On Wed, 19 Sep 2007 12:43, Christos Ricudis sent:
>Palias Panagiotis wrote:
>
>> I don't disagree; after all, they are operating systems from the same company. Where we disagree
>> is that you consider the PIX/ASA to be software firewalls because they are ordinary PCs that
>> run some operating system which does the management, right?
>
>Well, that's exactly it.

With the difference that PIXos is an operating system only for a firewall, whereas Linux or BSD is a multi-purpose operating system to which we add the firewall capability by installing iptables / ipfilter.

>
>> What I'm saying is that PIXOS (even if it has similarities to IOS in parts such as interface
>> configuration, VLANs, routing, VPN) doesn't take some extra iptables-like firewall on top of
>> it; it has it built in.
>
>What does "extra" mean, and what does "built in" mean?

What I said above: on PIXos you upgrade one single thing and you get a new operating system together with the firewall. Whereas if you have a little Linux box with iptables you have to do the upgrades separately.

>
>The firewall in PIX OS and in IOS is *exactly* as built in as iptables is
>in Linux. Filtering in Linux happens in kernel space; only the user
>interface lives in userspace. In PIX/IOS, where you don't have the ability
>to execute arbitrary code anyway, the userspace / kernelspace separation
>doesn't make much sense, and I'm not even sure it exists.

They're probably not separated. Apart from the fact that you can't run any program, in older IOS versions you could freeze the machine if you threw some crap at it or if it crashed on some odd packet. Now, to deal with this, they have the control plane so that you have the console or telnet available, for example, even if the rest of the machine hangs.

>
>In the case of the PIX especially, where there isn't even specialized hardware in play,
>you have only one possible data path: hardware => driver -> (IP -> TCP stack) ->
>firewall. It's exactly the same data path you have on Linux with iptables or
>on BSD with pf.
>
>If special hardware assistance were in play on the PIX, what you say would hold IN
>PART, and it's a well-known way to do optimization in some special
>cases. As far as I can see from the architecture of the PIX, it cannot implement any
>of these optimizations, which I describe below:
>
>Simplified example. Suppose I tell the firewall:
>
>"Block all IP traffic coming from IP 1.2.3.4".
>
>This rule is easily implemented at the hardware level - in this particular
>case, all the information you need in order to see whether the packet is
>entitled to be forwarded upward (namely "Is it IP traffic?" and
>"Is the source IP 1.2.3.4?") sits at fixed positions inside the
>ethernet frame, so a simple comparator is enough to make the decision,
>and this can perfectly well be implemented in hardware on the ethernet
>interface itself.
>
>If the rule is more complex (e.g. it involves anything concerning the TCP
>layer, or for whatever reason higher layers need to "see" the packet),
>then necessarily a "longer" route has to be followed, and the
>decision will ultimately be made by software.
>
>Similar optimizations can be implemented for routing, switching
>decisions, etc. The simpler a matching rule is, the more easily it
>is implemented at lower levels of the system, without the rest of the
>system necessarily having to "see" the packet.
>
>All these mechanisms are implemented in IOS in some combinations of
>hardware - you'll notice that in IOS there are at least three possible
>paths:
>
>Cisco Express Forwarding,
>Fast Switching, and
>Process Switching.
>
>Depending now on which features you use, what hardware you have, which
>version of IOS, what day of the month it is, the phase of the moon, whether your
>dog peed this morning with its tail pointing south, etc., the packet may
>go through one of these three paths. Each path is implemented at a slightly
>different layer, with a different performance impact in each case.
>
>Have a look at this too: http://www.cisco.com/warp/public/105/cef_whichpath.html

You're right about what you say. What I know is that for CEF, say, they tried to get closer to layer 2 for routing. Supposedly in the firewall area they didn't do anything like that, because they consider it a risk for some packet to get dropped or to pass through without being checked thoroughly.

>
>--
>Christos Ricudis
>
>
>--
>linux-greek-users mailing list -- http://lists.hellug.gr
>
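The fixed-position comparator in the quoted "block all IP traffic from 1.2.3.4" example, next to the header walk a TCP-layer rule needs, written out as an added C illustration that is not code from the thread or from any Cisco or Linux component. It assumes untagged Ethernet II framing (a VLAN tag would shift every offset by 4), and both frames are constructed sample data.

```c
/* Added example, not from the thread: the fixed-offset "comparator" for
 * "block all IP traffic from 1.2.3.4", beside the variable-length parse that
 * a TCP-layer rule requires. Frames below are constructed sample data and
 * assume untagged Ethernet II (a VLAN tag shifts every offset by 4). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum verdict { PASS, DROP };

/* Ethernet II: EtherType at byte 12; IPv4 source address at byte 26. */
#define OFF_ETHERTYPE 12
#define OFF_IPV4_SRC  26

/* Fast path: "is it IP?" and "is the source 1.2.3.4?" both read fixed
 * positions, so one comparator decides and nothing has to walk headers. */
enum verdict fast_rule_block_src(const uint8_t *f, size_t len, const uint8_t src[4])
{
    if (len < 34 || f[OFF_ETHERTYPE] != 0x08 || f[OFF_ETHERTYPE + 1] != 0x00)
        return PASS;                      /* not IPv4: the rule cannot match */
    return memcmp(f + OFF_IPV4_SRC, src, 4) == 0 ? DROP : PASS;
}

/* Slow path: "block TCP to <port> from src" is not a fixed comparator, because
 * the TCP header starts after a variable IHL; software has to parse it. */
enum verdict slow_rule_block_tcp_port(const uint8_t *f, size_t len,
                                      const uint8_t src[4], uint16_t port)
{
    if (fast_rule_block_src(f, len, src) != DROP) return PASS;   /* not IPv4 from src */
    size_t ihl = (f[14] & 0x0f) * 4;                              /* IPv4 header bytes */
    if (ihl < 20 || f[14 + 9] != 6 || len < 14 + ihl + 4) return PASS; /* not TCP */
    uint16_t dport = (uint16_t)(f[14 + ihl + 2] << 8 | f[14 + ihl + 3]);
    return dport == port ? DROP : PASS;
}

/* Constructed frame: Ethernet II + IPv4 (IHL=5, proto 6, src 1.2.3.4) + TCP (dport 23). */
static const uint8_t tcp_frame[] = {
    0,0,0,0,0,1,  0,0,0,0,0,2,  0x08,0x00,                      /* dst MAC, src MAC, EtherType */
    0x45,0,0,40,  0,0,0,0,  64,6,0,0,  1,2,3,4,  10,0,0,1,     /* IPv4: ttl 64, TCP, src, dst */
    0x04,0xd2, 0x00,0x17, 0,0,0,0, 0,0,0,0, 0x50,2,0,0,0,0,0,0 /* TCP: sport 1234, dport 23 */
};
/* Constructed ARP frame (EtherType 0x0806): the IP rule cannot match it. */
static const uint8_t arp_frame[] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x06, 0,1, 8,0, 6,4, 0,1,
    0,0,0,0,0,2, 1,2,3,4, 0,0,0,0,0,0, 10,0,0,1
};
static const uint8_t blocked_src[4] = {1,2,3,4};
```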