لطفا منتظر باشید ...
Firewalling
Technically speaking, a firewall is a set of related programs located at the point of ingress that protects the resources of a private network from users on other networks. In more colloquial terms, a firewall is a device that enforces a predesignated policy across an access point to a network. Probably the most limiting factor in firewalls today is the policy. A firewall cannot protect against attacks that it does not know about, and as such the policy should take this situation into account and be as rigid as possible while still enabling work to get done.Techniques for building firewalls vary wildly, as do the implementations that range from simple single-module programs to huge appliances costing in the six-digit price range. Open-source firewall solutions often work extremely well in today's "cubbyhole" networks. To this end, many current operating systems include native kernel-level support for firewalling primitives. The libdnet library makes interacting with these firewall subsystems simple by specifying a standard nomenclature and translating it into the appropriate format for the given operating system. The following code snippet to add a firewall policy rule, modified from the libdnet sample code, assumes that the text string in argv is of the following format: “allow | block in | out <device> | any <proto><src> [: <sport> [-<max> ]]<dst> [:<dport> [-<max> ]] [<type> [/<code>]]”:
struct fw_rule fr
struct protoent *pr;
char *p;
We need at least six arguments to form a legal rule:
if (argc < 6)
{
return (-1);
}
memsettfr, 0, sizeof(*fr));
Determine the context of the rule and to which direction it applies:
fr->fw_op = strcmp(argv[0], "allow") ? FW_OP_BLOCK : FW_OP_ALLOW;
fr->fw_dir = strcmp(argvfl], "in") ? FW_DIR_OUT : FW_DIR_IN;
If we have a specific device named, use that:
if (strcmp(argv[2], "any") != 0)
{
strlcpy(fr->fw_device, argv[2], sizeof(fr->fw_device));
}
Next, figure out the protocol to which the rule applies:
if ((pr = getprotobyname(argv[3])) != NULL)
{
fr->fw_proto = pr->p_proto;
}
else
{
fr->fw_proto = atoi(argv[3]);
}
p = strtok(argv[4], ":");
Handle the source address of the rule:
if (addr_aton(p, &fr->fw_src) < 0)
{
return (-1);
}
if ((p = strtok(NULL, ":")) != NULL)
{
Handle the source port of the rule, accounting for a possible dash (indicating a port range):
fr->fw_sport[0] = (uint16_t)strtol(p, &p, 10);
if (*p == '-')
{
fr->fw_sport[l] = (uint16_t)strtol(p + 1, NULL, 10);
}
else
{
fr->fw_sport[1] = fr->fw_sport[0];
}
}
p = strtok(argv[5] , ":");
Handle the source address of the rule:
if (addr_aton(p, &fr->fw_dst) < 0)
{
return (-1);
}
if ((p = Lcrtok(NULL, ":")) != NULL)
{
Handle the destination port ofthe rule, accounting for a possible dash indicating a port range:
fr->fw_dport[0] = (uint16_t)strtol(p, &p, 10);
if (*p == '-')
{
fr->fw_dport[1] = (uint16_t)strtol(p + 1, NULL, 10);
}
else
{
fr->fw_dport[l] = fr->fw_dport[0];
}
}
if (argc > 6)
{
If we have more than six arguments, the rule has to apply to an ICMP or IGMP protocol; if it does not, a syntax error results:
if (fr- > fw_proto != IP_PROTO_ICMP&& fr->fw_proto != IP_PROTO_IGMP)
{
return (-1);
}
Stick the type and possible code into the port variables, and flag the high-order byte with 0xff:
fr->fw_sport[0] = (uint16_t)strtol(argv[6], &p, 10);
fr->fw_sport[1] = 0xff;
if (*p == '/')
{
fr->fw_dport[0] = (uintl6_t)strtol(p + 1, NULL, 10);
fr->fw_dport[l] = 0xff;
}
}
return (1);
