Tuesday, 22 December 2009

Tomato Seeds Could Replace Aspirin

London, Tomato seeds are an alternative medicine that is healthier than chemical drugs. With the natural substance found in tomato seeds, there is no longer any need to take painkillers such as aspirin.

According to the results of clinical trials, the natural gel found in tomato seeds can maintain healthy blood circulation by preventing blood clotting. With circulation kept healthy, the body's metabolism runs more smoothly, and if this is maintained it can help a person live longer.

The gel, discovered and extracted from tomato seeds by researchers in the United Kingdom, has been patented and named Fruitflow. It is colourless and tasteless and can be added to food without changing the food's characteristics.

Aspirin, or acetylsalicylic acid (acetosal), is a drug often used as an analgesic (pain reliever), antipyretic (fever reducer) and anti-inflammatory (for inflammation). Aspirin also has an anticoagulant (anti-clotting) effect and is used in low doses to prevent heart attacks.

However, its effect is that blood clots more slowly, so excessive bleeding can occur. For that reason, people who are about to undergo surgery or who have bleeding problems are not allowed to take aspirin.

At present, millions of people around the world, especially the elderly, take a small dose of aspirin every day to improve blood flow in the body. Even in small doses, aspirin taken continuously can produce side effects such as bleeding in the stomach or ulcers.

Professor Asim Dutta-Roy of the Rowett Institute, Aberdeen, discovered this property of tomato seeds while studying the effects of the Mediterranean diet, which is known for its high consumption of vegetables, especially tomatoes.

He said that the seeds are a part of the tomato that should not be discarded when it is eaten, because they contain a gel that is very beneficial to the body and will not produce any side effects even when consumed in large quantities.

"Within 3 hours of consuming tomato seeds, blood flow in the body will visibly run very smoothly. This effect lasts for 18 hours, which is why it is best consumed regularly. If you want to make tomato juice, it is best not to remove the seeds," said Professor Asim, as quoted from the Telegraph, Wednesday (23/12/2009).

Strong Teeth by Eating Protein

Chicago, Fluoride and calcium are the elements that make teeth strong. But researchers have identified a substance other than fluoride and calcium that strengthens teeth: eating plenty of protein.

That substance is an amino acid found in protein. The amino acid found in healthy, strong tooth enamel is proline, which helps the growth of enamel crystals on the teeth.

This study is expected to serve as a guide for dentists and oral health experts who want to produce a strong layer of enamel.

"We hope that one day this discovery can help people who want to replace their damaged enamel with healthier, stronger enamel," said Tom Diekwisch of the University of Illinois Chicago College of Dentistry, as quoted from HealthDay, Wednesday (23/12/2009).

Proline is a remarkable amino acid because it is the key to understanding the structure and function of a wide range of natural proteins, including the amyloid proteins associated with Alzheimer's disease.

This study is useful not only for dental health but also for neurodegenerative diseases, or hereditary nerve diseases.

"Although not all proteins contain proline, there is no harm in eating more protein to keep teeth healthy and strong," said Diekwisch. The study was published in the journal PLoS Biology.

Thursday, 10 December 2009

The Habit of Opening Windows That Is Being Forgotten

The small habit of opening windows has begun to be forgotten by many people. Yet that small habit has a big effect on health. Better-off people, for example, more often use air conditioning (AC), while those without AC are reluctant to open their windows out of concern for security.

"A healthy home and environment play a major role in building an Indonesian society that is healthy, strong and smart, so that it can achieve a better future," said Apsara Herman, Head of Group Marketing & Branding at Holcim Indonesia, at the seminar Bangun Kepedulian dan Pengetahuan Masyarakat akan Rumah Sehat (Building Public Awareness and Knowledge of Healthy Homes) at Pancious Pancake House, Jakarta, Thursday (10/12/2009).

Everyone surely wants an ideal, healthy home. There is no need to dream of a big house and a lush garden; it is enough to have a good concept of air circulation and lighting.

"There should be at least 30 percent openings in a room," said Nina M Pelawi, Brand Development Manager of PT Holcim Indonesia Tbk.

The function of openings, or windows, is to let light and air into the room so that bacteria die when exposed to sunlight.

"Sunlight is good for our bodies too. The more sunlight that enters a house, the healthier the people living in it," said Nina.

A study by researchers from the University of Alabama, Birmingham, found that a lack of exposure to sunlight can reduce brain function (make people sluggish).

Openings also keep the air inside the house from becoming stale and stuffy. Unfortunately, even though their houses have windows, many people forget to open them.

"The windows should be opened every morning; don't be afraid a thief will get in. A house needs to breathe too," said Nina.

One tip for keeping a house cool and fresh: make vents in the lower and upper parts of the house's walls.

"Cold air and cool pressure come from below, so there needs to be a vent in the lower part of the wall for cold air to come in from outside. To let hot air out of the house, make a ventilation opening in the upper part of the wall, because hot air collects at the top of the room. That is the benefit of vents at the bottom and the top: they keep the circulation of cold and hot air running properly," Nina explained.

Health starts from the smallest environment: the home. Start looking again at whether conditions at home are healthy. Don't forget the small habit of opening the windows every day for a better life.

Friday, 02 October 2009

Losing Weight by Drinking Cold Water Is Not Effective

There are various ways to lose weight. Some people use cold water as a weight-loss tool. But is this a healthy method to follow?

Excess calories are a sensitive issue for most people. But the most important thing to understand is the difference between the calories in food and the calories contained in water.

The word calorie in food is used to indicate the amount of energy contained in a quantity of food. The calorie in water, on the other hand, is the amount of energy needed to raise the temperature of 1 gram of water by 1 degree Celsius.

If that is how it is calculated, then how can cold water be used to burn calories in the human body?

When a person drinks cold water, the body has to burn calories or fat to raise the temperature of the cold drink, so that the cold water entering the body matches the body's own temperature, as quoted from HowStuffWorks, Friday (2/10/2009).

For example, if someone drinks 0.5 litres of cold water, equivalent to 473.18 calories, at a temperature of zero degrees while the body temperature is 37 degrees Celsius, the body has to raise the temperature of that water to 37 degrees Celsius. So the body only burns 17.5 calories.

Judging from the number of calories the body burns, losing weight by drinking cold water will not have a significant effect on the body. So do not expect too much from trying to lose weight just by drinking cold water. Moreover, this method is not particularly healthy for the body either.

The most effective way to lose weight is to manage a proper diet, live a healthy lifestyle and exercise regularly to burn the body's excess calories.

Babies Born Today Could Live to 100

Not many people live to the age of 100. But researchers in Denmark estimate that more than half of the babies born in rich countries today could live to 100 if current lifestyle trends continue.

As is known, an increase in the number of very old people can pose major challenges to health and social systems. But the research shows that such problems may not arise if the elderly not only live longer but also stay healthy.

The study used the population of Germany as its case study. The results show that by 2050 Germany's population will be substantially older. This means a smaller workforce that will have to pull together. Many governments in developed countries are currently raising their retirement ages.

"Large increases in life expectancy, of more than 30 years, have been seen in most developed countries since the 20th century," said Kaare Christensen of the Danish Aging Research Center, as quoted from Reuters, Friday (2/10/2009).

Christensen added that if current health conditions do not change, 75 percent of babies born in the countries with the longest life expectancy, such as Japan, Sweden and Spain, will be able to celebrate their 75th birthday.

The growing number of elderly people is the result of increased support that lets the weak and the sick survive longer. Today, although many people are found who survive to the age of 85, on average they have chronic diseases such as diabetes, arthritis or heart disease that will only leave them weak and disabled in later years.

It is hoped that with today's technological advances, people will be able to detect diseases earlier and improve the treatment and cure of common illnesses, so that babies born today can live longer and possibly reach the age of 100.

Monday, 07 September 2009

Presbyopia and Dry Eyes

Many changes occur in the eyes as age advances: from visual acuity to the deterioration of the tissues around the eye such as the eyelids, the tear ducts and the tears themselves. Changes can also occur in the cornea, the vitreous body and the nerve layer, or retina.

The process of vision involves many things. In a normal eye, parallel rays from a distant object are bent by the cornea and the lens. These rays are focused exactly on the retina, or macula, and are then passed through the optic nerve to the brain, producing clear vision.

However, this process declines in old age. In older people, presbyopia, or ageing eyes, begins to occur. Presbyopia, as explained by Dr. Rumita Salim Kadarisman, Sp.M, is a decline in the accommodative ability of the eye's lens, so that the lens is no longer strong enough to accommodate and make the rays fall on the retina. This condition usually begins at the age of 40.

"To deal with it, reading glasses or plus glasses are needed," said Dr. Rumita. The strength of plus glasses generally tops out at +3. If the number is higher than that, you should suspect the possibility of another problem with your vision.

Besides the decline in vision, older people also frequently complain of dry eyes, or dry eye. According to Dr. Rumita, 6 percent of people aged 40 or over experience dry eyes. The percentage rises to 10-15 percent among those over 65.

In the early stages, dry eye is marked by a gritty feeling, stinging, soreness, quick fatigue and occasionally disturbed vision. Dr. Rumita said the Schirmer test can be done to measure the amount of tears.

"Normally, the tear measurement is more than 10 mm. But if it is less than 10 mm, it can be called dry eye," explained Dr. Rumita.

In the advanced stage, the eye becomes dirty and the blood vessels on the surface of the eye dilate. Treatment can be given once complaints begin. Artificial tear drops can be given as a moisturiser, but an ophthalmologist should be consulted, because the most important thing is to have the eyes examined first to find out what the problem is.

Sunday, 06 September 2009

Protect 80 Million Children from Cigarette Advertising in Films

Cigarette advertising in films is still circulating freely, and it can have a negative impact on children. Child protection activists are asking that the Film Bill (RUU Perfilman) being debated by the DPR include a ban on depictions of smoking in film products.

Muhammad Joni, Deputy Chairman of the National Commission for Child Protection (Komnas Perlindungan Anak), said that some 80 million Indonesian children must receive the attention of Commission X of the DPR RI, and in particular of the Panja (working committee) and Pansus (special committee) on the Film Bill, so as to protect them from the negative effects of cigarette advertising in films.

In his view, all forms of cigarette advertising and promotion in a film, which clearly have a negative impact on children, cannot be justified.

"The Film Bill should not neglect children's right to be protected from various destructive and negative effects, namely by ensuring a ban on cigarette advertising, promotion and sponsorship in film-making. This includes a ban on depictions of smoking in film products," Joni said in a written statement received by detikcom, Saturday (5/9/2009).

The Film Bill is currently being debated in Commission X of the DPR RI. It is hoped that the end of the legislators' term at the end of this September will not make the debate on the bill hurried, causing it to neglect crucial matters such as this cigarette advertising and promotion material.

Joni explained that the ban is intended to prevent the addictive effects of the dangers of cigarettes, which kill and impoverish the people, and to stop the tobacco industry's desire to enter into or piggyback on the image of artists or the image of film as a creative work consumed by the public.

"After all, film is a work of art that is watched and consumed by the public, including children," he stressed.

Indonesia is the only country in the Asia Pacific that has not yet ratified the Framework Convention on Tobacco Control (FCTC), leaving it isolated and a stranger in the world of tobacco control. Therefore, Joni said, some 80 million Indonesian children are placing great hope in Commission X of the DPR RI and in particular in the Panja and Pansus on the Film Bill.

"The Film Bill is expected to accommodate the interests of children and become a bulwark for children against the bad influence of cigarettes," he concluded.

Virus 'Eats Away' Rp 8 Billion of City Council Money

A city council in England has had to lose Rp 8 billion because its IT system was wrecked by a virus. The virus came from a memory stick belonging to one of its employees that was plugged into one of its computers.

Besides a quantity of the council's data vanishing, a far from trivial amount of money also evaporated.

At the very least, one service, the library service, lost around 25,000 pounds sterling because the data holding library fines vanished. And 1,838 parking tickets had to be cancelled, causing a loss of 90,000 pounds sterling.

As quoted by detikINET from the Daily Mail, Sunday (6/9/2009), the loss suffered by Ealing council in England was the result of carelessness by one of its own employees. The employee carelessly inserted a virus-contaminated memory stick into a computer in operation at the housing department in East London.

From one computer, the virus spread through Ealing council's IT system over several days. Ealing's report states: "As soon as the memory stick was plugged in, the virus immediately attacked the host PC and blocked connections to anti-virus and Microsoft Support sites. It then spread across the whole Ealing network."

As a result, the council had to lose 501,000 pounds sterling, or around Rp 8 billion. That money went on the cost of IT work and their lost income.

Monday, 31 August 2009

Appendix A - Example Scripts

RC Script using GFCC

#!/bin/bash
#
# Firewall Script - Version 0.9.1
#
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
# Set for testing
# set -x
#
# NOTES:
#
# This script is written for RedHat 6.1 or better.
#
# Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
# 1. place this file in /etc/rc.d/init.d (you'll have to be root..)
# call it something like "firewall" :-)
# make it root owned --> "chown root.root (filename)"
# make it executable --> "chmod 755 (filename)"
#
# 2. use GFCC to create your firewall rules and export them to a file
# named /etc/gfcc/rules/firewall.rule.sh.
#
# 3. add the firewall to the RH init structure --> "chkconfig --add (filename)"
# next time the router boots, things should happen automagically!
# sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
# 30 Jan, 2000 - Changed to GFCC script
# 11 Dec, 1999 - updated by Mark Grennan
# 20 July, 1999 - initial writing - Anthony Ball
#

################################################

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Public (internet-facing) interface; the "test" mode below masquerades on it.
# ppp0 is an assumed value: set it to your own external interface.
PUBLIC=ppp0

# See how we are called
case "$1" in

start)
# Start providing access
action "Starting firewall: " /bin/true
/etc/gfcc/rules/firewall.rule.sh
echo
;;

stop)
action "Stopping firewall: " /bin/true
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

echo
;;

restart)
action "Restarting firewall: " /bin/true
$0 stop
$0 start

echo
;;

status)
# List out all settings
/sbin/ipchains -L
;;

test)
action "Test Mode firewall: " /bin/true
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A input -j ACCEPT
/sbin/ipchains -A output -j ACCEPT
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i $PUBLIC -j MASQ

echo
;;

*)
echo "Usage: $0 {start|stop|restart|status|test}"
exit 1

esac

15.2 GFCC script

This script was generated by the Graphical Firewall program (GFCC). This is not the working rule set. This is the exported rules set.

#!/bin/sh
# Generated by Gtk+ firewall control center

IPCHAINS=/sbin/ipchains

localnet="192.168.1.0/24"
firewallhost="192.168.1.1/32"
localhost="127.0.0.0/8" # loopback range (not 172.0.0.0/8)
DNS1="24.94.163.119/32"
DNS2="24.94.163.124/32"
Broadcast="255.255.255.255/32"
Multicast="224.0.0.0/8"
Any="0.0.0.0/0"
mail_grennan_com="192.168.1.1/32"
mark_grennan_com="192.168.1.3/32"

$IPCHAINS -P input DENY
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT

$IPCHAINS -F
$IPCHAINS -X

# input rules
$IPCHAINS -A input -s $Any -d $Broadcast -j DENY
$IPCHAINS -A input -p udp -s $Any -d $Any netbios-ns -j DENY
$IPCHAINS -A input -p tcp -s $Any -d $Any netbios-ns -j DENY
$IPCHAINS -A input -p udp -s $Any -d $Any netbios-dgm -j DENY
$IPCHAINS -A input -p tcp -s $Any -d $Any netbios-dgm -j DENY
$IPCHAINS -A input -p udp -s $Any -d $Any bootps -j DENY
$IPCHAINS -A input -p udp -s $Any -d $Any bootpc -j DENY
$IPCHAINS -A input -s $Multicast -d $Any -j DENY
$IPCHAINS -A input -s $localhost -d $Any -i lo -j ACCEPT
$IPCHAINS -A input -s $localnet -d $Any -i eth1 -j ACCEPT
$IPCHAINS -A input -s $localnet -d $Broadcast -i eth1 -j ACCEPT
$IPCHAINS -A input -p icmp -s $Any -d $Any -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any -j ACCEPT ! -y
$IPCHAINS -A input -p udp -s $DNS1 domain -d $Any 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $DNS2 domain -d $Any 1023:65535 -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any ssh -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any telnet -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any smtp -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any pop-3 -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any auth -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any www -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any ftp -j ACCEPT
$IPCHAINS -A input -s $Any -d $Any -j DENY -l

# forward rules
$IPCHAINS -A forward -s $localnet -d $Any -j MASQ

# output rules

15.3 RC Script without GFCC

This is the firewall rule set built by hand. It does not use GFCC.

#!/bin/bash
#
# Firewall Script - Version 0.9.0

# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel

# Set for testing
# set -x

#
# NOTES:
#
# This script is written for RedHat 6.0 or better.
#
# This firewall script should work for most routers, dial-up or cable modem.
# It was written for RedHat distributions.
#
# Be careful about offering public services like web or ftp servers.
#
# INSTALLATION:
# 1. This file planned for a RedHat system. It would work
# on other distro's with perhaps no modification, but again...
# Who knows?!!? These instructions apply to RedHat systems.
#
# 2. place this file in /etc/rc.d/init.d (you'll have to be root..)
# call it something like "firewall" :-)
# make it root owned --> "chown root.root (filename)"
# make it executable --> "chmod 755 (filename)"
#
# 3. set the values for your network, internal interface, and DNS servers
# uncomment lines further down to enable optional in-bound services
# make sure "eth0" is your internal NIC (or change the value below)
# test it --> "/etc/rc.d/init.d/(filename) start"
# you can list the rules --> "ipchains -L -n"
# fix anything that broke... :-)
#
# 4. add the firewall to the RH init structure --> "chkconfig --add (filename)"
# next time the router boots, things should happen automagically!
# sleep better at night knowing you are *LESS* vulnerable than before...
#
# RELEASE NOTES
# 20 July, 1999 - initial writing - Anthony Ball
# 11 Dec, 1999 - updated by Mark Grennan
#

################################################
# Fill in the values below to match your
# local network.

PRIVATENET=xxx.xxx.xxx.xxx/xx

PUBLIC=ppp0
PRIVATE=eth0

# your dns servers
DNS1=xxx.xxx.xxx.xxx
DNS2=xxx.xxx.xxx.xxx

################################################

# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# See how we are called
case "$1" in

start)
# Start providing access
action "Starting firewall: " /bin/true

##
## Setup Environment
##
# Flush all lists
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

# Plug up everything
/sbin/ipchains -I input 1 -j DENY

# set policy to deny (Default is ACCEPT)
/sbin/ipchains -P input DENY
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT

# Turn on packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

##
## Install Modules
##
# Insert the active ftp module. This will allow non-passive ftp to machines
# on the local network (but not to the router since it is not masq'd)
if ! ( /sbin/lsmod | /bin/grep masq_ftp > /dev/null ); then
/sbin/insmod ip_masq_ftp
fi

##
## Some Security Stuff
##
# turn on Source Address Verification and get spoof protection
# on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
else
echo
echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
echo
fi

# deny bcasts on remaining interfaces
/sbin/ipchains -A input -d 0.0.0.0 -j DENY
/sbin/ipchains -A input -d 255.255.255.255 -j DENY

# deny these without logging 'cause there tend to be a lot...
/sbin/ipchains -A input -p udp -d $ANY 137 -j DENY # NetBIOS over IP
/sbin/ipchains -A input -p tcp -d $ANY 137 -j DENY # ""
/sbin/ipchains -A input -p udp -d $ANY 138 -j DENY # ""
/sbin/ipchains -A input -p tcp -d $ANY 138 -j DENY # ""
/sbin/ipchains -A input -p udp -d $ANY 67 -j DENY # bootp
/sbin/ipchains -A input -p udp -d $ANY 68 -j DENY # ""
/sbin/ipchains -A input -s 224.0.0.0/8 -j DENY # Multicast addresses

##
## Allow private network out
##
# allow all packets on the loopback interface
/sbin/ipchains -A input -i lo -j ACCEPT

# allow all packets from the internal "trusted" interface
/sbin/ipchains -A input -i $PRIVATE -s $PRIVATENET -d $ANY -j ACCEPT
/sbin/ipchains -A input -i $PRIVATE -d $ALLONES -j ACCEPT

##
## Allow Outside Services into the firewall (if you dare)
##
# allow ICMP
/sbin/ipchains -A input -p icmp -j ACCEPT
# allow TCP
/sbin/ipchains -A input -p tcp ! -y -j ACCEPT

# allow lookups to DNS (on firewall)
/sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY 1023: -j ACCEPT
/sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY 1023: -j ACCEPT
# or (BETTER IDEA) run a caching DNS server on the router and use the
# following two lines instead...
# /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY domain -j ACCEPT
# /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY domain -j ACCEPT

# uncomment the following to allow ssh in
/sbin/ipchains -A input -p tcp -d $ANY 22 -j ACCEPT

# uncomment the following to allow telnet in (BAD IDEA!!)
/sbin/ipchains -A input -p tcp -d $ANY telnet -j ACCEPT

# uncomment to allow NTP (network time protocol) to router
# /sbin/ipchains -A input -p udp -d $ANY ntp -j ACCEPT

# uncomment to allow SMTP in (not for mail clients - only a server)
/sbin/ipchains -A input -p tcp -d $ANY smtp -j ACCEPT

# uncomment to allow POP3 in (for mail clients)
/sbin/ipchains -A input -p tcp -d $ANY 110 -j ACCEPT

# allow auth in for sending mail or doing ftp
/sbin/ipchains -A input -p tcp -d $ANY auth -j ACCEPT

# uncomment to allow HTTP in (only if you run a web server on the router)
/sbin/ipchains -A input -p tcp -d $ANY http -j ACCEPT

# uncomment to allow FTP in
/sbin/ipchains -A input -p tcp -d $ANY ftp -j ACCEPT

##
## Masquerading stuff
##
# masquerade packets forwarded from internal network
/sbin/ipchains -A forward -s $PRIVATENET -d $ANY -j MASQ

##
## deny EVERYthing else and log them to /var/log/messages
##
/sbin/ipchains -A input -l -j DENY

# Remove the Plug
/sbin/ipchains -D input 1

;;

stop)
action "Stopping firewall: " /bin/true
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

echo
;;

restart)
action "Restarting firewall: " /bin/true
$0 stop
$0 start

echo
;;

status)
# List out settings
/sbin/ipchains -L
;;

test)
##
## This is about as simple as it gets
## (This is not secure AT ALL)
action "WARNING Test Firewall: " /bin/true
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A input -j ACCEPT
/sbin/ipchains -A output -j ACCEPT
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i $PUBLIC -j MASQ

echo
;;

*)
echo "Usage: $0 {start|stop|restart|status|test}"
exit 1

esac

Making Management Easy

Firewall tools

There are several software packages that will make managing your firewall easier.

Be careful: don't use these tools unless you could do without them. These scripts make it just as easy to make a mistake as they do to help you get it right.

Both graphical and web-based interfaces are being developed to work with the Linux filtering rules. Some companies have even created commercial firewalls based on Linux by putting it in their own box with their own management code. (Nice.)

I'm not really a GUI guy. However, I have been using firewalls with GUI interfaces for some time. I've found they help by providing a nice report of all the rules in one easy glance.

gfcc (GTK+ Firewall Control Center) is a GTK+ application which can control Linux firewall policies and rules, based on the ipchains package. Go to http://icarus.autostock.co.kr and get your copy. This is a really good tool.

I have included RC scripts in Appendix A. These scripts work with and without gfcc.

There are lots of scripts available to set up a firewall. One very complete script is available at http://www.jasmine.org.uk/~simon/bookshelf/papers/instant-firewall/instant-firewall.html. Another well-done script is at http://www.pointman.org/.

Kfirewall is a GUI front end for ipchains or ipfwadm (depending on your kernel version). http://megaman.ypsilonia.net/kfirewall/

FCT is an HTML-based tool for the configuration of a firewall. It features automatic script generation for IP-filtering commands (ipfwadm) on a firewall for multiple interfaces and any Internet services. http://www.fen.baynet.de/~ft114/FCT/firewall.htm

13.2 General tools

WebMin is a general system admin package. It will not help you manage the firewall rules, but it will help you with turning daemons and processes on and off. This program is VERY good; I'm hoping J. Cameron will include an IPCHAINS module. http://www.webmin.com/

Advanced Configurations

There is one configuration I would like to go over before wrapping this document up. The one I have just outlined will probably suffice for most people. However, I think the next outline will show a more advanced configuration that can clear up some questions. If you have questions beyond what I have just covered, or are just interested in the versatility of proxy servers and firewalls, read on.

12.1 A large network with emphasis on security

Say, for instance, you are the leader of a militia and you wish to network your site. You have 50 computers and a subnet of 32 (5 bits) IP numbers. You need various levels of access within your network because you tell your followers different things. Therefore, you'll need to protect certain parts of the network from the rest.

The levels are:

1. The external level. This is the level that gets shown to everybody. This is where you rant and rave to get new volunteers.
2. Troop. This is the level of people who have gotten beyond the external level. Here is where you teach them about the evil government and how to make bombs.
3. Mercenary. Here is where the real plans are kept. In this level is stored all the information on how the 3rd world government is going to take over the world, your plans involving Newt Gingrich, Oklahoma City, lawn care products and what really is stored in those hangars at Area 51.

The Network Setup

The IP numbers are arranged as:

* 1 number is 192.168.1.255, which is the broadcast address and is not usable.
* 23 of the 32 IP addresses are allocated to 23 machines that will be accessible to the internet.
* 1 extra IP goes to a Linux box on that network
* 1 extra goes to a different Linux box on that network.
* 2 IP #'s go to the router
* 4 are left over, but given domain names paul, ringo, john, and george, just to confuse things a bit.
* The protected networks both have the addresses 192.168.1.xxx

Then, two separate networks are built, each in a different room. They are routed via infrared Ethernet so that they are completely invisible to the outside room. Luckily, infrared Ethernet works just like normal Ethernet.

These networks are each connected to one of the Linux boxes with an extra IP address.

There is a file server connecting the two protected networks. This is because the plans for taking over the world involves some of the higher Troops. The file server holds the address 192.168.1.17 for the Troop network and 192.168.1.23 for the Mercenary network. It has to have different IP addresses because it has to have different Ethernet cards. IP Forwarding on it is turned off.

IP Forwarding on both Linux boxes is also turned off. The router will not forward packets destined for 192.168.1.xxx unless explicitly told to do so, so the internet will not be able to get in. The reason for turning off IP Forwarding here is so that packets from the Troop's network will not be able to reach the Mercenary network, and vica versa.

The NFS server can also be set up to offer different files to the different networks. This can come in handy, and a little trickery with symbolic links can make the common files shareable with all. With this setup and another Ethernet card, this one file server can serve all three networks.

The Proxy Setup

Now, since all three levels want to be able to monitor the network for their own devious purposes, all three need net access. The external network is connected directly to the internet, so we don't have to mess with proxy servers there. The Mercenary and Troop networks are behind firewalls, so proxy servers must be set up for them.

Both networks will be set up very similarly. They both have the same IP addresses assigned to them. I will throw in a couple of parameters, just to make things more interesting, though.

1. No one can use the file server for internet access. That would expose the file server to viruses and other nasty things, and it is rather important, so it's off limits.
2. We will not allow Troop access to the World Wide Web. They are in training, and this kind of information retrieval power might prove to be damaging.

So, the sockd.conf file on the Troop's Linux box will have this line:

deny 192.168.1.17 255.255.255.255

and on the Mercenary machine:

deny 192.168.1.23 255.255.255.255

And, the Troop's Linux box will have this line

deny 0.0.0.0 0.0.0.0 eq 80

This says to deny access to all machines trying to reach a port equal (eq) to 80, the HTTP port. This still allows all other services and denies only Web access.

Then, both files will have:

permit 192.168.1.0 255.255.255.0

to allow all the computers on the 192.168.1.xxx network to use this proxy server, except for those that have already been denied (i.e. the file server, and Web access from the Troop network).

The Troop's sockd.conf file will look like:

deny 192.168.1.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.1.0 255.255.255.0

and the Mercenary file will look like:

deny 192.168.1.23 255.255.255.255
permit 192.168.1.0 255.255.255.0

This should configure everything correctly. Each network is isolated accordingly, with the proper amount of interaction. Everyone should be happy.

The SOCKS Proxy Server

Setting up the Proxy Server

The SOCKS proxy server is available from http://www.socks.nec.com/.

Uncompress and untar the files into a directory on your system, and follow the instructions on how to make it. I had a couple of problems when I made it. Make sure that your Makefiles are correct.

One important thing to note is that the proxy server needs to be added to /etc/inetd.conf. You must add the line:

socks stream tcp nowait nobody /usr/local/etc/sockd sockd

to tell inetd to run the server when a connection is requested.

11.2 Configuring the Proxy Server

The SOCKS program needs two separate configuration files: one to say what access is allowed, and one to route the requests to the appropriate proxy server. The access file should be housed on the server. The routing file should be housed on every UNIX machine. The DOS and, presumably, Macintosh computers will do their own routing.

The Access File

With socks4.2 Beta, the access file is called "sockd.conf". It should contain 2 lines, a permit line and a deny line. Each line will have three entries:

* The Identifier (permit/deny)
* The IP address
* The address modifier

The identifier is either permit or deny. You should have both a permit and a deny line.

The IP address holds a four-byte address in typical IP dot notation, e.g. 192.168.1.0.

The address modifier is also a typical four-byte IP address number. It works like a netmask. Envision this number as 32 bits (1s or 0s). If a bit is 1, the corresponding bit of the address being checked must match the corresponding bit in the IP address field. For instance, if the line is:

permit 192.168.1.23 255.255.255.255

it will permit only the IP address that matches every bit in 192.168.1.23, i.e. only 192.168.1.23. The line:

permit 192.168.1.0 255.255.255.0

will permit every address from 192.168.1.0 through 192.168.1.255, the whole class C network. One should not have the line:

permit 192.168.1.0 0.0.0.0

as this will permit every address, regardless.

So, first permit every address you want to permit, and then deny the rest. To allow everyone in the domain 192.168.1.xxx, the lines:

permit 192.168.1.0 255.255.255.0
deny 0.0.0.0 0.0.0.0

will work nicely. Notice the first "0.0.0.0" in the deny line. With a modifier of 0.0.0.0, the IP address field does not matter; all 0s is the norm because it is easy to type.

More than one entry of each is allowed.

Specific users can also be granted or denied access. This is done via ident authentication. Not all systems support ident, including Trumpet Winsock, so I will not go into it here. The documentation with SOCKS is quite adequate on this subject.

The Routing File

The routing file in SOCKS is poorly named "socks.conf". I say "poorly named" because it is so close to the name of the access file that it is easy to get the two confused.

The routing file is there to tell the SOCKS clients when to use SOCKS and when not to. For instance, in our network, 192.168.1.3 will not need to use SOCKS to talk with 192.168.1.1, the firewall; it has a direct connection via Ethernet. SOCKS defines 127.0.0.1, the loopback, automatically; of course you do not need SOCKS to talk to yourself. There are three kinds of entries:

* deny
* direct
* sockd

Deny tells SOCKS when to reject a request. This entry has the same three fields as in sockd.conf: identifier, address and modifier. Generally, since this is also handled by sockd.conf, the access file, the modifier field is set to 0.0.0.0. If you want to preclude yourself from calling any place, you can do it here.

The direct entry tells which addresses not to use SOCKS for. These are all the addresses that can be reached without the proxy server. Again we have the three fields: identifier, address and modifier. Our example would have

direct 192.168.1.0 255.255.255.0

thus going direct for any host on our protected network.

The sockd entry tells the computer which host has the SOCKS server daemon on it. The syntax is:

sockd @=<serverlist> <IP address> <modifier>

Notice the @= entry. This allows you to set the IP addresses of a list of proxy servers. In our example, we only use one proxy server. But you can have many, to spread a greater load and for redundancy in case of failure.

The IP address and modifier fields work just like in the other examples. You specify which addresses go where through these.

6.2.3 DNS from behind a Firewall

Setting up Domain Name service from behind a firewall is a relatively simple task. You need merely to set up the DNS on the firewalling machine. Then, set each machine behind the firewall to use this DNS.
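As an added example (not code from the SOCKS package or from this HOWTO's author), the Python below applies the sockd.conf access rules from the Proxy Setup and Access File sections, and the socks.conf routing entries from the Routing File section, to sample clients and destinations. It implements the modifier exactly as the text above describes it (a 1 bit means that address bit must match), supports only the "eq" port operator shown on this page, and assumes a comma-separated @= server list and deny-by-default when no line matches. The two sockd.conf files are the Troop and Mercenary ones from above; the socks.conf for a workstation behind the Troop firewall at 192.168.1.1 is constructed for the demo. Check the documentation shipped with your own SOCKS build for the mask convention it uses, since this differs between versions.

```python
"""Evaluate SOCKS 4.2-style access rules (sockd.conf) and routing rules (socks.conf).

Added example for this HOWTO; it is not code from the SOCKS package.  The
modifier is applied as the HOWTO describes it: a 1 bit in the modifier means
that bit of the client address must equal the bit in the rule's address
field (netmask style).  Deny-by-default on no match is an assumption.
"""
import ipaddress


def to_int(dotted):
    """Dotted quad -> 32-bit integer (raises ValueError on garbage)."""
    return int(ipaddress.IPv4Address(dotted))


def addr_matches(addr, rule_addr, modifier):
    """True when addr and rule_addr agree on every bit that is set in the modifier."""
    mask = to_int(modifier)
    return (to_int(addr) & mask) == (to_int(rule_addr) & mask)


def parse_access_rules(text):
    """sockd.conf lines: 'permit|deny addr modifier [eq port]'; '#' starts a comment.
    Only the 'eq' port operator used in the HOWTO is implemented."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        action, addr, modifier = fields[0], fields[1], fields[2]
        if action not in ("permit", "deny"):
            raise ValueError("bad identifier: " + raw)
        port = None
        if len(fields) > 3:
            if fields[3] != "eq" or len(fields) != 5:
                raise ValueError("unsupported port clause: " + raw)
            port = int(fields[4])
        rules.append((action, addr, modifier, port))
    return rules


def access_decision(rules, client_addr, dst_port=None):
    """First matching line wins.  A line with 'eq port' only matches that
    destination port.  No matching line means deny (assumed default)."""
    for action, addr, modifier, port in rules:
        if not addr_matches(client_addr, addr, modifier):
            continue
        if port is not None and dst_port != port:
            continue
        return action
    return "deny"


def parse_routing_rules(text):
    """socks.conf lines: 'deny addr modifier', 'direct addr modifier',
    'sockd @=server[,server...] addr modifier' (comma list is an assumption)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        kind, servers = fields[0], None
        if kind == "sockd":
            if not fields[1].startswith("@="):
                raise ValueError("sockd line needs @=serverlist: " + raw)
            servers = fields[1][2:].split(",")
            fields = fields[1:]
        elif kind not in ("deny", "direct"):
            raise ValueError("bad routing entry: " + raw)
        rules.append((kind, fields[1], fields[2], servers))
    return rules


def route_decision(rules, dst_addr):
    """Returns ('direct', None), ('deny', None) or ('sockd', [servers]).
    Loopback is always direct, as the HOWTO notes; otherwise first match wins
    and an unmatched destination is denied (assumed default)."""
    if addr_matches(dst_addr, "127.0.0.0", "255.0.0.0"):
        return ("direct", None)
    for kind, addr, modifier, servers in rules:
        if addr_matches(dst_addr, addr, modifier):
            return (kind, servers)
    return ("deny", None)


# Access files from the example network, plus a constructed socks.conf for a
# workstation behind the Troop firewall (proxy server at 192.168.1.1).
TROOP_SOCKD_CONF = """\
deny 192.168.1.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.1.0 255.255.255.0
"""
MERCENARY_SOCKD_CONF = """\
deny 192.168.1.23 255.255.255.255
permit 192.168.1.0 255.255.255.0
"""
WORKSTATION_SOCKS_CONF = """\
direct 192.168.1.0 255.255.255.0
sockd @=192.168.1.1 0.0.0.0 0.0.0.0
"""

if __name__ == "__main__":
    troop = parse_access_rules(TROOP_SOCKD_CONF)
    for client, port in (("192.168.1.17", 23), ("192.168.1.5", 80), ("192.168.1.5", 23)):
        print(client, port, access_decision(troop, client, port))
    routes = parse_routing_rules(WORKSTATION_SOCKS_CONF)
    print(route_decision(routes, "192.168.1.7"), route_decision(routes, "198.51.100.9"))
```

Running it shows the file server denied everywhere, port 80 denied only on the Troop side, and the workstation going direct for 192.168.1.x but through 192.168.1.1 for anything else. Feeding it "permit 192.168.1.0 0.0.0.0" reproduces the warning above: that line permits every client.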

11.3 Working With a Proxy Server

Unix

To have your applications work with the proxy server, they need to be "SOCKSified". You will need two different telnets: one for direct communication and one for communication via the proxy server. SOCKS comes with instructions on how to SOCKSify a program, as well as a couple of pre-SOCKSified programs. If you use the SOCKSified version to go somewhere direct, SOCKS will automatically switch over to the direct version for you. Because of this, we want to rename all the programs on our protected network and replace them with the SOCKSified programs: "finger" becomes "finger.orig", "telnet" becomes "telnet.orig", etc. You must tell SOCKS about each of these via the include/socks.h file.

Certain programs handle routing and SOCKSifying themselves. Netscape is one of these. You can use a proxy server under Netscape by entering the server's address (192.168.1.1 in our case) in the SOCKS field under Proxies. Each application will need at least a little messing with, regardless of how it handles a proxy server.

MS Windows with Trumpet Winsock

Trumpet Winsock comes with built-in proxy server capabilities. In the "setup" menu, enter the IP address of the server and the addresses of all the computers reachable directly. Trumpet will then handle all outgoing packets.

Getting the Proxy Server to work with UDP Packets

The SOCKS package works only with TCP packets, not UDP. This makes it quite a bit less useful. Many useful programs, such as talk and Archie, use UDP. There is a package designed to be used as a proxy server for UDP packets called UDPrelay, by Tom Fitzgerald. Unfortunately, at the time of this writing, it is not compatible with Linux.

11.4 Drawbacks with Proxy Servers

The proxy server is, above all, a security device. Using it to increase internet access with limited IP addresses will have many drawbacks. A proxy server will allow greater access from inside the protected network to the outside, but will keep the inside completely inaccessible from the outside. This means no servers, talk or Archie connections, or direct mailing to the inside computers. These drawbacks might seem slight, but think of it this way:

* You have left a report you are working on on your computer inside a firewall-protected network. You are at home, and decide that you would like to go over it. You cannot. You cannot reach your computer because it is behind the firewall. You try to log into the firewall first, but since everyone has proxy server access, no one has set up an account for you on it.

* Your daughter goes to college. You want to email her. You have some private things to talk about, and would rather have your mail sent directly to your machine. You trust your systems administrator completely, but still, this is private mail.

* The inability to use UDP packets represents a big drawback with the proxy servers. I imagine UDP capabilities will be coming shortly.

FTP causes another problem with a proxy server. When getting a file or doing an ls, the FTP server opens a socket back to the client machine and sends the information through it. A proxy server will not allow this, so FTP doesn't particularly work.

And proxy servers run slow. Because of the greater overhead, almost any other means of getting this access will be faster.

Basically, if you have the IP addresses and you are not worried about security, do not use a firewall and/or proxy servers. If you do not have the IP addresses, but you are also not worried about security, you might also want to look into using an IP emulator like Term, Slirp or TIA. Term is available from ftp://sunsite.unc.edu, Slirp is available from ftp://blitzen.canberra.edu.au/pub/slirp, and TIA is available from marketplace.com. These packages will run faster, allow better connections, and provide a greater level of access to the inside network from the internet. Proxy servers are good for those networks which have a lot of hosts that will want to connect to the internet on the fly, with one setup and little work after that.

Installing the TIS Proxy server

Getting the software

The TIS FWTK is available at http://www.tis.com/research/software/.

Don't make the mistake I did. When you ftp files from TIS, READ THE READMEs. The TIS FWTK is locked up in a hidden directory on their server.

TIS requires you to read their agreement at http://www.tis.com/research/software/fwtk_readme.html and then send email to fwtk-request@tislabs.com with only the word "accepted" in the body of the message to learn the name of this hidden directory. No subject is needed in the message. Their system will then mail you back the directory name (good for 12 hours) so you can download the source.

As of this writing, the current version of FWTK is 2.1.

10.2 Compiling the TIS FWTK

Version 2.1 of the FWTK compiles much more easily than any of the older versions.

EXPLAIN HERE!!!

Now run make.

10.3 Installing the TIS FWTK

Run make install.

The default installation directory is /usr/local/etc. You could change this (I didn't) to a more secure directory. I chose to change the access to this directory to 'chmod 700'.

All that is left now is to configure the firewall.

10.4 Configuring the TIS FWTK

Now the fun really begins. We must teach the system to call these new services and create the tables to control them.

I'm not going to try to rewrite the TIS FWTK manual here. I will show you the settings I found worked and explain the problems I ran into and how I got around them.

There are three files that make up these controls.

* /etc/services
o Tells the system which port a service is on.

* /etc/inetd.conf
o Tells inetd what program to call when someone knocks on a service port.

* /usr/local/etc/netperm-table
o Tells the FWTK services whom to allow and deny service to.

To get the FWTK functioning, you should edit these files from the bottom up. Editing the services file without the inetd.conf or netperm-table file set correctly could make your system inaccessible.

The netperm-table file

This file controls who can access the services of the TIS FWTK. You should think about the traffic using the firewall from both sides. People outside your network should identify themselves before gaining access, but the people inside your network might be allowed to just pass through.

So people can identify themselves, the firewall uses a program called authsrv to keep a database of user IDs and passwords. The authentication section of the netperm-table controls where the database is kept and who can access it.

I had some trouble closing off access to this service. Note that the permit-hosts line I show uses a '*' to give everyone access. The correct setting for this line is 'authsrv: permit-hosts localhost', if you can get it working.

#
# Proxy configuration table
#
# Authentication server and client rules
authsrv: database /usr/local/etc/fw-authdb
authsrv: permit-hosts *
authsrv: badsleep 1200
authsrv: nobogus true
# Client Applications using the Authentication server
*: authserver 127.0.0.1 114

To initialize the database, su to root, and run ./authsrv in the /var/local/etc directory to create the administrative user record. Here is a sample session.

Read the FWTK documentation to learn how to add users and groups.

#
# authsrv
authsrv# list
authsrv# adduser admin "Auth DB admin"
ok - user added initially disabled
authsrv# ena admin
enabled
authsrv# proto admin pass
changed
authsrv# pass admin "plugh"
Password changed.
authsrv# superwiz admin
set wizard
authsrv# list
Report for users in database
user group longname ok? proto last
------ ------ ------------------ ----- ------ -----
admin Auth DB admin ena passw never
authsrv# display admin
Report for user admin (Auth DB admin)
Authentication protocol: password
Flags: WIZARD
authsrv# ^D
EOT
#

The telnet gateway (tn-gw) controls are straightforward and the first you should set up.

In my example, I permit hosts from inside the private network to pass through without authenticating themselves (permit-hosts 192.1.2.* -passok). But any other user must enter their user ID and password to use the proxy (permit-hosts * -auth).

I also allow one other system (192.1.2.202) to telnet to the firewall itself, without going through the proxy at all. The two netacl-in.telnetd lines do this. I will explain how these lines are called later.

The telnet timeout should be kept short.

# telnet gateway rules:
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: timeout 90
tn-gw: permit-hosts 192.1.2.* -passok -xok
tn-gw: permit-hosts * -auth
# Only the Administrator can telnet directly to the Firewall via Port 24
netacl-in.telnetd: permit-hosts 192.1.2.202 -exec /usr/sbin/in.telnetd

The r-commands work the same way as telnet.

# rlogin gateway rules:
rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
rlogin-gw: timeout 90
rlogin-gw: permit-hosts 192.1.2.* -passok -xok
rlogin-gw: permit-hosts * -auth -xok
# Only the Administrator can telnet directly to the Firewall via Port
netacl-rlogind: permit-hosts 192.1.2.202 -exec /usr/libexec/rlogind -a

You shouldn't have anyone accessing your firewall directly, and that includes FTP, so don't put an FTP server on your firewall.

Again, the permit-hosts line allows anyone in the protected network free access to the Internet, and all others must authenticate themselves. I included logging of every file sent and received in my controls (-log { retr stor }).

The ftp timeout controls how long it will take to drop a bad connection, as well as how long a connection will stay open without activity.

# ftp gateway rules:
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 300
ftp-gw: permit-hosts 192.1.2.* -log { retr stor }
ftp-gw: permit-hosts * -authall -log { retr stor }

Web, gopher and browser-based ftp are controlled by the http-gw. The first two lines create a directory to store ftp and web documents as they pass through the firewall. I make these files owned by root and put them in a directory accessible only by root.

The Web timeout should be kept short. It controls how long the user will wait on a bad connection.

# www and gopher gateway rules:
http-gw: userid root
http-gw: directory /jail
http-gw: timeout 90
http-gw: default-httpd www.afs.net
http-gw: hosts 192.1.2.* -log { read write ftp }
http-gw: deny-hosts *

The ssl-gw is really just a pass-anything gateway. Be careful with it. In this example I allow anyone inside the protected network to connect to any server outside the network except the addresses 127.0.0.* and 192.1.1.*, and then only on ports 443 through 563. Ports 443 through 563 are known SSL ports.

# ssl gateway rules:
ssl-gw: timeout 300
ssl-gw: hosts 192.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
ssl-gw: deny-hosts *
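Here is an added example (not part of the FWTK or of this HOWTO) that reads a constructed netperm-table excerpt built from the tn-gw, netacl, ftp-gw, http-gw and ssl-gw rules shown above and answers, for a given client, which permit-hosts line applies and whether it must authenticate, and, for the ssl-gw, whether a destination host and port gets through the -dest list. It assumes first-match evaluation, deny when nothing matches, '!' entries in -dest as exclusions, and host:low:high as an inclusive port range; the client and destination addresses in the demo are made up. The FWTK manual remains the authority on the exact matching rules.

```python
"""Evaluate TIS FWTK netperm-table rules of the kinds used in this HOWTO.

Added example; it is not code from the FWTK.  It covers only what the rules
above use: '*' wildcards in host patterns, first matching permit-hosts/hosts
line wins, deny-hosts, the -auth/-authall flags, and the ssl-gw -dest { ... }
list with '!' exclusions and host:low:high port ranges.  First-match and
deny-by-default are assumptions about the FWTK's behaviour.
"""
import fnmatch


def host_matches(addr, pattern):
    """FWTK host patterns are dotted quads with '*' wildcards, e.g. 192.1.2.*"""
    return fnmatch.fnmatchcase(addr, pattern)


def parse_netperm(text):
    """'service: keyword arg...' lines -> list of (service, keyword, args)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        service, rest = line.split(":", 1)
        fields = rest.split()
        rules.append((service.strip(), fields[0], fields[1:]))
    return rules


def client_options(rules, service, client_addr):
    """Options of the first permit-hosts/hosts line for this service that
    matches the client; None when a deny-hosts line matches first or nothing
    matches at all (deny by default)."""
    for svc, keyword, args in rules:
        if svc != service or not args:
            continue
        if keyword in ("permit-hosts", "hosts") and host_matches(client_addr, args[0]):
            return args[1:]
        if keyword == "deny-hosts" and host_matches(client_addr, args[0]):
            return None
    return None


def needs_authentication(options):
    """-auth (tn-gw, rlogin-gw) and -authall (ftp-gw) both require a login."""
    return options is not None and any(o in ("-auth", "-authall") for o in options)


def dest_allowed(options, dest_addr, dest_port):
    """Apply a '-dest { entry ... }' list: entries are checked in order, a '!'
    entry denies, and an entry is 'host', 'host:port' or 'host:low:high'.
    Without a -dest clause any destination is allowed; no match means deny."""
    if options is None:
        return False
    if "-dest" not in options:
        return True
    start = options.index("-dest")
    if options[start + 1] != "{":
        raise ValueError("-dest must be followed by a { ... } list")
    for entry in options[start + 2:options.index("}", start)]:
        negate = entry.startswith("!")
        parts = entry.lstrip("!").split(":")
        low = int(parts[1]) if len(parts) > 1 else 0
        high = int(parts[2]) if len(parts) > 2 else (low if len(parts) > 1 else 65535)
        if host_matches(dest_addr, parts[0]) and low <= dest_port <= high:
            return not negate
    return False


# Constructed netperm-table excerpt using the rules shown in this section.
NETPERM_TABLE = """\
tn-gw: permit-hosts 192.1.2.* -passok -xok
tn-gw: permit-hosts * -auth
netacl-in.telnetd: permit-hosts 192.1.2.202 -exec /usr/sbin/in.telnetd
ftp-gw: permit-hosts 192.1.2.* -log { retr stor }
ftp-gw: permit-hosts * -authall -log { retr stor }
http-gw: hosts 192.1.2.* -log { read write ftp }
http-gw: deny-hosts *
ssl-gw: hosts 192.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
ssl-gw: deny-hosts *
"""

if __name__ == "__main__":
    rules = parse_netperm(NETPERM_TABLE)
    for client in ("192.1.2.7", "203.0.113.4"):        # made-up inside/outside clients
        opts = client_options(rules, "tn-gw", client)
        print("tn-gw", client, opts, "auth required:", needs_authentication(opts))
    ssl = client_options(rules, "ssl-gw", "192.1.2.7")
    for dest in (("198.51.100.9", 443), ("127.0.0.1", 443), ("198.51.100.9", 80)):
        print("ssl-gw", dest, dest_allowed(ssl, *dest))
```

The inside client gets -passok -xok with no login, the outside client hits the "* -auth" line, and only 192.1.2.202 reaches the netacl telnetd line. For ssl-gw, 443 to an outside host passes, the same port to 127.0.0.1 is stopped by the first '!' entry, and port 80 falls outside 443:563 and is denied by default.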

Here is an example of how to use the plug-gw to allow connections to a news server. In this example I allow anyone inside the protected network to connect to only one system, and only to its news port.

The second line allows the news server to pass its data back to the protected network.

Because most clients expect to stay connected while the user reads news, the timeout for a news server should be long.


# NetNews plugged gateway
plug-gw: timeout 3600
plug-gw: port nntp 192.1.2.* -plug-to 24.94.1.22 -port nntp
plug-gw: port nntp 24.94.1.22 -plug-to 192.1.2.* -port nntp

The finger gateway is simple. Anyone inside the protected network must log in first, and then we allow them to use the finger program on the firewall. Anyone else just gets a message.

# Enable finger service
netacl-fingerd: permit-hosts 192.1.2.* -exec /usr/libexec/fingerd
netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

I haven't set up the Mail and X-Windows services, so I'm not including examples. If anyone has a working example, please send me email.

The /etc/services file

This is where it all begins. When a client connects to the firewall, it connects on a known port (less than 1024). For example, telnet connects on port 23. The inetd daemon hears this connection and looks up the name of the service in the /etc/services file. It then calls the program assigned to that name in the /etc/inetd.conf file.

Some of the services we are creating are not normally in the /etc/services file. You can assign some of them to any port you want. For example, I have assigned the administrator's telnet port (telnet-a) to port 24. You could assign it to port 2323 if you wished. For the administrator (YOU) to connect directly to the firewall, you will need to telnet to port 24, not 23, and if you set up your netperm-table file like I did, you will only be able to do this from one system inside your protected network.


telnet-a 24/tcp
ftp-gw 21/tcp # this name was changed
auth 113/tcp ident # User Verification
ssl-gw 443/tcp

IP filtering setup (IPCHAINS)

Linux ipchains is a rewrite of the Linux IPv4 firewalling code and a rewrite of ipfwadm, which was a rewrite of BSD's ipfw, I believe. It is required to administer the IP packet filters in Linux kernel versions 2.1.102 and above.

The older code doesn't deal with fragments, has 32-bit counters (on Intel at least), doesn't allow specification of protocols other than TCP, UDP or ICMP, can't make large changes atomically, can't specify inverse rules, has some quirks, and can be tough to manage (making it prone to user error). Or so the author says.

I'm not going to get real deep into how to control an IPChains firewall because there is a GREAT!! HOWTO on it at http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html. I'd just end up duplicating it here. Here are the basics.

You work with chains by name. You start with three built-in chains, input, output and forward, which you can't delete. You can create chains of your own. Rules can then be added to and deleted from these rule sets.

The operations to work on entire chains are:

1. Create a new chain (-N).
2. Delete an empty chain (-X).
3. Change the policy for a built-in chain. (-P).
4. List the rules in a chain (-L).
5. Flush the rules out of a chain (-F).
6. Zero the packet and byte counters on all rules in a chain (-Z).

There are several ways to manipulate rules inside a chain:

1. Append a new rule to a chain (-A).
2. Insert a new rule at some position in a chain (-I).
3. Replace a rule at some position in a chain (-R).
4. Delete a rule at some position in a chain (-D).
5. Delete the first rule that matches in a chain (-D).

There are a few operations for masquerading, which are in ipchains for want of a good place to put them:

1. List the currently masqueraded connections (-M -L).
2. Set masquerading timeout values (-M -S).

There are some timing issues involved in altering firewall rules. If you are not careful, you can let packets through while you are half-way through your changes. A simplistic approach is to do the following:

# ipchains -I input 1 -j DENY
# ipchains -I output 1 -j DENY
# ipchains -I forward 1 -j DENY

... make changes ...

# ipchains -D input 1
# ipchains -D output 1
# ipchains -D forward 1
#

This drops all packets for the duration of the changes.

Here is the same set of firewall rules as in the IPFWADM section, written for IPChains.

#!/bin/sh
#
# rc.firewall
#
## Flush everything, start from scratch
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
# Remove our own chain if it is left over from an earlier run
# (both commands fail harmlessly the first time the script runs)
/sbin/ipchains -F my-chain 2>/dev/null
/sbin/ipchains -X my-chain 2>/dev/null

## Redirect for HTTP Transparent Proxy
#/sbin/ipchains -A input -p tcp -s 192.1.2.0/24 -d 0.0.0.0/0 80 -j REDIRECT 8080

## Create your own chain
## (ipchains needs -p when ports are given; clients connect from
##  unprivileged ports 1024: to the server's well-known port)
/sbin/ipchains -N my-chain
# Allow email to get to the server
/sbin/ipchains -A my-chain -p tcp -s 0.0.0.0/0 1024: -d 192.1.2.10 smtp -j ACCEPT
# Allow email connections to outside email servers
/sbin/ipchains -A my-chain -p tcp -s 192.1.2.10 1024: -d 0.0.0.0/0 smtp -j ACCEPT
# Allow Web connections to your Web Server
/sbin/ipchains -A my-chain -p tcp -s 0.0.0.0/0 1024: -d 192.1.2.11 www -j ACCEPT
# Allow Web connections to outside Web Servers
/sbin/ipchains -A my-chain -p tcp -s 192.1.2.0/24 1024: -d 0.0.0.0/0 www -j ACCEPT
# Allow DNS traffic (UDP port 53) into the LAN
/sbin/ipchains -A my-chain -p udp -s 0.0.0.0/0 53 -d 192.1.2.0/24 -j ACCEPT
# Send everything that arrives on the input chain through my-chain
/sbin/ipchains -A input -j my-chain

## If you are using masquerading
# don't masq internal-internal traffic
/sbin/ipchains -A forward -s 192.1.2.0/24 -d 192.1.2.0/24 -j ACCEPT
# don't masq external interface direct
/sbin/ipchains -A forward -s 24.94.1.0/24 -d 0.0.0.0/0 -j ACCEPT
# masquerade all internal IP's going outside
/sbin/ipchains -A forward -s 192.1.2.0/24 -d 0.0.0.0/0 -j MASQ

## Deny everything else (-P sets the default policy of a built-in chain)
/sbin/ipchains -P input DENY

Don't stop here. This is not a great firewall, and I'm sure you have other services you will be providing. Again, read the IPCHAINS-HOWTO.

IP filtering setup (IPFWADM)

If you are using kernel 2.1.102 or newer, skip this and use the section on IPCHAINS.

In older kernels IP forwarding is turned on by default. Because of this, your network should start by denying access to everything and flushing any ipfw rules in place from the last time it was run. This script fragment should go in your network startup script (/etc/rc.d/init.d/network).

#
# setup IP packet Accounting and Forwarding
#
# Forwarding
#
# By default DENY all services
ipfwadm -F -p deny
# Flush all rules
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f

Now we have the ultimate firewall. Nothing can get through.

Now create the file /etc/rc.d/rc.firewall. This script should allow email, Web and DNS traffic through. ;-)

#! /bin/sh
#
# rc.firewall
#
# Source function library.
. /etc/rc.d/init.d/functions

# Get config.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
    exit 0
fi
case "$1" in
  start)
    echo -n "Starting Firewall Services: "
    # Allow email to get to the server (clients use ports 1024-65535, the server listens on 25)
    /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25
    # Allow email connections to outside email servers
    /sbin/ipfwadm -F -a accept -b -P tcp -S 192.1.2.10 1024:65535 -D 0.0.0.0/0 25
    # Allow Web connections to your Web Server
    /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.11 80
    # Allow Web connections to outside Web Servers
    /sbin/ipfwadm -F -a accept -b -P tcp -S 192.1.2.0/24 1024:65535 -D 0.0.0.0/0 80
    # Allow DNS traffic
    /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 192.1.2.0/24
    echo
    ;;
  stop)
    echo -n "Stopping Firewall Services: "
    # Flush the rules and go back to the deny-everything state set at boot
    /sbin/ipfwadm -F -f
    /sbin/ipfwadm -F -p deny
    echo
    ;;
  status)
    echo -n "Now do you show firewall stats?"
    ;;
  restart|reload)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: firewall {start|stop|status|restart|reload}"
    exit 1
esac

NOTE: In this example we have the email (SMTP) server running at 192.1.2.10, which must be able to send and receive on port 25, and the web server running at 192.1.2.11. We are allowing anyone on the LAN to get to outside web and DNS servers.

This is not perfectly secure. Because port 80 doesn't have to be used as a web port, a smart hacker might use this port to create a virtual private network (VPN) through the firewall. The way around this is to set up a web proxy and only allow the proxy through the firewall. Users on the LAN will have to go through the proxy to get to outside web servers.

You might also be interested in accounting for traffic going through your firewall. This script will count every packet. You could add a line or two to account for packets going to just a single system.


# Flush the current accounting rules
/sbin/ipfwadm -A -f
# Accounting: count every packet crossing the firewall, in each direction
/sbin/ipfwadm -A out -i -S 192.1.2.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 192.1.2.0/24
/sbin/ipfwadm -A in -i -S 192.1.2.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 192.1.2.0/24

If all you need is a filtering firewall you can stop here. Test it and Enjoy.

Preparing the Linux system

Install as little of the Linux system as you can. My installation started with a server configuration, and then I turned off every unneeded service in /etc/inetd.conf. For more security you should uninstall the unneeded services.

Because most distributions don't come with a kernel useful for your purpose, you will need to compile your own kernel. It is best if you do this on a computer other than the firewall. If you do install a C compiler and utilities on your firewall, remove them after you have finished configuring your kernel.

6.1 Compiling the Kernel

Start with a clean, minimal installation of your Linux distribution. The less software you have loaded, the fewer holes, backdoors and/or bugs there will be to introduce security problems in your server.

Pick a stable kernel. I am using kernel 2.2.13 for my system, so this documentation is based on its settings.

You will need to recompile the Linux kernel with the appropriate options. If you haven't recompiled your kernel before, you should read the Kernel HOWTO, the Ethernet HOWTO, and the NET-2 HOWTO.

Here are the network-related settings I know work. I have marked some with a ?. If you will be using that feature, turn it on as well.

I use "make menuconfig" to edit my kernel settings.

<*> Packet socket
[ ] Kernel/User netlink socket
[*] Network firewalls
[ ] Socket Filtering
<*> Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[*] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[?] IP: always defragment (required for masquerading)
[?] IP: transparent proxy support
[?] IP: masquerading
--- Protocol-specific masquerading support will be built as modules.
[?] IP: ICMP masquerading
--- Protocol-specific masquerading support will be built as modules.
[ ] IP: masquerading special modules support
[*] IP: optimize as router not host
< > IP: tunneling
< > IP: GRE tunnels over IP
[?] IP: aliasing support
[*] IP: TCP syncookie support (not enabled per default)
--- (it is safe to leave these untouched)
< > IP: Reverse ARP
[*] IP: Allow large windows (not recommended if <16Mb of memory)
< > The IPv6 protocol (EXPERIMENTAL)
---
< > The IPX protocol
< > Appletalk DDP
< > CCITT X.25 Packet Layer (EXPERIMENTAL)
< > LAPB Data Link Driver (EXPERIMENTAL)
[ ] Bridging (EXPERIMENTAL)
[ ] 802.2 LLC (EXPERIMENTAL)
< > Acorn Econet/AUN protocols (EXPERIMENTAL)
< > WAN router
[ ] Fast switching (read help!)
[ ] Forwarding between high speed interfaces
[ ] CPU is too slow to handle full bandwidth
QoS and/or fair queueing --->

After making all the settings you need, you should recompile, reinstall the kernel and reboot.

I use the command:

make dep; make clean; make bzlilo; make modules; make modules_install; init 6

to accomplish all of this in one step (init 6 reboots the machine).

6.2 Configuring two network cards

If you have two network cards in your computer, you may need to add an append statement to your /etc/lilo.conf file to describe the IRQ and I/O address of both cards. My lilo append statement looks like this:


append="ether=12,0x300,eth0 ether=15,0x340,eth1"

6.3 Configuring the Network Addresses

Now we arrive at the fun part of our setup. I'm not going to go deep into how to setup a LAN. Read the Networking-HOWTO to solve your problems here.

Your goal is to provide two network connections to your filtering firewall system: one on the Internet (unsecured side) and one on the LAN (secure side).

Anyway, you have a few decisions to make.

1. Will you use real IP numbers, or make some up for your LAN?
2. Will your ISP assign the numbers, or will you be using static IP numbers?

Since you don't want the internet to have access to your private network, you don't need to use "real addresses". You could just make up addresses for your private LAN, but this is not recommended: if data gets routed out of your LAN, it might end up at another system's port.

There are a number of Internet address ranges set aside for private networks. Of these, 192.168.1.xxx is set aside, and we will use it in our examples.

You will need to use IP masquerading to make this happen. With this process the firewall will forward packets and translate them to a "real" IP address to travel on the Internet.

Using these non-routable IP addresses makes your network more secure. Internet routers will not pass packets with these addresses.

You may want to read the IP Masquerading HOWTO at this point.

                 24.94.1.123  __________  192.168.1.1
     _/\__/\_             \  |          |  /       _______________
    |        |             \ | Firewall | /       |               |
   / Internet \--------------|  System  |---------| Workstation/s |
   \_  _  _  _/              |__________|         |_______________|
     \/ \/ \/

You must have a "real" IP address to assign to your Internet network card. This address can be permanently assigned to you (a static IP address), or it can be assigned at network connect time by the PPP process.

You assign your inside IP numbers, like 192.168.1.1 to the LAN card. This will be your gateway IP address. You can assign all the other machines in the protected network (LAN) a number in the 192.168.1.xxx range (192.168.1.2 through 192.168.1.254).

I use RedHat Linux. To configure the network at boot time I added an ifcfg-eth1 file in the /etc/sysconfig/network-scripts directory. You may also find an ifcfg-ppp0 or ifcfg-tr0 in this directory. These 'ifcfg-' files are used by RedHat to configure and enable your network devices at boot time. They are named after the connection type.

Here is the ifcfg-eth1 (second ethernet card) for our example:

DEVICE=eth1
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
GATEWAY=24.94.1.123
ONBOOT=yes
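As an added example (my own, not part of the HOWTO), here is a POSIX shell script that checks an ifcfg file the way the text above describes: the LAN address must fall inside one of the ranges set aside for private networks (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16), and NETWORK and BROADCAST must agree with IPADDR and NETMASK. The sample file it writes is a constructed copy of the ifcfg-eth1 above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the HOWTO: sanity-check a RedHat ifcfg file for
# the LAN side of the firewall before enabling it.

# dotted quad -> 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Succeeds if $1 lies in one of the private ranges that Internet routers
# will not pass: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
is_private_ip() {
    n=$(ip2int "$1")
    [ $(( n >> 24 )) -eq 10 ] && return 0
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] && return 0    # 172.16/12
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ] && return 0  # 192.168/16
    return 1
}

# Read one KEY=VALUE setting out of an ifcfg file (quotes stripped).
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tr -d '"'
}

# Check the file named in $1; prints each problem and returns 1 if any.
check_ifcfg() {
    ipaddr=$(ifcfg_get "$1" IPADDR)
    netmask=$(ifcfg_get "$1" NETMASK)
    network=$(ifcfg_get "$1" NETWORK)
    broadcast=$(ifcfg_get "$1" BROADCAST)
    status=0
    if ! is_private_ip "$ipaddr"; then
        echo "IPADDR $ipaddr is not in a private range; LAN hosts would be reachable from the Internet"
        status=1
    fi
    a=$(ip2int "$ipaddr")
    m=$(ip2int "$netmask")
    want_net=$(int2ip $(( a & m )))
    want_bcast=$(int2ip $(( (a & m) | (m ^ 4294967295) )))
    if [ "$network" != "$want_net" ]; then
        echo "NETWORK is $network but IPADDR/NETMASK give $want_net"
        status=1
    fi
    if [ "$broadcast" != "$want_bcast" ]; then
        echo "BROADCAST is $broadcast but IPADDR/NETMASK give $want_bcast"
        status=1
    fi
    return $status
}

# Constructed sample: the ifcfg-eth1 from the text, written to a temp file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DEVICE=eth1
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
GATEWAY=24.94.1.123
ONBOOT=yes
EOF
if check_ifcfg "$sample"; then
    echo "LAN interface settings are consistent"
fi
rm -f "$sample"
```

On the firewall itself you would run check_ifcfg against /etc/sysconfig/network-scripts/ifcfg-eth1 before bringing the interface up.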

If you are going to use a dialup connection you will need to look at the ifcfg-ppp0 and chat-ppp0 files. These control your PPP connection.

This ifcfg file might look like:

DEVICE="ppp0"
ONBOOT="yes"
USERCTL="no"
MODEMPORT="/dev/modem"
LINESPEED="115200"
PERSIST="yes"
DEFABORT="yes"
DEBUG="yes"
INITSTRING="ATZ"
DEFROUTE="yes"
HARDFLOWCTL="yes"
ESCAPECHARS="no"
PPPOPTIONS=""
PAPNAME="LoginID"
REMIP=""
NETMASK=""
IPADDR=""
MRU=""
MTU=""
DISCONNECTTIMEOUT=""
RETRYTIMEOUT="5"
BOOTPROTO="none"

6.4 Testing your network

Start by using the ifconfig and route commands. If you have two network cards, ifconfig should look something like:

#ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:1620 errors:0 dropped:0 overruns:0
TX packets:1620 errors:0 dropped:0 overruns:0
collisions:0 txqueuelan:0

eth0 Link encap:10Mbps Ethernet HWaddr 00:00:09:85:AC:55
inet addr:24.94.1.123 Bcast:24.94.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1000 errors:0 dropped:0 overruns:0
TX packets:1100 errors:0 dropped:0 overruns:0
collisions:0 txqueuelan:0
Interrupt:12 Base address:0x310

eth1 Link encap:10Mbps Ethernet HWaddr 00:00:09:80:1E:D7
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1110 errors:0 dropped:0 overruns:0
TX packets:1111 errors:0 dropped:0 overruns:0
collisions:0 txqueuelan:0
Interrupt:15 Base address:0x350

and your route table should look like:

#route -n
Kernel routing table
Destination Gateway Genmask Flags MSS Window Use Iface
24.94.1.0 * 255.255.255.0 U 1500 0 15 eth0
192.168.1.0 * 255.255.255.0 U 1500 0 0 eth1
127.0.0.0 * 255.0.0.0 U 3584 0 2 lo
default 24.94.1.123 * UG 1500 0 72 eth0

Note: 24.94.1.0 is the Internet side of this firewall and 192.168.1.0 is the private (LAN) side.

You should start by making sure every computer on your LAN can ping the inside address of your firewall system (192.168.1.1 in this example). If not, go over the NET-2 HOWTO again and work on the network some more.

Next, from the firewall, try to ping an Internet system. I use www.internic.net as my test point. If it doesn't work, try a server at your ISP. If this doesn't work, some part of your Internet connection is wrong. You should be able to connect to anywhere on the Internet from the firewall. Try looking at your default gateway setting. If you are using a dialup connection, double check your user ID and password. Reread the NET-2 HOWTO, and try again.

Now try to ping the outside address of the firewall (24.94.1.123) from a computer on your LAN. This shouldn't work. If it does, you have masquerading or IP forwarding turned on, or you already have some packet filtering set. Turn them off and try again. You need to know the filtering is in place.

For kernels newer than 2.1.102 you can issue the command:

echo "0" > /proc/sys/net/ipv4/ip_forward

If you are using an older kernel (why?) you will need to re-compile your kernel with forwarding turned off. (Just upgrade.)

Try pinging the outside address of the firewall (24.94.1.123) again. It shouldn't work.

Now turn on IP forwarding and/or masquerading. You should be able to ping anywhere on the Internet from any system on your LAN.

echo "1" > /proc/sys/net/ipv4/ip_forward

BIG NOTE: If you are using "real" IP addresses on your LAN (not 192.168.1.*) and you can't ping the Internet but you CAN ping the Internet side of your firewall, make sure your ISP is routing packets for your private network address.

A test for this problem is to have someone else on the Internet (say a friend using a local provider) use traceroute to your network. If the trace stops at your provider's router, then they are not forwarding your traffic.

It works? Great. The hard part is done. :-)
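As an added example (my own, not from the HOWTO), the script below turns the two checks in this section into something repeatable: it reads a saved `route -n` listing and confirms the layout the text says to expect (one gateway default route out the Internet interface, a directly connected network on the LAN interface and no default route there), and it reads the ip_forward setting so you can confirm it is 0 while proving the LAN cannot reach the outside, then 1 after masquerading is on. The route listing and the ip_forward value are constructed copies of the page's own output, written to temp files; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the HOWTO: check a saved 'route -n' listing and
# the ip_forward setting against what section 6.4 says to expect.

# $1 = file with 'route -n' output, $2 = Internet interface, $3 = LAN interface.
# Prints each problem found and returns 1 if there were any.
check_routes() {
    routes=$1; outside=$2; inside=$3; status=0
    # exactly one default route, and it must be a gateway route (G) via $outside
    ndef=$(awk '$1 == "default" { n++ } END { print n + 0 }' "$routes")
    if [ "$ndef" -ne 1 ]; then
        echo "expected one default route, found $ndef"; status=1
    fi
    if ! awk -v dev="$outside" '$1 == "default" && $NF == dev && $4 ~ /G/ { ok = 1 }
                                END { exit !ok }' "$routes"; then
        echo "default route is not a gateway route via $outside"; status=1
    fi
    # $inside must have a directly connected network (U without G) ...
    if ! awk -v dev="$inside" '$1 != "default" && $NF == dev && $4 ~ /U/ && $4 !~ /G/ { ok = 1 }
                               END { exit !ok }' "$routes"; then
        echo "no directly connected network on $inside"; status=1
    fi
    # ... and must never carry the default route, or outbound traffic is sent back inside
    if awk -v dev="$inside" '$1 == "default" && $NF == dev { bad = 1 } END { exit !bad }' "$routes"; then
        echo "default route leaves via $inside"; status=1
    fi
    return $status
}

# $1 = ip_forward file (/proc/sys/net/ipv4/ip_forward on the firewall), $2 = 0 or 1.
# The text wants 0 while you prove the LAN cannot reach 24.94.1.123,
# then 1 once masquerading is switched on.
forwarding_is() {
    [ "$(cat "$1")" = "$2" ]
}

# Constructed sample: the route table from the text and an ip_forward of 0.
routes=$(mktemp); fwd=$(mktemp)
cat > "$routes" <<'EOF'
Kernel routing table
Destination Gateway Genmask Flags MSS Window Use Iface
24.94.1.0 * 255.255.255.0 U 1500 0 15 eth0
192.168.1.0 * 255.255.255.0 U 1500 0 0 eth1
127.0.0.0 * 255.0.0.0 U 3584 0 2 lo
default 24.94.1.123 * UG 1500 0 72 eth0
EOF
echo 0 > "$fwd"

check_routes "$routes" eth0 eth1 && echo "route table matches the expected layout"
forwarding_is "$fwd" 0 && echo "forwarding is off: LAN pings to 24.94.1.123 should fail now"
rm -f "$routes" "$fwd"
```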

6.5 Securing the Firewall

A firewall isn't any good if the system it is built on is left wide open to attacks. A "bad guy" could gain access to the system through a non-firewall service and modify it for their own needs. You need to turn off any unneeded services.

Look in your /etc/inetd.conf file. This file configures inetd, also known as the "super server". It controls a bunch of the server daemons and starts them as they are requested by a packet arriving at a "well known" port.

You should turn off echo, discard, daytime, chargen, ftp, gopher, shell, login, exec, talk, ntalk, pop-2, pop-3, netstat, systat, tftp, bootp, finger, cfinger, time, swat and linuxconfig if you have one.

To turn a service off, put # as the first character of the service line. When you're done, send a SIGHUP to the process by typing "kill -HUP pid", where pid is the process number of inetd. This will make inetd re-read its configuration file (inetd.conf) and restart without taking your system down.

Test this by telnetting to port 15 (netstat) on the firewall. If you get any output you have not turned these services off.

telnet localhost 19
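As an added example (my own, not from the HOWTO), here is a shell script that does the inetd.conf clean-up above in a repeatable way: it lists which of the services named in the text are still enabled, comments them out exactly as the text describes, and shows what is left. The inetd.conf lines it writes are constructed for the example; on a real system you would point the functions at /etc/inetd.conf and then send inetd the SIGHUP.

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit and prune an inetd.conf.

# The services the text says to turn off on a firewall host.
UNNEEDED="echo discard daytime chargen ftp gopher shell login exec talk ntalk \
pop-2 pop-3 netstat systat tftp bootp finger cfinger time swat linuxconfig"

# Print the service name (first field) of every active line in $1.
enabled_services() {
    awk 'NF > 0 && substr($1, 1, 1) != "#" { print $1 }' "$1"
}

# Print the enabled services in $1 that are on the UNNEEDED list.
unneeded_enabled() {
    for svc in $(enabled_services "$1"); do
        case " $UNNEEDED " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# Put '#' in front of every active line for an unneeded service, as the
# text describes, keeping the original as $1.orig.
disable_unneeded() {
    cp "$1" "$1.orig"
    pattern=$(echo $UNNEEDED | sed 's/ /|/g')    # echo|discard|...
    awk -v pat="^($pattern)\$" '
        NF > 0 && substr($1, 1, 1) != "#" && $1 ~ pat { print "#" $0; next }
        { print }' "$1.orig" > "$1"
}

# Constructed sample inetd.conf in the RedHat 6 layout.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real /etc/inetd.conf
echo     stream  tcp  nowait  root    internal
discard  stream  tcp  nowait  root    internal
chargen  stream  tcp  nowait  root    internal
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3    stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
EOF

echo "unneeded services still enabled:"
unneeded_enabled "$sample"
disable_unneeded "$sample"
echo "enabled after pruning:"
enabled_services "$sample"          # only telnet is left
# On the real file, follow up with:  kill -HUP "$(pidof inetd)"
rm -f "$sample" "$sample.orig"
```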

You can also create the file /etc/nologin. Put a few lines of text in it like (BUZZ OFF). When this file exists, login will not allow users to log on. They will see the contents of this file and their logins will be refused. Only root can log on.

You can also edit the file /etc/securetty. If the user is root, then the login must be occurring on a tty listed in /etc/securetty. Failures will be logged with the syslog facility. With both of these controls in place the only way to log on to the firewall will be as root from the console.

NEVER EVER TELNET to a system and log IN AS ROOT. If you need remote root access, use SSH (Secure Shell). You might even turn off telnet.

If you are really paranoid you need to be using LIDS (Linux Intrusion Detection System). It is an intrusion detection system patch for the Linux kernel; it can protect important files from being changed. When it's in effect, no one (including root) can change the protected files or directories and their sub-directories. You have to reboot the system with a security=1 LILO setting to modify secure files. (I'd also boot into single user mode.)

Software requirements

Selecting a Kernel

To create a filtering firewall, you don't need any special software. Linux will do. At the time of this writing I'm using RedHat 6.1.

The built-in Linux firewall has changed several times. If you are using an old Linux kernel (1.0.x or older) get a new copy. These older kernels used ipfwadm from http://www.xos.nl/linux/ipfwadm/ and it is no longer supported.

If you are using 2.2.13 or newer you will be using ipchains as developed by http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html

If you are using the newer 2.4 kernel there is a new firewall utility with more features. I will write about this soon.

5.2 Selecting a proxy server

If you want to set up a proxy server you will need one of these packages.

1. Squid
2. The TIS Firewall Toolkit (FWTK)
3. SOCKS

Squid is a great package and works with Linux's Transparent Proxy feature. I will be describing how to set up this server.

At the time of this writing, Network Associates and Trusted Information Systems (TIS) have merged. So keep watching their web sites for more information about changes. Meanwhile, the toolkit can still be had at http://www.tis.com/research/software/

Trusted Information Systems put out a collection of programs designed to facilitate firewalling. With this toolkit, you set up one daemon for each service (WWW, telnet etc.) you will be using.

Setting up the Linux Filtering Firewall

Hardware requirements

Filtering firewalls don't require fancy hardware. They are little more than simple routers.

All you need is:

1. a 486-DX66 with 32 meg of memory
2. a 250m hard disk (500 recommended)
3. network connections (LAN Cards, Serial Ports, Wireless?)
4. monitor and keyboard

With some systems, by using a serial port console, you can even eliminate the monitor and keyboard.

If you need a proxy server that will handle lots of traffic, you should get the largest system you can afford. This is because for every user that connects to the system it will be creating another process. If you will have 50 or more concurrent users I'm guessing you will need:

1. a Pentium II with 64meg of memory
2. a two gig hard disk to store all the logs
3. two network connections
4. monitor and keyboard

The network connections can be any type (NIC cards, ISDN, even modems).

Understanding Firewalls

A firewall is a structure intended to keep a fire from spreading. Buildings have firewalls made of brick walls completely dividing sections of the building. In a car a firewall is the metal wall separating the engine and passenger compartments.

Internet firewalls are intended to keep the flames of Internet hell out of your private LAN. Or, to keep the members of your LAN pure and chaste by denying them access to all the evil Internet temptations. ;-)

The first computer firewall was a non-routing Unix host with connections to two different networks. One network card connected to the Internet and the other to the private LAN. To reach the Internet from the private network, you had to log on to the firewall (Unix) server. You then used the resources of the system to access the Internet. For example, you could use X-windows to run Netscape's browser on the firewall system and have the display on your workstation. With the browser running on the firewall it has access to both networks.

This sort of dual homed system (a system with two network connections) is great if you can TRUST ALL of your users. You can simply set up a Linux system and give an account on it to everyone needing Internet access. With this setup, the only computer on your private network that knows anything about the outside world is the firewall. No one can download to their personal workstations. They must first download a file to the firewall and then download the file from the firewall to their workstation.

BIG NOTE: 99% of all break-ins start with gaining account level access on the system being attacked. Because of this I don't recommend this type of firewall. It is also very limiting.

2.1 Firewall Politics

You shouldn't believe a firewall machine is all you need. Set policies first.

Firewalls are used for two purposes.

1. to keep people (worms / crackers) out.
2. to keep people (employees / children) in.

When I started working on firewalls I was surprised to learn the company I worked for was more interested in "spying" on their employees than keeping crackers out of their networks.

At least in my state (Oklahoma) employers have the right to monitor phone calls and Internet activity as long as they inform the employees they are doing it.

Big Brother is not government. Big Brother = Big Business.

Don't get me wrong. People should work, not play at work. And I feel the work ethic has been eroding. However, I have also observed that management types are the biggest abusers of the rules they set. I have seen hourly workers reprimanded for using the Internet to look for bus routes to get to work while the same manager used hours of work time looking for fine restaurants and nightclubs to take prospective customers.

My fix for this type of abuse is to publish the firewall logs on a Web page for everyone to see.

The security business can be scary. If you are the firewall manager, watch your back.

How to create a security policy

I have seen some really highfalutin documentation on how to create a security policy. After many years of experience I now say, don't believe a word of them. Creating a security policy is simple.

1. describe what you need to service
2. describe the group of people you need to service
3. describe which service each group needs access to
4. for each service group describe how the service should be kept secure
5. write a statement making all other forms of access a violation

Your policy will become more complicated with time but don't try to cover too much ground now. Make it simple and clear.

2.2 Types of Firewalls

There are two types of firewalls.

1. Filtering Firewalls - that block selected network packets.
2. Proxy Servers (sometimes called firewalls) - that make network connections for you.

Packet Filtering Firewalls

Packet Filtering is the type of firewall built into the Linux kernel.

A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As packets arrive they are filtered by their type, source address, destination address, and port information contained in each packet.

Many network routers have the ability to perform some firewall services. Filtering firewalls can be thought of as a type of router. Because of this you need a deep understanding of IP packet structure to work with one.

Because very little data is analyzed and logged, filtering firewalls take less CPU and create less latency in your network.

Filtering firewalls do not provide for password controls. Users cannot identify themselves. The only identity a user has is the IP number assigned to their workstation. This can be a problem if you are going to use DHCP (dynamic IP assignment). Because rules are based on IP numbers, you will have to adjust the rules as new IP numbers are assigned. I don't know how to automate this process.

Filtering firewalls are more transparent to the user. The user does not have to set up rules in their applications to use the Internet. With most proxy servers this is not true.

Proxy Servers

Proxies are mostly used to control, or monitor, outbound traffic. Some application proxies cache the requested data. This lowers bandwidth requirements and decreases the access time for the same data for the next user. It also gives unquestionable evidence of what was transferred.

There are two types of proxy servers.

1. Application Proxies - that do the work for you.
2. SOCKS Proxies - that cross wire ports.

Application Proxy

The best example is a person telnetting to another computer and then telnetting from there to the outside world. With an application proxy server the process is automated. As you telnet to the outside world the client sends you to the proxy first. The proxy then connects to the server you requested (the outside world) and returns the data to you.

Because proxy servers are handling all the communications, they can log everything they (you) do. For HTTP (web) proxies this includes every URL you see. For FTP proxies this includes every file you download. They can even filter out "inappropriate" words from the sites you visit or scan for viruses.

Application proxy servers can authenticate users. Before a connection to the outside is made, the server can ask the user to login first. To a web user this would make every site look like it required a login.

SOCKS Proxy

A SOCKS server is a lot like an old switch board. It simply cross wires your connection through the system to another outside connection.

Most SOCKS servers only work with TCP type connections. And like filtering firewalls they don't provide for user authentication. They can however record where each user connected to.

Sunday, 30 August 2009

Sex education for adolescents


Many circles have long questioned the usefulness of sex education for adolescents. Is it really useless? What is the status of sex education abroad? Let us take a look, for comparison!

ScienceDaily (Mar. 20, 2008). New research shows that comprehensive sex education can reduce the likelihood of teen pregnancy, and there is no indication that it increases the level of sexual intercourse or sexually transmitted diseases (STDs). "It is in no way harmful to teach adolescents about birth control, in addition to abstinence," said the study's lead author, Pamela Kohler, a program manager at the University of Washington in Seattle. Parents and educators have long argued over whether students should be taught birth control, or simply told to say no to free sex. Which option is better for delaying sexual intercourse among adolescents?

Kohler and colleagues examined the results of a 2002 United States national survey and focused on heterosexual adolescents aged 15 to 19. The findings, based on responses from 1719 adolescents, were published in the Journal of Adolescent Health. After reviewing the results, the researchers found that one in four adolescents received abstinence-only education. Nine percent, mainly in poor and rural areas, received no sex education at all. The remaining two thirds received comprehensive instruction, with discussion of birth control and abstinence. Adolescents who received comprehensive sex education were 60 percent less likely to become pregnant than those who received no sex education at all. The likelihood of pregnancy was 30 percent lower among those who received abstinence-only education than among those who received no sex education, but the researchers considered that figure statistically insignificant, because few adolescents fell into the category studied.

Although they also did not reach statistical significance, other survey results likewise suggested that comprehensive sex education, not abstinence-only education, reduced the likelihood of adolescents engaging in vaginal intercourse. Neither approach was reported to reduce the likelihood of STDs, but those results were not statistically significant. Nevertheless, the findings support the provision of comprehensive sex education, Kohler stressed. "There is no evidence to support that abstinence-only education reduces the likelihood of sexual intercourse, or pregnancy," Kohler added.

Don Operario, PhD, a professor at the University of Oxford in England, said the study provides "further evidence" of the usefulness of comprehensive sex education and the ineffectiveness of the abstinence-only approach. However, the study does not show how educators should implement comprehensive sex education in the classroom, said Operario, who studies sex education. "We need a better understanding of the most effective ways to deliver this type of education in order to maximize student understanding and community acceptance," Operario said.

Journal reference: Kohler PK, Manhart LE, Lafferty WE. Abstinence-only and comprehensive sex education and the initiation of sexual activity and teen pregnancy. J Adolesc Health 42(4), 2008.

To this day, sexuality remains an interesting topic of discussion. This is possible because sexual matters are deeply inherent in human beings. Sexuality cannot be avoided by living creatures, because through sex living creatures can continue to preserve their offspring.

During adolescence, curiosity about sexual matters is very important in forming new, more mature relationships with the opposite sex. It is precisely in adolescence that information about sexual matters should begin to be given, so that adolescents do not seek information from other people or from unclear or even entirely mistaken sources. Providing information on sexual matters is all the more important given that adolescents are in a period of active sexual potential, because this relates to sexual drives influenced by hormones, and they often lack sufficient information about their own sexual activity (Handbook of Adolescent Psychology, 1980). This will of course be very dangerous for an adolescent's psychological development if he or she lacks the right knowledge and information. The facts show that most of our adolescents do not know the consequences of the sexual behaviour they engage in; adolescents are often very immature for sexual relations, let alone for bearing the risks of those relations.

Because of adolescents' increasing interest in sexual matters, and because they are in a period of active sexual potential, adolescents try to find all kinds of information about it. Of the sources of information they manage to obtain, in general only a few adolescents learn the ins and outs of sex from their parents. Adolescents therefore seek or obtain information from whatever sources may be available, for example at school or university, in discussion with friends, from books about sex, the mass media or the internet.

Entering this new millennium, it is fitting that parents and educators be more responsive in protecting and educating children and adolescents to be extra careful about the social phenomena, especially those related to sexual matters, that are occurring today. In step with these developments, it is time for the provision of information and knowledge about sexuality to children and adolescents to be increased. The view held by most of society that sexuality is something natural, which will be known by itself once they marry, and so is considered taboo to discuss openly, apparently must slowly be changed. It is time for this kind of view to be set straight so that unwanted and dangerous things do not happen to children and adolescents as the nation's next generation. Adolescents pregnant out of wedlock, abortion, venereal disease, etc., are examples of the bitter realities that often befall adolescents as a result of mistaken understandings of sexuality.

Adolescent Sexual Characteristics

The general meaning of "sexual" is something related to the genitals or to matters concerning intimate relations between men and women. The sexual character of each sex has different specifications, as in the following opinion: Sexual characteristics are divided into two types. Primary sexual characteristics are directly related to reproduction and include the sex organs (genitalia). Secondary sexual characteristics are attributes other than the sex organs that generally distinguish one sex from the other but are not essential to reproduction, such as the larger breasts characteristic of women and the facial hair and deeper voices characteristic of men (Microsoft Encarta Encyclopedia 2002).

That opinion is in line with that of Hurlock (1991), a developmental psychologist, who set out the important secondary sex characteristics in boys and girls. According to Hurlock, in adolescent boys: pubic hair grows, the skin becomes coarser, muscles grow bigger and stronger, the voice deepens, and so on. In adolescent girls: the hips widen, the breasts begin to grow, pubic hair grows, menstruation begins, and so on.

Along with adolescents' primary and secondary growth toward full maturity, the desire and drive to channel their sexual wishes also emerge. This is natural, because this sexual drive naturally has to occur in order to channel affection between two people, as a function of reproduction and the preservation of offspring.

Sexual Behaviour

Sexual behaviour is all behaviour driven by sexual desire, whether with the opposite sex or the same sex. The forms of this behaviour can vary widely, from feelings of attraction to dating, petting and intercourse. The sexual object can be a person, of the same or the opposite sex, an imagined person or oneself. Some of this behaviour indeed has no impact, especially when it has no physical impact on the person concerned or on the social environment. But some sexual behaviour (engaged in before its time) can have very serious psychological impacts, such as guilt, depression, anger and aggression.

Meanwhile, the psychosocial consequences of sexual behaviour include mental tension and confusion over a suddenly changed social role, for example in the case of an adolescent pregnant out of wedlock. On top of that comes pressure from a society that censures and rejects the situation. Other risks are harm to the health of the person concerned, the risk of fetal abnormalities and a high infant mortality rate. In addition, the dropout rate among pregnant adolescents is also very high, caused by the adolescent's shame and the school's refusal to accept the fact of a student being pregnant out of wedlock. Economic problems will also make the matter even more complicated and complex.

Various sexual behaviours among adolescents who are not yet at the point of properly having sexual relations include what are known as:

Masturbation or onanism, that is, a bad habit of manipulating the genitals to channel sexual desire for the fulfilment of pleasure, which often causes personal and emotional upheaval.
Dating with various mild sexual behaviours such as touching and holding hands, up to kissing and sexual touching, which are basically a wish to enjoy and satisfy the sexual drive.
Various activities leading to the satisfaction of the sexual drive, which basically show a person's failure to control it or failure to divert the drive to other activities that could still be done.

The drive or desire to have sexual relations always arises in adolescents; therefore, if there is no appropriate outlet (marriage), efforts must be made to provide understanding and knowledge about it.

The factors considered to play a role in the emergence of sexual problems among adolescents, according to Sarlito W. Sarwono (Psikologi Remaja, 1994), are as follows:

Hormonal changes that increase the adolescent's sexual desire. This increase in hormones causes adolescents to need an outlet in the form of particular behaviour.
This outlet cannot be found immediately because of the postponement of the age of marriage, both legally, because of the law on marriage, and because of social norms that increasingly demand ever-rising requirements for marriage (education, employment, mental preparation and so on).
Prevailing religious norms, under which a person is forbidden to have sexual relations before marriage. Adolescents who cannot restrain themselves tend to violate these.
The tendency to violate them increases because the spread of information and stimulation through the mass media, with sophisticated technology (e.g. VCDs, mimeographed books, photos, magazines, the internet and so on), can no longer be held back. Adolescents, who are in a period of curiosity and wanting to experiment, will imitate what they see or hear from the mass media, because in general they have never learned about sexual matters fully from their parents.
Parents themselves, whether through ignorance or because of attitudes that still treat talking about sex with children as taboo, are not open with their children and even tend to keep their distance from them on this matter.
The tendency toward increasingly free association between men and women in society, as a result of the development of women's roles and education, so that women's position is increasingly equal to men's.

Sex Education

According to Sarlito in his book Psikologi Remaja (1994), sex education in general is clear and correct information about the issues of human sexuality, covering the process of conception, pregnancy through to birth, sexual behaviour, sexual relations, and the health, psychological and social aspects. The sex education given should relate to the norms prevailing in society: what is forbidden, what is customary and how to act without violating the rules prevailing in society.

Sex education is a method of teaching or education that can help young people face the problems of life that stem from the sexual drive. Sex education is thus intended to explain everything related to sex and sexuality in a proper form. According to Singgih D. Gunarsa, sex education material should be given from an early age, when the child begins to ask about the difference in sex between himself or herself and others, continuously and in stages, adapted to the child's needs, age and comprehension (in Psikologi praktis, anak, remaja dan keluarga, 1991). Ideally, sex education should first be given by parents at home, since those who know the child's condition best are the parents themselves. Unfortunately, in Indonesia not all parents are willing to be open with their children in discussing sexual matters. Moreover, the heterogeneous socio-economic and educational levels in Indonesia mean that there are parents who are willing and able to give information about sex, but many more who are unable and do not understand the matter. Here, then, the role of the education system is in fact very large.

The Aims of Sex Education

Besides explaining anatomical and biological aspects, sex education also explains psychological and moral aspects. Proper sex education must include elements of human rights. Cultural and religious values are also included, so that it becomes an education in character and morals as well.

According to Kartono Mohamad, good sex education aims to build the family and to produce responsible parents (in the panel discussion Islam Dan Pendidikan Seks Bagi Remaja, 1991). Some experts say good sex education must be complemented by education in ethics and in relations between people, both within the family and in society. It is also said that the aim of sex education is not to arouse curiosity and a wish to try sexual relations among adolescents, but to prepare adolescents so that they know about sexuality and its consequences when engaged in without obeying the rules of law, religion and custom, and without a person's mental and material readiness. Sex education also aims to provide knowledge and to educate children to behave well in sexual matters, in accordance with religious, social and moral norms (Tirto Husodo, Seksualitet dalam mengenal dunia remaja, 1987).

A fuller elaboration of the aims of sex education is as follows:

To give adequate understanding of the physical and mental changes and the process of emotional maturation related to sexual matters in adolescents.
To reduce fear and anxiety related to sexual development and adjustment (roles, demands and responsibilities).
To form attitudes and give understanding toward sex in all its varied manifestations.
To give the understanding that relationships between people can bring satisfaction to both individuals and to family life.
To give understanding of the need for the moral values that are essential to providing a rational basis for making decisions related to sexual behaviour.
To give knowledge of sexual errors and deviations so that individuals can protect themselves and resist exploitation that could harm their physical and mental health.
To reduce prostitution, irrational fear of sex and excessive sexual exploration.
To give understanding and the conditions that enable individuals to engage in sexual activity effectively and creatively in their various roles, for example as wife or husband, parent, member of society.

So the aim of sex education is to form a healthy emotional attitude toward sexual matters and to guide children and adolescents toward a healthy adult life that is responsible about its sexuality. This is intended so that they do not regard sex as something disgusting and dirty, but rather as a human endowment, a gift from God that serves an important function in the continuity of human life, and so that children can learn to value their sexual capacity and channel that drive only for particular (good) purposes and only at particular times.