usr/local/etc/noftp.txt
netacl-in.ftpd: permit-hosts * -chroot /home/ftp -exec /usr/sbin/in.ftpd
#
# Telnet gateway rules:
tn-gw: userid bin
tn-gw: directory /home/telnet
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: timeout 3600
tn-gw: prompt "KRWEB>"
tn-gw: permit-hosts 210.217.111.* -auth -passok
# 210.217.111.* is already matched by the line above, so this line applies to 210.217.112.*
tn-gw: permit-hosts 210.217.111.* 210.217.112.* -auth
#
# FTP gateway rules:
ftp-gw: userid bin
ftp-gw: directory /home/ftp
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: timeout 3600
ftp-gw: permit-hosts 210.217.111.* -authall -dest !202.30.113.2
ftp-gw: permit-hosts 210.217.115.* -auth { stor } -log { retr stor }
#
# SMAP/SMAPD rules:
smap, smapd: userid smtp
smap, smapd: directory /var/spool/smap
smap: timeout 3600
smapd: executable /usr/local/etc/smapd
smapd: sendmail /usr/lib/sendmail
#
# Auth server rules:
authsrv: permit-hosts 127.0.0.1
#
# Auth client rules:
*: authserver 127.0.0.1 7777
#
# END.
[nic@fw nic]# cat /etc/inetd.conf
ftp        stream tcp nowait root /usr/local/etc/ftp-gw  ftp-gw
ftp-adm    stream tcp nowait root /usr/local/etc/netacl  in.ftpd
telnet     stream tcp nowait root /usr/local/etc/tn-gw   tn-gw
telnet-adm stream tcp nowait root /usr/local/etc/netacl  in.telnetd
smtp       stream tcp nowait root /usr/local/etc/smap    smap
pop        stream tcp nowait root /usr/local/etc/plug-gw plug-gw pop
finger     stream tcp nowait root /usr/local/etc/netacl  in.fingerd
authsrv    stream tcp nowait root /usr/local/etc/authsrv authsrv
time       stream tcp nowait root /usr/sbin/tcpd         in.timed
time       dgram  udp wait   root /usr/sbin/tcpd         in.timed
[nic@fw nic]# cat /etc/services
ftp          21/tcp
ftp-adm      2021/tcp
telnet       23/tcp
telnet-adm   2023/tcp
smtp         25/tcp
pop          110/tcp
...
Internal router (R2) packet filtering

Rule      Source     Destination   Src port   Dst port   ACK set   Action
TELNET    Internal   External      >1023      23         Any       allow
          External   Internal      23         >1023      Yes       allow
FTP-1     Internal   External      >1023      21         Any       allow
          External   Internal      21         >1023      Yes       allow
          Internal   External      >1023      >1023      Any       allow
          External   Internal      >1023      >1023      Yes       allow
FTP-2     Internal   Bastion       >1023      21         Any       allow
          Bastion    Internal      21         >1023      Yes       allow
          Bastion    Internal      >1023      >1023      Any       allow
          Internal   Bastion       >1023      >1023      Yes       allow
SMTP-1    Internal   Bastion       >1023      25         Any       allow
          Bastion    Internal      25         >1023      Yes       allow
SMTP-2    Bastion    Mail hub      >1023      25         Any       allow
          Mail hub   Bastion       25         >1023      Yes       allow
HTTP      Internal   Bastion       >1023      80         Any       allow
          Bastion    Internal      80         >1023      Yes       allow
DNS-1     Internal   Bastion       53         53         (UDP)     allow
DNS-2     Bastion    Internal      53         53         (UDP)     allow
DNS-3     Internal   Bastion       >1023      53         Any       allow
          Bastion    Internal      53         >1023      Yes       allow
DNS-4     Bastion    Internal      >1023      53         Any       allow
          Internal   Bastion       53         >1023      Yes       allow
DEFAULT   Any        Any           Any        Any        Any       deny

External router (R1) packet filtering

Rule      Source     Destination   Src port   Dst port   ACK set   Action
TELNET    Internal   External      >1023      23         Any       allow
          External   Internal      23         >1023      Yes       allow
FTP-1     Internal   External      >1023      21         Any       allow
          External   Internal      21         >1023      Yes       allow
          Internal   External      >1023      >1023      Any       allow
          External   Internal      >1023      >1023      Yes       allow
FTP-2     Any        Bastion       >1023      21         Any       allow
          Bastion    Any           21         >1023      Yes       allow
          Bastion    Any           >1023      >1023      Any       allow
          Any        Bastion       >1023      >1023      Yes       allow
SMTP-1    Any        Bastion       >1023      25         Any       allow
          Bastion    Any           25         >1023      Yes       allow
SMTP-2    Bastion    Any           >1023      25         Any       allow
          Any        Bastion       25         >1023      Yes       allow
HTTP-1    Bastion    Any           >1023      Any        Any       allow
          Any        Bastion       Any        >1023      Yes       allow
HTTP-2    Any        Bastion       >1023      80         Any       allow
          Bastion    Any           80         >1023      Yes       allow
DNS-1     Bastion    Any           53         53         (UDP)     allow
DNS-2     Any        Bastion       53         53         (UDP)     allow
DNS-3     Any        Bastion       Any        53         (UDP)     allow
          Bastion    Any           53         Any        (UDP)     allow
DNS-4     Bastion    Any           >1023      53         Any       allow
          Any        Bastion       53         >1023      Yes       allow
DNS-5     Any        Bastion       >1023      53         Any       allow
          Bastion    Any           53         >1023      Yes       allow
          Bastion    Internal      100        1023       Yes       allow
DEFAULT   Any        Any           Any        Any        Any       deny

In both tables the rows of a rule are evaluated in order, and in each TCP pair only the reply direction requires ACK to be set, so a new connection can be opened only from the side listed first.
Conclusion
The screened subnet architecture is probably the most common firewall architecture that one person can set up alone. Adding firewall-related programs such as TCP_WRAPPERS and IPCHAINS to this architecture allows a better security policy to be built. Everyone knows that a firewall is the front line of security, but the effort of the system administrator is an equally important part of it.