2025-01-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
I have been using Mac OS X for more than half a year. It really is cool, and it really is flashy. The Mac has so many features that you could spend a long time exploring them, get carried away with pride, and end up convinced that you are a very fashionable person. I admit I am unsophisticated, not a fan and certainly no expert, so I barely dug into anything beyond the most basic functions of the Mac. Then it suddenly struck me that Mac OS X is actually a BSD. I have known this for a long time, but it was only when I typed man ipfw on the command line that I really wanted to explore the Unix at hand. Unix no longer felt far away; it was right there, and so my MacBook became my Unix test bed.
At first glance the great Unix looks huge, but it is actually easier to use than Linux. The kernel of a network operating system like Cisco IOS is also based on BSD. There are two "IOS"es built on top of BSD, Cisco's IOS and Apple's iOS, which shows how great it is!
1. Firewall software learning process
The first firewall commands I learned were those of Huawei's VRP system. In 2004 I heard a lecturer say that they were almost identical to Cisco's commands. All of us surely assumed plagiarism at the time, so we taught ourselves Cisco and found that it really was very similar, almost exactly the same. When I first saw someone typing commands at a Linux terminal in 2006, I blurted out to my colleagues: that is what we do on a router and a firewall. How embarrassing; in fact it was just Linux. So I taught myself Linux, and it was 2008 by the time I learned iptables.
Thinking about it now, there is not much difference on the command line, and if you type netsh on the Windows command line the result is the same. So I do not think it is plagiarism; at most it is borrowing, and what we have in common underneath must be the same component, which is actually the BSD kernel. In the end, if you compare the various packet filtering mechanisms, you will find that Cisco's, H3C's and Windows's are all the same, with the exception of Linux's Netfilter. Mac OS is based on BSD, so as long as you understand Cisco's command-line firewall commands, finding your way around the firewall commands on Mac OS is easy.
2. ipfw introduction and its similarities and differences with Netfilter
For a brief introduction it is best to run man ipfw; I will not repeat it here. The most important part is one chapter, "PACKET FLOW". Only when you know where in the protocol stack a packet is filtered can you design a good ruleset. The filter points are shown in the following figure:
Compared with Netfilter's 5 HOOK points, this picture looks much cleaner. A packet passes through at most 4 HOOK points, whereas Netfilter is far more complex: its HOOK points are split into 5 according to three factors, before routing, after routing and the result of routing. For rules at any point you must carefully consider the routing result and whether filtering there is possible. The ip_conntrack mechanism and the dynamic rules built on top of conntrack add further complexity.
Here is an excerpt from the ipfw man page:
Also note that each packet is always checked against the complete ruleset, irrespective of the place where the check occurs, or the source of the packet. If a rule contains some match patterns or actions which are not valid for the place of invocation (e.g. trying to match a MAC header within ip_input()), the match pattern will not match, but a not operator in front of such patterns will cause the pattern to always match on those packets. It is thus the responsibility of the programmer, if necessary, to write a suitable ruleset to differentiate among the possible places.
This paragraph says two things. First, the ruleset is global and does not distinguish between HOOK points: at each HOOK point the packet traverses all the rules in the ruleset. Second, the person configuring the rules is expected to handle everything themselves. Let's look at a simple rule that blocks ICMP:
ipfw add deny icmp from any to any
Doesn't it look very much like Cisco's, and not at all like iptables's?
3. ipfw dynamic rules
Netfilter has the ip_conntrack mechanism to track every flow. ip_conntrack is both a blessing and a curse, which is why you can configure NOTRACK in the PREROUTING chain of the raw table. ipfw is different: it can track any flow anywhere. That is its state mechanism. ipfw tracks a flow with keep-state, which creates a dynamic rule for the reverse direction of the packet, and check-state matches the dynamic rules that keep-state created. ipfw state can be kept wherever a rule matches; "keeping" state means creating a dynamic rule whose action is the action of the keep-state rule. This is similar to the cooperation between ip_conntrack and the state match in Netfilter. The following is an example from the man page, which I have annotated:
Check every packet against all dynamically created rules:
ipfw add check-state
Allow TCP traffic originating from the local subnet and create a dynamic rule for it:
ipfw add allow tcp from my-subnet to any setup keep-state
Deny TCP connections originating elsewhere:
ipfw add deny tcp from any to any
Analysis of the above example:
The intranet initiates a TCP connection. Since there is no dynamic rule yet, it matches the second rule directly, which keeps state and creates a reverse dynamic rule. When the connection's return packet arrives at this box, it passes because it matches the dynamic rule. If a TCP connection originating from the public network reaches the private network, it matches the third rule directly. With iptables, the configuration would be as follows:
iptables -t raw -A PREROUTING -p tcp ! -s my-subnet -j NOTRACK
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s my-subnet -j ACCEPT
iptables -A FORWARD -p tcp -j DROP
With ipfw you do not have to track at a specific HOOK point; it can track and check at any point. ipfw can combine tracking and the target in one rule, and you can track for one specific filter rule, whereas Netfilter's iptables has to keep these separate.
4. ipfw and natd
With iptables we can configure NAT in the nat table, but ipfw cannot do this. In BSD, nat is just a target: a user-mode natd process performs the NAT, and you can also use ipnat. Either way, the divert action is used. divert literally means handing control over to other logic, and for NAT that usually means handing control to the natd process. On Mac OS I configure NAT as follows:
ipfw add divert natd all from any to any via en1
natd -interface en1
Here divert natd "routes" the matching packets to the natd process. As for the natd process itself, you can also read its man page; the key description is:
The natd normally runs in the background as a daemon. It is passed raw IP packets as they travel into and out of the machine, and will possibly change these before re-injecting them back into the IP packet stream.
It changes all packets destined for another host so that their source IP number is that of the current machine. For each packet changed in this manner, an internal table entry is created to record this fact. The source port number is also changed to indicate the table entry applying to the packet. Packets that are received with a target IP of the current host are checked against this internal table. If an entry is found, it is used to determine the correct target IP number and port to place in the packet.
So natd maintains its own state and does not need keep-state and check-state. However, if you want to experiment with keep-state and check-state, you may notice that ipfw has a series of interface matches: via, recv and xmit. The example above uses via. If xmit is used, the rule can only apply to packets in the out direction. man ipfw says:
The recv interface can be tested on either incoming or outgoing packets, while the xmit interface can only be tested on outgoing packets. So out is required (and in is invalid) whenever xmit is used.
Note that in/out matches the packet direction, while via/recv/xmit matches the interface. xmit specifies the output interface; for a packet in the in direction no routing decision has been made yet, so the output device cannot be determined and xmit cannot be used. If we create the following rules:
ipfw add divert natd all from any to any xmit en1
natd -interface en1
then all returned packets pass by untouched. Although natd is running, there is no rule that diverts the returned packets to it. To divert them to natd you need keep-state:
ipfw add check-state
ipfw add divert natd all from any to any xmit en1 keep-state
This handles the returned packets. The problem, however, is that the state maintained by the kernel may conflict with the state kept in natd, so this works well for a stateful protocol like TCP and can be unstable for UDP and ICMP.
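To make the stateful example in section 3 and the xmit/keep-state variant just above concrete, here is an added Python model of ipfw's first-match evaluation with keep-state and check-state. It is not ipfw's code and not from the original post: the rule tuple shape, the subnet, addresses and ports are constructed, only xmit is modelled among the interface matches, and divert is treated as a plain verdict.

```python
from ipaddress import ip_address, ip_network

MY_SUBNET = ip_network("192.168.1.0/24")      # constructed stand-in for "my-subnet"

def _addr_ok(pattern, addr):
    return (pattern == "any" or pattern == addr
            or (pattern == "my-subnet" and ip_address(addr) in MY_SUBNET))

def _flow_key(pkt):
    # A dynamic rule matches both directions of a flow, so order the endpoints.
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + tuple(ends)

def evaluate(ruleset, pkt, dynamic):
    """First-match walk of one global ruleset; hypothetical rule shape: (action, proto, src, dst, opts)."""
    for action, proto, src, dst, opts in ruleset:
        if action == "check-state":
            if _flow_key(pkt) in dynamic:
                return dynamic[_flow_key(pkt)]    # dynamic rule carries its parent's action
            continue
        if proto not in ("all", pkt["proto"]):
            continue
        if not (_addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"])):
            continue
        if "setup" in opts and not pkt["syn"]:
            continue                              # setup: TCP SYN without ACK, modelled by the syn flag
        # xmit names the output interface, which exists only for outgoing packets
        if "xmit" in opts and not (pkt["dir"] == "out" and pkt.get("ifout") == opts["xmit"]):
            continue
        if "keep-state" in opts:
            dynamic[_flow_key(pkt)] = action      # keep-state installs the dynamic rule
        return action
    return "allow"                                # assumed default rule 65535 (allow on Mac OS X)

# The post's stateful ruleset and the two natd variants from section 4.
STATEFUL = [("check-state", None, None, None, {}),
            ("allow", "tcp", "my-subnet", "any", {"setup": True, "keep-state": True}),
            ("deny", "tcp", "any", "any", {})]
NAT_XMIT_ONLY = [("divert natd", "all", "any", "any", {"xmit": "en1"})]
NAT_XMIT_STATE = [("check-state", None, None, None, {}),
                  ("divert natd", "all", "any", "any", {"xmit": "en1", "keep-state": True})]

# Constructed sample packets: an inside SYN leaving on en1, its reply, and an outside SYN.
INSIDE = dict(proto="tcp", src="192.168.1.10", sport=40000, dst="203.0.113.5", dport=80, syn=True, dir="out", ifout="en1")
REPLY = dict(proto="tcp", src="203.0.113.5", sport=80, dst="192.168.1.10", dport=40000, syn=False, dir="in", ifin="en1")
OUTSIDE = dict(proto="tcp", src="198.51.100.7", sport=5555, dst="192.168.1.10", dport=22, syn=True, dir="in", ifin="en1")

def run(ruleset, packets):
    # Evaluate packets in order, sharing one dynamic-rule table across them.
    dynamic = {}
    return [evaluate(ruleset, p, dynamic) for p in packets]
```

Running the reply packet against STATEFUL without its check-state rule shows why that rule is needed: the reply is not a SYN, so it falls through to the deny rule.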
5. Finally, a comparison of ipfw and Cisco
After all, it is because of BSD that packets are divided into two directions, in and out, and both can be regarded as applied to interfaces, even though ipfw keeps a global ruleset in the kernel. Netfilter is by no means like this. In addition, Netfilter's iptables distinguishes between INPUT and FORWARD, so FORWARD packets do not pass through the INPUT chain, whereas ipfw has one global ruleset. ipfw and natd rules can be inserted at any position, and any action, including divert natd, can be combined with state to make the action stateful. That is to say, ipfw's mechanism can remember the first matching action for the head of a flow, or for any packet, whereas Netfilter's conntrack and rules are separate: conntrack only tracks the connection, the filter action must match on its own, and there is no dynamic filter rule. Finally, ipfw keeps one copy of the ruleset and repeats the check at up to four HOOK points along the path in the figure from man ipfw.