
3. So what's a packet filter?

A packet filter is a piece of software that looks at the header of each packet passing through it and, from that, decides the fate of the whole packet. It may decide to DROP the packet (that is, discard it as though it had never been received), to ACCEPT the packet (that is, let it through), or to do something more complicated.

Under Linux, packet filtering is built into the kernel (either as a kernel module or compiled straight in), and there are a few trickier things we can do with packets, but the general principle of looking at the headers to decide the fate of the packet is still the same.

3.1 Why would I want to filter packets?

In short: control, security, watchfulness.

Control:

When you use your Linux box to connect your internal network to another network (say, the Internet), you have the opportunity to allow certain kinds of traffic and forbid the rest. For example, a packet's header contains the packet's destination address, so you can stop packets going to a particular part of the outside network. As another example, I use Netscape to connect to the Dilbert archives, and that page carries an advertisement from doubleclick.net, so Netscape wastes my time downloading it. Simply telling the packet filter not to allow any packets from doubleclick.net solves the problem (there are better ways to do this, of course: see Junkbuster).

Security:

When your Linux box is the only passage between your nice, orderly internal network and the chaos of the Internet outside, it is good to know you can restrict what is allowed in through your door. For example, you might let anything out of your internal network, yet worry about the notorious 'Ping of Death' coming in from outside. Or you might not want outsiders telnetting to your Linux box, even though every account is password-protected. Perhaps you want, like most people, to be an observer on the Internet rather than a server (willing or otherwise); the simplest way is to have the packet filter reject any packet that tries to set up a connection, so that nobody can connect in.

Watchfulness:

Sometimes a badly configured machine on the local network will spew packets at the outside world. The good news is that you can have the packet filter tell you when something abnormal happens; you may then do something about it, or perhaps you have long since stopped being surprised.
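To make the ACCEPT/DROP decision concrete, here is an added example (not code from the HOWTO, netfilter or iptables) of a toy header-based filter in Python. It parses the IPv4 and TCP headers of constructed packets and applies ordered rules for the three motivations above: control (drop packets from an assumed ad-server range standing in for doubleclick.net), security (drop a fragment that would reassemble beyond 65535 bytes, the Ping of Death pattern; drop telnet and any other connection-setup SYN arriving from outside while still accepting replies to connections the box itself opened) and watchfulness (log, then drop, forwarded packets whose source address is not on the LAN). The chain names are borrowed from iptables; the Rule fields, the 10.0.0.0/8 LAN, the 192.0.2.0/24 ad range and the other addresses and packets are assumptions made for the example.

```python
# Added example (not from the HOWTO, netfilter or iptables): a toy header-based packet
# filter. Chain names mirror iptables; rule fields, addresses and packets are assumptions.
import ipaddress
import struct
from dataclasses import dataclass
from types import SimpleNamespace

PROTO_ICMP, PROTO_TCP, TCP_SYN, TCP_ACK = 1, 6, 0x02, 0x10
IPV4_MAX = 65535  # largest legal reassembled IPv4 datagram

def parse_header(pkt):
    """Pull out only the header fields the filter decides on (IPv4, plus TCP ports/flags)."""
    (ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    h = SimpleNamespace(src=str(ipaddress.IPv4Address(src)), dst=str(ipaddress.IPv4Address(dst)),
                        proto=proto, total_len=total_len, frag_off=(flags_frag & 0x1FFF) * 8,
                        sport=0, dport=0, tcp_flags=0)
    if proto == PROTO_TCP and len(pkt) >= ihl + 14:  # ports and flags exist only for TCP
        h.sport, h.dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        h.tcp_flags = pkt[ihl + 13]
    return h

def _net_match(spec, addr):
    """iptables-style address match: 'CIDR', or '! CIDR' to invert."""
    net = ipaddress.ip_network(spec.lstrip("! "), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

@dataclass
class Rule:
    target: str              # ACCEPT, DROP, or LOG (LOG records the packet and falls through)
    src: str = None          # source network, e.g. "10.0.0.0/8" or "! 10.0.0.0/8"
    proto: int = None
    dport: int = None
    syn: bool = False        # connection-setup segments only (SYN set, ACK clear)
    oversized: bool = False  # fragment whose reassembly would exceed IPV4_MAX

    def matches(self, h):
        return all([
            self.src is None or _net_match(self.src, h.src),
            self.proto is None or h.proto == self.proto,
            self.dport is None or h.dport == self.dport,
            not self.syn or (h.proto == PROTO_TCP and (h.tcp_flags & (TCP_SYN | TCP_ACK)) == TCP_SYN),
            # Ping of Death signature: offset plus this fragment's length past the IPv4 limit
            not self.oversized or h.frag_off + h.total_len > IPV4_MAX,
        ])

class Chain:
    """Rules are tried in order; the first ACCEPT/DROP match wins, else the chain policy."""
    def __init__(self, name, policy="ACCEPT"):
        self.name, self.policy, self.rules, self.log = name, policy, [], []

    def decide(self, pkt):
        h = parse_header(pkt)
        for r in self.rules:
            if not r.matches(h):
                continue
            if r.target != "LOG":
                return r.target
            self.log.append(f"{self.name} {h.src}:{h.sport}->{h.dst}:{h.dport} proto={h.proto} len={h.total_len}")
        return self.policy

def make_packet(src, dst, proto, sport=0, dport=0, tcp_flags=0, payload=b"", frag_off=0):
    """Constructed test packet: IPv4 header plus an optional bare TCP header."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
          if proto == PROTO_TCP else b"")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, frag_off // 8, 64,
                     proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + l4 + payload

def build_firewall():
    """One rule set per motivation in the text: control, security, watchfulness."""
    lan, ad_net = "10.0.0.0/8", "192.0.2.0/24"  # assumed LAN; ad_net stands in for doubleclick.net
    inp, fwd = Chain("INPUT"), Chain("FORWARD")
    inp.rules += [
        Rule("DROP", src=ad_net),                                   # control: nothing from the ad server
        Rule("DROP", proto=PROTO_ICMP, oversized=True),             # security: Ping of Death
        Rule("DROP", proto=PROTO_TCP, dport=23, src="! " + lan),    # security: no telnet from outside
        Rule("DROP", proto=PROTO_TCP, syn=True, src="! " + lan),    # security: observer, not server
    ]
    fwd.rules += [Rule("LOG", src="! " + lan),                      # watchfulness: LAN traffic with a
                  Rule("DROP", src="! " + lan)]                     # bogus source is logged, then dropped
    return inp, fwd

def run_demo():
    """Decide the fate of constructed packets; returns the decisions and the FORWARD log."""
    inp, fwd = build_firewall()
    outside, box, lan_pc = "203.0.113.9", "10.0.0.1", "10.0.0.7"
    decisions = {
        "ad_packet": inp.decide(make_packet("192.0.2.10", box, PROTO_TCP, 80, 40000, TCP_SYN | TCP_ACK)),
        "inbound_syn": inp.decide(make_packet(outside, box, PROTO_TCP, 5555, 80, TCP_SYN)),
        "inbound_reply": inp.decide(make_packet(outside, box, PROTO_TCP, 80, 40001, TCP_SYN | TCP_ACK)),
        "lan_telnet": inp.decide(make_packet(lan_pc, box, PROTO_TCP, 5556, 23, TCP_SYN)),
        "normal_ping": inp.decide(make_packet(outside, box, PROTO_ICMP, payload=b"\x08" + b"\0" * 7)),
        "ping_of_death": inp.decide(make_packet(outside, box, PROTO_ICMP, payload=b"\0" * 8, frag_off=65528)),
        "spoofed_egress": fwd.decide(make_packet("172.16.3.3", "198.51.100.7", PROTO_TCP, 1, 80, TCP_SYN)),
    }
    return decisions, fwd.log
```

Rule order matters exactly as it does in iptables: the first ACCEPT or DROP that matches ends the walk, LOG records the packet and keeps going, and the chain policy applies only when nothing matched. Note that the SYN rule only stops new TCP connections; a real ruleset for an "observer, not server" box must also say which UDP and ICMP packets may come in.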

3.2 How do I filter packets under Linux?

Linux kernels have had packet filtering since the 1.1 series. The first generation, ported by Alan Cox from BSD's ipfw in 1994, was later enhanced by Jos Vos for Linux 2.0, with the userspace (*) tool 'ipfwadm' controlling the kernel's filtering rules. In mid-1998, with a great deal of help from Michael Neuling, I put considerable effort into Linux kernel 2.2 and introduced the 'ipchains' tool. Finally, the fourth-generation tool for Linux kernel 2.4, 'iptables', was developed along with another kernel rewrite in mid-1999. It is this iptables that this HOWTO concentrates on.

(* Translator's note: "userspace" is a term normally used to distinguish regions of system memory, the main ones being kernel space and user space. The original author may have assumed all readers are programming experts and so used this technical term; for the general reader it may be hard to understand, hence these extra words. Please keep it in mind in the reading that follows.)

You need a kernel with the netfilter infrastructure built in: netfilter is a general framework inside the Linux kernel that other things (such as the iptables module) can plug into. In other words, you need kernel 2.3.15 or newer, and you must answer 'Y' to the CONFIG_NETFILTER option when configuring the kernel.

The iptables tool talks to the kernel and tells it which packets to filter. Unless you are a programmer, or overly curious, this is how you will control packet filtering.

iptables

The iptables tool inserts and removes rules in the kernel's packet filtering table. Those rules live only in kernel memory, so whatever you set up is lost when the system reboots; see Making Rules Permanent for how to make sure your settings are restored the next time Linux boots.

iptables is the replacement for ipfwadm and ipchains: see Using ipchains and ipfwadm for how to painlessly avoid using iptables if you are currently using one of those tools.

