Apache web server for windows - Rather than the complicated two-mask configuration of ipfwadm
Rather than the complicated two-mask configuration of ipfwadm and ipchains, iptables uses the simpler approach of plainly specifying what the TOS bits should match, or to what the TOS bits should be set. Additionally, rather than having to remember and use the hexadecimal value, you may specify the TOS bits using the more friendly mnemonics listed in the upcoming table. The general syntax used to match TOS bits looks like: -m tos –tos mnemonic [other-args]-j target The general syntax used to set TOS bits looks like: [other-args] -j TOS –set mnemonic Remember that these would typically be used together, but they can be used quite independently if you have a configuration that requires it. Mnemonic Normal-Service Minimize-Cost Maximize-Reliability Maximize-Throughput Minimize-Delay Hexadecimal 0×00 0×02 0×04 0×08 0×10 Testing a Firewall Configuration After you’ve designed an appropriate firewall configuration, it’s important to validate that it does in fact do what you want it to do. One way to do this is to use a test host outside your network to attempt to pierce your firewall: this can be quite clumsy and slow, though, and is limited to testing only those addresses that you can actually use. A faster and easier method is available with the Linux firewall implementation. It allows you to manually generate tests and run them through the firewall configuration just as if you were testing with actual datagrams. All varieties of the Linux kernel firewall software, ipfwadm, ipchains, and iptables, provide support for this style of testing. The implementation involves use of the relevant check command. The general test procedure is as follows: 1. Design and configure your firewall using ipfwadm, ipchains, or iptables. 2. Design a series of tests that will determine whether your firewall is actually working as you intend. For these tests you may use any source or destination address, so choose some address combinations that should be accepted and some others that should be dropped. If you’re allowing or disallowing only certain ranges of addresses, it is a good idea to test addresses on either side of the boundary of the range -one address just inside the boundary and one address just outside the boundary. This will help ensure that you have the correct boundaries configured, because it is sometimes easy to specify netmasks incorrectly in your configuration. If you’re filtering by protocol and port number, your tests should also check all important combinations of these parameters. For example, if you intend to accept only TCP under certain circumstances, check that UDP datagrams are dropped. 3. Develop ipfwadm, ipchains, or iptables rules to implement each test. It is probably worthwhile to write all the rules into a script so you can test and re-test easily as you correct mistakes or change your design. Tests use almost the same syntax as rule specifications, but the arguments take on slightly differing meanings. For example, the source address argument in a rule specification specifies the source address that datagrams matching this rule should have. The source address argument in test syntax, in contrast, specifies the source address of the test datagram that will be generated. For ipfwadm, you must use the -c option to specify that this command is a test, while for ipchains and iptables, you must use the -C option. In all cases you must always specify the source address, destina