<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Firewalling and packets accounting: Principles</TITLE>
<LINK HREF="firewall-3.html" REL=next>
<LINK HREF="firewall-1.html" REL=previous>
<LINK HREF="firewall.html#toc2" REL=contents>
</HEAD>
<BODY>
<A HREF="firewall-3.html">Next</A>
<A HREF="firewall-1.html">Previous</A>
<A HREF="firewall.html#toc2">Contents</A>
<HR>
<H2><A NAME="s2">2. Principles</A></H2>
<P>
<P>
<H2><A NAME="ss2.1">2.1 Packet filtering</A>
</H2>
<P>Packet filtering allows your computer to drop or accept
IP packets based on the following criteria:
<P>
<UL>
<LI>Origin.</LI>
<LI>Destination.</LI>
<LI>Interface on which it was received.</LI>
</UL>
<P>Origin and Destination are qualified by:
<P>
<UL>
<LI>IP number.</LI>
<LI>Port number.</LI>
<LI>Protocol.</LI>
</UL>
<P>
<H2><A NAME="ss2.2">2.2 Bi-directional rules</A>
</H2>
<P>The rules you are entering are bi-directional. In one
screen, you qualify packets flowing from the origin
to the destination and the reverse. This is why
you are allowed to specify the interface twice.
<P>
<H2><A NAME="ss2.3">2.3 Inputing rules</A>
</H2>
<P>You can control the packets which are accepted by your
computer. Inputing rules allow you to discard some packets at
reception time.
<P>
<H2><A NAME="ss2.4">2.4 Forwarding rules</A>
</H2>
<P>You can control packets going through your computer.
One special case of forwarding rules is the masquerading rules.
These are handled in the same user interface (a simple checkbox).
Masquerading is generally used to hide computers on Intranets
and provide them almost full connectivity to the Internet. All
connections to the Internet seem to come from the firewall itself.
<P>
<H2><A NAME="ss2.5">2.5 Outputing rules</A>
</H2>
<P>You can control packets that are about to leave your computer.
You can discard packets at delivery time. Most firewalls can
be implemented using inputing rules.
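<P>The rule model described in sections 2.1 to 2.5, as an added Python example that is not part of this document or of Linuxconf: a rule qualifies origin and destination by address range, port and protocol, names the receiving interface once per direction, matches the origin-to-destination flow and its reverse, and carries the activation checkbox of section 2.6. The Packet, Endpoint and Rule names, the two per-direction interface fields and the sample telnet rule are assumptions made here.

```python
from collections import namedtuple
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Fields: source/destination address and port, protocol, receiving interface.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto iface")

@dataclass(frozen=True)
class Endpoint:
    net: str = "0.0.0.0/0"       # any address
    port: Optional[int] = None   # None = any port

    def matches(self, ip: str, port: int) -> bool:
        return ip_address(ip) in ip_network(self.net) and (self.port is None or self.port == port)

@dataclass(frozen=True)
class Rule:
    origin: Endpoint
    destination: Endpoint
    proto: str = "any"
    iface_from_origin: str = "any"       # receives origin -> destination traffic
    iface_from_destination: str = "any"  # receives the reverse flow (interface given twice)
    action: str = "deny"
    active: bool = True                  # the per-rule activation checkbox

    def matches(self, p: Packet) -> bool:
        if not self.active or self.proto not in ("any", p.proto):
            return False
        # Bi-directional: one rule covers origin -> destination and the reverse.
        forward = (self.origin.matches(p.src_ip, p.src_port)
                   and self.destination.matches(p.dst_ip, p.dst_port)
                   and self.iface_from_origin in ("any", p.iface))
        reverse = (self.origin.matches(p.dst_ip, p.dst_port)
                   and self.destination.matches(p.src_ip, p.src_port)
                   and self.iface_from_destination in ("any", p.iface))
        return forward or reverse

def decide(rules: List[Rule], p: Packet, default: str = "accept") -> str:
    # First matching active rule decides; otherwise the default policy applies.
    return next((r.action for r in rules if r.matches(p)), default)

def deactivate_all(rules: List[Rule]) -> List[Rule]:
    # Switch every rule off without deleting it (the working set, not the configuration).
    return [replace(r, active=False) for r in rules]

# Constructed sample rule: no telnet (tcp/23) between the 192.168.1.0/24 Intranet and anywhere.
NO_TELNET = Rule(Endpoint("192.168.1.0/24"), Endpoint(port=23), proto="tcp",
                 iface_from_origin="eth0", iface_from_destination="eth1")
```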
<P>
<H2><A NAME="ss2.6">2.6 Activating rules globally or selectively</A>
</H2>
<P>
<P>You can permanently deactivate a rule or all rules
without erasing them. This is handy for testing
firewalling capabilities and for establishing
"switchable" policies. Each rule has a checkbox
for activation.
<P>One screen is provided to activate/deactivate all blocking
and forwarding rules at once.
<P>
<H2><A NAME="ss2.7">2.7 When everything goes wrong!</A>
</H2>
<P>Firewalling in <EM>Linux</EM> may be deadly. An improper
configuration can bring the network to its knees. One
command that may save your day is
<P>
<BLOCKQUOTE><CODE>
<PRE>
netconf --resetfw
</PRE>
</CODE></BLOCKQUOTE>
<P>This command deactivates all firewalling rules. It does
not affect the configuration -- it affects only the working set.
<P>
<BLOCKQUOTE><CODE>
<PRE>
netconf --update
</PRE>
</CODE></BLOCKQUOTE>
<P>will reactivate the rules. You may need to use those
two commands to check out if a network malfunction is caused
by your firewalling rules or not.
<P>
<P>
<HR>
</BODY>
</HTML>